diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index d4f3cae..8274f1e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -11,14 +11,14 @@ on:
 jobs:
   tests:
     name: Test
-    permissions:
-      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04]
         go: ["1.21.10", "1.22.3"]
+    permissions:
+      contents: read
     steps:
       - name: Setup Go
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..b7cf17b
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,47 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-22.04]
+        go: ["1.22.3"]
+    permissions:
+      attestations: write
+      id-token: write
+      contents: write
+      packages: write
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ matrix.go }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+
+      - name: Code checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      # https://github.com/actions/checkout/issues/290#issuecomment-680260080
+      - name: Fetch upstream tags
+        run: git fetch --tags --force
+
+      - name: Run Goreleaser
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..12867b8
--- /dev/null
+++ b/.goreleaser.yaml
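Review bot: `attestations: write` in the release job's `permissions` block is not consumed by any visible step — signing and SBOM generation go through cosign and syft inside goreleaser, and no `actions/attest-*` step appears — so under least privilege it should be dropped (or the attest step that needs it added) unless goreleaser-action itself requires it; please confirm. The other three grants each map to a visible step: `id-token: write` for keyless cosign, `contents: write` for the GitHub release, `packages: write` for the ghcr.io push. `COSIGN_EXPERIMENTAL: 1` looks like a holdover: cosign-installer v3.5.0 installs cosign 2.x, where keyless signing is the default and that variable is no longer required, so the `env` block can likely be reduced to `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` alone. Also, `Setup Go` runs before `Code checkout`, so if setup-go's default module cache is in use it will not find `go.sum` in the workspace and will only emit a restore warning; moving the checkout step first fixes that (ci.yaml orders the steps the same way, as far as its hunk shows).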
@@ -0,0 +1,91 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 1
+
+metadata:
+  mod_timestamp: "{{ .CommitTimestamp }}"
+
+report_sizes: true
+
+builds:
+  - main: github.com/caddyserver/gateway/cmd
+    binary: caddy-gateway
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    flags:
+      - -trimpath
+
+kos:
+  - repository: ghcr.io/caddyserver/gateway
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    tags:
+      - '{{.Version}}'
+      # TODO: find a way to set the latest package tag, only when the release gets published on GitHub.
+      # we can trigger an action on release_published, but we then need to write a system that "pushes"
+      # the `latest` manifest.
+      # - latest
+    creation_time: '{{.CommitTimestamp}}'
+    ko_data_creation_time: '{{.CommitTimestamp}}'
+    sbom: 'spdx'
+    bare: true
+    base_import_paths: true
+    preserve_import_paths: false
+
+checksum:
+  algorithm: sha512
+  name_template: "CHECKSUMS.txt"
+
+sboms:
+  - artifacts: binary
+    cmd: syft
+    args:
+      - "$artifact"
+      - "--file"
+      - "${document}"
+      - "--output"
+      - "spdx-json"
+
+signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - sign-blob
+      - --yes
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests # TODO: all?
+    output: true
+    args:
+      - sign
+      - --yes
+      - "${artifact}@${digest}"
+
+release:
+  draft: true
+  prerelease: auto
+  github:
+    owner: caddyserver
+    name: gateway
+
+changelog:
+  use: github
+  sort: asc
+  filters:
+    exclude:
+      - '^chore:'
+      - '^ci:'
+      - '^docs?:'
+      - '^readme:'
+      - '^tests?:'
+      - '^\w+\s+' # a hack to remove commit messages without colons thus don't correspond to a package
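Review bot: Under `kos`, `bare: true` is set alongside `base_import_paths: true`; in ko these are alternative image-naming strategies and `bare` takes precedence, so `base_import_paths: true` appears to be dead configuration that will mislead the next reader — keep `bare: true` and drop the other two naming keys, or confirm the intended behaviour against the goreleaser `kos` reference if I have the precedence wrong. Template quoting is inconsistent across the file: `"{{ .CommitTimestamp }}"` under `metadata` versus `'{{.Version}}'` and `'{{.CommitTimestamp}}'` under `kos`, and `sbom: 'spdx'` is quoted while neighbouring plain scalars such as `algorithm: sha512` are not; one quote style for templated values would make the file easier to scan. The `artifacts: manifests # TODO: all?` question in `docker_signs` is worth settling before the first tag: `manifests` signs only the manifest list digest, not the per-platform images it references, so a consumer that verifies a platform-specific digest sees no signature, and `all` covers both (please confirm how goreleaser exposes the ko-published image to `docker_signs`, since that is not visible here).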