forked from sigstore/rekor
-
Notifications
You must be signed in to change notification settings - Fork 6
/
.goreleaser.yml
118 lines (106 loc) · 3.06 KB
/
.goreleaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
project_name: rekor
env:
- GO111MODULE=on
- CGO_ENABLED=0
- DOCKER_CLI_EXPERIMENTAL=enabled
- COSIGN_YES=true
# Prevents parallel builds from stepping on eachothers toes downloading modules
before:
hooks:
- go mod tidy
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
# if running a release we will generate the images in this step
# if running in the CI the CI env va is set by github action runner and we dont run the ko steps
# this is needed because we are generating files that goreleaser was not aware to push to GH project release
- /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release; fi'
gomod:
proxy: true
sboms:
- artifacts: binary
builds:
- id: rekor-server-linux
binary: rekor-server-linux-{{ .Arch }}
no_unique_dist_dir: true
main: ./cmd/rekor-server
goos:
- linux
goarch:
- amd64
- arm64
- arm
- s390x
- ppc64le
goarm:
- 7
flags:
- -trimpath
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags:
- "{{ .Env.SERVER_LDFLAGS }}"
- id: rekor-cli
binary: rekor-cli-{{ .Os }}-{{ .Arch }}
no_unique_dist_dir: true
main: ./cmd/rekor-cli
goos:
- linux
- darwin
- windows
goarch:
- amd64
- arm64
- arm
- s390x
- ppc64le
goarm:
- 7
ignore:
- goos: windows
goarch: arm64
- goos: windows
goarch: arm
- goos: windows
goarch: s390x
- goos: windows
goarch: ppc64le
flags:
- -trimpath
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags:
- "{{ .Env.CLI_LDFLAGS }}"
signs:
- id: rekor
signature: "${artifact}.sig"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
# Keyless
- id: rekor-keyless
signature: "${artifact}-keyless.sig"
certificate: "${artifact}-keyless.pem"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
artifacts: binary
- id: checksum-keyless
signature: "${artifact}-keyless.sig"
certificate: "${artifact}-keyless.pem"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
artifacts: checksum
archives:
- format: binary
name_template: "{{ .Binary }}"
allow_different_binary_count: true
checksum:
name_template: "{{ .ProjectName }}_checksums.txt"
snapshot:
name_template: SNAPSHOT-{{ .ShortCommit }}
release:
prerelease: allow # remove this when we start publishing non-prerelease or set to auto
draft: true # allow for manual edits
github:
owner: sigstore
name: rekor
footer: |
### Thanks for all contributors!
extra_files:
- glob: "./rekor*.yaml"