Use Goreleaser, and publish arm64

Signed-off-by: peterdeme <[email protected]>
spacelift-io · Nov 25, 2023 · 3c30b5f · 3c30b5f
1 parent 8d8dd75
commit 3c30b5f
Show file tree

Hide file tree

Showing 7 changed files with 121 additions and 149 deletions.
diff --git a/.github/workflows/build-binary.yml b/.github/workflows/build-binary.yml
@@ -2,31 +2,33 @@ name: Build Binary
 
 on: { push: { branches-ignore: [main, production] } }
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
-  preprod-agent-deployment:
-    name: Build and upload agent
+  build-binary:
+    name: Build binary
     runs-on: ubuntu-latest
     container: golang:1.20
 
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
-
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
diff --git a/.github/workflows/preprod-deployment.yml b/.github/workflows/preprod-deployment.yml
@@ -1,20 +1,16 @@
 name: Preprod deployment
 
-on:
-  push: 
-    branches:
-      - main
+on: [push]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
 jobs:
   preprod-agent-deployment:
     name: Build and upload agent
     runs-on: ubuntu-latest
-    outputs:
-      deployment_id: ${{ steps.deployment.outputs.deployment_id }}
     container: golang:1.20
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
     permissions:
       id-token: write
       contents: read
@@ -24,28 +20,21 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
-      - uses: chrnorm/deployment-action@releases/v1
-        name: Create GitHub deployment
-        if: ${{ github.ref == 'refs/heads/main' }}
-        id: deployment
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          environment: preprod/vcs-agent
-
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot=${{ github.ref != 'refs/heads/main' }}
         env:
           BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
       - name: Install dependencies
@@ -66,54 +55,17 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Sign Spacelift VCS Agent Binary
-        run: ./scripts/sign.sh $BIN_DIR $BASE_NAME
+        run: |
+          chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
+
+          chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent
+          ./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
+          ./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
         env:
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Verify Checksum Spacelift VCS Agent Binary
-        run: ./scripts/verify.sh $BIN_DIR $BASE_NAME
-        env:
-          SHORT_SHA: ${{ steps.vars.outputs.sha }}
-
-      - name: Upload the VCS Agent binary
-        uses: actions/upload-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: build/
-          retention-days: 1
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-
-  publish-preprod-agent-deployment:
-    name: Upload VCS agent binary and container image
-    needs: ["preprod-agent-deployment"]
-    runs-on: ubuntu-latest
-
-    env:
-      BIN_DIR: build
-    permissions:
-      id-token: write
-      contents: read
-      deployments: write
-
-    steps:
-      - name: Check out repository code
-        uses: actions/checkout@v4
-
-      - name: Download the VCS Agent binary
-        uses: actions/download-artifact@v3
-        with:
-          name: vcs-agent-binary
-          path: ./build
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -124,11 +76,36 @@ jobs:
           role-duration-seconds: 900
 
       - name: Upload the VCS Agent binary to downloads.spacelift.dev
-        if: ${{ github.ref == 'refs/heads/main' }}
         run: >-
+          ######## AMD 64 old path ######## 
+
+          aws s3 sync
+          dist/vcs-agent_linux_amd64_v1/* s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          ######## AMD 64 new path ######## 
+
+          aws s3 sync
+          "./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          "./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          ######## ARM 64 new path ######## 
+
+          aws s3 sync
+          "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
+          aws s3 sync
+          "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
+
           aws s3 sync
-          ${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/
-          --no-progress
+          "./dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig" s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS.sig
+          --no-progress ${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
 
       - name: Invalidate downloads.spacelift.dev cache
         if: ${{ github.ref == 'refs/heads/main' }}
@@ -141,36 +118,16 @@ jobs:
         if: ${{ github.ref == 'refs/heads/main' }}
         run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws
 
-    # This will be needed in the future for adding multi architecture build support
-    #  - name: Set up QEMU
-    #    uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
       - name: Build and push the image
         uses: docker/build-push-action@v5
         with:
-          context: .
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.ref == 'refs/heads/main' }}
           tags: |
             ${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
-
-      - name: Update deployment status (success)
-        uses: chrnorm/deployment-status@releases/v1        
-        if: success() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "success"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
-
-      - name: Update deployment status (failure)
-        uses: chrnorm/deployment-status@releases/v1
-        if: failure() && ${{ github.ref == 'refs/heads/main' }}
-        with:
-          token: "${{ github.token }}"
-          target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
-          state: "failure"
-          deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
diff --git a/.github/workflows/prod-deployment.yml b/.github/workflows/prod-deployment.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Check out repository code
         uses: actions/checkout@v4
 
-      - name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
+      - name: Mark source directory as safe.
         run: git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - uses: chrnorm/deployment-action@releases/v1

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -13,75 +13,68 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
 
-    env:
-      BASE_NAME: spacelift-vcs-agent
-      BIN_DIR: build
-
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with: { fetch-depth: 0 }
 
-      - name: Set up Go
+      - name: Mark source directory as safe.
+        run: git config --global --add safe.directory $GITHUB_WORKSPACE
+
+      - name: Setup Go
         uses: actions/setup-go@v4
-        with: { go-version: 1.18 }
+        with: { go-version: "1.20" }
 
       - name: parse short SHA
         id: vars
         run: |
           echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
 
-      - name: Build Spacelift VCS Agent
-        run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          version: latest
+          args: release --snapshot
         env:
           BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
-          CGO_ENABLED: 0
           SHORT_SHA: ${{ steps.vars.outputs.sha }}
 
-      - name: Archive artifacts for use in Docker build
-        uses: actions/upload-artifact@v3
-        with:
-          name: build
-          path: |
-            build
-
-  analyze:
-    name: Analyze with Trivy
-    needs: build
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Download build artifacts
-        uses: actions/download-artifact@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
         with:
-          name: build
-          path: build
+          platforms: "linux/amd64,linux/arm64"
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Build Docker image
+        run: |
+          docker build --platform linux/amd64 -t spacelift-vcs-agent:${{ github.sha }}-amd64 .
+          docker build --platform linux/arm64 -t spacelift-vcs-agent:${{ github.sha }}-arm64 .
 
-      - name: Build and push the image
-        uses: docker/build-push-action@v5
+      - name: Run Trivy vulnerability scanner (amd64)
+        uses: aquasecurity/trivy-action@master
         with:
-          context: .
-          push: false
-          load: true
-          tags: "spacelift-vcs-agent:${{ github.sha }}"
+          image-ref: "spacelift-vcs-agent:${{ github.sha }}-amd64"
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-results-amd64.sarif"
+          severity: "CRITICAL,HIGH"
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (arm64)
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: "spacelift-vcs-agent:${{ github.sha }}"
+          image-ref: "spacelift-vcs-agent:${{ github.sha }}-arm64"
           format: "template"
           template: "@/contrib/sarif.tpl"
-          output: "trivy-results.sarif"
+          output: "trivy-results-arm64.sarif"
           severity: "CRITICAL,HIGH"
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy scan results to GitHub Security tab (amd64)
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results-amd64.sarif"
+          category: "Trivy (amd64)"
+
+      - name: Upload Trivy scan results to GitHub Security tab (arm64)
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: "trivy-results.sarif"
-          category: "Trivy"
+          sarif_file: "trivy-results-arm64.sarif"
+          category: "Trivy (arm64)"
diff --git a/.gitignore b/.gitignore
@@ -20,3 +20,5 @@
 
 # Binary
 cmd/spacelift-vcs-agent/spacelift-vcs-agent
+
+dist/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,17 @@
+builds:
+  - main: ./cmd/spacelift-vcs-agent
+    binary: spacelift-vcs-agent
+    env: [CGO_ENABLED=0]
+    goos: [linux]
+    goarch: [amd64, arm64]
+    flags: [-trimpath]
+    tags: [netgo]
+    ldflags:
+      - "-s -w -extldflags '-static' -X main.VERSION={{.Env.SHORT_SHA}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}"
+
+changelog:
+  skip: true
+
+archives:
+  # This disables the archive step entirely
+  - format: binary