Add automatic releases using goreleaser (theupdateframework#234)
* chore: add goreleaser + cosign releases

* feat: keyless releases with goreleaser and cosign

This commit enables keyless signatures via the GitHub Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30 min and strictly coupled to the workload identity of the GitHub Actions workflow. Transparency logs will be automatically uploaded to the public Rekor instance.

* chore: try a basic config of goreleaser

* chore: split test and release phases into reusable workflows

Adds also github style changelog in which it tags people who
contributed to the last release. It also groups breaking commits
into a separate group that is on top of the changelog for better
visibility.

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: bump goreleaser to v1.6.3

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: use golangci-lint instead of go fmt, staticcheck, etc.

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: use github-action for goveralls instead of the legacy GOPATH way

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: add golangci.yml config enabling several other linters

Fix also some of the linter errors so it doesn't fail.

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: use the flags property of goreleaser instead of env vars while building

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: set goreleaser to automatically mark releases with a suffix as prereleases

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: partially revert "Add golangci.yml config enabling several other linters"

This reverts commit a72cf40 which
also included fixes for some of the issues raised by golangci-lint.
They will be addressed in a separate PR.

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: add commitsar action to enforce the use of conventional commits

For reference - https://www.conventionalcommits.org

Signed-off-by: Radoslav Dimitrov <[email protected]>

* fix: use keyword specified in the conventional commit spec for breaking changes

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: configure dependabot to monitor github-actions too

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: pin github-actions dependencies by digest

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: pin and configure dependabot to monitor Python test dependencies

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: bump goreleaser version to v1.7.0

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: run tests using Go version 1.18.x

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: checkout code first in order to fix CI failure

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: run CI against all Go versions newer than the minimal one set in go.mod

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: download python dependencies from requirements-test.txt

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: use the minimal Go version set in go.mod for releases

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: pin the go-version-action using a digest

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: configure dependabot to use chore commit prefix for gomod updates

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: revert the use of dedicated requirements.txt file path for github actions

Signed-off-by: Radoslav Dimitrov <[email protected]>

Co-authored-by: Christian Rebischke <[email protected]>
Co-authored-by: Trishank Karthik Kuppusamy <[email protected]>
3 people authored Mar 30, 2022
1 parent 2b4cbfe commit 5d0a9c3
Showing 9 changed files with 260 additions and 46 deletions.
35 changes: 30 additions & 5 deletions .github/dependabot.yml
@@ -1,7 +1,32 @@
version: 2
updates:
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "daily"
open-pull-requests-limit: 10
# Monitor Go dependencies
- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "daily"
time: "10:00"
commit-message:
prefix: "chore"
include: "scope"
open-pull-requests-limit: 10
# Monitor Github Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
time: "10:00"
commit-message:
prefix: "chore"
include: "scope"
open-pull-requests-limit: 10
# Monitor Python test dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "daily"
time: "10:00"
commit-message:
prefix: "chore"
include: "scope"
open-pull-requests-limit: 10
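Review bot: all three `schedule` blocks set `time: "10:00"` without a `timezone`, so Dependabot reads it as UTC; add `timezone: "<your zone>"` if 10:00 was meant as a local time. The `commit-message` prefix `chore` with `include: "scope"` lines up with the commitsar check added in this commit, which is good; the remaining nit is the `# Monitor Github Actions` comment, which should read `GitHub`.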
41 changes: 0 additions & 41 deletions .github/workflows/build.yml

This file was deleted.

23 changes: 23 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,23 @@
on:
pull_request:
push:
branches:
- "master"
tags:
- "v*"
name: CI
jobs:
tests:
uses: ./.github/workflows/tests.yml
tuf:
needs: tests
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
uses: ./.github/workflows/release.yml
with:
cli-name: tuf
tuf-client:
needs: tests
if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
uses: ./.github/workflows/release.yml
with:
cli-name: tuf-client
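Review bot: the `tuf` and `tuf-client` jobs call a reusable workflow whose job requests `id-token: write` and `contents: write`, but a called workflow can only narrow the token permissions handed to it by the caller, never widen them, and `id-token` is not part of the default GITHUB_TOKEN grant; add a `permissions:` block with `id-token: write` and `contents: write` to these two jobs (or at workflow level) so the release job actually receives them. Separately, `contains(github.ref, 'refs/tags/')` would be tighter as `startsWith(github.ref, 'refs/tags/v')`, mirroring the `tags: - "v*"` filter above. Both release jobs also run in parallel against the same tag and therefore the same GitHub release; sequencing one after the other (e.g. `needs: [tests, tuf]` on `tuf-client`) avoids two GoReleaser invocations racing to create and upload to it.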
35 changes: 35 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,35 @@
on:
workflow_call:
inputs:
cli-name:
required: true
type: string
name: Release
jobs:
release:
permissions:
id-token: write
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
with:
fetch-depth: 0
- name: Get Go version
uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
id: go-version
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
with:
go-version: ${{ steps.go-version.outputs.minimal }}
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
with:
distribution: goreleaser
version: "v1.7.0"
args: release --config ./.goreleaser/${{ inputs.cli-name }}.yml --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
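Review bot: the job asks for `id-token: write`, but no step consumes an OIDC token: there is no cosign setup step here and the two `.goreleaser/*.yml` files in this commit carry no `signs:` section, so the keyless cosign signatures and signed source tarball described in the commit message are not produced by this workflow as written. Either add a `signs:` block to the GoReleaser configs (with `cmd: cosign` and `COSIGN_EXPERIMENTAL=1` in its env, which keyless signing required at the time) plus a cosign install step before `Run GoReleaser`, or drop `id-token: write` until it is used; an unused write scope is something every later reviewer has to explain away.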
78 changes: 78 additions & 0 deletions .github/workflows/tests.yml
@@ -0,0 +1,78 @@
on:
workflow_call:
name: Tests
jobs:
get-go-versions:
name: Collect available Go versions
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.versions.outputs.matrix }}
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
id: versions
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

run:
strategy:
matrix:
os: [ubuntu-latest, macos-latest]
go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
runs-on: ${{ matrix.os }}
needs: get-go-versions
steps:
- name: Checkout code
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579

- name: Setup - Go ${{ matrix.go-version }}
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
with:
go-version: ${{ matrix.go-version }}

- name: Setup - Python
uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
with:
python-version: 3.6
cache: "pip"
cache-dependency-path: "requirements-test.txt"

- name: Install Python dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade -r requirements-test.txt
- name: Run tests
run: go test -race -covermode atomic -coverprofile='profile.cov' ./...

- name: Send coverage
uses: shogo82148/actions-goveralls@31ee804b8576ae49f6dc3caa22591bc5080e7920
with:
path-to-profile: profile.cov
flag-name: Go-${{ matrix.go-version }}
parallel: true

golangci:
strategy:
matrix:
go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
needs: get-go-versions
steps:
- uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
- name: golangci-lint
uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
with:
version: v1.44

conventional-commits-lint-check:
runs-on: "ubuntu-latest"
steps:
- name: Checkout code
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
with:
fetch-depth: 0
- name: Commitsar Action
uses: aevea/commitsar@159cec82966ca402a09ae3c185524a5256affa22
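Review bot: in the `golangci` job the `setup-go` step is given no `go-version`, so every matrix entry lints with the runner's default Go rather than `${{ matrix.go-version }}`, which makes the version matrix there a no-op; pass `go-version: ${{ matrix.go-version }}` and, for consistency with `run`, check out before setting up Go. In the `run` job, `shogo82148/actions-goveralls` is called with `parallel: true` but no follow-up job sets `parallel-finished: true`, so Coveralls never closes the parallel build and the aggregated report stays pending; add a final job that `needs: run` and invokes the action with `parallel-finished: true`. Lastly, `python-version: 3.6` reached end of life in December 2021 and will disappear from the runner images; pin a supported 3.x.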
11 changes: 11 additions & 0 deletions .golangci.yml
@@ -0,0 +1,11 @@
linters:
disable-all: true
enable:
- staticcheck
- gofmt
- govet
- gosimple
- structcheck
- varcheck
- unused
- typecheck
39 changes: 39 additions & 0 deletions .goreleaser/tuf-client.yml
@@ -0,0 +1,39 @@
project_name: tuf-client
builds:
- ldflags:
- "-s -w"
- "-extldflags=-zrelro"
- "-extldflags=-znow"
env:
- "CGO_ENABLED=0"
- "GO111MODULE=on"
flags:
- -mod=readonly
- -trimpath
goos:
- linux
- darwin
- windows
goarch:
- amd64
main: ./cmd/tuf-client/
source:
enabled: true
changelog:
use: github
groups:
- title: "Breaking changes"
regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
order: 0
- title: Features
regexp: "^.*feat[(\\w)]*:+.*$"
order: 1
- title: "Bug fixes"
regexp: "^.*fix[(\\w)]*:+.*$"
order: 2
- title: Others
order: 999
release:
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
prerelease: auto
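Review bot: the `-extldflags=-zrelro` and `-extldflags=-znow` ldflags only reach an external linker, which is never invoked when `CGO_ENABLED=0` yields a statically linked pure-Go binary, so they are dead configuration here; drop them or add a comment saying why they are kept. The `Breaking changes` regexp looks for `BREAKING CHANGE:` in the commit subject, but the Conventional Commits spec places that token in the footer and marks a breaking subject with `!` after the type/scope (e.g. `feat!:`), so with GoReleaser matching subject lines such commits fall through to `Features`; add an alternative like `^.*(feat|fix)(\\(.*\\))?!:.*$` to the group. Also, `source: enabled: true` publishes a source tarball, but with no `signs:` entry it ships unsigned, contrary to the commit message.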
39 changes: 39 additions & 0 deletions .goreleaser/tuf.yml
@@ -0,0 +1,39 @@
project_name: tuf
builds:
- ldflags:
- "-s -w"
- "-extldflags=-zrelro"
- "-extldflags=-znow"
env:
- "CGO_ENABLED=0"
- "GO111MODULE=on"
flags:
- -mod=readonly
- -trimpath
goos:
- linux
- darwin
- windows
goarch:
- amd64
main: ./cmd/tuf/
source:
enabled: true
changelog:
use: github
groups:
- title: "Breaking changes"
regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
order: 0
- title: Features
regexp: "^.*feat[(\\w)]*:+.*$"
order: 1
- title: "Bug fixes"
regexp: "^.*fix[(\\w)]*:+.*$"
order: 2
- title: Others
order: 999
release:
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
prerelease: auto
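Review bot: this file is identical to `.goreleaser/tuf-client.yml` apart from `project_name` and `main`, so the same ldflags, changelog-regexp and signing remarks apply, and the duplication invites drift between the two. GoReleaser accepts several entries under `builds:` (each with its own `id`, `binary` and `main`) in a single config, which would let one release job publish both binaries and a single changelog instead of two jobs writing to the same tag's release.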
5 changes: 5 additions & 0 deletions requirements-test.txt
@@ -0,0 +1,5 @@
iso8601==1.0.2
requests==2.27.1
securesystemslib==0.21.0
six==1.16.0
tuf==0.20.0
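Review bot: the Python test dependencies are pinned by version but not by digest, unlike the GitHub Actions pinned by SHA elsewhere in this commit; generating this file with hashes (e.g. `pip-compile --generate-hashes`) and installing with `pip install --require-hashes -r requirements-test.txt` in `tests.yml` would extend the digest pinning to the Python side and let Dependabot keep both version and hash current.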

0 comments on commit 5d0a9c3