diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..61c28ef
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,123 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Release
+
+permissions: {}
+
+on:
+push:
+tags:
+- v*
+
+jobs:
+goreleaser:
+permissions:
+contents: write
+id-token: write
+packages: write
+pull-requests: write
+outputs:
+hashes: ${{ steps.hash.outputs.hashes }}
+image: ${{ steps.digest.outputs.image }}
+digest: ${{ steps.digest.outputs.digest }}
+runs-on: ubuntu-latest
+steps:
+- name: Free disk space
+uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+with:
+tool-cache: true
+android: true
+dotnet: true
+haskell: true
+large-packages: false
+docker-images: true
+swap-storage: false
+- name: Checkout
+uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+with:
+fetch-depth: 0
+- name: Fetch all tags
+run: |
+set -e
+git fetch --force --tags
+- name: Setup Go
+uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+with:
+go-version-file: go.mod
+cache-dependency-path: go.sum
+- name: Install Cosign
+uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+- name: Install Syft
+uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
+- name: Install Ko
+uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
+- name: Run GoReleaser
+id: goreleaser
+uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+with:
+distribution: goreleaser
+version: latest
+args: release --clean --timeout 90m
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+- name: Upload artifacts.json
+uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
+with:
+repo_token: ${{ secrets.GITHUB_TOKEN }}
+file: dist/artifacts.json
+asset_name: artifacts.json
+tag: ${{ github.ref }}
+- name: Upload metadata.json
+uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0
+with:
+repo_token: ${{ secrets.GITHUB_TOKEN }}
+file: dist/metadata.json
+asset_name: metadata.json
+tag: ${{ github.ref }}
+- name: Generate subject
+id: hash
+env:
+ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+run: |
+set -euo pipefail
+checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+hashes=$(cat $checksum_file | base64 -w0)
+echo "hashes=$hashes" >> $GITHUB_OUTPUT
+- name: Image digest
+id: digest
+env:
+ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+run: |
+set -euo pipefail
+image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
+image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
+digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+echo "image=$image" >> "$GITHUB_OUTPUT"
+echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+provenance:
+needs:
+- goreleaser
+permissions:
+actions: read
+id-token: write
+contents: write
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+with:
+base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+upload-assets: true
+
+image-provenance:
+needs:
+- goreleaser
+permissions:
+actions: read
+id-token: write
+packages: write
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
+with:
+image: ${{ needs.goreleaser.outputs.image }}
+digest: ${{ needs.goreleaser.outputs.digest }}
+registry-username: ${{ github.actor }}
+secrets:
+registry-password: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..eb85c8d
--- /dev/null
+++ b/.goreleaser.yaml
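Review bot: The `Run GoReleaser` step is the one unpinned tool in an otherwise SHA-pinned workflow — `version: latest` pulls whatever GoReleaser release is current at tag time, so the builder that produces the SLSA subjects and signs the artifacts can change between releases with no diff here; pin it, e.g. `version: '~> v2'` or an exact tag, following the `# vX.Y.Z` comment convention the other actions use. The `goreleaser` job's `pull-requests: write` grant is not used by any visible step (the workflow only triggers on tag pushes and opens no PRs), so it looks droppable under least privilege — worth confirming against the GoReleaser config before removing. In `Generate subject`, `cat $checksum_file` and `>> $GITHUB_OUTPUT` are unquoted while the next step quotes `"$GITHUB_OUTPUT"`; `hashes=$(base64 -w0 < "$checksum_file")` and `echo "hashes=$hashes" >> "$GITHUB_OUTPUT"` close the inconsistency and avoid word-splitting on the path taken from `artifacts.json`.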
@@ -0,0 +1,82 @@
+version: 2
+
+before:
+hooks:
+- go mod tidy
+
+builds:
+- id: kyverno-envoy-plugin
+env:
+- CGO_ENABLED=0
+goos:
+- linux
+- windows
+- darwin
+binary: kyverno-envoy-plugin
+flags:
+- -trimpath
+ldflags:
+- -s -w
+
+kos:
+- build: kyverno-envoy-plugin
+repository: ghcr.io/kyverno/kyverno-envoy-plugin
+tags:
+- '{{ .Tag }}'
+- '{{ if not .Prerelease }}latest{{ end }}'
+bare: true
+preserve_import_paths: false
+sbom: none
+platforms:
+- all
+labels:
+org.opencontainers.image.source: https://github.com/kyverno/kyverno-envoy-plugin
+org.opencontainers.image.description: Kyverno policies based authorization plugin for Envoy ❤️
+
+signs:
+- cmd: cosign
+certificate: '${artifact}.pem'
+args:
+- sign-blob
+- --output-certificate=${certificate}
+- --output-signature=${signature}
+- ${artifact}
+- --yes
+artifacts: all
+output: true
+
+docker_signs:
+- cmd: cosign
+artifacts: all
+output: true
+args:
+- sign
+- ${artifact}
+- --yes
+
+archives:
+- name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}'
+
+checksum:
+name_template: checksums.txt
+
+source:
+enabled: true
+
+sboms:
+- artifacts: archive
+- id: source
+artifacts: source
+
+snapshot:
+version_template: '{{ incpatch .Version }}-next'
+
+release:
+prerelease: auto
+
+changelog:
+sort: asc
+filters:
+exclude:
+- '^docs:'
+- '^test:'
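Review bot: `docker_signs` passes a tag reference to cosign (`sign`, `${artifact}`, `--yes`), so cosign resolves the tag to a digest at signing time and the signature's binding depends on that lookup returning the manifest ko just pushed; if the GoReleaser v2 release in use exposes `${digest}` for `docker_signs`, signing `${artifact}@${digest}` ties the signature to the exact manifest and silences cosign's tag-reference warning. `sbom: none` on the ko image also leaves the container without an SBOM even though the `sboms` section produces them for archives and source and the release workflow installs Syft; if that is deliberate, a comment such as `# image SBOM intentionally disabled; archive/source SBOMs come from the sboms section` records the decision. The `before` hook `go mod tidy` can rewrite go.mod/go.sum during the release build, so the shipped binary may be built from a module graph other than the committed one; `go mod verify` (or no hook) keeps the release tied to the reviewed go.sum.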