use goreleaser for releasing and cosign for signing (#322)

.github/workflows/golangci-lint.yml

@@ -18,15 +18,18 @@ on:
     branches:
       - main
   pull_request:
-
+permissions:
+  contents: read
+env:
+  GO_VERSION: 1.21.3
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@v4
-        with:
-          go-version: 1.20.6
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: '${{ env.GO_VERSION }}'
       - name: golangci-lint
         uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0

.github/workflows/license.yml

@@ -20,14 +20,17 @@ on:
       - main
   pull_request:
 
+env:
+  GO_VERSION: 1.21.3
+
 jobs:
   license-check:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
-        go-version: 1.20.6
+        go-version: '${{ env.GO_VERSION }}'
     - name: checkout
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Install addlicense

.github/workflows/linux.yml

@@ -25,7 +25,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.19.x', '1.20.x', '1.21.0' ]
+        go: [ '1.19.x', '1.20.x', '1.21.x' ]
     name: Go ${{ matrix.go }} build
     steps:
       - name: checkout

.github/workflows/release.yml

@@ -12,51 +12,46 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: create release and upload binary
-
+name: Create Release and Upload Binaries
+# run only on tags
 on:
   push:
     tags:
-    - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed to upload artifacts
+env:
+  GO_VERSION: 1.21.3
 
 jobs:
-  build:
+  release:
     runs-on: ubuntu-latest
     steps:
-    - name: checkout
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-    - name: install go
-      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-      with:
-        go-version: 1.20.6
-
-    - name: get version
-      id: v
-      run: echo ::set-output name=tag::$( awk -F '/' '{print $NF}' <<< "${GITHUB_REF}" )
-
-    - name: build
-      run: |
-       go build ./cmd/crypki
-       tar -czvf crypki-${{ steps.v.outputs.tag }}-linux.tar.gz --transform 's,^,crypki-${{ steps.v.outputs.tag }}-${OS}/,' crypki
-
-    - name: create release
-      id: create-release
-      uses: actions/create-release@v1
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        tag_name: ${{ steps.v.outputs.tag }}
-        release_name: ${{ steps.v.outputs.tag }}
-        draft: false
-        prerelease: false
-
-    - name: upload linux binary
-      uses: actions/upload-release-asset@v1.0.2
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      with:
-        upload_url: ${{ steps.create-release.outputs.upload_url }}
-        asset_path: crypki-${{ steps.v.outputs.tag }}-linux.tar.gz
-        asset_name: crypki-${{ steps.v.outputs.tag }}-linux.tar.gz
-        asset_content_type: application/gzip
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
+
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        with:
+          cosign-release: 'v2.2.0' # optional
+      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+      - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -0,0 +1,52 @@
+project_name: crypki
+
+gomod:
+  proxy: true
+
+env:
+  - GO111MODULE=on
+  - COSIGN_YES=true
+
+
+sboms:
+- artifacts: binary
+
+builds:
+- main: ./cmd/crypki
+  goos:
+    - linux
+
+kos:
+  - repository: ghcr.io/theparanoids/crypki
+    tags:
+    - '{{.Version}}'
+    - latest
+    bare: true
+    preserve_import_paths: false
+    platforms:
+    - linux/amd64
+    - linux/arm64
+
+signs:
+- cmd: cosign
+  signature: "${artifact}.sig"
+  certificate: "${artifact}.pem"
+  args:
+    - sign-blob
+    - '--output-certificate=${certificate}'
+    - '--output-signature=${signature}'
+    - '${artifact}'
+  artifacts: all
+  output: true
+
+docker_signs:
+- cmd: cosign
+  args:
+  - 'sign'
+  - '${artifact}'
+  artifacts: manifests
+  output: true
+
+release:
+  footer: |
+    ### Thanks for all contributors!

README.md

@@ -25,7 +25,7 @@ You should be able to run crypki server on any linux platform as long as you hav
 
 Prerequisites:
 
-- Go >= 1.18
+- Go >= 1.19
 
 Run:
 

proto/protogen.go

@@ -4,7 +4,7 @@
 // Package proto contains proto generated code.
 package proto
 
-// use protoc v4.23.4
+// use protoc v4.25.0
 //go:generate protoc -I. -I../third_party/googleapis --go_out=paths=source_relative:. --go-grpc_out=paths=source_relative:. sign.proto healthcheck.proto
 //go:generate protoc -I. -I../third_party/googleapis --grpc-gateway_out=paths=source_relative:. --grpc-gateway_opt logtostderr=true --grpc-gateway_opt paths=source_relative --grpc-gateway_opt generate_unbound_methods=true sign.proto
 //go:generate mockgen -source=./sign_grpc.pb.go -destination=./sign_grpc_mock.go -package=proto