Add automatic releases using goreleaser (#234)

* chore: add goreleaser + cosign releases * feat: keyless realeases with goreleaser and cosign This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance * chore: try a basic config of gorelease * chore: split test and release phases into reusable workflows Adds also github style changelog in which it tags people who contributed to the last release. It also groups breaking commits into a separate group that is on top of the changelog for better visibility. Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: bump goreleaser to v1.6.3 Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: use golangci-lint instead of go fmt, staticcheck, etc. Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: use github-action for goveralls instead of the legacy GOPATH way Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: add golangci.yml config enabling several other linters Fix also some of the linter errors so it doesn't fail. Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: use the flags property of goreleaser instead of env vars while building Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: set goreleaser to automatically mark releases with a suffix as prereleases Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: partially revert "Add golangci.yml config enabling several other linters" This reverts commit a72cf40 which also included fixes for some of the issues raised by golangci-lint. They will be addressed in a separate PR. Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: add commitsar action to enforce the use of conventional commits For reference - https://www.conventionalcommits.org Signed-off-by: Radoslav Dimitrov <[email protected]> * fix: use keyword specificed in the conventional commit spec for breaking changes Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: configure dependabot to monitor github-actions too Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: pin github-actions dependencies by digest Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: pin and configure dependabot to monitor Python test dependencies Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: bump goreleaser version to v1.7.0 Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: run tests using Go version 1.18.x Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: checkout code first in order to fix CI failure Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: run CI against all Go versions newer than the minimal one set in go.mod Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: download python dependencies from requirements-test.txt Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: use the minimal Go version set in go.mod for releases Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: pin the go-version-action using a digest Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: configure dependabot to use chore commit prefix for gomod updates Signed-off-by: Radoslav Dimitrov <[email protected]> * chore: revert the use of dedicated requirements.txt file path for github actions Signed-off-by: Radoslav Dimitrov <[email protected]> Co-authored-by: Christian Rebischke <[email protected]> Co-authored-by: Trishank Karthik Kuppusamy <[email protected]>
theupdateframework · Mar 30, 2022 · 5d0a9c3 · 5d0a9c3
1 parent 2b4cbfe
commit 5d0a9c3
Show file tree

Hide file tree

Showing 9 changed files with 260 additions and 46 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,32 @@
 version: 2
 updates:
-- package-ecosystem: "gomod"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 10
+  # Monitor Go dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
+  # Monitor Github Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
+  # Monitor Python test dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,23 @@
+on:
+  pull_request:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*"
+name: CI
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+  tuf:
+    needs: tests
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    uses: ./.github/workflows/release.yml
+    with:
+      cli-name: tuf
+  tuf-client:
+    needs: tests
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    uses: ./.github/workflows/release.yml
+    with:
+      cli-name: tuf-client
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,35 @@
+on:
+  workflow_call:
+    inputs:
+      cli-name:
+        required: true
+        type: string
+name: Release
+jobs:
+  release:
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Get Go version
+        uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+        id: go-version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+        with:
+          go-version: ${{ steps.go-version.outputs.minimal }}
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
+        with:
+          distribution: goreleaser
+          version: "v1.7.0"
+          args: release --config ./.goreleaser/${{ inputs.cli-name }}.yml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -0,0 +1,78 @@
+on:
+  workflow_call:
+name: Tests
+jobs:
+  get-go-versions:
+    name: Collect available Go versions
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.versions.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+      - uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+        id: versions
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  run:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+
+      - name: Setup - Go ${{ matrix.go-version }}
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Setup - Python
+        uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
+        with:
+          python-version: 3.6
+          cache: "pip"
+          cache-dependency-path: "requirements-test.txt"
+
+      - name: Install Python dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade -r requirements-test.txt
+
+      - name: Run tests
+        run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+
+      - name: Send coverage
+        uses: shogo82148/actions-goveralls@31ee804b8576ae49f6dc3caa22591bc5080e7920
+        with:
+          path-to-profile: profile.cov
+          flag-name: Go-${{ matrix.go-version }}
+          parallel: true
+
+  golangci:
+    strategy:
+      matrix:
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
+        with:
+          version: v1.44
+
+  conventional-commits-lint-check:
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Commitsar Action
+        uses: aevea/commitsar@159cec82966ca402a09ae3c185524a5256affa22
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,11 @@
+linters:
+  disable-all: true
+  enable:
+    - staticcheck
+    - gofmt
+    - govet
+    - gosimple
+    - structcheck
+    - varcheck
+    - unused
+    - typecheck
diff --git a/.goreleaser/tuf-client.yml b/.goreleaser/tuf-client.yml
@@ -0,0 +1,39 @@
+project_name: tuf-client
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+    flags:
+      - -mod=readonly
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/tuf-client/
+source:
+  enabled: true
+changelog:
+  use: github
+  groups:
+    - title: "Breaking changes"
+      regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+      order: 0
+    - title: Features
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 1
+    - title: "Bug fixes"
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 2
+    - title: Others
+      order: 999
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
diff --git a/.goreleaser/tuf.yml b/.goreleaser/tuf.yml
@@ -0,0 +1,39 @@
+project_name: tuf
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+    flags:
+      - -mod=readonly
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/tuf/
+source:
+  enabled: true
+changelog:
+  use: github
+  groups:
+    - title: "Breaking changes"
+      regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+      order: 0
+    - title: Features
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 1
+    - title: "Bug fixes"
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 2
+    - title: Others
+      order: 999
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
diff --git a/requirements-test.txt b/requirements-test.txt
@@ -0,0 +1,5 @@
+iso8601==1.0.2
+requests==2.27.1
+securesystemslib==0.21.0
+six==1.16.0
+tuf==0.20.0