From 5d0a9c359fe16fec78e23e7810fdf8b5d386339f Mon Sep 17 00:00:00 2001 From: Radoslav Dimitrov Date: Wed, 30 Mar 2022 16:40:36 +0300 Subject: [PATCH] Add automatic releases using goreleaser (#234) * chore: add goreleaser + cosign releases * feat: keyless releases with goreleaser and cosign This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance * chore: try a basic config of goreleaser * chore: split test and release phases into reusable workflows Adds also github style changelog in which it tags people who contributed to the last release. It also groups breaking commits into a separate group that is on top of the changelog for better visibility. Signed-off-by: Radoslav Dimitrov * chore: bump goreleaser to v1.6.3 Signed-off-by: Radoslav Dimitrov * chore: use golangci-lint instead of go fmt, staticcheck, etc. Signed-off-by: Radoslav Dimitrov * chore: use github-action for goveralls instead of the legacy GOPATH way Signed-off-by: Radoslav Dimitrov * chore: add golangci.yml config enabling several other linters Fix also some of the linter errors so it doesn't fail. Signed-off-by: Radoslav Dimitrov * chore: use the flags property of goreleaser instead of env vars while building Signed-off-by: Radoslav Dimitrov * chore: set goreleaser to automatically mark releases with a suffix as prereleases Signed-off-by: Radoslav Dimitrov * chore: partially revert "Add golangci.yml config enabling several other linters" This reverts commit a72cf40a01962398b530a5afb742188ea28cf0d7 which also included fixes for some of the issues raised by golangci-lint. They will be addressed in a separate PR.
Signed-off-by: Radoslav Dimitrov * chore: add commitsar action to enforce the use of conventional commits For reference - https://www.conventionalcommits.org Signed-off-by: Radoslav Dimitrov * fix: use keyword specificed in the conventional commit spec for breaking changes Signed-off-by: Radoslav Dimitrov * chore: configure dependabot to monitor github-actions too Signed-off-by: Radoslav Dimitrov * chore: pin github-actions dependencies by digest Signed-off-by: Radoslav Dimitrov * chore: pin and configure dependabot to monitor Python test dependencies Signed-off-by: Radoslav Dimitrov * chore: bump goreleaser version to v1.7.0 Signed-off-by: Radoslav Dimitrov * chore: run tests using Go version 1.18.x Signed-off-by: Radoslav Dimitrov * chore: checkout code first in order to fix CI failure Signed-off-by: Radoslav Dimitrov * chore: run CI against all Go versions newer than the minimal one set in go.mod Signed-off-by: Radoslav Dimitrov * chore: download python dependencies from requirements-test.txt Signed-off-by: Radoslav Dimitrov * chore: use the minimal Go version set in go.mod for releases Signed-off-by: Radoslav Dimitrov * chore: pin the go-version-action using a digest Signed-off-by: Radoslav Dimitrov * chore: configure dependabot to use chore commit prefix for gomod updates Signed-off-by: Radoslav Dimitrov * chore: revert the use of dedicated requirements.txt file path for github actions 
Signed-off-by: Radoslav Dimitrov Co-authored-by: Christian Rebischke Co-authored-by: Trishank Karthik Kuppusamy
---
 .github/dependabot.yml | 35 +++++++++++++---
 .github/workflows/build.yml | 41 ------------------
 .github/workflows/ci.yml | 23 +++++++++++
 .github/workflows/release.yml | 35 ++++++++++++++++
 .github/workflows/tests.yml | 78 +++++++++++++++++++++++++++++++++++
 .golangci.yml | 11 +++++
 .goreleaser/tuf-client.yml | 39 ++++++++++++++++++
 .goreleaser/tuf.yml | 39 ++++++++++++++++++
 requirements-test.txt | 5 +++
 9 files changed, 260 insertions(+), 46 deletions(-)
 delete mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/tests.yml
 create mode 100644 .golangci.yml
 create mode 100644 .goreleaser/tuf-client.yml
 create mode 100644 .goreleaser/tuf.yml
 create mode 100644 requirements-test.txt
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b2b5771e..a1423f06 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,7 +1,32 @@
 version: 2
 updates:
-- package-ecosystem: "gomod"
- directory: "/"
- schedule:
- interval: "daily"
- open-pull-requests-limit: 10
+ # Monitor Go dependencies
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "10:00"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ open-pull-requests-limit: 10
+ # Monitor Github Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "10:00"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ open-pull-requests-limit: 10
+ # Monitor Python test dependencies
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "10:00"
+ commit-message:
+ prefix: "chore"
+ include: "scope"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index d1a2160c..00000000
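Review bot: `time: "10:00"` on all three schedules has no `timezone` beside it, so Dependabot reads it as 10:00 UTC; if a local time was intended, add `timezone: "<IANA zone>"` under each `schedule`. Since the three entries are identical apart from `package-ecosystem`, a one-line comment such as `# schedule times are UTC` above `updates:` would stop the next reader from "fixing" the hour.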
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Setup Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.6
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install Python dependencies
- run: |
- python -m pip install --upgrade iso8601 requests securesystemslib six tuf
- - name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- - name: Test
- run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
- - name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
- name: Vet
- run: go vet ./...
- name: Install staticcheck
- run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
- name: Run staticcheck
- run: staticcheck ./...
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..6de89310
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,23 @@
+on:
+ pull_request:
+ push:
+ branches:
+ - "master"
+ tags:
+ - "v*"
+name: CI
+jobs:
+ tests:
+ uses: ./.github/workflows/tests.yml
+ tuf:
+ needs: tests
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ uses: ./.github/workflows/release.yml
+ with:
+ cli-name: tuf
+ tuf-client:
+ needs: tests
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ uses: ./.github/workflows/release.yml
+ with:
+ cli-name: tuf-client
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..ec5d7882
--- /dev/null
+++ b/.github/workflows/release.yml
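Review bot: The `tuf` and `tuf-client` jobs call `release.yml`, whose `release` job declares `id-token: write` and `contents: write`, but a called workflow can only narrow the token permissions its caller passes, and nothing in ci.yml grants any; unless the repository's default `GITHUB_TOKEN` permissions already cover both (the permissive default still leaves `id-token` unset, as far as I know), the release job will not receive the OIDC grant it asks for. Add `permissions:` / `  id-token: write` / `  contents: write` on the two release jobs, leaving `tests` with the read-only default. The `if:` guard could also use `startsWith(github.ref, 'refs/tags/v')` to mirror the `v*` tag filter instead of a substring `contains`.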
@@ -0,0 +1,35 @@
+on:
+ workflow_call:
+ inputs:
+ cli-name:
+ required: true
+ type: string
+name: Release
+jobs:
+ release:
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+ with:
+ fetch-depth: 0
+ - name: Get Go version
+ uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+ id: go-version
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Set up Go
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+ with:
+ go-version: ${{ steps.go-version.outputs.minimal }}
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
+ with:
+ distribution: goreleaser
+ version: "v1.7.0"
+ args: release --config ./.goreleaser/${{ inputs.cli-name }}.yml --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 00000000..96eb4b62
--- /dev/null
+++ b/.github/workflows/tests.yml
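Review bot: `id-token: write` on the `release` job is consumed by no step shown here — there is no cosign invocation and the goreleaser configs in this patch carry no `signs:` section — so the grant widens the token for nothing; either wire up the keyless signing the commit message describes or drop the line until that lands. `contents: write` remains necessary for the release upload. Both `tuf` and `tuf-client` run this workflow against the same tag, so the second goreleaser invocation meets an already-created GitHub release; whether its notes and assets are merged or replaced depends on goreleaser's `release.mode` default, which neither config sets — pinning it explicitly (for example `mode: append` under `release:`) would make the outcome deliberate.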
@@ -0,0 +1,78 @@
+on:
+ workflow_call:
+name: Tests
+jobs:
+ get-go-versions:
+ name: Collect available Go versions
+ runs-on: ubuntu-latest
+ outputs:
+ matrix: ${{ steps.versions.outputs.matrix }}
+ steps:
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+ - uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+ id: versions
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ run:
+ strategy:
+ matrix:
+ os: [ubuntu-latest, macos-latest]
+ go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+ runs-on: ${{ matrix.os }}
+ needs: get-go-versions
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+
+ - name: Setup - Go ${{ matrix.go-version }}
+ uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+ with:
+ go-version: ${{ matrix.go-version }}
+
+ - name: Setup - Python
+ uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
+ with:
+ python-version: 3.6
+ cache: "pip"
+ cache-dependency-path: "requirements-test.txt"
+
+ - name: Install Python dependencies
+ run: |
+ python3 -m pip install --upgrade pip
+ python3 -m pip install --upgrade -r requirements-test.txt
+
+ - name: Run tests
+ run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+
+ - name: Send coverage
+ uses: shogo82148/actions-goveralls@31ee804b8576ae49f6dc3caa22591bc5080e7920
+ with:
+ path-to-profile: profile.cov
+ flag-name: Go-${{ matrix.go-version }}
+ parallel: true
+
+ golangci:
+ strategy:
+ matrix:
+ go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+ os: [ubuntu-latest, macos-latest]
+ runs-on: ${{ matrix.os }}
+ needs: get-go-versions
+ steps:
+ - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+ - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
+ with:
+ version: v1.44
+
+ conventional-commits-lint-check:
+ runs-on: "ubuntu-latest"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+ with:
+ fetch-depth: 0
+ - name: Commitsar Action
+ uses: aevea/commitsar@159cec82966ca402a09ae3c185524a5256affa22
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 00000000..4d860521
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,11 @@
+linters:
+ disable-all: true
+ enable:
+ - staticcheck
+ - gofmt
+ - govet
+ - gosimple
+ - structcheck
+ - varcheck
+ - unused
+ - typecheck
diff --git a/.goreleaser/tuf-client.yml b/.goreleaser/tuf-client.yml
new file mode 100644
index 00000000..36a46ae0
--- /dev/null
+++ b/.goreleaser/tuf-client.yml
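Review bot: In the `golangci` job the `actions/setup-go` step has no `with: go-version:`, so `matrix.go-version` is never applied there: the job fans out over every version `get-go-versions` reports, yet each leg lints with whatever Go the action installs by default, which makes the matrix pure duplication. Pass the version through as the `run` job does, `- uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492` / `  with:` / `    go-version: ${{ matrix.go-version }}`. The coverage step sets `parallel: true` with no later job reporting `parallel-finished: true`; as far as I know the goveralls action needs that closing call before the build's coverage is marked complete — worth confirming. `python-version: 3.6` also pins an interpreter line that had reached end of life before this commit's date; a quoted newer version such as `"3.10"` avoids both the EOL runtime and the float-typing trap on version strings.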
@@ -0,0 +1,39 @@
+project_name: tuf-client
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ flags:
+ - -mod=readonly
+ - -trimpath
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf-client/
+source:
+ enabled: true
+changelog:
+ use: github
+ groups:
+ - title: "Breaking changes"
+ regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+ order: 0
+ - title: Features
+ regexp: "^.*feat[(\\w)]*:+.*$"
+ order: 1
+ - title: "Bug fixes"
+ regexp: "^.*fix[(\\w)]*:+.*$"
+ order: 2
+ - title: Others
+ order: 999
+release:
+ # If set to auto, will mark the release as not ready for production
+ # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+ prerelease: auto
diff --git a/.goreleaser/tuf.yml b/.goreleaser/tuf.yml
new file mode 100644
index 00000000..eaa45c77
--- /dev/null
+++ b/.goreleaser/tuf.yml
@@ -0,0 +1,39 @@
+project_name: tuf
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ flags:
+ - -mod=readonly
+ - -trimpath
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./cmd/tuf/
+source:
+ enabled: true
+changelog:
+ use: github
+ groups:
+ - title: "Breaking changes"
+ regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+ order: 0
+ - title: Features
+ regexp: "^.*feat[(\\w)]*:+.*$"
+ order: 1
+ - title: "Bug fixes"
+ regexp: "^.*fix[(\\w)]*:+.*$"
+ order: 2
+ - title: Others
+ order: 999
+release:
+ # If set to auto, will mark the release as not ready for production
+ # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+ prerelease: auto
diff --git a/requirements-test.txt b/requirements-test.txt
new file mode 100644
index 00000000..e29d3f90
--- /dev/null
+++ b/requirements-test.txt
@@ -0,0 +1,5 @@
+iso8601==1.0.2
+requests==2.27.1
+securesystemslib==0.21.0
+six==1.16.0
+tuf==0.20.0
\ No newline at end of file
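Review bot: Neither this file nor `.goreleaser/tuf.yml` carries a `signs:` stanza, and `release.yml` installs no cosign, so despite the commit message's keyless-signing description every artifact goreleaser uploads (binaries, checksum file, source tarball) is published unsigned and the `id-token: write` grant goes unused. What the description promises is a `signs:` entry that runs `cosign sign-blob` on the checksum file plus a cosign installer step ahead of the goreleaser step in release.yml; a sketch for this file follows (the same block belongs in tuf.yml), to be checked against the goreleaser v1.7.0 and cosign flag syntax in use. Separately, `-extldflags=-zrelro` and `-extldflags=-znow` are handed to the external linker, which is not used when `CGO_ENABLED=0`, so as far as I can tell both ldflags are no-ops here. The breaking-changes `regexp` only matches a `BREAKING CHANGE:` footer, while conventional commits mark a breaking change in the subject with `!` (e.g. `feat!:`); if the changelog is built from subject lines alone, that group will likely stay empty unless the pattern also accepts the `!:` form.
```yaml
# … unchanged: project_name, builds, source, changelog, release …
signs:
  - cmd: cosign
    env:
      - "COSIGN_EXPERIMENTAL=1"
    certificate: "${artifact}.pem"
    args:
      - sign-blob
      - "--output-certificate=${certificate}"
      - "--output-signature=${signature}"
      - "${artifact}"
    artifacts: checksum
```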