diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index fcaf6775..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.15.x, 1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Setup Python
- uses: actions/setup-python@v2
- with:
- python-version: 3.6
- - name: Checkout code
- uses: actions/checkout@v2
- - name: Install Python dependencies
- run: |
- python -m pip install --upgrade iso8601 requests securesystemslib six tuf
- - name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- - name: Test
- run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
- - name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
index 9ae8401d..88189d96 100644
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@@ -4,7 +4,7 @@ jobs:
 test:
 strategy:
 matrix:
- go-version: [1.13.x, 1.14.x, 1.15.x]
+ go-version: [1.16.x, 1.17.x]
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
 steps:
@@ -33,7 +33,16 @@ jobs:
 run: |
 GO111MODULE=off go get github.com/mattn/goveralls
 $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ - name: Vet
+ run: go vet ./...
+ - name: Install staticcheck
+ run: "go install honnef.co/go/tools/cmd/staticcheck@v0.2.2"
+ - name: Run staticcheck
+ run: staticcheck ./...
 release-server:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -46,25 +55,24 @@ jobs:
 uses: actions/setup-go@v2
 with:
 go-version: 1.17
- - name: write cosign.key to environment
- run: 'echo "$COSIGN_KEY" > .github/cosign.key'
- shell: bash
- env: COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.2'
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
 release-cli:
+ permissions:
+ id-token: write
+ contents: write
 runs-on: ubuntu-latest
 needs: test
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -85,13 +93,14 @@ jobs:
 - name: install cosign
 uses: sigstore/cosign-installer@main
 with:
- cosign-release: 'v1.2.1'
+ cosign-release: 'v1.4.1'
+ - uses: anchore/sbom-action/download-syft@v0.6.0
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v2
 with:
 distribution: goreleaser
- version: 'v0.180.2'
+ version: 'v1.2.5'
 args: release --config ./.goreleaser_client.yaml --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
+ COSIGN_EXPERIMENTAL: 1
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 297984de..e9ba69a8 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
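Review bot: The `permissions:` blocks added under `release-server` here (and under `release-cli` in the third hunk) scope only the release jobs, so the `test` job, which still hands `secrets.GITHUB_TOKEN` to goveralls in the context lines above, keeps whatever the repository's default token scope is. A workflow-level `permissions:` / `  contents: read` at the top of the file (outside this hunk) would make the two release jobs the only ones holding `id-token: write` and `contents: write`, which matters if the workflow also triggers on pull_request. The staticcheck install on the new `Install staticcheck` step is pinned to `@v0.2.2`, which is the right shape; a short comment such as `# pinned: bump deliberately, staticcheck output changes between releases` would explain why it is not `@latest`.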
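Review bot: The `release-server` job runs GoReleaser against `.goreleaser.yaml`, which this commit extends with `sboms:` entries, yet unlike `release-cli` it gets no syft install step; GoReleaser's SBOM support shells out to syft by default, so unless the runner image already ships it the release will fail at SBOM generation. Add `- uses: anchore/sbom-action/download-syft@v0.6.0` before the `Run GoReleaser` step, mirroring the release-cli hunk below. Separately, `uses: sigstore/cosign-installer@main` (context here and in release-cli) is a floating branch reference; now that these jobs hold `id-token: write` and sign releases keylessly with that tool, pin the installer to a release tag or commit SHA so the signer cannot change underneath the workflow. The two GoReleaser pins also diverge (`version: 'v1.2.2'` here versus `'v1.2.5'` in release-cli), which looks unintentional.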
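Review bot: The new `- uses: anchore/sbom-action/download-syft@v0.6.0` step is the only unnamed step in `release-cli`; giving it `- name: Install syft` keeps the job log readable and matches the surrounding steps. `@v0.6.0` is a movable tag rather than a commit SHA, so for a job that produces signed release artifacts a SHA pin with the version in a trailing comment is the stronger choice.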
@@ -15,9 +15,17 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf/
+gomod:
+ proxy: true
+sboms:
+ - artifacts: archive
+ - id: source
+ artifacts: source
+source:
+ enabled: true
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
diff --git a/.goreleaser_client.yaml b/.goreleaser_client.yaml
index 9701e072..08352a98 100644
--- a/.goreleaser_client.yaml
+++ b/.goreleaser_client.yaml
@@ -15,9 +15,13 @@ builds:
 goarch:
 - amd64
 main: ./cmd/tuf-client/
+gomod:
+ proxy: true
+sboms:
+ - artifacts: archive
 signs:
 - cmd: cosign
 signature: "${artifact}.sig"
- stdin: '{{ .Env.COSIGN_PWD }}'
- args: ["sign-blob", "-key=.github/cosign.key", "-output=${signature}", "${artifact}"]
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-signature=${signature}", "--output-certificate=${certificate}", "${artifact}"]
 artifacts: all
\ No newline at end of file
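Review bot: The keyless `signs` entry now emits a `.sig` and a `.pem` per artifact, but nothing in the config tells a consumer what to verify; add a comment above `signs:` such as `# Keyless (Fulcio) signing: verifiers need the .sig/.pem pair and must check the certificate's issuer and workflow identity, not only the signature.` The same comment belongs in `.goreleaser_client.yaml` in the next hunk, which carries the identical `args` line. `\ No newline at end of file` is still reported on both sides of both files; end each with a newline. The `--oidc-issuer=https://token.actions.githubusercontent.com` argument also means these configs only sign correctly from GitHub Actions, which is worth stating in the same comment so a local `goreleaser release` run is not mistaken for a broken setup.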