Revamp release automation #1250
@getsops/maintainers this is ready for an early review. I need to update the PR message to include all details, but also really need to catch some sleep at the moment.

The thing to focus on in the preview is the file formats of the artifacts, in comparison to https://github.com/getsops/sops/releases/tag/v3.7.3. Most of them should be fully backwards compatible (the binaries), but for the package formats I have reached the absolute limits of what I deemed possible.

In addition, it includes all the niceness of a checksum file signed with Cosign, SBOMs for the binaries (but not containers, which include a 1:1 copy of the binary — we can add this later), and SLSA provenance for all artifacts uploaded to GitHub and the container images themselves.

To get an idea of the changelog which would normally be included, run:

```shell
gh api \
  --method POST \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  /repos/getsops/sops/releases/generate-notes \
  -f tag_name='v3.8.0' \
  -f target_commitish='main' \
  -f previous_tag_name='v3.7.2' | jq -r .body
```

Based on the output, I think the current |
This adds the base for releasing using GoReleaser going forward in a backwards compatible manner, which means:

- Publishing of artifacts in the same formats as previous releases
- Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking)

In addition, it includes:

- SBOM inclusion per binary artifact

It still needs work around:

- Artifact signing
- SLSA compliance
- Docker images
- GitHub release
- Changelog generation
- GitHub Action workflow

Signed-off-by: Hidde Beydals <[email protected]>
GoReleaser requires specifically crafted Dockerfiles as the build context is dynamically constructed. For more information, refer to https://goreleaser.com/errors/docker-build/#do and other documentation around Docker image templates and manifests. Signed-off-by: Hidde Beydals <[email protected]>
This appears to be the best option at present to e.g. celebrate new contributors while also allowing things to be grouped by pull request label. For more information, see xrefs in patch. Signed-off-by: Hidde Beydals <[email protected]>
This still needs further configuration of at least the `.header` field. Signed-off-by: Hidde Beydals <[email protected]>
Plus a tiny nit to not have to pass `--yes` to Cosign everywhere, and enabling of size reporting. Signed-off-by: Hidde Beydals <[email protected]>
These are no longer required, as they are now handled by GoReleaser or no longer under our control (`make_download_page.sh`). Signed-off-by: Hidde Beydals <[email protected]>
Which in turn solves the generation of the checksum file. Signed-off-by: Hidde Beydals <[email protected]>
These were only part of the release process, and now continue to exist in `.release/*`. Signed-off-by: Hidde Beydals <[email protected]>
As it has been replaced with GoReleaser. Signed-off-by: Hidde Beydals <[email protected]>
This allows you to run the release locally, without publishing or signing, against the current state of the repository. There are some more improvements I would like to make to the `Makefile` e.g., the deprecation of `golint` and the introduction of a `help` target. But they are out of scope for the current things I am working on. Signed-off-by: Hidde Beydals <[email protected]>
Which now allows us to set the `mod_timestamp` on universal binaries. Signed-off-by: Hidde Beydals <[email protected]>
- Describe difference between Debian (slim) and Alpine image
- Add `-o text` flag to `cosign verify` example to print readable text instead of JSON blob
- Fix typo in one of the `ghcr.io` domains
- Use correct OCI annotation for image "title"

Signed-off-by: Hidde Beydals <[email protected]>
This pull request changes the release automation so that it uses GoReleaser. The configuration for GoReleaser is in the file `.goreleaser.yaml`. The configuration for the GitHub Actions workflow is in the file `release.yml`.

This configuration is quite sophisticated, and ensures at least the following:

- `Dockerfile` and `Dockerfile.alpine` have been removed in favor of Dockerfiles specifically crafted for GoReleaser in `.release/`. These Dockerfiles need a specially crafted build context (with pretty much just the binary in it), and do not work using a normal `docker build ...`.
- `.rpm` and `.deb` artifacts.
- `.darwin` artifact is now a "fat binary".

👀 Preview (on fork)

🧑‍🏭 Preview workflow (on fork)

🖥️ Testing locally

Run `make release-snapshot` and view `dist/` contents.
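As an added illustration of how the pieces described in this PR fit together (a checksum file, a Cosign-signed checksum, per-binary SBOMs, signed container manifests, and `mod_timestamp` on universal binaries), here is a minimal GoReleaser configuration. It is not the project's own `.goreleaser.yaml`, which the page does not show; the project name, build path and IDs are placeholders, and the key names follow GoReleaser's documented schema.

```yaml
# Added illustration, not the PR's own .goreleaser.yaml; names are placeholders.
project_name: example-tool

env:
  # Equivalent to passing --yes to every Cosign invocation below.
  - COSIGN_YES=true

builds:
  - id: example-tool
    main: ./cmd/example-tool
    env: [CGO_ENABLED=0]
    goos: [linux, darwin, windows]
    goarch: [amd64, arm64]
    flags: ['-trimpath']
    ldflags: ['-s -w -X main.version={{ .Version }}']
    # Reproducible builds: pin the embedded timestamp to the commit.
    mod_timestamp: '{{ .CommitTimestamp }}'

# Merge the darwin amd64/arm64 builds into one "fat binary".
universal_binaries:
  - ids: [example-tool]
    replace: true
    mod_timestamp: '{{ .CommitTimestamp }}'

# One checksum file covering all archive and binary artifacts.
checksum:
  name_template: '{{ .ProjectName }}_{{ .Version }}.checksums.txt'

# One SBOM per binary artifact (not per container image).
sboms:
  - artifacts: binary

# Keyless Sigstore signature over the checksum file; consumers verify the
# file against the .sig and .pem, then the binaries against the file.
signs:
  - cmd: cosign
    certificate: '${artifact}.pem'
    signature: '${artifact}.sig'
    artifacts: checksum
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'

# Sign pushed container manifests by digest.
docker_signs:
  - cmd: cosign
    artifacts: manifests
    args: [sign, '${artifact}@${digest}']
```

Run it locally with `goreleaser release --snapshot --clean --skip=publish,sign` to inspect the resulting `dist/` layout without pushing or signing anything.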