releaser.yml

name: Release

on:
  workflow_dispatch:
    inputs:
      release:
        description: 'Release version'
        required: true

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  release:
    runs-on: macos-latest
    permissions:
      packages: read
      contents: write
    steps:
      -
        name: Checkout
        uses: actions/checkout@v3
      -
        name: Unshallow
        run: git fetch --prune --unshallow
      -
        name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
          check-latest: true
      -
        name: Cache Go modules
        uses: actions/cache@v3.0.3
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-
      -
        name: Download cyclonedx-gomod
        uses: Zenithar/gh-gomod-generate-sbom@v1.0.1
        with:
          version: v1.2.0
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      -
        name: Install Cosign
        uses: sigstore/cosign-installer@v2.3.0
      -
        name: Import Code-Signing Certificates
        uses: Apple-Actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
      -
        name: Install gon via HomeBrew for code signing and app notarization
        run: |
          brew tap mitchellh/gon
          brew install mitchellh/gon/gon
          brew install coreutils
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
          args: release --rm-dist --skip-publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Prepare Github release packages
        run: |
          #!/bin/bash
          shopt -s expand_aliases
          mkdir .dist
          cp dist/harp-* .dist/
      -
        name: Sign and notarize MacOS AMD64 cli
        env:
          AC_USERNAME: "${{ secrets.AC_USERNAME }}"
          AC_PASSWORD: "${{ secrets.AC_PASSWORD }}"
        run: |
          echo '{
            "source": ["./dist/harp-darwin-amd64"],
            "bundle_id":"co.elastic.harp",
            "apple_id": {},
            "sign": { "application_identity": "9470D0A7B70090A8EF31C3B33AB3868B38B27A3D" },
            "zip": {
              "output_path": "./dist/harp-darwin-amd64.zip"
            }
          }' | jq '' > gon.amd64.json
          gon -log-level=debug -log-json ./gon.amd64.json
          rm -f .dist/harp-darwin-amd64
      -
        name: Sign and notarize MacOS ARM64 cli
        env:
          AC_USERNAME: "${{ secrets.AC_USERNAME }}"
          AC_PASSWORD: "${{ secrets.AC_PASSWORD }}"
        run: |
          echo '{
            "source": ["./dist/harp-darwin-arm64"],
            "bundle_id":"co.elastic.harp",
            "apple_id": {},
            "sign": { "application_identity": "9470D0A7B70090A8EF31C3B33AB3868B38B27A3D" },
            "zip": {
              "output_path": "./dist/harp-darwin-arm64.zip"
            }
          }' | jq '' > gon.arm64.json
          gon -log-level=debug -log-json ./gon.arm64.json
          rm -f .dist/harp-darwin-arm64
      -
        name: Prepare archives
        run: |
          #!/bin/bash
          shopt -s expand_aliases
          cd .dist/
          unzip ../dist/harp-darwin-amd64.zip
          unzip ../dist/harp-darwin-arm64.zip
          FILES="*"
          for f in $FILES;
          do
            case $f in
            *.sbom.json)
                continue
                ;;
            harp-*)
                fn=$(basename -s ".exe" $f)
                tar czf ${fn}.tar.gz $f ${fn}.sbom.json
                rm -f $f ${fn}.sbom.json
                ;;
            esac
          done
      # Disable provenance
      #
      #-
      #  name: Generate provenance for Release
      #  uses: philips-labs/slsa-provenance-action@v0.7.2
      #  with:
      #    command: generate
      #    subcommand: files
      #    arguments: --artifact-path .dist --output-path '.dist/provenance.json'
      #  env:
      #    GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
      -
        name: Sign
        shell: bash
        run: |
          #!/bin/bash
          shopt -s expand_aliases
          cd .dist
          sha256sum *.tar.gz > checksums.txt
          FILES="*"
          for f in $FILES;
          do
            case $f in
            provenance.json|checksums.txt)
                cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
                ;;
            *.tar.gz)
                sha256sum "$f" | cut -d " " -f 1 > "$f.sha256"
                cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
                ;;
            esac
          done
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      -
        name: Verify
        shell: bash
        run: |
          #!/bin/bash
          shopt -s expand_aliases
          curl -sLO https://raw.githubusercontent.com/elastic/harp/v${{ github.event.inputs.release }}/build/artifact/cosign.pub
          cd .dist
          FILES="*"
          for f in $FILES;
          do
            if [[ -f "$f.sig" ]];
            then
              cosign verify-blob --key ../cosign.pub --signature "$f.sig" $f
            fi
          done
      -
        name: Upload to release
        uses: AButler/upload-release-assets@v2.0
        with:
          files: '.dist/*'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          release-tag: v${{ github.event.inputs.release }}