diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..e9b32f3
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,63 @@
+name: release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    name: release
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      contents: write
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Release
+        run: |
+          npm install @semantic-release/exec
+          npx -y semantic-release@v22
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        with:
+          name: release-notes
+          path: /tmp/release-notes.md
+
+  goreleaser:
+    name: upload binaries
+    runs-on: ubuntu-latest
+    needs: release
+    permissions:
+      id-token: write
+      checks: write
+      contents: read
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: 0
+
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
+
+      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: "1.20"
+          cache: true
+
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: release-notes
+          path: /tmp
+
+      - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        with:
+          distribution: goreleaser
+          version: latest
+          # NOTE: we use parallelism 1 because the cosign process is not concurrency safe.
+          args: release --parallelism 1 --release-notes /tmp/release-notes.md --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 0000000..ea9cff9
--- /dev/null
+++ b/.goreleaser.yaml
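Review bot: The `goreleaser` job only grants `contents: read`, but its step runs `args: release ...` without a publish skip, and uploading assets to the GitHub release with `GITHUB_TOKEN` requires `contents: write`; unless publishing is disabled somewhere not shown, the upload will be rejected, so change `contents: read` to `contents: write` on that job. The actions are SHA-pinned, yet the tooling that actually runs with the write-capable token and mints the OIDC signing identity floats: `npm install @semantic-release/exec` has no version, `npx -y semantic-release@v22` follows a major tag, and goreleaser is `version: latest`; pin them, e.g. `npm install @semantic-release/exec@<pinned-version>` and `version: <pinned-goreleaser-version>`, so a compromised or broken upstream release cannot change what signs and publishes your binaries. `checks: write` is granted to both jobs but no visible step needs it; drop it unless a plugin requires it. `COSIGN_EXPERIMENTAL: true` is a YAML boolean (Actions stringifies it, but `"true"` is the safer spelling), and with the cosign 2.x that cosign-installer v3.2.0 appears to install, keyless signing no longer needs the variable at all.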
@@ -0,0 +1,46 @@
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - main: .
+    binary: github-app-token
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath #removes all file system paths from the compiled executable
+    ldflags:
+      - "-s -w"
+    goos:
+      - linux
+    goarch:
+      - amd64
+
+archives:
+  - name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+
+signs:
+  - id: github-app-token-keyless
+    artifacts: archive
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+  - id: checksum-keyless
+    artifacts: checksum
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+
+checksum:
+  name_template: "{{ .ProjectName }}_checksums.txt"
+
+snapshot:
+  name_template: "SNAPSHOT-{{ .ShortCommit }}"
+
+release:
+  github:
+    owner: fensak-io
+    name: github-app-token
+  mode: keep-existing
diff --git a/.releaserc.yaml b/.releaserc.yaml
new file mode 100644
index 0000000..1da69ff
--- /dev/null
+++ b/.releaserc.yaml
@@ -0,0 +1,20 @@
+branches: ["main"]
+plugins:
+  - - "@semantic-release/commit-analyzer"
+    - preset: angular
+      releaseRules:
+        - type: chore
+          release: patch
+        # Override default rules for pre-1.0
+        - breaking: true
+          release: minor
+        - type: feat
+          release: patch
+      parserOpts:
+        noteKeywords:
+          - BREAKING CHANGE
+          - BREAKING CHANGES
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/exec"
+    - publishCmd: |
+        echo "${nextRelease.notes}" > /tmp/release-notes.md
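Review bot: Both `signs` entries invoke `cosign sign-blob` without `--yes`; with the cosign 2.x line that the workflow's cosign-installer v3.2.0 appears to install, keyless `sign-blob` asks for confirmation before uploading to the transparency log and fails in a non-interactive job unless `"--yes"` is appended to `args` (or `COSIGN_YES=true` is set in the step env). `before.hooks: go mod tidy` can rewrite go.mod/go.sum during the release, so the signed binary may be built from a module graph that differs from the tagged commit; a non-mutating check such as `go mod verify`, or running tidy followed by `git diff --exit-code go.mod go.sum`, keeps the build tied to what was reviewed. Alongside `-trimpath`, `mod_timestamp: "{{ .CommitTimestamp }}"` on the build entry makes the archives reproducible, which is what makes the keyless signatures independently verifiable against a rebuild. The inline comment on the `-trimpath` line should read `# removes ...` with a space after `#`.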
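Review bot: `publishCmd` interpolates `${nextRelease.notes}` into a double-quoted shell string before exec runs it through a shell, so any commit message that reaches the notes with backticks (a plain `fix: handle `nil` pointer` subject), `$(...)`, `$NAME` or a `"` is expanded or executed by the release job, which holds the `contents: write` token; at best the notes file is corrupted, at worst commit text runs as a command. Write the file without shell expansion, for example a quoted heredoc in the block scalar: `cat > /tmp/release-notes.md <<'NOTES'` / `${nextRelease.notes}` / `NOTES` (the quoted delimiter stops all expansion; only a notes line consisting solely of the delimiter would break it), or have a small script write the notes from an environment variable rather than from the command line. A comment above `publishCmd` should say that the notes are rendered verbatim into the command text and why expansion must be suppressed, so the next maintainer does not revert to `echo`.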