add signed release builds

Author: shibumi

.github/workflows/build.yml

@@ -0,0 +1,57 @@
+name: release
+on: [push, pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [ 1.16.x, 1.17.x ]
+        os: [ ubuntu-latest, macos-latest, windows-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Format Unix
+        if: runner.os == 'Linux'
+        run: test -z $(go fmt ./...)
+      - name: Test
+        run: go test -covermode atomic -coverprofile='profile.cov' ./...
+      - name: Send coverage
+        if: runner.os == 'Linux'
+        env:
+          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          GO111MODULE=off go get github.com/mattn/goveralls
+          $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+  release:
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.17
+      - name: install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.3.0'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          distribution: goreleaser
+          version: 'v0.184.0'
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1

.github/workflows/goreleaser.yml

@@ -1 +1,13 @@
+# goreleaser distribution directory
+dist
+
+# GoLand idea configuration
+.idea
+
+# VSCode configuration
+.vscode
+
+# ignore cosign private key
+cosign.key
+
 bin/

.gitignore

@@ -0,0 +1,25 @@
+project_name: in-toto
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+      - "-X cmd.tag={{.Version}}"
+      - "-X cmd.commit={{.FullCommit}}"
+      - "-X cmd.date={{.CommitDate}}"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+      - "GOFLAGS=-mod=readonly -trimpath"
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./
+signs:
+  - cmd: cosign
+    signature: "${artifact}.sig"
+    args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
+    artifacts: all

.goreleaser.yaml

@@ -0,0 +1,33 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+)
+
+var (
+	commit = "none"
+	date   = "unknown"
+	tag    = "dev"
+)
+
+var versionCmd = &cobra.Command{
+	Use:   "version",
+	Short: "Display the version of the in-toto CLI tool",
+	Long:  `Display the commit ID, the build date and the version tag of the in-toto CLI as embedded by the build system.`,
+	RunE:  version,
+}
+
+func init() {
+	rootCmd.AddCommand(versionCmd)
+}
+
+func version(cmd *cobra.Command, args []string) error {
+	// let us make it as simple as possible.
+	// We could encode the version information as JSON like kubectl does,
+	// but what if the json package has a bug? :/
+	fmt.Println("commit : ", commit)
+	fmt.Println("date   : ", date)
+	fmt.Println("version: ", tag)
+	return nil
+}