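# GoReleaser configuration for fulcio.
#
# Produces reproducible, CGO-enabled Linux binaries for five architectures,
# attaches an SBOM to each binary, signs every binary and the checksum file
# with cosign (once with a KMS-held key, once keyless), and publishes a draft
# GitHub release.
project_name: fulcio

env:
  - GO111MODULE=on
  - CGO_ENABLED=1
  - DOCKER_CLI_EXPERIMENTAL=enabled
  # Answers "yes" to cosign's interactive prompts so the sign steps below can
  # run unattended; the operator accepting the signing terms is whoever runs
  # the release.
  - COSIGN_YES=true

# Prevents parallel builds from stepping on each other's toes downloading modules
before:
  hooks:
    - go mod tidy
    # Fail the release if `go mod tidy` changed go.mod/go.sum: the module graph
    # that gets built must be exactly the one that was committed and reviewed.
    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
    # if running a release we will generate the images in this step
    # if running in the CI the CI env var is set by github action runner and we dont run the ko steps
    # this is needed because we are generating files that goreleaser was not aware to push to GH project release
    # NOTE: the container signing only happens when $CI is unset, i.e. on a
    # non-CI release run; the make targets themselves are outside this file.
    - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release && make sign-keyless-release; fi'

gomod:
  # Fetch modules through the proxy rather than from the local cache.
  proxy: true

sboms:
  - artifacts: binary

# One build per target. All builds share: a fixed module timestamp taken from
# the commit (reproducibility), -trimpath (no local paths embedded in the
# binary), and linker flags supplied by the caller via $LDFLAGS.
builds:
  - id: fulcio-linux-amd64
    binary: fulcio-linux-amd64
    no_unique_dist_dir: true
    main: .
    goos:
      - linux
    goarch:
      - amd64
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/"
  - id: fulcio-linux-arm64
    binary: fulcio-linux-arm64
    no_unique_dist_dir: true
    main: .
    goos:
      - linux
    goarch:
      - arm64
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      # CGO_ENABLED=1 above means each non-amd64 target needs its cross C compiler.
      - CC=aarch64-linux-gnu-gcc
  - id: fulcio-linux-arm
    binary: fulcio-linux-arm
    no_unique_dist_dir: true
    main: .
    goos:
      - linux
    goarch:
      - arm
    goarm:
      # Quoted so the ARM version is read as a string, not an integer.
      - "7"
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - CC=arm-linux-gnueabihf-gcc
  - id: fulcio-linux-s390x
    binary: fulcio-linux-s390x
    no_unique_dist_dir: true
    main: .
    goos:
      - linux
    goarch:
      - s390x
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - CC=s390x-linux-gnu-gcc
  - id: fulcio-linux-ppc64le
    binary: fulcio-linux-ppc64le
    no_unique_dist_dir: true
    main: .
    goos:
      - linux
    goarch:
      - ppc64le
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    ldflags:
      - "{{ .Env.LDFLAGS }}"
    env:
      - CC=powerpc64le-linux-gnu-gcc

signs:
  # Key-based signature: the private key never leaves Cloud KMS; the key
  # reference is assembled from PROJECT_ID/KEY_LOCATION/KEY_RING/KEY_NAME/
  # KEY_VERSION, all of which must be set in the release environment.
  - id: fulcio
    signature: "${artifact}.sig"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}.sig"
      - "--key"
      - "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}"
      - "${artifact}"
    artifacts: binary
  # Keyless
  # Keyless signatures emit a signing certificate next to the signature;
  # verifiers need both files (and the identity bound in the certificate).
  - id: fulcio-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: binary
  # The checksum file is signed keyless only; it carries no key-based signature.
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: checksum

archives:
  - format: binary
    name_template: "{{ .Binary }}"
    allow_different_binary_count: true

checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

snapshot:
  # Quoted for consistency with the other templated values in this file.
  name_template: "SNAPSHOT-{{ .ShortCommit }}"

release:
  prerelease: allow  # remove this when we start publishing non-prerelease or set to auto
  draft: true  # allow for manual edits
  github:
    # NOTE(review): this file lives in a fork but still targets the upstream
    # owner/name — confirm this is intended before cutting a release.
    owner: sigstore
    name: fulcio
  footer: |
    ### Thanks for all contributors!
  extra_files:
    - glob: "./fulcio*.yaml"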