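# .github/workflows/goreleaser.yml
#
# Builds, signs and publishes cnquery release artifacts with GoReleaser on a
# self-hosted runner. Triggered by any pushed tag, or manually with an option
# to skip the public publish steps.
name: goreleaser

on:
  push:
    tags:
      - '*'
  workflow_dispatch:
    inputs:
      skip-publish:
        description: 'Skip publishing to releases.mondoo.com?'
        type: boolean
        required: false
        default: false

env:
  REGISTRY: docker.io

jobs:
  goreleaser:
    permissions:
      # "contents: write" is required to create the GitHub release.
      contents: write
      # "id-token: write" lets google-github-actions/auth obtain an OIDC token
      # for workload-identity federation.
      id-token: write

    runs-on: self-hosted
    timeout-minutes: 120
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history and all tags, not a shallow clone.
          fetch-depth: 0

      - name: Skip Publish for Alpha and Beta Tags
        id: skip-publish
        # Pre-release refs and the manual opt-out mark the run as "skip publish".
        # NOTE: contains() is a plain substring match, so any ref containing
        # "rc" (not only "-rc1") is treated as a release candidate.
        # `inputs.skip-publish` is a boolean input, so it is compared with the
        # boolean `true`; comparing it with the string 'true' never matches
        # because mismatched types are coerced to numbers ('true' -> NaN).
        if: >-
          contains(github.ref, 'alpha') ||
          contains(github.ref, 'beta') ||
          contains(github.ref, 'rc') ||
          inputs.skip-publish == true
        run: |
          echo "Skipping publish for alpha and beta tags"
          echo "skip-publish=true" >> "$GITHUB_OUTPUT"
          echo "skip-publish=true" >> "$GITHUB_ENV"

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: ">=1.21.0"
          cache: false

      - name: 'Authenticate to Google Cloud'
        uses: 'google-github-actions/auth@v1'
        with:
          workload_identity_provider: ${{ secrets.GCP_WIP }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - id: 'gcp_secrets'
        uses: 'google-github-actions/get-secretmanager-secrets@v1'
        with:
          secrets: |-
            code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
            code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge

      - name: "Write RPM Signing Cert"
        # The decoded key is written to a mktemp file; its path is exported via
        # $GITHUB_ENV so later steps (and the Cleanup step) can find it.
        run: |
          gpgkey="$(mktemp -t gpgkey.XXX)"
          base64 -d <<<"$GPG_KEY" > "$gpgkey"
          echo "GPG_KEY_PATH=$gpgkey" >> "$GITHUB_ENV"
        env:
          GPG_KEY: '${{ secrets.GPG_KEY }}'

      - name: "Write Windows Signing Cert"
        # Same pattern as the RPM key: decode to a temp file, export its path.
        run: |
          cert="$(mktemp -t cert.XXX)"
          base64 -d <<<"$CERT_CONTENTS" > "$cert"
          echo "CERT_FILE=$cert" >> "$GITHUB_ENV"
        env:
          CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'

      - name: Configure DigiCert Signing Variables
        shell: bash
        # Secrets reach the script through `env:` instead of being expanded with
        # ${{ }} inside the script body, so the expression engine never pastes
        # secret material into shell source. Everything appended to $GITHUB_ENV
        # is visible to every later step in this job, including third-party
        # actions, so the exported set is kept to what signing needs.
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
          SM_CERT_ALIAS: ${{ secrets.SM_CERT_ALIAS }}
        run: |
          # CertLocker authentication certificate
          CERT_PATH="$(mktemp -t cert.XXX)"
          base64 --decode <<<"$SM_CLIENT_CERT_FILE_B64" > "$CERT_PATH"
          echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${SM_CLIENT_CERT_PASSWORD}" >> "$GITHUB_ENV"
          # CertLocker API key & host
          echo "SM_API_KEY=${SM_API_KEY}" >> "$GITHUB_ENV"
          echo "SM_HOST=${SM_HOST}" >> "$GITHUB_ENV"
          # DigiCert CertLocker code signing certificate
          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${SM_CODE_SIGNING_CERT_SHA1_HASH}" >> "$GITHUB_ENV"
          echo "SM_CERT_ALIAS=${SM_CERT_ALIAS}" >> "$GITHUB_ENV"

      # - name: Install jSign (Windows Signing Tool) -- Required for public runners
      #   run: |
      #     curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
      #     sudo dpkg -i ./jsign_5.0_all.deb

      - name: Install Quill for Mac Signing and Notarization
        # NOTE(review): this pipes an unpinned install script from the `main`
        # branch straight into sh and places the binary in /tmp (typically
        # world-writable) on a shared self-hosted runner. Pin a released
        # version and verify its checksum before using it to sign artifacts.
        run: |
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
          /tmp/quill help

      - name: Log in to the Container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Run GoReleaser (w/ Docker Release)
        # `outputs.skip-publish` is the empty string (falsy) when the skip step
        # did not run, and the non-empty string 'true' (truthy) when it did.
        if: ${{ ! steps.skip-publish.outputs.skip-publish }}
        uses: goreleaser/goreleaser-action@v4
        with:
          distribution: goreleaser
          # `latest` floats between runs; pin a release for reproducible builds.
          version: latest
          args: release --clean --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ''
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}

      - name: Run GoReleaser (w/o Docker Release)
        # Unstable config: used for pre-release tags and manual skip-publish runs.
        if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
        uses: goreleaser/goreleaser-action@v4
        with:
          distribution: goreleaser
          version: latest
          args: release -f .github/.goreleaser-unstable.yml --clean --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ''
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}

      - name: Check RPMs
        run: |
          rpm -qpi dist/*.rpm

      - name: Output Quill Logs
        if: ${{ failure() }}
        run: |
          for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
            echo "=== $f ==="
            ls -l "$f"
            cat "$f"
          done

      - name: Publish Release to releases.mondoo.com
        if: ${{ ! steps.skip-publish.outputs.skip-publish }}
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/releasr"
          event-type: publish-release
          client-payload: '{
            "repository": "${{ github.event.repository.name }}",
            "version": "${{ github.ref_name }}"
          }'

      - name: Cleanup
        # Runs even when an earlier step failed. The three cert-writing steps
        # export their temp-file paths through $GITHUB_ENV; a plain shell
        # variable from another step (e.g. CERT_PATH) is not visible here, so
        # only the exported paths can be removed. Each one is checked for
        # emptiness so the step succeeds when a writing step was skipped.
        if: always()
        run: |
          for f in "${SM_CLIENT_CERT_FILE}" "${CERT_FILE}" "${GPG_KEY_PATH}"; do
            if [ -n "$f" ]; then rm -f "$f"; fi
          done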