diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 648661b2e..e1d313c9d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,45 +1,56 @@ -name: Cut Release +name: release on: - workflow_dispatch: + push: permissions: - id-token: write - contents: write - + id-token: write # needed for federation + contents: write # needed to write releases env: - VERSION_FILE: pkg/version/version.go + YARA_VERSION: 4.5.1 jobs: - tag: - if: ${{ github.repository }} == 'chainguard-dev/bincapz' + release: runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 - - name: Get Version - id: get-version - run: | - VERSION=$(awk -F'"' '/ID string =/ {print $2}' ${{ env.VERSION_FILE }}) - if [[ ! "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT" - - name: Create Release - env: - GH_TOKEN: ${{ github.token }} - if: ${{ steps.get-version.outputs.VERSION != '' }} - run: | - VERSION=${{ steps.get-version.outputs.VERSION }} - if [[ ! 
"${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - git config --global tag.gpgsign true - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 + with: + go-version-file: go.mod + cache: true + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - uses: goto-bus-stop/setup-zig@7ab2955eb728f5440978d5824358023be3a2802d + - name: Fix zig-cache permissions + run: | + mkdir ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + sudo chown -R $(whoami):$(id -u) ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + env: + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache + - name: Set output + id: macos_sdk + run: echo "path=$(xcrun --show-sdk-path)" >> $GITHUB_OUTPUT + - name: Install yara + run: | + sudo apt -y install automake libtool make gcc pkg-config + mkdir -p /tmp/yara && cd /tmp/yara + wget https://github.com/VirusTotal/yara/archive/refs/tags/v${{ env.YARA_VERSION }}.tar.gz + tar -zxf v${{ env.YARA_VERSION }}.tar.gz + cd yara-${{ env.YARA_VERSION }} + ./bootstrap.sh + ./configure + make + sudo make install + rm -rf v${{ env.YARA_VERSION }}.tar.gz yara-${{ env.YARA_VERSION }} + sudo ldconfig -v + cd - + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 + with: + version: ~> v2 + args: release --clean + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SDK_PATH: ${{ steps.macos_sdk.outputs.path }} + VERSION: ${{ github.ref_name }} + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml deleted file mode 100644 index 275fd4259..000000000 --- a/.github/workflows/version.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -name: Bump Version - -on: - workflow_dispatch: - inputs: - update: - description: 'Semver update type (patch, minor, major)' - required: true - default: 'minor' - -permissions: - contents: write - id-token: write - pull-requests: write - -env: - VERSION_FILE: pkg/version/version.go - -jobs: - version: - if: ${{ github.repository }} == 'chainguard-dev/bincapz' - runs-on: ubuntu-latest - steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 - - name: Update Version - id: update - run: | - UPDATE_TYPE=${{ github.event.inputs.update }} - - CURRENT_VERSION=$(awk -F'"' '/ID string =/ {print $2}' ${{ env.VERSION_FILE }}) - - if [[ ! "${CURRENT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: CURRENT_VERSION is not a valid semver" - exit 1 - fi - - IFS='.' read -ra VERSION_PARTS <<< "${CURRENT_VERSION:1}" - - case "$UPDATE_TYPE" in - major) - VERSION=$(printf "v%d.0.0" $((${VERSION_PARTS[0]}+1))) - ;; - minor) - VERSION=$(printf "v%s.%d.0" ${VERSION_PARTS[0]} $((${VERSION_PARTS[1]}+1))) - ;; - patch) - VERSION=$(printf "v%s.%s.%d" ${VERSION_PARTS[0]} ${VERSION_PARTS[1]} $((${VERSION_PARTS[2]}+1))) - ;; - *) - echo "Error: Invalid update type" - exit 1 - ;; - esac - - if [[ ! 
"${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - - echo "Current bincapz version: $CURRENT_VERSION" - echo "New bincapz version: $VERSION" - - sed -i "s/ID string = \"v[0-9]*\.[0-9]*\.[0-9]*\"/ID string = \"${VERSION}\"/" ${{ env.VERSION_FILE }} - - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - BRANCH="bincapz-version-bump-$VERSION" - git checkout -b $BRANCH - git add ${{ env.VERSION_FILE }} - git commit -m "Bump bincapz version to $VERSION" - git push origin $BRANCH - - echo "VERSION=$VERSION" >> $GITHUB_OUTPUT - - name: Create Pull Request - env: - GH_TOKEN: ${{ github.token }} - run: | - VERSION=${{ steps.update.outputs.VERSION }} - gh pr create -t "Update bincapz to $VERSION" -b "PR to update the version in ${{ env.VERSION_FILE }} to $VERSION" -B main diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 597384392..24ed38630 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -1,28 +1,113 @@ +# Sourced and adapted from https://github.com/goreleaser/goreleaser-example-zig-cgo/blob/master/.goreleaser.yaml project_name: bincapz before: hooks: - go mod tidy +env: + - COSIGN_YES=true + builds: - - id: bincapz-build - binary: bincapz - main: ./ + - id: bincapz-macos-build goos: - - darwin - - linux - - windows + - darwin + goarch: + - amd64 + - arm64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} flags: - - -trimpath - mod_timestamp: '{{ .CommitTimestamp }}' + - -trimpath + - -buildmode=pie + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "darwin" }} + {{- if eq .Arch "amd64" }}CC=zig cc -target x86-64-macos-none{{- end }} + {{- if eq .Arch "arm64" }}CC=zig cc -target aarch64-macos-none{{- end }} + {{- end }} + - >- + {{- if eq .Os "darwin" }} + {{- if eq .Arch "amd64" }}CXX=zig c++ -target x86_64-macos-none{{- end }} + {{- if eq .Arch "arm64" }}CXX=zig c++ -target aarch64-macos-none{{- end }} + {{- end }} + - id: bincapz-linux-build + goos: + - linux + goarch: + - amd64 + - arm64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} + flags: + - -trimpath + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "amd64" }}CC=zig cc -target x86_64-linux-gnu{{- end }} + {{- if eq .Arch "arm64" }}CC=zig cc -target aarch64-linux-gnu{{- end }} + {{- end }} + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "amd64" }}CXX=zig c++ -target x86_64-linux-gnu{{- end }} + {{- if eq .Arch "arm64" }}CXX=zig c++ -target aarch64-linux-gnu{{- end }} + {{- end }} + + - id: bincapz-windows-build + goos: + - windows + goarch: + - amd64 + - arm64 ldflags: - - -X main.BuildVersion={{.Version}} + - -s -w -X main.BuildVersion={{.Env.VERSION}} + flags: + - -trimpath + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "windows" }} + {{- if eq .Arch "amd64" }}CC=zig cc -target x86_64-windows-gnu{{- end }} + {{- if eq .Arch "arm64" }}CC=zig cc -target aarch64-windows-gnu{{- end }} + {{- end }} + - >- + {{- if eq .Os "windows" }} + {{- 
if eq .Arch "amd64" }}CXX=zig c++ -target x86_64-windows-gnu{{- end }} + {{- if eq .Arch "arm64" }}CXX=zig c++ -target aarch64-windows-gnu{{- end }} + {{- end }} +archives: + - format: tar.gz + # this name template makes the OS and Arch compatible with the results of uname. + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + # use zip for windows archives + format_overrides: + - goos: windows + format: zip + files: + - LICENSE + wrap_in_directory: true checksum: name_template: 'checksums.txt' - -changelog: - sort: asc - snapshot: name_template: "{{ incpatch .Version }}-next" +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' +signs: + - id: apko-cosign + cmd: cosign + certificate: "${artifact}.crt" + args: ["sign-blob", "--output-signature", "${signature}", "--output-certificate", "${certificate}", "${artifact}", "--yes"] + artifacts: all diff --git a/go.mod b/go.mod index 20ae90fd4..475e302d2 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/chainguard-dev/bincapz -go 1.23 +go 1.23.0 require ( github.com/agext/levenshtein v1.2.3
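Review bot: The darwin/amd64 build sets `CC=zig cc -target x86-64-macos-none` while the matching CXX line and every other target use the `x86_64` spelling; zig names the architecture `x86_64`, so the CC line looks like a typo that would break the cgo compile for that target — change it to `CC=zig cc -target x86_64-macos-none`. The release workflow exports `SDK_PATH` for this step, but none of the darwin env lines reference `{{ .Env.SDK_PATH }}`, so the macOS SDK is never handed to the cross compiler; either wire it into the darwin CC/CXX flags (the cited upstream example is presumably where the variable comes from) or drop the unused output. `-buildmode=pie` is applied only to the darwin build; the linux build would benefit from the same hardening flag if the zig cross link supports it there, and keeping the three `flags:` lists identical avoids the per-target drift. Every ldflags line now uses `{{.Env.VERSION}}`, which makes a local `goreleaser build` fail when VERSION is unset where the previous `{{.Version}}` did not; if that is intended, say so in the header comment.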