diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 648661b2e..8bded8ec0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,45 +1,99 @@ -name: Cut Release +name: release +# run only on tags on: - workflow_dispatch: + push: + tags: + - 'v*' permissions: - id-token: write - contents: write - + id-token: write # needed for federation + contents: write # needed to write releases env: - VERSION_FILE: pkg/version/version.go + YARA_VERSION: 4.5.1 jobs: - tag: - if: ${{ github.repository }} == 'chainguard-dev/bincapz' - runs-on: ubuntu-latest + release-arm64: + runs-on: macos-latest + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 + with: + go-version-file: go.mod + cache: true + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - name: Fix zig-cache permissions + run: | + mkdir ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + sudo chown -R $(whoami):$(id -u) ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + env: + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache + - name: Set output + id: macos_sdk + run: echo "path=$(xcrun --show-sdk-path)" >> $GITHUB_OUTPUT + - name: Install yara + run: | + brew install automake autoconf libtool pkg-config messense/macos-cross-toolchains messense/x86_64-unknown-linux-gnu messense/aarch64-unknown-linux-gnu mingw-w64 + mkdir -p /tmp/yara && cd /tmp/yara + wget https://github.com/VirusTotal/yara/archive/refs/tags/v${{ env.YARA_VERSION }}.tar.gz + tar -zxf v${{ env.YARA_VERSION }}.tar.gz + cd yara-${{ env.YARA_VERSION }} + ./bootstrap.sh + ./configure + make + sudo make install + rm -rf v${{ env.YARA_VERSION }}.tar.gz yara-${{ env.YARA_VERSION }} + cd - + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 + with: + version: ~> v2 + args: release --clean -f .goreleaser_arm64.yaml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SDK_PATH: ${{ steps.macos_sdk.outputs.path }} + VERSION: ${{ github.ref_name }} + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache + release-amd64: + runs-on: macos-13 steps: - - uses: 
step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 - - name: Get Version - id: get-version - run: | - VERSION=$(awk -F'"' '/ID string =/ {print $2}' ${{ env.VERSION_FILE }}) - if [[ ! "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT" - - name: Create Release - env: - GH_TOKEN: ${{ github.token }} - if: ${{ steps.get-version.outputs.VERSION != '' }} - run: | - VERSION=${{ steps.get-version.outputs.VERSION }} - if [[ ! "${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - git config --global tag.gpgsign true - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - gh release create "$VERSION" --title "$VERSION" --notes "Release $VERSION" --draft + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 + with: + go-version-file: go.mod + cache: true + - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - name: Fix zig-cache permissions + run: | + mkdir ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + sudo chown -R $(whoami):$(id -u) ${{ env.ZIG_USE_GLOBAL_CACHE_DIR }} + env: + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache + - name: Set output + id: macos_sdk + run: echo "path=$(xcrun --show-sdk-path)" >> $GITHUB_OUTPUT + - name: Install yara + run: | + brew install automake autoconf libtool pkg-config messense/macos-cross-toolchains messense/x86_64-unknown-linux-gnu messense/aarch64-unknown-linux-gnu mingw-w64 + mkdir -p /tmp/yara && cd /tmp/yara + wget https://github.com/VirusTotal/yara/archive/refs/tags/v${{ 
env.YARA_VERSION }}.tar.gz + tar -zxf v${{ env.YARA_VERSION }}.tar.gz + cd yara-${{ env.YARA_VERSION }} + ./bootstrap.sh + ./configure + make + sudo make install + rm -rf v${{ env.YARA_VERSION }}.tar.gz yara-${{ env.YARA_VERSION }} + cd - + - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 + with: + version: ~> v2 + args: release --clean -f .goreleaser_amd64.yaml + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SDK_PATH: ${{ steps.macos_sdk.outputs.path }} + VERSION: ${{ github.ref_name }} + ZIG_USE_GLOBAL_CACHE_DIR: $HOME/zig-cache diff --git a/.github/workflows/version.yaml b/.github/workflows/version.yaml deleted file mode 100644 index 275fd4259..000000000 --- a/.github/workflows/version.yaml +++ /dev/null 
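Review bot: The `Install yara` step fetches `v${{ env.YARA_VERSION }}.tar.gz` with wget and runs it straight through `./bootstrap.sh`, `make` and `sudo make install` with no integrity check, so the libyara that ends up statically linked into the binaries goreleaser then cosign-signs is whatever that URL served at that moment; the same step is duplicated verbatim in `release-amd64` later in this hunk. A pinned digest closes the gap: add `YARA_SHA256: <sha256 of the yara tarball>` beside `YARA_VERSION` in the top-level `env:` and put `echo "${{ env.YARA_SHA256 }}  v${{ env.YARA_VERSION }}.tar.gz" | shasum -a 256 -c -` directly after the wget line in both jobs (GitHub's generated tag archives have changed bytes before, so expect to re-pin occasionally). The `brew install` of the `messense/*` cross-toolchain taps is likewise unpinned third-party code on the release host; at minimum a `brew list --versions` after the install records which toolchain produced a given release. Separately, `version: ~> v2` lets goreleaser-action resolve any 2.x at run time, so release behaviour can change without a commit to this repository; pinning an exact goreleaser version keeps the tag-to-artifact path reproducible.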
@@ -1,83 +0,0 @@ -name: Bump Version - -on: - workflow_dispatch: - inputs: - update: - description: 'Semver update type (patch, minor, major)' - required: true - default: 'minor' - -permissions: - contents: write - id-token: write - pull-requests: write - -env: - VERSION_FILE: pkg/version/version.go - -jobs: - version: - if: ${{ github.repository }} == 'chainguard-dev/bincapz' - runs-on: ubuntu-latest - steps: - - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde - with: - egress-policy: audit - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - - uses: chainguard-dev/actions/setup-gitsign@e82b4e5ae10182af72972addcb3fedf7454621c8 - - name: Update Version - id: update - run: | - UPDATE_TYPE=${{ github.event.inputs.update }} - - CURRENT_VERSION=$(awk -F'"' '/ID string =/ {print $2}' ${{ env.VERSION_FILE }}) - - if [[ ! "${CURRENT_VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: CURRENT_VERSION is not a valid semver" - exit 1 - fi - - IFS='.' read -ra VERSION_PARTS <<< "${CURRENT_VERSION:1}" - - case "$UPDATE_TYPE" in - major) - VERSION=$(printf "v%d.0.0" $((${VERSION_PARTS[0]}+1))) - ;; - minor) - VERSION=$(printf "v%s.%d.0" ${VERSION_PARTS[0]} $((${VERSION_PARTS[1]}+1))) - ;; - patch) - VERSION=$(printf "v%s.%s.%d" ${VERSION_PARTS[0]} ${VERSION_PARTS[1]} $((${VERSION_PARTS[2]}+1))) - ;; - *) - echo "Error: Invalid update type" - exit 1 - ;; - esac - - if [[ ! 
"${VERSION}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "Error: VERSION is not a valid semver" - exit 1 - fi - - echo "Current bincapz version: $CURRENT_VERSION" - echo "New bincapz version: $VERSION" - - sed -i "s/ID string = \"v[0-9]*\.[0-9]*\.[0-9]*\"/ID string = \"${VERSION}\"/" ${{ env.VERSION_FILE }} - - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - BRANCH="bincapz-version-bump-$VERSION" - git checkout -b $BRANCH - git add ${{ env.VERSION_FILE }} - git commit -m "Bump bincapz version to $VERSION" - git push origin $BRANCH - - echo "VERSION=$VERSION" >> $GITHUB_OUTPUT - - name: Create Pull Request - env: - GH_TOKEN: ${{ github.token }} - run: | - VERSION=${{ steps.update.outputs.VERSION }} - gh pr create -t "Update bincapz to $VERSION" -b "PR to update the version in ${{ env.VERSION_FILE }} to $VERSION" -B main diff --git a/.goreleaser.yaml b/.goreleaser.yaml deleted file mode 100644 index 597384392..000000000 --- a/.goreleaser.yaml +++ /dev/null @@ -1,28 +0,0 @@ -project_name: bincapz - -before: - hooks: - - go mod tidy - -builds: - - id: bincapz-build - binary: bincapz - main: ./ - goos: - - darwin - - linux - - windows - flags: - - -trimpath - mod_timestamp: '{{ .CommitTimestamp }}' - ldflags: - - -X main.BuildVersion={{.Version}} - -checksum: - name_template: 'checksums.txt' - -changelog: - sort: asc - -snapshot: - name_template: "{{ incpatch .Version }}-next" diff --git a/.goreleaser_amd64.yaml b/.goreleaser_amd64.yaml new file mode 100644 index 000000000..af3f1cd45 --- /dev/null +++ b/.goreleaser_amd64.yaml 
@@ -0,0 +1,92 @@ +# Sourced and adapted from https://github.com/goreleaser/goreleaser-example-zig-cgo/blob/master/.goreleaser.yaml +project_name: bincapz_amd64 + +before: + hooks: + - go mod tidy + +env: + - COSIGN_YES=true + +builds: + - id: bincapz-macos-amd64-build + goos: + - darwin + goarch: + - amd64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} + flags: + - -trimpath + - -buildmode=pie + env: + - CGO_ENABLED=1 + - id: bincapz-linux-amd64-build + goos: + - linux + goarch: + - amd64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} -extldflags=-static + flags: + - -trimpath + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "amd64" }}CC=x86_64-linux-gnu-gcc{{- end }} + {{- end }} + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "amd64" }}CXX=x86_64-linux-gnu-g++{{- end }} + {{- end }} + + - id: bincapz-windows-amd64-build + goos: + - windows + goarch: + - amd64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} -linkmode external -extldflags -static + flags: + - -trimpath + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "windows" }} + {{- if eq .Arch "amd64" }}CC=x86_64-w64-mingw32-gcc{{- end }} + {{- end }} + +archives: + - format: tar.gz + # this name template makes the OS and Arch compatible with the results of uname. 
+ name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + # use zip for windows archives + format_overrides: + - goos: windows + format: zip + files: + - LICENSE + wrap_in_directory: true +checksum: + name_template: 'checksums.txt' +snapshot: + name_template: "{{ incpatch .Version }}-next" +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' +signs: + - id: apko-cosign + cmd: cosign + certificate: "${artifact}.crt" + args: ["sign-blob", "--output-signature", "${signature}", "--output-certificate", "${certificate}", "${artifact}", "--yes"] + artifacts: all diff --git a/.goreleaser_arm64.yaml b/.goreleaser_arm64.yaml new file mode 100644 index 000000000..be314e1ae --- /dev/null +++ b/.goreleaser_arm64.yaml 
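Review bot: Both new goreleaser configs set `checksum.name_template: 'checksums.txt'` (this file and `.goreleaser_arm64.yaml`), yet the `release-arm64` and `release-amd64` jobs publish into the same GitHub release for the tag, so whichever job finishes second uploads a `checksums.txt` — plus its `.sig` and `.crt` from `artifacts: all` — under a name that already exists; as far as I can tell goreleaser does not replace existing release assets by default, so that upload either fails or leaves only one architecture's checksums published. Make the name architecture-specific in both files, e.g. `name_template: '{{ .ProjectName }}_checksums.txt'`, which resolves to `bincapz_amd64_checksums.txt` here because `project_name` already carries the arch. The `signs` entry is also still called `apko-cosign`, which reads as copied from another project; a name like `bincapz-cosign` avoids confusion in goreleaser's log output.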
@@ -0,0 +1,76 @@ +# Sourced and adapted from https://github.com/goreleaser/goreleaser-example-zig-cgo/blob/master/.goreleaser.yaml +project_name: bincapz_arm64 + +before: + hooks: + - go mod tidy + +env: + - COSIGN_YES=true + +builds: + - id: bincapz-macos-arm64-build + goos: + - darwin + goarch: + - arm64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} -extldflags=-static + flags: + - -trimpath + - -buildmode=pie + env: + - CGO_ENABLED=1 + - id: bincapz-linux-arm64-build + goos: + - linux + goarch: + - arm64 + ldflags: + - -s -w -X main.BuildVersion={{.Env.VERSION}} -linkmode external -extldflags -static + flags: + - -trimpath + env: + - CGO_ENABLED=1 + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "arm64" }}CC=aarch64-linux-gnu-gcc{{- end }} + {{- end }} + - >- + {{- if eq .Os "linux" }} + {{- if eq .Arch "arm64" }}CXX=aarch64-linux-gnu-g++{{- end }} + {{- end }} + +archives: + - format: tar.gz + # this name template makes the OS and Arch compatible with the results of uname. + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + # use zip for windows archives + format_overrides: + - goos: windows + format: zip + files: + - LICENSE + wrap_in_directory: true +checksum: + name_template: 'checksums.txt' +snapshot: + name_template: "{{ incpatch .Version }}-next" +changelog: + sort: asc + filters: + exclude: + - '^docs:' + - '^test:' +signs: + - id: apko-cosign + cmd: cosign + certificate: "${artifact}.crt" + args: ["sign-blob", "--output-signature", "${signature}", "--output-certificate", "${certificate}", "${artifact}", "--yes"] + artifacts: all diff --git a/go.mod b/go.mod index 20ae90fd4..475e302d2 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/chainguard-dev/bincapz -go 1.23 +go 1.23.0 require ( github.com/agext/levenshtein v1.2.3
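Review bot: The darwin/arm64 build's ldflags line carries `-extldflags=-static`, which the darwin/amd64 build in `.goreleaser_amd64.yaml` does not, and nothing in this config (no `CC=` override for darwin) points to a toolchain other than Apple's, whose linker does not produce fully static executables; if this job currently succeeds it is worth confirming what the flag is actually doing, and otherwise aligning the line with the amd64 file: `- -s -w -X main.BuildVersion={{.Env.VERSION}}`. The file also keeps `format_overrides` for `goos: windows` even though no windows build is defined here, which is harmless but misleading — either drop the block or add `# no windows build in this config; kept for parity with .goreleaser_amd64.yaml` above it.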