Skip to content

🧹 Improving the keyVault resources to cover automatic key rotation po… #331

🧹 Improving the keyVault resources to cover automatic key rotation po…

🧹 Improving the keyVault resources to cover automatic key rotation po… #331

Workflow file for this run

name: goreleaser
on:
push:
tags:
- '*'
workflow_dispatch:
inputs:
skip-publish:
description: 'Skip publishing to releases.mondoo.com?'
type: boolean
required: false
default: false
env:
REGISTRY: docker.io
jobs:
goreleaser:
permissions:
# Add "contents" to write release
contents: 'write'
# Add "id-token" for google-github-actions/auth
id-token: 'write'
runs-on: self-hosted
timeout-minutes: 120
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Skip Publish for Alpha and Beta Tags
id: skip-publish
if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == 'true'
run: |
echo "Skipping publish for alpha and beta tags"
echo "skip-publish=true" >> $GITHUB_OUTPUT
echo "skip-publish=true" >> $GITHUB_ENV
- name: Import environment variables from file
run: cat ".github/env" >> $GITHUB_ENV
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ">=${{ env.golang-version }}"
cache: false
- name: Install Protoc
uses: arduino/setup-protoc@v3
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
workload_identity_provider: ${{ secrets.GCP_WIP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- id: 'gcp_secrets'
uses: 'google-github-actions/get-secretmanager-secrets@v2'
with:
secrets: |-
code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
- name: "Write RPM Signing Cert"
run: |
gpgkey="$(mktemp -t gpgkey.XXX)"
base64 -d <<<"$GPG_KEY" > "$gpgkey"
echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
env:
GPG_KEY: '${{ secrets.GPG_KEY}}'
- name: "Write Windows Signing Cert"
run: |
cert="$(mktemp -t cert.XXX)"
base64 -d <<<"$CERT_CONTENTS" > "$cert"
echo "CERT_FILE=$cert" >> $GITHUB_ENV
env:
CERT_CONTENTS: '${{ steps.gcp_secrets.outputs.code_sign_cert_b64 }}'
- name: Configure DigiCert Signing Variables
shell: bash
run: |
# CertLocker Authentication Certifiate
CERT_PATH="$(mktemp -t cert.XXX)"
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
# CertLocker API Key & Host
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
# DigiCert CertLocker Code Signing Certificate
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
# - name: Install jSign (Windows Signing Tool) -- Required for public runners
# run: |
# curl -LO https://github.com/ebourg/jsign/releases/download/5.0/jsign_5.0_all.deb
# sudo dpkg -i ./jsign_5.0_all.deb
- name: Install Quill for Mac Signing and Notarization
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
/tmp/quill help
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run GoReleaser (w/ Docker Release)
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
args: release --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
QUILL_SIGN_PASSWORD: ''
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Run GoReleaser (w/o Docker Release)
if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
args: release -f .github/.goreleaser-unstable.yml --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
QUILL_SIGN_PASSWORD: ''
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Check RPMs
run: |
rpm -qpi dist/*.rpm
- name: Output Quill Logs
if: ${{ failure() }}
run: |
for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
echo "=== $f ==="
ls -l $f
cat $f
done
- name: Publish Release to releases.mondoo.com
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
repository: "mondoohq/releasr"
event-type: publish-release
client-payload: '{
"repository": "${{ github.event.repository.name }}",
"version": "${{ github.ref_name }}"
}'
- name: Cleanup
if: always()
run:
rm -f ${CERT_PATH}