refactor release process to use ko to build the images

Signed-off-by: Carlos Panato <[email protected]>

.github/workflows/kind-e2e-cosigned.yaml

@@ -169,6 +169,10 @@ jobs:
         sudo echo "127.0.0.1 $INSECURE_REGISTRY_NAME" | sudo tee -a /etc/hosts
 
     - name: Install cosigned
+      env:
+        GIT_HASH: $GITHUB_SHA
+        GIT_VERSION: ci
+        LDFLAGS: ""
       run: |
         ko apply -Bf config/
 

.github/workflows/validate-release.yml

@@ -50,17 +50,11 @@ jobs:
             -v /var/run/docker.sock:/var/run/docker.sock \
             -w /go/src/sigstore/cosign \
             --entrypoint="" \
-            ghcr.io/gythialy/golang-cross:v1.17.2-1@sha256:51f3c71079f6e1d7d0732b33bcc54ebd310f6ea155ac7dbe244a8695334bd50a \
+            ghcr.io/gythialy/golang-cross:v1.17.3-1@sha256:f934a6b0411bbe6723a65732baa8ff7e318cc2d8b089afddb41be3d60d0ea1ae \
             make snapshot
 
       - name: check binaries
         run: |
           ./dist/cosign-linux-amd64 version
           ./dist/cosigned-linux-amd64 --help
           ./dist/sget-linux-amd64 --help
-
-      - name: check images
-        run: |
-          docker run gcr.io/honk-fake-project/cosign:SNAPSHOT-${GITHUB_SHA:0:7}-amd64 version
-          docker run gcr.io/honk-fake-project/cosigned:SNAPSHOT-${GITHUB_SHA:0:7}-amd64 --help
-          docker run gcr.io/honk-fake-project/sget:SNAPSHOT-${GITHUB_SHA:0:7}-amd64 --help

.goreleaser.yml

@@ -5,7 +5,7 @@ env:
   - CGO_ENABLED=1
   - DOCKER_CLI_EXPERIMENTAL=enabled
 
-# Prevents parallel builds from stepping on eachothers toes downloading modules
+# Prevents parallel builds from stepping on each others toes downloading modules
 before:
   hooks:
   - go mod tidy
@@ -23,6 +23,11 @@ builds:
   goarch:
     - amd64
     - arm64
+    - arm
+    - s390x
+    - ppc64le
+  goarm:
+    - 7
   ldflags:
     - "{{ .Env.LDFLAGS }}"
   env:
@@ -108,6 +113,7 @@ builds:
     - CC=x86_64-w64-mingw32-gcc
     - CXX=x86_64-w64-mingw32-g++
   main: ./cmd/cosign
+  mod_timestamp: '{{ .CommitTimestamp }}'
   flags:
     - -trimpath
   goos:
@@ -124,13 +130,19 @@ builds:
   binary: cosigned-linux-{{ .Arch }}
   no_unique_dist_dir: true
   main: ./cmd/cosign/webhook
+  mod_timestamp: '{{ .CommitTimestamp }}'
   flags:
     - -trimpath
   goos:
     - linux
   goarch:
     - amd64
     - arm64
+    - arm
+    - s390x
+    - ppc64le
+  goarm:
+    - 7
   ldflags:
     - "{{ .Env.LDFLAGS }}"
   env:
@@ -139,6 +151,7 @@ builds:
 - id: sget
   binary: sget-{{ .Os }}-{{ .Arch }}
   no_unique_dist_dir: true
+  mod_timestamp: '{{ .CommitTimestamp }}'
   main: ./cmd/sget
   flags:
     - -trimpath
@@ -149,9 +162,20 @@ builds:
   goarch:
     - amd64
     - arm64
+    - arm
+    - s390x
+    - ppc64le
+  goarm:
+    - 7
   ignore:
     - goos: windows
       goarch: arm64
+    - goos: windows
+      goarch: arm
+    - goos: windows
+      goarch: s390x
+    - goos: windows
+      goarch: ppc64le
   ldflags:
     - "{{ .Env.LDFLAGS }}"
   env:
@@ -178,92 +202,6 @@ signs:
     ids:
       - sget
 
-dockers:
-  # cosign Image
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-amd64"
-    dockerfile: Dockerfile
-    goos: linux
-    goarch: amd64
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
-      - "--build-arg=TARGETARCH=amd64"
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-arm64v8"
-    goos: linux
-    goarch: arm64
-    dockerfile: Dockerfile
-    build_flag_templates:
-      - "--platform=linux/arm64/v8"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
-      - "--build-arg=TARGETARCH=arm64"
-
-  # cosigned Image
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-amd64"
-    dockerfile: Dockerfile.cosigned
-    goos: linux
-    goarch: amd64
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
-      - "--build-arg=TARGETARCH=amd64"
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-arm64v8"
-    goos: linux
-    goarch: arm64
-    dockerfile: Dockerfile.cosigned
-    build_flag_templates:
-      - "--platform=linux/arm64/v8"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
-      - "--build-arg=TARGETARCH=arm64"
-
-  # sget Image
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-amd64"
-    dockerfile: Dockerfile.sget
-    goos: linux
-    goarch: amd64
-    build_flag_templates:
-      - "--platform=linux/amd64"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-amd64"
-      - "--build-arg=TARGETARCH=amd64"
-  - image_templates:
-      - "gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-arm64v8"
-    goos: linux
-    goarch: arm64
-    dockerfile: Dockerfile.sget
-    build_flag_templates:
-      - "--platform=linux/arm64/v8"
-      # TODO(dekkagaijin): remove suffix when race condition fixed
-      - "--build-arg=RUNTIME_IMAGE={{ .Env.RUNTIME_IMAGE }}-arm64"
-      - "--build-arg=TARGETARCH=arm64"
-
-docker_manifests:
-  - name_template: gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}
-    image_templates:
-      - gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-amd64
-      - gcr.io/{{ .Env.PROJECT_ID }}/cosign:{{ .Version }}-arm64v8
-  - name_template: gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}
-    image_templates:
-      - gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-amd64
-      - gcr.io/{{ .Env.PROJECT_ID }}/cosigned:{{ .Version }}-arm64v8
-  - name_template: gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}
-    image_templates:
-      - gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-amd64
-      - gcr.io/{{ .Env.PROJECT_ID }}/sget:{{ .Version }}-arm64v8
-
-docker_signs:
-  - artifacts: all
-    cmd: ./dist/cosign-linux-amd64
-    args: [ "sign", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}" ]
-
 archives:
 - format: binary
   name_template: "{{ .Binary }}"

.ko.yaml

@@ -15,3 +15,49 @@
 
 # We need a shell for a lot of redirection/piping to work
 defaultBaseImage: gcr.io/distroless/base:debug-nonroot
+
+builds:
+- id: cosign
+  dir: .
+  main: ./cmd/cosign
+  env:
+  - CGO_ENABLED=0
+  flags:
+  - -trimpath
+  - -tags
+  - "{{ .Env.GIT_HASH }}"
+  - -tags
+  - "{{ .Env.GIT_VERSION }}"
+  ldflags:
+  - -extldflags "-static"
+  - "{{ .Env.LDFLAGS }}"
+
+- id: cosigned
+  dir: .
+  main: ./cmd/cosign/webhook
+  env:
+  - CGO_ENABLED=0
+  flags:
+  - -trimpath
+  - --tags
+  - "{{ .Env.GIT_HASH }}"
+  - --tags
+  - "{{ .Env.GIT_VERSION }}"
+  ldflags:
+  - -extldflags "-static"
+  - "{{ .Env.LDFLAGS }}"
+
+- id: sget
+  dir: .
+  main: ./cmd/sget
+  env:
+  - CGO_ENABLED=0
+  flags:
+  - -trimpath
+  - --tags
+  - "{{ .Env.GIT_HASH }}"
+  - --tags
+  - "{{ .Env.GIT_VERSION }}"
+  ldflags:
+  - -extldflags "-static"
+  - "{{ .Env.LDFLAGS }}"