release: add goreleaser scripts for cosigned

[hectorj2f]

Add scripts to inject scripts to release cosigned binary and its respective docker image using goreleaser.

[cpanato]

@hectorj2f missing the DCO :)

[cpanato]

i see that is a helm chart, what we make the release of the chart as well? maybe we push the chart to a dedicated repo. I'm 0/5 on this but just saying will be good to release the chart.

Need some infra for that, but I can take care, did for several other projects already :)

[dlorenc]

Sorry @cpanato not sure I follow - whatever you think is the best way to release this works for me!

[cpanato]

the helm chart can be released as well, and for that, we can use the GitHub page to host :) and then we later can publish it to the artifact hub, the whole party

but to release it we will need to do some GitHub actions to deal if the helm.

will work on that.

one question: the image for cosigned is already published?

[cpanato]

I think you don't need this, or where we are using this binary?

[hectorj2f]

This is the binary of the webhook server (named cosigned) that we bake within the Docker image of the webhook controller.

[cpanato]

but the docker build that binary inside the container, my question why do we need to be available outside

[cpanato]

maybe im missing something

[cpanato]

test locally this is not needed

[hectorj2f]

gotcha! I remove line https://github.com/sigstore/cosign/pull/576/files#diff-e8e280160bda2facd282b4c4fa90d1737a05c285293fced00d7d6cbce2811fb0R73

[hectorj2f]

@cpanato Yes, there are two options:
a) Keep the chart here and release it in an automated manner (for that we have to setup the gh pages. I can help you with this).
b) Once we can release the docker image ..., we can do the manual bump of the chart version in https://github.com/sigstore/helm-charts/pull/9/files.

[cpanato]

@cpanato Yes, there are two options:
a) Keep the chart here and release it in an automated manner (for that we have to setup the gh pages. I can help you with this).
b) Once we can release the docker image ..., we can do the manual bump of the chart version in https://github.com/sigstore/helm-charts/pull/9/files.

yep! sgtm!

[hectorj2f]

yep! sgtm!

Which option do you prefer a) or b) :) ?

one question: the image for cosigned is already published?

@cpanato Nope!

[cpanato]

yep! sgtm!

Which option do you prefer a) or b) :) ?

one question: the image for cosigned is already published?

@cpanato Nope!

we will do both, make the release in an automated manner but when we have the image we replace to the new one, for now we can use the one you already pushed

[cpanato]

testing this change! 🐻 with me

[cpanato]

built everything :)

   • building binaries
      • building                  binary=/cosign/dist/cosign-linux-amd64
      • building                  binary=/cosign/dist/linux-pivkey-amd64_linux_amd64/cosign-linux-pivkey-amd64
      • running hook              hook=apt-get update
      • running hook              hook=apt-get -y install libpcsclite-dev
      • building                  binary=/cosign/dist/cosign-darwin-amd64
      • building                  binary=/cosign/dist/cosign-darwin-arm64
      • building                  binary=/cosign/dist/cosign-windows-amd64.exe
      • building                  binary=/cosign/dist/cosigned-linux-amd64
   • archives
      • skip archiving            binary=cosign-darwin-amd64
      • skip archiving            binary=cosign-windows-amd64.exe
      • skip archiving            binary=cosign-linux-amd64
      • skip archiving            binary=cosign-linux-pivkey-amd64
      • skip archiving            binary=cosigned-linux-amd64
      • skip archiving            binary=cosign-darwin-arm64
   • creating source archive
   • linux packages
   • snapcraft packages
   • calculating checksums
      • checksumming              file=cosign-darwin-arm64
      • checksumming              file=cosign-linux-pivkey-amd64
      • checksumming              file=cosigned-linux-amd64
      • checksumming              file=cosign-linux-amd64
      • checksumming              file=cosign-darwin-amd64
      • checksumming              file=cosign-windows-amd64.exe

[cpanato]

small nits. made the changes in my local and was able to run a successful release

[cpanato]

test locally this is not needed

[cpanato]

thanks for all!
/lgtm