Skip to content

Add secure release automation with GoReleaser #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 2, 2025
Merged

Add secure release automation with GoReleaser #14

merged 2 commits into from
Jun 2, 2025

Conversation

jakec-dev
Copy link
Owner

@jakec-dev jakec-dev commented Jun 2, 2025
edited
Loading

Summary

This PR implements a comprehensive release automation system using GoReleaser v2, with a focus on security
and OpenSSF Scorecard compliance. The implementation follows best practices from major Go open source
projects like Kubernetes and Docker.

What's Changed

GoReleaser Configuration

  • Added .goreleaser.yml with GoReleaser v2 syntax
  • Configured multi-platform builds (Linux, macOS, Windows) for all architectures
  • Enabled artifact signing with cosign (keyless mode)
  • Added SBOM generation for supply chain transparency
  • Configured draft releases for manual review before publishing

Release Workflows

  • .github/workflows/release-manual.yml: Secure manual release trigger
    • Version validation and semantic versioning enforcement
    • Automated testing before release
    • Tag creation by workflow (not humans)
    • Full GoReleaser pipeline execution
  • .github/workflows/release.yml: Automated SLSA provenance generation
    • Triggered by tags created from manual workflow
    • Generates .intoto.jsonl files for maximum OpenSSF score

Build System Updates

  • Makefile: Added release tools to install target
    • goreleaser v2.9.0
    • cosign v2.5.0 (artifact signing)
    • syft v1.26.1 (SBOM generation)
  • All tools use pinned versions for reproducibility

Documentation

  • CONTRIBUTING.md: Updated with secure release process
    • Clear separation of contributor vs maintainer workflows
    • Step-by-step release instructions
    • Security artifact documentation
  • docs/RELEASE_SETUP.md: New comprehensive guide for maintainers
    • GitHub protection rules setup
    • Tag protection via rulesets
    • Troubleshooting and monitoring

Security Improvements

This implementation achieves maximum OpenSSF Scorecard rating for Signed-Releases:

Release Process Overview

graph LR
    A[Maintainer] -->|Triggers| B[Release Workflow]
    B --> C[Validate Version]
    C --> D[Run Tests]
    D --> E[Create Tag]
    E --> F[Build Artifacts]
    F --> G[Sign & Generate SBOMs]
    G --> H[Create Draft Release]
    H --> I[Generate SLSA Provenance]
    I --> J[Maintainer Reviews & Publishes]
Loading

Breaking Changes

None - this only affects the release process, not the codebase functionality.

Testing

  • Validated GoReleaser configuration with goreleaser check
  • Tested snapshot builds with make release-snapshot
  • Verified all artifact generation in local testing

Checklist

  • GoReleaser v2 configuration implemented
  • Secure release workflows created
  • Artifact signing with cosign configured
  • SBOM generation enabled
  • SLSA provenance workflow added
  • Documentation updated
  • Tools added to Makefile
  • Branch/tag protection guide created

Next Steps

Maintainers should:

  1. Review docs/RELEASE_SETUP.md
  2. Configure GitHub branch and tag protection rules
  3. Test the release process with a pre-release version

Closes #13

@jakec-dev jakec-dev merged commit 360e15c into master Jun 2, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Finalise release process
1 participant
@jakec-dev