jmpsec · javuto · Aug 14, 2025 · Aug 13, 2025 · Aug 14, 2025 · Aug 14, 2025
diff --git a/.github/actions/tagged_release/docker/codesign/action.yml b/.github/actions/tagged_release/docker/codesign/action.yml
@@ -1,5 +1,5 @@
-name: "Sign Osctrl Docker images"
-description: "Sign Osctrl Docker images"
+name: "Sign osctrl Docker images"
+description: "Sign osctrl Docker images"
 inputs:
   osctrl_component:
     required: true

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,74 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  packages: write
+
+env:
+  GOLANG_VERSION: 1.24.3
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@8e57b58e57be52ac95949151e2777ffda8501267 # v5.5.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@af1b253b8dc984466d22633f04ef341c1520ed2f # v3.11.1
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5.0.0
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCKER_HUB_ORG: ${{ secrets.DOCKER_HUB_ORG }}
+
+  # Optional: Sign Docker images with cosign
+  sign:
+    needs: goreleaser
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3.9.2
+
+      - name: Log in to Docker Hub
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+
+      - name: Sign Docker images
+        run: |
+          for component in tls admin api cli; do
+            cosign sign --yes docker.io/${{ secrets.DOCKER_HUB_ORG }}/osctrl-$component:${{ github.ref_name }}
+            cosign verify \
+              --certificate-identity-regexp="https://github.com/${{ github.repository }}/.github/workflows/.*" \
+              --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
+              docker.io/${{ secrets.DOCKER_HUB_ORG }}/osctrl-$component:${{ github.ref_name }}
+          done
diff --git a/.github/workflows/test-release.yml b/.github/workflows/test-release.yml
@@ -0,0 +1,43 @@
+name: Test Release
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+env:
+  GOLANG_VERSION: 1.24.3
+
+jobs:
+  test-build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@8e57b58e57be52ac95949151e2777ffda8501267 # v5.5.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Run GoReleaser build
+        uses: goreleaser/goreleaser-action@v5.0.0
+        with:
+          distribution: goreleaser
+          version: latest
+          args: build --snapshot --clean --single-target
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: osctrl-binaries
+          path: dist/
+          retention-days: 1
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,248 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+    - go mod download
+
+builds:
+  - id: osctrl-tls
+    main: ./cmd/tls
+    binary: osctrl-tls
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+
+  - id: osctrl-admin
+    main: ./cmd/admin
+    binary: osctrl-admin
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+
+  - id: osctrl-api
+    main: ./cmd/api
+    binary: osctrl-api
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ignore:
+      - goos: windows
+        goarch: arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+
+  - id: osctrl-cli
+    main: ./cmd/cli
+    binary: osctrl-cli
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+    ldflags:
+      - -s -w
+      - -X main.version={{.Version}}
+      - -X main.commit={{.Commit}}
+      - -X main.date={{.Date}}
+
+archives:
+  - name_template: >-
+      {{ .ProjectName }}-
+      {{- title .Os }}-
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+    files:
+      - README.md
+      - LICENSE
+      - CHANGELOG.md
+
+checksum:
+  name_template: "checksums.txt"
+
+snapshot: {}
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^ci:"
+      - Merge pull request
+      - Merge branch
+
+dockers:
+  - image_templates:
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-tls:{{ .Version }}"
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-tls:latest"
+    dockerfile: deploy/cicd/docker/Dockerfile-osctrl-tls
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--platform=linux/arm64"
+    extra_files:
+      - osctrl-tls-linux-amd64
+      - osctrl-tls-linux-arm64
+
+  - image_templates:
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-admin:{{ .Version }}"
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-admin:latest"
+    dockerfile: deploy/cicd/docker/Dockerfile-osctrl-admin
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--platform=linux/arm64"
+    extra_files:
+      - osctrl-admin-linux-amd64
+      - osctrl-admin-linux-arm64
+
+  - image_templates:
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-api:{{ .Version }}"
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-api:latest"
+    dockerfile: deploy/cicd/docker/Dockerfile-osctrl-api
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--platform=linux/arm64"
+    extra_files:
+      - osctrl-api-linux-amd64
+      - osctrl-api-linux-arm64
+
+  - image_templates:
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-cli:{{ .Version }}"
+      - "{{ .Env.DOCKER_HUB_ORG }}/osctrl-cli:latest"
+    dockerfile: deploy/cicd/docker/Dockerfile-osctrl-cli
+    use: buildx
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--platform=linux/arm64"
+    extra_files:
+      - osctrl-cli-linux-amd64
+      - osctrl-cli-linux-arm64
+
+nfpms:
+  - id: osctrl-tls
+    maintainer: jmpsec/osctrl
+    description: osctrl TLS component
+    homepage: https://github.com/jmpsec/osctrl
+    license: MIT
+    formats:
+      - deb
+    bindir: /usr/bin
+    contents:
+      - src: osctrl-tls-linux-amd64
+        dst: /usr/bin/osctrl-tls
+      - src: osctrl-tls-linux-arm64
+        dst: /usr/bin/osctrl-tls
+    overrides:
+      deb:
+        scripts:
+          postinstall: deploy/cicd/deb/post-install.sh
+          preremove: deploy/cicd/deb/pre-remove.sh
+
+  - id: osctrl-admin
+    maintainer: jmpsec/osctrl
+    description: osctrl Admin component
+    homepage: https://github.com/jmpsec/osctrl
+    license: MIT
+    formats:
+      - deb
+    bindir: /usr/bin
+    contents:
+      - src: osctrl-admin-linux-amd64
+        dst: /usr/bin/osctrl-admin
+      - src: osctrl-admin-linux-arm64
+        dst: /usr/bin/osctrl-admin
+    overrides:
+      deb:
+        scripts:
+          postinstall: deploy/cicd/deb/post-install.sh
+          preremove: deploy/cicd/deb/pre-remove.sh
+
+  - id: osctrl-api
+    maintainer: jmpsec/osctrl
+    description: osctrl API component
+    homepage: https://github.com/jmpsec/osctrl
+    license: MIT
+    formats:
+      - deb
+    bindir: /usr/bin
+    contents:
+      - src: osctrl-api-linux-amd64
+        dst: /usr/bin/osctrl-api
+      - src: osctrl-api-linux-arm64
+        dst: /usr/bin/osctrl-api
+    overrides:
+      deb:
+        scripts:
+          postinstall: deploy/cicd/deb/post-install.sh
+          preremove: deploy/cicd/deb/pre-remove.sh
+
+  - id: osctrl-cli
+    maintainer: jmpsec/osctrl
+    description: osctrl CLI component
+    homepage: https://github.com/jmpsec/osctrl
+    license: MIT
+    formats:
+      - deb
+    bindir: /usr/bin
+    contents:
+      - src: osctrl-cli-linux-amd64
+        dst: /usr/bin/osctrl-cli
+      - src: osctrl-cli-linux-arm64
+        dst: /usr/bin/osctrl-cli
+    overrides:
+      deb:
+        scripts:
+          postinstall: deploy/cicd/deb/post-install.sh
+          preremove: deploy/cicd/deb/pre-remove.sh
+
+release:
+  draft: false
+  prerelease: false