Merge branch 'master' into fix-1637

Author: maraino

.github/workflows/actionlint.yml

@@ -0,0 +1,17 @@
+name: Lint GitHub Actions workflows
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  actionlint:
+    uses: smallstep/workflows/.github/workflows/actionlint.yml@main
+    secrets: inherit

.github/workflows/dependabot-auto-merge.yml

@@ -6,17 +6,6 @@ permissions:
   pull-requests: write
 
 jobs:
-  dependabot:
-    runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
-    steps:
-      - name: Dependabot metadata
-        id: metadata
-        uses: dependabot/[email protected]
-        with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
-      - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --merge "$PR_URL"
-        env:
-          PR_URL: ${{github.event.pull_request.html_url}}
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+  dependabot-auto-merge:
+    uses: smallstep/workflows/.github/workflows/dependabot-auto-merge.yml@main
+    secrets: inherit

.github/workflows/release.yml

@@ -53,12 +53,12 @@ jobs:
           echo "DOCKER_TAGS_DEBIAN=${{ env.DOCKER_TAGS_DEBIAN }},${{ env.DOCKER_IMAGE }}:${DEBIAN_TAG}" >> "${GITHUB_ENV}"
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
+          tag_name: ${{ github.ref_name }}
+          name: Release ${{ github.ref_name }}
           draft: false
           prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
 
@@ -100,69 +100,30 @@ jobs:
 
 # All jobs below this are for full releases (non release candidates e.g. *-rc.*)
 
-  build_upload_aws_s3_binaries:
-    name: Build & Upload AWS S3 Binaries
-    runs-on: ubuntu-latest
-    needs: create_release
-    if: needs.create_release.outputs.is_prerelease == 'false'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: 'stable'
-          check-latest: true
-      - name: Build
-        id: build
-        run: |
-          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
-          make -j1 binary-linux-amd64 binary-linux-arm64 binary-darwin-amd64 binary-windows-amd64
-          mkdir -p ./.releases
-          cp ./output/binary/linux-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_linux_amd64
-          cp ./output/binary/linux-amd64/bin/step ./.releases/step_latest_linux_amd64
-          cp ./output/binary/linux-arm64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_linux_arm64
-          cp ./output/binary/linux-arm64/bin/step ./.releases/step_latest_linux_arm64
-          cp ./output/binary/darwin-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_darwin_amd64
-          cp ./output/binary/darwin-amd64/bin/step ./.releases/step_latest_darwin_amd64
-          cp ./output/binary/windows-amd64/bin/step ./.releases/step_${{ needs.create_release.outputs.version }}_windows.exe
-          cp ./output/binary/windows-amd64/bin/step ./.releases/step_latest_windows.exe
-      - name: Upload s3
-        id: upload-s3
-        uses: jakejarvis/[email protected]
-        with:
-          args: --acl public-read --follow-symlinks
-        env:
-          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: us-east-1
-          SOURCE_DIR: ./.releases
-
   update_reference_docs:
     name: Update Reference Docs
     runs-on: ubuntu-latest
     needs: create_release
     if: needs.create_release.outputs.is_prerelease == 'false'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Setup Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: 'stable'
           check-latest: true
       - name: Build
         id: build
         run: V=1 make build
       - name: Checkout Docs
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: smallstep/docs
           token: ${{ secrets.DOCS_PAT }}
           path: './docs'
       - name: Setup bot SSH signing key
-        uses: webfactory/ssh-agent@v0.8.0
+        uses: webfactory/ssh-agent@dc588b651fe13675774614f8e6a936a468676387 # v0.9.0
         env:
           HAS_SSH_PRIVATE_KEY: ${{ secrets.STEP_TRAVIS_CI_GH_PRIVATE_SIGNING_KEY != '' }}
         if: ${{ env.HAS_SSH_PRIVATE_KEY == 'true' }}
@@ -207,7 +168,7 @@ jobs:
 
           git add . && git commit -a -m "step-cli ${{ needs.create_release.outputs.vversion }} reference update"
       - name: Push changes
-        uses: ad-m/[email protected]
+        uses: ad-m/github-push-action@d91a481090679876dfc4178fef17f286781251df # v0.8.0
         with:
           github_token: ${{ secrets.DOCS_PAT }}
           branch: 'main'

.goreleaser.yml

@@ -1,18 +1,23 @@
-# This is an example .goreleaser.yml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
+# Documentation: https://goreleaser.com/customization/
+version: 2
 project_name: step
 
 before:
   hooks:
-    # You may remove this if you don't use go modules.
     - go mod download
-    # - go generate ./...
 
 builds:
-  -
-    id: default
+  - &COMMON
     env:
       - CGO_ENABLED=0
+    main: ./cmd/step/main.go
+    flags:
+      - -trimpath
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    << : *COMMON
+    id: default
     targets:
       - darwin_amd64
       - darwin_arm64
@@ -28,31 +33,48 @@ builds:
       - linux_ppc64le
       - windows_amd64
       - windows_arm64
-    flags:
-      - -trimpath
-    main: ./cmd/step/main.go
     binary: bin/step
-    ldflags:
-      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    << : *COMMON
+    id: debug
+    gcflags: all=-N -l
+  -
+    # This build is for S3 binaries that follow our naming convention there.
+    << : *COMMON
+    id: s3-versioned
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - linux_amd64
+      - linux_arm64
+      - windows_amd64
+      - freebsd_amd64
+    binary: 'step_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+  -
+    # This build is for S3 unversioned binaries that follow our naming convention there.
+    << : *COMMON
+    id: s3-unversioned
+    targets:
+      - darwin_amd64
+      - darwin_arm64
+      - linux_amd64
+      - linux_arm64
+      - windows_amd64
+      - freebsd_amd64
+    binary: 'step_latest_{{ .Os }}_{{ .Arch }}'
   -
     # This build is specifically for nFPM targets (.deb and .rpm files).
     # It's exactly the same as the default build above, except:
     # - it only builds the archs we want to produce .deb and .rpm files for
     # - the name of the output binary is step-cli
+    << : *COMMON
     id: nfpm
-    env:
-      - CGO_ENABLED=0
     goos:
       - linux
     goarch:
       - amd64
       - arm64
-    flags:
-      - -trimpath
-    main: ./cmd/step/main.go
     binary: step-cli
-    ldflags:
-      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
 
 archives:
   - &ARCHIVE
@@ -135,7 +157,7 @@ signs:
 - cmd: cosign
   signature: "${artifact}.sig"
   certificate: "${artifact}.pem"
-  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
+  args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
   artifacts: all
 
 snapshot:
@@ -174,11 +196,20 @@ release:
   header: |
     ## Official Release Artifacts
 
+    Below are the most popular artifacts for `step` on each platform.
+
+    For packaged versions (Homebrew, Scoop, etc.), see our [installation docs](https://smallstep.com/docs/step-cli/installation).
+
     #### Linux
 
     - 📦 [step_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_amd64.tar.gz)
+    - 📦 [step_linux_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_arm64.tar.gz)
+    - 📦 [step_linux_{{ .Version }}_armv7.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_armv7.tar.gz)
     - 📦 [step-cli_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_amd64.deb)
     - 📦 [step-cli_{{ .Version }}_amd64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_amd64.rpm)
+    - 📦 [step-cli_{{ .Version }}_arm64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_arm64.deb)
+    - 📦 [step-cli_{{ .Version }}_arm64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ .Version }}_arm64.rpm)
+    - see `Assets` below for more builds
 
     #### macOS Darwin
 
@@ -188,12 +219,8 @@ release:
     #### Windows
 
     - 📦 [step_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_windows_{{ .Version }}_amd64.zip)
+    - 📦 [step_windows_{{ .Version }}_arm64.zip](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_windows_{{ .Version }}_arm64.zip)
 
-    For more builds across platforms and architectures see the `Assets` section below.
-    And for packaged versions (Homebrew, Scoop, etc.), see our [installation docs](https://smallstep.com/docs/step-cli/installation).
-
-
-    Don't see the artifact you need? Open an issue [here](https://github.com/smallstep/cli/issues/new/choose).
 
     ## Signatures and Checksums
 
@@ -219,7 +246,7 @@ release:
 
     Those were the changes on {{ .Tag }}!
 
-    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.
+    Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.
 
   # You can disable this pipe in order to not upload any artifacts.
   # Defaults to false.
@@ -234,8 +261,33 @@ release:
   #  - glob: ./glob/**/to/**/file/**/*
   #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
 
+blobs:
+  - provider: s3
+    disable: 'false'
+    ids:
+      - s3-versioned
+    bucket: '{{ .Env.AWS_S3_BUCKET }}'
+    region: us-east-1
+    directory: '/'
+    acl: public-read
+    extra_files:
+      - glob: ./dist/s3-versioned_*/**
+    extra_files_only: true
+
+  - provider: s3
+    disable: '{{ if .Prerelease }}true{{ else }}false{{ end }}'
+    ids:
+      - s3-unversioned
+    bucket: '{{ .Env.AWS_S3_BUCKET }}'
+    region: us-east-1
+    directory: '/'
+    acl: public-read
+    extra_files:
+      - glob: ./dist/s3-unversioned_*/**
+    extra_files_only: true
+
 winget:
-  - 
+  -
     # IDs of the archives to use.
     # Empty means all IDs.
     ids: [ default ]
@@ -305,7 +357,7 @@ winget:
     # Release notes URL.
     #
     # Templates: allowed
-    release_notes_url: "https://github.com/smallstep/cli/releases/tag/{{.Version}}"
+    release_notes_url: "https://github.com/smallstep/cli/releases/tag/{{ .Tag }}"
 
     # Create the PR - for testing
     skip_upload: auto
@@ -319,7 +371,7 @@ winget:
     repository:
       owner: smallstep
       name: winget-pkgs
-      branch: step
+      branch: "step-{{.Version}}"
 
       # Optionally a token can be provided, if it differs from the token
       # provided to GoReleaser