Add automatic releases using goreleaser (#234)

rdimitrov · shibumi · trishankatdatadog · web-flow · commit 5d0a9c359fe1 · 2022-03-30T09:40:36.000-04:00
* chore: add goreleaser + cosign releases * feat: keyless realeases with goreleaser and cosign This commit enables keyless signatures via the Github Actions workload identity. The pipeline will run on a new tag and will generate a compiled cli and server version of TUF and a signed source tarball. The keys are ephemeral and valid for 30min and strictly coupled to the workload identity of the Github Actions workflow. Transparency logs will be automatically uploaded to the public rekor instance * chore: try a basic config of gorelease * chore: split test and release phases into reusable workflows Adds also github style changelog in which it tags people who contributed to the last release. It also groups breaking commits into a separate group that is on top of the changelog for better visibility. Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: bump goreleaser to v1.6.3 Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: use golangci-lint instead of go fmt, staticcheck, etc. Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: use github-action for goveralls instead of the legacy GOPATH way Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: add golangci.yml config enabling several other linters Fix also some of the linter errors so it doesn't fail. Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: use the flags property of goreleaser instead of env vars while building Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: set goreleaser to automatically mark releases with a suffix as prereleases Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: partially revert "Add golangci.yml config enabling several other linters" This reverts commit a72cf40 which also included fixes for some of the issues raised by golangci-lint. They will be addressed in a separate PR. Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: add commitsar action to enforce the use of conventional commits For reference - https://www.conventionalcommits.org Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * fix: use keyword specificed in the conventional commit spec for breaking changes Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: configure dependabot to monitor github-actions too Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: pin github-actions dependencies by digest Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: pin and configure dependabot to monitor Python test dependencies Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: bump goreleaser version to v1.7.0 Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: run tests using Go version 1.18.x Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: checkout code first in order to fix CI failure Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: run CI against all Go versions newer than the minimal one set in go.mod Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: download python dependencies from requirements-test.txt Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: use the minimal Go version set in go.mod for releases Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: pin the go-version-action using a digest Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: configure dependabot to use chore commit prefix for gomod updates Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> * chore: revert the use of dedicated requirements.txt file path for github actions Signed-off-by: Radoslav Dimitrov <dimitrovr@vmware.com> Co-authored-by: Christian Rebischke <chris@shibumi.dev> Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,7 +1,32 @@
 version: 2
 updates:
-- package-ecosystem: "gomod"
-  directory: "/"
-  schedule:
-    interval: "daily"
-  open-pull-requests-limit: 10
+  # Monitor Go dependencies
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
+  # Monitor Github Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
+  # Monitor Python test dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:00"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,23 @@
+on:
+  pull_request:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*"
+name: CI
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml
+  tuf:
+    needs: tests
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    uses: ./.github/workflows/release.yml
+    with:
+      cli-name: tuf
+  tuf-client:
+    needs: tests
+    if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+    uses: ./.github/workflows/release.yml
+    with:
+      cli-name: tuf-client
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,35 @@
+on:
+  workflow_call:
+    inputs:
+      cli-name:
+        required: true
+        type: string
+name: Release
+jobs:
+  release:
+    permissions:
+      id-token: write
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Get Go version
+        uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+        id: go-version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up Go
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+        with:
+          go-version: ${{ steps.go-version.outputs.minimal }}
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
+        with:
+          distribution: goreleaser
+          version: "v1.7.0"
+          args: release --config ./.goreleaser/${{ inputs.cli-name }}.yml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -0,0 +1,78 @@
+on:
+  workflow_call:
+name: Tests
+jobs:
+  get-go-versions:
+    name: Collect available Go versions
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.versions.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+      - uses: arnested/go-version-action@d44f8fbecf1ac5ea61d81603e99dfec9833f592f
+        id: versions
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  run:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+
+      - name: Setup - Go ${{ matrix.go-version }}
+        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Setup - Python
+        uses: actions/setup-python@7f80679172b057fc5e90d70d197929d454754a5a
+        with:
+          python-version: 3.6
+          cache: "pip"
+          cache-dependency-path: "requirements-test.txt"
+
+      - name: Install Python dependencies
+        run: |
+          python3 -m pip install --upgrade pip
+          python3 -m pip install --upgrade -r requirements-test.txt
+
+      - name: Run tests
+        run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+
+      - name: Send coverage
+        uses: shogo82148/actions-goveralls@31ee804b8576ae49f6dc3caa22591bc5080e7920
+        with:
+          path-to-profile: profile.cov
+          flag-name: Go-${{ matrix.go-version }}
+          parallel: true
+
+  golangci:
+    strategy:
+      matrix:
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018
+        with:
+          version: v1.44
+
+  conventional-commits-lint-check:
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
+        with:
+          fetch-depth: 0
+      - name: Commitsar Action
+        uses: aevea/commitsar@159cec82966ca402a09ae3c185524a5256affa22
diff --git a/.golangci.yml b/.golangci.yml
@@ -0,0 +1,11 @@
+linters:
+  disable-all: true
+  enable:
+    - staticcheck
+    - gofmt
+    - govet
+    - gosimple
+    - structcheck
+    - varcheck
+    - unused
+    - typecheck
diff --git a/.goreleaser/tuf-client.yml b/.goreleaser/tuf-client.yml
@@ -0,0 +1,39 @@
+project_name: tuf-client
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+    flags:
+      - -mod=readonly
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/tuf-client/
+source:
+  enabled: true
+changelog:
+  use: github
+  groups:
+    - title: "Breaking changes"
+      regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+      order: 0
+    - title: Features
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 1
+    - title: "Bug fixes"
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 2
+    - title: Others
+      order: 999
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
diff --git a/.goreleaser/tuf.yml b/.goreleaser/tuf.yml
@@ -0,0 +1,39 @@
+project_name: tuf
+builds:
+  - ldflags:
+      - "-s -w"
+      - "-extldflags=-zrelro"
+      - "-extldflags=-znow"
+    env:
+      - "CGO_ENABLED=0"
+      - "GO111MODULE=on"
+    flags:
+      - -mod=readonly
+      - -trimpath
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+    main: ./cmd/tuf/
+source:
+  enabled: true
+changelog:
+  use: github
+  groups:
+    - title: "Breaking changes"
+      regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+      order: 0
+    - title: Features
+      regexp: "^.*feat[(\\w)]*:+.*$"
+      order: 1
+    - title: "Bug fixes"
+      regexp: "^.*fix[(\\w)]*:+.*$"
+      order: 2
+    - title: Others
+      order: 999
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
diff --git a/requirements-test.txt b/requirements-test.txt
@@ -0,0 +1,5 @@
+iso8601==1.0.2
+requests==2.27.1
+securesystemslib==0.21.0
+six==1.16.0
+tuf==0.20.0
