Update release process and binaries (#193)

.github/workflows/release.yml

@@ -0,0 +1,56 @@
+name: 'release'
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: 'write'
+  packages: 'write'
+
+jobs:
+  release:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - uses: 'docker/setup-qemu-action@v2'
+
+      - uses: 'actions/checkout@v3'
+        with:
+          fetch-depth: 0
+
+      - uses: 'actions/setup-go@v3'
+        with:
+          go-version: '1.19'
+
+      - uses: 'docker/login-action@v2'
+        with:
+          registry: 'asia-docker.pkg.dev'
+          username: '_json_key'
+          password: '${{ secrets.GOOGLE_CREDENTIALS }}'
+
+      - uses: 'docker/login-action@v2'
+        with:
+          registry: 'europe-docker.pkg.dev'
+          username: '_json_key'
+          password: '${{ secrets.GOOGLE_CREDENTIALS }}'
+
+      - uses: 'docker/login-action@v2'
+        with:
+          registry: 'us-docker.pkg.dev'
+          username: '_json_key'
+          password: '${{ secrets.GOOGLE_CREDENTIALS }}'
+
+      - id: 'import_gpg'
+        uses: 'crazy-max/ghaction-import-gpg@v5'
+        with:
+          gpg_private_key: '${{ secrets.GPG_PRIVATE_KEY }}'
+          passphrase: '${{ secrets.GPG_PASSPHRASE }}'
+
+      - uses: 'goreleaser/goreleaser-action@v3'
+        with:
+          version: 'latest'
+          args: 'release --rm-dist'
+        env:
+          GPG_FINGERPRINT: '${{ steps.import_gpg.outputs.fingerprint }}'
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/test.yml

@@ -1,170 +1,45 @@
-# Copyright 2019 The Berglas Authors
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-name: CI/CD
+name: 'test'
 
 on:
   push:
     branches:
-    - 'main'
-    tags:
-    - '*'
+      - 'main'
   pull_request:
     branches:
-    - 'main'
+      - 'main'
+  workflow_dispatch:
+
+concurrency:
+  group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
+  cancel-in-progress: true
 
 jobs:
-  # test runs the tests
   test:
-    strategy:
-      fail-fast: false
-
     runs-on: 'ubuntu-latest'
 
-    name: 'test'
-
     env:
-      CREDS_JSON: ${{ secrets.GOOGLE_CREDENTIALS }}
+      CREDENTIALS: '${{ secrets.GOOGLE_CREDENTIALS }}'
+      GOOGLE_CLOUD_PROJECT: 'berglas-test'
+      GOOGLE_CLOUD_BUCKET: 'berglas-test-secrets'
+      GOOGLE_CLOUD_KMS_KEY: 'projects/berglas-test/locations/global/keyRings/my-keyring/cryptoKeys/my-key'
+      GOOGLE_CLOUD_SERVICE_ACCOUNT: 'berglas-test@berglas-test.iam.gserviceaccount.com'
 
     steps:
-    - uses: actions/checkout@v3
-
-    - uses: actions/setup-go@v3
-      with:
-        go-version: '1.19'
-
-    - run: 'go mod download'
+      - uses: 'actions/checkout@v3'
 
-    - name: Test (Unit)
-      run: make test
+      - uses: 'actions/setup-go@v3'
+        with:
+          go-version: '1.19'
 
-    - name: Test (Integration)
-      if: ${{ env.CREDS_JSON }}
-      run: |-
-        echo '${{ env.CREDS_JSON }}' > ${{ runner.temp }}/account.json
-        make test-acc
-      env:
-        GOOGLE_APPLICATION_CREDENTIALS: ${{ runner.temp }}/account.json
-        GOOGLE_CLOUD_PROJECT: berglas-test
-        GOOGLE_CLOUD_BUCKET: berglas-test-secrets
-        GOOGLE_CLOUD_KMS_KEY: projects/berglas-test/locations/global/keyRings/my-keyring/cryptoKeys/my-key
-        GOOGLE_CLOUD_SERVICE_ACCOUNT: berglas-test@berglas-test.iam.gserviceaccount.com
-
-  # binaries builds and publishes the go binaries, only on push and tag
-  binaries:
-    if: ${{ success() && (github.event_name == 'push' || github.event_name == 'tag') }}
-    needs: test
-
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-        include:
-        - os: ubuntu-latest
-          goos: linux
-          goarch: amd64
-        - os: macos-latest
-          goos: darwin
-          goarch: amd64
-        - os: windows-latest
-          goos: windows
-          goarch: amd64
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-    - uses: actions/checkout@v3
-
-    - uses: actions/setup-go@v3
-      with:
-        go-version: '1.19'
-
-    - run: 'go mod download'
-
-    - name: Extract ref
-      id: extract_ref
-      shell: bash
-      run: |-
-        REF="${GITHUB_REF##*/}"
-        REF="${REF//v}"
-        echo "##[set-output name=ref;]$(echo ${REF})"
-
-    - name: Build binary
-      shell: bash
-      env:
-        CGO_ENABLED: 0
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-      run: |-
-        go build \
-          -a \
-          -trimpath \
-          -ldflags "-s -w -extldflags '-static'" \
-          -tags "osusergo,netgo,static,static_build" \
-          -o build/${{ env.GOOS }}_${{ env.GOARCH }}/berglas \
-          .
-
-    - name: Upload binary
-      uses: google-github-actions/upload-cloud-storage@v0
-      with:
-        credentials: ${{ secrets.GOOGLE_CREDENTIALS }}
-        path: build/${{ matrix.goos }}_${{ matrix.goarch }}
-        destination: berglas/${{ steps.extract_ref.outputs.ref }}/${{ matrix.goos }}_${{ matrix.goarch }}/
-        parent: false
-
-  # container builds and publishes the docker container
-  container:
-    if: ${{ success() && (github.event_name == 'push' || github.event_name == 'tag') }}
-    needs: test
-
-    strategy:
-      fail-fast: false
-      matrix:
-        target:
-        - asia-docker.pkg.dev
-        - europe-docker.pkg.dev
-        - us-docker.pkg.dev
-        repository:
-        - berglas/berglas/berglas
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
+      - run: 'go mod download'
 
-    - name: Authenticate to Artifact Registry
-      uses: docker/login-action@v2
-      with:
-        username: _json_key
-        password: ${{ secrets.GOOGLE_CREDENTIALS }}
-        registry: ${{ matrix.target }}
+      - run: 'make test'
+        if: '${{ !env.CREDENTIALS }}'
 
-    - name: Extract ref
-      id: extract_ref
-      shell: bash
-      run: |-
-        REF="${GITHUB_REF##*/}"
-        REF="${REF//v}"
-        REF="${REF/main/latest}"
-        echo "##[set-output name=ref;]$(echo ${REF})"
+      - uses: 'google-github-actions/auth@v0'
+        if: '${{ env.CREDENTIALS }}'
+        with:
+          credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
 
-    - name: ${{ matrix.target }}
-      uses: docker/build-push-action@v2
-      with:
-        push: true
-        pull: true
-        tags: ${{ matrix.target }}/${{ matrix.repository }}:${{ steps.extract_ref.outputs.ref }}
-        labels: |
-          org.opencontainers.image.source=${{ github.event.repository.html_url }}
-          org.opencontainers.image.revision=${{ github.sha }}
+      - run: 'make test-acc'
+        if: '${{ env.CREDENTIALS }}'

.goreleaser.yml

@@ -0,0 +1,132 @@
+before:
+  hooks:
+    - 'go mod tidy'
+
+builds:
+  -
+    env:
+      - 'CGO_ENABLED=0'
+      - 'GO111MODULE=on'
+      - 'GOPROXY=https://proxy.golang.org,direct'
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    flags:
+      - '-a'
+      - '-trimpath'
+    ldflags:
+      - '-s'
+      - '-w'
+      - '-X={{ .ModulePath }}/internal/version.Name=berglas'
+      - '-X={{ .ModulePath }}/internal/version.Version={{ .Version }}'
+      - '-X={{ .ModulePath }}/internal/version.Commit={{ .FullCommit }}'
+      - '-extldflags=-static'
+    goos:
+      - 'darwin'
+      - 'linux'
+      - 'windows'
+    goarch:
+      - 'amd64'
+      - 'arm64'
+    binary: 'berglas'
+
+dockers:
+  -
+    use: 'buildx'
+    goos: 'linux'
+    goarch: 'amd64'
+    image_templates:
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+    build_flag_templates:
+      - '--platform=linux/amd64'
+      - '--pull'
+      - '--label=org.opencontainers.image.created={{ .CommitTimestamp }}'
+      - '--label=org.opencontainers.image.description=Berglas is a tool for managing secrets on Google Cloud.'
+      - '--label=org.opencontainers.image.licenses=Apache-2.0'
+      - '--label=org.opencontainers.image.name=berglas'
+      - '--label=org.opencontainers.image.revision={{ .FullCommit }}'
+      - '--label=org.opencontainers.image.source={{ .GitURL }}'
+      - '--label=org.opencontainers.image.title=berglas'
+      - '--label=org.opencontainers.image.version={{ .Version }}'
+  -
+    use: 'buildx'
+    goos: 'linux'
+    goarch: 'arm64'
+    image_templates:
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+    build_flag_templates:
+      - '--platform=linux/arm64'
+      - '--pull'
+      - '--label=org.opencontainers.image.created={{ .CommitTimestamp }}'
+      - '--label=org.opencontainers.image.description=Berglas is a tool for managing secrets on Google Cloud.'
+      - '--label=org.opencontainers.image.licenses=Apache-2.0'
+      - '--label=org.opencontainers.image.name=berglas'
+      - '--label=org.opencontainers.image.revision={{ .FullCommit }}'
+      - '--label=org.opencontainers.image.source={{ .GitURL }}'
+      - '--label=org.opencontainers.image.title=berglas'
+      - '--label=org.opencontainers.image.version={{ .Version }}'
+
+docker_manifests:
+  -
+    name_template: 'asia-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}'
+    image_templates:
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+  -
+    name_template: 'asia-docker.pkg.dev/berglas/berglas/berglas:latest'
+    image_templates:
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+      - 'asia-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+  -
+    name_template: 'europe-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}'
+    image_templates:
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+  -
+    name_template: 'europe-docker.pkg.dev/berglas/berglas/berglas:latest'
+    image_templates:
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+      - 'europe-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+  -
+    name_template: 'us-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}'
+    image_templates:
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-amd64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:{{ .Version }}-arm64'
+  -
+    name_template: 'us-docker.pkg.dev/berglas/berglas/berglas:latest'
+    image_templates:
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:latest-amd64'
+      - 'us-docker.pkg.dev/berglas/berglas/berglas:latest-arm64'
+
+archives:
+  - format: 'tar.gz'
+    name_template: 'berglas_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
+    format_overrides:
+      - goos: 'windows'
+        format: 'zip'
+
+checksum:
+  name_template: 'berglas_{{ .Version }}_SHA512SUMS'
+  algorithm: 'sha512'
+
+signs:
+  - artifacts: 'checksum'
+    args:
+      - '--batch'
+      - '--local-user'
+      - '{{ .Env.GPG_FINGERPRINT }}'
+      - '--output'
+      - '${signature}'
+      - '--detach-sign'
+      - '${artifact}'
+
+release:
+  draft: false