# GoReleaser configuration for the k8s-kms-plugin release pipeline.
project_name: k8s-kms-plugin

# Environment applied to every build step.
env:
  - GO111MODULE=on
  # cgo must stay enabled: the plugin links C code through crypto11 (see the kos env below).
  - CGO_ENABLED=1
  # NOTE(review): LATEST_TAG is not referenced anywhere in this file; confirm a hook or
  # template outside it actually consumes the value.
  - LATEST_TAG=,latest
# Warm the module cache once, up front, so parallel builds do not race each other
# while downloading modules.
before:
  hooks:
    # NOTE(review): `go mod tidy` may rewrite go.mod/go.sum at release time; if the
    # tree must stay pristine, `go mod verify` is the non-mutating alternative.
    - go mod tidy
    - go mod download
# GitLab endpoints used when publishing the release on GitLab; both come from the
# CI job environment.
gitlab_urls:
  api: '{{ .Env.CI_API_V4_URL }}'
  download: '{{ .Env.CI_SERVER_URL }}'
  # NOTE(review): this turns off TLS certificate verification for every call to the
  # GitLab API, so release uploads are exposed to interception on the network path.
  # Trust the instance CA on the runner and set this to false unless there is a
  # documented reason not to.
  skip_tls_verify: true
  use_package_registry: true
# Binary build matrix. Only linux/amd64 is configured at the moment; add goos/goarch
# entries to widen it.
builds:
  - id: k8s-kms-plugin
    binary: '{{ .ProjectName }}-linux-{{ .Arch }}_{{ .Version }}'
    # Place the binary directly under dist/ instead of a per-target sub-directory;
    # the versioned binary name is unique on its own.
    no_unique_dist_dir: true
    main: './cmd/{{ .ProjectName }}/main.go'
    # Reproducible builds: stamp the binary with the commit time, not the build time.
    mod_timestamp: '{{ .CommitTimestamp }}'
    goos:
      - linux
    goarch:
      - amd64
    # Linker flags are injected by CI; LDFLAGS is expected to be set in the environment.
    ldflags:
      - '{{ .Env.LDFLAGS }}'
# Build and push the container image with ko. Additional platforms can be listed
# under `platforms`.
kos:
  - repository: 'ghcr.io/{{ .Env.GITHUB_REPOSITORY }}'
    tags:
      - '{{.Tag}}'
      # `latest` only moves on non-prerelease tags.
      - '{{ if not .Prerelease }}latest{{ end }}'
    main: ./cmd/k8s-kms-plugin
    # NOTE(review): a floating `:latest` base image makes image builds non-reproducible
    # and silently pulls whatever Chainguard publishes next; pin it by digest
    # (cgr.dev/chainguard/glibc-dynamic@sha256:<digest>) and bump it deliberately.
    # A glibc base is presumably required because the binary is built with cgo (see env below).
    base_image: 'cgr.dev/chainguard/glibc-dynamic:latest'
    # Push to the repository exactly as given (no import-path suffix appended).
    bare: true
    preserve_import_paths: false
    sbom: cyclonedx
    platforms:
      - linux/amd64
    flags:
      - -trimpath
    ldflags:
      - '{{ .Env.LDFLAGS }}'
    env:
      # Mandatory for the crypto11 package (and any Go library that needs the C compiler).
      - CGO_ENABLED=1
# Linux packages (apk, deb, rpm) built from the binary produced in the build section.
nfpms:
  - id: '{{ .ProjectName }}'
    package_name: '{{ .ProjectName }}'
    file_name_template: '{{ .ConventionalFileName }}'
    license: 'Apache License 2.0'
    maintainer: ThalesGroup
    # Must match the id of the build whose binary is packaged.
    builds:
      - k8s-kms-plugin
    formats:
      - apk
      - deb
      - rpm
    # The packaged binary keeps its versioned file name; expose it under the bare
    # project name via a symlink.
    contents:
      - src: '/usr/bin/{{ .ProjectName }}-linux-{{ .Arch }}_{{ .Version }}'
        dst: '/usr/bin/{{ .ProjectName }}'
        type: symlink
# Package the built binary three ways: raw binary, zip and tar.gz.
# Every archive is named after the binary; the chosen format decides the extension.
archives:
  - id: binary
    format: binary
    name_template: '{{ .Binary }}'
    allow_different_binary_count: true
  - id: zip
    format: zip
    name_template: '{{ .Binary }}'
    allow_different_binary_count: true
  - id: tar
    format: tar.gz
    name_template: '{{ .Binary }}'
    allow_different_binary_count: true
# Metadata file, timestamped with the commit time for reproducibility.
metadata:
  mod_timestamp: '{{ .CommitTimestamp }}'
# Checksum file covering the release artifacts (signed below under `signs`).
checksum:
  name_template: '{{ .ProjectName }}_checksums.txt'
# Version string used for snapshot (untagged) builds.
snapshot:
  version_template: 'SNAPSHOT-{{ .ShortCommit }}'
# SBOMs for every binary artifact:
#   - SPDX, using goreleaser's default scanner (syft)
#   - CycloneDX, using the default scanner with explicit arguments
#   - CycloneDX with vulnerability data ("VEX"), using trivy
# Both the scanner command and its arguments can be overridden per entry.
sboms:
  - id: binary sbom
    artifacts: binary
    documents:
      - '${artifact}.spdx.sbom'
  - id: CycloneDX sbom
    artifacts: binary
    documents:
      - '${artifact}.cyclonedx-json.sbom'
    args:
      - '$artifact'
      - '--output'
      - cyclonedx-json
      - '--file'
      - '$document'
  - id: trivy sbom
    artifacts: binary
    cmd: trivy
    documents:
      - '${artifact}.cyclonedx-vex.sbom'
    # NOTE(review): this entry runs once per binary but scans the whole WORKSPACE
    # directory rather than `$artifact`, so the document describes the workspace,
    # not the individual binary. Confirm that is intended, or point trivy at the
    # artifact instead.
    args:
      - fs
      - '--format'
      - cyclonedx
      - '--scanners'
      - vuln
      - '--output'
      - '$document'
      - '{{ .Env.WORKSPACE }}'
# Sign every artifact class (binary, checksum, package, sbom) with cosign in keyless mode.
# Each entry writes a detached signature and the short-lived signing certificate next
# to the artifact; verifiers need both, plus the expected certificate identity/issuer.
signs:
  - id: '{{ .ProjectName }}-keyless'
    cmd: cosign
    env:
      # Enables keyless (Fulcio/Rekor) signing on cosign 1.x; cosign 2.x makes it the
      # default, so the variable is likely redundant there.
      - COSIGN_EXPERIMENTAL=1
    signature: '${artifact}-keyless.sig'
    certificate: '${artifact}-keyless.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      # Non-interactive run: `-y` answers the transparency-log upload prompt.
      - '-y'
      - '${artifact}'
    artifacts: binary
    # Surface cosign's own output in the goreleaser log.
    output: true

  - id: checksum-keyless
    cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    signature: '${artifact}-keyless.sig'
    certificate: '${artifact}-keyless.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '-y'
      - '${artifact}'
    artifacts: checksum
    output: true

  - id: package-keyless
    cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    signature: '${artifact}-keyless.sig'
    certificate: '${artifact}-keyless.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '-y'
      - '${artifact}'
    artifacts: package
    output: true

  - id: sbom-keyless
    cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    signature: '${artifact}-keyless.sig'
    certificate: '${artifact}-keyless.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '-y'
      - '${artifact}'
    artifacts: sbom
    output: true
# Publish the release on GitHub.
# NOTE(review): this file also carries gitlab_urls (GitLab CI variables) while the
# image goes to ghcr.io and the release to GitHub; presumably the same config serves
# two CI systems — confirm which target each pipeline is meant to hit.
release:
  # draft: true  # Publish as a draft instead of a live release.
  # Mark this release as the repository's "latest".
  make_latest: true
  github:
    owner: '{{ .Env.GITHUB_REPOSITORY_OWNER }}'
    name: '{{ .ProjectName }}'
  # Alternative GitLab target, kept for reference:
  # gitlab:
  #   owner: ""
  #   name: "{{ .Env.CI_PROJECT_PATH }}"
  footer: |
    ### Thanks to all contributors!