-
Notifications
You must be signed in to change notification settings - Fork 6
/
.goreleaser.yaml
274 lines (267 loc) · 9.81 KB
/
.goreleaser.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
---
# INFO: Why is there a _v1 suffix on amd64 builds? https://goreleaser.com/customization/build/#why-is-there-a-_v1-suffix-on-amd64-builds
project_name: dsv-cli
dist: .artifacts/goreleaser
env:
- GITHUB_TOKEN={{ if index .Env "GITHUB_TOKEN" }}{{ .Env.GITHUB_TOKEN }}{{else}}''{{end}}
- GITLAB_TOKEN=''
- GITEA_TOKEN=''
- LOCAL_DEBUGGING={{ if index .Env "LOCAL_DEBUGGING" }}{{ .Env.LOCAL_DEBUGGING }}{{else}}{{end}}
- QUILL_SIGN_P12={{ if index .Env "QUILL_SIGN_P12" }}{{ .Env.QUILL_SIGN_P12 }}{{else}}{{end}}
- QUILL_SIGN_PASSWORD={{ if index .Env "QUILL_SIGN_PASSWORD" }}{{ .Env.QUILL_SIGN_PASSWORD }}{{else}}{{end}}
- COSIGN_PASSWORD={{ if index .Env "COSIGN_PASSWORD" }}{{ .Env.COSIGN_PASSWORD }}{{else}}{{end}}
- COSIGN_KEY={{ if index .Env "COSIGN_KEY" }}{{ .Env.COSIGN_KEY }}{{else}}{{end}}
- DOCKER_CLI_EXPERIMENTAL=enabled
- S3_BUCKET={{ if index .Env "S3_BUCKET" }}{{ .Env.S3_BUCKET }}{{else}}{{end}}
- S3_KEY_PREFIX={{ if index .Env "S3_KEY_PREFIX" }}{{ .Env.S3_KEY_PREFIX }}{{else}}{{end}}
- CGO_ENABLED=0
before:
hooks:
- go mod download
builds:
- id: build-darwin
binary: &build-binary-name-template dsv
# dsv-{{ replace .Os "windows" "win" }}-{{ if eq .Arch "386" }}x86{{ else if eq .Arch "amd64" }}x64{{ else }}{{ .Arch }}{{end}}
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: &common-ldflags |
-s -w
-X github.com/DelineaXPM/dsv-cli/version.Version={{.Version}}
-X github.com/DelineaXPM/dsv-cli/version.GitCommit={{ .FullCommit }}
-X github.com/DelineaXPM/dsv-cli/version.BuildDate={{ .CommitDate }}
goos: [darwin]
goarch:
- amd64
- arm64
hooks:
post:
# Quill tool is installed in environment by aqua.
- cmd: '{{ if index .Env "QUILL_SIGN_P12_PASSWORD" }}quill sign "{{ .Path }}" --ad-hoc={{ .IsSnapshot }} -vv{{ else }}echo "👉 no QUILL_SIGN_P12_PASSWORD provided so bypassing"{{ end }}'
env:
- QUILL_LOG_FILE=.cache/quill-{{ .Target }}.log
- QUILL_SIGN_P12={{ .Env.QUILL_SIGN_P12 }}
- QUILL_SIGN_P12_PASSWORD={{ .Env.QUILL_SIGN_PASSWORD }}
- cmd: &hook-sign-blob '{{ if index .Env "COSIGN_PASSWORD" }}cosign sign-blob --key={{.Env.COSIGN_KEY }} --output-signature="{{ .Path }}.sig" --output-file=".cache/cosign-{{ .Target }}.log" --verbose --yes "{{ .Path }}" {{ else }}echo "👉 no COSIGN_PASSWORD provided so bypassing"{{ end }}'
env:
- COSIGN_KEY={{ .Env.COSIGN_KEY }}
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
- id: build-linux
binary: *build-binary-name-template
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: *common-ldflags
goos: [linux]
goarch:
- amd64
- '386'
hooks:
post:
- cmd: *hook-sign-blob
env:
- COSIGN_KEY={{ .Env.COSIGN_KEY }}
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
- id: build-windows
binary: *build-binary-name-template
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: *common-ldflags
goos: [windows]
goarch:
- amd64
- '386'
hooks:
post:
- cmd: *hook-sign-blob
env:
- COSIGN_KEY={{ .Env.COSIGN_KEY }}
- COSIGN_PASSWORD={{ .Env.COSIGN_PASSWORD }}
archives:
# Name template is: 'dsv-{{ .Os }}-{{ .Arch }}',
# but we replace:
# - "windows" with "win"
# - "386" with "x86"
# - "amd64" with "x64"
# Example: "build-windows-amd64.exe" -> "dsv-win-x64.exe"
# - id: archives
# builds:
# - build-darwin
# - build-linux
# - build-windows
# name_template: dsv-{{ replace .Os "windows" "win" }}-{{ if eq .Arch "386" }}x86{{ else }}{{ .Arch }}{{end}}
# files:
# - dsv
# - '.artifacts/goreleaser/*.sig'
- format: binary
id: archive-binary-darwin
name_template: &artifact-build-name dsv-{{ replace .Os "windows" "win" }}-{{ if eq .Arch "386" }}x86{{ else if eq .Arch "amd64" }}x64{{ else }}{{ .Arch }}{{end}}
builds:
- build-darwin
- format: binary
id: archive-binary-linux
name_template: *artifact-build-name
builds:
- build-linux
- format: binary
id: archive-binary-windows
name_template: *artifact-build-name
builds:
- build-windows
- format: zip
id: archive-zip-windows
name_template: *artifact-build-name
builds:
- build-windows
checksum:
name_template: checksums-sha256.txt
algorithm: sha256
disable: false
release:
prerelease: auto
draft: false
mode: replace
skip_upload: false
replace_existing_draft: true
name_template: '{{.ProjectName}}-v{{.Version}}'
extra_files:
- glob: .artifacts/goreleaser/**/*.sig
- glob: .artifacts/cli-version.json
sboms:
- artifacts: binary
id: sbom-binaries
documents:
- '{{ .Binary }}-{{ .Os }}-{{ .Arch }}.sbom.json'
#- '${artifact}.{{.Runtime.Goos}}.{{.Runtime.Goarch}}.spdx.json'
changelog:
skip: false
sort: asc
use: github
groups:
- title: Features
regexp: "^.*feat[(\\w)]*:+.*$"
order: 0
- title: 'Fixes'
regexp: "^.*fix[(\\w)]*:+.*$"
order: 1
- title: 'CI & Chore'
regexp: "^.*(fix|chore|build)[(\\w)]*:+.*$"
order: 2
- title: Others
order: 999
filters:
exclude:
- '^docs:'
- '^test:'
- '^style:'
blobs:
# Binaries, signatures, and SBOMs
- provider: s3
region: us-east-1
disableSSL: true
bucket: '{{ .Env.S3_BUCKET }}'
folder: '{{ .Env.S3_KEY_PREFIX }}/{{.Version}}'
extra_files:
- glob: .artifacts/goreleaser/**/*.sig
brews:
- name: dsv-cli
ids:
- archive-binary-linux
- archive-binary-darwin
tap:
owner: DelineaXPM
name: homebrew-tap
branch: main
token: '{{ .Env.GITHUB_TOKEN }}'
download_strategy: CurlDownloadStrategy
commit_author:
name: goreleaserbot
email: [email protected]
commit_msg_template: 'Brew formula update for {{ .ProjectName }} version {{ .Tag }}'
folder: Formula
homepage: 'https://github.com/DelineaXPM/dsv-cli'
description: '⚡ A cross-platform swiss army knife tool for DevOps secrets management from Delinea.'
license: 'Apache-2.0 license'
skip_upload: '{{ if .IsSnapshot }}true{{else}}false{{end}}'
dependencies:
- name: git
conflicts: []
test: |
assert_equal "{{.Version}}", shell_output("#{bin}/dsv --version").strip
scoop:
bucket:
owner: DelineaXPM
name: scoop-bucket
branch: main
commit_author:
name: goreleaserbot
email: [email protected]
homepage: 'https://github.com/DelineaXPM/dsv-cli'
description: '⚡ A cross-platform swiss army knife tool for DevOps secrets management from Delinea.'
license: 'Apache-2.0 license'
skip_upload: '{{ if .IsSnapshot }}true{{else}}false{{end}}'
snapcrafts:
- id: dsv-cli-snap
builds:
- build-linux #'{{ if (eq .Runtime.Goos "linux") }}build-linux{{else}}{{end}}'
name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
name: dsv-cli
# must run snapcraft login first
publish: true
summary: '⚡ A cross-platform swiss army tool for DevOps secrets management from Delinea'
description: |
The DSV CLI is a cross-platform swiss army knife tool for DevOps secrets management from Delinea.
It is designed to be a simple, yet powerful, tool for managing secrets in a variety of
environments. It is designed to be used in CI/CD pipelines, as well as locally on developer
machines.
grade: stable
confinement: strict
license: Apache-2.0
apps:
# The name of the app must be the same name as the binary built or the snapcraft name.
dsv-cli:
# https://snapcraft.io/docs/home-interface
plugs: ['network'] # removed home, and personal-files as these would persist outside the snap but require special approval. Instead all the data will be contained the snap environment itself.
command: dsv
# SNAP DOCS:
# https://snapcraft.io/docs/environment-variables
# For non-classic snaps, this environment variable is re-written to SNAP_USER_DATA by snapd so that each snap appears to have a dedicated home directory that is a subdirectory of the real home directory.
# args: --config 'SNAP_USER_COMMON/.dsv.yml'
# aliases: ['dsv']
# as a result, no plugs for home should be required
# plugs:
# personal-files:
# read:
# - $HOME/.dsv.yml
# - $HOME/.thy
# write:
# - $HOME/.dsv.yml
# - $HOME/.thy
dockers:
- id: docker-publish-cli
ids: [build-linux]
goos: linux
image_templates:
- '{{ if index .Env "DOCKER_ORG" }}{{ .Env.DOCKER_ORG }}/{{ .ProjectName }}:{{ .Tag }}{{ end }}'
- '{{ if index .Env "DOCKER_ORG" }}{{ .Env.DOCKER_ORG }}/{{ .ProjectName }}:latest{{ end }}'
skip_push: false
dockerfile: ./docker/Dockerfile.dsv.chainguard
use: buildx
build_flag_templates:
- --platform=linux/amd64
- --label=org.opencontainers.image.created={{.Date}}
- --label=org.opencontainers.image.title={{ .ProjectName }}
- --label=org.opencontainers.image.revision={{ .FullCommit }}
- --label=org.opencontainers.image.version={{.Version}}
# local builds
- id: docker-publish-local
ids: [build-linux]
goos: linux
image_templates:
- '{{ .ProjectName }}:{{ .Tag }}'
- '{{ .ProjectName }}:latest' # This one is for dev usage so latest version, no tagged semver required in docker compose or local testing
skip_push: true
dockerfile: ./docker/Dockerfile.dsv.chainguard
use: buildx
build_flag_templates:
- --platform=linux/amd64
- --label=org.opencontainers.image.created={{.Date}}
- --label=org.opencontainers.image.title={{ .ProjectName }}
- --label=org.opencontainers.image.revision={{ .FullCommit }}
- --label=org.opencontainers.image.version={{.Version}}
- --label=org.opencontainers.image.version="{{ .Tag }}"