-
Notifications
You must be signed in to change notification settings - Fork 3
/
.goreleaser.yaml
127 lines (101 loc) · 3.53 KB
/
.goreleaser.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
version: 2
env:
- 'CI={{ (envOrDefault "CI" "false") }}'
- 'CHANGELOG_DISABLE={{ eq (envOrDefault "CI" "false") "false" }}'
- 'RELEASE_DISABLE={{ eq (envOrDefault "CI" "false") "false" }}'
- 'KO_DOCKER_REPO={{ envOrDefault "KO_DOCKER_REPO" (printf "ttl.sh/chinmina-prerelease/%d" .Now.Unix) }}'
builds:
- id: release
binary: chinmina-bridge
flags: "-trimpath" # don't include the full path of the source files
ldflags: "-w" # don't include DWARF symbols
env:
- CGO_ENABLED=0
goos:
- linux
goarch:
- amd64
- arm64
# Sign with cosign -- this picks up the OIDC token from the environment in GHA.
# If you do this locally, sign with an OAuth identity you don't mind being permanently
# published to a transparency log.
binary_signs:
- id: cosign
signature: '${artifact}.cosign.bundle'
cmd: './ci-only.sh'
args:
- "cosign"
- "sign-blob"
- "${artifact}"
- "--bundle=${signature}"
- "--yes" # needed on cosign 2.0.0+
output: false # the necessary output is the .cosign.bundle file
checksum:
name_template: "checksums.txt"
archives:
- id: archives
format: tar.gz
name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
files:
# cosign produces a bundle file to allow for verification of the artifacts
# this is included in the archive to allow for easier verification after download
- src: '{{ .ArtifactPath }}.cosign.bundle'
strip_parent: true
changelog:
disable: "{{ .Env.CHANGELOG_DISABLE }}"
use: github-native
sort: asc
release:
disable: "{{ .Env.RELEASE_DISABLE }}"
ids:
- archives
prerelease: auto
header: |
Distributions for this release are published as binaries and a Docker image.
The preferred way to consume a release is via its [Docker image](https://hub.docker.com/r/chinmina/chinmina-bridge). This image is multi-platform, supporting both Linux x86-64 and Linux ARM-64.
```text
chinmina/chinmina-bridge:{{ .Tag }}
```
If needed, binaries of this build can be found below.
> [!IMPORTANT]
> Releases can be verified with Sigstore's `cosign`: see the [release verification documentation](./docs/verifying-releases.md) in this repo for details.
kos:
- id: chinmina-bridge
build: release
working_dir: .
base_image: cgr.dev/chainguard/static
# repository is set using environment variables in the top-level env section
# (see above).
platforms:
- linux/amd64
- linux/arm64
# Tag to build and push.
tags:
- "{{if not .Prerelease}}latest{{end}}"
- "{{.Tag}}"
sbom: spdx
# Bare uses a tag on the $KO_DOCKER_REPO without anything additional.
bare: true
# Whether to preserve the full import path after the repository name.
preserve_import_paths: false
# Whether to use the base path without the MD5 hash after the repository name.
base_import_paths: true
# Sign with cosign -- this picks up the OIDC token from the environment in GHA.
# If you do this locally, sign with an OAuth identity you don't mind being permanently
# published to a transparency log.
docker_signs:
- id: ko-signing
cmd: './ci-only.sh'
args:
- "cosign"
- "sign"
- "${artifact}"
- "--yes"
artifacts: all
ids:
# id of ko image above
- chinmina-bridge
# output is not necessary, as the signing is done in place, but it helps to
# provide the index in the transparency log.
output: true