Revamp release automation #1250
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hiddeco
force-pushed
the
release-automation
branch
4 times, most recently
from
2a71e05
to
9da6f02
Compare
hiddeco
force-pushed
the
release-automation
branch
from
9da6f02
to
d80f687
Compare
hiddeco
force-pushed
the
release-automation
branch
9 times, most recently
from
421b4e8
to
951b428
Compare
hiddeco
force-pushed
the
release-automation
branch
2 times, most recently
from
3874a58
to
3517a21
Compare
|
@getsops/maintainers this is ready for an early review. I need to update the PR message to include all details, but also really need to catch some sleep at the moment. The thing to focus on in the preview is the file formats of the artifacts, in comparison to https://github.com/getsops/sops/releases/tag/v3.7.3. Most of them should be fully backwards compatible (the binaries), but for the package formats I have reached the absolute limits of what I deemed possible. In addition, it includes all the niceness of a checksum file signed with Cosign, SBOMs for the binaries (but not containers, which include a 1:1 copy of the binary — we can add this later), and SLSA provenance for all artifacts uploaded to GitHub and the container images themselves. To get an idea of the changelog which would normally be included, run: gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
/repos/getsops/sops/releases/generate-notes \
-f tag_name='v3.8.0' \
-f target_commitish='main' \
-f previous_tag_name='v3.7.2' | jq -r .bodyBased on the output, I think the current |
hiddeco
force-pushed
the
release-automation
branch
from
3c2999f
to
4439cc9
Compare
This was referenced Aug 9, 2023
hiddeco
force-pushed
the
release-automation
branch
5 times, most recently
from
99d6b5e
to
d5a8a3a
Compare
This adds the base for releasing using GoReleaser going forward in a backwards compatible manner, which means: - Publishing of artifacts in the same formats as previous releases - Publishing of RPM and deb artifacts in the same formats as previous releases (although the metadata may need a bit of tweaking) In addition, it includes: - SBOM inclusion per binary artifact It still needs work around: - Artifact signing - SLSA compliance - Docker images - GitHub release - Changelog generation - GitHub Action workflow Signed-off-by: Hidde Beydals <[email protected]>
GoReleaser requires specifically crafted Dockerfiles as the build context is dynamically constructed. For more information, refer to https://goreleaser.com/errors/docker-build/#do and other documentation around Docker image templates and manifests. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
This appears to be the best option at present to e.g. celebrate new contributors while also allowing things to be grouped by pull request label. For more information, see xrefs in patch. Signed-off-by: Hidde Beydals <[email protected]>
This still needs further configuration of at least the `.header` field. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Plus a tiny nit to not have to pass `--yes` to Cosign everywhere, and enabling of size reporting. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
These are no longer required, as they are now handled by GoReleaser or no longer under our control (`make_download_page.sh`). Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Which in turn solves the generation of the checksum file. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
These were only part of the release process, and now continue to exist in `.release/*`. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
As it has been replaced with GoReleaser. Signed-off-by: Hidde Beydals <[email protected]>
This allows you to run the release locally, without publishing or signing, against the current state of the repository. There are some more improvements I would like to make to the `Makefile` e.g., the deprecation of `golint` and the introduction of a `help` target. But they are out of scope for the current things I am working on. Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
Which now allows us to set the `mod_timestamp` on universal binaries. Signed-off-by: Hidde Beydals <[email protected]>
- Describe difference between Debian (slim) and Alpine image - Add `-o text` flag to `cosign verify` example to print readable text instead of JSON blob - Fix typo in one of the `ghcr.io` domains - Use correct OCI annotation for image "title" Signed-off-by: Hidde Beydals <[email protected]>
hiddeco
force-pushed
the
release-automation
branch
from
68aa071
to
79bbb22
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request changes the release automation so that it uses GoReleaser.
The configuration for GoReleaser is in the file
.goreleaser.yaml. The configuration for the GitHub Actions workflow is in the filerelease.yml.This configuration is quite sophisticated, and ensures at least the following:
DockerfileandDockerfile.alpinehave been removed in favor of Dockerfiles specifically crafted for GoReleaser in.release/. These Dockerfiles need a specially crafted build context (with pretty much just the binary in it), and do not work using a normaldocker build .....rpmand.debartifacts..darwinartifact is now a "fat binary".👀 Preview (on fork)
🧑🏭 Preview workflow (on fork)
🖥️ Testing locally
Run
make release-snapshotand viewdist/contents.