Merge pull request #257 from cpanato/update-release

refactor release

.bom-config.yaml

@@ -0,0 +1,48 @@
+---
+namespace: https://sigs.k8s.io/bom
+license: Apache-2.0
+name: bom
+creator:
+ person: The Kubernetes Authors
+ tool: bom
+
+artifacts:
+  - type: file
+    source: bom-amd64-windows.exe
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-amd64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-amd64-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-arm-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-arm64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-arm64-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-ppc64le-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: bom-s390x-linux
+    license: Apache-2.0
+    gomodules: true

.github/workflows/release.yml

@@ -0,0 +1,48 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: write
+
+    env:
+      COSIGN_YES: "true"
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          fetch-depth: 1
+
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: '1.20'
+          check-latest: true
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+
+      - name: Install GoReleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          install-only: true
+
+      - name: Get TAG
+        id: get_tag
+        run: echo "TAG=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Run Mage
+        uses: magefile/mage-action@3b833fb24c0d19eed3aa760b9eb285b4b84f420f # v2.3.0
+        with:
+          version: latest
+          args: buildBinaries
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/snapshot.yml

@@ -0,0 +1,36 @@
+name: Snapshot
+
+on:
+  push:
+    branches:
+      - 'main'
+  pull_request:
+
+jobs:
+  snapshot:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code onto GOPATH
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: '1.20'
+          check-latest: true
+
+      - name: Install GoReleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          install-only: true
+
+      - name: Run Mage
+        uses: magefile/mage-action@3b833fb24c0d19eed3aa760b9eb285b4b84f420f # v2.3.0
+        with:
+          version: latest
+          args: buildBinariesSnapshot
+
+      - name: check binary
+        run: |
+          ./dist/bom-amd64-linux version
+          cat ./dist/bom.json.spdx

.gitignore

@@ -137,3 +137,4 @@ CHANGELOG-*.html
 bin
 qemu-*-static
 rootfs.tar
+dist/

.goreleaser.yml

@@ -0,0 +1,90 @@
+project_name: bom
+
+env:
+  - GO111MODULE=on
+  - CGO_ENABLED=0
+  - COSIGN_YES=true
+
+before:
+  hooks:
+    - go mod tidy
+    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+
+gomod:
+  proxy: true
+
+builds:
+  - id: bom
+    no_unique_dist_dir: true
+    binary: bom-{{ .Arch }}-{{ .Os }}
+    main: ./cmd/bom
+    goos:
+      - darwin
+      - linux
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - arm
+      - s390x
+      - ppc64le
+    goarm:
+      - '7'
+    ignore:
+      - goos: windows
+        goarch: arm64
+      - goos: windows
+        goarch: arm
+      - goos: windows
+        goarch: s390x
+      - goos: windows
+        goarch: ppc64le
+    flags:
+      - -trimpath
+    ldflags:
+      - "{{ .Env.BOM_LDFLAGS }}"
+
+archives:
+  - format: binary
+    allow_different_binary_count: true
+
+signs:
+  # Keyless
+  - id: bom-keyless
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+    artifacts: all
+
+sboms:
+  - id: bom
+    cmd: ./bom-amd64-linux
+    args:
+      - generate
+      - "--output"
+      - "bom.json.spdx"
+      - "-d"
+      - "../"
+      - "-c"
+      - "../.bom-config.yaml"
+      - "--format"
+      - "json"
+    artifacts: any
+    documents:
+      - "bom.json.spdx"
+
+checksum:
+  name_template: 'checksums.txt'
+
+snapshot:
+  name_template: "{{ .Tag }}-next"
+
+release:
+  github:
+    owner: kubernetes-sigs
+    name: bom
+  prerelease: auto
+
+changelog:
+  skip: true

cloudbuild.yaml

@@ -32,12 +32,6 @@ steps:
       - mage.go
       - buildStaging
 
-artifacts:
-  objects:
-    location: 'gs://k8s-staging-bom/${_PULL_BASE_REF}'
-    paths:
-      - "go/src/sigs.k8s.io/bom/output/*"
-
 substitutions:
   # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
   # can be used as a substitution

go.mod

@@ -18,7 +18,7 @@ require (
 	golang.org/x/term v0.6.0
 	golang.org/x/tools v0.7.0
 	gopkg.in/yaml.v2 v2.4.0
-	sigs.k8s.io/release-utils v0.7.3
+	sigs.k8s.io/release-utils v0.7.4-0.20230327115955-2b998c68e4b6
 )
 
 require (

go.sum

@@ -273,5 +273,5 @@ k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 mvdan.cc/editorconfig v0.2.0/go.mod h1:lvnnD3BNdBYkhq+B4uBuFFKatfp02eB6HixDvEz91C0=
 mvdan.cc/sh/v3 v3.5.1/go.mod h1:1JcoyAKm1lZw/2bZje/iYKWicU/KMd0rsyJeKHnsK4E=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
-sigs.k8s.io/release-utils v0.7.3 h1:6pS8x6c5RmdUgR9qcg1LO6hjUzuE4Yo9TGZ3DemrZdM=
-sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE=
+sigs.k8s.io/release-utils v0.7.4-0.20230327115955-2b998c68e4b6 h1:3RZgcl4MiJO7jGbntYz6oabnF/aPQuqWNkwGR1xoHZE=
+sigs.k8s.io/release-utils v0.7.4-0.20230327115955-2b998c68e4b6/go.mod h1:wWdwP44w/z+zoXg0jUZiHieFcgS3Z5Bi7TP3f18IDOw=