diff --git a/.github/workflows/_test-acceptance.tmpl.yaml b/.github/workflows/_test-acceptance.tmpl.yaml index 959e52f..76d3010 100644 --- a/.github/workflows/_test-acceptance.tmpl.yaml +++ b/.github/workflows/_test-acceptance.tmpl.yaml @@ -48,6 +48,14 @@ jobs: name: vault-plugin-secrets-nexus-repository path: dist/bin + - name: Download plugin from release + if: github.action_ref == 'v*' + run: | + set -euo pipefail + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64" + mkdir -p "${VAULT_PLUGIN_DIR}" + mv "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64" "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository" + - name: Run test shell: bash env: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..66bd096 --- /dev/null +++ b/.github/workflows/release.yaml 
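Review bot: The added step's guard `if: github.action_ref == 'v*'` will not select tag builds: `==` in workflow expressions is exact string comparison with no glob matching, and `github.action_ref` (where populated at all) describes the ref of the action or called workflow, not the pushed tag, so the step only runs if that ref is literally `v*`. For a reusable workflow invoked on a tag push, test the run's own ref instead, e.g. `if: startsWith(github.ref, 'refs/tags/')`, and give the preceding artifact-download step the negated guard so exactly one of the two populates the plugin directory. The `gh release download` call also has no `GH_TOKEN` in its `env:`; a caller's workflow-level `env` is not passed into a reusable workflow, so unless this template sets the token elsewhere the download will run unauthenticated. The enclosing job and its earlier steps begin before this hunk.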
@@ -0,0 +1,116 @@
+name: Release with SLSA
+
+on:
+ # For manual tests.
+ workflow_dispatch:
+ push:
+ tags:
+ - "*" # triggers only if push new tag version, like `0.8.4`.
+ # Run daily as a dry-run/test.
+ schedule:
+ - cron: "0 1 * * *"
+
+permissions: read-all
+
+env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ISSUE_REPOSITORY: manhtukhang/vault-plugin-secrets-nexus-repository
+ # In case daily runs fail, the label for filing the issue
+ HEADER: release
+
+jobs:
+ args:
+ runs-on: ubuntu-latest
+ outputs:
+ version: ${{ steps.ldflags.outputs.version }}
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ # - name: Generate SLSA Goreleaser config files
+ # run: |
+ # mkdir -p .slsa-goreleaser/
+ # for os in "linux windows darwin"; do
+ # for arch in "amd64 arm64"; do
+ # sed "s/__REPLACE_GOOS__/${os}; s/__REPLACE_GOARCH__/${arch}/g" .slsa-goreleaser.tmpl.yaml > ".slsa-goreleaser/${os}-${arch}.yaml"
+ # done
+ # done
+ # - name: Upload SLSA Goreleaser config files
+ # uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ # with:
+ # name: slsa-goreleaser
+ # path: slsa-goreleaser
+ # if-no-files-found: error
+ - name: Generate dynamic LDFlags
+ id: ldflags
+ run: |
+ echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
+
+ build-provenance:
+ name: build-${{matrix.os}}-${{matrix.arch}}
+ needs: [ args ]
+ strategy:
+ matrix:
+ os:
+ - linux
+ # - windows
+ # - darwin
+ arch:
+ - amd64
+ # - arm64
+ permissions:
+ actions: read # For the detection of GitHub Actions environment.
+ id-token: write # For signing.
+ contents: write # For asset uploads.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0 # always use a tag @X.Y.Z for for slsa builders, not SHA!
+ with:
+ go-version-file: "go.mod"
+ config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yaml
+ compile-builder: false
+ draft-release: true
+ evaluated-envs: "VERSION:${{needs.args.outputs.version}}"
+
+ verification:
+ needs: [ build-provenance ]
+ runs-on: ubuntu-latest
+ if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
+ permissions: read-all
+ steps:
+ - name: Install the verifier
+ uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
+
+ - name: Download assets
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
+ ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
+ run: |
+ set -euo pipefail
+
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ARTIFACT"
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+
+ - name: Verify assets
+ env:
+ ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
+ ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
+ run: |
+ set -euo pipefail
+
+ echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
+ slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
+ --source-uri "github.com/$GITHUB_REPOSITORY" \
+ --source-tag "$GITHUB_REF_NAME" \
+ "$ARTIFACT"
+ test:
+ needs: [ build-provenance ]
+ if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
+ strategy:
+ matrix:
+ vault: [ "1.17.6", "1.18.2" ]
+ nexus: [ "3.73.0", "3.74.0" ]
+ uses: ./.github/workflows/_test-acceptance.tmpl.yaml
+ with:
+ vault-version: ${{ matrix.vault }}
+ nxr-version: ${{ matrix.nexus }}
+ vault-plugin-dir: ./dist/bin
diff --git a/.slsa-goreleaser/darwin-amd64.yaml b/.slsa-goreleaser/darwin-amd64.yaml
new file mode 100644
index 0000000..eebd2cb
--- /dev/null
+++ b/.slsa-goreleaser/darwin-amd64.yaml
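Review bot: The `test` job at the end of the hunk depends only on `build-provenance`, so the acceptance tests fetch and execute the release binary before the `verification` job has checked its SLSA provenance, and a provenance failure would surface only after an unverified binary has already been run. Gate it with `needs: [ build-provenance, verification ]` so the artifact is exercised only once slsa-verifier has accepted it; both jobs already share the same `if:` condition. Separately, the tag-trigger comment says tags look like `0.8.4`, yet `cut -c2-` in the ldflags step strips the first character of the `git describe` output, which only makes sense for `v`-prefixed tags (for `0.8.4` it yields `.8.4`); either filter with `- "v*"` or drop the `cut`. Note also that the workflow-level `env` block, including `GH_TOKEN`, is not inherited by the reusable workflow called from `test`, so the callee must set its own token. The `ISSUE_REPOSITORY` and `HEADER` entries appear unused by any job in this file and look like leftovers from a template.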
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: darwin
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"
diff --git a/.slsa-goreleaser/darwin-arm64.yaml b/.slsa-goreleaser/darwin-arm64.yaml
new file mode 100644
index 0000000..e340d54
--- /dev/null
+++ b/.slsa-goreleaser/darwin-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: darwin
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"
diff --git a/.slsa-goreleaser/linux-amd64.yaml b/.slsa-goreleaser/linux-amd64.yaml
new file mode 100644
index 0000000..4230cc7
--- /dev/null
+++ b/.slsa-goreleaser/linux-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: linux
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"
diff --git a/.slsa-goreleaser/linux-arm64.yaml b/.slsa-goreleaser/linux-arm64.yaml
new file mode 100644
index 0000000..74b356c
--- /dev/null
+++ b/.slsa-goreleaser/linux-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: linux
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"
diff --git a/.slsa-goreleaser/windows-amd64.yaml b/.slsa-goreleaser/windows-amd64.yaml
new file mode 100644
index 0000000..0a0a359
--- /dev/null
+++ b/.slsa-goreleaser/windows-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: windows
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"
diff --git a/.slsa-goreleaser/windows-arm64.yaml b/.slsa-goreleaser/windows-arm64.yaml
new file mode 100644
index 0000000..791a8c9
--- /dev/null
+++ b/.slsa-goreleaser/windows-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+ - CGO_ENABLED=0
+goos: windows
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+ - -trimpath
+ldflags:
+ - -s
+ - -w
+ - "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"