diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index ee4b89ac..69a54c74 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -18,15 +18,18 @@ on: branches: - main pull_request: - +permissions: + contents: read +env: + GO_VERSION: 1.21.3 jobs: golangci: name: lint runs-on: ubuntu-latest steps: - - uses: actions/setup-go@v4 - with: - go-version: 1.20.6 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: '${{ env.GO_VERSION }}' - name: golangci-lint uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 3a59907c..3f1d45d5 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -20,6 +20,9 @@ on: - main pull_request: +env: + GO_VERSION: 1.21.3 + jobs: license-check: runs-on: ubuntu-latest @@ -27,7 +30,7 @@ jobs: - name: Setup Go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: 1.20.6 + go-version: '${{ env.GO_VERSION }}' - name: checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install addlicense diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml index bf4960b0..79433c51 100644 --- a/.github/workflows/linux.yml +++ b/.github/workflows/linux.yml @@ -25,7 +25,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - go: [ '1.19.x', '1.20.x', '1.21.0' ] + go: [ '1.19.x', '1.20.x', '1.21.x' ] name: Go ${{ matrix.go }} build steps: - name: checkout diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 18ea4acc..7e278dfa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,51 +12,46 @@ # See the License for the specific language governing permissions and # limitations under the License. -name: create release and upload binary - +name: Create Release and Upload Binaries +# run only on tags on: push: tags: - - 'v[0-9]+.[0-9]+.[0-9]+' + - 'v[0-9]+.[0-9]+.[0-9]+' + +permissions: + contents: write # needed to write releases + id-token: write # needed for keyless signing + packages: write # needed to upload artifacts +env: + GO_VERSION: 1.21.3 jobs: - build: + release: runs-on: ubuntu-latest steps: - - name: checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: install go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: 1.20.6 - - - name: get version - id: v - run: echo ::set-output name=tag::$( awk -F '/' '{print $NF}' <<< "${GITHUB_REF}" ) - - - name: build - run: | - go build ./cmd/crypki - tar -czvf crypki-${{ steps.v.outputs.tag }}-linux.tar.gz --transform 's,^,crypki-${{ steps.v.outputs.tag }}-${OS}/,' crypki - - - name: create release - id: create-release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ steps.v.outputs.tag }} - release_name: ${{ steps.v.outputs.tag }} - draft: false - prerelease: false - - - name: upload linux binary - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create-release.outputs.upload_url }} - asset_path: crypki-${{ steps.v.outputs.tag }}-linux.tar.gz - asset_name: crypki-${{ steps.v.outputs.tag }}-linux.tar.gz - asset_content_type: application/gzip + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags) + + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: ${{ env.GO_VERSION }} + + - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + + - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 + with: + cosign-release: 'v2.2.0' # optional + - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 + - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml deleted file mode 100644 index 44a4c3ac..00000000 --- a/.github/workflows/reuse.yml +++ /dev/null @@ -1,161 +0,0 @@ -# Copyright 2022 Yahoo. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -name: Create Publish and Sign Docker Image - -on: - workflow_call: - inputs: - publish_command: - required: true - type: string - image_name: - required: true - type: string - tag: - required: true - type: string - main: - type: string - secrets: - registry_username: - required: true - registry_password: - required: true -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - id-token: write - steps: - - name: Checkout release - if: ${{ inputs.tag == 'release'}} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - with: - fetch-depth: 0 - - - name: Checkout image - if: ${{ inputs.tag == 'image'}} - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - - name: Unshallow - if: ${{ inputs.tag == 'image'}} - run: git fetch --prune --unshallow --tags - - - name: Set up Go - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 - with: - go-version: ~1.20.6 - - - name: Install Cosign - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - with: - cosign-release: 'v1.11.0' - - - name: Cache Go modules - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # pin@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - /tmp/ko-cache - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - name: Run Trivy vulnerability scanner in repo mode - if: ${{inputs.tag == 'release'}} - uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Set Version - if: ${{ inputs.tag == 'release'}} - run: | - echo "CRYPKI_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV - - name: Generate SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0 - with: - version: v1 - args: app -licenses -json -output ${{inputs.image_name}}-${{ env.CRYPKI_VERSION }}-bom.cdx.json -main ${{inputs.main}} - - - name: Upload SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: ${{inputs.image_name}}-bom-cdx - path: ${{inputs.image_name}}-v*-bom.cdx.json - - - name: Extract branch name - if: ${{inputs.tag == 'image'}} - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branch - - - name: Check branch - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}} - id: check-branch - run: | - if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then - echo ::set-output name=match::true - fi - - name: ko build dev image - id: ko-publish-dev - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - run: | - set -e - echo "::set-output name=digest::$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" - - name: ko build release image - id: ko-publish - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - run: | - set -e - echo "::set-output name=digest::$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" - - name: Sign dev image - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - run: | - set -e - cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ${{ steps.ko-publish-dev.outputs.digest }} - - name: Sign release-image - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - run: | - set -e - cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ${{ steps.ko-publish.outputs.digest }} - - name : Attach SBOM - if: ${{inputs.tag == 'release'}} - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }} diff --git a/.goreleaser.yml b/.goreleaser.yml new file mode 100644 index 00000000..71c92539 --- /dev/null +++ b/.goreleaser.yml @@ -0,0 +1,52 @@ +project_name: crypki + +gomod: + proxy: true + +env: + - GO111MODULE=on + - COSIGN_YES=true + + +sboms: +- artifacts: binary + +builds: +- main: ./cmd/crypki + goos: + - linux + +kos: + - repository: ghcr.io/theparanoids/crypki + tags: + - '{{.Version}}' + - latest + bare: true + preserve_import_paths: false + platforms: + - linux/amd64 + - linux/arm64 + +signs: +- cmd: cosign + signature: "${artifact}.sig" + certificate: "${artifact}.pem" + args: + - sign-blob + - '--output-certificate=${certificate}' + - '--output-signature=${signature}' + - '${artifact}' + artifacts: all + output: true + +docker_signs: +- cmd: cosign + args: + - 'sign' + - '${artifact}' + artifacts: manifests + output: true + +release: + footer: | + ### Thanks for all contributors! diff --git a/README.md b/README.md index d8be8e0e..0d4351b6 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,7 @@ You should be able to run crypki server on any linux platform as long as you hav Prerequisites: -- Go >= 1.18 +- Go >= 1.19 Run: diff --git a/proto/healthcheck.pb.go b/proto/healthcheck.pb.go index 91de10cb..5cd3dbe0 100644 --- a/proto/healthcheck.pb.go +++ b/proto/healthcheck.pb.go @@ -15,7 +15,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.31.0 -// protoc v4.23.4 +// protoc v4.25.0 // source: healthcheck.proto package proto diff --git a/proto/healthcheck_grpc.pb.go b/proto/healthcheck_grpc.pb.go index f66c4d56..d3958e9f 100644 --- a/proto/healthcheck_grpc.pb.go +++ b/proto/healthcheck_grpc.pb.go @@ -15,7 +15,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v4.23.4 +// - protoc v4.25.0 // source: healthcheck.proto package proto diff --git a/proto/protogen.go b/proto/protogen.go index b7c81b4b..e3e3d553 100644 --- a/proto/protogen.go +++ b/proto/protogen.go @@ -4,7 +4,7 @@ // Package proto contains proto generated code. package proto -// use protoc v4.23.4 +// use protoc v4.25.0 //go:generate protoc -I. -I../third_party/googleapis --go_out=paths=source_relative:. --go-grpc_out=paths=source_relative:. sign.proto healthcheck.proto //go:generate protoc -I. -I../third_party/googleapis --grpc-gateway_out=paths=source_relative:. --grpc-gateway_opt logtostderr=true --grpc-gateway_opt paths=source_relative --grpc-gateway_opt generate_unbound_methods=true sign.proto //go:generate mockgen -source=./sign_grpc.pb.go -destination=./sign_grpc_mock.go -package=proto diff --git a/proto/sign.pb.go b/proto/sign.pb.go index 44398285..78356dfb 100644 --- a/proto/sign.pb.go +++ b/proto/sign.pb.go @@ -4,7 +4,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.31.0 -// protoc v4.23.4 +// protoc v4.25.0 // source: sign.proto package proto diff --git a/proto/sign_grpc.pb.go b/proto/sign_grpc.pb.go index fb60a920..bd9ac9cf 100644 --- a/proto/sign_grpc.pb.go +++ b/proto/sign_grpc.pb.go @@ -4,7 +4,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.3.0 -// - protoc v4.23.4 +// - protoc v4.25.0 // source: sign.proto package proto