feat: goreleaser, multi platform build, cosign (#167)

Author: tomsozolins

.github/workflows/build-and-publish-release.yml

@@ -0,0 +1,81 @@
+name: release
+
+on:
+  push:
+    tags:
+      - v*.*.* # stable release, v0.0.1
+      - v*.*.*-pre.* # pre-release, v0.0.1-pre.calendardate
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write # needed for signing the images with GitHub OIDC Token
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Set up QEMU # required for multi architecture build - https://goreleaser.com/cookbooks/multi-platform-docker-images/?h=multi#other-things-to-pay-attention-to
+        uses: docker/setup-qemu-action@v2
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0 # required for changelog to work properly - https://github.com/goreleaser/goreleaser-action#usage
+          submodules: true
+
+      - name: Install NodeJS
+        uses: actions/setup-node@v3
+        with:
+          node-version: '17'
+
+      - name: Build argo-watcher UI
+        run: make build-ui
+
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Install Syft for SBOM Generation
+        uses: anchore/sbom-action@v0
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: go.mod
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser for stable release
+        uses: goreleaser/goreleaser-action@v4
+        if: (!contains(github.ref, 'pre'))
+        with:
+          version: v1.19.2
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Run GoReleaser for pre-release
+        uses: goreleaser/goreleaser-action@v4
+        if: contains(github.ref, 'pre')
+        with:
+          version: v1.19.2
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GORELEASER_CURRENT_TAG: ${{ steps.changelog.outputs.RELEASE_TAG }}
+
+      - name: Update helm chart
+        uses: shini4i/helm-charts-updater@v1
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          github_token: ${{ secrets.GH_TOKEN }}
+          gh_user: shini4i
+          gh_repo: charts
+          chart_name: argo-watcher
+          app_version: ${{ github.ref_name }}
+          update_chart_annotations: true

.github/workflows/release.yaml

@@ -23,3 +23,6 @@ bin/
 # dynamicly generated files
 cmd/argo-watcher/docs
 cmd/argo-watcher/mock
+
+# goreleaser
+dist/

.gitignore

@@ -0,0 +1,94 @@
+before:
+  hooks:
+    - make install-deps docs mocks
+    - go mod tidy
+
+builds:
+  - id: argo-watcher
+    main: ./cmd/argo-watcher
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+
+dockers:
+  - image_templates:
+      - 'ghcr.io/shini4i/{{.ProjectName}}:{{ .Tag }}-amd64'
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.licenses=MIT"
+    goos: linux
+    goarch: amd64
+    extra_files:
+      - web/build
+  - image_templates:
+      - 'ghcr.io/shini4i/{{.ProjectName}}:{{ .Tag }}-arm64'
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.licenses=MIT"
+    goos: linux
+    goarch: arm64
+    extra_files:
+      - web/build
+
+docker_manifests:
+  - name_template: 'ghcr.io/shini4i/{{.ProjectName}}:{{ .Tag }}'
+    image_templates:
+      - 'ghcr.io/shini4i/{{.ProjectName}}:{{ .Tag }}-amd64'
+      - 'ghcr.io/shini4i/{{.ProjectName}}:{{ .Tag }}-arm64'
+
+archives:
+  - format: tar.gz
+    name_template: "{{ .ProjectName }}_{{ .Tag }}_{{ .Os }}_{{ .Arch }}"
+
+sboms:
+  - artifacts: archive
+
+signs:
+  - cmd: cosign
+    certificate: "${artifact}.pem"
+    output: true
+    artifacts: checksum
+    args:
+      - "sign-blob"
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    args:
+      - "sign"
+      - "${artifact}@${digest}"
+      - "--yes"
+
+checksum:
+  name_template: 'checksums.txt'
+
+snapshot:
+  name_template: "{{ incpatch .Version }}-next"
+
+changelog:
+  use:
+    github-native
+
+release:
+  prerelease: auto
+  draft: false

.goreleaser.yaml

@@ -1,13 +1,11 @@
 FROM alpine:3.18
 
-COPY ./bin/argo-watcher /argo-watcher
-COPY ./web/build /static
+COPY argo-watcher /argo-watcher
+COPY web/build /static
 
 RUN addgroup -S argo-watcher && adduser -S argo-watcher -G argo-watcher
 RUN apk add --no-cache ca-certificates
 
-COPY db /db
-
 USER argo-watcher
 
 CMD ["/argo-watcher", "-server"]

Dockerfile

@@ -31,6 +31,12 @@ build: ensure-dirs docs ## Build the binaries
 	@CGO_ENABLED=0 go build -ldflags="-s -w -X main.version=${VERSION}" -o bin/argo-watcher ./cmd/argo-watcher
 	@echo "===> Done"
 
+.PHONY: build-goreleaser
+build-goreleaser:
+	@echo "===> Building [$(CYAN)${VERSION}$(RESET)] version of [$(CYAN)argo-watcher$(RESET)] binary"
+	@goreleaser build --snapshot --clean --single-target
+	@echo "===> Done"
+
 .PHONY: build-ui
 build-ui: ## Build the UI
 	@echo "===> Building UI"

Makefile

@@ -17,6 +17,9 @@ require (
 	github.com/swaggo/gin-swagger v1.5.2
 	github.com/swaggo/swag v1.16.1
 	go.uber.org/mock v0.2.0
+	gorm.io/datatypes v1.2.0
+	gorm.io/driver/postgres v1.5.2
+	gorm.io/gorm v1.25.2
 )
 
 require (
@@ -38,8 +41,6 @@ require (
 	github.com/go-sql-driver/mysql v1.7.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/hashicorp/errwrap v1.1.0 // indirect
-	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
 	github.com/jackc/pgx/v5 v5.3.1 // indirect
@@ -60,15 +61,8 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
-	github.com/uptrace/bun v1.1.14 // indirect
-	github.com/uptrace/bun/dialect/pgdialect v1.1.14 // indirect
-	github.com/uptrace/bun/driver/pgdriver v1.1.14 // indirect
-	github.com/vmihailenco/msgpack/v5 v5.3.5 // indirect
-	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
-	go.uber.org/atomic v1.7.0 // indirect
 	golang.org/x/arch v0.3.0 // indirect
 	golang.org/x/crypto v0.10.0 // indirect
 	golang.org/x/net v0.11.0 // indirect
@@ -77,9 +71,5 @@ require (
 	golang.org/x/tools v0.10.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	gorm.io/datatypes v1.2.0 // indirect
 	gorm.io/driver/mysql v1.4.7 // indirect
-	gorm.io/driver/postgres v1.5.2 // indirect
-	gorm.io/gorm v1.25.2 // indirect
-	mellium.im/sasl v0.3.1 // indirect
 )