From 1868e3d325875957c09d890e13afc64d667a0618 Mon Sep 17 00:00:00 2001
From: Christian Rebischke
Date: Wed, 22 Sep 2021 00:48:02 +0200
Subject: [PATCH] add signed release builds
---
 .github/workflows/build.yml | 28 ----------------
 .github/workflows/goreleaser.yml | 57 ++++++++++++++++++++++++++++++++
 .gitignore | 12 +++++++
 .goreleaser.yaml | 26 +++++++++++++++
 cmd/version.go | 33 ++++++++++++++++++
 5 files changed, 128 insertions(+), 28 deletions(-)
 delete mode 100644 .github/workflows/build.yml
 create mode 100644 .github/workflows/goreleaser.yml
 create mode 100644 .goreleaser.yaml
 create mode 100644 cmd/version.go
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
deleted file mode 100644
index 2cbe948d..00000000
--- a/.github/workflows/build.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-on: [push, pull_request]
-name: build
-jobs:
- test:
- strategy:
- matrix:
- go-version: [1.16.x, 1.17.x]
- os: [ubuntu-latest, macos-latest, windows-latest]
- runs-on: ${{ matrix.os }}
- steps:
- - name: Install Go
- uses: actions/setup-go@v2
- with:
- go-version: ${{ matrix.go-version }}
- - name: Checkout code
- uses: actions/checkout@v2
- name: Format Unix
- if: runner.os == 'Linux'
- run: test -z $(go fmt ./...)
- name: Test
- run: go test -covermode atomic -coverprofile='profile.cov' ./...
- name: Send coverage
- if: runner.os == 'Linux'
- env:
- COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- GO111MODULE=off go get github.com/mattn/goveralls
- $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
new file mode 100644
index 00000000..b955f077
--- /dev/null
+++ b/.github/workflows/goreleaser.yml
@@ -0,0 +1,57 @@
+name: release
+on: [push, pull_request]
+jobs:
+ test:
+ strategy:
+ matrix:
+ go-version: [ 1.16.x, 1.17.x ]
+ os: [ ubuntu-latest, macos-latest, windows-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Format Unix
+ if: runner.os == 'Linux'
+ run: test -z $(go fmt ./...)
+ - name: Test
+ run: go test -covermode atomic -coverprofile='profile.cov' ./...
+ - name: Send coverage
+ if: runner.os == 'Linux'
+ env:
+ COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ GO111MODULE=off go get github.com/mattn/goveralls
+ $(go env GOPATH)/bin/goveralls -coverprofile=profile.cov -service=github
+ release:
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ needs: test
+ if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.17
+ - name: install cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v1.4.1'
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ distribution: goreleaser
+ version: 'v1.1.0'
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index e660fd93..37d1b1fc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,13 @@
+# goreleaser distribution directory
+dist
+
+# GoLand idea configuration
+.idea
+
+# VSCode configuration
+.vscode
+
+# ignore cosign private key
+cosign.key
+
 bin/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
new file mode 100644
index 00000000..75997c76
--- /dev/null
+++ b/.goreleaser.yaml
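Review bot: `uses: sigstore/cosign-installer@main` in the release job fetches the tool that signs every release artifact from a mutable branch, so anyone who can move that branch controls the binary doing the signing; `cosign-release: 'v1.4.1'` only selects which cosign the unpinned installer downloads, it does not pin the installer itself. Pin the installer to an immutable ref, ideally a full commit SHA with the version in a trailing comment, and treat `actions/checkout@v2`, `actions/setup-go@v2` and `goreleaser/goreleaser-action@v2` the same way, since major-version tags can be re-pointed too. The `test` job declares no `permissions:` block and therefore inherits the repository's default token scope on every push and pull_request run, while it only needs to read the checkout and post coverage; a workflow-level `permissions: contents: read` keeps it least-privilege and leaves the `release` job's explicit `id-token: write` / `contents: write` grant intact. Minor: the tag gate is tighter as `startsWith(github.ref, 'refs/tags/')`, and the file is missing its trailing newline.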
@@ -0,0 +1,26 @@
+project_name: in-toto
+builds:
+ - ldflags:
+ - "-s -w"
+ - "-extldflags=-zrelro"
+ - "-extldflags=-znow"
+ - "-X cmd.tag={{.Version}}"
+ - "-X cmd.commit={{.FullCommit}}"
+ - "-X cmd.date={{.CommitDate}}"
+ env:
+ - "CGO_ENABLED=0"
+ - "GO111MODULE=on"
+ - "GOFLAGS=-mod=readonly -trimpath"
+ goos:
+ - linux
+ - darwin
+ - windows
+ goarch:
+ - amd64
+ main: ./
+signs:
+ - cmd: cosign
+ signature: "${artifact}.sig"
+ certificate: "${artifact}.pem"
+ args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
+ artifacts: all
diff --git a/cmd/version.go b/cmd/version.go
new file mode 100644
index 00000000..e2858a22
--- /dev/null
+++ b/cmd/version.go
@@ -0,0 +1,33 @@
+package cmd
+
+import (
+ "fmt"
+ "github.com/spf13/cobra"
+)
+
+var (
+ commit = "none"
+ date = "unknown"
+ tag = "dev"
+)
+
+var versionCmd = &cobra.Command{
+ Use: "version",
+ Short: "Display the version of the in-toto CLI tool",
+ Long: `Display the commit ID, the build date and the version tag of the in-toto CLI as embedded by the build system.`,
+ RunE: version,
+}
+
+func init() {
+ rootCmd.AddCommand(versionCmd)
+}
+
+func version(cmd *cobra.Command, args []string) error {
+ // let us make it as simple as possible.
+ // We could encode the version information as JSON like kubectl does,
+ // but what if the json package has a bug? :/
+ fmt.Println("commit : ", commit)
+ fmt.Println("date : ", date)
+ fmt.Println("version: ", tag)
+ return nil
+}
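Review bot: The `-X cmd.tag={{.Version}}`, `-X cmd.commit=…` and `-X cmd.date=…` ldflags most likely never reach the variables declared in `cmd/version.go`, because `-X` takes the package's full import path (`<module path>/cmd.tag`), not the bare package name; unless this module's path is literally `cmd`, a signed release binary will keep reporting `dev`/`none`/`unknown` from `in-toto version`, which undercuts the one thing a user can check before trusting a download. Use the module path from go.mod, e.g. `"-X <module-path>/cmd.tag={{.Version}}"` for all three, and have CI run the built artifact's `version` subcommand once so a regression is caught. Separately, `-extldflags=-zrelro` and `-extldflags=-znow` are only handed to the external C linker, which is not invoked here because `CGO_ENABLED=0` selects internal linking, so as written they are inert; either drop them or add `# only effective if cgo/external linking is ever re-enabled` next to them so nobody reads them as active hardening.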
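Review bot: `version` prints with `fmt.Println` straight to process stdout, bypassing the writer configured on the command; cobra's idiom is `fmt.Fprintf(cmd.OutOrStdout(), "commit : %s\n", commit)` (and likewise for `date` and `tag`), which makes the output capturable in a test and also removes the doubled space that `Println` inserts after each colon. The `commit`/`date`/`tag` variables carry no comment saying that their values are meant to be overridden by the linker, so a reader cannot tell whether `"dev"` is a placeholder or a real mode; add `// Set at build time via -ldflags "-X <import path>/cmd.<name>=..."; the defaults identify an unreleased local build.` above the `var (` block. The three inline comments inside `version` explain a decision not taken rather than the code present; a single line such as `// Plain text on purpose: keep this path free of encoders so it cannot fail.` says the same with less noise.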