From 3852393586b5b24f56b60b19a33f0d0b84727d00 Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Mon, 18 Aug 2025 15:23:36 -0700
Subject: [PATCH 1/4] reusable workflow for go build release using goreleaser
---
 .github/workflows/go-build-release.yml | 139 +++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 .github/workflows/go-build-release.yml
diff --git a/.github/workflows/go-build-release.yml b/.github/workflows/go-build-release.yml
new file mode 100644
index 0000000..7686386
--- /dev/null
+++ b/.github/workflows/go-build-release.yml
@@ -0,0 +1,139 @@
+name: Go Build and Release with GoReleaser
+
+on:
+ workflow_call:
+ inputs:
+ go-version:
+ description: 'Go version to use'
+ required: false
+ type: string
+ default: 'stable'
+ fetch-depth:
+ description: 'Git fetch depth for checkout'
+ required: false
+ type: number
+ default: 0
+ fetch-tags:
+ description: 'Whether to fetch tags during checkout'
+ required: false
+ type: number
+ default: 1
+ cgo-enabled:
+ description: 'Set CGO_ENABLED environment variable'
+ required: false
+ type: string
+ default: ''
+ additional-env-vars:
+ description: 'Additional environment variables to set (KEY=value format, one per line)'
+ required: false
+ type: string
+ default: ''
+ pre-build-commands:
+ description: 'Commands to run before GoReleaser (multiline string)'
+ required: false
+ type: string
+ default: ''
+ goreleaser-version:
+ description: 'GoReleaser version to use'
+ required: false
+ type: string
+ default: 'latest'
+ goreleaser-args:
+ description: 'Additional arguments for goreleaser'
+ required: false
+ type: string
+ default: 'release --clean'
+ attestation-binary-path:
+ description: 'Path for binary attestation'
+ required: false
+ type: string
+ default: 'dist/*'
+ registry-name:
+ description: 'Container registry name (e.g., ghcr.io/openchami/project-name) to Generate build provenance for container'
+ required: true
+ type: string
+
+permissions: write-all # Necessary for the generate-build-provenance action with containers
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: ${{ inputs.go-version }}
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Docker Login
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-tags: ${{ inputs.fetch-tags }}
+ fetch-depth: ${{ inputs.fetch-depth }}
+
+ - name: Set 
build environment variables
+ run: |
+ echo "GIT_STATE=$(if git diff-index --quiet HEAD --; then echo 'clean'; else echo 'dirty'; fi)" >> $GITHUB_ENV
+ echo "BUILD_HOST=$(hostname)" >> $GITHUB_ENV
+ echo "GO_VERSION=$(go version | awk '{print $3}')" >> $GITHUB_ENV
+ echo "BUILD_USER=$(whoami)" >> $GITHUB_ENV
+
+ - name: Set CGO_ENABLED if specified
+ if: ${{ inputs.cgo-enabled != '' }}
+ run: echo "CGO_ENABLED=${{ inputs.cgo-enabled }}" >> $GITHUB_ENV
+
+ - name: Set additional environment variables
+ if: ${{ inputs.additional-env-vars != '' }}
+ run: |
+ # Process additional environment variables
+ echo "${{ inputs.additional-env-vars }}" | while IFS= read -r line; do
+ if [[ -n "$line" && "$line" == *"="* ]]; then
+ echo "$line" >> $GITHUB_ENV
+ fi
+ done
+
+ - name: Run pre-build commands
+ if: ${{ inputs.pre-build-commands != '' }}
+ run: ${{ inputs.pre-build-commands }}
+
+ - name: Release with GoReleaser
+ uses: goreleaser/goreleaser-action@v6
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ with:
+ version: ${{ inputs.goreleaser-version }}
+ args: ${{ inputs.goreleaser-args }}
+ id: goreleaser
+
+ - name: Process GoReleaser output
+ id: process_goreleaser_output
+ run: |
+ echo "const fs = require('fs');" > process.js
+ echo 'const artifacts = ${{ steps.goreleaser.outputs.artifacts }}' >> process.js
+ echo "const firstNonNullDigest = artifacts.find(artifact => artifact.extra && artifact.extra.Digest != null)?.extra.Digest;" >> process.js
+ echo "console.log(firstNonNullDigest);" >> process.js
+ echo "fs.writeFileSync('digest.txt', firstNonNullDigest);" >> process.js
+ node process.js
+ echo "digest=$(cat digest.txt)" >> $GITHUB_OUTPUT
+
+ - name: Attest Binaries
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: ${{ inputs.attestation-binary-path }}
+
+ - name: Generate build provenance for container
+ if: ${{ steps.process_goreleaser_output.outputs.digest != '' && steps.process_goreleaser_output.outputs.digest != 'undefined' }}
+ uses: 
actions/attest-build-provenance@v1
+ with:
+ subject-name: ${{ inputs.registry-name }}
+ subject-digest: ${{ steps.process_goreleaser_output.outputs.digest }}
+ push-to-registry: true
From dd1fefc6123cd39b5aa3617467e5252ef498a1b8 Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Mon, 18 Aug 2025 15:36:09 -0700
Subject: [PATCH 2/4] update name
---
 .github/workflows/go-build-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/go-build-release.yml b/.github/workflows/go-build-release.yml
index 7686386..b4b2221 100644
--- a/.github/workflows/go-build-release.yml
+++ b/.github/workflows/go-build-release.yml
@@ -56,7 +56,7 @@ on:
 permissions: write-all # Necessary for the generate-build-provenance action with containers
 jobs:
- build:
+ build_and_release:
 runs-on: ubuntu-latest
 steps:
 - name: Set up Go
From 346ee4a90aa78139e47ee35596095b666ed34cfc Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Mon, 18 Aug 2025 15:40:18 -0700
Subject: [PATCH 3/4] updated docs
---
 README.md | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 1c131a3..a05ff42 100644
--- a/README.md
+++ b/README.md
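Review bot: `permissions: write-all` hands every scope to the job, although the steps shown need only `contents: write` for the GoReleaser release, `packages: write` for the ghcr.io login and `push-to-registry: true`, and `id-token: write` plus `attestations: write` for the two `attest-build-provenance` steps; the trailing comment justifies just the attestation step, so an explicit least-privilege block is the better form, and callers can still narrow it further. Three `run:` scripts expand `${{ ... }}` straight into the shell text — `inputs.additional-env-vars` inside double quotes, `inputs.pre-build-commands` as the whole script, and in "Process GoReleaser output" `steps.goreleaser.outputs.artifacts` inside single quotes — so a quote, backtick or `$(` in the expanded value is interpreted by the shell instead of treated as data; the artifacts JSON is the one a caller does not choose (it carries file names produced by the build), so it at least should be passed through `env:` and read as `"$ARTIFACTS_JSON"`. The `fetch-tags` input is declared `type: number` with default `1`, but actions/checkout documents `fetch-tags` as a boolean and, as far as I can tell, treats only the literal `true` as enabled, so a caller that raises `fetch-depth` above 0 would silently check out without the tags GoReleaser versions from; `type: boolean` / `default: true` matches the consumer. In the same processing step, `fs.writeFileSync('digest.txt', firstNonNullDigest)` receives `undefined` when no artifact carries a digest, which I believe throws in Node rather than producing the `'undefined'` text that the later `if:` guard checks for.
```yaml
permissions:
  contents: write      # GoReleaser uploads release assets
  packages: write      # ghcr.io login and push-to-registry
  id-token: write      # OIDC token for attest-build-provenance
  attestations: write  # attest-build-provenance stores attestations
# … unchanged: jobs, setup, checkout, env and pre-build steps …
      - name: Process GoReleaser output
        id: process_goreleaser_output
        env:
          ARTIFACTS_JSON: ${{ steps.goreleaser.outputs.artifacts }}
        run: |
          cat > process.js <<'EOF'
          const fs = require('fs');
          const artifacts = JSON.parse(process.env.ARTIFACTS_JSON);
          const digest = artifacts.find(a => a.extra && a.extra.Digest != null)?.extra.Digest;
          fs.writeFileSync('digest.txt', digest ?? '');
          EOF
          node process.js
          echo "digest=$(cat digest.txt)" >> "$GITHUB_OUTPUT"
# … unchanged: attestation steps …
```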
@@ -6,19 +6,50 @@ Reusable GitHub Actions for CI/CD.
 - `actions/gpg-ephemeral-key`: Ephemeral key generation for RPM/GPG signing
 - `actions/sign-rpm`: RPM signing with ephemeral keys
+- `.github/workflows/go-build-release.yml`: Reusable workflow for GoReleaser builds
 ## Versioning & Usage
 Use major version tags for stability:
 ```yaml
+# For actions
 - uses: OpenCHAMI/github-actions/actions/gpg-ephemeral-key@v1
 - uses: OpenCHAMI/github-actions/actions/sign-rpm@v1
+
+# For reusable workflows
+jobs:
+ release:
+ uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v2
 ```
 Pin a commit SHA internally for maximum supply‑chain safety if desired.
-## Actions Overview
+## Actions and Workflows Overview
+
+### go-build-release (Reusable Workflow)
+Standardized GoReleaser workflow for building and releasing Go applications with:
+- Multi-architecture builds (linux/amd64, linux/arm64)
+- Flexible pre-build setup steps
+- Wraps `goreleaser-action` action with all .gorelease.yaml configurations
+- Container image builds and publishing
+- Binary and container attestation/signing
+
+**Usage:**
+```yaml
+jobs:
+ release:
+ uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v2
+ with:
+ pre-build-commands: |
+ go install github.com/swaggo/swag/cmd/swag@latest
+ attestation-binary-path: "dist/cloud-init*"
+ registry-name: ghcr.io/openchami/cloud-init
+
+```
+
+**Documentation:** [docs/go-build-release.md](docs/go-build-release.md)
+**Examples:** [examples/](examples/)
 ### gpg-ephemeral-key
 Generates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated `GNUPGHOME`, signs it with a repo‑scoped subkey you provide, and outputs:
From 508f7e65dcbab5a15162884f0e68d8ba4f01e0b3 Mon Sep 17 00:00:00 2001
From: Taylor Ludwig
Date: Mon, 18 Aug 2025 15:47:47 -0700
Subject: [PATCH 4/4] update path
---
 README.md | 9 ++++-----
 {.github/workflows => workflows}/go-build-release.yml | 0
 2 files changed, 4 insertions(+), 5 deletions(-)
 rename {.github/workflows => workflows}/go-build-release.yml (100%)
diff --git a/README.md b/README.md
index a05ff42..ee0a6f3 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ Reusable GitHub Actions for CI/CD.
 - `actions/gpg-ephemeral-key`: Ephemeral key generation for RPM/GPG signing
 - `actions/sign-rpm`: RPM signing with ephemeral keys
-- `.github/workflows/go-build-release.yml`: Reusable workflow for GoReleaser builds
+- `workflows/go-build-release.yml`: Reusable workflow for GoReleaser builds
 ## Versioning & Usage
@@ -20,7 +20,7 @@ Use major version tags for stability:
 # For reusable workflows
 jobs:
 release:
- uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v2
+ uses: OpenCHAMI/github-actions/workflows/go-build-release.yml@v2
 ```
 Pin a commit SHA internally for maximum supply‑chain safety if desired.
@@ -39,7 +39,7 @@ Standardized GoReleaser workflow for building and releasing Go applications with
 ```yaml
 jobs:
 release:
- uses: OpenCHAMI/github-actions/.github/workflows/go-build-release.yml@v2
+ uses: OpenCHAMI/github-actions/workflows/go-build-release.yml@v2
 with:
 pre-build-commands: |
 go install github.com/swaggo/swag/cmd/swag@latest
@@ -48,8 +48,7 @@ jobs:
 ```
-**Documentation:** [docs/go-build-release.md](docs/go-build-release.md)
-**Examples:** [examples/](examples/)
+See the [workflow](workflows/go-build-release.yml) for additional input parameters.
 ### gpg-ephemeral-key
 Generates a short‑lived RSA key (default 3072‑bit, 1 day) using an isolated `GNUPGHOME`, signs it with a repo‑scoped subkey you provide, and outputs:
diff --git a/.github/workflows/go-build-release.yml b/workflows/go-build-release.yml
similarity index 100%
rename from .github/workflows/go-build-release.yml
rename to workflows/go-build-release.yml