This repository has been archived by the owner on Oct 30, 2024. It is now read-only.

go releaser action #539

Merged
merged 7 commits into from
Mar 30, 2023
Changes from 4 commits
64 changes: 64 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,64 @@
name: release

on:
push:
tags: [ v*.*.* ]

env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}

jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
Contributor

Question: why contents: write?

Contributor Author

oh, I got it from toxiproxy: https://github.com/Shopify/toxiproxy/blob/master/.github/workflows/release.yml#L17

I assumed the release action required write to be able to create a draft release?

Contributor Author

also it seems it's required? https://github.com/marketplace/actions/create-release#example

In the example above only required permissions for the action specified (which is contents: write). If you add other actions to the same workflow you should expand permissions block accordingly.

packages: write

steps:
-
name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0

-
name: GPG config
run: |
mkdir -p ~/.gnupg
cat << EOF >> ~/.gnupg/options
keyserver keys.openpgp.org
keyserver-options auto-key-retrieve
EOF

-
name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
Contributor

Idea: if you track the semver tag in a comment, Dependabot should update both!
example / example PR.

I really dig it: you get the immutability of pinning a tag, without losing the visibility that the tag provides.

Contributor Author

oh, neat! will add it! thank you!

Contributor Author

will be addressed in a separate PR as per: #547

with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

-
name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
check-latest: true
cache: true
-
name: Build release changelog
run: |
version=${GITHUB_REF#refs/tags/v*}
mkdir -p tmp
sed '/^# \['$version'\]/,/^# \[/!d;//d;/^\s*$/d' CHANGELOG.md > tmp/release_changelog.md

-
name: Release
uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757
with:
distribution: goreleaser
version: v1.10.3
args: release --rm-dist --release-notes=tmp/release_changelog.md
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
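Review bot: the changelog extraction in the `Build release changelog` step cannot match the CHANGELOG.md added in this PR: `sed '/^# \['$version'\]/,/^# \[/!d;//d;/^\s*$/d'` anchors on bracketed headings such as `# [0.22.0]`, while the file uses `# 0.22.0`, so `tmp/release_changelog.md` comes out empty and the release is created with no notes. Either drop the `\[` / `\]` from both patterns or bracket the headings. Two smaller points in the same hunk: `actions/checkout@v3` and `actions/setup-go@v3` are pinned to mutable major tags while `docker/login-action` and `goreleaser/goreleaser-action` are pinned to commit SHAs, so the four `uses:` lines should follow one policy (SHA plus version comment, as discussed above); and the `GPG config` step writes to `~/.gnupg/options`, which is the legacy GnuPG 1 file name, so on ubuntu-latest's gpg 2 it is most likely never read, and nothing in the diff shown (there is no `signs:` section in .goreleaser.yml) consumes a GPG setup anyway. If the keyserver config is kept, note that `auto-key-retrieve` only fetches keys; it does not make a fetched key trusted, so any verification step must still check the expected fingerprint.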
18 changes: 18 additions & 0 deletions .goreleaser.yml
@@ -5,6 +5,15 @@ release:
name: kubeaudit
draft: true
name_template: "{{.ProjectName}}-v{{.Version}}"
dockers:
- dockerfile: goreleaser.Dockerfile
goos: linux
goarch: amd64
goarm: ''
image_templates:
- "ghcr.io/shopify/kubeaudit:latest"
- "ghcr.io/shopify/kubeaudit:{{ .Tag }}"
- "ghcr.io/shopify/kubeaudit:v{{ .Major }}.{{ .Minor }}"
Contributor

Noice: this pattern is cool!

Contributor Author

this is the pattern that we had before, but were pointing to docker hub registries instead

builds:
- goos:
- linux
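Review bot: with `draft: true` the GitHub release stays unpublished until someone approves it, but the `dockers:` block has no such gate: goreleaser pushes all three `image_templates` during the run, so `ghcr.io/shopify/kubeaudit:latest` and the `v{{ .Major }}.{{ .Minor }}` tag move to the new build before the release notes are reviewed. If the draft is meant as a review gate, consider dropping `latest` from this list and retagging at publish time, or document that image publication is not gated. Also, `dockerfile: goreleaser.Dockerfile` is referenced here but does not appear among the 4 commits in this view, so make sure it lands in the same PR.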
@@ -17,6 +26,15 @@ builds:
binary: kubeaudit
ldflags:
- -s -w -X github.com/Shopify/kubeaudit/cmd.Version={{.Version}} -X github.com/Shopify/kubeaudit/cmd.Commit={{.Commit}} -X github.com/Shopify/kubeaudit/cmd.BuildDate={{.Date}}

changelog:
sort: asc
filters:
exclude:
- "^docs:"
- "^test:"
- ^Merge

archives:
- format: tar.gz
name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
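Review bot: the new `changelog:` block (`sort: asc` plus the `exclude` filters) is dead configuration as long as release.yml runs `goreleaser release --rm-dist --release-notes=tmp/release_changelog.md`, because that flag makes goreleaser use the supplied file and skip its own changelog generation. Keep one source of release notes, either this block or the sed-extracted CHANGELOG.md, and remove the other so the filters do not suggest they are being applied.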
15 changes: 15 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,15 @@
# Unreleased
* tba

# 0.22.0

* support for metadata info on sarif result
* Makefile fix for go mod tidy
* test without Kind by default
* deprecate kubernetes.io in override labels


# 0.21.0
* the Seccomp auditor has been updated to flag missing Seccomp profiles in securityContext instead of deprecated seccomp annotations. Thank you @Ser87ch, for your amazing contribution! 👏

* Override added for the unconfined apparmor profile! Once again, thank you @Ser87ch! 😍
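Review bot: the version headings in this file need to agree with what release.yml's sed range expects (it keys on `^# \[`), so settle on `# 0.22.0` or `# [0.22.0]` here before the first tag is pushed; the `* tba` placeholder under `# Unreleased` is fine as a convention. Style: there is a double blank line before `# 0.21.0`, and the 0.21.0 bullets are separated by blank lines while the 0.22.0 bullets are not.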