chore: add release pipeline

Signed-off-by: Matthew Penner <me@matthewp.io>

.github/workflows/ci.yaml

@@ -11,14 +11,14 @@ on:
 jobs:
  tests:
  name: Test
- permissions:
- contents: read
  runs-on: ${{ matrix.os }}
  strategy:
  fail-fast: false
  matrix:
  os: [ubuntu-22.04]
  go: ["1.21.10", "1.22.3"]
+ permissions:
+ contents: read
 
  steps:
  - name: Setup Go

.github/workflows/release.yaml

@@ -0,0 +1,47 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - "v*"
+
+jobs:
+ release:
+ name: Release
+ runs-on: ${{ matrix.os }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-22.04]
+ go: ["1.22.3"]
+ permissions:
+ attestations: write
+ id-token: write
+ contents: write
+ packages: write
+ steps:
+ - name: Setup Go
+ uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+ with:
+ go-version: ${{ matrix.go }}
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+ - name: Install Syft
+ uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+
+ - name: Code checkout
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+ with:
+ fetch-depth: 0
+
+ # https://github.com/actions/checkout/issues/290#issuecomment-680260080
+ - name: Fetch upstream tags
+ run: git fetch --tags --force
+
+ - name: Run Goreleaser
+ uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ COSIGN_EXPERIMENTAL: 1

.goreleaser.yaml

@@ -0,0 +1,91 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 1
+
+metadata:
+ mod_timestamp: "{{ .CommitTimestamp }}"
+
+report_sizes: true
+
+builds:
+ - main: github.com/caddyserver/gateway/cmd
+ binary: caddy-gateway
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ goarch:
+ - amd64
+ - arm64
+ flags:
+ - -trimpath
+
+kos:
+ - repository: ghcr.io/caddyserver/gateway
+ platforms:
+ - linux/amd64
+ - linux/arm64
+ tags:
+ - '{{.Version}}'
+ # TODO: find a way to set the latest package tag, only when the release gets published on GitHub.
+ # we can trigger an action on release_published, but we then need to write a system that "pushes"
+ # the `latest` manifest.
+ # - latest
+ creation_time: '{{.CommitTimestamp}}'
+ ko_data_creation_time: '{{.CommitTimestamp}}'
+ sbom: 'spdx'
+ bare: true
+ base_import_paths: true
+ preserve_import_paths: false
+
+checksum:
+ algorithm: sha512
+ name_template: "CHECKSUMS.txt"
+
+sboms:
+ - artifacts: binary
+ cmd: syft
+ args:
+ - "$artifact"
+ - "--file"
+ - "${document}"
+ - "--output"
+ - "spdx-json"
+
+signs:
+ - cmd: cosign
+ artifacts: all
+ output: true
+ args:
+ - sign-blob
+ - --yes
+ - "--output-certificate=${certificate}"
+ - "--output-signature=${signature}"
+ - "${artifact}"
+
+docker_signs:
+ - cmd: cosign
+ artifacts: manifests # TODO: all?
+ output: true
+ args:
+ - sign
+ - --yes
+ - "${artifact}@${digest}"
+
+release:
+ draft: true
+ prerelease: auto
+ github:
+ owner: caddyserver
+ name: gateway
+
+changelog:
+ use: github
+ sort: asc
+ filters:
+ exclude:
+ - '^chore:'
+ - '^ci:'
+ - '^docs?:'
+ - '^readme:'
+ - '^tests?:'
+ - '^\w+\s+' # a hack to remove commit messages without colons thus don't correspond to a package