.goreleaser.yml

project_name: cosign

env:
  - GO111MODULE=on
  - CGO_ENABLED=1
  - DOCKER_CLI_EXPERIMENTAL=enabled
  - COSIGN_EXPERIMENTAL=true
  - LATEST_TAG=,latest

# Prevents parallel builds from stepping on each others toes downloading modules
before:
  hooks:
  - go mod tidy
  - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
# if running a release we will generate the images in this step
# if running in the CI the CI env va is set and we dont run the ko steps
# this is needed because we are generating files that goreleaser was not aware to push to GH project release
  - /bin/bash -c 'if [ -z "$CI" ]; then make sign-release-images; fi'

gomod:
  proxy: true

sboms:
- artifacts: binary

builds:
- id: linux
  binary: cosign-linux-{{ .Arch }}
  no_unique_dist_dir: true
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - linux
  goarch:
    - amd64
    - arm64
    - arm
    - s390x
    - ppc64le
  goarm:
    - '7'
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  env:
    - CGO_ENABLED=0

- id: linux-pivkey-pkcs11key-amd64
  binary: cosign-linux-pivkey-pkcs11key-amd64
  no_unique_dist_dir: true
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - linux
  goarch:
    - amd64
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key
  hooks:
    pre:
      - apt-get update
      - apt-get -y install libpcsclite-dev
  env:
    - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/"

- id: darwin-amd64
  binary: cosign-darwin-amd64
  no_unique_dist_dir: true
  env:
    - CC=o64-clang
    - CXX=o64-clang++
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - darwin
  goarch:
    - amd64
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key

- id: darwin-arm64
  binary: cosign-darwin-arm64
  no_unique_dist_dir: true
  env:
    - CC=aarch64-apple-darwin20.2-clang
    - CXX=aarch64-apple-darwin20.2-clang++
  main: ./cmd/cosign
  flags:
    - -trimpath
  goos:
    - darwin
  goarch:
    - arm64
  tags:
    - pivkey
    - pkcs11key
  ldflags:
    - "{{.Env.LDFLAGS}}"

- id: windows-amd64
  binary: cosign-windows-amd64
  no_unique_dist_dir: true
  env:
    - CC=x86_64-w64-mingw32-gcc
    - CXX=x86_64-w64-mingw32-g++
  main: ./cmd/cosign
  mod_timestamp: '{{ .CommitTimestamp }}'
  flags:
    - -trimpath
  goos:
    - windows
  goarch:
    - amd64
  ldflags:
    - -buildmode=exe
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key

- id: sget
  binary: sget-{{ .Os }}-{{ .Arch }}
  no_unique_dist_dir: true
  mod_timestamp: '{{ .CommitTimestamp }}'
  main: ./cmd/sget
  flags:
    - -trimpath
  goos:
    - linux
    - darwin
    - windows
  goarch:
    - amd64
    - arm64
    - arm
    - s390x
    - ppc64le
  goarm:
    - 7
  ignore:
    - goos: windows
      goarch: arm64
    - goos: windows
      goarch: arm
    - goos: windows
      goarch: s390x
    - goos: windows
      goarch: ppc64le
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  env:
    - CGO_ENABLED=0

signs:
  - id: cosign
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
  - id: sget
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
    ids:
      - sget
  # Keyless
  - id: cosign-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
  - id: sget-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
    ids:
      - sget
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: checksum
  - id: packages-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: package

nfpms:
  - id: cosign
    package_name: cosign
    file_name_template: "{{ .ConventionalFileName }}"
    vendor: Sigstore
    homepage: https://sigstore.dev
    maintainer: Sigstore Authors 86837369+sigstore-bot@users.noreply.github.com
    builds:
      - linux
    description: Container Signing, Verification and Storage in an OCI registry.
    license: "Apache License 2.0"
    formats:
      - apk
      - deb
      - rpm
    contents:
      - src: /usr/bin/cosign-linux-{{ .Arch }}
        dst: /usr/bin/cosign
        type: "symlink"

archives:
- format: binary
  name_template: "{{ .Binary }}"
  allow_different_binary_count: true

checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

snapshot:
  name_template: SNAPSHOT-{{ .ShortCommit }}

release:
  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
  draft: true # allow for manual edits
  github:
    owner: sigstore
    name: cosign
  footer: |
    ### Thanks to all contributors!

  extra_files:
    - glob: "./release/release-cosign.pub"
    - glob: "./cosign*.yaml"

rigs:
  - rig:
      owner: sigstore
      name: fish-food
    commit_author:
      name: sigstore-bot
      email: 86837369+sigstore-bot@users.noreply.github.com
    homepage: https://sigstore.dev
    description: Container Signing, Verification and Storage in an OCI registry.
    license: "Apache License 2.0"