This commit hardens the CI/CD pipeline and fixes the release process. - Replaces the manual release process with `goreleaser` to streamline builds and enable artifact signing. - Pins all GitHub Actions to specific commit hashes to prevent supply chain attacks. - Enables cryptographic signing of release artifacts using `cosign` and Sigstore's keyless signing. - Adds a Dependabot configuration to automate dependency updates. - Removes excessive `contents: write` permissions from workflows. - Creates an `AUDIT-CICD.md` file to document the audit findings and remediation steps. - Fixes a build failure by adding a placeholder for a missing demo file. - Updates the `.goreleaser.yaml` to include WASM and console assets in the release, fixing a regression from the previous release process.
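# Goreleaser config for Borg
# Non-invasive: builds the existing CLI binary without changing functionality.
#
# Two fixes over the previous revision:
#   * `signs` now names `cmd: cosign` and the `sign-blob` subcommand. Without
#     `cmd`, GoReleaser falls back to its default signer (gpg) and hands it the
#     cosign-only flags below, so no keyless signature is produced; and with no
#     `certificate` template, `${certificate}` expanded to an empty path.
#   * `before.hooks` are exec'd directly, not through a shell, so inline
#     `GOOS=... go build`, `$(...)`, `2>/dev/null` and `||` need the hook
#     `env:` field or an explicit `sh -c`.
project_name: borg

# GoReleaser v2 config schema (fields are validated strictly).
version: 2

dist: dist

before:
  hooks:
    - go mod tidy
    # Build WASM and console assets before the release build
    - mkdir -p dist
    # Environment for a hook goes in `env:`; a `KEY=value` prefix on the
    # command line would be treated as the executable name.
    - cmd: go build -o dist/stmf.wasm ./pkg/wasm/stmf/
      env:
        - GOOS=js
        - GOARCH=wasm
    # wasm_exec.js lives under misc/wasm or lib/wasm depending on the Go
    # toolchain; try both. Needs a shell for $(...), the redirect and ||.
    - sh -c 'cp "$(go env GOROOT)/misc/wasm/wasm_exec.js" dist/ 2>/dev/null || cp "$(go env GOROOT)/lib/wasm/wasm_exec.js" dist/'
    - go build -o borg main.go
    - ./borg console build -p "borg-demo" -o dist/console.stim -s js/borg-stmf

builds:
  - id: borg
    main: ./main.go
    binary: borg
    env:
      # Static, cgo-free binaries so cross-compiled targets need no C toolchain.
      - CGO_ENABLED=0
    goos:
      - linux
      - darwin
      - windows
      - freebsd
    goarch:
      - amd64
      - arm64
      - arm
    goarm:
      - 6
      - 7
    flags:
      # Strip local filesystem paths from the binary for reproducible builds.
      - -trimpath
    ldflags:
      # Drop symbol table and DWARF debug info.
      - -s -w
    # Reproducible modification time, taken from the commit rather than the clock.
    mod_timestamp: '{{ .CommitDate }}'

archives:
  - id: archive
    builds:
      - borg
    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
    format_overrides:
      - goos: windows
        format: zip
    files:
      - LICENSE.md
      - README.md
      - docs/**

checksum:
  name_template: 'checksums.txt'

# Sigstore keyless signing of the checksum file. Signing checksums.txt (rather
# than each artifact) is enough for verification, since every artifact's hash
# is covered by it; the signature and the short-lived Fulcio certificate are
# uploaded next to it so consumers can run `cosign verify-blob`.
signs:
  - cmd: cosign
    artifacts: checksum
    # Where cosign writes the certificate; this is what `${certificate}`
    # below expands to and what gets attached to the release.
    certificate: '${artifact}.pem'
    args:
      - sign-blob
      # Keyless signing
      - "--yes"
      - "--fulcio-url=https://fulcio.sigstore.dev"
      # Pins the identity-token issuer to GitHub Actions, so signing only
      # succeeds from the CI workflow's OIDC identity.
      - "--oidc-issuer=https://token.actions.githubusercontent.com"
      - "--output-signature=${signature}"
      - "--output-certificate=${certificate}"
      - "${artifact}"

changelog:
  sort: asc
  use: github-native
  filters:
    exclude:
      - '^docs: '
      - '^test: '

release:
  # By default goreleaser creates GitHub releases from tags.
  prerelease: auto
  mode: replace
  # Assets built by the before-hooks, published alongside the archives.
  extra_files:
    - glob: 'dist/stmf.wasm'
    - glob: 'dist/wasm_exec.js'
    - glob: 'dist/console.stim'

brews:
  - name: borg
    repository:
      owner: Snider
      name: homebrew-tap
    # `directory` is the v2 name of the former `folder` key.
    directory: Formula
    homepage: https://github.com/Snider/Borg
    description: "Borg Data Collector CLI"
    commit_author:
      name: goreleaserbot
      email: bot@goreleaser.com
    test: |
      system "#{bin}/borg", "--help"
    install: |
      bin.install "borg"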