From 8627ea88ce473ce5fe243cdf8e2e3087cc067b7e Mon Sep 17 00:00:00 2001 From: Dan Luhring Date: Wed, 11 Nov 2020 14:29:55 -0500 Subject: [PATCH 1/3] Fix usage of goreleaser's artifact pipeline Signed-off-by: Dan Luhring --- .goreleaser.yaml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 23536c5eb..b93427b12 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -6,10 +6,6 @@ release: # If set to true, will not auto-publish the release. This is done to allow us to review the changelog before publishing. draft: true - # This ensures any macOS signed artifacts get included with the release. - extra_files: - - glob: "./dist/*.dmg" - builds: - binary: syft id: syft @@ -61,15 +57,11 @@ archives: - syft-macos signs: - - artifacts: checksum - ids: - - syft # i.e. Linux only - args: ["--output", "${signature}", "--detach-sign", "${artifact}"] - id: syft-macos-signing - signature: "./dist/syft_{{ .Version }}_darwin_amd64.dmg" ids: - syft-macos cmd: ./.github/scripts/mac-sign-and-notarize.sh + signature: "syft_${VERSION}_darwin_amd64.dmg" # This is somewhat unintuitive. This gets the DMG file recognized as an artifact. In fact, both a DMG and a ZIP file are being produced by this signing step. args: - "{{ .IsSnapshot }}" - "gon.hcl" From fde37b4b5685ed62ca24ec8171cbec66d8933581 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Wed, 11 Nov 2020 14:36:24 -0500 Subject: [PATCH 2/3] provide goreleaser asset version via env var Signed-off-by: Alex Goodman --- Makefile | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index c0a6e54e2..e20276431 100644 --- a/Makefile +++ b/Makefile 
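Review bot: The new `signature: "syft_${VERSION}_darwin_amd64.dmg"` entry under `signs` depends on a `VERSION` environment variable that nothing in this patch sets, and the only explanation is a long trailing comment on the same line. If goreleaser records that file as a signature rather than as a build artifact, the DMG is probably absent from the checksum file, so its integrity would rest on notarization alone; that is worth confirming against a release build and writing down. I would move the explanation above the key, e.g. `# Declares the DMG written by the signing script as an artifact; VERSION must be exported by the caller.`, and add the checksum coverage once it is confirmed. The same hunk also drops the `artifacts: checksum` entry, which patch 3/3 of this series restores.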
@@ -273,10 +273,13 @@ release: clean-dist ci-bootstrap-mac changelog-release ## Build and publish fina cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml # release - bash -c "BUILD_GIT_TREE_STATE=$(GITTREESTATE) $(TEMPDIR)/goreleaser \ - --rm-dist \ - --config $(TEMPDIR)/goreleaser.yaml \ - --release-notes <(cat CHANGELOG.md)" + bash -c "\ + BUILD_GIT_TREE_STATE=$(GITTREESTATE) \ + VERSION=$(VERSION) \ + $(TEMPDIR)/goreleaser \ + --rm-dist \ + --config $(TEMPDIR)/goreleaser.yaml \ + --release-notes <(cat CHANGELOG.md)" # verify checksum signatures .github/scripts/verify-signature.sh "$(DISTDIR)" From 7e270bf76c174dbf399573236d62c1cebfaca142 Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Wed, 11 Nov 2020 15:11:51 -0500 Subject: [PATCH 3/3] restore the checksum file during release Signed-off-by: Alex Goodman --- .goreleaser.yaml | 7 +++++++ Makefile | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index b93427b12..f1fd98345 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -57,6 +57,13 @@ archives: - syft-macos signs: + - artifacts: checksum + cmd: sh + args: + - '-c' + # we should not include the zip artifact, as the artifact is mutated throughout the next macOS notarization step + # note: sed -i is not portable + - 'sed "/.*\.zip/d" ${artifact} > tmpfile && mv tmpfile ${artifact} && gpg --output ${signature} --detach-sign ${artifact}' - id: syft-macos-signing ids: - syft-macos diff --git a/Makefile b/Makefile index e20276431..f44a26289 100644 --- a/Makefile +++ b/Makefile 
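Review bot: `VERSION=$(VERSION)` is expanded by make into the double-quoted `bash -c` string without any quoting, so whatever the variable holds is parsed by the shell instead of being passed as a plain value; `BUILD_GIT_TREE_STATE=$(GITTREESTATE)` on the line above has the same shape. Where `VERSION` is defined is outside this hunk, but if it comes from a git tag or the environment it should be treated as untrusted input in a release job. Single-quoting the assignments, `BUILD_GIT_TREE_STATE='$(GITTREESTATE)' \` and `VERSION='$(VERSION)' \`, and rejecting a value that does not look like a version before the recipe runs, would close that. The later Makefile hunk in patch 3/3 rewrites the line as `VERSION=$(VERSION:v%=%)` and needs the same treatment.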
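Review bot: The `sed "/.*\.zip/d"` filter in the restored checksum signer drops every line that contains `.zip`, not only the macOS archive the comment refers to, so any other zip the release produces now or later would silently lose its entry in the signed checksum file. The command also writes to a fixed `tmpfile` in the working directory and passes `${artifact}` and `${signature}` unquoted. Assuming the zip follows the DMG's `_darwin_` naming, I would narrow and quote it: `'sed "/_darwin_.*\.zip$/d" "${artifact}" > "${artifact}.tmp" && mv "${artifact}.tmp" "${artifact}" && gpg --output "${signature}" --detach-sign "${artifact}"'`. It is also worth stating in the comment that the macOS zip is then not covered by the GPG-signed checksums, so that consumers know to rely on notarization for that file.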
@@ -272,10 +272,10 @@ release: clean-dist ci-bootstrap-mac changelog-release ## Build and publish fina echo "dist: $(DISTDIR)" > $(TEMPDIR)/goreleaser.yaml cat .goreleaser.yaml >> $(TEMPDIR)/goreleaser.yaml - # release + # release (note the version transformation from v0.7.0 --> 0.7.0) bash -c "\ BUILD_GIT_TREE_STATE=$(GITTREESTATE) \ - VERSION=$(VERSION) \ + VERSION=$(VERSION:v%=%) \ $(TEMPDIR)/goreleaser \ --rm-dist \ --config $(TEMPDIR)/goreleaser.yaml \
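Review bot: The new comment on the release step records that the `v` prefix is stripped but not why, and `$(VERSION:v%=%)` passes a value that does not start with `v` through unchanged. The value appears to exist to fill `${VERSION}` in the `signature:` name in `.goreleaser.yaml`, so a mismatch with the file name the signing script actually writes would presumably go unnoticed until the DMG is missing from the release. I would say so in the comment, e.g. `# release (VERSION without the leading "v" must match the DMG name declared under signs in .goreleaser.yaml)`.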