build: use goreleaser, new release-workflow and distroless image

Signed-off-by: Christian Kotzbauer <git@ckotzbauer.de>
ckotzbauer · Dec 30, 2021 · 404c629 · 404c629
1 parent c18da7e
commit 404c629
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 163 deletions.
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -9,93 +9,20 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.REPO_ACCESS }}
-
-      - name: Setup Node
-        uses: actions/setup-node@v2.5.1
-        with:
-          node-version: '16'
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: '1.17'
-
-      - name: Setup Kubebuilder
-        uses: RyanSiu1995/kubebuilder-action@v1.2
-        with:
-          version: 3.1.0
-
-      - name: Setup Kubectl
-        uses: azure/setup-kubectl@v1
-        with:
-          version: 'v1.23.0'
-
-      - name: Set up QEMU
-        id: qemu
-        uses: docker/setup-qemu-action@v1
-        with:
-          image: tonistiigi/binfmt:latest
-          platforms: all
-
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v1
-
-      - name: Dockerhub Login
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-
-      - name: GHCR Login
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GHCR_PASSWORD }}
-
-      - name: Build and push image
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          push: true
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            ckotzbauer/access-manager:${{ github.event.inputs.version }}
-            ckotzbauer/access-manager:latest
-            ghcr.io/ckotzbauer/access-manager:${{ github.event.inputs.version }}
-            ghcr.io/ckotzbauer/access-manager:latest
-
-      - name: Generate changelog
-        run: npx @code-chris/changelog-generator --release-version ${{ github.event.inputs.version }} --github-handle ${{ github.repository }} --commit-output commits.md
-
-      - name: Commit files
-        id: commit
-        run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
-          git commit -m "chore: release ${{ github.event.inputs.version }}" -a
-
-      - name: Push changes
-        uses: ad-m/github-push-action@v0.6.0
-        with:
-          github_token: ${{ secrets.REPO_ACCESS }}
-          branch: main
-
-      - name: Create release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          commitish: main
-          tag_name: ${{ github.event.inputs.version }}
-          release_name: ${{ github.event.inputs.version }}
-          body_path: commits.md
-          prerelease: ${{ contains(github.event.inputs.version, 'alpha') || contains(github.event.inputs.version, 'beta') || contains(github.event.inputs.version, 'rc') }}
+    uses: ckotzbauer/actions-toolkit/.github/workflows/toolkit-release-goreleaser.yml@0.2.1
+    with:
+      go-version: 1.17
+      version: ${{ github.event.inputs.version }}
+      docker-platforms: linux/amd64,linux/arm64
+      docker-tags: |
+        ckotzbauer/access-manager:${{ github.event.inputs.version }}
+        ckotzbauer/access-manager:latest
+        ghcr.io/ckotzbauer/access-manager:${{ github.event.inputs.version }}
+        ghcr.io/ckotzbauer/access-manager:latest
+      cosign-repository: ghcr.io/ckotzbauer/access-manager-metadata
+    secrets:
+      token: ${{ secrets.GITHUB_TOKEN }}
+      pat: ${{ secrets.REPO_ACCESS }}
+      dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
+      dockerhub-password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      ghcr-password: ${{ secrets.GHCR_PASSWORD }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -59,6 +59,15 @@ jobs:
         with:
           version: 'v${{ matrix.kubernetes-version }}'
 
+      - name: Install GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: "v1.2.2"
+          install-only: true
+
+      - name: Build binary
+        run: make build
+
       - name: Build image
         uses: docker/build-push-action@v2
         with:
@@ -95,6 +104,15 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v2
 
+      - name: Install GoReleaser
+        uses: goreleaser/goreleaser-action@v2
+        with:
+          version: "v1.2.2"
+          install-only: true
+
+      - name: Build binary
+        run: make build
+
       - name: Build image
         uses: docker/build-push-action@v2
         with:

diff --git a/.gitignore b/.gitignore
@@ -5,7 +5,6 @@
 *.dll
 *.so
 *.dylib
-bin
 dist
 
 # Test binary, build with `go test -c`

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,47 @@
+project_name: access-manager
+before:
+  hooks:
+    - go mod tidy
+builds:
+  - env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarm:
+      - "6"
+      - "7"
+    ignore:
+      - goos: linux
+        goarch: "386"
+    ldflags:
+      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.Date={{.CommitDate}} -X main.BuiltBy=goreleaser
+    mod_timestamp: "{{.CommitTimestamp}}"
+    flags:
+      - -trimpath
+
+sboms:
+  - artifacts: archive
+    args: ["$artifact", "--file", "$document", "--output", "json"]
+
+snapshot:
+  name_template: "{{ .Version }}"
+
+release:
+  disable: true
+
+changelog:
+  skip: true
+
+source:
+  enabled: true
+
+signs:
+  - cmd: cosign
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: all
+    output: true
diff --git a/Dockerfile b/Dockerfile
@@ -1,28 +1,8 @@
-FROM golang:1.17.5-buster as builder
+FROM gcr.io/distroless/base
 
 ARG TARGETOS
 ARG TARGETARCH
 
-ARG version
-ENV VERSION=$version
-
-WORKDIR /go/src/app
-COPY . .
-RUN TARGETOS=${TARGETOS} TARGETARCH=${TARGETARCH} make manager && \
-    mv bin/manager_${TARGETOS}_${TARGETARCH} bin/manager
-
-
-FROM alpine:3.15
-
-ENV USER_UID=1001 \
-    USER_NAME=access-manager
-
-RUN echo "${USER_NAME}:x:${USER_UID}:0:${USER_NAME} user:${HOME}:/sbin/nologin" >> /etc/passwd && \
-    mkdir -p "${HOME}" && \
-    chown "${USER_UID}:0" "${HOME}" && \
-    chmod ug+rwx "${HOME}"
-
-COPY --from=builder /go/src/app/bin/manager /usr/local/bin/access-manager
+COPY dist/access-manager_${TARGETOS}_${TARGETARCH}/access-manager /usr/local/bin/access-manager
 
 ENTRYPOINT ["/usr/local/bin/access-manager"]
-USER ${USER_UID}
diff --git a/Makefile b/Makefile
@@ -25,7 +25,7 @@ else
 GOBIN=$(shell go env GOBIN)
 endif
 
-all: manager
+all: build
 
 # Run unit-tests
 test: generate fmt vet manifests
@@ -36,9 +36,8 @@ e2e-test: kind
 	cd e2e && \
 	bash test.sh $(KIND) $(K8S_VERSION)
 
-# Build manager binary
-manager: generate fmt vet
-	CGO_ENABLED=0 GOOS=$(TARGETOS) GOARCH=$(TARGETARCH) go build -a -ldflags '-w -X=main.Version=$(BIN_VERSION)' -o bin/manager_$(TARGETOS)_$(TARGETARCH) main.go
+build: generate fmt vet
+	goreleaser build --rm-dist --single-target --snapshot
 
 # Run against the configured Kubernetes cluster in ~/.kube/config
 run: generate fmt vet manifests