chore(ci): macos notarization.

Zenithar · Zenithar · commit 881584669baf · 2022-02-24T18:05:03.000+01:00
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -52,8 +52,8 @@ jobs:
           git --no-pager diff --quiet go.mod go.sum
 
   # Try compiple all binaries first
-  goreleaser-dryrun:
-    name: "GoReleaser (dry-run)"
+  compile-dryrun:
+    name: "Compile"
     runs-on: ubuntu-latest
     needs: [golangci-lint, go-mod]
     steps:
@@ -82,13 +82,9 @@ jobs:
         name: Fetch dependencies
         run: go mod download
       -
-        name: Run GoReleaser (Dry Run)
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          version: latest
-          args: release --rm-dist --snapshot --skip-publish
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        name: Build Harp
+        run: |
+          go mod vendor && go build -mod=vendor -o bin/harp github.com/elastic/harp/cmd/harp
 
   # Run golangci-lint
   golangci-lint:
@@ -116,7 +112,7 @@ jobs:
 
   tests-on-linux:
     name: "Tests (linux)"
-    needs: [go-mod, goreleaser-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
+    needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
     runs-on: ubuntu-latest
     steps:
       -
@@ -154,7 +150,7 @@ jobs:
 
   tests-on-windows:
     name: "Tests (windows)"
-    needs: [go-mod, goreleaser-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
+    needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
     runs-on: windows-latest
     steps:
       -
@@ -192,7 +188,7 @@ jobs:
 
   tests-on-macos:
     name: "Tests (darwin)"
-    needs: [go-mod, goreleaser-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
+    needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
     runs-on: macos-latest
     steps:
       -
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
@@ -12,12 +12,11 @@ permissions:
   actions: write
 
 jobs:
-  linux-build:
-    runs-on: ubuntu-latest
+  release:
+    runs-on: macos-latest
     permissions:
-      packages: write
-      contents: read
-
+      packages: read
+      contents: write
     steps:
       -
         name: Cancel previous workflows
@@ -36,9 +35,6 @@ jobs:
         with:
           go-version: '1.17'
           check-latest: true
-      -
-        name: Set up Cosign
-        uses: sigstore/cosign-installer@v2.0.1
       -
         name: Cache Go modules
         uses: actions/cache@v1
@@ -47,6 +43,24 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
+      -
+        name: Download cyclonedx-gomod
+        uses: CycloneDX/gh-gomod-generate-sbom@v1
+        with:
+          version: v1.2.0
+      -
+        uses: sigstore/cosign-installer@v2
+      -
+        name: Import Code-Signing Certificates
+        uses: Apple-Actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
+          p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+      -
+        name: Install gon via HomeBrew for code signing and app notarization
+        run: |
+          brew tap mitchellh/gon
+          brew install mitchellh/gon/gon
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
@@ -55,3 +69,93 @@ jobs:
           args: release --rm-dist --skip-publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Prepare Github release packages
+        run: |
+          mkdir .dist
+          cp "./dist/harp-*" .dist/
+      -
+        name: Sign and notarize AMD64 cli
+        run: |
+          echo '{
+            "source": ["./dist/harp-darwin-amd64"]
+            "bundle_id":"co.elastic.harp",
+            "apple_id": {},
+            "sign": { "application_identity": "9470D0A7B70090A8EF31C3B33AB3868B38B27A3D" },
+            "zip": {
+              "output_path": "./.dist/harp-darwin-amd64.zip"
+            }
+          }' | jq '' > gon.json
+          gon -log-level=debug -log-json ./gon.json
+          rm -f .dist/harp-darwin-amd64
+      - name: Sign and notarize ARM64 cli
+        run: |
+          echo '{
+            "source": ["./dist/harp-darwin-arm64"]
+            "bundle_id":"co.elastic.harp",
+            "apple_id": {},
+            "sign": { "application_identity": "9470D0A7B70090A8EF31C3B33AB3868B38B27A3D" },
+            "zip": {
+              "output_path": "./.dist/harp-darwin-arm64.zip"
+            }
+          }' | jq '' > gon.json
+          gon -log-level=debug -log-json ./gon.json
+          rm -f .dist/harp-darwin-arm64
+      -
+        name: Generate provenance for Release
+        uses: philips-labs/slsa-provenance-action@v0.7.2
+        with:
+          command: generate
+          subcommand: files
+          arguments: --artifact-path .dist --output-path '.dist/provenance.json'
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      -
+        name: Sign
+        shell: bash
+        run: |
+          #!/bin/bash
+          shopt -s expand_aliases
+          cd .dist
+          FILES="*"
+          for f in $FILES;
+          do
+            case $f in
+            *.sbom.json)
+                continue
+                ;;
+            provenance.json)
+                cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
+                ;;
+            harp-*)
+                sha256sum "$f" | cut -d " " -f 1 > "$f.sha256"
+                cosign sign-blob --key <(echo -n "${COSIGN_KEY}") "$f" > "$f.sig"
+                ;;
+            esac
+          done
+        env:
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      -
+        name: Verify
+        shell: bash
+        run: |
+          #!/bin/bash
+          shopt -s expand_aliases
+          curl -sLO https://raw.githubusercontent.com/elastic/harp/cmd/harp/v${{ github.event.inputs.release }}/build/artifact/cosign.pub
+          cd .dist
+          FILES="*"
+          for f in $FILES;
+          do
+            if [[ -f "$f.sig" ]];
+            then
+              cosign verify-blob --key ../cosign.pub --signature "$f.sig" $f
+            fi
+          done
+      -
+        name: Upload to release
+        uses: AButler/upload-release-assets@v2.0
+        with:
+          files: '.dist/*'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          release-tag: v${{ github.event.inputs.release }}
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -5,8 +5,12 @@ before:
     - go mod tidy
     - go mod vendor
 
+gomod:
+  proxy: true
+
 builds:
-  - main: './cmd/harp'
+  - id: harp
+    main: './cmd/harp'
     env:
       - CGO_ENABLED=0
     mod_timestamp: '{{ .CommitTimestamp }}'
@@ -31,13 +35,24 @@ builds:
       - windows_amd64
       - windows_arm
       - windows_arm64
-    binary: '{{ .ProjectName }}'
+    binary: 'harp-{{replace .Target "_" "-"}}'
+    hooks:
+      post:
+        - cmd: cyclonedx-gomod app -main ./cmd/harp -licenses -packages -json -output "dist/harp-{{replace .Target "_" "-"}}.sbom.json"
+          env:
+            - GOARCH={{ .Arch }}
+            - GOOS={{ .Os }}
+    no_unique_dist_dir: true
 
 archives:
   - format: binary
+    name_template: '{{ .Binary }}'
+
+snapshot:
+  name_template: "{{.Tag}}-next"
 
 checksum:
-  disable: true
+  name_template: 'checksums.txt'
 
 release:
   disable: true
diff --git a/build/artifact/gon.hcl b/build/artifact/gon.hcl
