project_name: rekor

# Environment variables exported for the whole goreleaser run.
env:
  - GO111MODULE=on
  # CGO is switched off for every build in this file.
  - CGO_ENABLED=0
  - DOCKER_CLI_EXPERIMENTAL=enabled
  # Lets cosign run unattended by answering its confirmation prompts with
  # "yes"; whoever triggers the release accepts those prompts up front.
  - COSIGN_YES=true

# Hooks that run before the builds. Doing the module work here keeps
# parallel builds from stepping on each other's toes downloading modules.
before:
  hooks:
    - go mod tidy
    # Fail the run if `go mod tidy` left a diff in go.mod or go.sum, so a
    # release is only cut from the dependency set that is committed.
    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
    # When running a release, the container images are generated and signed
    # in this step. The GitHub Actions runner sets the CI env var, so in CI
    # the ko steps are skipped. The step lives here because it generates
    # files that goreleaser is otherwise not aware of and that have to be
    # pushed to the GitHub project release.
    - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release; fi'

# Build from the module as served by the Go module proxy instead of the
# local working tree, which makes the released binaries verifiable.
gomod:
  proxy: true

# Produce an SBOM for each built binary.
sboms:
  - artifacts: binary

builds:
  # Server: Linux only, five architectures.
  - id: rekor-server-linux
    binary: rekor-server-linux-{{ .Arch }}
    # All binaries share one dist directory; the architecture in the binary
    # name is what keeps them apart.
    no_unique_dist_dir: true
    main: ./cmd/rekor-server
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
      - s390x
      - ppc64le
    goarm:
      - 7
    # -trimpath keeps local filesystem paths out of the binary.
    flags:
      - -trimpath
    # Module timestamp taken from the commit instead of the build time.
    mod_timestamp: '{{ .CommitTimestamp }}'
    # Linker flags come from the environment; SERVER_LDFLAGS must be set by
    # whatever invokes goreleaser.
    ldflags:
      - "{{ .Env.SERVER_LDFLAGS }}"

  # CLI: Linux, macOS and Windows.
  - id: rekor-cli
    binary: rekor-cli-{{ .Os }}-{{ .Arch }}
    no_unique_dist_dir: true
    main: ./cmd/rekor-cli
    goos:
      - linux
      - darwin
      - windows
    goarch:
      - amd64
      - arm64
      - arm
      - s390x
      - ppc64le
    goarm:
      - 7
    # Windows is built for amd64 only; every other Windows target is skipped.
    ignore:
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: arm
      - goos: windows
        goarch: s390x
      - goos: windows
        goarch: ppc64le
    flags:
      - -trimpath
    mod_timestamp: '{{ .CommitTimestamp }}'
    # Same pattern as the server build, with CLI_LDFLAGS.
    ldflags:
      - "{{ .Env.CLI_LDFLAGS }}"

signs:
  # Key-based: every binary is signed with a GCP KMS key. The key path,
  # including the exact key version, is assembled from environment variables,
  # so the signing key is determined by the release environment.
  - id: rekor
    signature: "${artifact}.sig"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}.sig"
      - "--key"
      - "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}"
      - "${artifact}"
    artifacts: binary
  # Keyless
  # No --key is passed: cosign writes a signature plus the signing
  # certificate. Anyone verifying these files has to check the certificate's
  # identity and issuer, not only that the signature matches.
  - id: rekor-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: binary
  # Same keyless invocation, applied to the checksums file. Note that the
  # checksums file gets no KMS-key signature; only the binaries do.
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: cosign
    args:
      - "sign-blob"
      - "--output-signature"
      - "${artifact}-keyless.sig"
      - "--output-certificate"
      - "${artifact}-keyless.pem"
      - "${artifact}"
    artifacts: checksum

# Publish the bare binaries (no tar/zip wrapper), named after the binary.
archives:
  - format: binary
    name_template: "{{ .Binary }}"
    # The server and the CLI are built for different sets of targets, so the
    # number of binaries per platform differs.
    allow_different_binary_count: true

# One checksums file for the release; it is the artifact signed by the
# checksum signing step.
checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

# Version label for snapshot builds.
snapshot:
  name_template: SNAPSHOT-{{ .ShortCommit }}

release:
  # NOTE(review): the values I know for this field are auto, true and false;
  # confirm that "allow" has the effect intended here.
  prerelease: allow  # remove this when we start publishing non-prerelease or set to auto
  # The release is created as a draft, so a maintainer reviews and edits it
  # before anything becomes public.
  draft: true  # allow for manual edits
  github:
    owner: sigstore
    name: rekor
  footer: |
    ### Thanks for all contributors!

  # Attach the rekor*.yaml files from the repository root to the release;
  # presumably these are the files generated by the pre-build release hook.
  extra_files:
    - glob: "./rekor*.yaml"