forked from TrueCloudLab/certificates
187 lines
6.1 KiB
YAML
187 lines
6.1 KiB
YAML
# This is an example .goreleaser.yml file with some sane defaults.
|
|
# Make sure to check the documentation at http://goreleaser.com
|
|
project_name: step-ca
|
|
|
|
before:
|
|
hooks:
|
|
# You may remove this if you don't use go modules.
|
|
- go mod download
|
|
|
|
builds:
|
|
-
|
|
id: step-ca
|
|
env:
|
|
- CGO_ENABLED=0
|
|
targets:
|
|
- darwin_amd64
|
|
- darwin_arm64
|
|
- freebsd_amd64
|
|
- linux_386
|
|
- linux_amd64
|
|
- linux_arm64
|
|
- linux_arm_5
|
|
- linux_arm_6
|
|
- linux_arm_7
|
|
- windows_amd64
|
|
flags:
|
|
- -trimpath
|
|
main: ./cmd/step-ca/main.go
|
|
binary: step-ca
|
|
ldflags:
|
|
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
|
|
|
archives:
|
|
-
|
|
# Can be used to change the archive formats for specific GOOSs.
|
|
# Most common use case is to archive as zip on Windows.
|
|
# Default is empty.
|
|
name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
|
|
format_overrides:
|
|
- goos: windows
|
|
format: zip
|
|
wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
|
|
files:
|
|
- README.md
|
|
- LICENSE
|
|
allow_different_binary_count: true
|
|
|
|
nfpms:
|
|
# Configure nFPM for .deb and .rpm releases
|
|
#
|
|
# See https://nfpm.goreleaser.com/configuration/
|
|
# and https://goreleaser.com/customization/nfpm/
|
|
#
|
|
# Useful tools for debugging .debs:
|
|
# List file contents: dpkg -c dist/step_...deb
|
|
# Package metadata: dpkg --info dist/step_....deb
|
|
#
|
|
-
|
|
builds:
|
|
- step-ca
|
|
package_name: step-ca
|
|
file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
|
|
vendor: Smallstep Labs
|
|
homepage: https://github.com/smallstep/certificates
|
|
maintainer: Smallstep <techadmin@smallstep.com>
|
|
description: >
|
|
step-ca is an online certificate authority for secure, automated certificate management.
|
|
license: Apache 2.0
|
|
section: utils
|
|
formats:
|
|
- deb
|
|
- rpm
|
|
priority: optional
|
|
bindir: /usr/bin
|
|
contents:
|
|
- src: debian/copyright
|
|
dst: /usr/share/doc/step-ca/copyright
|
|
|
|
source:
|
|
enabled: true
|
|
name_template: '{{ .ProjectName }}_{{ .Version }}'
|
|
|
|
checksum:
|
|
name_template: 'checksums.txt'
|
|
extra_files:
|
|
- glob: ./.releases/*
|
|
|
|
signs:
|
|
- cmd: cosign
|
|
signature: "${artifact}.sig"
|
|
certificate: "${artifact}.pem"
|
|
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
|
|
artifacts: all
|
|
|
|
snapshot:
|
|
name_template: "{{ .Tag }}-next"
|
|
|
|
release:
|
|
# Repo in which the release will be created.
|
|
# Default is extracted from the origin remote URL or empty if its private hosted.
|
|
# Note: it can only be one: either github, gitlab or gitea
|
|
github:
|
|
owner: smallstep
|
|
name: certificates
|
|
|
|
# IDs of the archives to use.
|
|
# Defaults to all.
|
|
#ids:
|
|
# - foo
|
|
# - bar
|
|
|
|
# If set to true, will not auto-publish the release.
|
|
# Default is false.
|
|
draft: false
|
|
|
|
# If set to auto, will mark the release as not ready for production
|
|
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
|
|
# If set to true, will mark the release as not ready for production.
|
|
# Default is false.
|
|
prerelease: auto
|
|
|
|
# You can change the name of the release.
|
|
# Default is `{{.Tag}}`
|
|
name_template: "Step CA {{ .Tag }} ({{ .Env.RELEASE_DATE }})"
|
|
|
|
# Header template for the release body.
|
|
# Defaults to empty.
|
|
header: |
|
|
## Official Release Artifacts
|
|
|
|
#### Linux
|
|
|
|
- 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
|
|
- 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
|
|
|
|
#### OSX Darwin
|
|
|
|
- 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
|
|
- 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)
|
|
|
|
#### Windows
|
|
|
|
- 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.step.sm/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
|
|
|
|
For more builds across platforms and architectures, see the `Assets` section below.
|
|
And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation).
|
|
|
|
Don't see the artifact you need? Open an issue [here](https://github.com/smallstep/certificates/issues/new/choose).
|
|
|
|
## Signatures and Checksums
|
|
|
|
`step-ca` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying release artifacts.
|
|
|
|
Below is an example using `cosign` to verify a release artifact:
|
|
|
|
```
|
|
COSIGN_EXPERIMENTAL=1 cosign verify-blob \
|
|
--certificate ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
|
|
--signature ~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
|
|
~/Downloads/step-ca_darwin_{{ .Version }}_amd64.tar.gz
|
|
```
|
|
|
|
The `checksums.txt` file (in the `Assets` section below) contains a checksum for every artifact in the release.
|
|
|
|
# Footer template for the release body.
|
|
# Defaults to empty.
|
|
footer: |
|
|
## Thanks!
|
|
|
|
Those were the changes on {{ .Tag }}!
|
|
|
|
Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.
|
|
|
|
# You can disable this pipe in order to not upload any artifacts.
|
|
# Defaults to false.
|
|
#disable: true
|
|
|
|
# You can add extra pre-existing files to the release.
|
|
# The filename on the release will be the last part of the path (base). If
|
|
# another file with the same name exists, the latest one found will be used.
|
|
# Defaults to empty.
|
|
extra_files:
|
|
- glob: ./.releases/*
|
|
#extra_files:
|
|
# - glob: ./path/to/file.txt
|
|
# - glob: ./glob/**/to/**/file/**/*
|
|
# - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
|