feat: apple signing and notary using quill (ekristen#64)

* chore: quill, sign darwin binaries

* feat: support apple binary signing, a few minor chores

Author: ekristen

.github/workflows/release.yml renamed to .github/workflows/goreleaser.yml

@@ -3,6 +3,9 @@ name: goreleaser
 on:
   workflow_dispatch:
   push:
+    branches:
+      - main
+      - next
     tags:
       - "*"
   release:
@@ -12,6 +15,7 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write
 
 jobs:
   release:
@@ -43,14 +47,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: install cosign
-        uses: sigstore/cosign-installer@main
-        with:
-          cosign-release: "v2.0.1"
-      - name: setup cosign
-        run: |
-          echo "${COSIGN_KEY}" > "$GITHUB_WORKSPACE/cosign.key"
+        uses: sigstore/cosign-installer@v3
+      - name: install quill
         env:
-          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+          QUILL_VERSION: 0.4.1
+        run: |
+          curl -Lo /tmp/quill_${QUILL_VERSION}_linux_amd64.tar.gz https://github.com/anchore/quill/releases/download/v${QUILL_VERSION}/quill_${QUILL_VERSION}_linux_amd64.tar.gz
+          tar -xvf /tmp/quill_${QUILL_VERSION}_linux_amd64.tar.gz -C /tmp
+          mv /tmp/quill /usr/local/bin/quill
+          chmod +x /usr/local/bin/quill
       - name: set goreleaser default args
         if: startsWith(github.ref, 'refs/tags/') == true
         run: |
@@ -63,6 +68,18 @@ jobs:
         if: startsWith(github.ref, 'refs/heads/renovate') == true
         run: |
           echo "GORELEASER_ARGS=--snapshot --skip-publish" >> $GITHUB_ENV
+      - name: setup quill
+        uses: 1password/load-secrets-action@v1
+        if: startsWith(github.ref, 'refs/tags/') == true && github.actor == github.repository_owner
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          QUILL_NOTARY_KEY: ${{ secrets.OP_QUILL_NOTARY_KEY }}
+          QUILL_NOTARY_KEY_ID: ${{ secrets.OP_QUILL_NOTARY_KEY_ID }}
+          QUILL_NOTARY_ISSUER: ${{ secrets.OP_QUILL_NOTARY_ISSUER }}
+          QUILL_SIGN_PASSWORD: ${{ secrets.OP_QUILL_SIGN_PASSWORD }}
+          QUILL_SIGN_P12: ${{ secrets.OP_QUILL_SIGN_P12 }}
       - name: run goreleaser
         uses: goreleaser/goreleaser-action@v5
         with:
@@ -71,11 +88,10 @@ jobs:
           args: release --clean ${{ env.GORELEASER_ARGS }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       - name: push docker images (for branches)
         if: github.ref == 'refs/heads/main' || github.event.pull_request.base.ref == 'main'
         run: |
-          docker images --format "{{.Repository}}:{{.Tag}}" | grep "ekristen/aws-nuke" | xargs -L1 docker push
+          docker images --format "{{.Repository}}:{{.Tag}}" | grep "${{ github.repository }}" | xargs -L1 docker push
       - name: upload artifacts
         if: github.event.pull_request.base.ref == 'main'
         uses: actions/upload-artifact@v4

.github/workflows/semantic-lint.yml

@@ -1,9 +1,6 @@
 name: semantic-lint
 
 on:
-  pull_request:
-    branches:
-      - main
   pull_request_target:
     types:
       - opened

.gitignore

@@ -5,3 +5,5 @@ cosign.key
 /config*.yaml
 /*-config.yaml
 /config.*.yaml
+*.p12
+*.p8

.goreleaser.yml

@@ -3,16 +3,14 @@ release:
   github:
     owner: ekristen
     name: aws-nuke
-  extra_files:
-    - glob: ./cosign.pub
 builds:
   - id: default
     env:
       - CGO_ENABLED=0
     goos:
-      - darwin
       - linux
       - windows
+      - darwin
     goarch:
       - amd64
       - arm64
@@ -29,9 +27,11 @@ builds:
     ldflags:
       - -s
       - -w
-      - -X '{{ .ModulePath }}/cmd.BuildVersion={{ .Version }}'
-      - -X '{{ .ModulePath }}/cmd.BuildDate={{ .Date }}'
-      - -X '{{ .ModulePath }}/cmd.BuildHash={{ .Commit }}'
+      - -extldflags="-static"
+      - -X '{{ .ModulePath }}/pkg/common.SUMMARY=v{{ .Version }}'
+      - -X '{{ .ModulePath }}/pkg/common.BRANCH={{ .Branch }}'
+      - -X '{{ .ModulePath }}/pkg/common.VERSION={{ .Tag }}'
+      - -X '{{ .ModulePath }}/pkg/common.COMMIT={{ .Commit }}'
 archives:
   - id: default
     builds:
@@ -63,14 +63,14 @@ dockers:
     image_templates:
       - ghcr.io/ekristen/aws-nuke:v{{ .Version }}-arm64
     build_flag_templates:
+      - "--platform=linux/arm64"
       - "--target=goreleaser"
       - "--pull"
       - "--label=org.opencontainers.image.created={{.Date}}"
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source=https://github.com/ekristen/aws-nuke"
-      - "--platform=linux/arm64"
+      - '--label=org.opencontainers.image.source={{replace (replace (replace .GitURL "git@" "https://") ".git" "") "github.com:" "github.com/"}}'
   - use: buildx
     goos: linux
     goarch: arm
@@ -79,14 +79,14 @@ dockers:
     image_templates:
       - ghcr.io/ekristen/aws-nuke:v{{ .Version }}-arm32v7
     build_flag_templates:
+      - "--platform=linux/arm/v7"
       - "--target=goreleaser"
       - "--pull"
       - "--label=org.opencontainers.image.created={{.Date}}"
       - "--label=org.opencontainers.image.title={{.ProjectName}}"
       - "--label=org.opencontainers.image.revision={{.FullCommit}}"
       - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source=https://github.com/ekristen/aws-nuke"
-      - "--platform=linux/arm/v7"
+      - '--label=org.opencontainers.image.source={{replace (replace (replace .GitURL "git@" "https://") ".git" "") "github.com:" "github.com/"}}'
 docker_manifests:
   - use: docker
     name_template: ghcr.io/ekristen/aws-nuke:v{{ .Version }}
@@ -95,14 +95,19 @@ docker_manifests:
       - ghcr.io/ekristen/aws-nuke:v{{ .Version }}-arm64
       - ghcr.io/ekristen/aws-nuke:v{{ .Version }}-arm32v7
 signs:
-  - cmd: cosign
-    stdin: "{{ .Env.COSIGN_PASSWORD }}"
-    args:
-      ["sign-blob", "--yes", "--key=cosign.key", "--output=${signature}", "${artifact}"]
+  - ids:
+      - default
+    cmd: cosign
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    args: ["sign-blob", "--yes", "--oidc-provider=github", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
     artifacts: all
 docker_signs:
-  - artifacts: all
-    stdin: "{{ .Env.COSIGN_PASSWORD }}"
+  - ids:
+      - default
+    artifacts: all
+    cmd: cosign
+    args: ["sign", "--yes", "--oidc-provider=github", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}"]
 checksum:
   name_template: "checksums.txt"
 snapshot: