feat: goreleaser release

Open developer-guy opened this issue 2 years ago • 5 comments

Signed-off-by: Batuhan Apaydın [email protected]
Co-authored-by: Furkan Türkal [email protected]

Fixes #100

cc: @willnorris

https://github.com/developer-guy/addlicense/releases/tag/v0.999.0

developer-guy • Dec 04 '21 21:12

Given GitHub's blog post yesterday, I tried using the purely Actions-based cosign workflow on a personal project of mine, and it worked really well. I wonder if we just do that here as well? Any major downside that I'm not seeing?

willnorris • Dec 08 '21 23:12

> Given GitHub's blog post yesterday, I tried using the purely Actions-based cosign workflow on a personal project of mine, and it worked really well. I wonder if we just do that here as well? Any major downside that I'm not seeing?

No, there is no major downside at all. You're right. We can do it that way as well. Still, GoReleaser already supports that, but it should wait for cosign v1.4.x for the keyless feature. That's why I commented out the signs and docker_signs sections within the .goreleaser.yml file. Anyway, we can also do it without using GoReleaser if you want to move forward like this.

developer-guy • Dec 09 '21 07:12

Kindly ping @willnorris: cosign v1.4.1, with a bunch of fixes, was released today, so everything seems fine in the cosign project, which means that we can start using it to sign both the addlicense binary and container image 🤩 Similar work is being done in several projects such as google/ko and goreleaser.

  • https://github.com/google/ko/pull/498
  • https://github.com/goreleaser/goreleaser/pull/2716

developer-guy • Dec 10 '21 18:12

ugh, I really hate how GitHub shows comments sometimes. I actually missed your reply here. sigh

So yeah, I think we should add signing support without goreleaser (at least for the docker images). But seriously, thanks for your patience with me on this PR. It's honestly been a lot of fun to learn about these things.

willnorris • Dec 10 '21 21:12

Hello @willnorris, GoReleaser v1.2.2 was released yesterday, and GoReleaser is now capable of signing releases with a keyless approach using the GitHub Actions OIDC flow. Another notable feature added with v1.2.2 is SBOM support: GoReleaser can now generate SBOMs for container images by using the Syft tool under the hood. Please see it all in action on a sample repository:

👉 https://github.com/goreleaser/supply-chain-example

developer-guy • Dec 23 '21 07:12