act3-ai · justenstall · May 16, 2024 · May 16, 2024 · May 16, 2024 · May 16, 2024
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,20 +1,14 @@
 version: 2
 updates:
-  # Maintain dependencies for GitHub Actions
-  - package-ecosystem: "github-actions"
-    # Workflow files stored in the default location of `.github/workflows`. (You don't need to specify `/.github/workflows` for `directory`. You can use `directory: "/"`.)
-    directory: "/"
+  - package-ecosystem: github-actions
+    directory: /
     schedule:
-      interval: "weekly"
-
-  # Maintain dependencies for Go
-  - package-ecosystem: "gomod"
-    directory: "/"
+      interval: daily
+  - package-ecosystem: gomod
+    directory: /
     schedule:
-      interval: "weekly"
-
-  # Maintain dependencies for Docker
-  - package-ecosystem: "docker"
-    directory: "/"
+      interval: daily
+  - package-ecosystem: docker
+    directory: /
     schedule:
-      interval: "weekly"
+      interval: daily
diff --git a/.github/workflows/build-fips.yml b/.github/workflows/build-fips.yml
@@ -0,0 +1,37 @@
+name: Build FIPS
+
+on:
+  push:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+
+jobs:
+  go-build-fips:
+    name: Go build FIPS
+    runs-on: ubuntu-latest
+    env:
+      BUILD_ID: hops-fips
+      EXECUTABLE: hops
+      VERSION: ${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', github.workflow, github.sha) }}-fips
+      CGO_ENABLED: 1
+      GOEXPERIMENT: boringcrypto
+    strategy:
+      matrix:
+        GOOS:
+          - linux
+          # - windows
+          # - darwin
+        GOARCH:
+          - amd64
+          # - arm64
+      fail-fast: true
+    steps:
+      - uses: ./.github/workflows/build.yml
diff --git a/.github/workflows/build-ko.yml b/.github/workflows/build-ko.yml
@@ -0,0 +1,42 @@
+name: Build ko image
+
+on:
+  release:
+    types:
+      - "created"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  ko-build:
+    name: Build ko image
+    runs-on: ubuntu-latest
+    env:
+      KO_DOCKER_REPO: ghcr.io/act3-ai/hops/distroless
+    steps:
+      - uses: actions/setup-go@v4
+        with:
+          go-version: 1.22
+      - uses: actions/checkout@v3
+      - uses: ko-build/setup-ko@v0.6
+      - run: ko build
+
+  ko-publish-release-yaml:
+    name: Publish Release YAML
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.20"
+      - uses: actions/checkout@v3
+      - uses: ko-build/setup-ko@v0.6
+
+      - name: Generate and upload release.yaml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          tag=$(echo ${{ github.ref }} | cut -c11-)  # get tag name without tags/refs/ prefix.
+          ko resolve -t ${tag} -f config/ > release.yaml
+          gh release upload ${tag} release.yaml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,26 +1,31 @@
-# This workflow will build a golang project
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
 name: Build
 
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["main"]
+  workflow_call:
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-env:
-  CGO_ENABLED: 0
-  EXECUTABLE: hops
-  VERSION: ${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', github.workflow, github.run_number) }}
-
 jobs:
   go-build:
     name: Go build
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+    env:
+      BUILD_ID: hops
+      EXECUTABLE: hops
+      VERSION: ${{ github.ref_type == 'tag' && github.ref_name || format('{0}-{1}', github.workflow, github.sha) }}
+      CGO_ENABLED: 0
+    outputs:
+      artifact-id: ${{ steps.upload.outputs.artifact-id }}
     strategy:
       matrix:
         GOOS:
@@ -42,52 +47,37 @@ jobs:
 
       # Go build
       - name: Build ${{env.EXECUTABLE}}
+        id: build
+        env:
+          EXECUTABLE_PATH: bin/${{env.EXECUTABLE}}
         run: |
           go build \
             -trimpath -ldflags="-s -w -X 'main.version=${{env.VERSION}}'" \
-            -o artifacts/${{env.EXECUTABLE}}/${{matrix.GOOS}}/${{matrix.GOARCH}}/bin/${{env.EXECUTABLE}} \
+            -o ${{env.EXECUTABLE_PATH}} \
             ./cmd/${{env.EXECUTABLE}}
+          echo "executable-path=${{env.EXECUTABLE_PATH}}" >> $GITHUB_OUTPUT
 
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
+      - uses: actions/attest-build-provenance@v1
+        id: attest
         with:
-          name: ${{env.EXECUTABLE}}--${{matrix.GOOS}}--${{matrix.GOARCH}}
-          path: artifacts/${{env.EXECUTABLE}}/${{matrix.GOOS}}/${{matrix.GOARCH}}/bin/${{env.EXECUTABLE}}
+          subject-path: ${{steps.build.outputs.executable-path}}
 
-  go-build-fips:
-    name: Go build FIPS
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        GOOS:
-          - linux
-          # - windows
-          # - darwin
-        GOARCH:
-          - amd64
-          # - arm64
-      fail-fast: true
-    steps:
-      - uses: actions/checkout@v4
-        name: Check out repo
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.22"
-
-      # Go Boring FIPS 140-2 build
-      # See https://kupczynski.info/posts/fips-golang/ for more information
-      - name: Build ${{env.EXECUTABLE}} FIPS
+      - name: Create archive
+        id: archive
+        env:
+          ARCHIVE_DIR: ${{env.BUILD_ID}}/${{env.VERSION}}
+          ARCHIVE_PATH: ${{env.BUILD_ID}}--${{matrix.GOOS}}--${{matrix.GOARCH}}.tar
         run: |
-          env CGO_ENABLED=1 GOEXPERIMENT=boringcrypto \
-          go build \
-            -trimpath -ldflags="-s -w -X 'main.version=${{env.VERSION}}-fips'" \
-            -o artifacts/${{env.EXECUTABLE}}-fips/${{matrix.GOOS}}/${{matrix.GOARCH}}/bin/${{env.EXECUTABLE}} \
-            ./cmd/${{env.EXECUTABLE}}
+          mkdir -p ${{env.ARCHIVE_DIR}}/bin/
+          mv ${{ steps.build.outputs.executable-path }} ${{env.ARCHIVE_DIR}}/bin/
+          mv ${{ steps.attest.outputs.bundle-path }} ${{env.ARCHIVE_DIR}}/
+          tar -czvf ${{env.ARCHIVE_PATH}} ${{env.ARCHIVE_DIR}}/
+          echo "archive-path=${{env.ARCHIVE_PATH}}" >> $GITHUB_OUTPUT
 
-      - name: Upload FIPS build artifact
+      - name: Upload build artifact
+        id: upload
         uses: actions/upload-artifact@v4
         with:
-          name: ${{env.EXECUTABLE}}-fips--${{matrix.GOOS}}--${{matrix.GOARCH}}
-          path: artifacts/${{env.EXECUTABLE}}-fips/${{matrix.GOOS}}/${{matrix.GOARCH}}/bin/${{env.EXECUTABLE}}
+          name: ${{env.BUILD_ID}}--${{matrix.GOOS}}--${{matrix.GOARCH}}
+          path: |
+            ${{steps.archive.outputs.archive-path}}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,33 @@
+# .github/workflows/release.yml
+name: goreleaser
+
+on:
+  push:
+    # run only against tags
+    tags:
+      - "*"
+
+permissions:
+  contents: write # upload archives to GitHub release
+  packages: write # push images and packages to ghcr.io
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Set up ko
+        uses: ko-build/setup-ko@v0.6
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -25,4 +25,5 @@ cask.json
 internal/apis/formulae.brew.sh/v3/homebrew-1.pem
 
 /codereport*
-*.pdf
+*.pdf
+dist/
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,99 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 1
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - id: hops
+    main: ./cmd/hops
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+    ldflags:
+      - "-s -w -X main.version={{.Version}}"
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+  - id: hops-fips
+    main: ./cmd/hops
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+    flags:
+      - -trimpath
+    ldflags:
+      - "-s -w -X main.version={{.Version}}+FIPS"
+    goos:
+      - linux
+    goarch:
+      - amd64
+
+archives:
+  - format: tar.gz
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+kos:
+  - id: hops
+    build: hops
+    base_image: cgr.dev/chainguard/static
+    labels:
+      commit-ref: "$CI_COMMIT_REF_NAME"
+      commit-sha: "$CI_COMMIT_SHA"
+      pipeline-url: "$CI_PIPELINE_URL"
+      org.opencontainers.image.title: "hops"
+    repository: ghcr.io/act3-ai/hops/distroless
+    platforms:
+      - all
+    tags:
+      - "{{if not .Prerelease}}latest{{end}}"
+      - "{{if not .Prerelease}}stable{{end}}"
+      - "{{.Tag}}"
+    creation_time: "{{.CommitTimestamp}}"
+    ko_data_creation_time: "{{.CommitTimestamp}}"
+    sbom: spdx
+    base_import_paths: true
+
+report_sizes: true
+
+release:
+  prerelease: auto
+  extra_files:
+    - glob: ./path/to/file.txt
+    - glob: ./glob/**/to/**/file/**/*
+    - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
+    - glob: ./single_file.txt
+      name_template: file.txt # note that this only works if glob matches 1 file only
+  include_meta: true
+
+changelog:
+  use: github-native
diff --git a/.releaserc b/.releaserc
@@ -1,3 +1,4 @@
+# yaml-language-server: $schema=https://json.schemastore.org/semantic-release.json
 branches:
   - master
   - main

diff --git a/docs/cli/index.md b/docs/cli/index.md
@@ -17,7 +17,7 @@ Homebrew OCI Package Sipper
 
 Hops is an experimental client for installing Homebrew bottles.
 
-> [CAUTION]: Hops is not recommended for full use yet. Package management is a complex task 
+> [CAUTION]: Hops is a experimental software. Package management is a complex task 
 >            and there are serious risks with modifying your packages.
 
 ## Options
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,4 +25,5 @@ cask.json @@
     internal/apis/formulae.brew.sh/v3/homebrew-1.pem
     /codereport*
-    *.pdf
+    *.pdf
+    dist/