Skip to content

⭐️ inventory template support (#1285) #234

⭐️ inventory template support (#1285)

⭐️ inventory template support (#1285) #234

Workflow file for this run

name: goreleaser
on:
push:
tags:
- "*"
workflow_dispatch:
inputs:
skip-publish:
description: "Skip publishing to releases.mondoo.com?"
type: boolean
required: false
default: false
env:
REGISTRY: docker.io
jobs:
goreleaser:
permissions:
# Add "contents" to write release
contents: "write"
# Add "id-token" for google-github-actions/auth
id-token: "write"
runs-on: self-hosted
timeout-minutes: 120
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Import environment variables from file
run: cat ".github/env" >> $GITHUB_ENV
- name: Skip Publish for Alpha and Beta Tags
id: skip-publish
if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') || inputs.skip-publish == 'true'
run: |
echo "Skipping publish for alpha and beta tags"
echo "skip-publish=true" >> $GITHUB_OUTPUT
echo "skip-publish=true" >> $GITHUB_ENV
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: ">=${{ env.golang-version }}"
cache: false
- name: "Authenticate to Google Cloud"
uses: "google-github-actions/auth@v2"
with:
workload_identity_provider: ${{ secrets.GCP_WIP }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- id: "gcp_secrets"
uses: "google-github-actions/get-secretmanager-secrets@v2"
with:
secrets: |-
code_sign_cert_b64:mondoo-base-infra/mondoo_code_sign_certificate_pfx_b64
code_sign_cert_challenge:mondoo-base-infra/mondoo_code_sign_challenge
- name: "Write RPM Signing Cert"
run: |
gpgkey="$(mktemp -t gpgkey.XXX)"
base64 -d <<<"$GPG_KEY" > "$gpgkey"
echo "GPG_KEY_PATH=$gpgkey" >> $GITHUB_ENV
env:
GPG_KEY: "${{ secrets.GPG_KEY}}"
- name: Configure DigiCert Signing Variables
shell: bash
run: |
# CertLocker Authentication Certifiate
CERT_PATH="$(mktemp -t cert.XXX)"
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > ${CERT_PATH}
echo "SM_CLIENT_CERT_FILE=${CERT_PATH}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
# CertLocker API Key & Host
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
# DigiCert CertLocker Code Signing Certificate
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
echo "SM_CERT_ALIAS=${{ secrets.SM_CERT_ALIAS }}" >> "$GITHUB_ENV"
- name: Install Quill for Mac Signing and Notarization
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /tmp
/tmp/quill help
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Run GoReleaser
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: latest
args: release --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
QUILL_SIGN_PASSWORD: ""
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Run GoReleaser unstable
if: ${{ steps.skip-publish.outputs.skip-publish == 'true' }}
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser
version: latest
args: release -f .github/.goreleaser-unstable.yml --clean --timeout 120m
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
QUILL_SIGN_PASSWORD: ""
QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
- name: Check RPMs
run: |
rpm -qpi dist/*.rpm
- name: Cleanup Signing Cert
if: always()
run: rm -f ${CERT_PATH}
- name: Publish Release to releases.mondoo.com
if: ${{ ! steps.skip-publish.outputs.skip-publish }}
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
repository: "mondoohq/releasr"
event-type: publish-release
client-payload: '{
"repository": "${{ github.event.repository.name }}",
"version": "${{ github.ref_name }}"
}'
mondoo-operator-cnspec:
name: Trigger Mondoo Operator cnspec image release
runs-on: ubuntu-latest
needs: goreleaser
steps:
- name: Repository Dispatch
uses: peter-evans/repository-dispatch@v3
with:
token: ${{ secrets.REPO_DISPATCH_TOKEN }}
repository: mondoohq/mondoo-operator
event-type: update
client-payload: '{"version": "${{ github.ref_name }}"}'
release-installer:
name: Trigger installer release
runs-on: ubuntu-latest
if: ${{ ! inputs.skip-publish }}
needs: goreleaser
steps:
- name: Run installer release workfow
env:
GH_TOKEN: ${{ secrets.REPO_API_TOKEN }}
run: gh workflow run release.yml --repo "mondoohq/installer" --field version=${{ github.ref_name }}