diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 546a924b..418ab5d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,13 @@ jobs: with: go-version-file: 'go.mod' + - name: Import GPG key + id: import_gpg + uses: crazy-max/ghaction-import-gpg@v6 + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_FILE }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: @@ -37,3 +44,14 @@ jobs: AWS_ACCESS_KEY_ID: ${{ secrets.ORG_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.ORG_AWS_SECRET_ACCESS_KEY }} AWS_REGION: us-east-1 + # macOS code signing and notarization + MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} + MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} + MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} + MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} + MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} + # GPG signing for Linux packages and checksums + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_PRIVATE_KEY_FILE: ${{ secrets.GPG_PRIVATE_KEY_FILE }} + NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index a81e90bf..29ede21c 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
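Review bot: The value fed to `gpg_private_key` has to be the armored key text (that is what the import action consumes), yet the very same `secrets.GPG_PRIVATE_KEY_FILE` is later handed to nfpm as `key_file`, which takes a filesystem path, so one of the two consumers is guaranteed to get the wrong thing. Materialise the key once after the import step, under `$RUNNER_TEMP` with a restrictive umask, and publish the path via `$GITHUB_ENV`; the `GPG_PRIVATE_KEY_FILE:` entry in the GoReleaser step's own `env:` would then have to go, because a step-level `env` shadows what `$GITHUB_ENV` set. The `_FILE` suffix on a secret that holds key material is misleading and worth renaming, though that is cosmetic. Since this step receives the signing key, pinning `crazy-max/ghaction-import-gpg` to a commit SHA rather than the mutable `v6` tag would also be prudent.

```yaml
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY_FILE }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      # nfpm's key_file wants a path on disk, not the armored key text
      - name: Write GPG key to a file for nfpm
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY_FILE }}
        run: |
          umask 077
          printf '%s\n' "$GPG_PRIVATE_KEY" > "$RUNNER_TEMP/gpg-signing-key.asc"
          echo "GPG_PRIVATE_KEY_FILE=$RUNNER_TEMP/gpg-signing-key.asc" >> "$GITHUB_ENV"

      # … unchanged: Run GoReleaser step …
```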
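Review bot: The new `env:` entries pass the passphrase and, through `GPG_PRIVATE_KEY_FILE`, what is presumably the private key itself into the GoReleaser process, and every child it spawns (the Go build, any hooks, nfpm, gpg, the S3 and Homebrew publishers) inherits that environment. After `import_gpg` the key already lives in the keyring, so the only remaining consumer outside gpg is nfpm's `key_file`, which takes a path; setting `GPG_PRIVATE_KEY_FILE: ${{ runner.temp }}/gpg-signing-key.asc` (written by an earlier step) instead of the raw secret keeps the key material out of the environment entirely. `GPG_PASSPHRASE` and `NFPM_PASSPHRASE` carry the same secret twice, which is fine as long as a comment says why, e.g. `# nfpm reads NFPM_PASSPHRASE; the signs step reads GPG_PASSPHRASE`. The `env:` block and the job it belongs to start outside this hunk.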
@@ -51,6 +51,34 @@ archives: - LICENSE - NOTICE +# GPG signing for checksums and archives (optional - only if env vars are set) +signs: + - cmd: gpg + args: + - --batch + - --local-user + - "{{ .Env.GPG_FINGERPRINT }}" + - --output + - "${signature}" + - --detach-sign + - "${artifact}" + artifacts: checksum + stdin: "{{ .Env.GPG_PASSPHRASE }}" + +# macOS code signing and notarization (optional - only if env vars are set) +notarize: + macos: + - enabled: true + ids: + - tiger-cli + sign: + certificate: "{{.Env.MACOS_SIGN_P12}}" + password: "{{.Env.MACOS_SIGN_PASSWORD}}" + notarize: + issuer_id: "{{.Env.MACOS_NOTARY_ISSUER_ID}}" + key_id: "{{.Env.MACOS_NOTARY_KEY_ID}}" + key: "{{.Env.MACOS_NOTARY_KEY}}" + # Linux package configuration (APT, RPM, etc.) nfpms: - id: packages @@ -71,9 +99,16 @@ nfpms: file_name_template: "{{ .ConventionalFileName }}" rpm: group: Unspecified + signature: + key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}' deb: + signature: + key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}' lintian_overrides: - statically-linked-binary + apk: + signature: + key_file: '{{ .Env.GPG_PRIVATE_KEY_FILE }}' # S3 Blob Storage Configuration @@ -117,14 +152,6 @@ homebrew_casks: skip_upload: auto url: template: "https://tiger-cli-releases.s3.us-east-1.amazonaws.com/releases/{{ .Tag }}/{{ .ArtifactName }}" - hooks: - # TODO: Sign and notarize instead of removing quarantine bit - # See: https://goreleaser.com/customization/homebrew_casks/#signing-and-notarizing - post: - install: | - if OS.mac? - system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/tiger"] - end # Optional: Add caveats for user instructions caveats: | Tiger CLI has been installed successfully!
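Review bot: The `signs` entry feeds the passphrase on `stdin`, but the gpg args carry no `--pinentry-mode loopback --passphrase-fd 0`, so in `--batch` mode gpg never reads it; signing then only succeeds if the import step happened to preset the passphrase in gpg-agent, and otherwise fails non-interactively. Either add `--pinentry-mode loopback --passphrase-fd 0` to `args` (one list item each) or drop the `stdin:` line so the config does not advertise a mechanism that is not in use. The two header comments claim signing and notarization are "optional - only if env vars are set", yet `enabled: true` and the unconditional `{{ .Env.* }}` lookups make a run without those variables fail rather than skip; either reword them, e.g. `# GPG signing of the checksums file; GPG_FINGERPRINT and GPG_PASSPHRASE must be set`, or gate `enabled:` on the variables actually being present.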
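Review bot: The `apk.signature.key_file` template reuses the GPG key, but as far as I recall nfpm signs apk packages with an RSA private key in PEM form (paired with `key_name`), not a GPG key, so if `apk` is among this entry's `formats` (the list is outside the hunk) the first release will fail at signing. Either point it at a separate RSA key secret with `key_name` set, or remove the `apk:` block until apk is actually shipped. For `rpm` and `deb`, `key_file` is a path, so `GPG_PRIVATE_KEY_FILE` must resolve to a file on the runner rather than to the key text; both signature blocks also accept a `key_id`, and `key_id: '{{ .Env.GPG_FINGERPRINT }}'` pins which key is used should the file ever hold more than one. The enclosing `nfpms` entry starts before this hunk.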