Elgato_dark/fleet
1
0
Fork 0
mirror of https://github.com/fleetdm/fleet synced 2026-04-21 13:37:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 91
fleet/.github/workflows/goreleaser-orbit.yaml
Victor Lyuboslavsky 25e7d326e8
Update actions/setup-go to v6.3.0 (#42152) 
Updating actions/setup-go to v6.3.0 from a mix of different versions.

This gets us faster CI runs, with improvements such as:
- built in Go module cache AND Go build cache (separate cache no longer
needed)
- using go.mod resulting in fewer cache invalidations
- faster Node 24 runtime
- using go.dev download URL, which is more reliable
2026-03-20 09:56:51 -05:00

274 lines
11 KiB
YAML
Raw Blame History

name: GoReleaser Orbit
on:
push:
tags:
- "orbit-*" # For testing, use a pre-release tag like 'orbit-1.24.0-1'
defaults:
run:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash
permissions:
contents: read
jobs:
goreleaser-macos:
runs-on: macos-latest
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
# supply-chain integrity goals, so we hack around it by replacing the tag.
- name: Replace tag
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Import signing keys
env:
APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
security find-identity -vv
rm certificate.p12
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-macos.yml # v2.4.4
env:
GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
CODESIGN_IDENTITY: 604D877399AAEB7630A78B84F288E2D28A2EDE42
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit-macos_darwin_all/orbit"
- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: orbit-macos
path: dist/orbit-macos_darwin_all/orbit
goreleaser-linux:
runs-on: ubuntu-22.04
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
# supply-chain integrity goals, so we hack around it by replacing the tag.
- name: Replace tag
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
- name: Install musl tools
run: sudo apt update && sudo apt install -y musl-tools
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux.yml # v2.4.4
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit_linux_amd64_v1/orbit"
- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: orbit-linux
path: dist/orbit_linux_amd64_v1/orbit
goreleaser-linux-arm64:
runs-on: ubuntu-22.04
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
# supply-chain integrity goals, so we hack around it by replacing the tag.
- name: Replace tag
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux-arm64.yml # v2.4.4
- name: Attest binary
continue-on-error: true
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
with:
subject-path: "dist/orbit_linux_arm64_v8.0/orbit"
- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: orbit-linux-arm64
path: dist/orbit_linux_arm64_v8.0/orbit
goreleaser-windows:
runs-on: windows-2022
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
# supply-chain integrity goals, so we hack around it by replacing the tag.
- name: Replace tag
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows.yml # v2.4.4
- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: unsigned-windows
path: dist/orbit_windows_amd64_v1/orbit.exe
code-sign-windows:
needs: goreleaser-windows
uses: ./.github/workflows/code-sign-windows.yml
permissions:
contents: read
id-token: write # required for attestations
attestations: write # required for attestations
with:
attest: true
filename: orbit.exe
upload_name: orbit-windows
secrets:
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
goreleaser-windows-arm64:
runs-on: windows-2022
permissions:
contents: write
id-token: write
attestations: write
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
# paid version. We pay for goreleaser, but using the closed source build would weaken our
# supply-chain integrity goals, so we hack around it by replacing the tag.
- name: Replace tag
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: "go.mod"
- name: Run GoReleaser
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows-arm64.yml # v2.4.4
- name: Upload
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
with:
name: unsigned-windows-arm64
path: dist/orbit_windows_arm64_v8.0/orbit.exe
code-sign-windows-arm64:
needs: goreleaser-windows-arm64
uses: ./.github/workflows/code-sign-windows.yml
permissions:
contents: read
id-token: write # required for attestations
attestations: write # required for attestations
with:
attest: true
filename: orbit.exe
upload_name: orbit-windows-arm64
download_name: unsigned-windows-arm64
secrets:
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
Reference in a new issue View git blame Copy permalink