mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 21:47:20 +00:00
18256bdf0e
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Upgraded security protections across build and deployment workflows
for enhanced runner environment hardening.
* Strengthened CI/CD infrastructure security measures throughout
automated processes.
* No direct user-facing changes.
<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
274 lines
11 KiB
YAML
274 lines
11 KiB
YAML
name: GoReleaser Orbit
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "orbit-*" # For testing, use a pre-release tag like 'orbit-1.24.0-1'
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
goreleaser-macos:
|
|
runs-on: macos-latest
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Import signing keys
|
|
env:
|
|
APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
|
|
APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
|
|
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
|
run: |
|
|
echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
|
|
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
|
|
security find-identity -vv
|
|
rm certificate.p12
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-macos.yml # v2.4.4
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
|
|
AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
|
|
AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
|
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit-macos_darwin_all/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-macos
|
|
path: dist/orbit-macos_darwin_all/orbit
|
|
|
|
goreleaser-linux:
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Install musl tools
|
|
run: sudo apt update && sudo apt install -y musl-tools
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux.yml # v2.4.4
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit_linux_amd64_v1/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-linux
|
|
path: dist/orbit_linux_amd64_v1/orbit
|
|
|
|
goreleaser-linux-arm64:
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-linux-arm64.yml # v2.4.4
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "dist/orbit_linux_arm64_v8.0/orbit"
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: orbit-linux-arm64
|
|
path: dist/orbit_linux_arm64_v8.0/orbit
|
|
|
|
goreleaser-windows:
|
|
runs-on: windows-2022
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows.yml # v2.4.4
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: unsigned-windows
|
|
path: dist/orbit_windows_amd64_v1/orbit.exe
|
|
|
|
code-sign-windows:
|
|
needs: goreleaser-windows
|
|
uses: ./.github/workflows/code-sign-windows.yml
|
|
permissions:
|
|
contents: read
|
|
id-token: write # required for attestations
|
|
attestations: write # required for attestations
|
|
with:
|
|
attest: true
|
|
filename: orbit.exe
|
|
upload_name: orbit-windows
|
|
secrets:
|
|
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
|
|
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
|
|
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
|
|
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
|
|
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
|
|
|
|
goreleaser-windows-arm64:
|
|
runs-on: windows-2022
|
|
permissions:
|
|
contents: write
|
|
id-token: write
|
|
attestations: write
|
|
packages: write
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
|
|
# paid version. We pay for goreleaser, but using the closed source build would weaken our
|
|
# supply-chain integrity goals, so we hack around it by replacing the tag.
|
|
- name: Replace tag
|
|
run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g') && git tag -d ${{ github.ref_name }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
|
|
- name: Run GoReleaser
|
|
run: go run github.com/goreleaser/goreleaser/v2@606c0e724fe9b980cd01090d08cbebff63cd0f72 release --verbose --clean --skip=publish -f orbit/goreleaser-windows-arm64.yml # v2.4.4
|
|
|
|
- name: Upload
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: unsigned-windows-arm64
|
|
path: dist/orbit_windows_arm64_v8.0/orbit.exe
|
|
|
|
code-sign-windows-arm64:
|
|
needs: goreleaser-windows-arm64
|
|
uses: ./.github/workflows/code-sign-windows.yml
|
|
permissions:
|
|
contents: read
|
|
id-token: write # required for attestations
|
|
attestations: write # required for attestations
|
|
with:
|
|
attest: true
|
|
filename: orbit.exe
|
|
upload_name: orbit-windows-arm64
|
|
download_name: unsigned-windows-arm64
|
|
secrets:
|
|
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
|
|
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
|
|
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
|
|
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
|
|
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
|