google / addlicense

A program which ensures source code files have copyright license headers by scanning directory patterns recursively
Apache License 2.0

feat: goreleaser release #101

Open developer-guy opened 2 years ago

developer-guy commented 2 years ago

Signed-off-by: Batuhan Apaydın batuhan.apaydin@trendyol.com
Co-authored-by: Furkan Türkal furkan.turkal@trendyol.com

Fixes #100

cc: @willnorris

https://github.com/developer-guy/addlicense/releases/tag/v0.999.0

willnorris commented 2 years ago

Given GitHub's blog post yesterday, I tried using the purely Actions based cosign workflow on a personal project of mine, and it worked really well. I wonder if we just do that here as well? Any major downside that I'm not seeing?

developer-guy commented 2 years ago

Given GitHub's blog post yesterday, I tried using the purely Actions based cosign workflow on a personal project of mine, and it worked really well. I wonder if we just do that here as well? Any major downside that I'm not seeing?

No, there is no major downside at all. You're right. We can do it that way as well. Still, GoReleaser already supports that, but it should wait for cosign v1.4.x for the keyless feature, that's why I commented out the signs and docker_signs sections within the .goreleaser.yml file, but anyway, we can do it without using GoReleaser also if you want to move forward like this.

developer-guy commented 2 years ago

Kindly ping @willnorris: cosign v1.4.1 with a bunch of fixes was released today, so everything seems fine in the cosign project, which means we can start using it to sign both the addlicense binary and the container image 🤩 Similar work is being done in several projects such as google/ko and goreleaser.

willnorris commented 2 years ago

ugh, I really hate how GitHub shows comments sometimes. I actually missed your reply here. sigh

So yeah, I think we should add signing support without goreleaser (at least for the docker images). But seriously, thanks for your patience with me on this PR. It's honestly been a lot of fun to learn about these things.

developer-guy commented 2 years ago

Hello @willnorris, GoReleaser v1.2.2 was released yesterday, and GoReleaser is now capable of signing releases with a keyless approach using the GitHub Actions OIDC flow. Another notable feature added in v1.2.2 is SBOM support: GoReleaser can now generate SBOMs for container images using the Syft tool under the hood. Please see it all in action on a sample repository:

👉 https://github.com/goreleaser/supply-chain-example
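For reference, here is what the `signs`, `docker_signs` and `sboms` sections discussed in this thread look like once enabled for keyless signing. This is an added example, not the configuration from this PR or the addlicense repository; it assumes cosign v1.4+ and syft are installed on the runner and that the GitHub Actions job grants `permissions: id-token: write` so the OIDC flow can obtain a certificate.

```yaml
# Added example: .goreleaser.yml fragment for keyless cosign signing plus SBOMs.
# Assumptions: cosign v1.4+ and syft on the runner; the Actions job has
# `permissions: id-token: write` so cosign can use the GitHub OIDC token.
signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1   # enables keyless (OIDC) mode in cosign v1.x
    certificate: '${artifact}.pem'
    args:
      - sign-blob
      - '--output-certificate=${certificate}'
      - '--output-signature=${signature}'
      - '${artifact}'
    artifacts: checksum          # signing the checksum file covers every archive it lists

docker_signs:
  - cmd: cosign
    env:
      - COSIGN_EXPERIMENTAL=1
    artifacts: images            # sign the pushed container images
    args:
      - sign
      - '${artifact}'

sboms:
  - artifacts: archive           # one SBOM per release archive, generated by syft
```

Consumers can then check a release with `cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt` (cosign v1 syntax) before trusting the checksums, and `cosign verify` on the image.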