crypt/step-ca-cli
crypt/step-ca-cli
1
0
Fork 0
mirror of https://github.com/smallstep/cli.git synced 2025-04-19 10:42:15 +03:00
Code
step-ca-cli/.goreleaser.yml
Herman Slatman c60d625eda
Use envOrDefault for GPG_PRIVATE_KEY_FILE environment variable 
By using `envOrDefault` an issue is prevented in evaluating the
template before a release is created. By setting the default value
to `ENV_VAR_GPG_PRIVATE_KEY_FILE_NOT_SET`, this value is then shown
in the error message at signing time.

The reason for changing this is so that it becomes possible to
create local, unsigned releases when creating a release as follows:

 `goreleaser release --snapshot --clean --skip sign,after`
2025-04-16 13:18:22 +02:00

507 lines
17 KiB
YAML
Raw Permalink Blame History

# Documentation: https://goreleaser.com/customization/
# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
version: 2
project_name: step
# Enable GoReleaser OSS to read Pro configs: https://goreleaser.com/errors/version/#using-a-pro-configuration-file-with-goreleaser-oss
pro: true
variables:
packageName: step-cli
packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this
before:
hooks:
- go mod download
after:
hooks:
# This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step.
- cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
output: true
builds:
- &BUILD
id: default
env:
- CGO_ENABLED=0
main: ./cmd/step
flags:
- -trimpath
ldflags:
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
gcflags:
- >-
{{- if ne (index .Env "DEBUG") "" }}all=-N -l{{- end }}
targets:
- darwin_amd64
- darwin_arm64
- freebsd_amd64
- linux_386
- linux_amd64
- linux_arm64
- linux_arm_5
- linux_arm_6
- linux_arm_7
- linux_mips
- linux_mips64
- linux_ppc64le
- windows_amd64
- windows_arm64
binary: bin/step
-
# This build is specifically for nFPM targets (.deb and .rpm files).
# It's exactly the same as the default build above, except:
# - it only builds the archs we want to produce .deb and .rpm files for
# - the name of the output binary is step-cli
<< : *BUILD
id: nfpm
targets:
- linux_amd64
- linux_arm64
binary: step-cli
archives:
- &ARCHIVE
id: default
# Can be used to change the archive formats for specific GOOSs.
# Most common use case is to archive as zip on Windows.
# Default is empty.
name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
format_overrides:
- goos: windows
formats: ['zip']
ids:
- default
wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
files:
- README.md
- LICENSE
- autocomplete/*
-
<< : *ARCHIVE
id: unversioned
name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
wrap_in_directory: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
nfpms:
# Configure nFPM for .deb and .rpm releases
#
# See https://nfpm.goreleaser.com/configuration/
# and https://goreleaser.com/customization/nfpm/
#
# Useful tools for debugging .debs:
# List file contents: dpkg -c dist/step_...deb
# Package metadata: dpkg --info dist/step_....deb
#
- &NFPM
id: packages
ids:
- nfpm
package_name: "{{ .Var.packageName }}"
release: "1"
file_name_template: >-
{{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
{{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
{{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
{{- .ConventionalExtension -}}
vendor: Smallstep Labs
homepage: https://github.com/smallstep/cli
maintainer: Smallstep <techadmin@smallstep.com>
description: >
step-cli lets you build, operate, and automate Public Key Infrastructure (PKI) systems and workflows.
It's a swiss army knife for authenticated encryption (X.509, TLS), single sign-on (OAuth OIDC, SAML), multi-factor authentication (OATH OTP, FIDO U2F), encryption mechanisms (JSON Web Encryption, NaCl), and verifiable claims (JWT, SAML assertions).
license: Apache 2.0
section: utils
formats:
- deb
- rpm
priority: optional
bindir: /usr/bin
contents:
- src: debian/copyright
dst: /usr/share/doc/step-cli/copyright
# Ghost files are used for RPM and ignored elsewhere
- dst: /usr/bin/step
type: ghost
- dst: /usr/share/bash-completion/completions/step
type: ghost
scripts:
postinstall: scripts/postinstall.sh
postremove: scripts/postremove.sh
rpm:
signature:
key_file: '{{ envOrDefault "GPG_PRIVATE_KEY_FILE" "ENV_VAR_GPG_PRIVATE_KEY_FILE_NOT_SET" }}'
deb:
signature:
key_file: '{{ envOrDefault "GPG_PRIVATE_KEY_FILE" "ENV_VAR_GPG_PRIVATE_KEY_FILE_NOT_SET" }}'
type: origin
-
<< : *NFPM
id: unversioned
file_name_template: "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
source:
enabled: true
name_template: '{{ .ProjectName }}_{{ .Version }}'
checksum:
name_template: 'checksums.txt'
extra_files:
- glob: ./.releases/*
signs:
- cmd: cosign
signature: "${artifact}.sig"
certificate: "${artifact}.pem"
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
artifacts: all
publishers:
- name: Google Cloud Artifact Registry
ids:
- packages
cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
snapshot:
version_template: "{{ .Tag }}-next"
release:
# Repo in which the release will be created.
# Default is extracted from the origin remote URL or empty if its private hosted.
# Note: it can only be one: either github, gitlab or gitea
github:
owner: smallstep
name: cli
# IDs of the archives to use.
# Defaults to all.
#ids:
# - default
# - bar
# If set to true, will not auto-publish the release.
# Default is false.
draft: false
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
# If set to true, will mark the release as not ready for production.
# Default is false.
prerelease: auto
# You can change the name of the release.
# Default is `{{.Tag}}`
name_template: "Step CLI {{ .Tag }} ({{ .Env.RELEASE_DATE }})"
# Header template for the release body.
# Defaults to empty.
header: |
## Official Release Artifacts
Below are the most popular artifacts for `step` on each platform.
For packaged versions (Homebrew, Scoop, etc.), see our [installation docs](https://smallstep.com/docs/step-cli/installation).
#### Linux
- 📦 [step_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_amd64.tar.gz)
- 📦 [step_linux_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_arm64.tar.gz)
- 📦 [step_linux_{{ .Version }}_armv7.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_linux_{{ .Version }}_armv7.tar.gz)
- 📦 [step-cli_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb)
- 📦 [step-cli-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm)
- 📦 [step-cli_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb)
- 📦 [step-cli-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-cli-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm)
- see `Assets` below for more builds
#### macOS Darwin
- 📦 [step_darwin_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_darwin_{{ .Version }}_amd64.tar.gz)
- 📦 [step_darwin_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_darwin_{{ .Version }}_arm64.tar.gz)
#### Windows
- 📦 [step_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_windows_{{ .Version }}_amd64.zip)
- 📦 [step_windows_{{ .Version }}_arm64.zip](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step_windows_{{ .Version }}_arm64.zip)
## Signatures and Checksums
`step` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying release artifacts.
Below is an example using `cosign` to verify a release artifact:
```
cosign verify-blob \
--certificate ~/Download/step_darwin_{{ .Version }}_amd64.tar.gz.pem \
--signature ~/Downloads/step_darwin_{{ .Version }}_amd64.tar.gz.sig \
--certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
~/Downloads/step_darwin_{{ .Version }}_amd64.tar.gz
```
The `checksums.txt` file (in the 'Assets' section below) contains a checksum for every artifact in the release.
# Footer template for the release body.
# Defaults to empty.
footer: |
## Thanks!
Those were the changes on {{ .Tag }}!
Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes.
# You can disable this pipe in order to not upload any artifacts.
# Defaults to false.
#disable: true
# You can add extra preexisting files to the release.
# The filename on the release will be the last part of the path (base). If
# another file with the same name exists, the latest one found will be used.
# Defaults to empty.
extra_files:
- glob: ./.releases/*
# - glob: ./glob/**/to/**/file/**/*
# - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
blobs:
- &S3_VERSIONED
provider: s3
disable: 'false'
ids:
- default
bucket: '{{ .Env.AWS_S3_BUCKET }}'
region: '{{ .Env.AWS_S3_REGION }}'
directory: '/'
acl: public-read
extra_files:
- glob: ./dist/default_darwin_amd64_v1/bin/step
name_template: step_{{ .Version }}_darwin_amd64
- glob: ./dist/default_darwin_arm64*/bin/step
name_template: step_{{ .Version }}_darwin_arm64
- glob: ./dist/default_linux_amd64_v1/bin/step
name_template: step_{{ .Version }}_linux_amd64
- glob: ./dist/default_linux_arm64*/bin/step
name_template: step_{{ .Version }}_linux_arm64
- glob: ./dist/default_windows_amd64_v1/bin/step.exe
name_template: step_{{ .Version }}_windows_amd64.exe
- glob: ./dist/default_freebsd_*/bin/step
name_template: step_{{ .Version }}_freebsd_amd64
extra_files_only: true
# Unversioned (`latest`) copies of binaries.
# This section should only run on full releases (not prereleases).
-
<< : *S3_VERSIONED
disable: '{{ if .Prerelease }}true{{ else }}false{{ end }}'
extra_files:
- glob: ./dist/default_darwin_amd64_v1/bin/step
name_template: step_latest_darwin_amd64
- glob: ./dist/default_darwin_arm64*/bin/step
name_template: step_latest_darwin_arm64
- glob: ./dist/default_linux_amd64_v1/bin/step
name_template: step_latest_linux_amd64
- glob: ./dist/default_linux_arm64*/bin/step
name_template: step_latest_linux_arm64
- glob: ./dist/default_windows_amd64_v1/bin/step.exe
name_template: step_latest_windows_amd64.exe
- glob: ./dist/default_freebsd_*/bin/step
name_template: step_latest_freebsd_amd64
extra_files_only: true
winget:
-
# IDs of the archives to use.
# Empty means all IDs.
ids: [ default ]
#
# Default: ProjectName
# Templates: allowed
name: step
# Publisher name.
#
# Templates: allowed
# Required.
publisher: Smallstep
# Your app's description.
#
# Templates: allowed
# Required.
short_description: "A Swiss army knife for working with X.509 certificates, JWTs, etc."
# License name.
#
# Templates: allowed
# Required.
license: "Apache-2.0"
# Publisher URL.
#
# Templates: allowed
publisher_url: "https://smallstep.com"
# Publisher support URL.
#
# Templates: allowed
publisher_support_url: "https://github.com/smallstep/certificates/discussions"
# URL which is determined by the given Token (github, gitlab or gitea).
#
# Default depends on the client.
# Templates: allowed
url_template: "https://github.com/smallstep/cli/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Git author used to commit to the repository.
commit_author:
name: goreleaserbot
email: goreleaser@smallstep.com
# The project name and current git tag are used in the format string.
#
# Templates: allowed
commit_msg_template: "{{ .PackageIdentifier }}: {{ .Tag }}"
# Your app's homepage.
homepage: "https://github.com/smallstep/cli"
# Your app's long description.
#
# Templates: allowed
description: ""
# License URL.
#
# Templates: allowed
license_url: "https://github.com/smallstep/cli/blob/master/LICENSE"
# Release notes URL.
#
# Templates: allowed
release_notes_url: "https://github.com/smallstep/cli/releases/tag/{{ .Tag }}"
# Create the PR - for testing
skip_upload: auto
# Tags.
tags:
- cli
- smallstep
# Repository to push the generated files to.
repository:
owner: smallstep
name: winget-pkgs
branch: "step-{{.Version}}"
# Optionally a token can be provided, if it differs from the token
# provided to GoReleaser
# Templates: allowed
#token: "{{ .Env.GITHUB_PERSONAL_AUTH_TOKEN }}"
# Sets up pull request creation instead of just pushing to the given branch.
# Make sure the 'branch' property is different from base before enabling
# it.
#
# Since: v1.17
pull_request:
# Whether to enable it or not.
enabled: true
check_boxes: true
# Whether to open the PR as a draft or not.
#
# Default: false
# Since: v1.19
# draft: true
# Base can also be another repository, in which case the owner and name
# above will be used as HEAD, allowing cross-repository pull requests.
#
# Since: v1.19
base:
owner: microsoft
name: winget-pkgs
branch: master
scoops:
-
ids: [ default ]
name: step
# Template for the url which is determined by the given Token (github or gitlab)
# Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
# Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
url_template: "http://github.com/smallstep/cli/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Repository to push the app manifest to.
repository:
owner: smallstep
name: scoop-bucket
branch: main
# Git author used to commit to the repository.
# Defaults are shown.
commit_author:
name: goreleaserbot
email: goreleaser@smallstep.com
# The project name and current git tag are used in the format string.
commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
# Your app's homepage.
# Default is empty.
homepage: "https://smallstep.com/"
# Skip uploads for prerelease.
skip_upload: auto
# Your app's description.
# Default is empty.
description: "Crypto toolkit for working with X.509, OAuth, JWT, OATH OTP, etc."
# Your app's license
# Default is empty.
license: "Apache-2.0"
#dockers:
# - dockerfile: docker/Dockerfile
# goos: linux
# goarch: amd64
# use_buildx: true
# image_templates:
# - "smallstep/step-cli:latest"
# - "smallstep/step-cli:{{ .Tag }}"
# build_flag_templates:
# - "--platform=linux/amd64"
# - dockerfile: docker/Dockerfile
# goos: linux
# goarch: 386
# use_buildx: true
# image_templates:
# - "smallstep/step-cli:latest"
# - "smallstep/step-cli:{{ .Tag }}"
# build_flag_templates:
# - "--platform=linux/386"
# - dockerfile: docker/Dockerfile
# goos: linux
# goarch: arm
# goarm: 7
# use_buildx: true
# image_templates:
# - "smallstep/step-cli:latest"
# - "smallstep/step-cli:{{ .Tag }}"
# build_flag_templates:
# - "--platform=linux/arm/v7"
# - dockerfile: docker/Dockerfile
# goos: linux
# goarch: arm64
# use_buildx: true
# image_templates:
# - "smallstep/step-cli:latest"
# - "smallstep/step-cli:{{ .Tag }}"
# build_flag_templates:
# - "--platform=linux/arm64/v8"
View Git Blame Copy Permalink