project_name: rekor
env:
- GO111MODULE=on
- CGO_ENABLED=0
- DOCKER_CLI_EXPERIMENTAL=enabled
- COSIGN_EXPERIMENTAL=true
# Prevents parallel builds from stepping on eachothers toes downloading modules
before:
hooks:
- go mod tidy
gomod:
proxy: true
builds:
- id: rekor-server-linux
binary: rekor-server-linux-{{ .Arch }}
no_unique_dist_dir: true
main: ./cmd/rekor-server
goos:
- linux
goarch:
- amd64
- arm64
- arm
- s390x
- ppc64le
goarm:
- 7
flags:
- -trimpath
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags:
- "{{ .Env.SERVER_LDFLAGS }}"
- id: rekor-cli
binary: rekor-cli-{{ .Os }}-{{ .Arch }}
no_unique_dist_dir: true
main: ./cmd/rekor-cli
goos:
- linux
- darwin
- windows
goarch:
- amd64
- arm64
- arm
- s390x
- ppc64le
goarm:
- 7
ignore:
- goos: windows
goarch: arm64
- goos: windows
goarch: arm
- goos: windows
goarch: s390x
- goos: windows
goarch: ppc64le
flags:
- -trimpath
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags:
- "{{ .Env.CLIENT_LDFLAGS }}"
signs:
- signature: "${artifact}.sig"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
artifacts: binary
# Keyless
- id: cosign-keyless
signature: "${artifact}-keyless.sig"
cmd: cosign
args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "${artifact}"]
artifacts: binary
archives:
- format: binary
name_template: "{{ .Binary }}"
allow_different_binary_count: true
checksum:
name_template: "{{ .ProjectName }}_checksums.txt"
snapshot:
name_template: SNAPSHOT-{{ .ShortCommit }}
release:
prerelease: allow # remove this when we start publishing non-prerelease or set to auto
draft: true # allow for manual edits
github:
owner: sigstore
name: rekor
footer: |
### Thanks for all contributors!
extra_files:
- glob: "./release/release-cosign.pub"