diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 262bbc785..b52d48598 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,43 +1,41 @@ +# Terraform Provider release workflow. name: Release +# This GitHub action creates a release when a tag that matches the pattern +# "v*" (e.g. v0.1.0) is created. on: push: tags: - - 'v[0-9]+.[0-9]+.[0-9]+*' + - 'v*' +# Releases need permissions to read and write the repository contents. +# GitHub considers creating releases and uploading assets as writing contents. permissions: contents: write jobs: - release-notes: + goreleaser: runs-on: ubuntu-latest steps: - - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: + # Allow goreleaser to access older tag information. fetch-depth: 0 - - name: Generate Release Notes - run: sed -n -e "1{/# /d;}" -e "2{/^$/d;}" -e "/# $(git describe --abbrev=0 --exclude="$(git describe --abbrev=0 --match='v*.*.*' --tags)" --match='v*.*.*' --tags | tr -d v)/q;p" CHANGELOG.md > release-notes.txt - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - name: release-notes - path: release-notes.txt - retention-days: 1 - terraform-provider-release: - name: 'Terraform Provider Release' - needs: [release-notes] - uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/hashicorp.yml@01981baad5d35ce2342924e60ae91cf69fe31fd0 # v2.3.0 - secrets: - hc-releases-key-prod: '${{ secrets.HC_RELEASES_KEY_PROD }}' - hc-releases-key-staging: '${{ secrets.HC_RELEASES_KEY_STAGING }}' - hc-releases-github-token: '${{ secrets.HASHI_RELEASES_GITHUB_TOKEN }}' - hc-releases-terraform-registry-sync-token: '${{ secrets.TF_PROVIDER_RELEASE_TERRAFORM_REGISTRY_SYNC_TOKEN }}' - setup-signore-github-token: '${{ secrets.HASHI_SIGNORE_GITHUB_TOKEN }}' - signore-client-id: '${{ secrets.SIGNORE_CLIENT_ID }}' - signore-client-secret: '${{ secrets.SIGNORE_CLIENT_SECRET }}' - hc-releases-host-staging: '${{ 
secrets.HC_RELEASES_HOST_STAGING }}' - hc-releases-host-prod: '${{ secrets.HC_RELEASES_HOST_PROD }}' - with: - release-notes: true - setup-go-version-file: 'go.mod' - # Product Version (e.g. v1.2.3 or github.ref_name) - product-version: '${{ github.ref_name }}' + go-version-file: 'go.mod' + cache: true + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5.3.0 + id: import_gpg + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.PASSPHRASE }} + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0 + with: + args: release --clean + env: + # GitHub sets the GITHUB_TOKEN secret automatically. + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} diff --git a/.goreleaser.yml b/.goreleaser.yml index 4eff5747a..9bb0aa711 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
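Review bot: The tag filter `- 'v*'` starts this job, and with it the `Import GPG key` step, for any tag that begins with `v`, whereas the pattern it replaces only matched version-shaped tags. Since the job holds `contents: write` and loads the signing key, I would keep the narrower filter, `- 'v[0-9]+.[0-9]+.[0-9]+*'`, so that a stray tag such as `vnext` (constructed example) cannot load the key or publish a release. Separately, every action is pinned by commit SHA, but the `Run GoReleaser` step sets no `version` input, so the GoReleaser binary itself is presumably resolved at run time. Pinning it with `version: '<pinned GoReleaser version>'` would make the signed build reproducible from this file alone.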
@@ -1,75 +1,60 @@ -archives: - - files: - # Ensure only built binary is archived - - 'none*' - format: zip - name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' +# Visit https://goreleaser.com for documentation on how to customize this +# behavior. before: hooks: - - 'go mod download' + # this is just an example and not a requirement for provider building/publishing + - go mod tidy builds: - - # Binary naming only required for Terraform CLI 0.12 - binary: '{{ .ProjectName }}_v{{ .Version }}_x5' - env: - - CGO_ENABLED=0 - flags: - - -trimpath - goos: - - darwin - - freebsd - - linux - - windows - goarch: - - '386' - - amd64 - - arm - - arm64 - ignore: - - goarch: arm - goos: windows - - goarch: arm64 - goos: freebsd - - goarch: arm64 - goos: windows - ldflags: - - -s -w -X main.Version={{.Version}} - mod_timestamp: '{{ .CommitTimestamp }}' +- env: + # goreleaser does not work with CGO, it could also complicate + # usage by users in CI/CD systems like Terraform Cloud where + # they are unable to install libraries. + - CGO_ENABLED=0 + mod_timestamp: '{{ .CommitTimestamp }}' + flags: + - -trimpath + ldflags: + - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}' + goos: + - freebsd + - windows + - linux + - darwin + goarch: + - amd64 + - '386' + - arm + - arm64 + ignore: + - goos: darwin + goarch: '386' + binary: '{{ .ProjectName }}_v{{ .Version }}' +archives: +- format: zip + name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}' checksum: - algorithm: sha256 extra_files: - glob: 'terraform-registry-manifest.json' name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS' -publishers: - - checksum: true - # Terraform CLI 0.10 - 0.11 perform discovery via HTTP headers on releases.hashicorp.com - # For providers which have existed since those CLI versions, exclude - # discovery by setting the protocol version headers to 5. 
- env: - - HC_RELEASES_HOST={{ .Env.HC_RELEASES_HOST }} - - HC_RELEASES_KEY={{ .Env.HC_RELEASES_KEY }} - cmd: | - hc-releases upload -product {{ .ProjectName }} -version {{ .Version }} -file={{ .ArtifactPath }}={{ .ArtifactName }} -header=x-terraform-protocol-version=5 -header=x-terraform-protocol-versions=5.0 - extra_files: - - glob: 'terraform-registry-manifest.json' - name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' - name: upload - signature: true + algorithm: sha256 +signs: + - artifacts: checksum + args: + # if you are using this in a GitHub action or some other automated pipeline, you + # need to pass the batch flag to indicate its not interactive. + - "--batch" + - "--local-user" + - "{{ .Env.GPG_FINGERPRINT }}" # set this environment variable for your signing key + - "--output" + - "${signature}" + - "--detach-sign" + - "${artifact}" release: extra_files: - glob: 'terraform-registry-manifest.json' name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json' - ids: - - none -signs: - - args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] - artifacts: checksum - cmd: signore - signature: ${artifact}.sig - - args: ["sign", "--dearmor", "--file", "${artifact}", "--out", "${signature}"] - artifacts: checksum - cmd: signore - id: key-id - signature: ${artifact}.72D7468F.sig -snapshot: - name_template: "{{ .Tag }}-next" + # If you want to manually examine the release before its live, uncomment this line: + # draft: true +changelog: + skip: true
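Review bot: The `before` hook now runs `go mod tidy` instead of `go mod download`, and tidy may rewrite `go.mod`/`go.sum` on the runner just before the build, so the signed binaries could come from a dependency set that differs from what was reviewed and tagged. A release build should only consume the committed module files: use `- go mod download`, optionally followed by `- go mod verify`, and leave tidying to CI on pull requests. The comment `# this is just an example and not a requirement for provider building/publishing` reads as template text and could be replaced by one stating why the hook is there. The `signs` entry also drops the old `72D7468F`-suffixed signature and relies on GoReleaser's defaults for `cmd` and `signature`. If existing consumers verify against the previous key, this presumably needs a note in the release documentation, and an explicit `cmd: gpg` would make the signing tool obvious to a reader.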