.goreleaser.yml

project_name: cosign

env:
  - GO111MODULE=on
  - CGO_ENABLED=1
  - DOCKER_CLI_EXPERIMENTAL=enabled
  - COSIGN_EXPERIMENTAL=true

# Prevents parallel builds from stepping on each others toes downloading modules
before:
  hooks:
  - go mod tidy

gomod:
  proxy: true

sboms:
- artifacts: binary

builds:
- id: linux
  binary: cosign-linux-{{ .Arch }}
  no_unique_dist_dir: true
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - linux
  goarch:
    - amd64
    - arm64
    - arm
    - s390x
    - ppc64le
  goarm:
    - '7'
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  env:
    - CGO_ENABLED=0

- id: linux-pivkey-pkcs11key-amd64
  binary: cosign-linux-pivkey-pkcs11key-amd64
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - linux
  goarch:
    - amd64
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key
  hooks:
    pre:
      - apt-get update
      - apt-get -y install libpcsclite-dev
  env:
    - PKG_CONFIG_PATH="/usr/lib/x86_64-linux-gnu/pkgconfig/"

- id: darwin-amd64
  binary: cosign-darwin-amd64
  no_unique_dist_dir: true
  env:
    - CC=o64-clang
    - CXX=o64-clang++
  main: ./cmd/cosign
  flags:
    - -trimpath
  mod_timestamp: '{{ .CommitTimestamp }}'
  goos:
    - darwin
  goarch:
    - amd64
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key

- id: darwin-arm64
  binary: cosign-darwin-arm64
  no_unique_dist_dir: true
  env:
    - CC=aarch64-apple-darwin20.2-clang
    - CXX=aarch64-apple-darwin20.2-clang++
  main: ./cmd/cosign
  flags:
    - -trimpath
  goos:
    - darwin
  goarch:
    - arm64
  tags:
    - pivkey
    - pkcs11key
  ldflags:
    - "{{.Env.LDFLAGS}}"

- id: windows-amd64
  binary: cosign-windows-amd64
  no_unique_dist_dir: true
  env:
    - CC=x86_64-w64-mingw32-gcc
    - CXX=x86_64-w64-mingw32-g++
  main: ./cmd/cosign
  mod_timestamp: '{{ .CommitTimestamp }}'
  flags:
    - -trimpath
  goos:
    - windows
  goarch:
    - amd64
  ldflags:
    - -buildmode=exe
    - "{{ .Env.LDFLAGS }}"
  tags:
    - pivkey
    - pkcs11key

- id: linux-cosigned
  binary: cosigned-linux-{{ .Arch }}
  no_unique_dist_dir: true
  main: ./cmd/cosign/webhook
  mod_timestamp: '{{ .CommitTimestamp }}'
  flags:
    - -trimpath
  goos:
    - linux
  goarch:
    - amd64
    - arm64
    - arm
    - s390x
    - ppc64le
  goarm:
    - 7
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  env:
    - CGO_ENABLED=0

- id: sget
  binary: sget-{{ .Os }}-{{ .Arch }}
  no_unique_dist_dir: true
  mod_timestamp: '{{ .CommitTimestamp }}'
  main: ./cmd/sget
  flags:
    - -trimpath
  goos:
    - linux
    - darwin
    - windows
  goarch:
    - amd64
    - arm64
    - arm
    - s390x
    - ppc64le
  goarm:
    - 7
  ignore:
    - goos: windows
      goarch: arm64
    - goos: windows
      goarch: arm
    - goos: windows
      goarch: s390x
    - goos: windows
      goarch: ppc64le
  ldflags:
    - "{{ .Env.LDFLAGS }}"
  env:
    - CGO_ENABLED=0

signs:
  - id: cosign
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
  - id: cosigned
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
    ids:
      - linux-cosigned
  - id: sget
    signature: "${artifact}.sig"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
    artifacts: binary
    ids:
      - sget
  # Keyless
  - id: cosign-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
  - id: cosigned-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
    ids:
      - linux-cosigned
  - id: sget-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: binary
    ids:
      - sget
  - id: checksum-keyless
    signature: "${artifact}-keyless.sig"
    certificate: "${artifact}-keyless.pem"
    cmd: ./dist/cosign-linux-amd64
    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
    artifacts: checksum

archives:
- format: binary
  name_template: "{{ .Binary }}"
  allow_different_binary_count: true

checksum:
  name_template: "{{ .ProjectName }}_checksums.txt"

snapshot:
  name_template: SNAPSHOT-{{ .ShortCommit }}

release:
  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
  draft: true # allow for manual edits
  github:
    owner: sigstore
    name: cosign
  footer: |
    ### Thanks for all contributors!

  extra_files:
    - glob: "./release/release-cosign.pub"

rigs:
  - rig:
      owner: sigstore
      name: fish-food
    commit_author:
      name: sigstore-bot
      email: 86837369+sigstore-bot@users.noreply.github.com
    homepage: https://sigstore.dev
    description: Container Signing, Verification and Storage in an OCI registry.
    license: "Apache License 2.0"