Build Orbit releases in GitHub Actions (#3413)

Complete build including macOS signing+notarization.

.github/workflows/goreleaser-orbit.yaml

@@ -1,34 +1,50 @@
-name: goreleaser
+name: GoReleaser Orbit
 
 on:
   push:
-    tags:
-      - 'orbit-*'
-
+   tags:
+     - 'orbit-*'
+     
 permissions:
   contents: write
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     environment: Docker Hub
     steps:
       - name: Checkout
         uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # Needed for goreleaser
+
+      # Note that goreleaser does not like the orbit- prefixed flag unless you use the closed-source
+      # paid version. We pay for goreleaser, but using the closed source build would weaken our
+      # supply-chain integrity goals, so we hack around it by replacing the tag.
+      - name: Replace tag
+        run: git tag $(echo ${{ github.ref_name }} | sed -e 's/orbit-//g')
+
+      - name: Import signing keys
+        env: 
+          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
+          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
+          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+          security find-identity -vv
 
       - name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17.2
+          go-version: 1.17
 
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@ac067437f516133269923265894e77920c3dce18 # v2.6.1
-        with:
-          distribution: goreleaser-pro
-          version: latest
-          args: release --rm-dist -f orbit/.goreleaser.yml
+        run: go run github.com/goreleaser/goreleaser release --rm-dist --snapshot -f orbit/.goreleaser.yml
         env:
-          GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
+          AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
+          CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

go.mod

@@ -3,14 +3,14 @@ module github.com/fleetdm/fleet/v4
 go 1.16
 
 require (
-	cloud.google.com/go/pubsub v1.5.0
+	cloud.google.com/go/pubsub v1.16.0
 	github.com/AbGuthrie/goquery/v2 v2.0.1
 	github.com/DATA-DOG/go-sqlmock v1.5.0
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/VividCortex/gohistogram v1.0.0 // indirect
 	github.com/VividCortex/mysqlerr v0.0.0-20170204212430-6c6b55f8796f
 	github.com/WatchBeam/clock v0.0.0-20170901150240-b08e6b4da7ea
-	github.com/aws/aws-sdk-go v1.36.30
+	github.com/aws/aws-sdk-go v1.40.34
 	github.com/beevik/etree v1.1.0
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/briandowns/spinner v1.13.0
@@ -25,9 +25,7 @@ require (
 	github.com/facebookincubator/nvdtools v0.1.4
 	github.com/fatih/color v1.12.0
 	github.com/fleetdm/goose v0.0.0-20210209032905-c3c01484bacb
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
 	github.com/ghodss/yaml v1.0.0
-	github.com/go-git/go-git/v5 v5.2.0 // indirect
 	github.com/go-kit/kit v0.9.0
 	github.com/go-logfmt/logfmt v0.5.0 // indirect
 	github.com/go-sql-driver/mysql v1.6.0
@@ -36,11 +34,11 @@ require (
 	github.com/google/go-cmp v0.5.6
 	github.com/google/go-github/v37 v37.0.0
 	github.com/google/uuid v1.3.0
-	github.com/goreleaser/nfpm/v2 v2.2.2
+	github.com/goreleaser/goreleaser v1.1.0
+	github.com/goreleaser/nfpm/v2 v2.10.0
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.4.2
 	github.com/gosuri/uilive v0.0.4
-	github.com/groob/mockimpl v0.0.0-20170306012045-dfa944a2a940 // indirect
 	github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95
 	github.com/igm/sockjs-go/v3 v3.0.0
 	github.com/jinzhu/copier v0.3.2
@@ -65,29 +63,24 @@ require (
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.4.1 // indirect
 	github.com/prometheus/procfs v0.2.0 // indirect
-	github.com/quasilyte/go-ruleguard/dsl v0.3.10 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
 	github.com/rotisserie/eris v0.5.1
 	github.com/rs/zerolog v1.20.0
 	github.com/russellhaering/goxmldsig v1.1.0
-	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
-	github.com/spf13/afero v1.6.0 // indirect
 	github.com/spf13/cast v1.3.1
-	github.com/spf13/cobra v1.1.1
-	github.com/spf13/viper v1.8.0
+	github.com/spf13/cobra v1.2.1
+	github.com/spf13/viper v1.8.1
+	github.com/stretchr/objx v0.3.0 // indirect
 	github.com/stretchr/testify v1.7.0
 	github.com/theupdateframework/go-tuf v0.0.0-20210929155205-2707f22b6f31
 	github.com/throttled/throttled/v2 v2.8.0
 	github.com/urfave/cli/v2 v2.3.0
 	github.com/valyala/fasthttp v1.31.0
 	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
-	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	golang.org/x/sys v0.0.0-20211123173158-ef496fb156ab
-	golang.org/x/tools v0.1.7 // indirect
-	google.golang.org/grpc v1.38.0
+	google.golang.org/grpc v1.40.0
 	gopkg.in/guregu/null.v3 v3.4.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0-20170531160350-a96e63847dc3
 	gopkg.in/yaml.v2 v2.4.0

orbit/.gon.hcl

@@ -0,0 +1,6 @@
+# Use default credentials from environment
+
+notarize {
+  path = "./dist/orbit_darwin_amd64.zip"
+  bundle_id = "com.fleetdm.orbit"
+}

orbit/.goreleaser.yml

@@ -1,9 +1,5 @@
 project_name: orbit
 
-monorepo:
-  tag_prefix: orbit-
-  dir: orbit
-
 before:
   hooks:
     - go mod download
@@ -25,22 +21,6 @@ builds:
     hooks:
       post: ./orbit/tools/build/sign-macos.sh {{ .Path }}
 
-  - id: orbit-package
-    dir: ./orbit/cmd/package/
-    binary: orbit-package
-    env:
-      - CGO_ENABLED=0
-    goos:
-      - darwin
-      - linux
-      - windows
-    goarch:
-      - amd64
-    ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.Date}} -X main.builtBy=goreleaser
-    hooks:
-      post: ./orbit/tools/build/sign-macos.sh {{ .Path }}
-
 archives:
   - id: orbit
     builds:
@@ -52,30 +32,12 @@ archives:
       - goos: windows
         format: zip
 
-  - id: orbit-package
-    builds:
-      - orbit-package
-    name_template: orbit-package_{{.Version}}_{{.Os}}
-    replacements:
-      darwin: macos
-    format_overrides:
-      - goos: windows
-        format: zip
-
 checksum:
   name_template: 'checksums.txt'
 
 snapshot:
   name_template: "{{ .Tag }}-untagged"
 
-changelog:
-  skip: true
-  sort: asc
-  filters:
-    exclude:
-      - '^docs:'
-      - '^test:'
-
 release:
   github:
     owner: fleetdm

orbit/tools/build/sign-macos.sh

@@ -21,5 +21,7 @@ then
 fi
 
 codesign -s "$CODESIGN_IDENTITY" -i com.fleetdm.orbit -f -v --timestamp --options runtime "$1"
+zip -r dist/orbit_darwin_amd64 dist/orbit_darwin_amd64
+go run github.com/mitchellh/gon/cmd/gon orbit/.gon.hcl
 
 echo "Signed successfully"

tools.go

@@ -5,5 +5,7 @@ package tools
 
 import (
 	_ "github.com/fleetdm/goose"
+	_ "github.com/goreleaser/goreleaser"
 	_ "github.com/kevinburke/go-bindata"
+	_ "github.com/mitchellh/gon/cmd/gon"
 )