From 5bf571f7cef96aa37e0d83231bae7e334f0aada4 Mon Sep 17 00:00:00 2001 From: kumari tanushree <38600853+kumaritanushree@users.noreply.github.com> Date: Thu, 18 Jan 2024 11:09:22 +0530 Subject: [PATCH] updated release notes to have installation and verification of artefacts steps included (#354) Signed-off-by: kumari tanushree Co-authored-by: kumari tanushree --- .goreleaser.yml | 57 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/.goreleaser.yml b/.goreleaser.yml index 6fb2d137..776ac465 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -69,6 +69,63 @@ release: # Defaults to false. disable: false + header: |
+ +

Installation and signature verification

+ + ### Installation + + #### By downloading binary from the release + + For instance, if you are using Linux on an AMD64 architecture: + ```shell + # Download the binary + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/{{ .ProjectName }}-linux-amd64 + + # Move the binary in to your PATH + mv vendir-linux-amd64 /usr/local/bin/vendir + + # Make the binary executable + chmod +x /usr/local/bin/vendir + ``` + + #### Via Homebrew (macOS or Linux) + ```shell + $ brew tap carvel-dev/carvel + $ brew install vendir + $ vendir version + ``` + + ### Verify checksums file signature + + Install cosign on your system https://docs.sigstore.dev/system_config/installation/ + + The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: + + ```shell + # Download the checksums file, certificate and signature + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem + curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig + + # Verify the checksums file + cosign verify-blob checksums.txt \ + --certificate checksums.txt.pem \ + --signature checksums.txt.sig \ + --certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ + --certificate-oidc-issuer=https://token.actions.githubusercontent.com + ``` + + ### Verify binary integrity + + To verify the integrity of the downloaded binary, you can utilize the checksums file after having validated its signature. + ```shell + # Verify the binary using the checksums file + sha256sum -c checksums.txt --ignore-missing + ``` +
+ changelog: # Set it to true if you wish to skip the changelog generation. # This may result in an empty release notes on GitHub/GitLab/Gitea.
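Review bot: in the `header:` block the "Installation" steps move and rename the binary before it is verified, so the later `sha256sum -c checksums.txt --ignore-missing` cannot find `vendir-linux-amd64` in the working directory and checks nothing useful (checksums.txt lists the release asset names, not `/usr/local/bin/vendir`). Reorder the header so "Verify checksums file signature" and "Verify binary integrity" run against the freshly downloaded `{{ .ProjectName }}-linux-amd64` first, and only then `mv` it into `/usr/local/bin` and `chmod +x` it; the `mv` line should also use `{{ .ProjectName }}-linux-amd64` instead of the hardcoded `vendir-linux-amd64` that the `curl` line does not produce when the project name differs, and writing to `/usr/local/bin` will normally need `sudo`. Separately, `--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }}` is an unanchored regular expression with an unescaped `.`, so `cosign verify-blob` will accept any signing identity that merely contains that string: a workflow in any other repository under the same owner, or an owner whose name starts with the same characters. Anchor it and scope it to this repository's release workflow, e.g. `--certificate-identity-regexp='^https://github\.com/{{ .Env.GITHUB_REPOSITORY }}/\.github/workflows/'`, or pin the exact workflow path with `--certificate-identity`. Minor style point: the Homebrew block uses `$ ` prompts while the other two shell blocks do not; drop them so all three blocks can be copied as-is.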