diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a4edaffe..3331be3a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: "Release" +name: Release on: push: @@ -14,17 +14,55 @@ jobs: run: rm -rf /opt/hostedtoolcache - uses: actions/checkout@v4 - with: - fetch-depth: 0 - name: Set up Go uses: actions/setup-go@v5 with: - go-version: 1.22 + go-version: 1.23 - run: echo https://github.com/icon-project/centralized-relay/blob/${GITHUB_REF#refs/tags/}/CHANGELOG.md#${GITHUB_REF#refs/tags/} > ../release_notes.md - name: release publish env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} run: make release + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: linux/amd64,linux/arm64 + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to DockerHub + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Build relayer image + id: build-and-push-relayer + uses: docker/build-push-action@v6 + with: + context: https://github.com/icon-project/relayer-docker.git#relayer + platforms: linux/amd64,linux/arm64 + push: true + build-args: | + - RELAYER_VERSION=${{ github.ref }} + tags: | + iconcommunity/centralized-relay:latest + iconcommunity/centralized-relay:${{ github.ref }} + + - name: Install cosign + uses: sigstore/cosign-installer@v3 + + - name: Sign relayer image + env: + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + run: | + cosign sign --key env://COSIGN_PRIVATE_KEY iconcommunity/centralized-relay:latest + cosign sign --key env://COSIGN_PRIVATE_KEY iconcommunity/centralized-relay:${{ github.ref }} diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 7c52f991..74e9f109 100644 --- a/.goreleaser.yaml 
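Review bot: The `Sign relayer image` step signs the mutable references `:latest` and `:${{ github.ref }}` instead of the digest that `build-and-push-relayer` just pushed, so the signature lands on whatever those tags resolve to when cosign runs; the step's `id` is never used. On a tag push `github.ref` expands to `refs/tags/<tag>` (the existing release-notes step strips that prefix with `${GITHUB_REF#refs/tags/}`), which is not a valid Docker tag, and it is interpolated directly into the `run:` script rather than passed through `env:`. The `build-args` block scalar also begins its entry with `- `, which the action will most likely treat as part of the argument name. The sketch below signs the pushed digest once with `--yes` and uses `github.ref_name`, assuming the Dockerfile expects the bare tag in `RELAYER_VERSION`. Because this job holds the signing key, the remote build context and the third-party actions should be pinned to commit SHAs rather than a branch and major-version tags.

```yaml
      - name: Build relayer image
        id: build-and-push-relayer
        # … unchanged: uses, context, platforms, push …
          build-args: |
            RELAYER_VERSION=${{ github.ref_name }}
          tags: |
            iconcommunity/centralized-relay:latest
            iconcommunity/centralized-relay:${{ github.ref_name }}
      # … unchanged: Install cosign …
      - name: Sign relayer image
        env:
          # … unchanged: COSIGN_PRIVATE_KEY, COSIGN_PASSWORD …
          IMAGE_DIGEST: ${{ steps.build-and-push-relayer.outputs.digest }}
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "iconcommunity/centralized-relay@${IMAGE_DIGEST}"
```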
+++ b/.goreleaser.yaml @@ -104,4 +104,17 @@ checksum: release: prerelease: auto - draft: true + draft: false + extra_files: + - glob: dist/*.sig + +signs: + - cmd: cosign + stdin: "{{ .Env.COSIGN_PASSWORD }}" + args: + - "sign-blob" + - "${artifact}" + - "--key=env://COSIGN_PRIVATE_KEY" + - "--output-signature=${signature}" + - "--yes" + artifacts: all diff --git a/Makefile b/Makefile index 60ed959b..bb7a634b 100644 --- a/Makefile +++ b/Makefile @@ -47,7 +47,7 @@ test-all: @go test -v ./... PACKAGE_NAME := github.com/icon-project/centralized-relay -GOLANG_CROSS_VERSION ?= v1.22.4 +GOLANG_CROSS_VERSION ?= v1.23.3 LIBWASM_VERSION ?= v2.1.0 SYSROOT_DIR ?= sysroots @@ -56,9 +56,12 @@ SYSROOT_ARCHIVE ?= sysroots.tar.bz2 .PHONY: release-dry-run release-dry-run: + @echo "dry-run release..." @docker run \ --rm \ --env LIBWASM_VERSION=$(LIBWASM_VERSION) \ + --env COSIGN_PASSWORD=$(COSIGN_PASSWORD) \ + --env COSIGN_PRIVATE_KEY=$(COSIGN_PRIVATE_KEY) \ -v /var/run/docker.sock:/var/run/docker.sock \ -v `pwd`:/go/src/$(PACKAGE_NAME) \ -w /go/src/$(PACKAGE_NAME) \ @@ -66,11 +69,12 @@ release-dry-run: --clean --auto-snapshot .PHONY: release -release: docker run \ --rm \ --env GITHUB_TOKEN \ --env LIBWASM_VERSION=$(LIBWASM_VERSION) \ + --env COSIGN_PASSWORD=(env COSIGN_PASSWORD) \ + --env COSIGN_PRIVATE_KEY(env COSIGN_PRIVATE_KEY) \ -v /var/run/docker.sock:/var/run/docker.sock \ -v `pwd`:/go/src/$(PACKAGE_NAME) \ -w /go/src/$(PACKAGE_NAME) \ diff --git a/release/cosign.pub b/release/cosign.pub new file mode 100644 index 00000000..5a52e143 --- /dev/null +++ b/release/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEA8aqhFqounF+m2BwOy2N/kYL59tO +7tKk12iIR5mKhhhfA4ptXopAxGlo79cddKjqXDHtVUzNQg4tccwKK1tWEw== +-----END PUBLIC KEY-----
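Review bot: Flipping `draft: true` to `draft: false` removes the manual gate in the same change that introduces signing, so a tag push now publishes signed artifacts with no human step in between; if that is intended it deserves a comment next to the key, e.g. `# published immediately; signatures are the only post-build check`. The `extra_files` glob `dist/*.sig` probably duplicates what the `signs` block already registers as release artifacts, so it is worth confirming it does not upload each signature twice. A comment above `signs:` should tell consumers how to check a download, e.g. `# verify: cosign verify-blob --key release/cosign.pub --signature <file>.sig <file>`.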
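Review bot: In the `release-dry-run` recipe, `--env COSIGN_PASSWORD=$(COSIGN_PASSWORD)` and `--env COSIGN_PRIVATE_KEY=$(COSIGN_PRIVATE_KEY)` are expanded by make, so both secret values end up on the `docker run` command line, where they are visible in the process list. The expansion is also unquoted, and a PEM private key presumably contains spaces and newlines that would split the recipe line. Passing the names only, `--env COSIGN_PASSWORD \` and `--env COSIGN_PRIVATE_KEY \`, lets docker read the values from the caller's environment without them touching argv. The recipe continues past the end of this hunk.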
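Review bot: The two added lines in the `release` recipe are malformed: `--env COSIGN_PASSWORD=(env COSIGN_PASSWORD) \` puts unquoted parentheses in front of the shell, and `--env COSIGN_PRIVATE_KEY(env COSIGN_PRIVATE_KEY) \` additionally lacks the `=`. The shell will most likely reject the whole `docker run` command, so `make release` in the workflow would fail before anything is signed. They should follow the `--env GITHUB_TOKEN \` line above them: `--env COSIGN_PASSWORD \` and `--env COSIGN_PRIVATE_KEY \`. The hunk header's line counts (11 old, 12 new) also suggest that the `release:` rule line under `.PHONY: release` is removed; if that is not an artifact of how the page was rendered, the recipe no longer belongs to the `release` target and the line needs restoring.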