neoctl/.github/workflows/release.yml at main · NetApp/neoctl · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
name: Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write

jobs:
  release:
    name: Build (${{ matrix.goos }}/${{ matrix.goarch }})
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - goos: linux
            goarch: amd64
            os: ubuntu-latest
            asset_name: neoctl-linux-amd64
          - goos: linux
            goarch: arm64
            os: ubuntu-latest
            asset_name: neoctl-linux-arm64
          - goos: darwin
            goarch: amd64
            os: macos-latest
            asset_name: neoctl-darwin-amd64
          - goos: darwin
            goarch: arm64
            os: macos-latest
            asset_name: neoctl-darwin-arm64
          - goos: windows
            goarch: amd64
            os: ubuntu-latest
            asset_name: neoctl-windows-amd64.exe

    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit

      - name: Checkout code
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

      - name: Set up Go
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
        with:
          go-version: '1.22'
          check-latest: true

      - name: Build binary
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          COMMIT=$(git rev-parse HEAD)
          DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

          echo "Building for $GOOS/$GOARCH with version $VERSION"

          go build -ldflags "-s -w \
            -X 'netapp/neoctl/internal/version.Version=$VERSION' \
            -X 'netapp/neoctl/internal/version.Commit=$COMMIT' \
            -X 'netapp/neoctl/internal/version.Date=$DATE'" \
            -o build/${{ matrix.asset_name }} ./cmd/neoctl

      - name: Import Apple code-signing certificates
        if: matrix.goos == 'darwin'
        uses: step-security/import-codesign-certs@3aaeedc4d9edfab5de47ab78d22fd5a75dbc26c4 # v6.0.0
        with:
          p12-file-base64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}
          p12-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}

      - name: Codesign the Go binary
        if: matrix.goos == 'darwin'
        run: |
          codesign --force --verbose --options runtime --sign "$TEAM_ID" build/"$ASSET_NAME"
        env:
          TEAM_ID: ${{ secrets.MACOS_CERTIFICATE_TEAMID }}
          ASSET_NAME: ${{ matrix.asset_name }}
      - name: Verify Codesign
        if: matrix.goos == 'darwin'
        run: |
          codesign --verify --verbose=2 build/"$ASSET_NAME"
        env:
          ASSET_NAME: ${{ matrix.asset_name }}

      - name: Compress binary (Unix)
        if: matrix.goos != 'windows'
        run: |
          cd build
          tar -czvf ${{ matrix.asset_name }}.tar.gz ${{ matrix.asset_name }}

      - name: Compress binary (Windows)
        if: matrix.goos == 'windows'
        run: |
          cd build
          zip ${{ matrix.asset_name }}.zip ${{ matrix.asset_name }}

      - name: Upload Release Asset
        uses: step-security/action-gh-release@dc29ef0d1f6f9a032a97ec797d9cb7ea788dde41 # v2.6.1
        with:
          files: |
            build/*.tar.gz
            build/*.zip