constellation/.github/workflows/release-cli.yml

name: Build CLI and prepare release

on:
  workflow_dispatch:

jobs:
  build-cli:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # tag=v3.1.0
        with:
          ref: ${{ github.head_ref }}

      - name: Setup Go environment
        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # tag=v3.3.1
        with:
          go-version: "1.19.3"

      - name: Build cli-linux-amd64
        uses: ./.github/actions/build_cli
        with:
          targetOS: linux
          targetArch: amd64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-linux-arm64
        uses: ./.github/actions/build_cli
        with:
          targetOS: linux
          targetArch: arm64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-darwin-amd64
        uses: ./.github/actions/build_cli
        with:
          targetOS: darwin
          targetArch: amd64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-darwin-arm64
        uses: ./.github/actions/build_cli
        with:
          targetOS: darwin
          targetArch: arm64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Login to Azure
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Build version manifest
        run: |
          cd hack/build-manifest/
          AZURE_SUBSCRIPTION_ID=0d202bbb-4fa7-4af8-8125-58c269a05435 go run . > versions-manifest.json
          cat versions-manifest.json          

      - name: Download syft & grype
        run: |
          SYFT_VERSION=0.59.0
          GRYPE_VERSION=0.50.2
          curl -LO https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz
          tar -xzf syft_${SYFT_VERSION}_linux_amd64.tar.gz
          ./syft version
          curl -LO https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz
          tar -xzf grype_${GRYPE_VERSION}_linux_amd64.tar.gz
          ./grype version
          pwd >> "$GITHUB_PATH"          
        shell: bash

      - name: Build signed SBOMs
        run: |
          syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
          grype constellation.spdx.sbom --fail-on high --only-fixed          
        env:
          COSIGN_EXPERIMENTAL: 1
          COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Create release with artifacts
        # GitHub endorsed release project. See: https://github.com/actions/create-release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          draft: true
          files: |
            build/constellation-*
            build/cosign.pub
            hack/build-manifest/versions-manifest.json
            constellation.spdx.sbom
            constellation.spdx.sbom.sig