feat: add docker, signing, nfpm, more (#1)

* feat: add docker, signing, nfpm, more

* fix: nfpm name

* fix: renames, dependabot

* fix: docker images

* ci: brew

Signed-off-by: Carlos Alexandro Becker <[email protected]>

* fix: stuff

* chore: cleanup

---------

Signed-off-by: Carlos Alexandro Becker <[email protected]>

Author: caarlos0

.github/dependabot.yml

@@ -0,0 +1,32 @@
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "08:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "08:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "08:00"
+    labels:
+      - "dependencies"
+    commit-message:
+      prefix: "chore"
+      include: "scope"

.github/workflows/build.yml

@@ -0,0 +1,35 @@
+name: build
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: cargo build --verbose
+      - run: cargo test --verbose
+  dependabot:
+    needs: [build]
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
+    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    steps:
+      - id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+      - run: |
+          gh pr review --approve "$PR_URL"
+          gh pr merge --squash --auto "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

.github/workflows/release.yml

@@ -1,18 +1,16 @@
-# .github/workflows/release.yml
 name: goreleaser
 
 on:
-  pull_request:
   push:
     # run only against tags
     tags:
       - "*"
 
 permissions:
   contents: write
-  # packages: write
-  # issues: write
-  # id-token: write
+  packages: write
+  issues: write
+  id-token: write
 
 jobs:
   goreleaser:
@@ -24,6 +22,15 @@ jobs:
       # More assembly might be required: Docker logins, GPG, etc.
       # It all depends on your needs.
       - uses: mlugg/setup-zig@v1
+      - uses: sigstore/[email protected]
+      - uses: anchore/sbom-action/[email protected]
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - uses: goreleaser/goreleaser-action@v6
         with:
           # either 'goreleaser' (default) or 'goreleaser-pro'
@@ -35,3 +42,4 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # Your GoReleaser Pro key, if you are using the 'goreleaser-pro' distribution
           # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
+          GH_PAT: ${{ secrets.GH_PAT }}

.github/workflows/rust.yml

@@ -8,14 +8,18 @@
 
 version: 2
 
+# Project name should ideally match the project name in your Cargo.toml.
+project_name: example
+
+# Hooks ran before actually building anything.
+# Here we use them to prepare for building.
 before:
   hooks:
-    # if you don't do these things before calling goreleaser, it might be a
-    # good idea to do them here:
     - rustup default stable
     - cargo install --locked cargo-zigbuild
     - cargo fetch --locked
 
+# Actually builds the binaries.
 builds:
   - builder: rust
     targets:
@@ -25,6 +29,7 @@ builds:
       - aarch64-unknown-linux-gnu
       - aarch64-apple-darwin
 
+# Creates archives for each target.
 archives:
   - format: tar.gz
     # this name template makes the OS and Arch compatible with the results of `uname`.
@@ -39,16 +44,113 @@ archives:
       - goos: windows
         format: zip
 
+# Changelog configuration (will be in the github release).
 changelog:
   sort: asc
   filters:
     exclude:
       - "^docs:"
       - "^test:"
 
+# A footer to add to all releases.
 release:
   footer: >-
 
     ---
 
     Released by [GoReleaser](https://github.com/goreleaser/goreleaser).
+
+# Creates Linux packages.
+nfpms:
+  - file_name_template: "{{ .ConventionalFileName }}"
+    maintainer: Carlos Alexandro Becker <[email protected]>
+    formats:
+      - deb
+      - apk
+      - rpm
+
+# Creates Darwin universal binaries.
+universal_binaries:
+  - replace: true
+
+# Enables source archives.
+source:
+  enabled: true
+
+# SBOMs for the archives and source archives.
+sboms:
+  - artifacts: any
+
+# Sign binaries with cosign.
+signs:
+  - cmd: cosign
+    certificate: "${artifact}.pem"
+    args:
+      - sign-blob
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes"
+    artifacts: checksum
+
+# Create Docker images.
+# We create a manifest below, so here the images need the suffix with the
+# architecture.
+dockers:
+  - image_templates:
+      - "ghcr.io/goreleaser/example-rust:{{ .Tag }}-arm64"
+    dockerfile: Dockerfile
+    goarch: arm64
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source={{.GitURL}}"
+      - "--platform=linux/arm64"
+  - image_templates:
+      - "ghcr.io/goreleaser/example-rust:{{ .Tag }}-amd64"
+    dockerfile: Dockerfile
+    goarch: amd64
+    use: buildx
+    build_flag_templates:
+      - "--pull"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.name={{.ProjectName}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.source={{.GitURL}}"
+      - "--platform=linux/amd64"
+
+# Here we join both images into a Docker manifest.
+docker_manifests:
+  - name_template: "ghcr.io/goreleaser/example-rust:{{ .Tag }}"
+    image_templates:
+      - "ghcr.io/goreleaser/example-rust:{{ .Tag }}-arm64"
+      - "ghcr.io/goreleaser/example-rust:{{ .Tag }}-amd64"
+
+# Sign the Docker images with cosign as well.
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests
+    args:
+      - "sign"
+      - "${artifact}"
+      - "--yes"
+
+# Sets up homebrew-taps.
+# PS: this will require a personal access token, as it is cross-repository.
+brews:
+  - repository:
+      owner: goreleaser
+      name: example-homebrew-tap
+      token: "{{ .Env.GH_PAT }}"
+    directory: Formula
+    homepage: https://goreleaser.com
+    description: Example rust release.
+    license: MIT
+    # usually you don't need to set this, we do to prevent conflicts with other
+    # example-* repositories
+    name: example-rust

.goreleaser.yaml

@@ -1,5 +1,5 @@
 [package]
-name = "example-rust"
+name = "example"
 version = "0.1.0"
 edition = "2021"
 

Cargo.lock

@@ -0,0 +1,3 @@
+FROM ubuntu
+COPY example /usr/bin/example
+ENTRYPOINT [ "/usr/bin/example" ]