Add GoReleaser, create SBOMs and upload artifacts to Azure (#171)

Author: lucacome

.github/workflows/ci.yml

@@ -27,6 +27,9 @@ concurrency:
   group: ${{ github.ref_name }}-ci
   cancel-in-progress: true
 
+env:
+  platforms: "linux/arm64, linux/amd64"
+
 jobs:
 
   vars:
@@ -36,19 +39,22 @@ jobs:
       sha: ${{ steps.vars.outputs.sha }}
       version: ${{ steps.vars.outputs.version }}
       date: ${{ steps.vars.outputs.date }}
+      go_path: ${{ steps.vars.outputs.go_path }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
+      - name: Setup Golang Environment
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+          cache: true
       - name: Output Variables
         id: vars
         run: |
           echo "::set-output name=sha::$(echo ${GITHUB_SHA} | cut -c1-7)"
           echo "::set-output name=version::$(grep "VERSION = " Makefile | cut -d " " -f 3)"
           echo "::set-output name=date::$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
-      - name: Setup Golang Environment
-        uses: actions/setup-go@v3
-        with:
-          go-version-file: go.mod
+          echo "::set-output name=go_path::$(go env GOPATH)"
       - name: Check if CRDs changed
         run: |
           make update-crds && git diff --name-only --exit-code deploy/manifests/crds/*
@@ -64,6 +70,7 @@ jobs:
         uses: actions/setup-go@v3
         with:
           go-version-file: go.mod
+          cache: true
       - name: Run Tests
         run: make unit-test
       - name: Upload Coverage Report
@@ -94,16 +101,33 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       - name: Setup Golang Environment
         uses: actions/setup-go@v3
         with:
           go-version-file: go.mod
-      - name: Build Binary
-        run: make build
+          cache: true
+
+      - name: Download Syft
+        uses: anchore/sbom-action/download-syft@v0.11.0
+
+      - name: Build binary
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          version: latest
+          args: ${{ startsWith(github.ref, 'refs/tags/') && 'release' || 'build --snapshot' }} --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOPATH: ${{ needs.vars.outputs.go_path }}
+          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+          AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }}
+
       - name: Cache Artifacts
         uses: actions/cache@v3
         with:
-          path: ${{ github.workspace }}/build/.out/gateway
+          path: ${{ github.workspace }}/dist
           key: nginx-kubernetes-gateway-${{ github.run_id }}-${{ github.run_number }}
 
   build:
@@ -116,10 +140,14 @@ jobs:
       - name: Fetch Cached Artifacts
         uses: actions/cache@v3
         with:
-          path: ${{ github.workspace }}/build/.out/gateway
+          path: ${{ github.workspace }}/dist
           key: nginx-kubernetes-gateway-${{ github.run_id }}-${{ github.run_number }}
       - name: Docker Buildx
         uses: docker/setup-buildx-action@v2
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v2
+        with:
+          platforms: arm64
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v2
         if: ${{ startsWith(github.ref, 'refs/tags') }}
@@ -138,17 +166,16 @@ jobs:
             type=edge
             type=ref,event=pr
             type=ref,event=branch,enable=${{ startsWith(github.ref, 'refs/heads/release') }}
-          flavor: |
-            latest=true
-      - name: Build Image Debian
+      - name: Build Docker Image
         uses: docker/build-push-action@v3
         with:
           file: build/Dockerfile
           context: '.'
-          target: local
+          target: goreleaser
           tags: ${{ steps.meta.outputs.tags }}
           load: ${{ !startsWith(github.ref, 'refs/tags') }}
           push: ${{ startsWith(github.ref, 'refs/tags') }}
+          platforms: ${{ startsWith(github.ref, 'refs/tags') && env.platforms || '' }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

.gitignore

@@ -25,6 +25,7 @@ cover.html
 
 # Binary and Artifacts
 build/.out
+dist/
 
 # Node modules
 node_modules/

.goreleaser.yml

@@ -0,0 +1,39 @@
+env:
+  - CGO_ENABLED=0
+
+builds:
+  - id: gateway
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    flags:
+      - -trimpath
+    gcflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    asmflags:
+      - all=-trimpath={{.Env.GOPATH}}
+    main: ./cmd/gateway/
+    binary: gateway
+
+changelog:
+  skip: true
+
+checksum:
+  name_template: 'checksums.txt'
+
+archives:
+  - id: gateway
+
+sboms:
+  - artifacts: archive
+
+release:
+  ids: [gateway]
+
+blobs:
+  - provider: azblob
+    bucket: '{{.Env.AZURE_BUCKET_NAME}}'
+    extra_files:
+      - glob: ./dist/**.sbom

build/Dockerfile

@@ -1,3 +1,4 @@
+# syntax=docker/dockerfile:1.4
 FROM golang:1.19 as builder
 ARG VERSION
 ARG GIT_COMMIT
@@ -24,6 +25,11 @@ FROM capabilizer as container-capabilizer
 COPY --from=builder /go/src/github.com/nginxinc/nginx-kubernetes-gateway/cmd/gateway/gateway /usr/bin/
 RUN setcap 'cap_kill=+ep' /usr/bin/gateway
 
+FROM capabilizer as goreleaser-capabilizer
+ARG TARGETARCH
+COPY dist/gateway_linux_$TARGETARCH*/gateway /usr/bin/
+RUN setcap 'cap_kill=+ep' /usr/bin/gateway
+
 FROM scratch as common
 USER 1001:1001
 ENTRYPOINT [ "/usr/bin/gateway" ]
@@ -33,3 +39,6 @@ COPY --from=container-capabilizer /usr/bin/gateway /usr/bin/
 
 FROM common as local
 COPY --from=local-capabilizer /usr/bin/gateway /usr/bin/
+
+FROM common as goreleaser
+COPY --from=goreleaser-capabilizer /usr/bin/gateway /usr/bin/