From 6454f024b05de6f820aaec52965bd8294adb6740 Mon Sep 17 00:00:00 2001 From: bobby-smedley Date: Mon, 16 Mar 2026 10:47:10 -0400 Subject: [PATCH 1/7] ci: sign Windows binary --- .github/runs-on.yml | 0 .goreleaser.yaml | 0 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 .github/runs-on.yml create mode 100644 .goreleaser.yaml diff --git a/.github/runs-on.yml b/.github/runs-on.yml new file mode 100644 index 0000000..e69de29 diff --git a/.goreleaser.yaml b/.goreleaser.yaml new file mode 100644 index 0000000..e69de29 From ea562e5a2e6dfd9ce3b7ba2e6102c15383920036 Mon Sep 17 00:00:00 2001 From: bobby-smedley Date: Mon, 16 Mar 2026 10:47:36 -0400 Subject: [PATCH 2/7] ci: sign Windows binary --- .github/runs-on.yml | 2 + .github/workflows/release.yaml | 119 ++++++++++++++++++++++++--------- .goreleaser.yaml | 67 +++++++++++++++++++ 3 files changed, 157 insertions(+), 31 deletions(-) diff --git a/.github/runs-on.yml b/.github/runs-on.yml index e69de29..01cb22e 100644 --- a/.github/runs-on.yml +++ b/.github/runs-on.yml @@ -0,0 +1,2 @@ +_extends: .github-private + diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 420abac..c5e2e57 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -11,22 +11,21 @@ jobs: uses: ./.github/workflows/build.yaml release: needs: build - runs-on: ubuntu-latest - env: - BUILD_DIR: 'build' + runs-on: + - runs-on + - run-id=${{ github.run_id }} + - runner=md + - env=production-eu + - tag=build-${{ github.event.repository.name }} + environment: Release permissions: contents: write steps: - - uses: actions/checkout@v5 + - name: Checkout + uses: actions/checkout@v5 with: fetch-depth: 0 - - name: Set version - run: | - VERSION=${{ github.ref_name }} - VERSION=${VERSION#v} - echo "VERSION=$VERSION" >> $GITHUB_ENV - - name: Setup Go uses: actions/setup-go@v6 with: 
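Review bot: `environment: Release` is what now gates the signing secrets consumed later in this workflow, but nothing in the hunk shows how that environment is protected; a job with `contents: write` on a runner labelled `env=production-eu` is the one that will publish the signed release, so it is worth confirming that the Release environment is restricted to release tags and requires approval before the secrets are exposed. The `runs-on` list also pins `run-id=${{ github.run_id }}` and `tag=build-${{ github.event.repository.name }}` as labels; if those are meant to select a dedicated worker per run, a short comment above the list saying so would help the next reader, e.g. `# RunsOn labels: one dedicated worker per run, tagged with the repo name`. The `release` job continues past the end of this hunk.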
@@ -38,26 +37,84 @@ jobs: - name: Test run: go test --tags release -run TestReleaseVersionCheck -v ./... - - name: Build + - name: Setup Java 17 + run: | + mkdir -p tmp + pushd tmp + wget -q https://corretto.aws/downloads/latest/amazon-corretto-17-x64-linux-jdk.tar.gz + tar -xzf amazon-corretto-17-x64-linux-jdk.tar.gz + JAVA_DIR=$(find . -maxdepth 1 -type d -name "amazon-corretto-*" -print -quit | sed 's|^\./||') + echo "$PWD/$JAVA_DIR/bin" >> $GITHUB_PATH + echo "Java 17 installed: $JAVA_DIR" + popd + + - name: Download JSign + run: | + mkdir -p tmp + wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar -O tmp/jsign.jar + echo "JSIGN_JAR_PATH=${GITHUB_WORKSPACE}/tmp/jsign.jar" >> $GITHUB_ENV + echo "JSign downloaded successfully" + + - name: Create certificate chain file + run: | + mkdir -p tmp + echo "${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN }}" > tmp/signing_chain.pem + if [ ! -s tmp/signing_chain.pem ]; then + echo "ERROR: CODE_SIGNING_CERTIFICATE_CHAIN secret is empty or not set" + exit 1 + fi + echo "CODE_SIGNING_CERT_CHAIN_FILE=${GITHUB_WORKSPACE}/tmp/signing_chain.pem" >> $GITHUB_ENV + echo "Certificate chain file created" + + # RunsOn workers have the CodeSigningPolicy attached, which grants + # access to the KMS signing key via EC2 instance metadata (IMDSv2). 
+ - name: Configure AWS credentials + run: | + TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") + ROLE_NAME=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/iam/security-credentials/) + CREDENTIALS=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" -s http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE_NAME) + + ACCESS_KEY=$(echo $CREDENTIALS | jq -r .AccessKeyId) + SECRET_KEY=$(echo $CREDENTIALS | jq -r .SecretAccessKey) + SESSION_TOKEN=$(echo $CREDENTIALS | jq -r .Token) + + mkdir -p ~/.aws + echo "[default]" > ~/.aws/credentials + echo "aws_access_key_id = ${ACCESS_KEY}" >> ~/.aws/credentials + echo "aws_secret_access_key = ${SECRET_KEY}" >> ~/.aws/credentials + echo "aws_session_token = ${SESSION_TOKEN}" >> ~/.aws/credentials + + echo "[default]" > ~/.aws/config + echo "region = ${{ vars.CODE_SIGNING_AWS_REGION || 'eu-west-1' }}" >> ~/.aws/config + + echo "AWS credentials configured successfully" + + - name: Set signing environment variables run: | - GOFIPS140=v1.0.0 GOOS=linux GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-amd64 ./cmd/chip - GOFIPS140=v1.0.0 GOOS=linux GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-arm64 ./cmd/chip - GOFIPS140=v1.0.0 GOOS=darwin GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-amd64 ./cmd/chip - GOFIPS140=v1.0.0 GOOS=darwin GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-arm64 ./cmd/chip - GOFIPS140=v1.0.0 GOOS=windows GOARCH=amd64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ 
env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-amd64.exe ./cmd/chip - GOFIPS140=v1.0.0 GOOS=windows GOARCH=arm64 go build -ldflags="-X 'github.com/collibra/chip/pkg/chip.Version=${{ env.VERSION }}'" -o ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-arm64.exe ./cmd/chip - - - name: Release - uses: softprops/action-gh-release@v2 + echo "CODE_SIGNING_AWS_REGION=${{ vars.CODE_SIGNING_AWS_REGION || 'eu-west-1' }}" >> $GITHUB_ENV + if [ -z "${{ secrets.KMS_SIGNING_KEY_ARN }}" ]; then + echo "ERROR: KMS_SIGNING_KEY_ARN secret is not set" + exit 1 + fi + echo "KMS_SIGNING_KEY_ARN=${{ secrets.KMS_SIGNING_KEY_ARN }}" >> $GITHUB_ENV + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v6 with: - files: | - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-amd64 - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-linux-arm64 - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-amd64 - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-mac-arm64 - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-amd64.exe - ${{ env.BUILD_DIR }}/chip-${{ env.VERSION }}-windows-arm64.exe - generate_release_notes: true - make_latest: true - draft: false - prerelease: false + distribution: goreleaser + version: latest + args: release --clean --verbose + env: + GORELEASER_CURRENT_TAG: ${{ github.ref_name }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + JSIGN_JAR_PATH: ${{ env.JSIGN_JAR_PATH }} + CODE_SIGNING_CERT_CHAIN_FILE: ${{ env.CODE_SIGNING_CERT_CHAIN_FILE }} + CODE_SIGNING_AWS_REGION: ${{ env.CODE_SIGNING_AWS_REGION }} + KMS_SIGNING_KEY_ARN: ${{ env.KMS_SIGNING_KEY_ARN }} + + - name: Cleanup + if: always() + run: | + rm -rf tmp ~/.aws + echo "Cleanup completed" + diff --git a/.goreleaser.yaml b/.goreleaser.yaml index e69de29..5df287a 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
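Review bot: The `Setup Java 17` and `Download JSign` steps fetch executables without any integrity check (`wget -q https://corretto.aws/downloads/latest/...` is an unpinned `latest` artifact, and `jsign-7.4.jar` is pinned by version but never checksummed), and the jar is then executed by a step that holds instance-role access to the KMS signing key, so a substituted download could sign arbitrary content; verify both against a recorded digest after download, e.g. `echo "<JSIGN_7_4_SHA256 placeholder>  tmp/jsign.jar" | sha256sum -c -`, and likewise pin the goreleaser binary instead of `version: latest` in the `goreleaser/goreleaser-action@v6` step. Secrets are spliced into the shell text in `Create certificate chain file` and `Set signing environment variables` (`echo "${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN }}" > ...`, `[ -z "${{ secrets.KMS_SIGNING_KEY_ARN }}" ]`); pass them through the step's `env:` and reference `"$CODE_SIGNING_CERTIFICATE_CHAIN"` from the script so the secret's content can never change what the script does. In `Configure AWS credentials` none of the `curl` calls checks its HTTP status and `jq -r .AccessKeyId` prints the string `null` for a missing field, which would be written into `~/.aws/credentials` as a real-looking key; use `curl -sf` and `jq -er` so the step fails instead, and if JSign's `--storetype AWS` can consume the instance role directly (presumably it can; confirm against the JSign documentation), the whole step and the plaintext credentials file could be dropped. The `Cleanup` step correctly runs `if: always()`, which is what keeps the cert chain and credentials off the worker when an earlier step fails.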
@@ -0,0 +1,67 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json +version: 2 + +project_name: chip +dist: ./build/dist + +builds: + - id: default + main: ./cmd/chip + env: + - CGO_ENABLED=0 + - GOFIPS140=v1.0.0 + goos: + - linux + - darwin + - windows + goarch: + - amd64 + - arm64 + binary: chip + ldflags: + - -X github.com/collibra/chip/pkg/chip.Version={{.Version}} + # Sign Windows binaries using AWS KMS and JSign (the signature is embedded in the binary) + hooks: + post: + - > + bash -c ' + if [ -n "${SKIP_SIGNING}" ]; then + echo "Skipping signing Windows binaries (SKIP_SIGNING is set)"; + exit 0; + fi; + if [ "{{ .Os }}" = "windows" ]; then + echo "Signing Windows binary {{ .Path }}"; + if [ ! -f "{{ .Path }}" ]; then + echo "ERROR Binary file does not exist: {{ .Path }}"; + exit 1; + fi; + java -jar "${JSIGN_JAR_PATH}" --storetype AWS --keystore "${CODE_SIGNING_AWS_REGION}" --alias "${KMS_SIGNING_KEY_ARN}" --certfile "${CODE_SIGNING_CERT_CHAIN_FILE}" --tsaurl http://timestamp.digicert.com "{{ .Path }}" || { + echo "ERROR Failed to sign {{ .Path }}"; + exit 1; + }; + if [ ! -f "{{ .Path }}" ]; then + echo "ERROR Binary file disappeared after signing {{ .Path }}"; + exit 1; + fi; + echo "✓ Signed {{ .Path }}"; + else + echo "Skipping non-Windows binary ({{ .Os }}) {{ .Path }}"; + fi + ' + +archives: + - id: default + formats: ["binary"] + name_template: '{{ .ProjectName }}-{{ .Version }}-{{ if eq .Os "darwin" }}mac{{ else }}{{ .Os }}{{ end }}-{{ .Arch }}' + +checksum: + name_template: 'checksums.txt' + +release: + draft: false + prerelease: auto + make_latest: true + +changelog: + use: github-native + From a548176a19aa18e99d2fef25b24e2e516b3bbdcf Mon Sep 17 00:00:00 2001 From: bobby-smedley Date: Mon, 16 Mar 2026 11:41:21 -0400 Subject: [PATCH 3/7] ci: sign Windows binary --- .github/workflows/release.yaml | 7 +++++++ 1 file changed, 7 insertions(+) 
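Review bot: The signing hook embeds a roughly 25-line shell script inside `bash -c '...'` within a folded scalar, so a single `'` anywhere in it, or in an expanded `{{ .Path }}`, silently breaks the quoting, and the `SKIP_SIGNING` check at its top turns any value of that variable into a silent skip after which `goreleaser release --clean` still publishes unsigned Windows binaries. Moving the script to a tracked file and calling it as `./scripts/sign-windows.sh "{{ .Path }}" "{{ .Os }}"` keeps goreleaser's templating to two arguments and makes the script lintable; inside it, consider honouring the skip only when no release tag is being built (`GORELEASER_CURRENT_TAG` is exported by the workflow), so the bypass is usable for local or snapshot builds but not for a tagged release. The post-signing check only confirms the file still exists; if a signature verifier is available on the runner, confirming that an Authenticode signature is actually present would catch a jar that exits 0 without signing. Since `{{ .Path }}` and `{{ .Os }}` are rendered into the script text rather than passed as arguments, a comment above `hooks:` noting that the values come from this file's own `binary`/`dist` settings would make clear that this is a robustness, not an injection, concern.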
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c5e2e57..252b599 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -34,7 +34,14 @@ jobs: - name: Install dependencies run: go mod download + - name: Set version + run: | + VERSION=${{ github.ref_name }} + VERSION=${VERSION#v} + echo "VERSION=$VERSION" >> $GITHUB_ENV + - name: Test + if: ${{ !contains(env.VERSION, '-') }} # Skip tests for pre-release versions (e.g., 1.0.0-beta) to avoid issues with version parsing in tests run: go test --tags release -run TestReleaseVersionCheck -v ./... - name: Setup Java 17 From a2dd696cbc57f03af96bd3fcdf48884c3ea8d549 Mon Sep 17 00:00:00 2001 From: bobby-smedley Date: Mon, 16 Mar 2026 12:06:17 -0400 Subject: [PATCH 4/7] ci: sign Windows binary --- .github/workflows/release.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 252b599..2ee8b02 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -46,8 +46,8 @@ jobs: - name: Setup Java 17 run: | - mkdir -p tmp - pushd tmp + mkdir -p /tmp/chip-signing + pushd /tmp/chip-signing wget -q https://corretto.aws/downloads/latest/amazon-corretto-17-x64-linux-jdk.tar.gz tar -xzf amazon-corretto-17-x64-linux-jdk.tar.gz JAVA_DIR=$(find . -maxdepth 1 -type d -name "amazon-corretto-*" -print -quit | sed 's|^\./||') 
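Review bot: `VERSION=${{ github.ref_name }}` in the new `Set version` step splices the ref name into the shell script as text; for a tag that value is chosen by whoever can push tags, and a name containing shell metacharacters would be executed rather than assigned. Pass it through the step's `env:` instead, with `REF_NAME: ${{ github.ref_name }}` and `VERSION="${REF_NAME#v}"` in the script, and quote the write as `echo "VERSION=$VERSION" >> "$GITHUB_ENV"`. The `if: ${{ !contains(env.VERSION, '-') }}` on `Test` means pre-release tags skip `TestReleaseVersionCheck` entirely; the inline comment explains why, but it is worth noting that no version check then runs before signing for `-beta` style tags.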
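Review bot: `/tmp/chip-signing` is a fixed, predictable path on the worker, and `mkdir -p` followed by `tar -xzf` and `find . -maxdepth 1 -type d -name "amazon-corretto-*" -print -quit` will reuse whatever already exists there — a stale JDK from an earlier job if the runner is not ephemeral, or a directory pre-created by another local process; the same path is used by the `@@ -57,20 +57,20 @@` and `@@ -122,6 +122,6 @@` hunks of this patch for the jar, the certificate chain and the cleanup. Creating the directory once with `SIGN_DIR=$(mktemp -d)` and exporting it via `echo "SIGN_DIR=$SIGN_DIR" >> "$GITHUB_ENV"` gives each run a private, freshly created directory that the later steps and the `rm -rf` can reference as `$SIGN_DIR`. If RunsOn workers are single-use this is a robustness rather than a security point. The enclosing `Setup Java 17` step continues beyond this hunk.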
@@ -57,20 +57,20 @@ jobs: - name: Download JSign run: | - mkdir -p tmp - wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar -O tmp/jsign.jar - echo "JSIGN_JAR_PATH=${GITHUB_WORKSPACE}/tmp/jsign.jar" >> $GITHUB_ENV + mkdir -p /tmp/chip-signing + wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar -O /tmp/chip-signing/jsign.jar + echo "JSIGN_JAR_PATH=/tmp/chip-signing/jsign.jar" >> $GITHUB_ENV echo "JSign downloaded successfully" - name: Create certificate chain file run: | - mkdir -p tmp - echo "${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN }}" > tmp/signing_chain.pem - if [ ! -s tmp/signing_chain.pem ]; then + mkdir -p /tmp/chip-signing + echo "${{ secrets.CODE_SIGNING_CERTIFICATE_CHAIN }}" > /tmp/chip-signing/signing_chain.pem + if [ ! -s /tmp/chip-signing/signing_chain.pem ]; then echo "ERROR: CODE_SIGNING_CERTIFICATE_CHAIN secret is empty or not set" exit 1 fi - echo "CODE_SIGNING_CERT_CHAIN_FILE=${GITHUB_WORKSPACE}/tmp/signing_chain.pem" >> $GITHUB_ENV + echo "CODE_SIGNING_CERT_CHAIN_FILE=/tmp/chip-signing/signing_chain.pem" >> $GITHUB_ENV echo "Certificate chain file created" # RunsOn workers have the CodeSigningPolicy attached, which grants @@ -122,6 +122,6 @@ jobs: - name: Cleanup if: always() run: | - rm -rf tmp ~/.aws + rm -rf /tmp/chip-signing ~/.aws echo "Cleanup completed" From 29b9d4c597babdca517faa2b51383c6e2ab3c935 Mon Sep 17 00:00:00 2001 From: bobby-smedley Date: Wed, 18 Mar 2026 09:53:43 -0400 Subject: [PATCH 5/7] ci: sign Windows binary --- .goreleaser.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 5df287a..d1d1c39 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -60,7 +60,7 @@ checksum: release: draft: false prerelease: auto - make_latest: true + make_latest: auto changelog: use: github-native From c1e31a4de65a5a9b874d963888a03808de90cb11 Mon Sep 17 00:00:00 2001 
From: bobby-smedley
Date: Wed, 18 Mar 2026 10:41:14 -0400
Subject: [PATCH 6/7] ci: sign Windows binary

---
 .goreleaser.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index d1d1c39..cb8ed72 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -60,7 +60,7 @@ checksum:
 release:
 draft: false
 prerelease: auto
- make_latest: auto
+ make_latest: legacy

 changelog:
 use: github-native

From 86bff4a7c0071504388c015c218baf322e61db2a Mon Sep 17 00:00:00 2001
From: bobby-smedley
Date: Thu, 19 Mar 2026 08:23:54 -0400
Subject: [PATCH 7/7] ci: sign Windows binary

---
 pkg/chip/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/chip/version.go b/pkg/chip/version.go
index 28c05ec..0f27668 100644
--- a/pkg/chip/version.go
+++ b/pkg/chip/version.go
@@ -1,3 +1,3 @@
 package chip

-var Version = "0.0.26-SNAPSHOT"
+var Version = "0.0.27-SNAPSHOT"