# This is an example .goreleaser.yml file with some sane defaults.
# Make sure to check the documentation at http://goreleaser.com
project_name : step-ca
before :
hooks :
# You may remove this if you don't use go modules.
- go mod download
builds :
-
id : step-ca
env :
- CGO_ENABLED=0
targets :
- darwin_amd64
- darwin_arm64
- freebsd_amd64
- linux_386
- linux_amd64
- linux_arm64
- linux_arm_5
- linux_arm_6
- linux_arm_7
- windows_amd64
flags :
- -trimpath
main : ./cmd/step-ca/main.go
binary : step-ca
ldflags :
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
archives :
- &ARCHIVE
# Can be used to change the archive formats for specific GOOSs.
# Most common use case is to archive as zip on Windows.
# Default is empty.
name_template : "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
format_overrides :
- goos : windows
format : zip
files :
- README.md
- LICENSE
allow_different_binary_count : true
-
<< : *ARCHIVE
id : unversioned
name_template : "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
wrap_in_directory : "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
nfpms :
# Configure nFPM for .deb and .rpm releases
#
# See https://nfpm.goreleaser.com/configuration/
# and https://goreleaser.com/customization/nfpm/
#
# Useful tools for debugging .debs:
# List file contents: dpkg -c dist/step_...deb
# Package metadata: dpkg --info dist/step_....deb
#
- &NFPM
builds :
- step-ca
package_name : step-ca
file_name_template : "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
vendor : Smallstep Labs
homepage : https://github.com/smallstep/certificates
maintainer : Smallstep <techadmin@smallstep.com>
description : >
step-ca is an online certificate authority for secure, automated certificate management.
license : Apache 2.0
section : utils
formats :
- deb
- rpm
priority : optional
bindir : /usr/bin
contents :
- src : debian/copyright
dst : /usr/share/doc/step-ca/copyright
-
<< : *NFPM
id : unversioned
file_name_template : "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
source :
enabled : true
name_template : '{{ .ProjectName }}_{{ .Version }}'
checksum :
name_template : 'checksums.txt'
extra_files :
- glob : ./.releases/*
signs :
- cmd : cosign
signature : "${artifact}.sig"
certificate : "${artifact}.pem"
args : [ "sign-blob" , "--oidc-issuer=https://token.actions.githubusercontent.com" , "--output-certificate=${certificate}" , "--output-signature=${signature}" , "${artifact}" ]
artifacts : all
snapshot :
name_template : "{{ .Tag }}-next"
release :
# Repo in which the release will be created.
# Default is extracted from the origin remote URL or empty if its private hosted.
# Note: it can only be one: either github, gitlab or gitea
github :
owner : smallstep
name : certificates
# IDs of the archives to use.
# Defaults to all.
#ids:
# - foo
# - bar
# If set to true, will not auto-publish the release.
# Default is false.
draft : false
# If set to auto, will mark the release as not ready for production
# in case there is an indicator for this in the tag e.g. v1.0.0-rc1
# If set to true, will mark the release as not ready for production.
# Default is false.
prerelease : auto
# You can change the name of the release.
# Default is `{{.Tag}}`
name_template : "Step CA {{ .Tag }} ({{ .Env.RELEASE_DATE }})"
# Header template for the release body.
# Defaults to empty.
header : |
## Official Release Artifacts
#### Linux
- 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
- 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
#### OSX Darwin
- 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz)
- 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz)
#### Windows
- 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip)
For more builds across platforms and architectures, see the `Assets` section below.
And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation).
Don't see the artifact you need? Open an issue [here](https://github.com/smallstep/certificates/issues/new/choose).
## Signatures and Checksums
`step-ca` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying release artifacts.
Below is an example using `cosign` to verify a release artifact :
```
cosign verify-blob \
--certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \
--signature step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \
--certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
step-ca_darwin_{{ .Version }}_amd64.tar.gz
```
The `checksums.txt` file (in the `Assets` section below) contains a checksum for every artifact in the release.
# Footer template for the release body.
# Defaults to empty.
footer : |
## Thanks!
Those were the changes on {{ .Tag }}!
Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peak at the freshest PKI memes.
# You can disable this pipe in order to not upload any artifacts.
# Defaults to false.
#disable: true
# You can add extra pre-existing files to the release.
# The filename on the release will be the last part of the path (base). If
# another file with the same name exists, the latest one found will be used.
# Defaults to empty.
extra_files :
- glob : ./.releases/*
#extra_files:
# - glob: ./path/to/file.txt
# - glob: ./glob/**/to/**/file/**/*
# - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
winget :
-
# IDs of the archives to use.
# Empty means all IDs.
ids : [ default ]
#
# Default: ProjectName
# Templates: allowed
name : step-ca
# Publisher name.
#
# Templates: allowed
# Required.
publisher : Smallstep
# Your app's description.
#
# Templates: allowed
# Required.
short_description : "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management."
# License name.
#
# Templates: allowed
# Required.
license : "Apache-2.0"
# Publisher URL.
#
# Templates: allowed
publisher_url : "https://smallstep.com"
# Publisher support URL.
#
# Templates: allowed
publisher_support_url : "https://github.com/smallstep/certificates/discussions"
# URL which is determined by the given Token (github, gitlab or gitea).
#
# Default depends on the client.
# Templates: allowed
url_template : "https://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Git author used to commit to the repository.
commit_author :
name : goreleaserbot
email : goreleaser@smallstep.com
# The project name and current git tag are used in the format string.
#
# Templates: allowed
commit_msg_template : "{{ .PackageIdentifier }}: {{ .Tag }}"
# Your app's homepage.
homepage : "https://github.com/smallstep/certificates"
# Your app's long description.
#
# Templates: allowed
description : ""
# License URL.
#
# Templates: allowed
license_url : "https://github.com/smallstep/certificates/blob/master/LICENSE"
# Release notes URL.
#
# Templates: allowed
release_notes_url : "https://github.com/smallstep/certificates/releases/tag/{{.Version}}"
# Create the PR - for testing
skip_upload : auto
# Tags.
tags :
- certificates
- smallstep
- tls
# Repository to push the generated files to.
repository :
owner : smallstep
name : winget-pkgs
branch : step
# Optionally a token can be provided, if it differs from the token
# provided to GoReleaser
# Templates: allowed
#token: "{{ .Env.GITHUB_PERSONAL_AUTH_TOKEN }}"
# Sets up pull request creation instead of just pushing to the given branch.
# Make sure the 'branch' property is different from base before enabling
# it.
#
# Since: v1.17
pull_request :
# Whether to enable it or not.
enabled : true
check_boxes : true
# Whether to open the PR as a draft or not.
#
# Default: false
# Since: v1.19
# draft: true
# Base can also be another repository, in which case the owner and name
# above will be used as HEAD, allowing cross-repository pull requests.
#
# Since: v1.19
base :
owner : microsoft
name : winget-pkgs
branch : master
scoops :
-
ids : [ default ]
# Template for the url which is determined by the given Token (github or gitlab)
# Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
# Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
url_template : "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
# Repository to push the app manifest to.
repository :
owner : smallstep
name : scoop-bucket
branch : main
# Git author used to commit to the repository.
# Defaults are shown.
commit_author :
name : goreleaserbot
email : goreleaser@smallstep.com
# The project name and current git tag are used in the format string.
commit_msg_template : "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
# Your app's homepage.
# Default is empty.
homepage : "https://smallstep.com/docs/step-ca"
# Skip uploads for prerelease.
skip_upload : auto
# Your app's description.
# Default is empty.
description : "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
# Your app's license
# Default is empty.
license : "Apache-2.0"