# This is an example .goreleaser.yml file with some sane defaults. # Make sure to check the documentation at http://goreleaser.com project_name: step-ca before: hooks: # You may remove this if you don't use go modules. - go mod download builds: - id: step-ca env: - CGO_ENABLED=0 targets: - darwin_amd64 - darwin_arm64 - freebsd_amd64 - linux_386 - linux_amd64 - linux_arm64 - linux_arm_5 - linux_arm_6 - linux_arm_7 - windows_amd64 flags: - -trimpath main: ./cmd/step-ca/main.go binary: step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} archives: - &ARCHIVE # Can be used to change the archive formats for specific GOOSs. # Most common use case is to archive as zip on Windows. # Default is empty. name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" format_overrides: - goos: windows format: zip files: - README.md - LICENSE allow_different_binary_count: true - << : *ARCHIVE id: unversioned name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" wrap_in_directory: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" nfpms: # Configure nFPM for .deb and .rpm releases # # See https://nfpm.goreleaser.com/configuration/ # and https://goreleaser.com/customization/nfpm/ # # Useful tools for debugging .debs: # List file contents: dpkg -c dist/step_...deb # Package metadata: dpkg --info dist/step_....deb # - &NFPM builds: - step-ca package_name: step-ca file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" vendor: Smallstep Labs homepage: https://github.com/smallstep/certificates maintainer: Smallstep description: > step-ca is an online certificate authority for secure, automated certificate management. license: Apache 2.0 section: utils formats: - deb - rpm priority: optional bindir: /usr/bin contents: - src: debian/copyright dst: /usr/share/doc/step-ca/copyright - << : *NFPM id: unversioned file_name_template: "{{ .PackageName }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" source: enabled: true name_template: '{{ .ProjectName }}_{{ .Version }}' checksum: name_template: 'checksums.txt' extra_files: - glob: ./.releases/* signs: - cmd: cosign signature: "${artifact}.sig" certificate: "${artifact}.pem" args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"] artifacts: all snapshot: name_template: "{{ .Tag }}-next" release: # Repo in which the release will be created. # Default is extracted from the origin remote URL or empty if its private hosted. # Note: it can only be one: either github, gitlab or gitea github: owner: smallstep name: certificates # IDs of the archives to use. # Defaults to all. #ids: # - foo # - bar # If set to true, will not auto-publish the release. # Default is false. draft: false # If set to auto, will mark the release as not ready for production # in case there is an indicator for this in the tag e.g. v1.0.0-rc1 # If set to true, will mark the release as not ready for production. # Default is false. prerelease: auto # You can change the name of the release. # Default is `{{.Tag}}` name_template: "Step CA {{ .Tag }} ({{ .Env.RELEASE_DATE }})" # Header template for the release body. # Defaults to empty. header: | ## Official Release Artifacts #### Linux - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz) - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb) #### OSX Darwin - 📦 [step-ca_darwin_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_amd64.tar.gz) - 📦 [step-ca_darwin_{{ .Version }}_arm64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_darwin_{{ .Version }}_arm64.tar.gz) #### Windows - 📦 [step-ca_windows_{{ .Version }}_amd64.zip](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_windows_{{ .Version }}_amd64.zip) For more builds across platforms and architectures, see the `Assets` section below. And for packaged versions (Docker, k8s, Homebrew), see our [installation docs](https://smallstep.com/docs/step-ca/installation). Don't see the artifact you need? Open an issue [here](https://github.com/smallstep/certificates/issues/new/choose). ## Signatures and Checksums `step-ca` uses [sigstore/cosign](https://github.com/sigstore/cosign) for signing and verifying release artifacts. Below is an example using `cosign` to verify a release artifact: ``` cosign verify-blob \ --certificate step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig.pem \ --signature step-ca_darwin_{{ .Version }}_amd64.tar.gz.sig \ --certificate-identity-regexp "https://github\.com/smallstep/workflows/.*" \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ step-ca_darwin_{{ .Version }}_amd64.tar.gz ``` The `checksums.txt` file (in the `Assets` section below) contains a checksum for every artifact in the release. # Footer template for the release body. # Defaults to empty. footer: | ## Thanks! Those were the changes on {{ .Tag }}! Come join us on [Discord](https://discord.gg/X2RKGwEbV9) to ask questions, chat about PKI, or get a sneak peek at the freshest PKI memes. # You can disable this pipe in order to not upload any artifacts. # Defaults to false. #disable: true # You can add extra pre-existing files to the release. # The filename on the release will be the last part of the path (base). If # another file with the same name exists, the latest one found will be used. # Defaults to empty. extra_files: - glob: ./.releases/* #extra_files: # - glob: ./path/to/file.txt # - glob: ./glob/**/to/**/file/**/* # - glob: ./glob/foo/to/bar/file/foobar/override_from_previous winget: - # IDs of the archives to use. # Empty means all IDs. ids: [ default ] # # Default: ProjectName # Templates: allowed name: step-ca # Publisher name. # # Templates: allowed # Required. publisher: Smallstep # Your app's description. # # Templates: allowed # Required. short_description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management." # License name. # # Templates: allowed # Required. license: "Apache-2.0" # Publisher URL. # # Templates: allowed publisher_url: "https://smallstep.com" # Publisher support URL. # # Templates: allowed publisher_support_url: "https://github.com/smallstep/certificates/discussions" # URL which is determined by the given Token (github, gitlab or gitea). # # Default depends on the client. # Templates: allowed url_template: "https://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}" # Git author used to commit to the repository. commit_author: name: goreleaserbot email: goreleaser@smallstep.com # The project name and current git tag are used in the format string. # # Templates: allowed commit_msg_template: "{{ .PackageIdentifier }}: {{ .Tag }}" # Your app's homepage. homepage: "https://github.com/smallstep/certificates" # Your app's long description. # # Templates: allowed description: "" # License URL. # # Templates: allowed license_url: "https://github.com/smallstep/certificates/blob/master/LICENSE" # Release notes URL. # # Templates: allowed release_notes_url: "https://github.com/smallstep/certificates/releases/tag/{{ .Tag }}" # Create the PR - for testing skip_upload: auto # Tags. tags: - certificates - smallstep - tls # Repository to push the generated files to. repository: owner: smallstep name: winget-pkgs branch: "step-ca-{{.Version}}" # Optionally a token can be provided, if it differs from the token # provided to GoReleaser # Templates: allowed #token: "{{ .Env.GITHUB_PERSONAL_AUTH_TOKEN }}" # Sets up pull request creation instead of just pushing to the given branch. # Make sure the 'branch' property is different from base before enabling # it. # # Since: v1.17 pull_request: # Whether to enable it or not. enabled: true check_boxes: true # Whether to open the PR as a draft or not. # # Default: false # Since: v1.19 # draft: true # Base can also be another repository, in which case the owner and name # above will be used as HEAD, allowing cross-repository pull requests. # # Since: v1.19 base: owner: microsoft name: winget-pkgs branch: master scoops: - ids: [ default ] # Template for the url which is determined by the given Token (github or gitlab) # Default for github is "https://github.com///releases/download/{{ .Tag }}/{{ .ArtifactName }}" # Default for gitlab is "https://gitlab.com///uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}" # Default for gitea is "https://gitea.com///releases/download/{{ .Tag }}/{{ .ArtifactName }}" url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}" # Repository to push the app manifest to. repository: owner: smallstep name: scoop-bucket branch: main # Git author used to commit to the repository. # Defaults are shown. commit_author: name: goreleaserbot email: goreleaser@smallstep.com # The project name and current git tag are used in the format string. commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}" # Your app's homepage. # Default is empty. homepage: "https://smallstep.com/docs/step-ca" # Skip uploads for prerelease. skip_upload: auto # Your app's description. # Default is empty. description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH." # Your app's license # Default is empty. license: "Apache-2.0"