Linux installation packages, signatures, publishing

.github/workflows/goreleaser.yaml

@@ -30,6 +30,11 @@ jobs:
       - 
         name: Set up QEMU
         uses: docker/setup-qemu-action@v3
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6

.goreleaser.yaml

@@ -1,5 +1,9 @@
 version: 2
 
+# Publish the binaries directly, without any archiving
+archives:
+  - formats: ["binary"]
+
 builds:
   # You can have multiple builds defined as a yaml list
   - #
@@ -42,34 +46,10 @@ builds:
       - "386"
       - "amd64"
       - "arm64"
-
-release:
-  # If set to auto, will mark the release as not ready for production
-  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
-  # If set to true, will mark the release as not ready for production.
-  # Default is false.
-  prerelease: "auto"
-
-  # If set to false, will NOT mark the release as "latest".
-  # This prevents it from being shown at the top of the release list,
-  # and from being returned when calling https://api.github.com/repos/OWNER/REPO/releases/latest.
-  #
-  # Available only for GitHub.
-  #
-  # Default is true.
-  # Since: v1.20
-  make_latest: true
-
-  # What to do with the release notes in case there the release already exists.
-  #
-  # Valid options are:
-  # - `keep-existing`: keep the existing notes
-  # - `append`: append the current release notes to the existing notes
-  # - `prepend`: prepend the current release notes to the existing notes
-  # - `replace`: replace existing notes
-  #
-  # Default is `keep-existing`.
-  mode: "append"
+    # List of combinations of GOOS + GOARCH + GOARM to ignore.
+    ignore:
+      - goos: "linux"
+        goarch: "386"
 
 checksum:
   # Algorithm to be used.
@@ -93,7 +73,7 @@ checksum:
   algorithm: "sha256"
 
   # If true, will create one checksum file for each artifact.
-  split: true
+  split: false
 
   # Disable the generation/upload of the checksum file.
   disable: false
@@ -240,3 +220,172 @@ docker_manifests:
     image_templates:
       - "pingidentity/pingcli:{{ .Tag }}-amd64"
       - "pingidentity/pingcli:{{ .Tag }}-arm64"
+
+nfpms:
+  # note that this is an array of nfpm configs
+  - #
+    # ID of the nfpm config, must be unique.
+    #
+    # Default: 'default'.
+    id: "pingcli"
+
+    # Name of the package.
+    #
+    # Default: ProjectName.
+    # Templates: allowed.
+    package_name: "pingcli"
+
+    # Your app's vendor.
+    vendor: "Ping Identity"
+
+    # Your app's homepage.
+    #
+    # Default: inferred from global metadata.
+    homepage: "https://github.com/pingidentity/pingcli"
+
+    # Your app's maintainer (probably you).
+    #
+    # Default: inferred from global metadata.
+    maintainer: "Ping Identity"
+
+    # Your app's description.
+    #
+    # Default: inferred from global metadata.
+    description: "The Ping CLI is a unified command line interface for configuring and managing Ping Identity Services."
+
+    # Your app's license.
+    #
+    # Default: inferred from global metadata.
+    license: "Apache 2.0"
+
+    # Formats to be generated.
+    formats:
+      - "apk"
+      - "deb"
+      - "rpm"
+
+    # Custom configuration applied only to the RPM packager.
+    rpm:
+      # The package summary.
+      #
+      # Default: first line of the description.
+      summary: "The Ping CLI is a unified command line interface for configuring and managing Ping Identity Services."
+
+      # The packager is used to identify the organization that actually packaged
+      # the software, as opposed to the author of the software.
+      # `maintainer` will be used as fallback if not specified.
+      # This will expand any env var you set in the field, eg packager: ${PACKAGER}
+      packager: "Ping Identity"
+
+    # Custom configuration applied only to the Deb packager.
+    deb:
+      # Additional fields for the control file. Empty fields are ignored.
+      # This will expand any env vars you set in the field values, e.g. Vcs-Browser: ${CI_PROJECT_URL}
+      fields:
+        Bugs: "https://github.com/pingidentity/pingcli/issues"
+
+    apk:
+      # The package is signed if a key_file is set
+      signature:
+        # The name of the signing key. When verifying a package, the signature
+        # is matched to the public key store in /etc/apk/keys/<key_name>.rsa.pub.
+        #
+        # Default: maintainer's email address.
+        # Templates: allowed.
+        key_name: "origin"
+
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  # If set to true, will mark the release as not ready for production.
+  # Default is false.
+  prerelease: "auto"
+
+  # If set to false, will NOT mark the release as "latest".
+  # This prevents it from being shown at the top of the release list,
+  # and from being returned when calling https://api.github.com/repos/OWNER/REPO/releases/latest.
+  #
+  # Available only for GitHub.
+  #
+  # Default is true.
+  # Since: v1.20
+  make_latest: true
+
+  # What to do with the release notes in case there the release already exists.
+  #
+  # Valid options are:
+  # - `keep-existing`: keep the existing notes
+  # - `append`: append the current release notes to the existing notes
+  # - `prepend`: prepend the current release notes to the existing notes
+  # - `replace`: replace existing notes
+  #
+  # Default is `keep-existing`.
+  mode: "append"
+
+signs:
+  - #
+    # ID of the sign config, must be unique.
+    #
+    # Default: 'default'.
+    id: "checksum"
+
+    # Which artifacts to sign
+    #
+    # Valid options are:
+    # - none        no signing
+    # - all:        all artifacts
+    # - checksum:   checksum files
+    # - source:     source archive
+    # - package:    Linux packages (deb, rpm, apk, etc)
+    # - installer:  Windows MSI installers (Pro only)
+    # - diskimage:  macOS DMG disk images (Pro only)
+    # - archive:    archives from archive pipe
+    # - sbom:       any SBOMs generated for other artifacts
+    # - binary:     binaries (only when `archives.format` is 'binary', use binaries_sign otherwise)
+    #
+    # Default: 'none'.
+    artifacts: "checksum"
+  - #
+    # ID of the sign config, must be unique.
+    #
+    # Default: 'default'.
+    id: "binary"
+
+    # Which artifacts to sign
+    #
+    # Valid options are:
+    # - none        no signing
+    # - all:        all artifacts
+    # - checksum:   checksum files
+    # - source:     source archive
+    # - package:    Linux packages (deb, rpm, apk, etc)
+    # - installer:  Windows MSI installers (Pro only)
+    # - diskimage:  macOS DMG disk images (Pro only)
+    # - archive:    archives from archive pipe
+    # - sbom:       any SBOMs generated for other artifacts
+    # - binary:     binaries (only when `archives.format` is 'binary', use binaries_sign otherwise)
+    #
+    # Default: 'none'.
+    artifacts: "binary"
+  - #
+    # ID of the sign config, must be unique.
+    #
+    # Default: 'default'.
+    id: "package"
+
+    # Which artifacts to sign
+    #
+    # Valid options are:
+    # - none        no signing
+    # - all:        all artifacts
+    # - checksum:   checksum files
+    # - source:     source archive
+    # - package:    Linux packages (deb, rpm, apk, etc)
+    # - installer:  Windows MSI installers (Pro only)
+    # - diskimage:  macOS DMG disk images (Pro only)
+    # - archive:    archives from archive pipe
+    # - sbom:       any SBOMs generated for other artifacts
+    # - binary:     binaries (only when `archives.format` is 'binary', use binaries_sign otherwise)
+    #
+    # Default: 'none'.
+    artifacts: "package"