chore(linux): add packaged releases#45
Pull request overview
Expands the release pipeline to produce and publish Linux/Windows artifacts alongside macOS, including Linux .deb/.rpm packages, and documents the updated release/verification process.
Changes:
- Extend GoReleaser configuration to build Linux targets and generate .deb/.rpm packages via nfpm.
- Update the GitHub Actions release workflow to locate, sign (cosign), upload, and attest additional artifacts.
- Update release process documentation and add a Makefile target for building Linux locally.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| docs/release-process.md | Documents new Windows/Linux artifacts, package install steps, and Linux verification instructions. |
| Makefile | Adds build-linux target for local Linux amd64 builds. |
| .goreleaser.yml | Adds Linux to build matrix, adjusts archive naming, and introduces nfpm packaging for deb/rpm. |
| .github/workflows/release.yml | Extends release workflow to find/sign/upload/attest Linux binaries and deb/rpm packages. |
| | `stepsecurity-dev-machine-guard-VERSION-darwin_unnotarized.bundle` | Sigstore cosign bundle for the unnotarized binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-windows_amd64.exe` | Windows 64-bit binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-windows_amd64.exe.bundle` | Sigstore cosign bundle for the Windows amd64 binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-windows_arm64.exe` | Windows ARM64 binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-windows_arm64.exe.bundle` | Sigstore cosign bundle for the Windows arm64 binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-linux_amd64` | Linux 64-bit binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-linux_amd64.bundle` | Sigstore cosign bundle for the Linux amd64 binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-linux_arm64` | Linux ARM64 binary | | ||
| | `stepsecurity-dev-machine-guard-VERSION-linux_arm64.bundle` | Sigstore cosign bundle for the Linux arm64 binary | |
The documented cosign bundle filenames include VERSION-... (e.g., ...-VERSION-darwin_unnotarized.bundle, ...-VERSION-windows_amd64.exe.bundle, ...-VERSION-linux_amd64.bundle), but the release workflow currently uploads unversioned bundles for the darwin/windows/linux binaries (only the deb/rpm bundles are versioned because they’re derived from the package filename). Please align the docs with what is actually uploaded, or update the workflow to generate/upload versioned bundle names so the verification commands here work as written.
| | `stepsecurity-dev-machine-guard-VERSION-darwin_unnotarized.bundle` | Sigstore cosign bundle for the unnotarized binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_amd64.exe` | Windows 64-bit binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_amd64.exe.bundle` | Sigstore cosign bundle for the Windows amd64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_arm64.exe` | Windows ARM64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_arm64.exe.bundle` | Sigstore cosign bundle for the Windows arm64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_amd64` | Linux 64-bit binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_amd64.bundle` | Sigstore cosign bundle for the Linux amd64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_arm64` | Linux ARM64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_arm64.bundle` | Sigstore cosign bundle for the Linux arm64 binary | | |
| | `stepsecurity-dev-machine-guard-darwin_unnotarized.bundle` | Sigstore cosign bundle for the unnotarized binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_amd64.exe` | Windows 64-bit binary | | |
| | `stepsecurity-dev-machine-guard-windows_amd64.exe.bundle` | Sigstore cosign bundle for the Windows amd64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-windows_arm64.exe` | Windows ARM64 binary | | |
| | `stepsecurity-dev-machine-guard-windows_arm64.exe.bundle` | Sigstore cosign bundle for the Windows arm64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_amd64` | Linux 64-bit binary | | |
| | `stepsecurity-dev-machine-guard-linux_amd64.bundle` | Sigstore cosign bundle for the Linux amd64 binary | | |
| | `stepsecurity-dev-machine-guard-VERSION-linux_arm64` | Linux ARM64 binary | | |
| | `stepsecurity-dev-machine-guard-linux_arm64.bundle` | Sigstore cosign bundle for the Linux arm64 binary | |
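Review bot: the suggested rows fix the mismatch by dropping VERSION from the binary bundle names (`...-darwin_unnotarized.bundle`, `...-linux_amd64.bundle`) while the binaries themselves keep it, and the comment above notes the deb/rpm bundles remain versioned, so one release would carry two naming schemes and a versioned binary would sit next to an unversioned bundle. Versioning the workflow's bundle outputs instead keeps a single scheme and leaves the documented `cosign verify-blob` commands (`...-${VERSION}-linux_${ARCH}.bundle`) valid as written.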
| cosign verify-blob "stepsecurity-dev-machine-guard-${VERSION}-linux_${ARCH}" \ | ||
| --bundle "stepsecurity-dev-machine-guard-${VERSION}-linux_${ARCH}.bundle" \ | ||
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | ||
| --certificate-identity-regexp "github.com/.*/dev-machine-guard" |
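Review bot: `--certificate-identity-regexp "github.com/.*/dev-machine-guard"` is unanchored and lets `.*` match any owner, so a bundle signed from any repository whose identity merely contains that substring verifies; since the expected signer is fixed, use the exact-match flag instead, e.g. `--certificate-identity "https://github.com/step-security/dev-machine-guard/.github/workflows/release.yml@refs/tags/v${VERSION}"`, which ties the bundle to this repository's release workflow at the release tag. The `--certificate-oidc-issuer` line is already exact and should stay so.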
The --certificate-identity-regexp "github.com/.*/dev-machine-guard" pattern is overly broad for release verification: it would accept certificates from forks with the same repo name. Consider restricting the identity to the exact repo and workflow/ref (e.g., step-security/dev-machine-guard release workflow at the tag), so users can’t be tricked into trusting artifacts signed by a different repository.
| --certificate-identity-regexp "github.com/.*/dev-machine-guard" | |
| --certificate-identity-regexp "^https://github.com/step-security/dev-machine-guard/.github/workflows/[^@]+@refs/tags/v${VERSION}$" |
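The identity-pinning point raised in the comment above, as an added example that is not part of the pull request or the project's code: it mirrors cosign's `--certificate-identity-regexp` semantics (an unanchored regexp search over the certificate's SAN, as Go's `regexp.MatchString` does) against constructed sample identities, and goes slightly beyond the suggested pattern by pinning the workflow file (`release.yml`) and escaping the version string.

```python
import re

# Constructed sample SAN identities as Fulcio issues them for GitHub Actions
# keyless signatures: the real release workflow at the tag, a fork with the
# same repository name, another workflow in the right repo, and another tag.
VERSION = "1.2.3"
IDENTITIES = {
    "release-at-tag": "https://github.com/step-security/dev-machine-guard/"
                      ".github/workflows/release.yml@refs/tags/v1.2.3",
    "fork-same-name": "https://github.com/someone-else/dev-machine-guard/"
                      ".github/workflows/release.yml@refs/tags/v1.2.3",
    "other-workflow": "https://github.com/step-security/dev-machine-guard/"
                      ".github/workflows/ci.yml@refs/heads/main",
    "other-tag":      "https://github.com/step-security/dev-machine-guard/"
                      ".github/workflows/release.yml@refs/tags/v1.2.2",
}

# Pattern from the docs hunk under review: unanchored, any owner accepted.
BROAD = r"github.com/.*/dev-machine-guard"

# Pinned pattern: anchored, exact repo, exact workflow file, exact tag.
# re.escape keeps the dots in VERSION literal instead of matching any char.
PINNED = (r"^https://github.com/step-security/dev-machine-guard/"
          r"\.github/workflows/release\.yml@refs/tags/v"
          + re.escape(VERSION) + r"$")


def accepted(pattern: str, identity: str) -> bool:
    """Mirror cosign: the regexp may match anywhere in the SAN string."""
    return re.search(pattern, identity) is not None


def evaluate(pattern: str) -> dict:
    """Which of the sample identities would verify under this pattern."""
    return {name: accepted(pattern, ident) for name, ident in IDENTITIES.items()}


def only_release_accepted(pattern: str) -> bool:
    """True when the pattern admits the release identity and nothing else."""
    result = evaluate(pattern)
    return result["release-at-tag"] and not any(
        v for k, v in result.items() if k != "release-at-tag")


if __name__ == "__main__":
    for label, pat in (("broad", BROAD), ("pinned", PINNED)):
        print(label, evaluate(pat), "safe:", only_release_accepted(pat))
```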
| sign_with_retry "${{ steps.binaries.outputs.linux_amd64 }}" \ | ||
| "dist/stepsecurity-dev-machine-guard-linux_amd64.bundle" | ||
| sign_with_retry "${{ steps.binaries.outputs.linux_arm64 }}" \ | ||
| "dist/stepsecurity-dev-machine-guard-linux_arm64.bundle" |
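Review bot: `"${{ steps.binaries.outputs.linux_amd64 }}"` is expanded into the `run` script before the shell parses it, so the surrounding double quotes do not protect against a value containing quotes or `$(...)`; since the value comes from a step that locates files in `dist/`, the safer pattern is to export it via `env:` (e.g. `LINUX_AMD64: ${{ steps.binaries.outputs.linux_amd64 }}`) and call `sign_with_retry "$LINUX_AMD64"`. The same applies to the `linux_arm64` call below it.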
The newly added Linux cosign bundle outputs are written to fixed, unversioned filenames (e.g., dist/stepsecurity-dev-machine-guard-linux_amd64.bundle). This doesn’t match the release artifact naming documented in docs/release-process.md (which expects versioned bundle names) and makes it harder to correlate bundles to artifacts. Consider including ${{ steps.version.outputs.version }} in the bundle filenames (and updating the upload list accordingly) so bundle names are consistent with the signed artifact names.
| build-linux: | ||
| GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY)-linux ./cmd/stepsecurity-dev-machine-guard |
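Review bot: `-o $(BINARY)-linux` names the output differently from the release artifacts (`stepsecurity-dev-machine-guard-linux_amd64` in the workflow and docs) and hardcodes `GOARCH=amd64` although the release also ships arm64; consider `GOARCH ?= amd64` with `-o $(BINARY)-linux_$(GOARCH)` so a local build can be compared directly against the published artifact of the same name.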
build-linux produces an additional output file ($(BINARY)-linux), but make clean currently only removes $(BINARY), so running clean will leave the Linux binary behind. Consider either outputting to a consistent filename pattern used elsewhere and/or extending the clean target to remove the Linux build artifact.
LGTM 🙌
Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>
510fb52 to 02186f4
What does this PR do?
Type of change
Testing
./stepsecurity-dev-machine-guard --verbose
./stepsecurity-dev-machine-guard --json | python3 -m json.tool
make lint
make test
Related Issues