Skip to content

Migrate to gha only #614

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
james-nesbitt wants to merge 6 commits into from
Closed

Migrate to gha only #614

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c45b8eb
ci: update release workflow to use a single checksums.txt file
james-nesbitt Mar 26, 2026
9f0a01a
fix: correct local build target in Makefile
james-nesbitt Mar 26, 2026
75affb6
build: remove release-related Makefile targets
james-nesbitt Mar 26, 2026
cbbc8c4
fix: remove duplicate go statements in go.mod
james-nesbitt Mar 26, 2026
d138b64
ci: add comprehensive PR validation workflow
james-nesbitt Mar 26, 2026
f6cb3ef
ci: restrict GITHUB_TOKEN permissions in PR workflow
james-nesbitt Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
# Build and test workflow for Launchpad
# Triggered on PRs and pushes to main.

name: Build and Test

on:
push:
branches: [ main ]
pull_request:
branches: [ main ]

jobs:
build:
name: Build Binaries
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Build binaries
run: |
mkdir -p dist
platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64")
for platform in "${platforms[@]}"; do
GOOS=${platform%/*}
GOARCH=${platform#*/}
output_name="dist/launchpad_${GOOS}_${GOARCH}"
if [ "$GOOS" = "windows" ]; then
output_name+=".exe"
fi
echo "Building $output_name"
GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
done

- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: launchpad-binaries
path: dist/

test:
Comment on lines +14 to +46

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly declare a minimal permissions block for the workflow or each job, limiting GITHUB_TOKEN to the least privilege required. For this workflow, the actions used (actions/checkout, actions/setup-go, go test, actions/upload-artifact) do not need to write to repository contents or pull requests, so contents: read at the workflow level is sufficient. No other fine-grained scopes (like pull-requests: write) are needed based on the shown steps.

The best way to fix this without changing functionality is to add a top-level permissions block right after the name: Build and Test line in .github/workflows/build.yml. This will apply to all jobs that do not override permissions, covering both build and test jobs. The block should be:

permissions:
  contents: read

No imports or additional definitions are needed, since this is just YAML configuration. The only file to modify is .github/workflows/build.yml, and the changes are confined to adding the new lines after the name: line (line 4 in the provided snippet).

Suggested changeset 1
.github/workflows/build.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,6 +2,8 @@
 # Triggered on PRs and pushes to main.
 
 name: Build and Test
+permissions:
+  contents: read
 
 on:
   push:
EOF
@@ -2,6 +2,8 @@
# Triggered on PRs and pushes to main.

name: Build and Test
permissions:
contents: read

on:
push:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Run Tests
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.22"

- name: Run unit tests
run: go test -v ./...

- name: Run integration tests
run: go test -v -tags=integration ./test/integration
Comment on lines +47 to +63

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, fix this by adding a permissions block that grants only the scopes required by the jobs. Since this workflow only checks out code, builds, runs tests, and uploads artifacts (which do not require repository write permissions), it can use read-only repository access.

The best minimal fix without changing behavior is to add a workflow-level permissions block (applies to all jobs) under the name: or on: section, setting contents: read. Neither the build nor test job needs finer-grained or write permissions, and actions/checkout, actions/setup-go, and actions/upload-artifact all work with read-only contents. No additional imports or external dependencies are required; this is purely a YAML configuration change inside .github/workflows/build.yml.

Concretely:

  • Edit .github/workflows/build.yml.
  • Insert:
permissions:
  contents: read

between the name: Build and Test line and the on: block (or immediately under on:; either is fine, but top-level is clearer). No other changes are necessary.

Suggested changeset 1
.github/workflows/build.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,6 +3,9 @@
 
 name: Build and Test
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ main ]
EOF
@@ -3,6 +3,9 @@

name: Build and Test

permissions:
contents: read

on:
push:
branches: [ main ]
Copilot is powered by AI and may make mistakes. Always verify output.
99 changes: 99 additions & 0 deletions .github/workflows/pr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
# PR validation workflow for Launchpad
# Triggered on PRs to main branch.

name: PR Validation

on:
pull_request:
branches: [ main ]

jobs:
lint:
name: Lint Code
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Run golangci-lint
run: make lint

unit-test:
Comment on lines +12 to +26

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly define a permissions: block that limits the GITHUB_TOKEN to the least privileges required. For this workflow, all jobs only need to read repository contents (for actions/checkout) and do not interact with issues, PRs, or other GitHub resources, so contents: read at the workflow level is sufficient.

The best change with no functional impact is to add a top-level permissions: block immediately after the name: and before on: in .github/workflows/pr.yml. This will apply to all jobs in the workflow (since none currently define their own permissions: blocks) and will restrict GITHUB_TOKEN to read-only access to repository contents. No per-job overrides are needed, and no additional imports or changes inside job steps are required.

Concretely:

  • Edit .github/workflows/pr.yml.
  • Insert:
permissions:
  contents: read

between the existing name: PR Validation line and the on: block. No other files or lines need to change.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,6 +3,9 @@
 
 name: PR Validation
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
EOF
@@ -3,6 +3,9 @@

name: PR Validation

permissions:
contents: read

on:
pull_request:
branches: [ main ]
Copilot is powered by AI and may make mistakes. Always verify output.
name: Unit Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Run unit tests
run: make unit-test

integration-test:
Comment on lines +27 to +41

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, fix this by adding an explicit permissions block that grants only the scopes needed by the jobs. Since all jobs in this workflow just check out code and run local commands, they only need read access to repository contents. The simplest, least‑privilege approach is to set permissions: contents: read at the workflow root so it applies to all jobs, unless overridden.

The single best fix without changing existing functionality is: in .github/workflows/pr.yml, immediately after the name: PR Validation line (line 4), add a root‑level permissions: block:

name: PR Validation

permissions:
  contents: read

on:
  pull_request:
    branches: [ main ]

This restricts the GITHUB_TOKEN to read‑only repository contents for all jobs (lint, unit-test, integration-test, build-verification, security-scan). No additional imports, methods, or definitions are needed because this is a YAML configuration change only.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,6 +3,9 @@
 
 name: PR Validation
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
EOF
@@ -3,6 +3,9 @@

name: PR Validation

permissions:
contents: read

on:
pull_request:
branches: [ main ]
Copilot is powered by AI and may make mistakes. Always verify output.
name: Integration Tests
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Run integration tests
run: make integration-test

build-verification:
Comment on lines +42 to +56

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly define the GITHUB_TOKEN permissions at the workflow or job level, granting only what is needed. Since all jobs in this workflow only perform read operations on the repository (checkout, build, test, security scan) and do not create or modify issues, PRs, releases, etc., they can safely run with contents: read. The simplest and clearest change is to add a root-level permissions block right after name: PR Validation. That way, the minimal permissions apply to all jobs, and we avoid repeating the same block for each job.

Concretely, in .github/workflows/pr.yml, insert:

permissions:
  contents: read

between the name: PR Validation line and the on: block. No additional methods, imports, or other definitions are required; this is purely a YAML configuration change within the workflow.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,6 +3,9 @@
 
 name: PR Validation
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
EOF
@@ -3,6 +3,9 @@

name: PR Validation

permissions:
contents: read

on:
pull_request:
branches: [ main ]
Copilot is powered by AI and may make mistakes. Always verify output.
name: Build Verification
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Build binaries
run: |
mkdir -p dist
platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64")
for platform in "${platforms[@]}"; do
GOOS=${platform%/*}
GOARCH=${platform#*/}
output_name="dist/launchpad_${GOOS}_${GOARCH}"
if [ "$GOOS" = "windows" ]; then
output_name+=".exe"
fi
echo "Building $output_name"
GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
done

security-scan:
Comment on lines +57 to +83

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix the problem, explicitly restrict the GITHUB_TOKEN permissions used by this workflow so they follow the principle of least privilege. Since all jobs only need to read the repository contents (to run make commands, tests, builds, and scans) and do not push changes, update PRs, or modify issues, we can set contents: read at the workflow level. This will apply to all jobs in the file unless overridden, and it avoids duplicating the same block for each job.

Concretely, in .github/workflows/pr.yml, add a permissions: block near the top-level (alongside name: and on:). For example, directly after the name: PR Validation line, insert:

permissions:
  contents: read

No other imports, methods, or definitions are required; this is purely a YAML configuration change inside the existing workflow file. This change does not alter the functional behavior of the jobs, because they only require read access to the repository.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -2,6 +2,8 @@
 # Triggered on PRs to main branch.
 
 name: PR Validation
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -2,6 +2,8 @@
# Triggered on PRs to main branch.

name: PR Validation
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
name: Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest

- name: Run security scan
run: govulncheck ./...
Comment on lines +84 to +99

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

In general, the fix is to explicitly declare the minimal GITHUB_TOKEN permissions needed by the workflow, either at the root of the workflow (applying to all jobs) or per job. This workflow only checks out code and runs Go tooling; it does not need to write to the repo or modify issues/PRs. Therefore, the best fix is to add a workflow‑level permissions block that sets contents: read, which is the minimal useful scope for actions/checkout and covers all current jobs without changing their functionality.

Concretely, in .github/workflows/pr.yml, add a permissions: section near the top of the file (for example, right after the name: line) with contents: read. This will apply to all jobs (lint, unit-test, integration-test, build-verification, security-scan) unless overridden later, and satisfies CodeQL’s requirement while enforcing least privilege. No imports, methods, or additional definitions are required for this change.

Suggested changeset 1
.github/workflows/pr.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -3,6 +3,9 @@
 
 name: PR Validation
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [ main ]
EOF
@@ -3,6 +3,9 @@

name: PR Validation

permissions:
contents: read

on:
pull_request:
branches: [ main ]
Copilot is powered by AI and may make mistakes. Always verify output.
66 changes: 66 additions & 0 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
# Release workflow for Launchpad
# Triggered on tags (e.g., v1.5.16).

name: Release

on:
push:
tags:
- "v*"

jobs:
build:
name: Build Release Binaries
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: "1.25"

- name: Build binaries
run: |
mkdir -p dist
platforms=("linux/amd64" "linux/arm64" "windows/amd64" "windows/arm64" "darwin/amd64" "darwin/arm64")
for platform in "${platforms[@]}"; do
GOOS=${platform%/*}
GOARCH=${platform#*/}
output_name="dist/launchpad_${GOOS}_${GOARCH}"
if [ "$GOOS" = "windows" ]; then
output_name+=".exe"
fi
echo "Building $output_name"
GOOS=$GOOS GOARCH=$GOARCH go build -o "$output_name" ./main.go
done

- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: launchpad-release-binaries
path: dist/

release:
Comment on lines +13 to +45

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 3 months ago

To fix the problem, explicitly set a permissions block to scope down the GITHUB_TOKEN for each job, instead of relying on potentially broad repository defaults. The build job only needs to read repository contents and use artifacts, so contents: read is sufficient. The release job needs to create a GitHub Release, which requires contents: write, but does not obviously require other write scopes.

The best minimal fix without changing functionality is:

  • Add a permissions block under build: with contents: read.
  • Add a permissions block under release: with contents: write.

We do not need to modify steps, environment variables, or add imports; the change is purely in .github/workflows/release.yml. The new permissions entries should be added right under each job definition line (build: and release:) so they apply at the job level. No other files are involved.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,6 +12,8 @@
   build:
     name: Build Release Binaries
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -46,6 +48,8 @@
     name: Create GitHub Release
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: write
     steps:
       - name: Download binaries
         uses: actions/download-artifact@v4
EOF
@@ -12,6 +12,8 @@
build:
name: Build Release Binaries
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4
@@ -46,6 +48,8 @@
name: Create GitHub Release
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
steps:
- name: Download binaries
uses: actions/download-artifact@v4
Copilot is powered by AI and may make mistakes. Always verify output.
name: Create GitHub Release
runs-on: ubuntu-latest
needs: build
steps:
- name: Download binaries
uses: actions/download-artifact@v4
with:
name: launchpad-release-binaries
path: dist/

- name: Create GitHub Release
uses: softprops/action-gh-release@v1
with:
files: dist/*
generate_release_notes: true
draft: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# TODO: Add Digicert signing here.
# TODO: Push signed artifacts to S3 here.
Comment on lines +46 to +66

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 3 months ago

In general, fix this by explicitly defining a permissions block that grants the least privileges needed. You can define it at the workflow root (applies to all jobs unless overridden) and, if a specific job needs more privileges, override just for that job.

For this workflow:

  • The build job only checks out code, sets up Go, builds binaries, and uploads artifacts. It requires only read access to repository contents and the ability to read artifacts; it does not need any write permissions.
  • The release job downloads artifacts and creates a GitHub Release via softprops/action-gh-release, which needs contents: write (to create the release and upload assets). It does not obviously need write access to issues, pull requests, or other scopes.

The best minimal change is:

  1. Add a root‑level permissions block with contents: read so both jobs default to read‑only.
  2. Add a permissions block under the release job that sets contents: write (overriding the root for that job only).

This leaves existing functionality unchanged (the release can still be created) while explicitly documenting and constraining token capabilities.

Concretely:

  • At the top level, after name: Release and before on:, add: 
    permissions:
  contents: read
  • Under the release job (same indentation level as name: Create GitHub Release and runs-on), add: 
      permissions:
    contents: write

No imports or extra methods are needed because this is a YAML workflow configuration change only.

Suggested changeset 1
.github/workflows/release.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,9 @@
 
 name: Release
 
+permissions:
+  contents: read
+
 on:
   push:
     tags:
@@ -46,6 +49,8 @@
     name: Create GitHub Release
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: write
     steps:
       - name: Download binaries
         uses: actions/download-artifact@v4
EOF
@@ -3,6 +3,9 @@

name: Release

permissions:
contents: read

on:
push:
tags:
@@ -46,6 +49,8 @@
name: Create GitHub Release
runs-on: ubuntu-latest
needs: build
permissions:
contents: write
steps:
- name: Download binaries
uses: actions/download-artifact@v4
Copilot is powered by AI and may make mistakes. Always verify output.
60 changes: 11 additions & 49 deletions Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,7 @@

GO=$(shell which go)

RELEASE_FOLDER=dist/release

CHECKSUM=$(shell which sha256sum)

VOLUME_MOUNTS=-v "$(CURDIR):/v"
SIGN?=docker run --rm -i $(VOLUME_MOUNTS) -e SM_API_KEY -e SM_CLIENT_CERT_PASSWORD -e SM_CLIENT_CERT_FILE -v "$(SM_CLIENT_CERT_FILE):$(SM_CLIENT_CERT_FILE)" -w "/v" registry.mirantis.com/prodeng/digicert-keytools-jsign:latest sign

GOLANGCI_LINT?=docker run -t --rm -v "$(CURDIR):/data" -w "/data" golangci/golangci-lint:latest golangci-lint

Expand All @@ -16,53 +11,20 @@ SEGMENT_TOKEN?=""
clean:
rm -fr dist

# Sign release binaries (Windows)
# (build may need to be run in a separate make run)
.PHONY: sign-release
sign-release: $(RELEASE_FOLDER)
for f in `find $(RELEASE_FOLDER)/*.exe`; do echo $(SIGN) "$$f"; done

# Force a clean build of the artifacts by first cleaning
# and then building
.PHONY: build-release
build-release: clean $(RELEASE_FOLDER)
# build all the binaries for release, using goreleaser, but
# don't use any of the other features of goreleaser - because
# we need to use digicert to sign the binaries first, and
# goreleaser doesn't allow for that (some pro features may
# allow it in a round about way.)
#
# If you are using more than one tag for a commit, then use
# the GORELEASER_CURRENT_TAG env var to clarify the version to
# avoid having the wrong tag version applied
$(RELEASE_FOLDER):
SEGMENT_TOKEN=${SEGMENT_TOKEN} goreleaser build --clean --config=.goreleaser.release.yml

.PHONY: create-checksum
create-checksum:
cd $(RELEASE_FOLDER) && \
for f in *; do \
$(CHECKSUM) $$f > $$f.sha256; \
done

.PHONY: verify-checksum
verify-checksum:
for f in $(RELEASE_FOLDER)/*.sha256; do \
$(CHECKSUM) -c $$f; \
echo "Verified checksum for $$f"; \
done

# clean out any existing release build
.PHONY: clean-release
clean-release:
rm -fr $(RELEASE_FOLDER)
# TODO: Digicert signing will be reimplemented in GitHub Actions.

# Local build of the plugin. This saves time building platforms that you
# won't test locally. To use it, find the path to your build binary path
# and alias it.
# Local build of the plugin. This saves time building only the host platform.
# Uses native Go commands to avoid Goreleaser dependency.
.PHONY: local
local:
SEGMENT_TOKEN=${SEGMENT_TOKEN} goreleaser build --clean --single-target --skip=validate --snapshot --config .goreleaser.local.yml
mkdir -p dist
GOOS=$(shell go env GOOS) GOARCH=$(shell go env GOARCH) \
output_name="dist/launchpad_$${GOOS}_$${GOARCH}"; \
if [ "$${GOOS}" = "windows" ]; then \
output_name="$${output_name}.exe"; \
fi; \
$(GO) build -o "$${output_name}" ./main.go && \
./$${output_name} --help

# run linting
.PHONY: lint
Expand Down
3 changes: 2 additions & 1 deletion go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
module github.com/Mirantis/launchpad
go 1.25


go 1.25.0

require (
al.essio.dev/pkg/shellescape v1.6.0
Expand Down
Loading