feat: sign cfl and jtk darwin binaries with stable code-signing identities #775
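# CI for the cfl and jtk tools and the shared module.
#
# Jobs are gated on path filters (detect-changes) so only affected components
# are built, tested and linted. Each component also has a "static build guard":
# a CGO_ENABLED=0 cross-build plus a check that the Linux build graph does not
# pull in byteness/keyring or the 1Password SDK (the guard only states the rule;
# presumably those packages drag in platform keychain / non-static code —
# confirm against distribution.md before relaxing it).
#
# Supply-chain caveat: every third-party action below is referenced by a
# major-version tag (@v3, @v4, @v5, @v7, @v1). Tags are mutable; if immutable
# action references are required, pin each `uses:` to a full commit SHA and
# keep the tag in a trailing comment for readability.
name: CI

on:
  push:
    branches: [main]
  pull_request:

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so the default token is read-only on contents. A job that needs
# more declares its own `permissions:` block — note that a job-level block
# replaces (does not extend) this one, so `contents: read` must be restated.
# The open-cli-collective composite actions are not visible here; if one of
# them calls the GitHub API, widen that job's scope rather than this block.
permissions:
  contents: read

jobs:
  # Computes which components changed. Downstream jobs consume the three
  # boolean-string outputs (`'true'` / `'false'`) via needs.detect-changes.
  detect-changes:
    runs-on: ubuntu-latest
    # dorny/paths-filter lists PR files through the API on pull_request events
    # (hence pull-requests: read) and diffs locally on push events.
    permissions:
      contents: read
      pull-requests: read
    outputs:
      cfl: ${{ steps.filter.outputs.cfl }}
      jtk: ${{ steps.filter.outputs.jtk }}
      shared: ${{ steps.filter.outputs.shared }}
    steps:
      # NOTE(review): checkout persists the token in .git/config by default.
      # No job here pushes, but paths-filter's push-event diff may fetch the
      # base ref; verify before setting persist-credentials: false.
      - uses: actions/checkout@v4
      - uses: dorny/paths-filter@v3
        id: filter
        with:
          # ci.yml appears in every filter so a workflow edit re-runs all jobs.
          filters: |
            cfl:
              - 'tools/cfl/**'
              - '.goreleaser-cfl.yml'
              - '.github/workflows/ci.yml'
              - '.github/workflows/release-cfl.yml'
            jtk:
              - 'tools/jtk/**'
              - '.goreleaser-jtk.yml'
              - '.github/workflows/ci.yml'
              - '.github/workflows/release-jtk.yml'
            shared:
              - 'shared/**'
              - 'go.work'
              - 'Makefile'
              - '.github/workflows/ci.yml'

  build-test-cfl:
    needs: detect-changes
    if: needs.detect-changes.outputs.cfl == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      # Fails if go.mod/go.sum are not already tidy, so the committed lockfile
      # is exactly what the build resolves (no drift between review and release).
      - name: Tidy cfl
        run: cd tools/cfl && go mod tidy && git diff --exit-code go.mod go.sum
      - name: Build cfl
        run: go build -v ./tools/cfl/...
      # 1) cross-compile the release targets with cgo off; 2) assert the Linux
      # dependency graph excludes the keyring / 1Password packages. Windows is
      # only cross-built, not graph-checked — presumably by design (Windows
      # releases may use the credential manager); confirm against distribution.md.
      - name: Static release build guard cfl
        run: |
          set -euo pipefail
          cd tools/cfl
          for target in linux/amd64 linux/arm64 windows/amd64 windows/arm64; do
            goos="${target%/*}"
            goarch="${target#*/}"
            CGO_ENABLED=0 GOOS="$goos" GOARCH="$goarch" \
              go build -o "$RUNNER_TEMP/cfl-$goos-$goarch" ./cmd/cfl
          done
          for goarch in amd64 arm64; do
            deps=$(CGO_ENABLED=0 GOOS=linux GOARCH="$goarch" go list -deps ./cmd/cfl)
            # Dots are escaped so the anchor matches the literal host only.
            if printf '%s\n' "$deps" | grep -E '^(github\.com/byteness/keyring|github\.com/1password/onepassword-sdk-go)(/|$)'; then
              echo "static Linux cfl $goarch build graph must not include byteness/keyring or onepassword-sdk-go"
              exit 1
            fi
          done
      - name: Test cfl
        run: go test -v -race -coverprofile=coverage-cfl.out ./tools/cfl/...

  build-test-jtk:
    needs: detect-changes
    if: needs.detect-changes.outputs.jtk == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      # Same lockfile-drift check as cfl.
      - name: Tidy jtk
        run: cd tools/jtk && go mod tidy && git diff --exit-code go.mod go.sum
      - name: Build jtk
        run: go build -v ./tools/jtk/...
      # Mirrors the cfl guard; keep the two in sync.
      - name: Static release build guard jtk
        run: |
          set -euo pipefail
          cd tools/jtk
          for target in linux/amd64 linux/arm64 windows/amd64 windows/arm64; do
            goos="${target%/*}"
            goarch="${target#*/}"
            CGO_ENABLED=0 GOOS="$goos" GOARCH="$goarch" \
              go build -o "$RUNNER_TEMP/jtk-$goos-$goarch" ./cmd/jtk
          done
          for goarch in amd64 arm64; do
            deps=$(CGO_ENABLED=0 GOOS=linux GOARCH="$goarch" go list -deps ./cmd/jtk)
            if printf '%s\n' "$deps" | grep -E '^(github\.com/byteness/keyring|github\.com/1password/onepassword-sdk-go)(/|$)'; then
              echo "static Linux jtk $goarch build graph must not include byteness/keyring or onepassword-sdk-go"
              exit 1
            fi
          done
      - name: Test jtk
        run: go test -v -race -coverprofile=coverage-jtk.out ./tools/jtk/...

  lint-cfl:
    needs: detect-changes
    if: needs.detect-changes.outputs.cfl == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - uses: golangci/golangci-lint-action@v7
        with:
          working-directory: tools/cfl
          version: v2.12.2

  lint-jtk:
    needs: detect-changes
    if: needs.detect-changes.outputs.jtk == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - uses: golangci/golangci-lint-action@v7
        with:
          working-directory: tools/jtk
          version: v2.12.2

  build-test-shared:
    needs: detect-changes
    if: needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - name: Tidy shared
        run: cd shared && go mod tidy && git diff --exit-code go.mod go.sum
      - name: Build shared
        run: go build -v ./shared/...
      # The shared module has no cmd/ entry point, so the guard builds and
      # graph-checks every package (./...) for Linux only.
      - name: Static Linux build guard shared
        run: |
          set -euo pipefail
          cd shared
          for goarch in amd64 arm64; do
            CGO_ENABLED=0 GOOS=linux GOARCH="$goarch" go build ./...
            deps=$(CGO_ENABLED=0 GOOS=linux GOARCH="$goarch" go list -deps ./...)
            if printf '%s\n' "$deps" | grep -E '^(github\.com/byteness/keyring|github\.com/1password/onepassword-sdk-go)(/|$)'; then
              echo "static Linux shared $goarch build graph must not include byteness/keyring or onepassword-sdk-go"
              exit 1
            fi
          done
      - name: Test shared
        run: go test -v -race -coverprofile=coverage-shared.out ./shared/...

  lint-shared:
    needs: detect-changes
    if: needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: '1.26'
      - uses: golangci/golangci-lint-action@v7
        with:
          working-directory: shared
          version: v2.12.2

  # Per-tool identity drift guard (distribution.md §8.2): assert each tool's
  # packaging/identity.yml matches its tool-native files. working-directory is
  # the tool root; repo-root defaults to "." so the root-relative
  # goreleaser_config resolves (distribution.md §8.3 / .github#15).
  identity-check-cfl:
    needs: detect-changes
    if: needs.detect-changes.outputs.cfl == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: open-cli-collective/.github/actions/identity-check@v1
        with:
          working-directory: tools/cfl

  identity-check-jtk:
    needs: detect-changes
    if: needs.detect-changes.outputs.jtk == 'true' || needs.detect-changes.outputs.shared == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: open-cli-collective/.github/actions/identity-check@v1
        with:
          working-directory: tools/jtk

  pr-title:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      # The attacker-controllable PR title is handed to the action as an input,
      # not interpolated into a `run:` line, so no shell/expression injection
      # occurs in this file. The action's own handling of the value is out of
      # view here; it must treat `title` as data (e.g. read it from an env var).
      - uses: open-cli-collective/.github/actions/pr-title@v1
        with:
          title: ${{ github.event.pull_request.title }}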