From 314a82331223179522a6537cf51aa24f84bce3b1 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:44:18 +0200
Subject: [PATCH 1/9] trigger release from PR
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 135 +++++++++++++++++----------------
1 file changed, 68 insertions(+), 67 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7b25439..dd7af12 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,9 +1,10 @@
name: Release
on:
- push:
- tags:
- - "v*.*.*"
+ pull_request:
+ # push:
+ # tags:
+ # - "v*.*.*"
jobs:
release:
@@ -14,22 +15,22 @@ jobs:
packages: write
contents: write # required for goreleaser
steps:
- - name: Install Cosign
- uses: sigstore/cosign-installer@main
- with:
- cosign-release: 'v2.2.3'
+ # - name: Install Cosign
+ # uses: sigstore/cosign-installer@main
+ # with:
+ # cosign-release: 'v2.2.3'
- - name: Install Chainloop
- run: |
- curl -sfL https://docs.chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
+ # - name: Install Chainloop
+ # run: |
+ # curl -sfL https://docs.chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
- - name: Checkout
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- with:
- fetch-depth: 0
+ # - name: Checkout
+ # uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ # with:
+ # fetch-depth: 0
- - name: Initialize Attestation
- run: chainloop attestation init # --contract-revision 2
+ # - name: Initialize Attestation
+ # run: chainloop attestation init # --contract-revision 2
- name: Set up Go
uses: actions/setup-go@v3
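Review bot: The `pull_request:` trigger now fires a job that keeps `packages: write` and `contents: write` and reads `secrets.COSIGN_PASSWORD`/`secrets.COSIGN_PRIVATE_KEY` further down the file, so every push to a same-repo PR runs a publishing job, while PRs from forks get no secrets and a read-only token and will fail at the signing and release steps. The `if: github.ref_type == 'tag'` guard that still limits this in PATCH 1 is commented out in PATCH 2, after which nothing restricts where the job can run. If PR-triggered runs are only for testing, a `workflow_dispatch:` trigger or a guard such as `if: github.event.pull_request.head.repo.full_name == github.repository` keeps the write-permission job off untrusted heads, and the commented `push`/`tags` block deserves a `# TODO: restore tag trigger before merging` so the production path is not lost.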
@@ -55,57 +56,57 @@ jobs:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- - uses: anchore/sbom-action@v0
- with:
- image: ${{ env.IMAGE }}
- format: cyclonedx-json
- artifact-name: sbom.cyclonedx.json
- output-file: /tmp/sbom.cyclonedx.json
- env:
- IMAGE: ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
-
- - uses: anchore/sbom-action@v0
- with:
- image: ${{ env.IMAGE }}
- format: spdx-json
- artifact-name: sbom.spdx.json
- output-file: /tmp/sbom.spdx.json
- env:
- IMAGE: ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
-
- - name: Add Container Image Artifact
- run: chainloop attestation add --name image --value ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
-
- - name: Add CycloneDX SBOM Artifact
- run: chainloop attestation add --name sbom --value /tmp/sbom.cyclonedx.json
-
- - name: Add SPDX SBOM Artifact
- run: chainloop attestation add --name sbom-spdx --value /tmp/sbom.spdx.json
-
- - name: Add Binary Artifact
- run: |
- BINARY_PATH="$(echo -n '${{ steps.release.outputs.metadata }}' | jq -r '"dist/" + .project_name + "_" + .version + "_" + .runtime.goos + "_" + .runtime.goarch + ".tar.gz"')"
-
- chainloop attestation add --name binary --value ${BINARY_PATH}
-
- - name: Finish and Record Attestation
- if: ${{ success() }}
- run: |
- chainloop attestation status --full
- chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
- env:
- CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-
- - name: Mark attestation as failed
- if: ${{ failure() }}
- run: |
- chainloop attestation reset
-
- - name: Mark attestation as cancelled
- if: ${{ cancelled() }}
- run: |
- chainloop attestation reset --trigger cancellation
+ # - uses: anchore/sbom-action@v0
+ # with:
+ # image: ${{ env.IMAGE }}
+ # format: cyclonedx-json
+ # artifact-name: sbom.cyclonedx.json
+ # output-file: /tmp/sbom.cyclonedx.json
+ # env:
+ # IMAGE: ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
+
+ # - uses: anchore/sbom-action@v0
+ # with:
+ # image: ${{ env.IMAGE }}
+ # format: spdx-json
+ # artifact-name: sbom.spdx.json
+ # output-file: /tmp/sbom.spdx.json
+ # env:
+ # IMAGE: ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
+
+ # - name: Add Container Image Artifact
+ # run: chainloop attestation add --name image --value ghcr.io/chainloop-dev/integration-demo:${{ github.ref_name }}
+
+ # - name: Add CycloneDX SBOM Artifact
+ # run: chainloop attestation add --name sbom --value /tmp/sbom.cyclonedx.json
+
+ # - name: Add SPDX SBOM Artifact
+ # run: chainloop attestation add --name sbom-spdx --value /tmp/sbom.spdx.json
+
+ # - name: Add Binary Artifact
+ # run: |
+ # BINARY_PATH="$(echo -n '${{ steps.release.outputs.metadata }}' | jq -r '"dist/" + .project_name + "_" + .version + "_" + .runtime.goos + "_" + .runtime.goarch + ".tar.gz"')"
+
+ # chainloop attestation add --name binary --value ${BINARY_PATH}
+
+ # - name: Finish and Record Attestation
+ # if: ${{ success() }}
+ # run: |
+ # chainloop attestation status --full
+ # chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
+ # env:
+ # CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ # CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+
+ # - name: Mark attestation as failed
+ # if: ${{ failure() }}
+ # run: |
+ # chainloop attestation reset
+
+ # - name: Mark attestation as cancelled
+ # if: ${{ cancelled() }}
+ # run: |
+ # chainloop attestation reset --trigger cancellation
env:
CHAINLOOP_VERSION: 0.89.0
CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }}
From 6bed54622591c72f41d13f5096ae38584792a4c1 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:45:17 +0200
Subject: [PATCH 2/9] Remove tag condition
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
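Review bot: The commented `Add Binary Artifact` step still interpolates `${{ steps.release.outputs.metadata }}` directly into the `run:` script, so when this block is re-enabled the JSON is substituted into the shell command line before bash sees it; the safer form is to expose it as a step `env:` value, `METADATA: ${{ steps.release.outputs.metadata }}`, and read it as `echo -n "$METADATA" | jq -r ...` in the script. Disabling such a long stretch by prefixing `#` also takes these steps out of what yamllint and actionlint parse, so an `if: false` on each step, or a workflow input that gates them, would keep them checked while they are switched off. The `env:` block at the end and the rest of the job continue outside the hunk.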
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index dd7af12..e54a780 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,7 @@ jobs:
release:
name: Release
runs-on: ubuntu-latest
- if: github.ref_type == 'tag'
+ # if: github.ref_type == 'tag'
permissions:
packages: write
contents: write # required for goreleaser
From 1448bef57b3e77ef4098450fbb5bbbe372dd7fa1 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:46:12 +0200
Subject: [PATCH 3/9] Uncomment checkout action
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e54a780..a0d80cd 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,10 +24,10 @@ jobs:
# run: |
# curl -sfL https://docs.chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
- # - name: Checkout
- # uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- # with:
- # fetch-depth: 0
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ fetch-depth: 0
# - name: Initialize Attestation
# run: chainloop attestation init # --contract-revision 2
From 02280a5fdbdfd5591d79b1cdd25578701ee0ce5a Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:47:23 +0200
Subject: [PATCH 4/9] avoid signing
Signed-off-by: Javier Rodriguez
---
.goreleaser.yml | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 6127515..aaa46f5 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -8,27 +8,27 @@ builds:
targets:
- linux_amd64
-signs:
- # COSIGN_PASSWORD is also required to be present
- - cmd: cosign
- args:
- [
- "sign-blob",
- "--key=env://COSIGN_PRIVATE_KEY",
- "--output-signature=${signature}",
- "--yes",
- "${artifact}",
- ]
- artifacts: all
+# signs:
+# # COSIGN_PASSWORD is also required to be present
+# - cmd: cosign
+# args:
+# [
+# "sign-blob",
+# "--key=env://COSIGN_PRIVATE_KEY",
+# "--output-signature=${signature}",
+# "--yes",
+# "${artifact}",
+# ]
+# artifacts: all
-docker_signs:
- - cmd: cosign
- args: ["sign", "--yes", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"]
- artifacts: all
+# docker_signs:
+# - cmd: cosign
+# args: ["sign", "--yes", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"]
+# artifacts: all
-dockers:
- - dockerfile: Dockerfile.goreleaser
- ids:
- - server
- image_templates:
- - "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
+# dockers:
+# - dockerfile: Dockerfile.goreleaser
+# ids:
+# - server
+# image_templates:
+# - "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
From 42671c6ce6c57dfe1aef897f6c436a5a8783c385 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:54:39 +0200
Subject: [PATCH 5/9] Modify .goreleaser to release
Signed-off-by: Javier Rodriguez
---
.goreleaser.yml | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/.goreleaser.yml b/.goreleaser.yml
index aaa46f5..9a368c3 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -8,6 +8,10 @@ builds:
targets:
- linux_amd64
+archives:
+ - builds:
+ - server
+
# signs:
# # COSIGN_PASSWORD is also required to be present
# - cmd: cosign
@@ -32,3 +36,5 @@ builds:
# - server
# image_templates:
# - "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
+
+release:
From 114f786da08ee745f2659dbebe1685b27ca16d94 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 15:58:29 +0200
Subject: [PATCH 6/9] add signing
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 8 +++----
.goreleaser.yml | 44 +++++++++++++++++-----------------
2 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a0d80cd..16a60ed 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -15,10 +15,10 @@ jobs:
packages: write
contents: write # required for goreleaser
steps:
- # - name: Install Cosign
- # uses: sigstore/cosign-installer@main
- # with:
- # cosign-release: 'v2.2.3'
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@main
+ with:
+ cosign-release: 'v2.2.3'
# - name: Install Chainloop
# run: |
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9a368c3..9df02b8 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -12,29 +12,29 @@ archives:
- builds:
- server
-# signs:
-# # COSIGN_PASSWORD is also required to be present
-# - cmd: cosign
-# args:
-# [
-# "sign-blob",
-# "--key=env://COSIGN_PRIVATE_KEY",
-# "--output-signature=${signature}",
-# "--yes",
-# "${artifact}",
-# ]
-# artifacts: all
+signs:
+ # COSIGN_PASSWORD is also required to be present
+ - cmd: cosign
+ args:
+ [
+ "sign-blob",
+ "--key=env://COSIGN_PRIVATE_KEY",
+ "--output-signature=${signature}",
+ "--yes",
+ "${artifact}",
+ ]
+ artifacts: all
-# docker_signs:
-# - cmd: cosign
-# args: ["sign", "--yes", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"]
-# artifacts: all
+docker_signs:
+ - cmd: cosign
+ args: ["sign", "--yes", "--key=env://COSIGN_PRIVATE_KEY", "${artifact}"]
+ artifacts: all
-# dockers:
-# - dockerfile: Dockerfile.goreleaser
-# ids:
-# - server
-# image_templates:
-# - "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
+dockers:
+ - dockerfile: Dockerfile.goreleaser
+ ids:
+ - server
+ image_templates:
+ - "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
release:
From 0463a3aa8461ea1d66ee7cb72f05d7b96ddc8aa3 Mon Sep 17 00:00:00 2001
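Review bot: `uses: sigstore/cosign-installer@main` is restored on a mutable branch reference, while the `actions/checkout` step in the same file is pinned to a full commit SHA with a version comment; the action that installs the binary signing every release artifact deserves the same treatment, e.g. `uses: sigstore/cosign-installer@<commit-sha-of-the-chosen-release> # vX.Y.Z`. Pinning `cosign-release: 'v2.2.3'` fixes only the cosign version, not the installer code that runs with the job's write token. The step list continues outside the hunk.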
From: Javier Rodriguez
Date: Thu, 30 May 2024 16:01:11 +0200
Subject: [PATCH 7/9] hardcode version
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 16a60ed..f0b1a97 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,7 +49,7 @@ jobs:
uses: goreleaser/goreleaser-action@v3
with:
distribution: goreleaser
- version: latest
+ version: v0.0.48
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 15b7b443e22df0e12e3125ad65c7079f886076d3 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 16:04:59 +0200
Subject: [PATCH 8/9] fix version of goreleaser and include meta
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 2 +-
.goreleaser.yml | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f0b1a97..16a60ed 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -49,7 +49,7 @@ jobs:
uses: goreleaser/goreleaser-action@v3
with:
distribution: goreleaser
- version: v0.0.48
+ version: latest
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 9df02b8..75b02da 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -38,3 +38,4 @@ dockers:
- "ghcr.io/chainloop-dev/integration-demo:{{ .Tag }}"
release:
+ include_meta: true
\ No newline at end of file
From b19b063d32a282384577b16b52bb74693cb43a3f Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Thu, 30 May 2024 16:13:02 +0200
Subject: [PATCH 9/9] force tag
Signed-off-by: Javier Rodriguez
---
.github/workflows/release.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 16a60ed..e462b87 100644
--- a/.github/workflows/release.yaml
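Review bot: Reverting to `version: latest` for `goreleaser/goreleaser-action@v3` resolves the release tool at run time, so the build output, and therefore what the cosign signatures attest to, can differ between two runs of the same commit; pin an explicit goreleaser release (the action's `version` input accepts an exact tag or a constraint such as `version: '~> v1'`) and bump it deliberately. That drift is a practical risk here because the context line `args: release --rm-dist` uses a flag goreleaser has deprecated in favour of `--clean`, and a newer `latest` may no longer accept it. The `with:` block is shown in full, but the enclosing job continues outside the hunk.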
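Review bot: The new `include_meta: true` line lands without a trailing newline, as the `\ No newline at end of file` marker shows. Ending `.goreleaser.yml` with a newline keeps the next change under `release:` from rewriting this line as well and satisfies yamllint's `new-line-at-end-of-file` rule.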
+++ b/.github/workflows/release.yaml
@@ -55,6 +55,7 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ GORELEASER_CURRENT_TAG: v1.0.0
# - uses: anchore/sbom-action@v0
# with:
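Review bot: `GORELEASER_CURRENT_TAG: v1.0.0` hardcodes the release tag into a workflow that, after PATCH 1 and PATCH 2, runs on every pull request, so each run would try to create or reuse the same `v1.0.0` GitHub release and, with the `dockers` block restored in PATCH 6, push and re-sign `ghcr.io/chainloop-dev/integration-demo:v1.0.0` with the repository's cosign key; a signature over a tag that is overwritten on every run no longer identifies one build. Derive the value from the run instead, e.g. `GORELEASER_CURRENT_TAG: v0.0.0-pr${{ github.event.pull_request.number }}`, or drop the override and keep the tag-based trigger so the tag comes from `github.ref`. The step that owns this `env:` block starts outside the hunk.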