chore: add release pipeline

Signed-off-by: Matthew Penner <[email protected]>

.github/workflows/ci.yaml

@@ -11,14 +11,14 @@ on:
 jobs:
   tests:
     name: Test
-    permissions:
-      contents: read
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04]
         go: ["1.21.10", "1.22.3"]
+    permissions:
+      contents: read
 
     steps:
       - name: Setup Go

.github/workflows/release.yaml

@@ -0,0 +1,47 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    name: Release
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-22.04]
+        go: ["1.22.3"]
+    permissions:
+      attestations: write
+      id-token: write
+      contents: write
+      packages: write
+    steps:
+      - name: Setup Go
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        with:
+          go-version: ${{ matrix.go }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
+
+      - name: Code checkout
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          fetch-depth: 0
+
+      # https://github.com/actions/checkout/issues/290#issuecomment-680260080
+      - name: Fetch upstream tags
+        run: git fetch --tags --force
+
+      - name: Run Goreleaser
+        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_EXPERIMENTAL: 1

.goreleaser.yaml

@@ -0,0 +1,91 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+version: 1
+
+metadata:
+  mod_timestamp: "{{ .CommitTimestamp }}"
+
+report_sizes: true
+
+builds:
+  - main: github.com/caddyserver/gateway/cmd
+    binary: caddy-gateway
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    flags:
+      - -trimpath
+
+kos:
+  - repository: ghcr.io/caddyserver/gateway
+    platforms:
+      - linux/amd64
+      - linux/arm64
+    tags:
+      - '{{.Version}}'
+      # TODO: find a way to set the latest package tag, only when the release gets published on GitHub.
+      # we can trigger an action on release_published, but we then need to write a system that "pushes"
+      # the `latest` manifest.
+      # - latest
+    creation_time: '{{.CommitTimestamp}}'
+    ko_data_creation_time: '{{.CommitTimestamp}}'
+    sbom: 'spdx'
+    bare: true
+    base_import_paths: true
+    preserve_import_paths: false
+
+checksum:
+  algorithm: sha512
+  name_template: "CHECKSUMS.txt"
+
+sboms:
+  - artifacts: binary
+    cmd: syft
+    args:
+      - "$artifact"
+      - "--file"
+      - "${document}"
+      - "--output"
+      - "spdx-json"
+
+signs:
+  - cmd: cosign
+    artifacts: all
+    output: true
+    args:
+      - sign-blob
+      - --yes
+      - "--output-certificate=${certificate}"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+
+docker_signs:
+  - cmd: cosign
+    artifacts: manifests # TODO: all?
+    output: true
+    args:
+      - sign
+      - --yes
+      - "${artifact}@${digest}"
+
+release:
+  draft: true
+  prerelease: auto
+  github:
+    owner: caddyserver
+    name: gateway
+
+changelog:
+  use: github
+  sort: asc
+  filters:
+    exclude:
+    - '^chore:'
+    - '^ci:'
+    - '^docs?:'
+    - '^readme:'
+    - '^tests?:'
+    - '^\w+\s+' # a hack to remove commit messages without colons thus don't correspond to a package