release: outline release logic using GoReleaser

This adds the base for releasing using GoReleaser going forward in a
backwards compatible manner, which means:

- Publishing of artifacts in the same formats as previous releases
- Publishing of RPM and deb artifacts in the same formats as previous
  releases (although the metadata may need a bit of tweaking)

In addition, it includes:

- SBOM inclusion per binary artifact

It still needs work around:

- Artifact signing
- SLSA compliance
- Docker images
- GitHub release
- Changelog generation
- GitHub Action workflow

Signed-off-by: Hidde Beydals <hidde@hhh.computer>

.gitignore

@@ -1,4 +1,5 @@
-target
+dist/
+target/
 Cargo.lock
 vendor/
 coverage.txt

.goreleaser.yaml

@@ -0,0 +1,114 @@
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+
+project_name: sops
+
+# xref: https://goreleaser.com/customization/build/
+builds:
+  - id: binary-linux
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-darwin
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}.{{ .Os }}.{{ .Arch }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+  - id: binary-windows
+    main: ./cmd/sops
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    binary: "{{ .ProjectName }}-{{ .Version }}"
+    flags:
+      - -v
+      - -trimpath
+    ldflags:
+      - -s
+      - -w
+      - -X "go.mozilla.org/sops/v3/version.Version={{ .Version }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - windows
+    goarch:
+      - amd64
+    # Modified timestamp on the binary, set to ensure reproducible builds.
+    mod_timestamp: "{{ .CommitTimestamp }}"
+
+# xref: https://goreleaser.com/customization/universalbinaries/
+universal_binaries:
+  - ids:
+      - binary-darwin
+    # Specially crafted to ensure compatibility with release artifacts < v3.8.0.
+    # Before v3.8.0, this used to be _just_ the AMD64 binary.
+    name_template: '{{ .ProjectName }}-{{ .Version }}.darwin'
+    replace: false
+
+# xref: https://goreleaser.com/customization/nfpm/
+nfpms:
+  - id: deb
+    package_name: '{{ .ProjectName }}'
+    file_name_template: '{{ .ConventionalFileName }}'
+    vendor: SOPS (Secret OPerationS) project
+    homepage: https://github.com/getsops/sops
+    maintainer: SOPS maintainers <cncf-SOPS-maintainers@lists.cncf.io>
+    description: Simple and flexible tool for managing secrets
+    license: MPL-2.0
+    formats:
+      - deb
+      - rpm
+
+# xref: https://goreleaser.com/customization/checksum/
+checksum:
+  name_template: "{{ .ProjectName }}-{{ .Version }}.checksums.txt"
+  algorithm: sha256
+  ids:
+    - binary-linux
+    - binary-darwin
+    - binary-windows
+
+# xref: https://goreleaser.com/customization/snapshots/
+snapshot:
+  name_template: "{{ incpatch .Version }}-dev-{{ .ShortCommit }}"
+
+# xref: https://goreleaser.com/customization/archive/#disable-archiving
+archives:
+  - format: binary
+
+# xref: https://goreleaser.com/customization/sbom/
+sboms:
+  - id: binary-sbom
+    artifacts: binary
+    documents:
+      - "${artifact}.spdx.sbom.json"

Makefile

@@ -2,9 +2,9 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-PROJECT		:= github.com/getsops/sops/v3
-GO 		:= GOPROXY=https://proxy.golang.org go
-GOLINT 		:= golint
+PROJECT := github.com/getsops/sops/v3
+GO      := GOPROXY=https://proxy.golang.org go
+GOLINT  := golint
 
 all: test vet generate install functional-tests
 origin-build: test vet generate install functional-tests-all

version/version.go

@@ -11,7 +11,7 @@ import (
 )
 
 // Version represents the value of the current semantic version
-const Version = "3.7.3"
+var Version = "3.7.3"
 
 // PrintVersion handles the version command for sops
 func PrintVersion(c *cli.Context) {