From 056f8792b7f55690bf749f3a31ad06382ee3a898 Mon Sep 17 00:00:00 2001
From: CrazyMax <crazy-max@users.noreply.github.com>
Date: Sun, 28 Aug 2022 20:53:38 +0200
Subject: [PATCH] release target with checksums

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
---
 .github/workflows/build.yml | 13 +++-----
 Dockerfile                  | 64 +++++++++++++++++++++++++------------
 Makefile                    | 39 ++++++----------------
 README.md                   |  2 +-
 docker-bake.hcl             |  6 ++++
 hack/git-meta               | 16 ++++++++++
 hack/release                | 59 ++++++++++++++++++++++++++++++++++
 7 files changed, 138 insertions(+), 61 deletions(-)
 create mode 100755 hack/git-meta
 create mode 100755 hack/release

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 67a3451..cac543c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -138,16 +138,11 @@ jobs:
         uses: docker/setup-buildx-action@v2
       -
         name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: binaries
-          set: |
-            *.cache-from=type=gha,scope=build
-            *.cache-to=type=gha,scope=build,mode=max
-      -
-        name: Move artifacts
         run: |
-          mv ${{ env.DESTDIR }}/**/* ${{ env.DESTDIR }}/
+          make release
+        env:
+          CACHE_FROM: type=gha,scope=build
+          CACHE_TO: type=gha,scope=build,mode=max
       -
         name: Upload artifacts
         uses: actions/upload-artifact@v3
diff --git a/Dockerfile b/Dockerfile
index 8137f38..13296a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -85,54 +85,76 @@ EOT
 FROM scratch AS test-coverage
 COPY --from=test /out /
 
+FROM gobase AS version
+RUN --mount=target=. \
+    echo -n "$(./hack/git-meta version)" | tee /tmp/.version ; echo -n "$(./hack/git-meta revision)" | tee /tmp/.revision
+
 FROM base AS build-linux
 ARG PACKAGE
-ARG TARGETOS
-ARG TARGETARCH
-ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod <<EOT
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
+    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
   set -ex
   xx-go --wrap
-  make build-pass PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
-  xx-verify /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
-  make build-secretservice PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-secretservice-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
-  xx-verify /out/docker-credential-secretservice-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
+  make build-pass build-secretservice PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  xx-verify /out/docker-credential-pass
+  xx-verify /out/docker-credential-secretservice
 EOT
 
 FROM base AS build-darwin
 ARG PACKAGE
-ARG TARGETOS
-ARG TARGETARCH
-ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
     --mount=type=cache,target=/go/pkg/mod \
-    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk <<EOT
+    --mount=type=bind,from=osxcross,src=/osxsdk,target=/xx-sdk \
+    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
+    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
   set -ex
   xx-go --wrap
   go install std
-  make build-osxkeychain PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-osxkeychain-${TARGETARCH}${TARGETVARIANT}
-  xx-verify /out/docker-credential-osxkeychain-${TARGETARCH}${TARGETVARIANT}
-  make build-pass PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
-  xx-verify /out/docker-credential-pass-${TARGETOS}-${TARGETARCH}${TARGETVARIANT}
+  make build-osxkeychain build-pass PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  xx-verify /out/docker-credential-osxkeychain
+  xx-verify /out/docker-credential-pass
 EOT
 
 FROM base AS build-windows
 ARG PACKAGE
-ARG TARGETARCH
-ARG TARGETVARIANT
 RUN --mount=type=bind,target=. \
     --mount=type=cache,target=/root/.cache \
-    --mount=type=cache,target=/go/pkg/mod <<EOT
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
+    --mount=type=bind,source=/tmp/.revision,target=/tmp/.revision,from=version <<EOT
   set -ex
   xx-go --wrap
-  make build-wincred PACKAGE=$PACKAGE DESTDIR=/out BINNAME=docker-credential-wincred-${TARGETARCH}${TARGETVARIANT}.exe
-  xx-verify /out/docker-credential-wincred-${TARGETARCH}${TARGETVARIANT}.exe
+  make build-wincred PACKAGE=$PACKAGE VERSION=$(cat /tmp/.version) REVISION=$(cat /tmp/.revision) DESTDIR=/out
+  mv /out/docker-credential-wincred /out/docker-credential-wincred.exe
+  xx-verify /out/docker-credential-wincred.exe
 EOT
 
 FROM build-$TARGETOS AS build
 
 FROM scratch AS binaries
 COPY --from=build /out /
+
+FROM --platform=$BUILDPLATFORM alpine AS releaser
+WORKDIR /work
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+RUN --mount=from=binaries \
+    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version <<EOT
+  set -e
+  mkdir /out
+  version="$(cat /tmp/.version)"
+  [ "$TARGETOS" = "windows" ] && ext=".exe"
+  for f in *; do
+    cp "$f" "/out/${f%.*}-${version}.${TARGETOS}-${TARGETARCH}${TARGETVARIANT}${ext}"
+  done
+EOT
+
+FROM scratch AS release
+COPY --from=releaser /out/ /
+
+FROM binaries
diff --git a/Makefile b/Makefile
index 4bad9a8..ceb860f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 PACKAGE ?= github.com/docker/docker-credential-helpers
-VERSION ?= $(shell git describe --match 'v[0-9]*' --dirty='.m' --always --tags)
-REVISION ?= $(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)
+VERSION ?= $(shell ./hack/git-meta version)
+REVISION ?= $(shell ./hack/git-meta revision)
 
 GO_PKG = github.com/docker/docker-credential-helpers
 GO_LDFLAGS = -s -w -X ${GO_PKG}/credentials.Version=${VERSION} -X ${GO_PKG}/credentials.Revision=${REVISION} -X ${GO_PKG}/credentials.Package=${PACKAGE}
@@ -17,8 +17,7 @@ clean:
 
 .PHONY: build-%
 build-%: # build, can be one of build-osxkeychain build-pass build-secretservice build-wincred
-	$(eval BINNAME := docker-credential-$*)
-	go build -trimpath -ldflags="$(GO_LDFLAGS) -X ${GO_PKG}/credentials.Name=docker-credential-$*" -o $(DESTDIR)/$(BINNAME) ./$*/cmd/
+	go build -trimpath -ldflags="$(GO_LDFLAGS) -X ${GO_PKG}/credentials.Name=docker-credential-$*" -o "$(DESTDIR)/docker-credential-$*" ./$*/cmd/
 
 # aliases for build-* targets
 .PHONY: osxkeychain secretservice pass wincred
@@ -27,36 +26,16 @@ secretservice: build-secretservice
 pass: build-pass
 wincred: build-wincred
 
-.PHONY: osxcodesign
-osxcodesign: build-osxkeychain
-	$(eval SIGNINGHASH = $(shell security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4))
-	xcrun -log codesign -s $(SIGNINGHASH) --force --verbose bin/build/docker-credential-osxkeychain
-	xcrun codesign --verify --deep --strict --verbose=2 --display bin/build/docker-credential-osxkeychain
-
-.PHONY: linuxrelease
-linuxrelease:
-	mkdir -p release
-	cd bin && tar cvfz ../release/docker-credential-pass-$(VERSION)-amd64.tar.gz docker-credential-pass
-	cd bin && tar cvfz ../release/docker-credential-secretservice-$(VERSION)-amd64.tar.gz docker-credential-secretservice
-
-.PHONY: osxrelease
-osxrelease:
-	mkdir -p release
-	cd bin && tar cvfz ../release/docker-credential-osxkeychain-$(VERSION)-amd64.tar.gz docker-credential-osxkeychain
-	cd bin && tar cvfz ../release/docker-credential-pass-$(VERSION)-darwin-amd64.tar.gz docker-credential-pass
-
-.PHONY: winrelease
-winrelease:
-	mkdir -p release
-	cd bin && zip ../release/docker-credential-wincred-$(VERSION)-amd64.zip docker-credential-wincred.exe
-
 .PHONY: cross
 cross: # cross build all supported credential helpers
-	$(BUILDX_CMD) bake cross
+	$(BUILDX_CMD) bake binaries
+
+.PHONY: release
+release: # create release
+	./hack/release
 
 .PHONY: test
-test:
-	# tests all packages except vendor
+test: # tests all packages except vendor
 	go test -v `go list ./... | grep -v /vendor/`
 
 .PHONY: lint
diff --git a/README.md b/README.md
index c9a41f4..7c7a45e 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ $ make osxkeychain
 3 - Put that binary in your `$PATH`, so Docker can find it.
 
 ```shell
-$ cp bin/docker-credential-osxkeychain /usr/local/bin/
+$ cp bin/build/docker-credential-osxkeychain /usr/local/bin/
 ```
 
 ## Usage
diff --git a/docker-bake.hcl b/docker-bake.hcl
index 4cc91ae..74c3097 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -65,3 +65,9 @@ target "binaries" {
     "windows/amd64"
   ]
 }
+
+target "release" {
+  inherits = ["binaries"]
+  target = "release"
+  output = [bindir("release")]
+}
diff --git a/hack/git-meta b/hack/git-meta
new file mode 100755
index 0000000..ed4bfb8
--- /dev/null
+++ b/hack/git-meta
@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+set -e
+
+case $1 in
+	"version")
+		git describe --match 'v[0-9]*' --dirty='.m' --always --tags
+		;;
+	"revision")
+		echo "$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi)"
+		;;
+	*)
+		echo "usage: ./hack/git-meta <version|revision>"
+		exit 1
+		;;
+esac
diff --git a/hack/release b/hack/release
new file mode 100755
index 0000000..aff1c64
--- /dev/null
+++ b/hack/release
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+set -e
+
+: "${BUILDX_CMD=docker buildx}"
+: "${DESTDIR=./bin/release}"
+: "${CACHE_FROM=}"
+: "${CACHE_TO=}"
+
+: "${SIGN=}"
+: "${PFX=}"
+: "${PFXPASSWORD=}"
+
+if [ -n "$CACHE_FROM" ]; then
+	for cfrom in $CACHE_FROM; do
+		cacheFlags+=(--set "*.cache-from=$cfrom")
+	done
+fi
+if [ -n "$CACHE_TO" ]; then
+	for cto in $CACHE_TO; do
+		cacheFlags+=(--set "*.cache-to=$cto")
+	done
+fi
+
+dockerpfx=$(mktemp -t dockercredhelper-pfx.XXXXXXXXXX)
+function clean {
+	rm -f "$dockerpfx"
+}
+trap clean EXIT
+
+# release
+(
+	set -x
+	${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release
+)
+
+# wrap binaries
+mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
+find ./${DESTDIR} -type d -empty -delete
+
+# sign binaries
+if [ -n "$SIGN" ]; then
+	for f in "${DESTDIR}"/*".darwin-"*; do
+		SIGNINGHASH=$(security find-identity -v -p codesigning | grep "Developer ID Application: Docker Inc" | cut -d ' ' -f 4)
+		xcrun -log codesign -s "$SIGNINGHASH" --force --verbose "$f"
+		xcrun codesign --verify --deep --strict --verbose=2 --display "$f"
+	done
+	for f in "${DESTDIR}"/*".windows-"*; do
+		echo ${PFX} | base64 -d > "$dockerpfx"
+		signtool sign /fd SHA256 /a /f pfx /p ${PFXPASSWORD} /d Docker /du https://www.docker.com /t http://timestamp.verisign.com/scripts/timestamp.dll "$f"
+	done
+fi
+
+# checksums
+(
+  cd ${DESTDIR}
+  sha256sum -b docker-credential-* > ./checksums.txt
+  sha256sum -c --strict checksums.txt
+)