ci: automate build and release chores

.github/workflows/go-ci.yml

@@ -0,0 +1,86 @@
+name: Go - CI
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  lint-and-test:
+    name: Lint And Test Code
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+      with:
+        go-version-file: go.mod
+        cache: false
+    - name: Run GolangCI linter
+      uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
+      with:
+        args: '--timeout=5m'
+        skip-cache: true
+        skip-save-cache: true
+    - name: Run Go test coverage
+      run: go test -race -coverprofile=coverage.out -covermode=atomic ./...
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5
+      env:
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  build:
+    name: Build Artifacts
+    needs: ["lint-and-test"]
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      pull-requests: write
+    uses: ./.github/workflows/tpl-packaging.yml
+    secrets: inherit
+    with:
+      goreleaser-args: "release --clean --snapshot"
+      artifacts-cache: true
+      artifacts-cache-key: "dist-${{ github.run_id }}"
+      artifacts-publish-ci: true
+      artifacts-identifier: "${{ github.event.number == 0 && 'snapshot' || format('pr-{0}', github.event.number) }}"
+
+  upload:
+    name: Upload Artifacts - ${{ matrix.os.name }}
+    needs: ["build"]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+        - name: Linux
+          id: linux
+        - name: MacOS
+          id: darwin
+        - name: Windows
+          id: windows
+    steps:
+    - name: Get Cached Artifacts
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      with:
+        path: dist
+        key: dist-${{ github.run_id }}
+    - run: find dist
+    # The upload-artifact action doesn't support multi upload with different names.
+    - name: Upload Artifacts - AMD
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      with:
+        name: kube-rbac-extractor-${{ matrix.os.id }}-amd
+        path: |
+          dist/kube-rbac-extractor_*_${{ matrix.os.id }}_amd*
+          dist/*checksums.txt*
+    - name: Upload Artifacts - ARM
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      with:
+        name: kube-rbac-extractor-${{ matrix.os.id }}-arm
+        path: |
+          dist/kube-rbac-extractor_*_${{ matrix.os.id }}_arm*
+          dist/*checksums.txt*

.github/workflows/go-pre-release.yml

@@ -0,0 +1,54 @@
+name: Go - Pre Release
+
+on:
+  push:
+    branches:
+    - main
+
+permissions:
+  contents: read
+
+jobs:
+  pre-release:
+    name: Pre Release
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      pull-requests: write
+    steps:
+    - name: Run Release Please
+      uses: GoogleCloudPlatform/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3
+      id: release
+      with:
+        release-type: go
+        package-name: kube-rbac-extractor
+        changelog-types: |
+          [
+            {
+              "type": "feat",
+              "section": "Features",
+              "hidden": false
+            },
+            {
+              "type": "refactor",
+              "section": "Refactors",
+              "hidden": false
+            },
+            {
+              "type": "fix",
+              "section": "Bug Fixes",
+              "hidden": false
+            },
+            {
+              "type": "docs",
+              "section": "Documentation",
+              "hidden": false
+            },
+            {
+              "type": "ci",
+              "section": "Continuous Integration",
+              "hidden": false
+            }
+          ]

.github/workflows/tpl-packaging.yml

@@ -0,0 +1,95 @@
+name: Packaging
+
+on:
+  workflow_call:
+    inputs:
+      goreleaser-version:
+        default: '~> v2'
+        type: string
+      goreleaser-args:
+        required: true
+        type: string
+      artifacts-cache:
+        default: false
+        type: boolean
+      artifacts-identifier:
+        default: latest
+        type: string
+      artifacts-publish-ci:
+        default: false
+        type: boolean
+      artifacts-cache-key:
+        default: dist
+        type: string
+      artifacts-cache-path:
+        default: dist
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  run:
+    name: Run GoReleaser
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+    - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4
+      with:
+        go-version-file: go.mod
+        cache: false
+    - name: Setup Golang Caches
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+    - name: Setup Cosign
+      uses: sigstore/cosign-installer@main
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup QEMU
+      uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5
+      with:
+        version: "${{ inputs.goreleaser-version }}"
+        args: "${{ inputs.goreleaser-args }}"
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    # - name: Cleanup CI Docker Image
+    #   if: ${{ inputs.artifacts-publish-ci }}
+    #   uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
+    #   with:
+    #     token: ${{ secrets.GITHUB_TOKEN }}
+    #     package-name: kube-rbac-extractor-ci
+    #     package-type: container
+    #     min-versions-to-keep: 10
+    - name: Publish CI Docker Image
+      if: ${{ inputs.artifacts-publish-ci }}
+      run: |
+        for xarch in amd64 arm64; do
+          docker_image_src="ghcr.io/devopshivehq/kube-rbac-extractor:latest-${xarch}"
+          docker_image_dst="ghcr.io/devopshivehq/kube-rbac-extractor-ci:${{ inputs.artifacts-identifier }}-${xarch}"
+          echo "Tag and push image: ${docker_image_dst}"
+          docker tag ${docker_image_src} ${docker_image_dst}
+          docker push ${docker_image_dst}
+        done
+    - name: Cache Artifacts
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      if: ${{ inputs.artifacts-cache }}
+      with:
+        path: "${{ inputs.artifacts-cache-path }}"
+        key: "${{ inputs.artifacts-cache-key }}"

.golangci.yml

@@ -0,0 +1,64 @@
+---
+linters-settings:
+  funlen:
+    lines: 100
+    statements: 50
+  gocyclo:
+    min-complexity: 15
+  goimports:
+    local-prefixes: github.com/DevOpsHiveHQ/kube-rbac-extractor
+  govet:
+    check: true
+  misspell:
+    locale: US
+  nolintlint:
+    allow-leading-space: false # require machine-readable nolint directives (with no leading space)
+    allow-unused: false # report any unused nolint directives
+    require-explanation: true # require an explanation for nolint directives
+    require-specific: false # don't require nolint directives to be specific about which linter is being skipped
+  revive:
+    confidence: 0
+
+linters:
+  disable-all: true
+  enable:
+    - bodyclose
+    - dogsled
+    - dupl
+    - errcheck
+    - copyloopvar
+    - funlen
+    - gochecknoinits
+    - gocritic
+    - goconst
+    - gocyclo
+    - gofumpt
+    - goimports
+    - revive
+    - rowserrcheck
+    - goprintffuncname
+    - gosec
+    - gosimple
+    - govet
+    - ineffassign
+    - misspell
+    - nakedret
+    - noctx
+    - nolintlint
+    - staticcheck
+    - stylecheck
+    - sqlclosecheck
+    - typecheck
+    - unconvert
+    - unparam
+    - unused
+    - whitespace
+
+issues:
+  # Disable default exclusions.
+  # https://golangci-lint.run/usage/false-positives/#default-exclusions
+  exclude-use-default: false
+  exclude:
+  - "package-comments: .+"
+  - "ST1000: package comment should be of the form"
+  - "G304: Potential file inclusion via variable"