feat: add checkpointing into the backfill so we can resume from the l…

.github/workflows/validate-release.yml

@@ -67,6 +67,7 @@ jobs:
         env:
           PROJECT_ID: honk-fake-project
           RUNTIME_IMAGE: gcr.io/distroless/static:debug-nonroot
+          GORELEASER_CONFIG: .goreleaser.ci.yml
 
       - name: check binaries
         run: |

.goreleaser.ci.yml

@@ -0,0 +1,96 @@
+project_name: rekor
+version: 2
+
+env:
+  - GO111MODULE=on
+  - CGO_ENABLED=0
+  - DOCKER_CLI_EXPERIMENTAL=enabled
+  - COSIGN_YES=true
+
+# Prevents parallel builds from stepping on eachothers toes downloading modules
+before:
+  hooks:
+    - go mod tidy
+    - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
+# if running a release we will generate the images in this step
+# if running in the CI the CI env va is set by github action runner and we dont run the ko steps
+# this is needed because we are generating files that goreleaser was not aware to push to GH project release
+    - /bin/bash -c 'if [ -z "$CI" ]; then make sign-container-release; fi'
+
+gomod:
+  proxy: true
+
+sboms:
+  - artifacts: binary
+
+builds:
+  - id: rekor-server-linux
+    binary: rekor-server-linux-{{ .Arch }}
+    no_unique_dist_dir: true
+    main: ./cmd/rekor-server
+    goos:
+      - linux
+    goarch:
+      - amd64
+    flags:
+      - -trimpath
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    ldflags:
+      - "{{ .Env.SERVER_LDFLAGS }}"
+
+  - id: rekor-cli
+    binary: rekor-cli-{{ .Os }}-{{ .Arch }}
+    no_unique_dist_dir: true
+    main: ./cmd/rekor-cli
+    goos:
+      - linux
+    goarch:
+      - amd64
+    flags:
+      - -trimpath
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    ldflags:
+     - "{{ .Env.CLI_LDFLAGS }}"
+
+signs:
+  - id: rekor
+    signature: "${artifact}.sig"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--key", "gcpkms://projects/{{ .Env.PROJECT_ID }}/locations/{{ .Env.KEY_LOCATION }}/keyRings/{{ .Env.KEY_RING }}/cryptoKeys/{{ .Env.KEY_NAME }}/versions/{{ .Env.KEY_VERSION }}", "${artifact}"]
+    artifacts: binary
+  # Keyless
+  - id: rekor-keyless
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+    artifacts: binary
+  - id: checksum-keyless
+    signature: "${artifact}-keyless.sig"
+    certificate: "${artifact}-keyless.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}-keyless.sig", "--output-certificate", "${artifact}-keyless.pem", "${artifact}"]
+    artifacts: checksum
+
+archives:
+  - format: binary
+    name_template: "{{ .Binary }}"
+    allow_different_binary_count: true
+
+checksum:
+  name_template: "{{ .ProjectName }}_checksums.txt"
+
+snapshot:
+  name_template: SNAPSHOT-{{ .ShortCommit }}
+
+release:
+  prerelease: allow # remove this when we start publishing non-prerelease or set to auto
+  draft: true # allow for manual edits
+  github:
+    owner: sigstore
+    name: rekor
+  footer: |
+    ### Thanks for all contributors!
+
+  extra_files:
+    - glob: "./rekor*.yaml"