feat: add reproducible debian packaging with goreleaser & CI workflow

Author: MoeMahhouk

.github/workflows/checks.yml

@@ -64,10 +64,10 @@ jobs:
         run: go install mvdan.cc/[email protected]
 
       - name: Install staticcheck
-        run: go install honnef.co/go/tools/cmd/staticcheck@2025.1.1
+        run: go install honnef.co/go/tools/cmd/staticcheck@latest
 
       - name: Install golangci-lint
-        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8
+        run: go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 
       # - name: Install NilAway
       #   run: go install go.uber.org/nilaway/cmd/[email protected]

.github/workflows/release.yaml

@@ -4,12 +4,20 @@ on:
   push:
     tags:
       - 'v*'
+  workflow_dispatch:
+    inputs:
+      snapshot:
+        description: 'Create snapshot release'
+        required: false
+        default: false
+        type: boolean
 
 permissions:
   contents: write
+  packages: write
 
 jobs:
-  build_and_release:
+  release:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -20,97 +28,115 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: ^v1.24
-
-      - name: Build
-        run: make build
+          go-version: '1.24'
+          cache: true
+
+      - name: Set SOURCE_DATE_EPOCH for reproducible builds
+        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)" >> $GITHUB_ENV
+
+      - name: Set up packaging dependencies
+        run: |
+          # Install nfpm for packaging
+          echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list
+          sudo apt-get update
+          sudo apt-get install -y nfpm
+
+      - name: Import GPG key (if available)
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@v6
+        if: env.GPG_PRIVATE_KEY != ''
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
 
-      # https://goreleaser.com/cmd/goreleaser_release/
-      - name: Run GoReleaser
+      - name: Run GoReleaser (Release)
         uses: goreleaser/goreleaser-action@v6
+        if: startsWith(github.ref, 'refs/tags/') && !inputs.snapshot
         with:
           distribution: goreleaser
           version: "~> v2"
-          args: release --config .goreleaser.yaml
+          args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}
+          GPG_KEY_PATH: ${{ steps.import_gpg.outputs.keyid && format('/tmp/gpg-{0}.key', steps.import_gpg.outputs.keyid) || '' }}
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
-#   docker-image:
-#     name: Publish Docker Image
-#     runs-on: ubuntu-latest
-
-#     steps:
-#       - name: Checkout sources
-#         uses: actions/checkout@v2
-
-#       - name: Get tag version
-#         run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
-
-#       - name: Print version
-#         run: |
-#           echo $RELEASE_VERSION
-#           echo ${{ env.RELEASE_VERSION }}
-
-#       - name: Set up QEMU
-#         uses: docker/setup-qemu-action@v3
-
-#       - name: Set up Docker Buildx
-#         uses: docker/setup-buildx-action@v3
-
-#       - name: Extract metadata (tags, labels) for Docker
-#          id: meta
-#          uses: docker/metadata-action@v5
-#          with:
-#            images: flashbots/go-template
-#            tags: |
-#              type=sha
-#              type=pep440,pattern={{version}}
-#              type=pep440,pattern={{major}}.{{minor}}
-#              type=raw,value=latest,enable=${{ !contains(env.RELEASE_VERSION, '-') }}
-
-#       - name: Login to DockerHub
-#         uses: docker/login-action@v3
-#         with:
-#           username: ${{ secrets.DOCKERHUB_USERNAME }}
-#           password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-#      - name: Go Build Cache for Docker
-#        uses: actions/cache@v3
-#        with:
-#          path: go-build-cache
-#          key: ${{ runner.os }}-go-build-cache-${{ hashFiles('**/go.sum') }}
-
-#      - name: inject go-build-cache into docker
-#        uses: reproducible-containers/[email protected]
-#        with:
-#          cache-source: go-build-cache
-
-#       - name: Build and push
-#         uses: docker/build-push-action@v5
-#         with:
-#           context: .
-#           build-args: |
-#             VERSION=${{ env.RELEASE_VERSION }}
-#           push: true
-#           tags: ${{ steps.meta.outputs.tags }}
-#           labels: ${{ steps.meta.outputs.labels }}
-#           platforms: linux/amd64,linux/arm64
-#           cache-from: type=gha
-#           cache-to: type=gha,mode=max
+      - name: Run GoReleaser (Snapshot)
+        uses: goreleaser/goreleaser-action@v6
+        if: inputs.snapshot || (!startsWith(github.ref, 'refs/tags/'))
+        with:
+          distribution: goreleaser
+          version: "~> v2"
+          args: release --snapshot --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}
+          GPG_KEY_PATH: ${{ steps.import_gpg.outputs.keyid && format('/tmp/gpg-{0}.key', steps.import_gpg.outputs.keyid) || '' }}
+          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
-#   github-release:
-#     runs-on: ubuntu-latest
-#     steps:
-#       - name: Checkout sources
-#         uses: actions/checkout@v2
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: packages
+          path: |
+            dist/*.deb
+            dist/*.rpm
+            dist/*.tar.gz
+            dist/checksums.txt
+          retention-days: 30
+
+      - name: Test package installation
+        run: |
+          # Test Debian package installation
+          DEB_FILE=$(find dist -name "*httpserver*.deb" | head -1)
+          if [ -n "$DEB_FILE" ]; then
+            echo "Testing package installation: $DEB_FILE"
+            sudo dpkg -i "$DEB_FILE" || true
+            sudo apt-get -f install -y
+            
+            # Test if binary is installed and working
+            /usr/bin/go-template-httpserver --help
+            
+            # Test systemd service
+            sudo systemctl daemon-reload
+            sudo systemctl is-enabled go-template-httpserver
+            
+            echo "✅ Package installation test passed"
+          else
+            echo "❌ No .deb file found for testing"
+            exit 1
+          fi
+
+  reproducibility-test:
+    runs-on: ubuntu-latest
+    needs: release
+    if: always()
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
-#       - name: Create release
-#         id: create_release
-#         uses: actions/create-release@v1
-#         env:
-#           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-#         with:
-#           tag_name: ${{ github.ref }}
-#           release_name: ${{ github.ref }}
-#           draft: false
-#           prerelease: false
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.24'
+          cache: true
+
+      - name: Set SOURCE_DATE_EPOCH for reproducible builds
+        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --format=%ct)" >> $GITHUB_ENV
+
+      - name: Test reproducible builds
+        run: |
+          # Install GoReleaser
+          go install github.com/goreleaser/goreleaser/v2@latest
+          
+          # Run reproducibility test
+          make package-test-reproducible
+          
+          echo "✅ Reproducibility test passed"
+        env:
+          SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}