Add UPX support (#70)

* Add UPX support * Rework documentation list
superorbital · Jan 6, 2022 · c4375ce · c4375ce
1 parent b0de132
commit c4375ce
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 8 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -60,13 +60,20 @@ jobs:
         # We are on the main branch and do not have an existing tagged release
         if: "github.ref == 'refs/heads/main' && steps.changelog.outputs.version != steps.lasttag.outputs.version"
         run: make build
+      - name: Compress Binaries via UPX
+        uses: crazy-max/ghaction-upx@v1
+        with:
+          version: latest
+          files: |
+            ./builds/*
+          args: -fq9
       - name: GitHub Release - Non-Production
         if: "github.ref == 'refs/heads/main' && steps.changelog.outputs.version != steps.lasttag.outputs.version && steps.changelog.outputs.status == 'prerelease'"
         uses: softprops/action-gh-release@v1
         with:
           token: ${{ secrets.GH_TOKEN }}
           files: |
-            builds/*
+            ./builds/*
           prerelease: true
           fail_on_unmatched_files: true
           draft: false
@@ -76,6 +83,22 @@ jobs:
             ### Container Images
             * [cludo](https://hub.docker.com/r/superorbital/cludo)
             * [cludod](https://hub.docker.com/r/superorbital/cludod)
+            
+            #### Software Supply Chain Security
+            
+            We sign all release containers with [cosign](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
+            
+            You can verify these signatures using the following commands:
+            
+            ```sh
+            COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludo:${{ steps.changelog.outputs.version }}
+            COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludod:${{ steps.changelog.outputs.version }}
+            ```
+            
+            ### Binaries
+            
+            * All binaries are compressed with [UPX](https://upx.github.io/), to save on bandwidth and storage space.
+            
           tag_name: ${{ steps.changelog.outputs.version }}
           name: Release ${{ steps.changelog.outputs.version }}
       - name: GitHub Release - Production
@@ -94,6 +117,22 @@ jobs:
             ### Container Images
             * [cludo](https://hub.docker.com/r/superorbital/cludo)
             * [cludod](https://hub.docker.com/r/superorbital/cludod)
+            
+            #### Software Supply Chain Security
+            
+            We sign all release containers with [cosign](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
+            
+            You can verify these signatures using the following commands:
+            
+            ```sh
+            COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludo:${{ steps.changelog.outputs.version }}
+            COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludod:${{ steps.changelog.outputs.version }}
+            ```
+            
+            ### Binaries
+            
+            * All binaries are compressed with [UPX](https://upx.github.io/), to save on bandwidth and storage space.
+            
           tag_name: ${{ steps.changelog.outputs.version }}
           name: Release ${{ steps.changelog.outputs.version }}
       - name: Install Cosign

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
@@ -95,6 +95,9 @@ The workflow looks something like this:
   * Build  `cludo` and `cludod` binaries for Github release
     * We only do this step if:
       * We **ARE** on the `main` branch and a new version has been identified in `CHANGELOG.md`.
+  * Compress Binaries via UPX
+    * We only do this step if:
+      * We **ARE** on the `main` branch and a new version has been identified in `CHANGELOG.md`.
   * Create a **non-production release** on Github
     * We only do this step if:
       * We **ARE** on the `main` branch, a new version has been identified in `CHANGELOG.md`, and the release version has a suffix (*e.g. `v0.0.1-alpha`*)

diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Cludo - Cloud Sudo
+# Cludo (Cloud Sudo)
 
 * [Github Repo](https://github.com/superorbital/cludo)
 * [cludo](https://hub.docker.com/r/superorbital/cludo) and  [cludod](https://hub.docker.com/r/superorbital/cludod) container images
@@ -11,15 +11,17 @@ The `cludo` command is run locally on the developer machine. It gets temporary A
 
 `cludo` currently only supports AWS, but we plan to expand to many other backends in the future.
 
-This README documents the client.  See also [SERVER.md](SERVER.md) and [DEVELOPMENT.md](DEVELOPMENT.md).
+This README primarily documents the client (`cludo`). [A list of additional documentation can be found here](#other-documentation).
 
-## Installation
+## Client Documentation
+
+### Installation
 
 ``` bash
 go get -u github.com/superorbital/cludo/cmd/cludo/cludo
 ```
 
-## Configuration
+### Configuration
 
 The `cludo` client will read _both_ your user's `~/.cludo/cludo.yaml` file and the `cludo.yaml` file in your current working directory.  This allows you to configure per-repo and per-user aspects separately.
 
@@ -51,11 +53,11 @@ Key             |  Description                                        | Environm
 `target`        |  URL of the `cludo-server` instance to connect to.  | `CLUDO_TARGET`
 `ssh_key_paths` |  Paths to the private keys used for authentication. | `CLUDO_SSH_KEY_PATHS`
 
-## Authentication with the `cludod` server
+### Authentication with the `cludod` server
 
 Cludo uses SSH keys for authentication.  The client will try all of the keys listed in the `ssh_key_paths` setting when authenticating with the server until one succeeds (or they all fail).
 
-## Usage
+### Usage
 
 ```
 cludo <command> [options]
@@ -79,7 +81,7 @@ You can add `--debug` to get some extra debugging output.
 
 We also provide a docker image (`superorbital/cludo`). Just provide a `/etc/cludo/cludo.yaml` config file!
 
-## AWS
+### AWS
 
 The AWS backend provides the following environment variables:
 
@@ -92,6 +94,14 @@ Environment Variable | Description
 
 Each time a `cludo` command that uses an environment is run, a new AWS session token is generated.
 
+## Other Documentation
+
+* [Changelog](./CHANGELOG.md)
+* [Code of Conduct](./CODE_OF_CONDUCT.md)
+* [Development](./DEVELOPMENT.md)
+* [License](./LICENSE)
+* [Server - cludod](./SERVER.md)
+
 ## Comparisons to other tools
 
 Cludo is heavily inspired by [the venerable `aws-vault` tool](https://github.com/99designs/aws-vault).  `aws-vault` is entirely client-side, meaning you don't need a centralized authentication server.  But this also means that each developer is responsible for configuring the tool correctly and consistently.  This also requires that the master credentials be stored on each workstation (via one of many encrypted backends).  If you're a solo developer, then Cludo is overkill, and `aws-vault` is the right tool for you.