diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c27165d..0974b0c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -60,13 +60,20 @@ jobs: # We are on the main branch and do not have an existing tagged release if: "github.ref == 'refs/heads/main' && steps.changelog.outputs.version != steps.lasttag.outputs.version" run: make build + - name: Compress Binaries via UPX + uses: crazy-max/ghaction-upx@v1 + with: + version: latest + files: | + ./builds/* + args: -fq9 - name: GitHub Release - Non-Production if: "github.ref == 'refs/heads/main' && steps.changelog.outputs.version != steps.lasttag.outputs.version && steps.changelog.outputs.status == 'prerelease'" uses: softprops/action-gh-release@v1 with: token: ${{ secrets.GH_TOKEN }} files: | - builds/* + ./builds/* prerelease: true fail_on_unmatched_files: true draft: false @@ -76,6 +83,22 @@ jobs: ### Container Images * [cludo](https://hub.docker.com/r/superorbital/cludo) * [cludod](https://hub.docker.com/r/superorbital/cludod) + + #### Software Supply Chain Security + + We sign all release containers with [cosign](https://github.com/sigstore/cosign/blob/main/KEYLESS.md). + + You can verify these signatures using the following commands: + + ```sh + COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludo:${{ steps.changelog.outputs.version }} + COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludod:${{ steps.changelog.outputs.version }} + ``` + + ### Binaries + + * All binaries are compressed with [UPX](https://upx.github.io/), to save on bandwidth and storage space. + tag_name: ${{ steps.changelog.outputs.version }} name: Release ${{ steps.changelog.outputs.version }} - name: GitHub Release - Production 
@@ -94,6 +117,22 @@ jobs: ### Container Images * [cludo](https://hub.docker.com/r/superorbital/cludo) * [cludod](https://hub.docker.com/r/superorbital/cludod) + + #### Software Supply Chain Security + + We sign all release containers with [cosign](https://github.com/sigstore/cosign/blob/main/KEYLESS.md). + + You can verify these signatures using the following commands: + + ```sh + COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludo:${{ steps.changelog.outputs.version }} + COSIGN_EXPERIMENTAL=1 cosign verify superorbital/cludod:${{ steps.changelog.outputs.version }} + ``` + + ### Binaries + + * All binaries are compressed with [UPX](https://upx.github.io/), to save on bandwidth and storage space. + tag_name: ${{ steps.changelog.outputs.version }} name: Release ${{ steps.changelog.outputs.version }} - name: Install Cosign diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index f6019e4..19e3a02 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -95,6 +95,9 @@ The workflow looks something like this: * Build `cludo` and `cludod` binaries for Github release * We only do this step if: * We **ARE** on the `main` branch and a new version has been identified in `CHANGELOG.md`. + * Compress Binaries via UPX + * We only do this step if: + * We **ARE** on the `main` branch and a new version has been identified in `CHANGELOG.md`. * Create a **non-production release** on Github * We only do this step if: * We **ARE** on the `main` branch, a new version has been identified in `CHANGELOG.md`, and the release version has a suffix (*e.g. `v0.0.1-alpha`*) diff --git a/README.md b/README.md index ecdeb0a..9d522b1 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Cludo - Cloud Sudo +# Cludo (Cloud Sudo) * [Github Repo](https://github.com/superorbital/cludo) * [cludo](https://hub.docker.com/r/superorbital/cludo) and [cludod](https://hub.docker.com/r/superorbital/cludod) container images 
@@ -11,15 +11,17 @@ The `cludo` command is run locally on the developer machine. It gets temporary A `cludo` currently only supports AWS, but we plan to expand to many other backends in the future. -This README documents the client. See also [SERVER.md](SERVER.md) and [DEVELOPMENT.md](DEVELOPMENT.md). +This README primarily documents the client (`cludo`). [A list of additional documentation can be found here](#other-documentation). -## Installation +## Client Documentation + +### Installation ``` bash go get -u github.com/superorbital/cludo/cmd/cludo/cludo ``` -## Configuration +### Configuration The `cludo` client will read _both_ your user's `~/.cludo/cludo.yaml` file and the `cludo.yaml` file in your current working directory. This allows you to configure per-repo and per-user aspects separately. @@ -51,11 +53,11 @@ Key | Description | Environm `target` | URL of the `cludo-server` instance to connect to. | `CLUDO_TARGET` `ssh_key_paths` | Paths to the private keys used for authentication. | `CLUDO_SSH_KEY_PATHS` -## Authentication with the `cludod` server +### Authentication with the `cludod` server Cludo uses SSH keys for authentication. The client will try all of the keys listed in the `ssh_key_paths` setting when authenticating with the server until one succeeds (or they all fail). -## Usage +### Usage ``` cludo [options] @@ -79,7 +81,7 @@ You can add `--debug` to get some extra debugging output. We also provide a docker image (`superorbital/cludo`). Just provide a `/etc/cludo/cludo.yaml` config file! -## AWS +### AWS The AWS backend provides the following environment variables: 
@@ -92,6 +94,14 @@ Environment Variable | Description Each time a `cludo` command that uses an environment is run, a new AWS session token is generated. +## Other Documentation + +* [Changelog](./CHANGELOG.md) +* [Code of Conduct](./CODE_OF_CONDUCT.md) +* [Development](./DEVELOPMENT.md) +* [License](./LICENSE) +* [Server - cludod](./SERVER.md) + ## Comparisons to other tools Cludo is heavily inspired by [the venerable `aws-vault` tool](https://github.com/99designs/aws-vault). `aws-vault` is entirely client-side, meaning you don't need a centralized authentication server. But this also means that each developer is responsible for configuring the tool correctly and consistently. This also requires that the master credentials be stored on each workstation (via one of many encrypted backends). If you're a solo developer, then Cludo is overkill, and `aws-vault` is the right tool for you.
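Review bot: The new `Compress Binaries via UPX` step in the first `ci.yaml` hunk has no `if:` guard, while the `make build` step directly above it only runs when `github.ref == 'refs/heads/main'` and `steps.changelog.outputs.version != steps.lasttag.outputs.version`; on every other run `./builds/*` will not exist and the action is invoked against an empty glob. Copy the same `if:` expression onto the UPX step. Two smaller points on the same step: `version: latest` and `uses: crazy-max/ghaction-upx@v1` both resolve at run time, so two builds of the same tag can be packed by different UPX releases and different action code; pin `version:` to a specific UPX release and the action to a commit SHA if reproducible release artifacts matter. Also, UPX-packed executables are a well-known trigger for antivirus and EDR heuristics, so some users will see the downloaded `cludo` binary flagged or quarantined; if the bandwidth saving is worth that, say so, and publish checksums of the packed files so users can confirm what they downloaded.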
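Review bot: The `cosign verify` commands added to the non-production release body (second `ci.yaml` hunk) give users no signing identity to check against. In keyless mode a bare `cosign verify superorbital/cludo:<version>` only proves that some Fulcio-issued certificate signed the image; it does not prove the signer was this repository's release workflow. Document the expected certificate identity and OIDC issuer next to the command (with cosign 2.x the `--certificate-identity` and `--certificate-oidc-issuer` flags are mandatory for this, and `COSIGN_EXPERIMENTAL=1` is no longer needed). The `### Binaries` subsection only says the binaries are UPX-compressed; unlike the containers, nothing in the body tells users how to verify a downloaded binary, so either sign those too or at least publish checksums and reference them here.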
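Review bot: The third `ci.yaml` hunk pastes the same release body (the `#### Software Supply Chain Security` section, the two verify commands and the `### Binaries` note) into the production release step verbatim. Two copies of a multi-line body that must stay in sync will drift the first time the verify instructions change; keep the text in one file in the repository and point both `softprops/action-gh-release` steps at it with `body_path:` so it is edited once.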
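Review bot: The DEVELOPMENT.md hunk states that the `Compress Binaries via UPX` step only runs when we are on `main` and a new version has been identified in `CHANGELOG.md`, but the step as added to `ci.yaml` in this same patch carries no `if:` condition, so the documentation describes a guard the workflow does not have. Either add the guard to the step or change this bullet to say the step runs unconditionally after the build.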
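Review bot: The README hunk that moves the client docs under `### Installation` keeps `go get -u github.com/superorbital/cludo/cmd/cludo/cludo` as the install command. `go get` was deprecated for installing executables in Go 1.17 and no longer builds or installs anything in module mode from Go 1.18, and `-u` pulls the newest versions of every dependency rather than the ones the release was tested with. Recommend `go install github.com/superorbital/cludo/cmd/cludo/cludo@<version>` instead, pinned to the tag the release notes advertise.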