webdestroya · webdestroya · Apr 16, 2026 · May 13, 2025 · Apr 16, 2026 · Apr 16, 2026
@@ -14,37 +14,45 @@ permissions:
   id-token: write # needed for keyless signing
   packages: write # needed for ghcr access
   attestations: write # needed for provenance
+  artifact-metadata: write
 
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version-file: go.mod
+          go-version-file: .tool-versions
 
-      - uses: sigstore/cosign-installer@v3.8.0 # installs cosign
+      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
 
-      - uses: anchore/sbom-action/download-syft@v0.18.0 # installs syft
+      - uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
 
-      - uses: docker/login-action@v3 # login to ghcr
+      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
+
+      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: goreleaser/goreleaser-action@v6 # run goreleaser
+      - name: Get GoReleaser version
+        id: goreleaser-version
+        run: echo "version=v$(grep '^goreleaser ' .tool-versions | awk '{print $2}')" >> "$GITHUB_OUTPUT"
+
+      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
         with:
-          version: '~> v2'
+          distribution: goreleaser
+          version: ${{ steps.goreleaser-version.outputs.version }}
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_SCOOP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_SCOOP_GITHUB_TOKEN }}
 
-      - uses: actions/attest-build-provenance@v2
+      - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4
         with:
           subject-checksums: ./dist/checksums.txt
@@ -0,0 +1,32 @@
+name: Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - .github/workflows/test.yml
+      - .tool-versions
+      - internal/**
+      - cmd/**
+      - go.mod
+      - go.sum
+      - main.go
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Go Tests
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        with:
+          go-version-file: .tool-versions
+
+      - name: Run tests
+        run: go test -v -race -count=1 ./...
@@ -41,7 +41,8 @@ gomod:
   proxy: true
 
 archives:
-  - formats:
+  - id: homebrew
+    formats:
       - tar.gz
     name_template: >-
       {{ .ProjectName }}_
@@ -57,27 +58,31 @@ archives:
     files:
       - completions/*
 
-brews:
-  - repository:
+homebrew_casks:
+  - ids:
+      - homebrew
+    name: awssso
+    repository:
       owner: webdestroya
       name: homebrew-tap
       branch: main
       token: "{{ .Env.HOMEBREW_SCOOP_GITHUB_TOKEN }}"
-    directory: Formula
     homepage: https://github.com/webdestroya/aws-sso
-    url_template: "https://github.com/webdestroya/aws-sso/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+    url:
+      template: "https://github.com/webdestroya/aws-sso/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
     description: "Writes credentials for AWS SSO'd accounts so that older applications can use them."
     skip_upload: auto
     license: "MIT"
+    binaries:
+      - awssso
     commit_author:
       name: cloud87bot
       email: 114977785+cloud87bot@users.noreply.github.com
-    test: |
-      system "#{bin}/awssso --help"
-    extra_install: |
-      bash_completion.install "completions/awssso.bash" => "awssso"
-      fish_completion.install "completions/awssso.fish" => "awssso.fish"
-      zsh_completion.install "completions/awssso.zsh" => "_awssso"
+    hooks:
+      post:
+        install: |
+          system_command "/usr/bin/xattr", args: ["-dr", "com.apple.quarantine", "#{staged_path}/groundskeeper"]
+
 
 scoops:
   - repository:
@@ -134,13 +139,11 @@ sboms:
 
 signs:
   - cmd: cosign
-    certificate: "${artifact}.pem"
     args:
       - sign-blob
-      - "--output-certificate=${certificate}"
-      - "--output-signature=${signature}"
+      - "--bundle=${signature}"
       - "${artifact}"
-      - "--yes" # needed on cosign 2.0.0+
+      - "--yes"
     artifacts: checksum
     output: true
 
@@ -151,23 +154,23 @@ changelog:
       - "^docs:"
       - "^test:"
 
-dockers:
-  - image_templates:
-      - "ghcr.io/webdestroya/aws-sso:{{ .Tag }}"
-    dockerfile: Dockerfile
-    build_flag_templates:
-      - "--pull"
-      - "--label=org.opencontainers.image.created={{.Date}}"
-      - "--label=org.opencontainers.image.name={{.ProjectName}}"
-      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-      - "--label=org.opencontainers.image.version={{.Version}}"
-      - "--label=org.opencontainers.image.source={{.GitURL}}"
+dockers_v2:
+  - images:
+      - "ghcr.io/webdestroya/aws-sso"
+    tags:
+      - "v{{ .Version }}"
+      - latest
+    labels:
+      "org.opencontainers.image.created": "{{.Date}}"
+      "org.opencontainers.image.name": "{{.ProjectName}}"
+      "org.opencontainers.image.revision": "{{.FullCommit}}"
+      "org.opencontainers.image.version": "{{.Version}}"
+      "org.opencontainers.image.source": "{{.GitURL}}"
 
 docker_signs:
   - cmd: cosign
-    artifacts: images
     output: true
     args:
       - "sign"
-      - "${artifact}"
+      - "${artifact}@${digest}"
       - "--yes"
@@ -1 +1,3 @@
-golang 1.24.0
+golang 1.26.0
+goreleaser 2.14.0
+golangci-lint 2.10.1
@@ -0,0 +1,3 @@
+{
+  "go.testTags": "testmode,nodev"
+}
@@ -1,3 +1,12 @@
+FROM --platform=$BUILDPLATFORM alpine:latest AS certloader
+RUN apk add --no-cache ca-certificates
+RUN update-ca-certificates
+
 FROM scratch
-COPY awssso /usr/bin/awssso
+ARG TARGETPLATFORM
+
+# Copy CA Certificates
+COPY --from=certloader /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+COPY ${TARGETPLATFORM}/awssso /usr/bin/awssso
 ENTRYPOINT [ "/usr/bin/awssso" ]
@@ -0,0 +1,17 @@
+version: '3'
+
+tasks:
+  test:release:
+    desc: Build a snapshot release locally
+    silent: true
+    cmd: goreleaser release --skip publish,sign,docker --clean --snapshot
+
+  test:
+    desc: Run all tests
+    silent: true
+    cmd: go test -v -timeout 30s -tags nodev,testmode ./...
+
+  outdated:
+    desc: List outdated direct dependencies
+    silent: true
+    cmd: go list -u -m -f '{{`{{if not .Indirect}}{{if .Update}}{{.}}{{end}}{{end}}`}}' all