Add scripts to generate signed checksums for binaries (#475)

* First draft on generating checksum for linux builds

* Add checksum and signing functions to Makefile

* Add Download and Veryfying binaries section to README

* Remove step for releasing latest versions from circleci

* Delete unnecessary release scripts

Author: f-moya

.circleci/config.yml

@@ -28,16 +28,6 @@ jobs:
       - run: make build-linux-all VERSION=head
       - run: make publish-head
 
-  release_linux:
-    <<: *linux_image
-    steps:
-      - checkout
-      - run: sudo apt-get install awscli
-      - run: make build-linux-all
-      - run: make build-linux-all VERSION=latest
-      - run: make publish-latest
-      - run: make publish-version
-
   test_macos:
     <<: *macos_image
     steps:
@@ -64,31 +54,6 @@ jobs:
             make build-darwin VERSION=head
             make publish-head
 
-  release_macos:
-    <<: *macos_image
-    steps:
-      - checkout
-      - run: pip install awscli
-      - run:
-          command: sh .circleci/xcode_install_go
-      - run:
-          name: Build & Upload artifacts to S3
-          command: |
-            cd $GOPATH/src/github.com/codeclimate/test-reporter
-            make build-darwin
-            make build-darwin VERSION=latest
-            make publish-latest
-            make publish-version
-
-  github_release:
-    <<: *linux_image
-    steps:
-      - run: sudo apt install hub
-      - checkout
-      - run:
-          name: Create new GH release
-          command: sh release-scripts/gh_release
-
 workflows:
   version: 2
   build_deploy:
@@ -111,26 +76,6 @@ workflows:
             branches:
               only:
                 - master
-      - release_linux:
-          requires:
-            - test_linux
-            - test_macos
-          filters:
-            branches:
-              only: /^v\d+\.\d+\.\d+$/
-      - release_macos:
-          requires:
-            - test_linux
-            - test_macos
-          filters:
-            branches:
-              only: /^v\d+\.\d+\.\d+$/
-      - github_release:
-          requires:
-            - release_linux
-          filters:
-            branches:
-              only: /^v\d+\.\d+\.\d+$/
 
 notify:
   webhooks:

Makefile

@@ -1,9 +1,10 @@
 .PHONY: test-docker build-docker build-linux-cgo release test-excoveralls
 
 AWS ?= $(shell which aws)
+SHA_SUM ?= $(shell which shasum)
+GPG ?= $(shell which gpg)
+TAR ?= $(shell which tar)
 DOCKER_RUN ?= $(shell which docker) run --rm
-GIT_PUSH ?= $(shell which git) push
-GIT_TAG ?= $(shell which git) tag --sign
 PANDOC ?= $(shell which pandoc)
 
 MAN_FILES = $(wildcard man/*.md)
@@ -14,6 +15,7 @@ VERSION ?= $(shell cat VERSIONING/VERSION)
 BUILD_VERSION = $(shell git log -1 --pretty=format:'%H')
 BUILD_TIME = $(shell date +%FT%T%z)
 LDFLAGS = -ldflags "-X $(PROJECT)/version.Version=${VERSION} -X $(PROJECT)/version.BuildVersion=${BUILD_VERSION} -X $(PROJECT)/version.BuildTime=${BUILD_TIME}"
+ARTIFACTS_OUTPUT = artifacts.tar.gz
 
 define upload_artifacts
 	$(AWS) s3 cp \
@@ -24,6 +26,12 @@ define upload_artifacts
 	  artifacts/bin/ s3://codeclimate/test-reporter/;
 endef
 
+define gen_signed_checksum
+	cd artifacts/bin && \
+	  $(SHA_SUM) -a 256 test-reporter-$(VERSION)-$(1) > test-reporter-$(VERSION)-$(1).sha256 && \
+	  $(GPG) --local-user $(GPG_CODECLIMATE_FINGERPRINT) --output test-reporter-$(VERSION)-$(1).sha256.sig --detach-sig test-reporter-$(VERSION)-$(1).sha256
+endef
+
 man/%: man/%.md
 	$(PANDOC) -s -t man $< -o $@
 
@@ -133,18 +141,36 @@ publish-latest:
 publish-version:
 	$(call upload_artifacts,$(VERSION))
 
+gen-linux-checksum:
+	$(call gen_signed_checksum,linux-amd64)
+
+gen-linux-cgo-checksum:
+	$(call gen_signed_checksum,netcgo-linux-amd64)
+
+gen-darwin-checksum:
+	$(call gen_signed_checksum,darwin-amd64)
+
 clean:
 	sudo $(RM) -r ./artifacts
 	$(RM) $(MAN_PAGES)
 
+tag:
+	$(TAR) -c -f ${ARTIFACTS_OUTPUT} ./artifacts/bin/test-reporter-${VERSION}-* && \
+	  hub release create -a ${ARTIFACTS_OUTPUT} -m "v${VERSION}" ${VERSION}
 
 # Must be run in a OS X machine. OS X binary is build natively.
 manual-release:
 	$(MAKE) build-docker-linux
 	$(MAKE) build-docker-linux-cgo
 	$(MAKE) build-darwin
+	$(MAKE) gen-linux-checksum
+	$(MAKE) gen-linux-cgo-checksum
+	$(MAKE) gen-darwin-checksum
 	$(MAKE) build-docker-linux VERSION=latest
 	$(MAKE) build-docker-linux-cgo VERSION=latest
 	$(MAKE) build-darwin VERSION=latest
+	$(MAKE) gen-linux-checksum VERSION=latest
+	$(MAKE) gen-linux-cgo-checksum VERSION=latest
+	$(MAKE) gen-darwin-checksum VERSION=latest
 	$(MAKE) publish-version
 	$(MAKE) publish-latest

README.md

@@ -13,13 +13,67 @@ For installation instructions, check out our docs on [Configuring Test Coverage]
 
 To sign up for Code Climate, head [here](https://codeclimate.com/quality/pricing/).
 
-## Releasing a new version
+# Versioning
+The test reporter's current version is documented in [VERSIONING/VERSION](https://github.com/codeclimate/test-reporter/blob/master/VERSIONING/VERSION), following the [Semantic Versioning](https://semver.org/) convention.
 
-Test reporter's new versions are released automatically when pushing to branches that match `vx.x.x`. The test reporter's current version is documented in [VERSIONING/VERSION](https://github.com/codeclimate/test-reporter/blob/master/VERSIONING/VERSION), following the [Semantic Versioning](https://semver.org/) convention.
+# Binaries
 
-There are two script helpers for creating a new release:
-- [release-scripts/prep-release](https://github.com/codeclimate/test-reporter/blob/master/release-scripts/prep-release) which will create a new pull request, patching the current version. If you need to create a new MINOR or MAJOR version creating a manual pull request is the way to go.
-- [release-scripts/release](https://github.com/codeclimate/test-reporter/blob/master/release-scripts/release) This script will create a new branch named `vx.x.x` that matches the version indicated in [VERSIONING/VERSION](https://github.com/codeclimate/test-reporter/blob/master/VERSIONING/VERSION), which should trigger the CI for creating a new release.
+## Download
+The test reporter is distributed as a pre-built binary named cc-test-reporter. You can fetch the pre-built binary from the following URLs:
+
+### Linux
+- [codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64)
+- [codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-linux-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-linux-amd64)
+
+
+### Linux netcgo (recommended if you're using a VPN)
+- [codeclimate.com/downloads/test-reporter/test-reporter-latest-netcgo-linux-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-latest-netcgo-linux-amd64)
+- [codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-netcgo-linux-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-netcgo-linux-amd64)
+
+### OS X
+- [codeclimate.com/downloads/test-reporter/test-reporter-latest-darwin-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-latest-darwin-amd64)
+- [codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64](https://codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64)
+
+
+#### e.g
+>```console
+>$ curl -O https://codeclimate.com/downloads/test-reporter/test-reporter-0.10.1-darwin-amd64
+>```
+
+## Verifying binaries
+
+Along with the binaries you can download a file with a SHA 256 checksum for the given version from the link shown below, or you can attach it to your clipboard from the [docs page](https://docs.codeclimate.com/docs/configuring-test-coverage#locations-of-pre-built-binaries).
+
+- [codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64.sha256](https://codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64.sha256)
+
+To download the file containing the checksum using `curl`:
+#### e.g
+>```console
+>$ curl -O https://codeclimate.com/downloads/test-reporter/test-reporter-0.10.1-darwin-amd64.sha256
+>```
+
+To check that a downloaded file matches the checksum, run it through `shasum` with a command such as:
+
+```console
+$ grep test-reporter-${VERSION}-darwin-amd64  test-reporter-${VERSION}-darwin-amd64.sha256 | shasum -a 256 -c -
+```
+
+The GPG detached signature of SHA checksums can be download analogously from the following url:
+
+- [codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64.sha256.sig](https://codeclimate.com/downloads/test-reporter/test-reporter-${VERSION}-darwin-amd64.sha256.sig)
+
+You can use it with `gpg` to verify the integrity of your downloaded checksum. You will first need to import
+the GPG publick key. To import the key:
+
+```console
+$ gpg --keyserver  keys.openpgp.org --recv-keys 9BD9E2DD46DA965A537E5B0A5CBF320243B6FD85
+```
+
+Then use the following command to verify the file's signature.
+
+```console
+$ gpg --verify test-reporter-${VERSION}-darwin-amd64.sha256.sig test-reporter-${VERSION}-darwin-amd64.sha256
+```
 
 ## Copyright