Merge pull request #2076 from smallstep/jdoss/repos
Configure GitHub Actions to publish RPMs and Debs to packages.smallstep.com
jdoss authored Nov 19, 2024
2 parents 7c9e3ff + 354af7f commit f88a136
Showing 5 changed files with 125 additions and 4 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
@@ -61,6 +61,9 @@ jobs:
contents: write
packages: write
uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
with:
enable-packages-upload: true
is-prerelease: ${{ needs.create_release.outputs.is_prerelease == 'true' }}
secrets: inherit

build_upload_docker:
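Review bot: The reusable workflow that now performs the package upload is referenced by a mutable ref, `uses: smallstep/workflows/.github/workflows/goreleaser.yml@main`, while the job passes `secrets: inherit` together with `contents: write` and `packages: write`. With `enable-packages-upload: true` that workflow presumably handles the package signing key and the cloud upload credentials, so any change landing on that branch runs with them on the next release without review in this repository. Consider pinning the ref to a full commit SHA, e.g. `uses: smallstep/workflows/.github/workflows/goreleaser.yml@<full-commit-sha>`, and passing only the secrets the release needs instead of inheriting all of them. The rendering does not mark which of these lines are new, and the job definition starts above the hunk.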
5 changes: 5 additions & 0 deletions .gitignore
@@ -22,5 +22,10 @@ go.work.sum
coverage.txt
output
vendor
dist/
.idea
.envrc

# Packages files
0x889B19391F774443-Certify.key
gha-creds-*.json
41 changes: 37 additions & 4 deletions .goreleaser.yml
@@ -1,12 +1,23 @@
# Documentation: https://goreleaser.com/customization/
# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
project_name: step-ca
version: 2

variables:
packageName: step-ca
packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this

before:
hooks:
# You may remove this if you don't use go modules.
- go mod download

after:
hooks:
# This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step.
- cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
output: true

builds:
-
id: step-ca
@@ -61,10 +72,16 @@ nfpms:
# Package metadata: dpkg --info dist/step_....deb
#
- &NFPM
id: packages
builds:
- step-ca
package_name: step-ca
file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
package_name: "{{ .Var.packageName }}"
release: "1"
file_name_template: >-
{{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
{{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
{{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
{{- .ConventionalExtension -}}
vendor: Smallstep Labs
homepage: https://github.com/smallstep/certificates
maintainer: Smallstep <[email protected]>
@@ -80,6 +97,13 @@ nfpms:
contents:
- src: debian/copyright
dst: /usr/share/doc/step-ca/copyright
rpm:
signature:
key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
deb:
signature:
key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
type: origin
-
<< : *NFPM
id: unversioned
@@ -101,6 +125,12 @@ signs:
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
artifacts: all

publishers:
- name: Google Cloud Artifact Registry
ids:
- packages
cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}

snapshot:
name_template: "{{ .Tag }}-next"

@@ -140,7 +170,10 @@ release:
#### Linux
- 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
- 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
- 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb)
- 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm)
- 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb)
- 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm)
#### OSX Darwin
@@ -198,7 +231,7 @@ release:
# - glob: ./glob/foo/to/bar/file/foobar/override_from_previous

winget:
-
-
# IDs of the archives to use.
# Empty means all IDs.
ids: [ default ]
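Review bot: The four new package links in the release-notes hunk (`@@ -140,7 +170,10 @@`) point at `https://dl.smallstep.com/gh-release/cli/gh-release-header/...`, while the neighbouring tarball link for the same project uses `gh-release/certificates/gh-release-header/`; this looks copied from the CLI repository and would send users to a path that is missing or belongs to another project. If the packages are published under this project's prefix, the links should read `.../gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_...`. Separately, `release: "1"` in the nfpm entry and `packageRelease: 1` in `variables` have to be kept equal by hand, as the comment says; a mismatch would make these links and the `publishers` arguments disagree with the built file names, so deriving both from the one variable would be safer if the template allows it.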
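--- a/scripts/package-repo-import.sh
+++ b/scripts/package-repo-import.sh
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -e
+
+: ${GCLOUD_LOCATION:=us-central1}
+: ${GCLOUD_RPM_REPO:=rpms}
+: ${GCLOUD_DEB_REPO:=debs}
+
+PACKAGE="${1}"
+VERSION="${2}"
+RELEASE="1"
+EPOCH="0"
+GORELEASER_PHASE=${GORELEASER_PHASE:-release}
+
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+
+check_package() {
+local EXITCODE=0
+local REPO="${1}"
+local VER="${2}"
+if [ ! -f /tmp/version-deleted.stamp ]; then
+gcloud artifacts versions list \
+--repository "${REPO}" \
+--location "${GCLOUD_LOCATION}" \
+--package "${PACKAGE}" \
+--filter "VERSION:${VER}" \
+--format json 2> /dev/null \
+| jq -re '.[].name?' >/dev/null 2>&1 \
+|| EXITCODE=$?
+if [[ "${EXITCODE}" -eq 0 ]]; then
+echo "Package version already exists. Removing it..."
+gcloud artifacts versions delete \
+--quiet "${VER}" \
+--package "${PACKAGE}" \
+--repository "${REPO}" \
+--location "${GCLOUD_LOCATION}"
+touch /tmp/version-deleted.stamp
+fi
+fi
+}
+
+if [[ ${IS_PRERELEASE} == "true" ]]; then
+echo "Skipping artifact import; IS_PRERELEASE is 'true'"
+exit 0;
+fi
+
+check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}"
+gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \
+--location "${GCLOUD_LOCATION}" \
+--gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*"
+
+check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}
+gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \
+--location "${GCLOUD_LOCATION}" \
+--gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*"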
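Review bot: The Debian pre-import check is called as `check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}`, so a stray `}` is appended to the version and the lookup is unlikely to match an existing version; it should read `check_package "${GCLOUD_DEB_REPO}" "${VERSION}-${RELEASE}"`. The guard file `/tmp/version-deleted.stamp` also turns the second call into a no-op whenever the RPM call deleted a version, and a stamp left behind on a reused runner disables both checks; a variable local to the script, or a `mktemp` path removed on exit, would avoid depending on a fixed, shared `/tmp` name. Because the `gcloud artifacts versions list` call runs with `2> /dev/null` and any failure is read as "version not present", an authentication or permission error is indistinguishable from a clean repository and deserves a log line. The script also replaces an already published version in place, which is worth a header comment stating when that is intended, since clients that cached the earlier package would see different contents under the same version.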
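--- a/scripts/package-upload.sh
+++ b/scripts/package-upload.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+FILE="${1}"
+PACKAGE="${2}"
+VERSION="${3}"
+
+echo "Package File: ${FILE}"
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+echo "Release: ${RELEASE}"
+echo "Location: ${GCLOUD_LOCATION}"
+
+if [ "${FILE: -4}" == ".deb" ]; then
+if [[ "${FILE}" =~ "armhf6" ]]; then
+echo "Skipping ${FILE} due to GCP Artifact Registry armhf conflict!"
+else
+gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/
+fi
+else
+gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/
+fi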
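Review bot: `${FILE}`, `${PACKAGE}` and `${VERSION}` are expanded unquoted in both `gcloud storage cp` calls and are never checked for being non-empty, so a path containing whitespace or a missing argument changes which object is written where (a constructed example: `gs://artifacts-outgoing//deb//`), and the import script later pulls everything under that prefix with a `*` glob. Quote the expansions, `gcloud storage cp "${FILE}" "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/"`, and fail early with `set -u` or `: "${3:?version required}"`. `RELEASE` is echoed but never assigned although the publisher passes a fourth argument, so `RELEASE="${4}"` seems to be missing. The final `else` treats every non-`.deb` file as an RPM; an explicit `.rpm` test would keep other artifact types out of the RPM prefix.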
