From 2b4894a87136757bd01d1cf2be3c591f086b5572 Mon Sep 17 00:00:00 2001 From: Joe Doss Date: Mon, 18 Nov 2024 11:35:50 -0600 Subject: [PATCH 1/4] Configure GitHub Actions to publish RPMs and Debs to packages.smallstep.com. --- .github/workflows/release.yml | 3 ++ .gitignore | 5 +++ .goreleaser.yml | 41 ++++++++++++++++++++++--- scripts/package-repo-import.sh | 56 ++++++++++++++++++++++++++++++++++ scripts/package-upload.sh | 24 +++++++++++++++ 5 files changed, 125 insertions(+), 4 deletions(-) create mode 100644 scripts/package-repo-import.sh create mode 100644 scripts/package-upload.sh diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 98918edae..311ab00b1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -61,6 +61,9 @@ jobs: contents: write packages: write uses: smallstep/workflows/.github/workflows/goreleaser.yml@main + with: + enable-packages-upload: true + is-prerelease: ${{ needs.create_release.outputs.is_prerelease == 'true' }} secrets: inherit build_upload_docker: diff --git a/.gitignore b/.gitignore index 42e960498..c17ed53a2 100644 --- a/.gitignore +++ b/.gitignore @@ -22,5 +22,10 @@ go.work.sum coverage.txt output vendor +dist/ .idea .envrc + +# Packages files +0x889B19391F774443-Certify.key +gha-creds-*.json diff --git a/.goreleaser.yml b/.goreleaser.yml index 54368e97d..411ebae93 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
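Review bot: The new `with:` block switches on `enable-packages-upload` for a reusable workflow that the context line above references as `smallstep/workflows/.github/workflows/goreleaser.yml@main` with `secrets: inherit`, so a mutable branch ref now decides what code handles the signing key and registry credentials behind this upload; pinning the `uses:` line to a commit SHA with the tag in a trailing comment would keep that trust boundary reviewable. The `is-prerelease` input is the boolean result of `needs.create_release.outputs.is_prerelease == 'true'`, while `scripts/package-repo-import.sh` later tests `${IS_PRERELEASE} == "true"` as a string, which works only if the called workflow exports the input verbatim — worth confirming in the called workflow, which is outside this hunk. The enclosing job definition begins before the hunk.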
@@ -1,12 +1,23 @@ # Documentation: https://goreleaser.com/customization/ +# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json project_name: step-ca version: 2 +variables: + packageName: step-ca + packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this + before: hooks: # You may remove this if you don't use go modules. - go mod download +after: + hooks: + # This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step. + - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }} + output: true + builds: - id: step-ca @@ -61,10 +72,16 @@ nfpms: # Package metadata: dpkg --info dist/step_....deb # - &NFPM + id: packages builds: - step-ca - package_name: step-ca - file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" + package_name: "{{ .Var.packageName }}" + release: "1" + file_name_template: >- + {{- trimsuffix .ConventionalFileName .ConventionalExtension -}} + {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}} + {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}} + {{- .ConventionalExtension -}} vendor: Smallstep Labs homepage: https://github.com/smallstep/certificates maintainer: Smallstep @@ -80,6 +97,13 @@ nfpms: contents: - src: debian/copyright dst: /usr/share/doc/step-ca/copyright + rpm: + signature: + key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}" + deb: + signature: + key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}" + type: origin - << : *NFPM id: unversioned 
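Review bot: `release: "1"` in the `&NFPM` block (second hunk) hard-codes the same number that `variables.packageRelease` (first hunk) defines, and the comment on `packageRelease` asks maintainers to keep the two in step by hand; `release: "{{ .Var.packageRelease }}"` would remove that drift, assuming nfpm's `release` field is templateable in the goreleaser version in use. In the third hunk both `key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"` entries abort the build when the variable is unset, since goreleaser templates error on missing `.Env` keys, so a local `--snapshot` build now needs it exported or a fallback such as `key_file: '{{ envOrDefault "GPG_PRIVATE_KEY_FILE" "" }}'` (if that function is available), and a comment above `rpm:` saying which CI step provides the file would help. Because the signing settings and `id: packages` live inside the `&NFPM` anchor, the `unversioned` package merged via `<< : *NFPM` inherits signing too while overriding only `id`; presumably intended, but a one-line comment on the anchor would make it explicit. The `after.hooks` comment in the first hunk could also state that the hook exits early for pre-releases rather than failing.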
@@ -101,6 +125,12 @@ signs: args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"] artifacts: all +publishers: +- name: Google Cloud Artifact Registry + ids: + - packages + cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }} + snapshot: name_template: "{{ .Tag }}-next" @@ -140,7 +170,10 @@ release: #### Linux - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz) - - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb) + - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb) + - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm) + - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb) + - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm) #### OSX Darwin @@ -198,7 +231,7 @@ release: # - glob: ./glob/foo/to/bar/file/foobar/override_from_previous winget: - - + - # IDs of the archives to use. # Empty means all IDs. ids: [ default ] 
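Review bot: The four new download links in the `release` notes hunk use the path `gh-release/cli/gh-release-header/`, whereas the unchanged `.tar.gz` line directly above and the removed `.deb` line both use `gh-release/certificates/`; unless the package mirror for this repository really moved under `cli`, this reads as a copy from the step CLI configuration and every package link in the release notes would be dead. The fix is to replace `gh-release/cli/` with `gh-release/certificates/` in all four lines. In the `publishers` hunk the `cmd` hands `scripts/package-upload.sh` four arguments, the last being `{{ .Var.packageRelease }}`, but the script added in a later hunk assigns only `$1`–`$3` and echoes an unset `RELEASE`; either add `RELEASE="${4}"` there or drop the argument. Both hunks sit inside top-level mappings whose remaining keys are outside the hunk.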
diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh new file mode 100644 index 000000000..679e0eff7 --- /dev/null +++ b/scripts/package-repo-import.sh @@ -0,0 +1,56 @@ +#!/usr/bin/env bash + +set -e + +: ${GCLOUD_LOCATION:=us-central1} +: ${GCLOUD_RPM_REPO:=rpms} +: ${GCLOUD_DEB_REPO:=debs} + +PACKAGE="${1}" +VERSION="${2}" +RELEASE="1" +EPOCH="0" +GORELEASER_PHASE=${GORELEASER_PHASE:-release} + +echo "Package: ${PACKAGE}" +echo "Version: ${VERSION}" + +check_package() { + local EXITCODE=0 + local REPO="${1}" + local VER="${2}" + if [ ! -f /tmp/version-deleted.stamp ]; then + gcloud artifacts versions list \ + --repository "${REPO}" \ + --location "${GCLOUD_LOCATION}" \ + --package "${PACKAGE}" \ + --filter "VERSION:${VER}" \ + --format json 2> /dev/null \ + | jq -re '.[].name?' >/dev/null 2>&1 \ + || EXITCODE=$? + if [[ "${EXITCODE}" -eq 0 ]]; then + echo "Package version already exists. Removing it..." + gcloud artifacts versions delete \ + --quiet "${VER}" \ + --package "${PACKAGE}" \ + --repository "${REPO}" \ + --location "${GCLOUD_LOCATION}" + touch /tmp/version-deleted.stamp + fi + fi +} + +if [[ ${IS_PRERELEASE} == "true" ]]; then + echo "Skipping artifact import; IS_PRERELEASE is 'true'" + exit 0; +fi + +check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}" +gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \ + --location "${GCLOUD_LOCATION}" \ + --gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*" + +check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"} +gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \ + --location "${GCLOUD_LOCATION}" \ + --gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*" diff --git a/scripts/package-upload.sh b/scripts/package-upload.sh new file mode 100644 index 000000000..064dc4378 --- /dev/null +++ b/scripts/package-upload.sh 
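Review bot: `check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}` carries a stray closing brace outside the quotes, so the second argument becomes `<version>-1}` and the `--filter "VERSION:…"` query can never match an existing deb version; the line should read `check_package "${GCLOUD_DEB_REPO}" "${VERSION}-${RELEASE}"`. Separately, `/tmp/version-deleted.stamp` is shared by both calls and never removed, so once the rpm branch deletes a version the deb check is skipped entirely, and on a non-ephemeral runner the stamp would suppress every later run; if the guard is meant per repository, name it per repo (`/tmp/version-deleted-${REPO}.stamp`) or use a function-local flag instead of a file. `RELEASE="1"` duplicates what `variables.packageRelease` already defines in `.goreleaser.yml`, so the `after` hook could pass `{{ .Var.packageRelease }}` as a third argument and the script read `RELEASE="${3:-1}"`; `GORELEASER_PHASE` is assigned but never used. Note also that the delete-then-import flow replaces an already published version in place, which suits re-runs but means consumers cannot treat a version string as immutable — a header comment stating that this is intended would help.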
@@ -0,0 +1,24 @@ +#!/usr/bin/env bash + +set -e +set -x + +FILE="${1}" +PACKAGE="${2}" +VERSION="${3}" + +echo "Package File: ${FILE}" +echo "Package: ${PACKAGE}" +echo "Version: ${VERSION}" +echo "Release: ${RELEASE}" +echo "Location: ${GCLOUD_LOCATION}" + +if [ "${FILE: -4}" == ".deb" ]; then + if [[ "${FILE}" =~ "armhf6" ]]; then + echo "Skipping ${FILE} due to GCP Artifact Registry armhf conflict!" + else + gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/ + fi +else + gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/ +fi From e63b64904dc2659214e784bfb753cd968414471f Mon Sep 17 00:00:00 2001 From: Joe Doss Date: Tue, 19 Nov 2024 14:20:33 -0600 Subject: [PATCH 2/4] Make script +x. --- scripts/package-repo-import.sh | 0 scripts/package-upload.sh | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 scripts/package-repo-import.sh mode change 100644 => 100755 scripts/package-upload.sh diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh old mode 100644 new mode 100755 diff --git a/scripts/package-upload.sh b/scripts/package-upload.sh old mode 100644 new mode 100755 From cd57b50db2842cb19f36be7ae495ecee44af2632 Mon Sep 17 00:00:00 2001 From: Joe Doss Date: Tue, 19 Nov 2024 14:19:12 -0600 Subject: [PATCH 3/4] Add in PKCS11 packages. --- docker/Dockerfile.hsm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.hsm b/docker/Dockerfile.hsm index f6cec47a1..4ef150ae5 100644 --- a/docker/Dockerfile.hsm +++ b/docker/Dockerfile.hsm @@ -18,7 +18,7 @@ COPY --from=kms /usr/local/bin/step-kms-plugin /usr/local/bin/step-kms-plugin USER root RUN apt-get update -RUN apt-get install -y --no-install-recommends pcscd libpcsclite1 +RUN apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 RUN mkdir -p /run/pcscd RUN chown step:step /run/pcscd USER step 
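Review bot: The two `gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/…/${VERSION}/` invocations expand `FILE`, `PACKAGE` and `VERSION` unquoted even though the script quotes them everywhere else; the value comes from `{{ abs .ArtifactPath }}` today, but a path containing spaces or glob characters would be word-split or expanded, so quote them: `gcloud storage cp "${FILE}" "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/"` (and the rpm line likewise). `set -e` without `-u` lets the `echo "Release: ${RELEASE}"` and `echo "Location: ${GCLOUD_LOCATION}"` lines print empty values silently; `set -euo pipefail` would surface the missing assignments instead. The `armhf6` skip deserves a one-line comment pointing at the `file_name_template` in `.goreleaser.yml` that produces that suffix, since the reason is otherwise visible only in the echo text.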
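Review bot: The changed `RUN apt-get install …` line sits in its own layer after the separate `RUN apt-get update` context line, so a cached `update` layer can pair stale package lists with the new package set and fail with 404s on rebuild; the follow-up hunk in the next commit, which appends `p11-kit` to the same line, has the same issue. Merging them into one layer, `RUN apt-get update && apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 && rm -rf /var/lib/apt/lists/*`, also keeps the list cache out of the image. Adding `opensc` and `gnutls-bin` brings CLI tooling into the runtime image; a short comment naming which binary each package is needed for would make the dependency list reviewable later.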
From c0d41d70ac4727a4cfbe35dcbbfdb6e82866bde0 Mon Sep 17 00:00:00 2001 From: Joe Doss Date: Tue, 19 Nov 2024 14:38:11 -0600 Subject: [PATCH 4/4] Add p11-kit package. --- docker/Dockerfile.hsm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.hsm b/docker/Dockerfile.hsm index 4ef150ae5..d643e147f 100644 --- a/docker/Dockerfile.hsm +++ b/docker/Dockerfile.hsm @@ -18,7 +18,7 @@ COPY --from=kms /usr/local/bin/step-kms-plugin /usr/local/bin/step-kms-plugin USER root RUN apt-get update -RUN apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 +RUN apt-get install -y --no-install-recommends opensc opensc-pkcs11 pcscd gnutls-bin libpcsclite1 p11-kit RUN mkdir -p /run/pcscd RUN chown step:step /run/pcscd USER step