From 7fcbad464818d1448b0a8c2ca22573d736b21523 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:10:04 -0500
Subject: [PATCH 01/12] Add support in for signing and publishing RPM and Deb packages to GCP Artifact Registry.

---
 .goreleaser.yml | 21 +++++++++++++++-
 scripts/package-repo-import.sh | 46 ++++++++++++++++++++++++++++++++++
 scripts/package-upload.sh | 19 ++++++++++++++
 3 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100755 scripts/package-repo-import.sh
 create mode 100755 scripts/package-upload.sh

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 95e1efdf5..bf4fa3e5b 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -6,6 +6,11 @@ before:
 hooks:
 - go mod download
 
+after:
+ hooks:
+ - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
+ output: true
+
 builds:
 - &BUILD
 id: default
@@ -87,7 +92,7 @@ nfpms:
 builds:
 - nfpm
 package_name: step-cli
- file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+ file_name_template: "{{.ConventionalFileName}}"
 vendor: Smallstep Labs
 homepage: https://github.com/smallstep/cli
 maintainer: Smallstep
@@ -113,6 +118,13 @@ nfpms:
 scripts:
 postinstall: scripts/postinstall.sh
 postremove: scripts/postremove.sh
+ rpm:
+ signature:
+ key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+ deb:
+ signature:
+ key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+ type: origin
 - << : *NFPM
 id: unversioned
 
@@ -134,6 +146,13 @@ signs:
 args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
 artifacts: all
 
+publishers:
+- name: Google Cloud Artifact Registry
+ ids:
+ - packages
+ cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
+ disable: "{{ if .IsNightly }}true{{ end }}"
+
 snapshot:
 name_template: "{{ .Tag }}-next"
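Review bot: The new `after` hook runs `scripts/package-repo-import.sh` on every goreleaser run, whereas the publisher added at the bottom of this file is disabled for nightlies, so the two halves of the upload/import pair can disagree: a nightly skips the upload yet still imports, and through the script's `check_package` may delete, whatever already sits under `gs://artifacts-outgoing/<package>/…/<version>/`. The only guard inside the script is `GORELEASER_PHASE`, which the script defaults to `release` and which nothing in this patch sets, so unless the reusable workflow exports `GORELEASER_PHASE=publish` the import silently never runs, and if it does export it the nightly mismatch above applies. I would pass the publisher's condition into the hook, `- cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }} {{ .IsNightly }}`, and have the script `exit 0` when its third argument is `true`, so upload and import always share one gate.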
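Review bot: The `rpm.signature` and `deb.signature` blocks introduce a long-lived GPG private key into a pipeline that otherwise signs keylessly through the cosign `signs:` entry below, and nothing in the file records where `GPG_PRIVATE_KEY_FILE` or its passphrase come from; goreleaser aborts if the variable is unset, which is the right failure mode, but the passphrase is presumably supplied to nfpm through a separate environment variable that is invisible here. I would add a comment above the `rpm:` key such as `# GPG_PRIVATE_KEY_FILE and the nfpm passphrase variable are provisioned by the smallstep/workflows goreleaser workflow; the key file must live outside the checkout and be removed after the run`. If the nfpm version in use supports it, also set `key_id` under both `signature` blocks so a keyring holding more than one key cannot sign with an unexpected one. The `nfpms` entry these keys belong to starts before this hunk.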
diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh
new file mode 100755
index 000000000..19ca2c7e9
--- /dev/null
+++ b/scripts/package-repo-import.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+: ${GCLOUD_LOCATION:=us-central1}
+: ${GCLOUD_RPM_REPO:=rpms}
+: ${GCLOUD_DEB_REPO:=debs}
+
+PACKAGE="${1}"
+VERSION="${2}"
+RELEASE="1"
+EPOCH="0"
+GORELEASER_PHASE=${GORELEASER_PHASE:-release}
+
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+
+check_package() {
+ local EXITCODE=0
+ local REPO="${1}"
+ local VER="${2}"
+ if [ ! -f /tmp/version-deleted.stamp ]; then
+ gcloud artifacts versions list --repository "${REPO}" --location "${GCLOUD_LOCATION}" --package "${PACKAGE}" \
+ --filter "VERSION:${VER}" --format json 2> /dev/null |jq -re '.[].name?' >/dev/null 2>&1 || EXITCODE=$?
+ if [[ "${EXITCODE}" -eq 0 ]]; then
+ echo "Package version already exists. Removing it..."
+ gcloud artifacts versions delete --quiet "${VER}" --package "${PACKAGE}" --repository "${REPO}" --location "${GCLOUD_LOCATION}"
+ touch /tmp/version-deleted.stamp
+ fi
+ fi
+}
+
+if [[ ${GORELEASER_PHASE} != "publish" ]]; then
+ echo "Skipping artifact import; GORELEASER_PHASE is not 'publish'"
+ exit 0;
+fi
+
+check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}"
+gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*"
+
+check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}
+gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*"
diff --git a/scripts/package-upload.sh b/scripts/package-upload.sh
new file mode 100755
index 000000000..c34d1d78e
--- /dev/null
+++ b/scripts/package-upload.sh
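Review bot: The final `check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}` call carries a stray `}` after the closing quote, so the second argument becomes `<version>-1}` and the deb lookup can never match; it is also the only unquoted expansion in the file, and the line should read `check_package "${GCLOUD_DEB_REPO}" "${VERSION}-${RELEASE}"`. The `/tmp/version-deleted.stamp` guard is shared by both repositories, so once the RPM version has been deleted the deb version is never checked, and on a non-ephemeral runner the stamp survives into the next release and disables the check entirely; I would remove the `if [ ! -f /tmp/version-deleted.stamp ]; then` / matching `fi` wrapper and the `touch /tmp/version-deleted.stamp` line so each repository is checked independently. More fundamentally, deleting and re-importing an existing version makes published packages mutable: any re-run of the release job replaces signed artifacts that users may already have fetched and verified, so consider failing (or requiring an explicit override variable) when the version already exists instead of removing it.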
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -e
+
+FILE="${1}"
+PACKAGE="${2}"
+VERSION="${3}"
+
+echo "Package File: ${FILE}"
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+echo "Release: ${RELEASE}"
+echo "Location: ${GCLOUD_LOCATION}"
+
+if [ "${FILE: -4}" == ".deb" ]; then
+ gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/
+else
+ gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/
+fi
From 648e2adf5e0c73a0b77e972fdfba3aa0506710c7 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:17:21 -0500
Subject: [PATCH 02/12] Add yaml-language-server modline to set the YAML schema to Goreleaser Pro.

---
 .goreleaser.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index bf4fa3e5b..94725c756 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,4 +1,5 @@
 # Documentation: https://goreleaser.com/customization/
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
 version: 2
 project_name: step
 
From afedfdc84438db4bc90a5626e0edcb38214d370e Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:37:38 -0500
Subject: [PATCH 03/12] Update scripts/package-repo-import.sh

Co-authored-by: Carl Tashian
---
 scripts/package-repo-import.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh
index 19ca2c7e9..739ebda08 100755
--- a/scripts/package-repo-import.sh
+++ b/scripts/package-repo-import.sh
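Review bot: `RELEASE` is echoed but never assigned: the publisher in `.goreleaser.yml` passes `{{ .Var.packageRelease }}` as a fourth argument that this script ignores, so the log line is always empty, and `GCLOUD_LOCATION` is likewise printed without being set or used here. The two `gcloud storage cp` calls expand `${FILE}` unquoted, and the `else` branch pushes any non-`.deb` artifact into the rpm prefix, so a stray file reaching this publisher would be picked up as an RPM by the import step. I would bind the argument, quote the paths, and reject unexpected extensions:

```shell
FILE="${1}"
PACKAGE="${2}"
VERSION="${3}"
RELEASE="${4}"

# … unchanged: echo lines …

case "${FILE}" in
  *.deb) DEST="gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/" ;;
  *.rpm) DEST="gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/" ;;
  *) echo "Unsupported package file: ${FILE}" >&2; exit 1 ;;
esac
gcloud storage cp "${FILE}" "${DEST}"
```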
@@ -20,8 +20,14 @@ check_package() {
 local REPO="${1}"
 local VER="${2}"
 if [ ! -f /tmp/version-deleted.stamp ]; then
- gcloud artifacts versions list --repository "${REPO}" --location "${GCLOUD_LOCATION}" --package "${PACKAGE}" \
- --filter "VERSION:${VER}" --format json 2> /dev/null |jq -re '.[].name?' >/dev/null 2>&1 || EXITCODE=$?
+ gcloud artifacts versions list \
+ --repository "${REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --package "${PACKAGE}" \
+ --filter "VERSION:${VER}" \
+ --format json 2> /dev/null \
+ | jq -re '.[].name?' >/dev/null 2>&1 \
+ || EXITCODE=$?
 if [[ "${EXITCODE}" -eq 0 ]]; then
 echo "Package version already exists. Removing it..."
 gcloud artifacts versions delete --quiet "${VER}" --package "${PACKAGE}" --repository "${REPO}" --location "${GCLOUD_LOCATION}"
From cc4ceb68de66cb976578615f7c535370e14b819f Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:37:48 -0500
Subject: [PATCH 04/12] Update scripts/package-repo-import.sh

Co-authored-by: Carl Tashian
---
 scripts/package-repo-import.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh
index 739ebda08..89ab5ab21 100755
--- a/scripts/package-repo-import.sh
+++ b/scripts/package-repo-import.sh
@@ -30,7 +30,11 @@ check_package() {
 || EXITCODE=$?
 if [[ "${EXITCODE}" -eq 0 ]]; then
 echo "Package version already exists. Removing it..."
- gcloud artifacts versions delete --quiet "${VER}" --package "${PACKAGE}" --repository "${REPO}" --location "${GCLOUD_LOCATION}"
+ gcloud artifacts versions delete \
+ --quiet "${VER}" \
+ --package "${PACKAGE}" \
+ --repository "${REPO}" \
+ --location "${GCLOUD_LOCATION}"
 touch /tmp/version-deleted.stamp
 fi
 fi
From ee2cf66b5b6d222eeb8498d4c2b49470acdf88c7 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:45:13 -0500
Subject: [PATCH 05/12] Add missing variables.

---
 .goreleaser.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

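Review bot: The reformatted `gcloud artifacts versions list` pipeline still discards stderr with `2> /dev/null` and then treats every non-zero status as "version not present", so an authentication or permission failure is indistinguishable from an empty result and the script carries on to import over a version it could not inspect. I would capture the list output into a variable first and fail on a non-zero `gcloud` status before piping into `jq`, rather than folding both outcomes into `|| EXITCODE=$?`. The `--filter "VERSION:${VER}"` also uses gcloud's `:` operator, which I believe is a has/prefix match rather than equality, so `--filter "VERSION=${VER}"` is the safer comparison. The `check_package` function begins before this hunk.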
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 94725c756..7f7159df0 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -3,6 +3,10 @@
 version: 2
 project_name: step
 
+variables:
+ packageName: step-cli
+ packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this
+
 before:
 hooks:
 - go mod download
@@ -92,7 +96,8 @@ nfpms:
 - &NFPM
 builds:
 - nfpm
- package_name: step-cli
+ package_name: "{{ .Var.packageName }}"
+ release: "1"
 file_name_template: "{{.ConventionalFileName}}"
 vendor: Smallstep Labs
 homepage: https://github.com/smallstep/cli
From 4db4cf9676f954387f4406af0a6f93887d03b237 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 23 Jul 2024 14:48:31 -0500
Subject: [PATCH 06/12] Fix conditional for uploading packages

---
 .goreleaser.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7f7159df0..1b4f752cb 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -157,7 +157,7 @@ publishers:
 ids:
 - packages
 cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
- disable: "{{ if .IsNightly }}true{{ end }}"
+ disable: "{{ if .Prerelease }}true{{ end }}"
 
 snapshot:
 name_template: "{{ .Tag }}-next"
From 6aae40ef5d0133cad07857026bb65b77aff004f1 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Thu, 8 Aug 2024 14:30:29 -0500
Subject: [PATCH 07/12] Use goreleaser.yml@jdoss/Package_Repos for testing.

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 46fc02c07..98ee7689e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
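Review bot: `packageRelease` is declared as a variable, but the nfpm `release: "1"` added in the next hunk is a second hard-coded copy kept in sync only by the comment on the `packageRelease` line, and `scripts/package-repo-import.sh` carries a third (`RELEASE="1"`), so the release number that ends up in the package metadata, the upload path and the Artifact Registry version check lives in three places. If the nfpm `release` field accepts templates in the goreleaser version in use, `release: "{{ .Var.packageRelease }}"` removes one copy; otherwise the comment should at least also name `scripts/package-repo-import.sh` as a place to update. I would also quote the value, `packageRelease: "1"`, so it stays a string rather than a YAML integer that is re-rendered into the template.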
@@ -67,7 +67,7 @@ jobs:
 permissions:
 id-token: write
 contents: write
- uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
+ uses: smallstep/workflows/.github/workflows/goreleaser.yml@jdoss/Package_Repos
 secrets: inherit
 
 build_upload_docker:
From 54d3e3bee8d0915678b4b2427b883c2bb9c14b37 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Thu, 8 Aug 2024 14:37:59 -0500
Subject: [PATCH 08/12] Add packages: write.

---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98ee7689e..b02556cb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -67,6 +67,7 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ packages: write
 uses: smallstep/workflows/.github/workflows/goreleaser.yml@jdoss/Package_Repos
 secrets: inherit
 
From d40a6c1ac1749023b05a87193a3f56e129d23dce Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Thu, 8 Aug 2024 15:27:11 -0500
Subject: [PATCH 09/12] Set enable-packages-upload: true.

---
 .github/workflows/release.yml | 2 ++
 .gitignore | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b02556cb3..337781939 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,6 +69,8 @@ jobs:
 contents: write
 packages: write
 uses: smallstep/workflows/.github/workflows/goreleaser.yml@jdoss/Package_Repos
+ with:
+ enable-packages-upload: true
 secrets: inherit
 
 build_upload_docker:
diff --git a/.gitignore b/.gitignore
index c399faf07..386605b46 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,7 @@ vendor
 step
 .idea
 .envrc
+
+# Packages files
+0x889B19391F774443-Certify.key
+gha-creds-*.json
From d3ac1b7f83e87531683d96bcd06904badc92f97f Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Fri, 9 Aug 2024 11:33:33 -0500
Subject: [PATCH 10/12] Ignore goreleaser dist/ directory.

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

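Review bot: `packages: write` grants the job's `GITHUB_TOKEN` write access to GitHub Packages/GHCR, but nothing in this series publishes there: the Artifact Registry upload authenticates to GCP through `id-token: write`, and the reusable workflow already receives every repository secret via `secrets: inherit`. Unless the workflow at `smallstep/workflows` actually pushes to GHCR, this is an unused write permission on a job that already holds release credentials, and I would drop the line or annotate it with the consumer, e.g. `packages: write # required by the <step> step in smallstep/workflows goreleaser.yml`. The `permissions` block and the enclosing job start before this hunk.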
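Review bot: Ignoring `0x889B19391F774443-Certify.key` and `gha-creds-*.json` indicates that the GPG signing key and a GCP credentials file are written into the repository checkout during the release; `.gitignore` only keeps them out of commits, not out of a workspace that later steps, module downloads, caches and uploaded artifacts can read. I would write both files under `$RUNNER_TEMP` (or a `mktemp -d` directory), point `GPG_PRIVATE_KEY_FILE` at that path, and delete them in an `if: always()` step, rather than rely on an ignore rule. If the entries must stay, replace the `# Packages files` comment with something that explains the risk, e.g. `# Release-time secrets (GPG signing key, GCP credentials); never commit, remove after each run`.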
diff --git a/.gitignore b/.gitignore
index 386605b46..1ae321b4b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,6 +22,7 @@ go.work.sum
 coverage.txt
 output
 vendor
+dist/
 step
 .idea
 .envrc
From 1130654362626a55cd0a7e3d222e9f912baa3ce8 Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Fri, 9 Aug 2024 13:34:59 -0500
Subject: [PATCH 11/12] Fix Debian ARMv6 and ARMv7 duplicated package names.

---
 .goreleaser.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.goreleaser.yml b/.goreleaser.yml
index 1b4f752cb..0fae972d9 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -98,7 +98,11 @@ nfpms:
 - nfpm
 package_name: "{{ .Var.packageName }}"
 release: "1"
- file_name_template: "{{.ConventionalFileName}}"
+ file_name_template: >-
+ {{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
+ {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
+ {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
+ {{- .ConventionalExtension -}}
 vendor: Smallstep Labs
 homepage: https://github.com/smallstep/cli
 maintainer: Smallstep
From 082fe65aafc962253dd2b54585b2c11f4682210e Mon Sep 17 00:00:00 2001
From: Joe Doss
Date: Tue, 13 Aug 2024 12:33:44 -0500
Subject: [PATCH 12/12] Switch back to goreleaser.yml@main.

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 337781939..ce8509844 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,7 +68,7 @@ jobs:
 id-token: write
 contents: write
 packages: write
- uses: smallstep/workflows/.github/workflows/goreleaser.yml@jdoss/Package_Repos
+ uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
 with:
 enable-packages-upload: true
 secrets: inherit
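Review bot: The reusable workflow is referenced as `goreleaser.yml@main`, a mutable branch, while the calling job grants `id-token: write`, `contents: write`, `packages: write` and `secrets: inherit`; anyone who can push to `main` of `smallstep/workflows` can therefore change how this repository's releases are signed and where its packages are published without any change landing here. For a release pipeline I would pin the reference to a full commit SHA with the version in a trailing comment, `uses: smallstep/workflows/.github/workflows/goreleaser.yml@<sha> # vX.Y.Z`, and let Dependabot or Renovate bump it. The test-branch reference being reverted here shows the ref was already treated as a knob during development, which is exactly the property a release job should not have.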