From 579a436ebb91df02aef031ab5f658667a61abeb3 Mon Sep 17 00:00:00 2001
From: max furman
Date: Sat, 1 Oct 2022 11:03:14 -0700
Subject: [PATCH] [action] updates and first pass at goreleaser deb
---
 .github/workflows/ci.yml | 6 +--
 .github/workflows/release.yml | 84 +++++++++++------------------------
 .goreleaser.yml | 58 +++++++++++++++++++++++-
 3 files changed, 83 insertions(+), 65 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a67b766f..457da9cf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,9 +8,6 @@ on: - "master" pull_request: workflow_call: - secrets: - GITLEAKS_LICENSE_KEY: - required: true concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -23,5 +20,4 @@ jobs: os-dependencies: "libpcsclite-dev" run-gitleaks: true run-codeql: true - secrets: - GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }} + secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bd434737..ffbd1c9c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,25 +8,17 @@ on: jobs: ci: - uses: smallstep/certificates/.github/workflows/ci.yml@main + uses: smallstep/certificates/.github/workflows/ci.yml@master secrets: inherit create_release: name: Create Release - needs: ci + #needs: ci runs-on: ubuntu-20.04 outputs: - debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} steps: - - - name: Extract Tag Names - id: extract-tag - run: | - DEB_VERSION=$(echo ${GITHUB_REF#refs/tags/v} | sed 's/-/./') - echo "::set-output name=DEB_VERSION::${DEB_VERSION}" - - - name: Is Pre-release + - name: Is Pre-release id: is_prerelease run: | set +e 
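Review bot: `secrets: inherit` in the second ci.yml hunk hands every repository and organization secret to the reusable workflow, where the mapping it replaces passed only `GITLEAKS_LICENSE_KEY`; the workflow this job `uses:` is outside the hunk, so I cannot see whether it consumes anything else. Because the first hunk also drops the `workflow_call` secret declaration, every caller of ci.yml now has to rely on `secrets: inherit` as well (release.yml already does), which widens what a compromised step in the called workflow can read. If the called workflow only needs the license key, the explicit form `secrets:` / `GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}` is the least-privilege option; otherwise a comment above `secrets: inherit` naming the secrets the called workflow actually uses would let a reviewer check the grant.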
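Review bot: `#needs: ci` in the create_release job of release.yml removes the dependency that gated the GitHub release on the CI job (which runs gitleaks and CodeQL per ci.yml), so a tag push now creates a release even when CI fails; the `ci` job still runs, but nothing waits for it. If this is deliberate for the first goreleaser pass, say so next to it, e.g. `# TODO: restore `needs: ci` once ci.yml@master passes on tag builds; releases must stay gated on CI`, otherwise restore `needs: ci`. The `uses:` reference moving from `@main` to `@master` matches the branch filter in ci.yml; the create_release job continues past the end of this hunk.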
@@ -34,8 +26,7 @@ jobs: OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" - - - name: Create Release + - name: Create Release id: create_release uses: actions/create-release@v1 env:
@@ -51,54 +42,33 @@ jobs: runs-on: ubuntu-20.04 needs: create_release steps: - - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v2 + - name: Checkout + uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v3 with: go-version: 1.19 - - - name: APT Install - id: aptInstall - run: sudo apt-get -y install build-essential debhelper fakeroot - - - name: Build Debian package - id: make_debian - run: | - PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin - make debian - # need to restore the git state otherwise goreleaser fails due to dirty state - git restore debian/changelog - git clean -fd - - - name: Install cosign - uses: sigstore/cosign-installer@v1.1.0 + check-latest: true + - name: Install cosign + uses: sigstore/cosign-installer@v2.7.0 with: - cosign-release: 'v1.1.0' - - - name: Write cosign key to disk + cosign-release: 'v1.12.1' + - name: Write cosign key to disk id: write_key run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" - - - name: Get Release Date + - name: Get Release Date id: release_date run: | RELEASE_DATE=$(date +"%y-%m-%d") echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0 + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v3 with: - version: 'v1.7.0' + version: 'latest' args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.PAT }} COSIGN_PWD: ${{ secrets.COSIGN_PWD }} - DEB_VERSION: ${{ needs.create_release.outputs.debversion }} RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} build_upload_docker: 
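Review bot: `version: 'latest'` together with `uses: goreleaser/goreleaser-action@v3` in the Run GoReleaser step replaces a SHA-pinned action and a pinned GoReleaser `v1.7.0` with two mutable references, so the tool that builds and signs the release artifacts can change between runs without any diff in this repository. Pin at least the GoReleaser version, `version: 'v<pinned-goreleaser-version>'` (placeholder for the release you validated), and keep the action on a commit SHA with a `# vX.Y.Z` comment as the removed line did. The Checkout step also lost `fetch-depth: 0`; GoReleaser derives `{{.Version}}` and the changelog from tags and history, and a shallow clone may make it fail or mislabel the build, so I would restore `with:` / `fetch-depth: 0` under `uses: actions/checkout@v3`.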
@@ -106,25 +76,21 @@ jobs: runs-on: ubuntu-20.04 needs: ci steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Go - uses: actions/setup-go@v2 + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Go + uses: actions/setup-go@v3 with: go-version: '1.19' - - - name: Install cosign + check-latest: true + - name: Install cosign uses: sigstore/cosign-installer@v1.1.0 with: cosign-release: 'v1.1.0' - - - name: Write cosign key to disk + - name: Write cosign key to disk id: write_key run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" - - - name: Build + - name: Build id: build run: | PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 7d57e657..3d82db95 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -71,6 +71,24 @@ builds: binary: bin/step-awskms-init ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + - + # This build is specifically for nFPM targets (.deb and .rpm files). + # It's exactly the same as the default build above, except: + # - it only builds the archs we want to produce .deb and .rpm files for + # - the name of the output binary is step-cli + id: nfpm + env: + - CGO_ENABLED=0 + goos: + - linux + goarch: + - amd64 + flags: + - -trimpath + main: ./cmd/step-ca/main.go + binary: bin/step-ca + ldflags: + - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} archives: - 
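Review bot: The build_upload_docker job still installs `sigstore/cosign-installer@v1.1.0` with `cosign-release: 'v1.1.0'`, while the goreleaser job in the same commit moved to `@v2.7.0` / `'v1.12.1'`, so the two jobs sign with different cosign versions and the `-output-signature` flag rename in .goreleaser.yml matches only the newer one. Unless the docker signing step (outside this hunk) depends on the old CLI syntax, bring this step in line, `uses: sigstore/cosign-installer@v2.7.0` and `cosign-release: 'v1.12.1'`, so one signing tool version covers the whole release. The Build step's `run:` block continues past the end of the hunk.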
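Review bot: The comment on the new `id: nfpm` build in .goreleaser.yml says "the name of the output binary is step-cli", but the block builds `main: ./cmd/step-ca/main.go` into `binary: bin/step-ca`, so the comment contradicts the configuration beneath it and will mislead the next person editing the packaging. Change it to `# - the name of the output binary is step-ca (bin/step-ca)`. The default build this block claims to be "exactly the same as" is outside the hunk, so I cannot confirm that claim; it would be safer to list the settings that are copied (`CGO_ENABLED=0`, `-trimpath`, the ldflags) rather than assert equality.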
@@ -85,6 +103,44 @@ archives: files: - README.md - LICENSE + allow_different_binary_count: true + +nfpms: + # Configure nFPM for .deb and .rpm releases + # + # See https://nfpm.goreleaser.com/configuration/ + # and https://goreleaser.com/customization/nfpm/ + # + # Useful tools for debugging .debs: + # List file contents: dpkg -c dist/step_...deb + # Package metadata: dpkg --info dist/step_....deb + # + - + builds: + - nfpm + package_name: step-ca + file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" + vendor: Smallstep Labs + homepage: https://github.com/smallstep/certificates + maintainer: Smallstep + description: > + step-ca is an online certificate authority for secure, automated certificate management. + license: Apache 2.0 + section: utils + formats: + - deb + - rpm + priority: optional + bindir: /usr/bin + contents: + - src: debian/copyright + dst: /usr/share/doc/step-ca/copyright + # Ghost files are used for RPM and ignored elsewhere + - dst: /usr/bin/step-ca + type: ghost + scripts: + postinstall: scripts/postinstall.sh + postremove: scripts/postremove.sh source: enabled: true
@@ -98,7 +154,7 @@ checksum: signs: - cmd: cosign stdin: '{{ .Env.COSIGN_PWD }}' - args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"] + args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"] artifacts: all snapshot:
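Review bot: `postinstall: scripts/postinstall.sh` and `postremove: scripts/postremove.sh` in the new `nfpms` stanza point at files this commit does not add (the diffstat lists only the three YAML files), so unless they already exist in the tree the nfpm packaging will fail at release time; the same check applies to `src: debian/copyright`. Since these scripts run as root on every install and removal of the package, a comment next to `scripts:` stating where they live and what they do would let a reviewer audit them alongside this change. Separately, `description: >` keeps a trailing newline on the folded value; `description: >-` is the usual form for a single-line package description.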