[action] updates and first pass at goreleaser deb

2 years ago · d8a16fedb3
parent 8139179084
commit d8a16fedb3
3 changed files with 85 additions and 67 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -8,9 +8,6 @@ on:
    - "master"
  pull_request:
  workflow_call:
-    secrets:
-      GITLEAKS_LICENSE_KEY:
-        required: true

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@ -23,5 +20,4 @@ jobs:
      os-dependencies: "libpcsclite-dev"
      run-gitleaks: true
      run-codeql: true
-    secrets:
-      GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
+    secrets: inherit
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -7,26 +7,18 @@ on:
    - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10

 jobs:
-  ci:
-    uses: smallstep/certificates/.github/workflows/ci.yml@main
-    secrets: inherit
+  #ci:
+  #  uses: smallstep/certificates/.github/workflows/ci.yml@master
+  #  secrets: inherit

  create_release:
    name: Create Release
-    needs: ci
+      #needs: ci
    runs-on: ubuntu-20.04
    outputs:
-      debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }}
      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
    steps:
-      -
-        name: Extract Tag Names
-        id: extract-tag
-        run: |
-          DEB_VERSION=$(echo ${GITHUB_REF#refs/tags/v} | sed 's/-/./')
-          echo "::set-output name=DEB_VERSION::${DEB_VERSION}"
-      -
-        name: Is Pre-release
+      - name: Is Pre-release
        id: is_prerelease
        run: |
          set +e
@ -34,8 +26,7 @@ jobs:
          OUT=$?
          if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
          echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
-      -
-        name: Create Release
+      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
@ -51,54 +42,33 @@ jobs:
    runs-on: ubuntu-20.04
    needs: create_release
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Go
+        uses: actions/setup-go@v3
        with:
          go-version: 1.19
-      -
-        name: APT Install
-        id: aptInstall
-        run: sudo apt-get -y install build-essential debhelper fakeroot
-      -
-        name: Build Debian package
-        id: make_debian
-        run: |
-          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
-          make debian
-          # need to restore the git state otherwise goreleaser fails due to dirty state
-          git restore debian/changelog
-          git clean -fd
-      -
-        name: Install cosign
-        uses: sigstore/cosign-installer@v1.1.0
+          check-latest: true
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v2.7.0
        with:
-          cosign-release: 'v1.1.0'
-      -
-        name: Write cosign key to disk
+          cosign-release: 'v1.12.1'
+      - name: Write cosign key to disk
        id: write_key
        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
-      -
-        name: Get Release Date
+      - name: Get Release Date
        id: release_date
        run: |
          RELEASE_DATE=$(date +"%y-%m-%d")
          echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
        with:
-          version: 'v1.7.0'
+          version: 'latest'
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.PAT }}
          COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
-          DEB_VERSION: ${{ needs.create_release.outputs.debversion }}
          RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}

  build_upload_docker:
@ -106,25 +76,21 @@ jobs:
    runs-on: ubuntu-20.04
    needs: ci
    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
-      -
-        name: Setup Go
-        uses: actions/setup-go@v2
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@v3
        with:
          go-version: '1.19'
-      -
-        name: Install cosign
+          check-latest: true
+      - name: Install cosign
        uses: sigstore/cosign-installer@v1.1.0
        with:
          cosign-release: 'v1.1.0'
-      -
-        name: Write cosign key to disk
+      - name: Write cosign key to disk
        id: write_key
        run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
-      -
-        name: Build
+      - name: Build
        id: build
        run: |
          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -71,6 +71,24 @@ builds:
    binary: bin/step-awskms-init
    ldflags:
      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    # This build is specifically for nFPM targets (.deb and .rpm files).
+    # It's exactly the same as the default build above, except:
+    # - it only builds the archs we want to produce .deb and .rpm files for
+    # - the name of the output binary is step-cli
+    id: nfpm
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+    flags:
+      - -trimpath
+    main: ./cmd/step-ca/main.go
+    binary: bin/step-ca
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}

 archives:
  -
@ -85,6 +103,44 @@ archives:
    files:
      - README.md
      - LICENSE
+    allow_different_binary_count: true
+
+nfpms:
+  # Configure nFPM for .deb and .rpm releases
+  #
+  # See https://nfpm.goreleaser.com/configuration/
+  # and https://goreleaser.com/customization/nfpm/
+  #
+  # Useful tools for debugging .debs:
+  # List file contents: dpkg -c dist/step_...deb
+  # Package metadata: dpkg --info dist/step_....deb
+  #
+  -
+    builds:
+      - nfpm
+    package_name: step-ca
+    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    vendor: Smallstep Labs
+    homepage: https://github.com/smallstep/certificates
+    maintainer: Smallstep <techadmin@smallstep.com>
+    description: >
+      step-ca is an online certificate authority for secure, automated certificate management.
+    license: Apache 2.0
+    section: utils
+    formats:
+      - deb
+      - rpm
+    priority: optional
+    bindir: /usr/bin
+    contents:
+      - src: debian/copyright
+        dst: /usr/share/doc/step-ca/copyright
+        # Ghost files are used for RPM and ignored elsewhere
+      - dst: /usr/bin/step-ca
+        type: ghost
+    scripts:
+      postinstall: scripts/postinstall.sh
+      postremove: scripts/postremove.sh

 source:
  enabled: true
@ -98,7 +154,7 @@ checksum:
 signs:
 - cmd: cosign
  stdin: '{{ .Env.COSIGN_PWD }}'
-  args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
+  args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
  artifacts: all

 snapshot: