diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..dc65b334
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,146 @@
+name: Create Release & Upload Assets
+
+on:
+ push:
+ # Sequence of patterns matched against refs/tags
+ tags:
+ - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+jobs:
+ test:
+ name: Lint, Test, Build
+ runs-on: ubuntu-20.04
+ outputs:
+ is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ -
+ name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.15.8'
+ -
+ name: Install Deps
+ id: install-deps
+ run: sudo apt-get -y install libpcsclite-dev
+ -
+ name: Lint, Test, Build
+ id: lint_test_build
+ run: V=1 make -j1 bootstrap ci
+ -
+ name: Is Pre-release
+ id: is_prerelease
+ run: |
+ set +e
+ echo ${{ github.ref }} | grep "\-rc.*"
+ OUT=$?
+ if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
+ echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+
+ create_release:
+ name: Create Release
+ needs: test
+ runs-on: ubuntu-20.04
+ outputs:
+ is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+ steps:
+ -
+ name: Is Pre-release
+ id: is_prerelease
+ run: |
+ set +e
+ echo ${{ github.ref }} | grep "\-rc.*"
+ OUT=$?
+ if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
+ echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+ -
+ name: Create Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Release ${{ github.ref }}
+ draft: false
+ prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+
+ goreleaser:
+ name: Upload Assets To Github w/ goreleaser
+ runs-on: ubuntu-20.04
+ needs: create_release
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ -
+ name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16
+ -
+ name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
+ with:
+ version: latest
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.PAT }}
+
+ release_deb:
+ name: Build & Upload Debian Package To Github
+ runs-on: ubuntu-20.04
+ needs: create_release
+ steps:
+ -
+ name: Checkout
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+ -
+ name: Set up Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.15.8'
+ -
+ name: APT Install
+ id: aptInstall
+ run: sudo apt-get -y install build-essential debhelper fakeroot
+ -
+ name: Build Debian package
+ id: build
+ run: |
+ PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
+ make debian
+ -
+ name: Upload Debian Package
+ id: upload_deb
+ run: |
+ tag_name="${GITHUB_REF##*/}"
+ hub release edit $(find ./.releases -type f -printf "-a %p ") -m "" "$tag_name"
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ build_upload_docker:
+ name: Build & Upload Docker Images
+ runs-on: ubuntu-20.04
+ needs: test
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.15.8'
+ - name: Build
+ id: build
+ run: |
+ PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
+ make docker-artifacts
+ env:
+ DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+ DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..4ddc6d21
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,34 @@
+name: Lint, Test, Build
+
+on:
+ push:
+ tags-ignore:
+ - 'v*'
+ branches:
+ - "**"
+ pull_request:
+
+jobs:
+ lintTestBuild:
+ name: Lint, Test, Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Setup Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '^1.15.6'
+ - name: Install Deps
+ id: install-deps
+ run: sudo apt-get -y install libpcsclite-dev
+ - name: Lint, Test, Build
+ id: lintTestBuild
+ run: V=1 make -j1 bootstrap ci
+ - name: Codecov
+ uses: codecov/codecov-action@v1.2.1
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+ file: ./coverage.out # optional
+ name: codecov-umbrella # optional
+ fail_ci_if_error: true # optional (default = false)
diff --git a/.goreleaser.yml b/.goreleaser.yml
new file mode 100644
index 00000000..880a3f4a
--- /dev/null
+++ b/.goreleaser.yml
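Review bot: The goreleaser job authenticates with `GITHUB_TOKEN: ${{ secrets.PAT }}` while `create_release` and `release_deb` upload to the same release with the run-scoped `secrets.GITHUB_TOKEN`, which should be sufficient here too; a long-lived personal token only widens the blast radius if any step in that job (including the floating `actions/checkout@v2` / `actions/setup-go@v2` tags) is compromised, so switch it to `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and pin those actions to commit SHAs the way `goreleaser-action@56f5b77…` already is. Both "Is Pre-release" steps splice `${{ github.ref }}` into the script text via expression expansion; low risk on a tag push since only tag pushers control it, but reading the runner-provided variable instead, `echo "$GITHUB_REF" | grep "\-rc.*"`, keeps the ref out of the shell source as `release_deb` already does with `tag_name="${GITHUB_REF##*/}"`. In the goreleaser job `go-version: 1.16` is an unquoted YAML float (write `'1.16'`) and differs from the `'^1.15.8'` used for `make ci`, so the binaries that ship are not built with the toolchain that was tested. `build_upload_docker` depends only on `test`, so images are pushed even when `create_release` fails; `needs: create_release` would keep it consistent with the other publish jobs.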
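Review bot: This workflow validates with `go-version: '^1.15.6'` on `ubuntu-latest` while release.yml builds with `'^1.15.8'`, `1.16` and `ubuntu-20.04`, so what passes on a branch is not the toolchain that produces the release; pin one quoted Go version (e.g. `go-version: '1.16'`) and one runner image across both files. `actions/checkout@v2`, `actions/setup-go@v2` and `codecov/codecov-action@v1.2.1` are mutable tags, and this workflow runs on `pull_request` (presumably including forks); pinning them to full commit SHAs as release.yml does for goreleaser-action would close that supply-chain gap. `fail_ci_if_error: true` makes a Codecov outage, or a fork PR that cannot read `CODECOV_TOKEN`, fail the whole lint/test job; if coverage upload is not meant to gate merges, drop it or give the step `continue-on-error: true`.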
@@ -0,0 +1,200 @@
+# This is an example .goreleaser.yml file with some sane defaults.
+# Make sure to check the documentation at http://goreleaser.com
+project_name: step-ca
+before:
+ hooks:
+ # You may remove this if you don't use go modules.
+ - go mod download
+builds:
+ -
+ id: step-ca
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm
+ - arm64
+ - 386
+ goarm:
+ - 7
+ flags:
+ - -trimpath
+ main: ./cmd/step-ca/main.go
+ binary: bin/step-ca
+ ldflags:
+ - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+ -
+ id: step-cloudkms-init
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm
+ - arm64
+ - 386
+ goarm:
+ - 7
+ flags:
+ - -trimpath
+ main: ./cmd/step-cloudkms-init/main.go
+ binary: bin/step-cloudkms-init
+ ldflags:
+ - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+ -
+ id: step-awskms-init
+ env:
+ - CGO_ENABLED=0
+ goos:
+ - linux
+ - darwin
+ goarch:
+ - amd64
+ - arm
+ - arm64
+ - 386
+ goarm:
+ - 7
+ flags:
+ - -trimpath
+ main: ./cmd/step-awskms-init/main.go
+ binary: bin/step-awskms-init
+ ldflags:
+ - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+archives:
+ -
+ # Can be used to change the archive formats for specific GOOSs.
+ # Most common use case is to archive as zip on Windows.
+ # Default is empty.
+ name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+ wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
+ files:
+ - README.md
+ - LICENSE
+source:
+ enabled: true
+ name_template: '{{ .ProjectName }}_{{ .Version }}'
+checksum:
+ name_template: 'checksums.txt'
+snapshot:
+ name_template: "{{ .Tag }}-next"
+release:
+ # Repo in which the release will be created.
+ # Default is extracted from the origin remote URL or empty if its private hosted.
+ # Note: it can only be one: either github, gitlab or gitea
+ github:
+ owner: smallstep
+ name: certificates
+
+ # IDs of the archives to use.
+ # Defaults to all.
+ #ids:
+ # - foo
+ # - bar
+
+ # If set to true, will not auto-publish the release.
+ # Default is false.
+ draft: true
+
+ # If set to auto, will mark the release as not ready for production
+ # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+ # If set to true, will mark the release as not ready for production.
+ # Default is false.
+ prerelease: false
+
+ # You can change the name of the release.
+ # Default is `{{.Tag}}`
+ #name_template: "{{.ProjectName}}-v{{.Version}} {{.Env.USER}}"
+
+ # You can disable this pipe in order to not upload any artifacts.
+ # Defaults to false.
+ #disable: true
+
+ # You can add extra pre-existing files to the release.
+ # The filename on the release will be the last part of the path (base). If
+ # another file with the same name exists, the latest one found will be used.
+ # Defaults to empty.
+ #extra_files:
+ # - glob: ./path/to/file.txt
+ # - glob: ./glob/**/to/**/file/**/*
+ # - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
+
+ #scoop:
+ # # Template for the url which is determined by the given Token (github or gitlab)
+ # # Default for github is "https://github.com///releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+ # # Default for gitlab is "https://gitlab.com///uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
+ # # Default for gitea is "https://gitea.com///releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+ # url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+ #
+ # # Repository to push the app manifest to.
+ # bucket:
+ # owner: smallstep
+ # name: scoop-bucket
+ #
+ # # Git author used to commit to the repository.
+ # # Defaults are shown.
+ # commit_author:
+ # name: goreleaserbot
+ # email: goreleaser@smallstep.com
+ #
+ # # The project name and current git tag are used in the format string.
+ # commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
+ #
+ # # Your app's homepage.
+ # # Default is empty.
+ # homepage: "https://smallstep.com/docs/step-ca"
+ #
+ # # Skip uploads for prerelease.
+ # skip_upload: auto
+ #
+ # # Your app's description.
+ # # Default is empty.
+ # description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
+ #
+ # # Your app's license
+ # # Default is empty.
+ # license: "Apache-2.0"
+
+ #dockers:
+ # - dockerfile: docker/Dockerfile
+ # goos: linux
+ # goarch: amd64
+ # use_buildx: true
+ # image_templates:
+ # - "smallstep/step-cli:latest"
+ # - "smallstep/step-cli:{{ .Tag }}"
+ # build_flag_templates:
+ # - "--platform=linux/amd64"
+ # - dockerfile: docker/Dockerfile
+ # goos: linux
+ # goarch: 386
+ # use_buildx: true
+ # image_templates:
+ # - "smallstep/step-cli:latest"
+ # - "smallstep/step-cli:{{ .Tag }}"
+ # build_flag_templates:
+ # - "--platform=linux/386"
+ # - dockerfile: docker/Dockerfile
+ # goos: linux
+ # goarch: arm
+ # goarm: 7
+ # use_buildx: true
+ # image_templates:
+ # - "smallstep/step-cli:latest"
+ # - "smallstep/step-cli:{{ .Tag }}"
+ # build_flag_templates:
+ # - "--platform=linux/arm/v7"
+ # - dockerfile: docker/Dockerfile
+ # goos: linux
+ # goarch: arm64
+ # use_buildx: true
+ # image_templates:
+ # - "smallstep/step-cli:latest"
+ # - "smallstep/step-cli:{{ .Tag }}"
+ # build_flag_templates:
+ # - "--platform=linux/arm64/v8"
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index fcf73d2d..00000000
--- a/.travis.yml
+++ /dev/null
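Review bot: `prerelease: false` is hard-coded under `release:` although the comment directly above documents `auto`, and release.yml separately derives a pre-release flag from the `-rc` suffix; if goreleaser edits the release that `create_release` already made for the tag, an rc build could be re-flagged as a production release, so set `prerelease: auto` to keep the two in agreement. `draft: true` here likewise contradicts `draft: false` in the workflow; decide this in one place. `checksum:` emits `checksums.txt` but nothing signs it, so a downloader can detect corruption but not a swapped artifact; a `signs:` stanza (gpg or cosign over the checksum file) would give the published binaries a verifiable origin. The commented-out `dockers:` block still names `smallstep/step-cli` images while `project_name` is `step-ca`; correct or delete it so it is not uncommented as-is later.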
@@ -1,37 +0,0 @@
-language: go
-os: linux
-dist: focal
-services:
- - docker
-go:
- - 1.14.x
-addons:
- apt:
- packages:
- - debhelper
- - fakeroot
- - bash-completion
- - libpcsclite-dev
-env:
- global:
- - V=1
-before_script:
- - make bootstrap
-script:
- - make travis
- - make artifacts
-after_success:
- - bash <(curl -s https://codecov.io/bash) -t "$CODECOV_TOKEN" || echo "Codecov did
- not collect coverage reports"
-notifications:
- email: false
-deploy:
- provider: releases
- skip_cleanup: true
- token:
- secure: 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
- file_glob: true
- file: .travis-releases/*
- on:
- repo: smallstep/certificates
- tags: true
diff --git a/Makefile b/Makefile
index c9b453e1..37539348 100644
--- a/Makefile
+++ b/Makefile
@@ -18,9 +18,9 @@ OUTPUT_ROOT=output/
 all: lint test build
-travis: lintcgo testcgo build
+ci: lintcgo testcgo build
-.PHONY: all travis
+.PHONY: all ci
 #########################################
 # Bootstrapping
@@ -39,6 +39,15 @@ bootstra%:
 # If TRAVIS_TAG is set then we know this ref has been tagged.
 ifdef TRAVIS_TAG
 VERSION := $(TRAVIS_TAG)
+NOT_RC := $(shell echo $(VERSION) | grep -v -e -rc)
+ ifeq ($(NOT_RC),)
+PUSHTYPE := release-candidate
+ else
+PUSHTYPE := release
+ endif
+# GITHUB Actions
+else ifdef GITHUB_REF
+VERSION := $(shell echo $(GITHUB_REF) | sed 's/^refs\/tags\///')
 NOT_RC := $(shell echo $(VERSION) | grep -v -e -rc)
 ifeq ($(NOT_RC),)
 PUSHTYPE := release-candidate
@@ -62,6 +71,7 @@ DEB_VERSION := $(shell echo $(VERSION) | sed 's/-/~/g')
 ifdef V
 $(info TRAVIS_TAG is $(TRAVIS_TAG))
+$(info GITHUB_REF is $(GITHUB_REF))
 $(info VERSION is $(VERSION))
 $(info DEB_VERSION is $(DEB_VERSION))
 $(info PUSHTYPE is $(PUSHTYPE))
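Review bot: The new `else ifdef GITHUB_REF` branch treats every GitHub Actions run as a tagged build, but `GITHUB_REF` is also set on branch and pull-request runs (test.yml invokes `make ci` on `refs/heads/...`), where the `sed` leaves the ref untouched, `VERSION` becomes e.g. `refs/heads/master`, and since that contains no `-rc` `PUSHTYPE` resolves to `release`; the `TRAVIS_TAG` guard it mirrors only ever fired on tags. Gate on the ref actually being a tag, e.g. `else ifneq (,$(findstring refs/tags/,$(GITHUB_REF)))` with `VERSION := $(patsubst refs/tags/%,%,$(GITHUB_REF))`, so untagged runs fall through to the existing non-tag branch. The `NOT_RC`/`ifeq`/`PUSHTYPE` block is now duplicated verbatim in both arms; computing it once after the `endif` would remove the copy. The conditional chain this hunk extends begins before and ends after the hunk.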
@@ -266,39 +276,10 @@ bundle-darwin: binary-darwin
 .PHONY: binary-linux binary-darwin bundle-linux bundle-darwin
-#################################################
-# Targets for creating OS specific artifacts and archives
-#################################################
-
-artifacts-linux-tag: bundle-linux debian
-
-artifacts-darwin-tag: bundle-darwin
-
-artifacts-archive-tag:
- $Q mkdir -p $(RELEASE)
- $Q git archive v$(VERSION) | gzip > $(RELEASE)/step-certificates_$(VERSION).tar.gz
-
-artifacts-tag: artifacts-linux-tag artifacts-darwin-tag artifacts-archive-tag
-
-.PHONY: artifacts-linux-tag artifacts-darwin-tag artifacts-archive-tag artifacts-tag
 #################################################
 # Targets for creating step artifacts
 #################################################
-# For all builds that are not tagged and not on the master branch
-artifacts-branch:
+docker-artifacts: docker-$(PUSHTYPE)
-# For all builds that are not tagged
-artifacts-master:
-
-# For all builds with a release-candidate (-rc) tag
-artifacts-release-candidate: artifacts-tag
-
-# For all builds with a release tag
-artifacts-release: artifacts-tag
-
-# This command is called by travis directly *after* a successful build
-artifacts: artifacts-$(PUSHTYPE) docker-$(PUSHTYPE)
-
-.PHONY: artifacts-master artifacts-release-candidate artifacts-release artifacts
+.PHONY: docker-artifacts
diff --git a/api/api.go b/api/api.go
index 699092a7..2ae6e6e8 100644
--- a/api/api.go
+++ b/api/api.go
@@ -3,7 +3,7 @@ package api
 import (
 "context"
 "crypto"
- "crypto/dsa"
+ "crypto/dsa" //nolint
 "crypto/ecdsa"
 "crypto/rsa"
 "crypto/x509"
diff --git a/api/api_test.go b/api/api_test.go
index 190e5a2a..944927ff 100644
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -4,7 +4,7 @@ import (
 "bytes"
 "context"
 "crypto"
- "crypto/dsa"
+ "crypto/dsa" //nolint
 "crypto/ecdsa"
 "crypto/elliptic"
 "crypto/rand"
diff --git a/distribution.md b/distribution.md
index 5e3e4727..703be042 100644
--- a/distribution.md
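Review bot: The bare `//nolint` on the `"crypto/dsa"` import silences every linter for that line rather than the one that fired (presumably staticcheck's deprecation check for package dsa) and records no reason why the deprecated package is still imported. Prefer the scoped form with a justification, e.g. `"crypto/dsa" //nolint:staticcheck // deprecated upstream; still referenced by this package`, wording the reason to match the actual use of dsa in this file, which lies outside the hunk. The identical line in api_test.go deserves the same treatment.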
+++ b/distribution.md
@@ -16,7 +16,6 @@ e.g. `v1.0.2` `-rc*` suffix. e.g. `v1.0.2-rc` or `v1.0.2-rc.4` --- - 1. **Tag it!** 1. Find the most recent tag.
diff --git a/kms/softkms/softkms_test.go b/kms/softkms/softkms_test.go
index 11c0cdd1..607a5a51 100644
--- a/kms/softkms/softkms_test.go
+++ b/kms/softkms/softkms_test.go
@@ -83,7 +83,7 @@ func TestSoftKMS_CreateSigner(t *testing.T) {
 t.Fatal(err)
 }
 block, _ := pem.Decode(b)
- block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass"))
+ block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass")) //nolint
 if err != nil {
 t.Fatal(err)
 }
diff --git a/kms/sshagentkms/sshagentkms_test.go b/kms/sshagentkms/sshagentkms_test.go
index 4c572530..30edd5d1 100644
--- a/kms/sshagentkms/sshagentkms_test.go
+++ b/kms/sshagentkms/sshagentkms_test.go
@@ -295,7 +295,7 @@ func TestSSHAgentKMS_CreateSigner(t *testing.T) {
 t.Fatal(err)
 }
 block, _ := pem.Decode(b)
- block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass"))
+ block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass")) //nolint
 if err != nil {
 t.Fatal(err)
 }
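Review bot: `x509.DecryptPEMBlock` is deprecated in the Go standard library because the legacy PEM encryption it implements is documented as insecure, which is presumably what the linter flagged; the bare `//nolint` hides that for every linter and gives no reason. Scope it and say why, e.g. `//nolint:staticcheck // decrypts a legacy encrypted PEM test fixture; test-only`, so a reader can tell this is fixture handling and not a production code path that should be migrated. The same line and suppression are added to sshagentkms_test.go in this commit; if both tests load the same fixture, a shared test helper would keep the suppression in one place. Both enclosing test functions start and end outside their hunks.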