forked from TrueCloudLab/certificates
[action] updates and first pass at goreleaser deb
This commit is contained in:
parent
8139179084
commit
485427ef47
5 changed files with 192 additions and 145 deletions
6
.github/workflows/ci.yml
vendored
6
.github/workflows/ci.yml
vendored
|
@ -8,9 +8,6 @@ on:
|
|||
- "master"
|
||||
pull_request:
|
||||
workflow_call:
|
||||
secrets:
|
||||
GITLEAKS_LICENSE_KEY:
|
||||
required: true
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
|
||||
|
@ -23,5 +20,4 @@ jobs:
|
|||
os-dependencies: "libpcsclite-dev"
|
||||
run-gitleaks: true
|
||||
run-codeql: true
|
||||
secrets:
|
||||
GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}
|
||||
secrets: inherit
|
||||
|
|
84
.github/workflows/release.yml
vendored
84
.github/workflows/release.yml
vendored
|
@ -8,25 +8,17 @@ on:
|
|||
|
||||
jobs:
|
||||
ci:
|
||||
uses: smallstep/certificates/.github/workflows/ci.yml@main
|
||||
uses: smallstep/certificates/.github/workflows/ci.yml@master
|
||||
secrets: inherit
|
||||
|
||||
create_release:
|
||||
name: Create Release
|
||||
needs: ci
|
||||
#needs: ci
|
||||
runs-on: ubuntu-20.04
|
||||
outputs:
|
||||
debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }}
|
||||
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
|
||||
steps:
|
||||
-
|
||||
name: Extract Tag Names
|
||||
id: extract-tag
|
||||
run: |
|
||||
DEB_VERSION=$(echo ${GITHUB_REF#refs/tags/v} | sed 's/-/./')
|
||||
echo "::set-output name=DEB_VERSION::${DEB_VERSION}"
|
||||
-
|
||||
name: Is Pre-release
|
||||
- name: Is Pre-release
|
||||
id: is_prerelease
|
||||
run: |
|
||||
set +e
|
||||
|
@ -34,8 +26,7 @@ jobs:
|
|||
OUT=$?
|
||||
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
|
||||
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
|
||||
-
|
||||
name: Create Release
|
||||
- name: Create Release
|
||||
id: create_release
|
||||
uses: actions/create-release@v1
|
||||
env:
|
||||
|
@ -51,54 +42,33 @@ jobs:
|
|||
runs-on: ubuntu-20.04
|
||||
needs: create_release
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
with:
|
||||
fetch-depth: 0
|
||||
-
|
||||
name: Set up Go
|
||||
uses: actions/setup-go@v2
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: 1.19
|
||||
-
|
||||
name: APT Install
|
||||
id: aptInstall
|
||||
run: sudo apt-get -y install build-essential debhelper fakeroot
|
||||
-
|
||||
name: Build Debian package
|
||||
id: make_debian
|
||||
run: |
|
||||
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
|
||||
make debian
|
||||
# need to restore the git state otherwise goreleaser fails due to dirty state
|
||||
git restore debian/changelog
|
||||
git clean -fd
|
||||
-
|
||||
name: Install cosign
|
||||
uses: sigstore/cosign-installer@v1.1.0
|
||||
check-latest: true
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v2.7.0
|
||||
with:
|
||||
cosign-release: 'v1.1.0'
|
||||
-
|
||||
name: Write cosign key to disk
|
||||
cosign-release: 'v1.12.1'
|
||||
- name: Write cosign key to disk
|
||||
id: write_key
|
||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
||||
-
|
||||
name: Get Release Date
|
||||
- name: Get Release Date
|
||||
id: release_date
|
||||
run: |
|
||||
RELEASE_DATE=$(date +"%y-%m-%d")
|
||||
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
|
||||
-
|
||||
name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
|
||||
- name: Run GoReleaser
|
||||
uses: goreleaser/goreleaser-action@v3
|
||||
with:
|
||||
version: 'v1.7.0'
|
||||
version: 'latest'
|
||||
args: release --rm-dist
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.PAT }}
|
||||
COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
|
||||
DEB_VERSION: ${{ needs.create_release.outputs.debversion }}
|
||||
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
|
||||
|
||||
build_upload_docker:
|
||||
|
@ -106,25 +76,21 @@ jobs:
|
|||
runs-on: ubuntu-20.04
|
||||
needs: ci
|
||||
steps:
|
||||
-
|
||||
name: Checkout
|
||||
uses: actions/checkout@v2
|
||||
-
|
||||
name: Setup Go
|
||||
uses: actions/setup-go@v2
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
- name: Setup Go
|
||||
uses: actions/setup-go@v3
|
||||
with:
|
||||
go-version: '1.19'
|
||||
-
|
||||
name: Install cosign
|
||||
check-latest: true
|
||||
- name: Install cosign
|
||||
uses: sigstore/cosign-installer@v1.1.0
|
||||
with:
|
||||
cosign-release: 'v1.1.0'
|
||||
-
|
||||
name: Write cosign key to disk
|
||||
- name: Write cosign key to disk
|
||||
id: write_key
|
||||
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
|
||||
-
|
||||
name: Build
|
||||
- name: Build
|
||||
id: build
|
||||
run: |
|
||||
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
|
||||
|
|
179
.goreleaser.yml
179
.goreleaser.yml
|
@ -14,61 +14,79 @@ builds:
|
|||
- CGO_ENABLED=0
|
||||
targets:
|
||||
- darwin_amd64
|
||||
- darwin_arm64
|
||||
- freebsd_amd64
|
||||
- linux_386
|
||||
- linux_amd64
|
||||
- linux_arm64
|
||||
- linux_arm_5
|
||||
- linux_arm_6
|
||||
- linux_arm_7
|
||||
- windows_amd64
|
||||
#- darwin_arm64
|
||||
#- freebsd_amd64
|
||||
#- linux_386
|
||||
#- linux_amd64
|
||||
#- linux_arm64
|
||||
#- linux_arm_5
|
||||
#- linux_arm_6
|
||||
#- linux_arm_7
|
||||
#- windows_amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
main: ./cmd/step-ca/main.go
|
||||
binary: bin/step-ca
|
||||
ldflags:
|
||||
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
||||
#-
|
||||
# id: step-cloudkms-init
|
||||
# env:
|
||||
# - CGO_ENABLED=0
|
||||
# targets:
|
||||
# - darwin_amd64
|
||||
# - darwin_arm64
|
||||
# - freebsd_amd64
|
||||
# - linux_386
|
||||
# - linux_amd64
|
||||
# - linux_arm64
|
||||
# - linux_arm_5
|
||||
# - linux_arm_6
|
||||
# - linux_arm_7
|
||||
# - windows_amd64
|
||||
# flags:
|
||||
# - -trimpath
|
||||
# main: ./cmd/step-cloudkms-init/main.go
|
||||
# binary: bin/step-cloudkms-init
|
||||
# ldflags:
|
||||
# - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
||||
#-
|
||||
# id: step-awskms-init
|
||||
# env:
|
||||
# - CGO_ENABLED=0
|
||||
# targets:
|
||||
# - darwin_amd64
|
||||
# - darwin_arm64
|
||||
# - freebsd_amd64
|
||||
# - linux_386
|
||||
# - linux_amd64
|
||||
# - linux_arm64
|
||||
# - linux_arm_5
|
||||
# - linux_arm_6
|
||||
# - linux_arm_7
|
||||
# - windows_amd64
|
||||
# flags:
|
||||
# - -trimpath
|
||||
# main: ./cmd/step-awskms-init/main.go
|
||||
# binary: bin/step-awskms-init
|
||||
# ldflags:
|
||||
# - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
||||
-
|
||||
id: step-cloudkms-init
|
||||
# This build is specifically for nFPM targets (.deb and .rpm files).
|
||||
# It's exactly the same as the default build above, except:
|
||||
# - it only builds the archs we want to produce .deb and .rpm files for
|
||||
# - the name of the output binary is step-cli
|
||||
id: nfpm
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
targets:
|
||||
- darwin_amd64
|
||||
- darwin_arm64
|
||||
- freebsd_amd64
|
||||
- linux_386
|
||||
- linux_amd64
|
||||
- linux_arm64
|
||||
- linux_arm_5
|
||||
- linux_arm_6
|
||||
- linux_arm_7
|
||||
- windows_amd64
|
||||
goos:
|
||||
- linux
|
||||
goarch:
|
||||
- amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
main: ./cmd/step-cloudkms-init/main.go
|
||||
binary: bin/step-cloudkms-init
|
||||
ldflags:
|
||||
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
||||
-
|
||||
id: step-awskms-init
|
||||
env:
|
||||
- CGO_ENABLED=0
|
||||
targets:
|
||||
- darwin_amd64
|
||||
- darwin_arm64
|
||||
- freebsd_amd64
|
||||
- linux_386
|
||||
- linux_amd64
|
||||
- linux_arm64
|
||||
- linux_arm_5
|
||||
- linux_arm_6
|
||||
- linux_arm_7
|
||||
- windows_amd64
|
||||
flags:
|
||||
- -trimpath
|
||||
main: ./cmd/step-awskms-init/main.go
|
||||
binary: bin/step-awskms-init
|
||||
main: ./cmd/step-ca/main.go
|
||||
binary: step-ca
|
||||
ldflags:
|
||||
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
|
||||
|
||||
|
@ -85,6 +103,41 @@ archives:
|
|||
files:
|
||||
- README.md
|
||||
- LICENSE
|
||||
allow_different_binary_count: true
|
||||
|
||||
nfpms:
|
||||
# Configure nFPM for .deb and .rpm releases
|
||||
#
|
||||
# See https://nfpm.goreleaser.com/configuration/
|
||||
# and https://goreleaser.com/customization/nfpm/
|
||||
#
|
||||
# Useful tools for debugging .debs:
|
||||
# List file contents: dpkg -c dist/step_...deb
|
||||
# Package metadata: dpkg --info dist/step_....deb
|
||||
#
|
||||
-
|
||||
builds:
|
||||
- nfpm
|
||||
package_name: step-ca
|
||||
file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
|
||||
vendor: Smallstep Labs
|
||||
homepage: https://github.com/smallstep/certificates
|
||||
maintainer: Smallstep <techadmin@smallstep.com>
|
||||
description: >
|
||||
step-ca is an online certificate authority for secure, automated certificate management.
|
||||
license: Apache 2.0
|
||||
section: utils
|
||||
formats:
|
||||
- deb
|
||||
- rpm
|
||||
priority: optional
|
||||
bindir: /usr/bin
|
||||
contents:
|
||||
- src: debian/copyright
|
||||
dst: /usr/share/doc/step-ca/copyright
|
||||
scripts:
|
||||
postinstall: scripts/postinstall.sh
|
||||
postremove: scripts/postremove.sh
|
||||
|
||||
source:
|
||||
enabled: true
|
||||
|
@ -98,7 +151,7 @@ checksum:
|
|||
signs:
|
||||
- cmd: cosign
|
||||
stdin: '{{ .Env.COSIGN_PWD }}'
|
||||
args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"]
|
||||
args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
|
||||
artifacts: all
|
||||
|
||||
snapshot:
|
||||
|
@ -194,39 +247,3 @@ release:
|
|||
# - glob: ./path/to/file.txt
|
||||
# - glob: ./glob/**/to/**/file/**/*
|
||||
# - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
|
||||
|
||||
scoop:
|
||||
# Template for the url which is determined by the given Token (github or gitlab)
|
||||
# Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
|
||||
# Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
|
||||
# Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
|
||||
url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
|
||||
|
||||
# Repository to push the app manifest to.
|
||||
bucket:
|
||||
owner: smallstep
|
||||
name: scoop-bucket
|
||||
|
||||
# Git author used to commit to the repository.
|
||||
# Defaults are shown.
|
||||
commit_author:
|
||||
name: goreleaserbot
|
||||
email: goreleaser@smallstep.com
|
||||
|
||||
# The project name and current git tag are used in the format string.
|
||||
commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
|
||||
|
||||
# Your app's homepage.
|
||||
# Default is empty.
|
||||
homepage: "https://smallstep.com/docs/step-ca"
|
||||
|
||||
# Skip uploads for prerelease.
|
||||
skip_upload: auto
|
||||
|
||||
# Your app's description.
|
||||
# Default is empty.
|
||||
description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
|
||||
|
||||
# Your app's license
|
||||
# Default is empty.
|
||||
license: "Apache-2.0"
|
||||
|
|
34
scripts/postinstall.sh
Normal file
34
scripts/postinstall.sh
Normal file
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
|
||||
updateAlternatives() {
|
||||
update-alternatives --install /usr/bin/step-ca step-ca /usr/bin/step-ca 50
|
||||
}
|
||||
|
||||
cleanInstall() {
|
||||
updateAlternatives
|
||||
updateCompletion
|
||||
}
|
||||
|
||||
upgrade() {
|
||||
updateAlternatives
|
||||
updateCompletion
|
||||
}
|
||||
|
||||
action="$1"
|
||||
if [ "$1" = "configure" ] && [ -z "$2" ]; then
|
||||
action="install"
|
||||
elif [ "$1" = "configure" ] && [ -n "$2" ]; then
|
||||
action="upgrade"
|
||||
fi
|
||||
|
||||
case "$action" in
|
||||
"1" | "install")
|
||||
cleanInstall
|
||||
;;
|
||||
"2" | "upgrade")
|
||||
upgrade
|
||||
;;
|
||||
*)
|
||||
cleanInstall
|
||||
;;
|
||||
esac
|
34
scripts/postremove.sh
Normal file
34
scripts/postremove.sh
Normal file
|
@ -0,0 +1,34 @@
|
|||
#!/bin/sh
|
||||
|
||||
removeAlternatives() {
|
||||
update-alternatives --remove step /usr/bin/step-ca
|
||||
}
|
||||
|
||||
upgrade() {
|
||||
:
|
||||
}
|
||||
|
||||
remove() {
|
||||
removeAlternatives
|
||||
}
|
||||
|
||||
action="$1"
|
||||
if [ "$1" = "remove" ]; then
|
||||
action="remove"
|
||||
elif [ "$1" = "upgrade" ] && [ -n "$2" ]; then
|
||||
action="upgrade"
|
||||
elif [ "$1" = "disappear" ]; then
|
||||
action="remove"
|
||||
fi
|
||||
|
||||
case "$action" in
|
||||
"0" | "remove")
|
||||
remove
|
||||
;;
|
||||
"1" | "upgrade")
|
||||
upgrade
|
||||
;;
|
||||
*)
|
||||
remove
|
||||
;;
|
||||
esac
|
Loading…
Reference in a new issue