mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

[action] updates and first pass at goreleaser deb

Browse source
This commit is contained in:
max furman 2022-10-01 11:03:14 -07:00
parent 8139179084
commit 579a436ebb
No known key found for this signature in database
3 changed files with 83 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.github/workflows/ci.yml vendored
View file

@ -8,9 +8,6 @@ on:
- "master" - "master"
pull_request: pull_request:
workflow_call: workflow_call:
secrets:
GITLEAKS_LICENSE_KEY:
required: true
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@ -23,5 +20,4 @@ jobs:
os-dependencies: "libpcsclite-dev" os-dependencies: "libpcsclite-dev"
run-gitleaks: true run-gitleaks: true
run-codeql: true run-codeql: true
secrets: secrets: inherit
GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}

84
.github/workflows/release.yml vendored
View file

@ -8,25 +8,17 @@ on:
jobs: jobs:
ci: ci:
uses: smallstep/certificates/.github/workflows/ci.yml@main uses: smallstep/certificates/.github/workflows/ci.yml@master
secrets: inherit secrets: inherit
create_release: create_release:
name: Create Release name: Create Release
needs: ci #needs: ci
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
outputs: outputs:
debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }}
is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
steps: steps:
- - name: Is Pre-release
name: Extract Tag Names
id: extract-tag
run: |
DEB_VERSION=$(echo ${GITHUB_REF#refs/tags/v} | sed 's/-/./')
echo "::set-output name=DEB_VERSION::${DEB_VERSION}"
-
name: Is Pre-release
id: is_prerelease id: is_prerelease
run: | run: |
set +e set +e
@ -34,8 +26,7 @@ jobs:
OUT=$? OUT=$?
if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
- - name: Create Release
name: Create Release
id: create_release id: create_release
uses: actions/create-release@v1 uses: actions/create-release@v1
env: env:
@ -51,54 +42,33 @@ jobs:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: create_release needs: create_release
steps: steps:
- - name: Checkout
name: Checkout uses: actions/checkout@v3
uses: actions/checkout@v2 - name: Set up Go
with: uses: actions/setup-go@v3
fetch-depth: 0
-
name: Set up Go
uses: actions/setup-go@v2
with: with:
go-version: 1.19 go-version: 1.19
- check-latest: true
name: APT Install - name: Install cosign
id: aptInstall uses: sigstore/cosign-installer@v2.7.0
run: sudo apt-get -y install build-essential debhelper fakeroot
-
name: Build Debian package
id: make_debian
run: |
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
make debian
# need to restore the git state otherwise goreleaser fails due to dirty state
git restore debian/changelog
git clean -fd
-
name: Install cosign
uses: sigstore/cosign-installer@v1.1.0
with: with:
cosign-release: 'v1.1.0' cosign-release: 'v1.12.1'
- - name: Write cosign key to disk
name: Write cosign key to disk
id: write_key id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- - name: Get Release Date
name: Get Release Date
id: release_date id: release_date
run: | run: |
RELEASE_DATE=$(date +"%y-%m-%d") RELEASE_DATE=$(date +"%y-%m-%d")
echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}"
- - name: Run GoReleaser
name: Run GoReleaser uses: goreleaser/goreleaser-action@v3
uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0
with: with:
version: 'v1.7.0' version: 'latest'
args: release --rm-dist args: release --rm-dist
env: env:
GITHUB_TOKEN: ${{ secrets.PAT }} GITHUB_TOKEN: ${{ secrets.PAT }}
COSIGN_PWD: ${{ secrets.COSIGN_PWD }} COSIGN_PWD: ${{ secrets.COSIGN_PWD }}
DEB_VERSION: ${{ needs.create_release.outputs.debversion }}
RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }}
build_upload_docker: build_upload_docker:
@ -106,25 +76,21 @@ jobs:
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
needs: ci needs: ci
steps: steps:
- - name: Checkout
name: Checkout uses: actions/checkout@v3
uses: actions/checkout@v2 - name: Setup Go
- uses: actions/setup-go@v3
name: Setup Go
uses: actions/setup-go@v2
with: with:
go-version: '1.19' go-version: '1.19'
- check-latest: true
name: Install cosign - name: Install cosign
uses: sigstore/cosign-installer@v1.1.0 uses: sigstore/cosign-installer@v1.1.0
with: with:
cosign-release: 'v1.1.0' cosign-release: 'v1.1.0'
- - name: Write cosign key to disk
name: Write cosign key to disk
id: write_key id: write_key
run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key"
- - name: Build
name: Build
id: build id: build
run: | run: |
PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin

58
.goreleaser.yml
View file

@ -71,6 +71,24 @@ builds:
binary: bin/step-awskms-init binary: bin/step-awskms-init
ldflags: ldflags:
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
-
# This build is specifically for nFPM targets (.deb and .rpm files).
# It's exactly the same as the default build above, except:
# - it only builds the archs we want to produce .deb and .rpm files for
# - the name of the output binary is step-cli
id: nfpm
env:
- CGO_ENABLED=0
goos:
- linux
goarch:
- amd64
flags:
- -trimpath
main: ./cmd/step-ca/main.go
binary: bin/step-ca
ldflags:
- -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
archives: archives:
- -
@ -85,6 +103,44 @@ archives:
files: files:
- README.md - README.md
- LICENSE - LICENSE
allow_different_binary_count: true
nfpms:
# Configure nFPM for .deb and .rpm releases
#
# See https://nfpm.goreleaser.com/configuration/
# and https://goreleaser.com/customization/nfpm/
#
# Useful tools for debugging .debs:
# List file contents: dpkg -c dist/step_...deb
# Package metadata: dpkg --info dist/step_....deb
#
-
builds:
- nfpm
package_name: step-ca
file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
vendor: Smallstep Labs
homepage: https://github.com/smallstep/certificates
maintainer: Smallstep <techadmin@smallstep.com>
description: >
step-ca is an online certificate authority for secure, automated certificate management.
license: Apache 2.0
section: utils
formats:
- deb
- rpm
priority: optional
bindir: /usr/bin
contents:
- src: debian/copyright
dst: /usr/share/doc/step-ca/copyright
# Ghost files are used for RPM and ignored elsewhere
- dst: /usr/bin/step-ca
type: ghost
scripts:
postinstall: scripts/postinstall.sh
postremove: scripts/postremove.sh
source: source:
enabled: true enabled: true
@ -98,7 +154,7 @@ checksum:
signs: signs:
- cmd: cosign - cmd: cosign
stdin: '{{ .Env.COSIGN_PWD }}' stdin: '{{ .Env.COSIGN_PWD }}'
args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"] args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"]
artifacts: all artifacts: all
snapshot: snapshot: