Merge pull request #485 from smallstep/max/actions

Convert to github actions

.github/workflows/release.yml

@@ -0,0 +1,146 @@
+name: Create Release & Upload Assets
+
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+    - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+jobs:
+  test:
+    name: Lint, Test, Build
+    runs-on: ubuntu-20.04
+    outputs:
+      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.8'
+      -
+        name: Install Deps
+        id: install-deps
+        run: sudo apt-get -y install libpcsclite-dev
+      -
+        name: Lint, Test, Build
+        id: lint_test_build
+        run: V=1 make -j1 bootstrap ci
+      -
+        name: Is Pre-release
+        id: is_prerelease
+        run: |
+          set +e
+          echo ${{ github.ref }} | grep "\-rc.*"
+          OUT=$?
+          if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
+          echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+
+  create_release:
+    name: Create Release
+    needs: test
+    runs-on: ubuntu-20.04
+    outputs:
+      is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+    steps:
+      -
+        name: Is Pre-release
+        id: is_prerelease
+        run: |
+          set +e
+          echo ${{ github.ref }} | grep "\-rc.*"
+          OUT=$?
+          if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
+          echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}"
+      -
+        name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }}
+
+  goreleaser:
+    name: Upload Assets To Github w/ goreleaser
+    runs-on: ubuntu-20.04
+    needs: create_release
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@56f5b77f7fa4a8fe068bf22b732ec036cc9bc13f # v2.4.1
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.PAT }}
+
+  release_deb:
+    name: Build & Upload Debian Package To Github
+    runs-on: ubuntu-20.04
+    needs: create_release
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.8'
+      -
+        name: APT Install
+        id: aptInstall
+        run: sudo apt-get -y install build-essential debhelper fakeroot
+      -
+        name: Build Debian package
+        id: build
+        run: |
+          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
+          make debian
+      -
+        name: Upload Debian Package
+        id: upload_deb
+        run: |
+          tag_name="${GITHUB_REF##*/}"
+          hub release edit $(find ./.releases -type f -printf "-a %p ") -m "" "$tag_name"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  build_upload_docker:
+    name: Build & Upload Docker Images
+    runs-on: ubuntu-20.04
+    needs: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.8'
+      - name: Build
+        id: build
+        run: |
+          PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin
+          make docker-artifacts
+        env:
+          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}

.github/workflows/test.yml

@@ -0,0 +1,34 @@
+name: Lint, Test, Build
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "**"
+  pull_request:
+
+jobs:
+  lintTestBuild:
+    name: Lint, Test, Build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '^1.15.6'
+      - name: Install Deps
+        id: install-deps
+        run: sudo apt-get -y install libpcsclite-dev
+      - name: Lint, Test, Build
+        id: lintTestBuild
+        run: V=1 make -j1 bootstrap ci
+      - name: Codecov
+        uses: codecov/codecov-action@v1.2.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }} # not required for public repos
+          file: ./coverage.out # optional
+          name: codecov-umbrella # optional
+          fail_ci_if_error: true # optional (default = false)

.goreleaser.yml

@@ -0,0 +1,200 @@
+# This is an example .goreleaser.yml file with some sane defaults.
+# Make sure to check the documentation at http://goreleaser.com
+project_name: step-ca
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod download
+builds:
+  -
+    id: step-ca
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm
+      - arm64
+      - 386
+    goarm:
+      - 7
+    flags:
+      - -trimpath
+    main: ./cmd/step-ca/main.go
+    binary: bin/step-ca
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    id: step-cloudkms-init
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm
+      - arm64
+      - 386
+    goarm:
+      - 7
+    flags:
+      - -trimpath
+    main: ./cmd/step-cloudkms-init/main.go
+    binary: bin/step-cloudkms-init
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+  -
+    id: step-awskms-init
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - darwin
+    goarch:
+      - amd64
+      - arm
+      - arm64
+      - 386
+    goarm:
+      - 7
+    flags:
+      - -trimpath
+    main: ./cmd/step-awskms-init/main.go
+    binary: bin/step-awskms-init
+    ldflags:
+      - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}}
+archives:
+  -
+    # Can be used to change the archive formats for specific GOOSs.
+    # Most common use case is to archive as zip on Windows.
+    # Default is empty.
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    wrap_in_directory: "{{ .ProjectName }}_{{ .Version }}"
+    files:
+      - README.md
+      - LICENSE
+source:
+  enabled: true
+  name_template: '{{ .ProjectName }}_{{ .Version }}'
+checksum:
+  name_template: 'checksums.txt'
+snapshot:
+  name_template: "{{ .Tag }}-next"
+release:
+  # Repo in which the release will be created.
+  # Default is extracted from the origin remote URL or empty if its private hosted.
+  # Note: it can only be one: either github, gitlab or gitea
+  github:
+    owner: smallstep
+    name: certificates
+
+  # IDs of the archives to use.
+  # Defaults to all.
+  #ids:
+  #  - foo
+  #  - bar
+
+  # If set to true, will not auto-publish the release.
+  # Default is false.
+  draft: true
+
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  # If set to true, will mark the release as not ready for production.
+  # Default is false.
+  prerelease: false
+
+  # You can change the name of the release.
+  # Default is `{{.Tag}}`
+  #name_template: "{{.ProjectName}}-v{{.Version}} {{.Env.USER}}"
+
+  # You can disable this pipe in order to not upload any artifacts.
+  # Defaults to false.
+  #disable: true
+
+  # You can add extra pre-existing files to the release.
+  # The filename on the release will be the last part of the path (base). If
+  # another file with the same name exists, the latest one found will be used.
+  # Defaults to empty.
+  #extra_files:
+  #  - glob: ./path/to/file.txt
+  #  - glob: ./glob/**/to/**/file/**/*
+  #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
+
+  #scoop:
+  #  # Template for the url which is determined by the given Token (github or gitlab)
+  #  # Default for github is "https://github.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  #  # Default for gitlab is "https://gitlab.com/<repo_owner>/<repo_name>/uploads/{{ .ArtifactUploadHash }}/{{ .ArtifactName }}"
+  #  # Default for gitea is "https://gitea.com/<repo_owner>/<repo_name>/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  #  url_template: "http://github.com/smallstep/certificates/releases/download/{{ .Tag }}/{{ .ArtifactName }}"
+  #
+  #  # Repository to push the app manifest to.
+  #  bucket:
+  #    owner: smallstep
+  #    name: scoop-bucket
+  #
+  #  # Git author used to commit to the repository.
+  #  # Defaults are shown.
+  #  commit_author:
+  #    name: goreleaserbot
+  #    email: goreleaser@smallstep.com
+  #
+  #  # The project name and current git tag are used in the format string.
+  #  commit_msg_template: "Scoop update for {{ .ProjectName }} version {{ .Tag }}"
+  #
+  #  # Your app's homepage.
+  #  # Default is empty.
+  #  homepage: "https://smallstep.com/docs/step-ca"
+  #
+  #  # Skip uploads for prerelease.
+  #  skip_upload: auto
+  #
+  #  # Your app's description.
+  #  # Default is empty.
+  #  description: "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH."
+  #
+  #  # Your app's license
+  #  # Default is empty.
+  #  license: "Apache-2.0"
+
+  #dockers:
+  #  - dockerfile: docker/Dockerfile
+  #    goos: linux
+  #    goarch: amd64
+  #    use_buildx: true
+  #    image_templates:
+  #    - "smallstep/step-cli:latest"
+  #    - "smallstep/step-cli:{{ .Tag }}"
+  #    build_flag_templates:
+  #    - "--platform=linux/amd64"
+  #  - dockerfile: docker/Dockerfile
+  #    goos: linux
+  #    goarch: 386
+  #    use_buildx: true
+  #    image_templates:
+  #    - "smallstep/step-cli:latest"
+  #    - "smallstep/step-cli:{{ .Tag }}"
+  #    build_flag_templates:
+  #    - "--platform=linux/386"
+  #  - dockerfile: docker/Dockerfile
+  #    goos: linux
+  #    goarch: arm
+  #    goarm: 7
+  #    use_buildx: true
+  #    image_templates:
+  #    - "smallstep/step-cli:latest"
+  #    - "smallstep/step-cli:{{ .Tag }}"
+  #    build_flag_templates:
+  #    - "--platform=linux/arm/v7"
+  #  - dockerfile: docker/Dockerfile
+  #    goos: linux
+  #    goarch: arm64
+  #    use_buildx: true
+  #    image_templates:
+  #    - "smallstep/step-cli:latest"
+  #    - "smallstep/step-cli:{{ .Tag }}"
+  #    build_flag_templates:
+  #    - "--platform=linux/arm64/v8"

.travis.yml

@@ -1,37 +0,0 @@
-language: go
-os: linux
-dist: focal
-services:
-  - docker
-go:
-  - 1.14.x
-addons:
-  apt:
-    packages:
-      - debhelper
-      - fakeroot
-      - bash-completion
-      - libpcsclite-dev
-env:
-  global:
-    - V=1
-before_script:
-  - make bootstrap
-script:
-  - make travis
-  - make artifacts
-after_success:
-  - bash <(curl -s https://codecov.io/bash) -t "$CODECOV_TOKEN" || echo "Codecov did
-    not collect coverage reports"
-notifications:
-  email: false
-deploy:
-  provider: releases
-  skip_cleanup: true
-  token:
-    secure: EVV43Vkqn67hhKGYn4WhQp2YO6KFmUDSkLXjYXYGX07Fm8p5KjRFBPOz9LV83QrvVmLigvg0CtR8Jqqcnq2SUhus3nhZaN2g19NhMypZLioyOVP0kAkas8ocuvxkwz3YxIK/yMrmTKbQ7JGXtbc8IjAox9ovNo1fFIQmVMAzPfu++OWBJ0j+gUqKtpaNA7gzsSv8UOw3/T3hNm6E1IbpWxl9BPSOzUOE9F/QOThANzifGfdxvqNJFkAgqu5DVPz8zQNbMrz4zH+KwASKxd6hjhzSSMzouKzOEHTA/elDCHEjke0Jos29MkGWHcIydLtCD95DGecqM8BFSC9f2acHDjmUO1rdfoLA3Pt+UiZJuTwyQm/jrHHhRnH8oJpK15G5LvxSqzY9YDWpAk38+jMw/udW6wt7BGAU8FEXLbq0bsFL3yfTepeWjmzT5WS0YXdiBz2SEK+Og9R2bSdtl4owghRzKNio5DNPuYAbqbpi+jqzqQVLj27x7LWoQ0MHvZcz9U+oO00r6M1tDCmFVRdtfgb2H+MIDY69qYGo5qoGMfH1btCWR8bA9wSYB/Z7hW/xZT9r7f/d5/P40k8yKINmTZqyUTQeplrE3y4BPVzKksclczBZa67syIUQ49I35QppnH4GFQHUwlra7r3W9zfZRvaLnp5qOIKAQe3MAIZqtLg=
-  file_glob: true
-  file: .travis-releases/*
-  on:
-    repo: smallstep/certificates
-    tags: true

Makefile

@@ -18,9 +18,9 @@ OUTPUT_ROOT=output/
 
 all: lint test build
 
-travis: lintcgo testcgo build
+ci: lintcgo testcgo build
 
-.PHONY: all travis
+.PHONY: all ci
 
 #########################################
 # Bootstrapping
@@ -39,6 +39,15 @@ bootstra%:
 # If TRAVIS_TAG is set then we know this ref has been tagged.
 ifdef TRAVIS_TAG
 VERSION := $(TRAVIS_TAG)
+NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
+	ifeq ($(NOT_RC),)
+PUSHTYPE := release-candidate
+	else
+PUSHTYPE := release
+	endif
+# GITHUB Actions
+else ifdef GITHUB_REF
+VERSION := $(shell echo $(GITHUB_REF) | sed 's/^refs\/tags\///')
 NOT_RC  := $(shell echo $(VERSION) | grep -v -e -rc)
 	ifeq ($(NOT_RC),)
 PUSHTYPE := release-candidate
@@ -62,6 +71,7 @@ DEB_VERSION := $(shell echo $(VERSION) | sed 's/-/~/g')
 
 ifdef V
 $(info    TRAVIS_TAG is $(TRAVIS_TAG))
+$(info    GITHUB_REF is $(GITHUB_REF))
 $(info    VERSION is $(VERSION))
 $(info    DEB_VERSION is $(DEB_VERSION))
 $(info    PUSHTYPE is $(PUSHTYPE))
@@ -266,39 +276,10 @@ bundle-darwin: binary-darwin
 
 .PHONY: binary-linux binary-darwin bundle-linux bundle-darwin
 
-#################################################
-# Targets for creating OS specific artifacts and archives
-#################################################
-
-artifacts-linux-tag: bundle-linux debian
-
-artifacts-darwin-tag: bundle-darwin
-
-artifacts-archive-tag:
-	$Q mkdir -p $(RELEASE)
-	$Q git archive v$(VERSION) | gzip > $(RELEASE)/step-certificates_$(VERSION).tar.gz
-
-artifacts-tag: artifacts-linux-tag artifacts-darwin-tag artifacts-archive-tag
-
-.PHONY: artifacts-linux-tag artifacts-darwin-tag artifacts-archive-tag artifacts-tag
-
 #################################################
 # Targets for creating step artifacts
 #################################################
 
-# For all builds that are not tagged and not on the master branch
-artifacts-branch:
+docker-artifacts: docker-$(PUSHTYPE)
 
-# For all builds that are not tagged
-artifacts-master:
-
-# For all builds with a release-candidate (-rc) tag
-artifacts-release-candidate: artifacts-tag
-
-# For all builds with a release tag
-artifacts-release: artifacts-tag
-
-# This command is called by travis directly *after* a successful build
-artifacts: artifacts-$(PUSHTYPE) docker-$(PUSHTYPE)
-
-.PHONY: artifacts-master artifacts-release-candidate artifacts-release artifacts
+.PHONY: docker-artifacts

api/api.go

@@ -3,7 +3,7 @@ package api
 import (
 	"context"
 	"crypto"
-	"crypto/dsa"
+	"crypto/dsa" //nolint
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/x509"

api/api_test.go

@@ -4,7 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto"
-	"crypto/dsa"
+	"crypto/dsa" //nolint
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"

distribution.md

@@ -16,7 +16,6 @@ e.g. `v1.0.2`
 `-rc*` suffix. e.g. `v1.0.2-rc` or `v1.0.2-rc.4`
 
 ---
-
 1. **Tag it!**
 
     1. Find the most recent tag.

kms/softkms/softkms_test.go

@@ -83,7 +83,7 @@ func TestSoftKMS_CreateSigner(t *testing.T) {
 		t.Fatal(err)
 	}
 	block, _ := pem.Decode(b)
-	block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass"))
+	block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass")) //nolint
 	if err != nil {
 		t.Fatal(err)
 	}

kms/sshagentkms/sshagentkms_test.go

@@ -295,7 +295,7 @@ func TestSSHAgentKMS_CreateSigner(t *testing.T) {
 		t.Fatal(err)
 	}
 	block, _ := pem.Decode(b)
-	block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass"))
+	block.Bytes, err = x509.DecryptPEMBlock(block, []byte("pass")) //nolint
 	if err != nil {
 		t.Fatal(err)
 	}