From e4e588709c97a7e4f56c16504dd50a21e8c8b4bc Mon Sep 17 00:00:00 2001
From: Carles Garcia Cabot
Date: Thu, 2 Jan 2025 14:31:02 +0100
Subject: [PATCH] Migrate release pipeline from Drone to GHA
---
.drone/drone.jsonnet | 128 --------------------------
.drone/drone.yml | 95 +------------------
.github/workflows/release.yml | 64 +++++++++++++
tools/packaging/verify-deb-install.sh | 28 ++----
tools/packaging/verify-rpm-install.sh | 30 ++----
5 files changed, 80 insertions(+), 265 deletions(-)
create mode 100644 .github/workflows/release.yml
diff --git a/.drone/drone.jsonnet b/.drone/drone.jsonnet
index 18e29f72e3d..b0060b7a23b 100644
--- a/.drone/drone.jsonnet
+++ b/.drone/drone.jsonnet
@@ -61,135 +61,7 @@ local aws_prod_secret_access_key = secret('AWS_SECRET_ACCESS_KEY-prod', 'infra/d local alpine_git_image = 'alpine/git:v2.30.2'; //# Pipelines & resources - [ - local ghTokenFilename = '/drone/src/gh-token.txt'; - // Build and release packages - // Tested by installing the packages on a systemd container - pipeline('release') { - trigger: { - event: ['tag', 'pull_request'], - }, - image_pull_secrets: [ - docker_config_json_secret.name, - ], - volumes+: [ - { - name: 'cgroup', - host: { - path: '/sys/fs/cgroup', - }, - }, - { - name: 'docker', - host: { - path: '/var/run/docker.sock', - }, - }, - ], - // Launch systemd containers to test the packages - services: [ - { - name: 'systemd-debian', - image: 'jrei/systemd-debian:12', - volumes: [ - { - name: 'cgroup', - path: '/sys/fs/cgroup', - }, - ], - privileged: true, - }, - { - name: 'systemd-centos', - image: 'jrei/systemd-centos:8', - volumes: [ - { - name: 'cgroup', - path: '/sys/fs/cgroup', - }, - ], - privileged: true, - }, - ], - steps+: [ - { - name: 'fetch', - image: 'docker:git', - commands: ['git fetch --tags'], - }, - { - name: 'Generate GitHub token', - image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer:latest', - environment: { - GITHUB_APP_ID: { from_secret: tempo_app_id_secret.name }, - GITHUB_APP_INSTALLATION_ID: { from_secret: tempo_app_installation_id_secret.name }, - GITHUB_APP_PRIVATE_KEY: { from_secret: tempo_app_private_key_secret.name }, - }, - commands: [ - '/usr/bin/github-app-external-token > %s' % ghTokenFilename, - ], - }, - { - name: 'write-key', - image: 'golang:1.23', - commands: ['printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE'], - environment: { - NFPM_SIGNING_KEY: { from_secret: gpg_private_key.name }, - NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key', - }, - }, - { - name: 'test release', - image: 'golang:1.23', - commands: ['make release-snapshot'], - environment: { - NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name }, - 
NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key', - }, - }, - { - name: 'test deb package', - image: 'docker', - commands: ['./tools/packaging/verify-deb-install.sh'], - volumes: [ - { - name: 'docker', - path: '/var/run/docker.sock', - }, - ], - privileged: true, - }, - { - name: 'test rpm package', - image: 'docker', - commands: ['./tools/packaging/verify-rpm-install.sh'], - volumes: [ - { - name: 'docker', - path: '/var/run/docker.sock', - }, - ], - privileged: true, - }, - { - name: 'release', - image: 'golang:1.23', - commands: [ - 'export GITHUB_TOKEN=$(cat %s)' % ghTokenFilename, - 'make release' - ], - environment: { - NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name }, - NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key', - }, - when: { - event: ['tag'], - }, - }, - ], - }, -] + [ docker_username_secret, docker_password_secret, docker_config_json_secret, diff --git a/.drone/drone.yml b/.drone/drone.yml index 34ccebee52f..4dd33f6e7bb 100644 --- a/.drone/drone.yml +++ b/.drone/drone.yml 
@@ -1,97 +1,4 @@ --- -depends_on: [] -image_pull_secrets: -- dockerconfigjson -kind: pipeline -name: release -platform: - arch: amd64 - os: linux -services: -- image: jrei/systemd-debian:12 - name: systemd-debian - privileged: true - volumes: - - name: cgroup - path: /sys/fs/cgroup -- image: jrei/systemd-centos:8 - name: systemd-centos - privileged: true - volumes: - - name: cgroup - path: /sys/fs/cgroup -steps: -- commands: - - git fetch --tags - image: docker:git - name: fetch -- commands: - - /usr/bin/github-app-external-token > /drone/src/gh-token.txt - environment: - GITHUB_APP_ID: - from_secret: tempo_app_id_secret - GITHUB_APP_INSTALLATION_ID: - from_secret: tempo_app_installation_id_secret - GITHUB_APP_PRIVATE_KEY: - from_secret: tempo_app_private_key_secret - image: us.gcr.io/kubernetes-dev/github-app-secret-writer:latest - name: Generate GitHub token -- commands: - - printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE - environment: - NFPM_SIGNING_KEY: - from_secret: gpg_private_key - NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key - image: golang:1.23 - name: write-key -- commands: - - make release-snapshot - environment: - NFPM_DEFAULT_PASSPHRASE: - from_secret: gpg_passphrase - NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key - image: golang:1.23 - name: test release -- commands: - - ./tools/packaging/verify-deb-install.sh - image: docker - name: test deb package - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock -- commands: - - ./tools/packaging/verify-rpm-install.sh - image: docker - name: test rpm package - privileged: true - volumes: - - name: docker - path: /var/run/docker.sock -- commands: - - export GITHUB_TOKEN=$(cat /drone/src/gh-token.txt) - - make release - environment: - NFPM_DEFAULT_PASSPHRASE: - from_secret: gpg_passphrase - NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key - image: golang:1.23 - name: release - when: - event: - - tag -trigger: - event: - - tag - - pull_request -volumes: -- host: - path: 
/sys/fs/cgroup - name: cgroup -- host: - path: /var/run/docker.sock - name: docker ---- get: name: username path: infra/data/ci/docker_hub @@ -171,6 +78,6 @@ kind: secret name: gpg_passphrase --- kind: signature -hmac: 829444ce9d30e58a656ca6369a79ecdb01aa76e56c2562c77eb734bf15677eda +hmac: 3c75d5aee874c3a55608d626bfdca5d28ef23ecefebc5b9cdfc43aa8f6a19cec ... diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000000..3935526826c --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,64 @@
+name: release
+on:
+ push:
+ tags:
+ - 'v*'
+ pull_request:
+
+# Needed to login to DockerHub
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+
+ release:
+ if: github.repository == 'grafana/tempo' # skip in forks
+ runs-on: ubuntu-24.04
+ env:
+ NFPM_SIGNING_KEY_FILE: /tmp/nfpm-private-key.key
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: fetch tags
+ run: git fetch --tags
+
+ - id: "get-secrets"
+ name: "get nfpm signing keys"
+ uses: "grafana/shared-workflows/actions/get-vault-secrets@main"
+ with:
+ common_secrets: |
+ NFPM_SIGNING_KEY=packages-gpg:private-key
+ NFPM_DEFAULT_PASSPHRASE=packages-gpg:passphrase
+
+ - name: write-key
+ run: printenv NFPM_SIGNING_KEY > $NFPM_SIGNING_KEY_FILE
+
+ - name: test release
+ run: make release-snapshot
+
+ - name: test deb package
+ run: |
+ # podman is simpler to make it work with systemd inside containers
+ podman run -d --name systemd-debian --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-debian:12
+ podman cp ./dist/tempo_*_linux_amd64.deb systemd-debian:.
+ podman cp ./tools/packaging/verify-deb-install.sh systemd-debian:.
+ podman cp ./tools/packaging/wait-for-ready.sh systemd-debian:.
+ podman exec systemd-debian ./verify-deb-install.sh
+ podman rm -f systemd-debian
+
+ - name: test rpm package
+ run: |
+ podman run -d --name systemd-centos --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro jrei/systemd-centos:8
+ podman cp ./dist/tempo_*_linux_amd64.rpm systemd-centos:.
+ podman cp ./tools/packaging/verify-rpm-install.sh systemd-centos:.
+ podman cp ./tools/packaging/wait-for-ready.sh systemd-centos:.
+ podman exec systemd-centos ./verify-rpm-install.sh
+ podman rm -f systemd-centos
+
+ - name: release
+ if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: make release
diff --git a/tools/packaging/verify-deb-install.sh b/tools/packaging/verify-deb-install.sh
index 90c0cc41e3e..374f4f131bc 100755
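Review bot: The `get-secrets` step references `grafana/shared-workflows/actions/get-vault-secrets@main`, a mutable branch, in the job that holds `id-token: write` and receives the package signing key and passphrase, so whatever is on that branch at run time executes with those secrets; pin it to a full commit SHA, e.g. `uses: grafana/shared-workflows/actions/get-vault-secrets@<full-commit-sha>` (placeholder), and consider the same for `actions/checkout@v4`. The secrets are also fetched on every `pull_request` run, where the PR's own Makefile and packaging scripts execute with `NFPM_SIGNING_KEY` and `NFPM_DEFAULT_PASSPHRASE` in the environment, and the `github.repository == 'grafana/tempo'` condition does not separate PR runs from tag runs; it is worth confirming that snapshot builds really need the production key. In `write-key`, the redirect creates the key under `/tmp` with the default umask and an unquoted path, and nothing removes it afterwards; `run: umask 077 && printenv NFPM_SIGNING_KEY > "$NFPM_SIGNING_KEY_FILE"` keeps it owner-only. The workflow-level `contents: read` also looks too narrow if `make release` publishes a GitHub release with `GITHUB_TOKEN` (inferred from the removed Drone step, not visible here); a job-level `contents: write` on a separate tag-only job would fit better than widening it for PR runs. The comment `# Needed to login to DockerHub` does not match what the workflow shows `id-token: write` being used for and could read `# id-token: write is required by get-vault-secrets`.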
--- a/tools/packaging/verify-deb-install.sh +++ b/tools/packaging/verify-deb-install.sh @@ -1,25 +1,11 @@ -#!/usr/bin/env sh +#!/usr/bin/env bash set -euxo pipefail -docker ps -image="$(docker ps --filter ancestor=jrei/systemd-debian:12 --latest --format "{{.ID}}")" -echo "Running on container: ${image}" +# Install tempo and check it's running +dpkg -i ./tempo_*_linux_amd64.deb +[ "$(systemctl is-active tempo)" = "active" ] || (echo "tempo is inactive" && exit 1) -dir="." -if [ -n "${CI}" ]; then - dir="/drone/src" -fi -echo "Running on directory: ${dir}" - -cat <