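---
# Release pipeline for otc-auth. On every pushed tag it builds, signs and
# notarizes the binaries with GoReleaser (macOS runner), publishes a container
# image to ghcr.io, and fans the release artifacts out to the AUR, an Alpine apk
# repo, an RPM repo, a Debian PPA, a Homebrew tap and the project wiki.
#
# NOTE(review): several values in the copy this was reviewed from read
# "[email protected]" (the release-downloader and deploy-aur action refs, the
# `user-email` values, the GPG key ids). That looks like an e-mail obfuscation
# artifact of the rendering, not the real value — restore them from the
# repository before relying on this file.
# NOTE(review): actions/checkout@v2, actions/setup-go@v3 and the docker/*@v2/v3
# actions run on Node runtimes GitHub has deprecated; bump them when the
# pipeline is next touched.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - "*"

# Least privilege for GITHUB_TOKEN: GoReleaser's release upload and the wiki
# push need contents:write, the ghcr.io push needs packages:write. Every other
# job authenticates with its own secret (SSH deploy keys, GPG, Apple certs).
permissions:
  contents: write
  packages: write

jobs:
  goreleaser:
    runs-on: macos-13
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: '1.20'
      - name: Import Code-Signing Certificates
        uses: apple-actions/import-codesign-certs@v1
        with:
          p12-file-base64: ${{ secrets.MAC_CERT }}
          p12-password: ${{ secrets.MAC_CERT_PASS }}
          keychain: build
          keychain-password: ${{ secrets.MAC_CERT_PASS }}
      - name: Setup Keychain
        # Adds Apple's WWDR, root and Developer ID intermediate certificates to
        # the build keychain so codesign can build a full chain. `curl -f` makes
        # a failed download fail the step instead of handing an HTML error page
        # to `security import`; the password is quoted in case it has spaces.
        run: |
          KEYCHAIN=build.keychain
          security default-keychain -s "$KEYCHAIN"
          security unlock-keychain -p "$MAC_CERT_PASS" "$KEYCHAIN"
          curl -fsSL -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
          security import AppleWWDRCAG3.cer -k "$KEYCHAIN" -T /usr/bin/codesign
          curl -fsSL -o AppleRootCA.cer https://www.apple.com/appleca/AppleIncRootCertificate.cer
          security import AppleRootCA.cer -k "$KEYCHAIN" -T /usr/bin/codesign
          curl -fsSL -o AppleDevIntermediate.cer https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
          security import AppleDevIntermediate.cer -k "$KEYCHAIN" -T /usr/bin/codesign
          security find-identity -v "$KEYCHAIN"
          rm -f ./*.cer
        env:
          MAC_CERT_PASS: ${{ secrets.MAC_CERT_PASS }}
      - name: Add APK Signing Key
        # The key is read from the environment instead of being interpolated
        # with `${{ }}` into the script text, and the umask makes the file 0600
        # from the moment it is created (no 0644 window before the chmod).
        run: |
          (umask 077 && printf '%s\n' "$APK_PACKAGE_RSA" > abuild.rsa)
          ls -l
        env:
          APK_PACKAGE_RSA: ${{ secrets.APK_PACKAGE_RSA }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v3
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NOTARYTOOL_PASS: ${{ secrets.NOTARYTOOL_PASS }}
      - name: Remove APK key
        # Runs even when GoReleaser fails so the private key never outlives the
        # step that needed it.
        if: always()
        run: rm -f abuild.rsa
      - name: Read post build hook logs
        if: always()
        # Diagnostic only: a missing log file must not fail an otherwise
        # successful release (every publish job below `needs` this one).
        continue-on-error: true
        run: cat post_build_output.txt

  dockerrelease:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker images
        uses: docker/build-push-action@v3
        with:
          push: true
          tags: |
            ghcr.io/iits-consulting/otc-auth:latest
            ghcr.io/iits-consulting/otc-auth:${{ env.RELEASE_VERSION }}

  aur-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - uses: actions/checkout@v2
      - name: Prepare PKGBUILD
        run: |
          # We simply imply that ref is always a valid tag for now.
          sed -e "s/__VERSION__/${GITHUB_REF_NAME}/" <PKGBUILD.template >PKGBUILD
      - name: Publish AUR package
        # FIXME(review): the action ref below is "[email protected]" in the
        # reviewed copy; restore the real `owner/action@version`.
        uses: KSXGitHub/[email protected]
        with:
          pkgname: otc-auth
          pkgbuild: ./PKGBUILD
          commit_username: ${{ secrets.AUR_USERNAME }}
          commit_email: ${{ secrets.AUR_EMAIL }}
          ssh_private_key: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
          # `github.ref_name` is the tag name; `github.github_ref_name` is not a
          # context property and expanded to nothing.
          commit_message: "Bump to ${{ github.ref_name }}"
          ssh_keyscan_types: rsa,dsa,ecdsa,ed25519

  apk-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    container:
      image: alpine:3.19.0
    steps:
      - name: Get latest apks
        # FIXME(review): action ref reads "[email protected]" in the reviewed copy.
        uses: robinraju/[email protected]
        with:
          latest: true
          fileName: "*.apk"
      - name: Install dependencies
        run: |
          apk add alpine-sdk openssl
      - name: Import keys
        # The private key is written 0600 and only ever referenced by path;
        # the derived public key is what gets published. `$HOME` is expanded
        # here because a quoted "~" in abuild.conf is not tilde-expanded when
        # the file is sourced.
        run: |
          mkdir -p ~/.abuild
          (umask 077 && printf '%s\n' "$APK_PACKAGE_RSA" > ~/.abuild/abuild.rsa)
          openssl rsa -pubout -in ~/.abuild/abuild.rsa -out ~/.abuild/abuild.rsa.pub
          echo "PACKAGER_PRIVKEY=\"$HOME/.abuild/abuild.rsa\"" >> /etc/abuild.conf
          cp ~/.abuild/abuild.rsa.pub /etc/apk/keys/
        env:
          APK_PACKAGE_RSA: ${{ secrets.APK_PACKAGE_RSA }}
      - name: Make and sign apkindex
        run: |
          apk index -o APKINDEX.tar.gz *.apk
          abuild-sign -k ~/.abuild/abuild.rsa APKINDEX.tar.gz
      - name: Create repo structure
        # Heredoc instead of one long `echo -e`: no shell escaping of backticks
        # or inner quotes. The key download URL now has the "/" before
        # otc-auth.rsa.pub that the previous text was missing.
        run: |
          cp ~/.abuild/abuild.rsa.pub otc-auth.rsa.pub
          cat > README.md <<'EOF'
          # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth apk-repo
          This repo contains .apk files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).

          ## Usage
          ```bash
          apk add curl
          curl -SsL -o /etc/apk/keys/otc-auth.rsa.pub https://iits-consulting.github.io/apk-repo/otc-auth.rsa.pub
          apk add otc-auth --repository='https://iits-consulting.github.io/apk-repo'
          ```
          EOF
      - name: Cleanup
        if: always()
        run: |
          rm -rf ~/.abuild
      - name: Push to APK repo
        # FIXME(review): pin to a release tag or commit SHA (<commit-sha>);
        # `@main` is a mutable ref and this action is handed the deploy key.
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.APK_SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'apk-repo'
          user-email: [email protected]
          target-branch: main

  rpm-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    container:
      image: fedora:latest
    steps:
      - name: Get latest rpms
        # FIXME(review): action ref reads "[email protected]" in the reviewed copy.
        uses: robinraju/[email protected]
        with:
          latest: true
          fileName: "*.rpm"
      - name: Get dependencies
        run: |
          dnf install rpm-sign createrepo -y
      - name: Generate keys
        # The passphrase goes into ~/.gnupg/gpg.conf (outside the workspace,
        # so it is never pushed) because `rpm --addsign` drives gpg itself; it
        # is deleted in the cleanup step below. The .repo file uses https and
        # paths that mirror the directory layout pushed from this workspace
        # (KEY.gpg is written inside otc-auth/packages).
        run: |
          export GPG_TTY=$(tty)
          echo "$GPG_PPA_PRIV_KEY" | base64 --decode | gpg --import --batch
          printf 'pinentry-mode loopback\npassphrase %s\n' "$GPG_PPA_PRIV_KEY_PASSPHRASE" > ~/.gnupg/gpg.conf
          printf '%%_signature gpg\n%%_gpg_name [email protected]\n' > /root/.rpmmacros
          echo "Sanity check: $(cat /root/.rpmmacros)"
          rpm --define "_gpg_name [email protected]" --addsign *.rpm
          mkdir -p otc-auth/packages
          mv *.rpm otc-auth/packages
          cd otc-auth/packages
          createrepo .
          gpg --detach-sign --armor --default-key "[email protected]" repodata/repomd.xml
          gpg --armor --export "[email protected]" > KEY.gpg
          cd ../../
          cat > rpm-repo.repo <<'EOF'
          [rpm-repo]
          name=otc-auth RPM repo
          baseurl=https://iits-consulting.github.io/rpm-repo/otc-auth/packages
          enabled=1
          gpgcheck=1
          gpgkey=https://iits-consulting.github.io/rpm-repo/otc-auth/packages/KEY.gpg
          EOF
          cat > README.md <<'EOF'
          # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth RPM Repo
          This repo contains .rpm files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).

          ## Usage
          ```bash
          yum-config-manager --add-repo https://iits-consulting.github.io/rpm-repo/rpm-repo.repo
          yum install -y otc-auth
          ```
          EOF
        env:
          GPG_PPA_PRIV_KEY: ${{ secrets.GPG_PPA_PRIV_KEY }}
          GPG_PPA_PRIV_KEY_PASSPHRASE: ${{ secrets.GPG_PPA_PRIV_KEY_PASSPHRASE }}
      - name: Remove gpg passphrase file
        if: always()
        run: rm -f ~/.gnupg/gpg.conf
      - name: Push to RPM repo
        # FIXME(review): pin to a release tag or commit SHA (<commit-sha>).
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.RPM_SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'rpm-repo'
          user-email: [email protected]
          target-branch: main

  deb-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - name: Get latest debs
        # FIXME(review): action ref reads "[email protected]" in the reviewed copy.
        uses: robinraju/[email protected]
        with:
          latest: true
          fileName: "*.deb"
      - name: Create PPA repo structure
        # README install steps: the published KEY.gpg is ASCII-armored, so it
        # is piped through `gpg --dearmor` straight into trusted.gpg.d. The
        # previous text read and wrote the same file in one pipeline, which
        # truncates it before it is read.
        run: |
          dpkg-scanpackages --multiversion . > Packages
          gzip -k -f Packages
          apt-ftparchive release . > Release
          echo "deb [signed-by=/etc/apt/trusted.gpg.d/otc-auth_ppa.gpg] https://iits-consulting.github.io/ppa/debian ./" > otc-auth.list
          cat > README.md <<'EOF'
          # <img src='https://github.com/iits-consulting/otc-auth/blob/main/static/images/iits-2024.svg' width="150"/> otc-auth PPA
          This repo (based on the one [here](https://github.com/assafmo/ppa)) contains .deb files built from the [latest version of otc-auth](https://github.com/iits-consulting/otc-auth/releases).

          ## Usage
          ```bash
          curl -SsL https://iits-consulting.github.io/ppa/debian/KEY.gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/otc-auth_ppa.gpg
          sudo curl -SsL -o /etc/apt/sources.list.d/otc-auth.list https://iits-consulting.github.io/ppa/debian/otc-auth.list
          sudo apt update
          sudo apt install otc-auth
          ```
          EOF
      - name: Generate keys
        # Imports the signing key, exports the public half as KEY.gpg and signs
        # Release (detached + clearsigned) and every .deb. The passphrase lives
        # in ~/.gnupg/gpg.conf only until the cleanup step below.
        run: |
          export GPG_TTY=$(tty)
          echo "$GPG_PPA_PRIV_KEY" | base64 --decode | gpg --import --batch
          gpg --armor --export "[email protected]" > KEY.gpg
          echo "Sanity Check: $(ls -la Release)"
          printf 'pinentry-mode loopback\npassphrase %s\n' "$GPG_PPA_PRIV_KEY_PASSPHRASE" > ~/.gnupg/gpg.conf
          gpg --default-key "[email protected]" -abs -o - Release > Release.gpg
          gpg --default-key "[email protected]" --clearsign -o - Release > InRelease
          sudo apt-get install -y debsigs
          for package in *.deb; do
            debsigs --sign=origin --default-key="[email protected]" "$package"
          done
        env:
          GPG_PPA_PRIV_KEY: ${{ secrets.GPG_PPA_PRIV_KEY }}
          GPG_PPA_PRIV_KEY_PASSPHRASE: ${{ secrets.GPG_PPA_PRIV_KEY_PASSPHRASE }}
      - name: Final cleanup
        # Moves everything except README.md under debian/ (the path the
        # otc-auth.list entry above points at).
        run: |
          mkdir .debian
          mv README.md .README.md
          mv * .debian
          mv .README.md README.md
          mv .debian debian
      - name: Remove gpg passphrase file
        if: always()
        run: rm -f ~/.gnupg/gpg.conf
      - name: Push to PPA repo
        # FIXME(review): pin to a release tag or commit SHA (<commit-sha>).
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        with:
          source-directory: .
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'ppa'
          user-email: [email protected]
          target-branch: main

  brew-publish:
    runs-on: ubuntu-latest
    needs: goreleaser
    steps:
      - uses: actions/checkout@v2
      - name: Set output
        id: vars
        run: |
          echo "tag=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
          echo "revision=$(git rev-list -n 1 "${GITHUB_REF#refs/*/}")" >> "$GITHUB_OUTPUT"
      - name: Checkout brew repo
        uses: actions/checkout@v2
        with:
          repository: 'iits-consulting/homebrew-tap'
          ref: main
          fetch-depth: 0
      - name: Update otc-auth Formula
        working-directory: Formula
        env:
          TAG: ${{ steps.vars.outputs.tag }}
          REVISION: ${{ steps.vars.outputs.revision }}
        # TAG/REVISION reach the script only through env (no `${{ }}` inside
        # the script text), and the formula is written with a heredoc instead
        # of one `echo -e` line; the generated Ruby is the same apart from
        # Homebrew-style two-space indentation.
        run: |
          echo "$TAG"
          echo "$REVISION"
          cat > otc-auth.rb <<EOF
          class OtcAuth < Formula
            desc "Open Source CLI for the Open Telekom Cloud written in go"
            homepage "https://github.com/iits-consulting/otc-auth"
            url "https://github.com/iits-consulting/otc-auth.git",
              tag: "${TAG}",
              revision: "${REVISION}"
            license "GPLv3"
            head "https://github.com/iits-consulting/otc-auth.git", branch: "main"
            depends_on "bash" => :build
            depends_on "coreutils" => :build
            depends_on "go" => :build
            uses_from_macos "rsync" => :build
            def install
              system "go", "build", "-ldflags", "-X main.version=#{version} -X main.date=#{Date.today}"
              bin.install "./otc-auth"
            end
            test do
              run_output = shell_output("#{bin}/otc-auth version 2>&1")
              assert run_output.start_with?("OTC-Auth #{version}")
            end
          end
          EOF
      - name: Push to brew repo
        # FIXME(review): pin to a release tag or commit SHA (<commit-sha>).
        uses: cpina/github-action-push-to-another-repository@main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.BREW_SSH_DEPLOY_KEY }}
        with:
          source-directory: Formula
          target-directory: Formula
          destination-github-username: 'iits-consulting'
          destination-repository-name: 'homebrew-tap'
          user-email: [email protected]
          target-branch: main

  wikiupdate:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Go environment
        uses: actions/setup-go@v3
        with:
          go-version: '1.20'
      - name: Checkout
        uses: actions/checkout@v2
      - name: Get dependencies
        run: go mod download
      - name: Build
        run: go run main.go documentation
      - name: Checkout wiki code
        uses: actions/checkout@v2
        with:
          repository: ${{ github.repository }}.wiki
          path: markdown
      - name: Push to wiki
        # Commit and push only when the generated page actually changed; the
        # previous `a || b && c` form pushed unconditionally.
        run: |
          cp -r generated-documentation.md markdown/
          cd markdown
          git config --local user.email "[email protected]"
          git config --local user.name "GitHub Action"
          git add .
          if ! git diff-index --quiet HEAD; then
            git commit -m "Updated docs"
            git push
          fi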