Merge pull request #2076 from smallstep/jdoss/repos

Configure GitHub Actions to publish RPMs and Debs to packages.smallstep.com

Author: jdoss

.github/workflows/release.yml

@@ -61,6 +61,9 @@ jobs:
       contents: write
       packages: write
     uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
+    with:
+      enable-packages-upload: true
+      is-prerelease: ${{ needs.create_release.outputs.is_prerelease == 'true' }}
     secrets: inherit
 
   build_upload_docker:

.gitignore

@@ -22,5 +22,10 @@ go.work.sum
 coverage.txt
 output
 vendor
+dist/
 .idea
 .envrc
+
+# Packages files
+0x889B19391F774443-Certify.key
+gha-creds-*.json

.goreleaser.yml

@@ -1,12 +1,23 @@
 # Documentation: https://goreleaser.com/customization/
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
 project_name: step-ca
 version: 2
 
+variables:
+  packageName: step-ca
+  packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this
+
 before:
   hooks:
     # You may remove this if you don't use go modules.
     - go mod download
 
+after:
+  hooks:
+    # This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step.
+    - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
+      output: true
+
 builds:
   -
     id: step-ca
@@ -61,10 +72,16 @@ nfpms:
   # Package metadata: dpkg --info dist/step_....deb
   #
   - &NFPM
+    id: packages
     builds:
       - step-ca
-    package_name: step-ca
-    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    package_name: "{{ .Var.packageName }}"
+    release: "1"
+    file_name_template: >-
+      {{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
+      {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
+      {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
+      {{- .ConventionalExtension -}}
     vendor: Smallstep Labs
     homepage: https://github.com/smallstep/certificates
     maintainer: Smallstep <[email protected]>
@@ -80,6 +97,13 @@ nfpms:
     contents:
       - src: debian/copyright
         dst: /usr/share/doc/step-ca/copyright
+    rpm:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+    deb:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+          type: origin
   -
     << : *NFPM
     id: unversioned
@@ -101,6 +125,12 @@ signs:
   args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
   artifacts: all
 
+publishers:
+- name: Google Cloud Artifact Registry
+  ids:
+  - packages
+  cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
+
 snapshot:
   name_template: "{{ .Tag }}-next"
 
@@ -140,7 +170,10 @@ release:
     #### Linux
 
     - 📦 [step-ca_linux_{{ .Version }}_amd64.tar.gz](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_linux_{{ .Version }}_amd64.tar.gz)
-    - 📦 [step-ca_{{ .Version }}_amd64.deb](https://dl.smallstep.com/gh-release/certificates/gh-release-header/{{ .Tag }}/step-ca_{{ .Version }}_amd64.deb)
+    - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_amd64.deb)
+    - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.x86_64.rpm)
+    - 📦 [step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca_{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}_arm64.deb)
+    - 📦 [step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm](https://dl.smallstep.com/gh-release/cli/gh-release-header/{{ .Tag }}/step-ca-{{ replace .Version "-" "." }}-{{ .Var.packageRelease }}.aarch64.rpm)
 
     #### OSX Darwin
 
@@ -198,7 +231,7 @@ release:
   #  - glob: ./glob/foo/to/bar/file/foobar/override_from_previous
 
 winget:
-  - 
+  -
     # IDs of the archives to use.
     # Empty means all IDs.
     ids: [ default ]

scripts/package-repo-import.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -e
+
+: ${GCLOUD_LOCATION:=us-central1}
+: ${GCLOUD_RPM_REPO:=rpms}
+: ${GCLOUD_DEB_REPO:=debs}
+
+PACKAGE="${1}"
+VERSION="${2}"
+RELEASE="1"
+EPOCH="0"
+GORELEASER_PHASE=${GORELEASER_PHASE:-release}
+
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+
+check_package() {
+  local EXITCODE=0
+  local REPO="${1}"
+  local VER="${2}"
+  if [ ! -f /tmp/version-deleted.stamp ]; then
+    gcloud artifacts versions list \
+       --repository "${REPO}" \
+       --location "${GCLOUD_LOCATION}" \
+       --package "${PACKAGE}" \
+       --filter "VERSION:${VER}" \
+       --format json  2> /dev/null \
+       | jq -re '.[].name?' >/dev/null 2>&1 \
+       || EXITCODE=$?
+    if [[ "${EXITCODE}" -eq 0 ]]; then
+      echo "Package version already exists. Removing it..."
+      gcloud artifacts versions delete \
+      --quiet "${VER}" \
+      --package "${PACKAGE}" \
+      --repository "${REPO}" \
+      --location "${GCLOUD_LOCATION}"
+      touch /tmp/version-deleted.stamp
+    fi
+  fi
+}
+
+if [[ ${IS_PRERELEASE} == "true" ]]; then
+  echo "Skipping artifact import; IS_PRERELEASE is 'true'"
+  exit 0;
+fi
+
+check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}"
+gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \
+  --location "${GCLOUD_LOCATION}" \
+  --gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*"
+
+check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}
+gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \
+  --location "${GCLOUD_LOCATION}" \
+  --gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*"

scripts/package-upload.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+FILE="${1}"
+PACKAGE="${2}"
+VERSION="${3}"
+
+echo "Package File: ${FILE}"
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+echo "Release: ${RELEASE}"
+echo "Location: ${GCLOUD_LOCATION}"
+
+if [ "${FILE: -4}" == ".deb" ]; then
+  if [[ "${FILE}" =~ "armhf6" ]]; then
+    echo "Skipping ${FILE} due to GCP Artifact Registry armhf conflict!"
+  else
+    gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/
+  fi
+else
+  gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/
+fi