forked from simp/pupmod-simp-auditd
-
Notifications
You must be signed in to change notification settings - Fork 0
274 lines (250 loc) · 11.9 KB
/
release_rpms.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
# Manual action to build, sign, and attach a release's RPMs
# ------------------------------------------------------------------------------
#
# NOTICE: **This file is maintained with puppetsync**
#
# This file is updated automatically as part of a puppet module baseline.
#
# The next baseline sync will overwrite any local changes to this file!
#
# ==============================================================================
# This pipeline uses the following GitHub Action Secrets:
#
# GitHub Secret variable Notes
# ------------------------------- ---------------------------------------
# SIMP_CORE_REF_FOR_BUILDING_RPMS simp-core ref (tag) to use to build
# RPMs with `rake pkg:single`
# SIMP_DEV_GPG_SIGNING_KEY GPG signing key's secret key
# SIMP_DEV_GPG_SIGNING_KEY_ID User ID (name) of signing key
# SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE Passphrase to use GPG signing key
#
# ------------------------------------------------------------------------------
#
# * This is a workflow_dispatch action, which can be triggered manually or from
# other workflows/API.
#
# * If triggered by another workflow, it will be necessary to provide a GitHub
# access token via the the `target_repo_token` parameter
#
---
name: 'RELENG: Build + attach RPMs to GitHub Release'
on:
workflow_dispatch:
inputs:
release_tag:
description: "Release tag"
required: true
clobber:
description: "Clobber identical assets?"
required: false
default: 'yes'
clean:
description: "Wipe all release assets first?"
required: false
default: 'no'
autocreate_release:
# A GitHub release is needed to upload artifacts to, and some repos
# (e.g., forked mirrors) only have tags.
description: "Create release if missing? (tag must exist)"
required: false
default: 'yes'
build_container_os:
description: "Build container OS"
required: true
default: 'centos8'
target_repo:
description: "Target repo (instead of this one)"
required: false
# WARNING: To avoid exposing secrets in the log, only use this token with
# action/script's `github-token` parameter, NEVER in `env:` vars
target_repo_token:
description: "API token for uploading to target repo"
required: false
dry_run:
description: "Dry run (Test-build RPMs)"
required: false
default: 'no'
env:
TARGET_REPO: ${{ (github.event.inputs.target_repo != null && format('{0}/{1}', github.repository_owner, github.event.inputs.target_repo)) || github.repository }}
RELEASE_TAG: ${{ github.event.inputs.release_tag }}
jobs:
create-and-attach-rpms-to-github-release:
name: Build and attach RPMs to Release
runs-on: ubuntu-20.04
steps:
- name: "Validate inputs"
run: |
if ! [[ "$TARGET_REPO" =~ ^[a-z0-9][a-z0-9-]+/[a-z0-9][a-z0-9_-]+$ ]]; then
printf '::error ::Target repository name has invalid format: %s\n' "$TARGET_REPO"
exit 88
fi
if ! [[ "$RELEASE_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-(rc|alpha|beta|pre)?([0-9]+)?)?$ ]]; then
printf '::error ::Release Tag format is not SemVer or SemVer-ish RPM: %s\n' "$RELEASE_TAG"
exit 88
fi
- name: >
Query info for ${{ env.TARGET_REPO }}
release ${{ github.event.inputs.release_tag }}
(autocreate_release = '${{ github.event.inputs.autocreate_release }}')
id: release-api
env:
AUTOCREATE_RELEASE: ${{ github.event.inputs.autocreate_release }}
uses: actions/github-script@v4
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const [owner, repo] = process.env.TARGET_REPO.split('/')
const tag = process.env.RELEASE_TAG
const autocreate_release = (process.env.AUTOCREATE_RELEASE == 'yes')
const owner_data = { owner: owner, repo: repo }
const release_data = Object.assign( {tag: tag}, owner_data )
const create_release_data = Object.assign( {tag_name: tag}, owner_data )
const tag_data = Object.assign( {ref: `tags/${tag}`}, owner_data )
function id_from_release(data) {
console.log( ` >> Release for ${owner}/${repo}, tag ${tag}` )
console.log( ` >>>> release_id: ${data.id}` )
return data.id
}
function throw_error_unless_should_autocreate_release(err){
if (!( err.name == 'HttpError' && err.status == 404 && autocreate_release )){
core.error(`Error finding release for tag ${tag}: ${err.name}`)
throw err
}
}
async function autocreate_release_if_appropriate(err){
throw_error_unless_should_autocreate_release(err)
core.warning(`Can't find release for tag ${tag} and tag exists, auto-creating release`)
return await github.request( 'GET /repos/{owner}/{repo}/git/matching-refs/{ref}', tag_data ).then (
result => {
// Must already have a tag
if (result.data.length == 0) { throw `Can't find tag ${tag} in repo ${owner}/${repo}` }
return result
}
).then(
async result => {
return await github.request( 'POST /repos/{owner}/{repo}/releases', create_release_data).then(
result=>{
release_id = id_from_release(result.data)
console.log(` ++ created auto release ${release_id}` )
return release_id
},
post_err =>{
core.error('Error auto-creating release')
throw post_err
}
)
}
)
}
await github.request('GET /repos/{owner}/{repo}/releases/tags/{tag}', release_data ).then(
async result => { return await id_from_release(result.data) },
async err => { return await autocreate_release_if_appropriate(err) }
).then(
release_id => {
if (!release_id){
throw `Could not get release for ${tag} for repo ${owner}:${repo}`
}
console.log( ` **** release_id: ${release_id}` )
core.setOutput('id', release_id)
},
err => { throw err }
)
- name: Checkout code
uses: actions/checkout@v2
with:
repository: ${{ env.TARGET_REPO }}
ref: ${{ env.RELEASE_TAG }}
clean: true
fetch-depth: 0
- name: 'Build & Sign RPMs for ${{ github.event.inputs.release_tag }} Release'
uses: simp/github-action-build-and-sign-pkg-single-rpm@v2
id: build-and-sign-rpm
with:
gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}
gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}
gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}
simp_core_ref_for_building_rpms: ${{ secrets.SIMP_CORE_REF_FOR_BUILDING_RPMS }}
simp_builder_docker_image: 'docker.io/simpproject/simp_build_${{ github.event.inputs.build_container_os }}:latest'
- name: "Wipe all previous assets from GitHub Release (when clean == 'yes')"
if: ${{ github.event.inputs.clean == 'yes' && github.event.inputs.dry_run != 'yes' }}
uses: actions/github-script@v4
env:
release_id: ${{ steps.release-api.outputs.id }}
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const release_id = process.env.release_id
const [owner, repo] = process.env.TARGET_REPO.split('/')
const existingAssets = await github.repos.listReleaseAssets({ owner, repo, release_id })
console.log( ` !! !! Wiping ALL uploaded assets for ${owner}/${repo} release (id: ${release_id})`)
existingAssets.data.forEach(async function(asset){
asset_id = asset.id
console.log( ` !! !! !! Wiping existing asset for ${asset.name} (id: ${asset_id})`)
await github.repos.deleteReleaseAsset({ owner, repo, asset_id })
})
- name: 'Upload RPM file(s) to GitHub Release (github-script)'
if: ${{ github.event.inputs.dry_run != 'yes' }}
uses: actions/github-script@v4
env:
rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}
rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}
release_id: ${{ steps.release-api.outputs.id }}
clobber: ${{ github.event.inputs.clobber }}
clean: ${{ github.event.inputs.clean }}
dry_run: ${{ github.event.inputs.dry_run }}
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const path = require('path')
const fs = require('fs')
async function clobberAsset (name, owner, repo, release_id ){
console.log( ` -- clobber asset ${name}: owner: ${owner} repo: ${repo} release_id: ${release_id}` )
const existingAssets = await github.repos.listReleaseAssets({ owner, repo, release_id })
const matchingAssets = existingAssets.data.filter(item => item.name == name);
if ( matchingAssets.length > 0 ){
asset_id = matchingAssets[0].id
console.log( ` !! !! Clobbering existing asset for ${name} (id: ${asset_id})`)
await github.repos.deleteReleaseAsset({ owner, repo, asset_id })
return(true)
}
return(false)
}
async function uploadAsset(owner, repo, release_id, file, assetContentType ){
console.log( `\n\n -- uploadAsset: owner: ${owner} repo: ${repo} release_id: ${release_id}, file: ${file}\n` )
const name = path.basename(file)
const data = fs.readFileSync(file)
const contentLength = fs.statSync(file).size
const headers = {
'content-type': assetContentType,
'content-length': contentLength
};
console.log( ` == Uploading asset ${name}: ${assetContentType}` )
const uploadAssetResponse = await github.repos.uploadReleaseAsset({
owner, repo, release_id, data, name, headers,
})
return( uploadAssetResponse );
}
console.log('== start');
const release_id = process.env.release_id
const [owner, repo] = process.env.TARGET_REPO.split('/')
const clobber = process.env.clobber == 'yes';
const rpm_files = process.env.rpm_file_paths.split(/[\r\n]+/);
const rpm_gpg_file = process.env.rpm_gpg_file;
let uploaded_files = rpm_files.concat(rpm_gpg_file).map(function(file){
const name = path.basename(file)
var content_type = 'application/pgp-keys'
if( name.match(/\.rpm$/) ){
content_type = 'application/octet-stream'
}
let conditionalClobber = new Promise((resolve,reject) => {
if ( clobber ){
resolve(clobberAsset( name, owner, repo, release_id ))
return
}
resolve( false )
})
conditionalClobber.then((clobbered)=> {
uploadAsset(owner, repo, release_id, file, content_type )
}).then(result => result )
})
console.log('== done')