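# STACKIT CLI release workflow.
name: Release
# This GitHub action creates a release when a tag that matches one of the patterns below is pushed.
# E.g. v0.1.0, v0.1.0-something.1, etc
# NOTE(review): a `workflow_dispatch` run happens on a branch ref, not a tag; `goreleaser release`
# is expected to fail there, and the publish jobs additionally require a tag ref (see their `if:`).
on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"
  workflow_dispatch:

# Least privilege: the default GITHUB_TOKEN gets no permissions workflow-wide;
# each job below requests only what it needs.
permissions: {}

# NOTE(review): the third-party actions used here (crazy-max/ghaction-import-gpg,
# samuelmeuli/action-snapcraft, goreleaser/goreleaser-action) are pinned to mutable
# major-version tags. This workflow holds the release-signing GPG key, an Apple signing
# certificate and store/publishing credentials, so each `uses:` should be pinned to a full
# commit SHA (with the tag kept in a trailing comment) so that a compromised or
# force-pushed tag cannot execute arbitrary code with these secrets.

jobs:
  goreleaser:
    name: Release
    runs-on: macOS-latest
    # GitHub considers creating releases and uploading assets as writing contents.
    # NOTE(review): GoReleaser is given a separate token (CLI_RELEASE) below, so this may
    # only be needed by actions/checkout; keep it until it is confirmed that nothing in
    # this job relies on the default GITHUB_TOKEN.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          # Allow goreleaser to access older tag information.
          fetch-depth: 0
          # Nothing in this job pushes via git; do not leave the token in .git/config
          # where later steps and tools could read it.
          persist-credentials: false
      - name: Install go
        uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: true
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      # nfpm-rpm signing needs gpg provided as filepath
      # https://goreleaser.com/customization/nfpm/
      - name: Create GPG key file
        # The secret is handed over via `env:` and read as a shell variable instead of being
        # interpolated with `${{ }}` into the script text.
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          KEY_PATH="$RUNNER_TEMP/gpg-private-key.asc"
          # umask 077 makes the file owner-only (0600) at creation time, so there is no
          # window in which it exists with wider permissions before a chmod.
          umask 077
          printf '%s' "$GPG_PRIVATE_KEY" > "$KEY_PATH"
          echo "GPG_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV"
      - name: Set up keychain
        # All secrets are passed through `env:` and referenced as quoted shell variables; none
        # is interpolated with `${{ }}` into the script. Decoded key material lives in
        # $RUNNER_TEMP, not in the repository checkout.
        env:
          APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
          SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.APPLICATION_ID }}
          AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
          KEYCHAIN_PASSWORD: ${{ secrets.TEMP_KEYCHAIN }}
        run: |
          set -euo pipefail
          P12_PATH="$RUNNER_TEMP/ApplicationID.p12"
          P8_PATH="$RUNNER_TEMP/AuthKey.p8"
          KEYCHAIN_PATH="$RUNNER_TEMP/ios_signing_temp.keychain-db"
          # Remove the decoded certificate and API key even if a command below fails;
          # with `-e` the trailing rm lines would otherwise be skipped on error.
          trap 'rm -f "$P12_PATH" "$P8_PATH"' EXIT
          printf '%s' "$SIGNING_CERTIFICATE_BASE64" | base64 -d -o "$P12_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security default-keychain -s "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # the keychain gets locked automatically after 300s, so we have to extend this interval to e.g. 900 seconds
          security set-keychain-settings -lut 900
          # NOTE(review): `-A` lets every application read the imported key without prompting.
          # Restricting access to the signing tools (`-T /usr/bin/codesign` plus
          # `security set-key-partition-list`) is preferable, but must be verified against the
          # signing/notarization flow before changing it.
          security import "$P12_PATH" -P "$SIGNING_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          printf '%s' "$AUTHKEY_BASE64" | base64 -d -o "$P8_PATH"
          xcrun notarytool store-credentials stackit-cli -i "$APPLE_ISSUER" -d "$APPLE_KEY_ID" -k "$P8_PATH" --keychain "$KEYCHAIN_PATH"
          # Exported so the cleanup step can delete the keychain once GoReleaser is done with it.
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
      - name: Install Snapcraft
        uses: samuelmeuli/action-snapcraft@v3
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          args: release --clean
        env:
          # NOTE(review): presumably a PAT rather than the default GITHUB_TOKEN so GoReleaser can
          # publish to other repositories; confirm its scopes are the minimum required.
          GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GPG_KEY_PATH: ${{ env.GPG_KEY_PATH }}
          # nfpm-rpm signing needs this env to be set.
          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          # Only snapcraft (invoked by GoReleaser) needs the store credentials, so they are
          # scoped to this step instead of being exposed to every step in the job.
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
      - name: Clean up signing material
        if: always()
        run: |
          rm -f "$GPG_KEY_PATH"
          # KEYCHAIN_PATH is only set if the keychain step got far enough to export it.
          if [ -n "${KEYCHAIN_PATH:-}" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
      - name: Upload artifacts to workflow
        uses: actions/upload-artifact@v6
        with:
          name: goreleaser-dist-temp
          path: dist
          retention-days: 1

  publish-apt:
    name: Publish APT
    runs-on: macOS-latest
    needs: [goreleaser]
    # Only the checkout uses the default token, and it only needs to read.
    # NOTE(review): assumes scripts/publish-apt-packages.sh authenticates with the AWS
    # variables and the GPG key only; if it also needs GITHUB_TOKEN or a git push, raise
    # this back to `write`.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      # use the artifacts from the "goreleaser" job
      - name: Download artifacts from workflow
        uses: actions/download-artifact@v7
        with:
          name: goreleaser-dist-temp
          path: dist
      - name: Install Aptly
        run: brew install aptly
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Publish packages to APT repo
        # Publish only stable releases: skip pre-release tags (which contain '-') and any run
        # that is not on a tag (e.g. workflow_dispatch from a branch, where ref_name is a branch name).
        if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
        env:
          # Needed to publish new packages to our S3-hosted APT repo; scoped to the one step that uses them.
          AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
        run: ./scripts/publish-apt-packages.sh

  publish-rpm:
    name: Publish RPM
    runs-on: ubuntu-latest
    needs: [goreleaser]
    # Only the checkout uses the default token, and it only needs to read.
    # NOTE(review): assumes scripts/publish-rpm-packages.sh authenticates with the AWS
    # variables and the GPG key only; if it also needs GITHUB_TOKEN or a git push, raise
    # this back to `write`.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Download artifacts from workflow
        uses: actions/download-artifact@v7
        with:
          name: goreleaser-dist-temp
          path: dist
      - name: Install RPM tools
        run: |
          sudo apt-get update
          sudo apt-get install -y createrepo-c
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Publish RPM packages
        # Publish only stable releases: skip pre-release tags (which contain '-') and any run
        # that is not on a tag (e.g. workflow_dispatch from a branch, where ref_name is a branch name).
        if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')
        env:
          # Needed to publish new packages to our S3-hosted RPM repo; scoped to the one step that uses them.
          AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: eu01
          AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
        run: ./scripts/publish-rpm-packages.sh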