-
Notifications
You must be signed in to change notification settings - Fork 2
133 lines (117 loc) · 3.97 KB
/
Copy pathrelease-linux-packages.yml
File metadata and controls
133 lines (117 loc) · 3.97 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Linux packages
on:
push:
tags: ['v*']
pull_request:
paths:
- 'packaging/linux/**'
- '.github/workflows/release-linux-packages.yml'
- '.github/scripts/test-install.sh'
- 'cmd/proxy/**'
- 'internal/mitm/**'
- 'Makefile'
permissions:
contents: read
jobs:
build:
name: Build (${{ matrix.arch }})
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix:
arch: [amd64, arm64]
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
with:
go-version-file: go.mod
cache: true
- name: Install nfpm
# Pinned to v2.46.3 (sum-verified). Bumps require a review window;
# nfpm produces signed release artifacts so the build tool itself is
# a supply-chain entry point — see PR #120 review thread on this line.
run: |
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.46.3
echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
- name: Build packages
run: make package-linux-${{ matrix.arch }}
- name: Upload packages
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: linux-${{ matrix.arch }}
path: dist/*
test-install:
name: Install round-trip (${{ matrix.image }})
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
image:
- jrei/systemd-ubuntu:22.04
- jrei/systemd-ubuntu:24.04
- jrei/systemd-debian:12
- almalinux:9
- fedora:latest
- opensuse/leap:15
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download amd64 packages
uses: actions/download-artifact@448e3f862ab3ef47aa50ff917776823c9946035b # v7.0.0
with:
name: linux-amd64
path: dist/
- name: Install + verify + uninstall
run: |
docker run --rm --privileged \
-v "${{ github.workspace }}/dist:/dist:ro" \
-v "${{ github.workspace }}/.github/scripts:/scripts:ro" \
${{ matrix.image }} \
/scripts/test-install.sh
release:
name: Sign + publish
if: startsWith(github.ref, 'refs/tags/v')
needs: [build, test-install]
runs-on: ubuntu-latest
# Elevated permissions scoped to this job only: a compromise in build or
# test-install cannot mint OIDC tokens or push to the release.
permissions:
contents: write # release upload
id-token: write # cosign keyless signing via Fulcio/Rekor
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Download all packages
uses: actions/download-artifact@448e3f862ab3ef47aa50ff917776823c9946035b # v7.0.0
with:
path: dist/
merge-multiple: true
- name: Generate checksums
working-directory: dist
run: |
sha256sum *.deb *.rpm > SHA256SUMS
sha512sum *.deb *.rpm > SHA512SUMS
- name: Install cosign
uses: sigstore/cosign-installer@d7d6e113b16d7d56d4c136e46ea9d2f80ce5d4be # v3.7.0
- name: Sign release artifacts (keyless)
working-directory: dist
run: |
for f in *.deb *.rpm SHA256SUMS SHA512SUMS; do
cosign sign-blob --yes \
--output-signature "$f.sig" \
--output-certificate "$f.cert" \
"$f"
done
- name: Create GitHub release
uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
with:
files: dist/*
fail_on_unmatched_files: true