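# STACKIT CLI release workflow.
name: Release
# This GitHub action creates a release when a tag that matches one of the patterns below
# is pushed. E.g. v0.1.0, v0.1.0-something.1, etc.
#
# Handling of signing material in this workflow:
#   - Secrets are handed to shell steps through `env:` and referenced as shell variables,
#     never expanded inline with `${{ secrets.* }}` inside `run:`; inline expansion
#     copies the key material into the generated step script on disk.
#   - Key files are written to $RUNNER_TEMP (outside the checkout) so they can never be
#     swept into `dist` or the uploaded workflow artifact, and are removed by cleanup
#     steps that run even when a previous step fails.
#   - Secrets are scoped to the single step that needs them instead of the whole job.
#   - Third-party actions are referenced by mutable major-version tags. Each of them runs
#     with access to the GPG key, the Apple signing identity or store/S3 credentials, so
#     they should be pinned to full commit SHAs (kept current with Dependabot/Renovate)
#     to protect against a compromised or force-pushed tag.
on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"
  # NOTE(review): a manual run is not restricted to tag refs, and `--skip=validate`
  # below disables goreleaser's tag/dirty-tree checks, so a dispatch from a branch
  # builds and publishes packages for a non-release ref. If that is unintended, guard
  # the publish jobs with `if: startsWith(github.ref, 'refs/tags/v')`.
  workflow_dispatch:

# Least privilege for the workflow token: read-only by default. The one job that
# needs to write repository contents opts in below.
permissions:
  contents: read

jobs:
  goreleaser:
    name: Release
    runs-on: macOS-latest
    # Releases need permissions to read and write the repository contents.
    # GitHub considers creating releases and uploading assets as writing contents.
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@v5
        with:
          # Allow goreleaser to access older tag information.
          fetch-depth: 0
          # Do not leave the GITHUB_TOKEN in .git/config where later steps and
          # third-party actions could read it; nothing in this job pushes via git.
          persist-credentials: false
      - name: Install go
        uses: actions/setup-go@v6
        with:
          go-version-file: "go.mod"
          cache: true
      - name: Import GPG key
        # Third-party action that receives the release signing key: pin to a commit SHA.
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Create GPG key file
        # The armored key is needed on disk by the GoReleaser step (GPG_KEY_PATH).
        # It is written from an environment variable to $RUNNER_TEMP, outside the
        # workspace, readable only by the runner user.
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          umask 077
          printf '%s\n' "$GPG_PRIVATE_KEY" > "$RUNNER_TEMP/gpg-private-key.asc"
          chmod 600 "$RUNNER_TEMP/gpg-private-key.asc"
      - name: Set up keychain
        # Decodes the Apple signing certificate and the notarization API key into
        # temporary files, loads them into a throw-away keychain and removes the files
        # again (the trap also fires when one of the `security` commands fails).
        env:
          APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }}
          APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
          SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
          SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.APPLICATION_ID }}
          AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
          KEYCHAIN_PASSWORD: ${{ secrets.TEMP_KEYCHAIN }}
        run: |
          set -euo pipefail
          umask 077
          KEYCHAIN_PATH="$RUNNER_TEMP/ios_signing_temp.keychain-db"
          CERT_FILE="$RUNNER_TEMP/ApplicationID.p12"
          AUTHKEY_FILE="$RUNNER_TEMP/AuthKey.p8"
          # Always remove the decoded key material, even if a later command fails.
          trap 'rm -f "$CERT_FILE" "$AUTHKEY_FILE"' EXIT
          echo -n "$SIGNING_CERTIFICATE_BASE64" | base64 -d -o "$CERT_FILE"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security default-keychain -s "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # the keychain gets locked automatically after 300s, so we have to extend this interval to e.g. 900 seconds
          security set-keychain-settings -lut 900
          # NOTE(review): `-A` lets every application use the imported identity without
          # prompting. Restricting it with `-T /usr/bin/codesign -T /usr/bin/security`
          # would be tighter, but must be checked against the signing/notarization
          # tooling that goreleaser invokes, which is not visible here.
          security import "$CERT_FILE" -P "$SIGNING_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          echo -n "$AUTHKEY_BASE64" | base64 -d -o "$AUTHKEY_FILE"
          xcrun notarytool store-credentials stackit-cli -i "$APPLE_ISSUER" -d "$APPLE_KEY_ID" -k "$AUTHKEY_FILE" --keychain "$KEYCHAIN_PATH"
      - name: Install Snapcraft
        # Third-party action: pin to a commit SHA.
        uses: samuelmeuli/action-snapcraft@v3
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          args: release --clean --skip=publish --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GPG_KEY_PATH: ${{ runner.temp }}/gpg-private-key.asc
          NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          # Snap store token, scoped to this step instead of the whole job.
          # NOTE(review): assumes only goreleaser's snap publisher reads this variable
          # and the install step above does not need it — confirm against the action.
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
      - name: Clean up signing material
        # Runs even when GoReleaser fails or the job is cancelled, so neither the
        # private key file nor the temporary keychain outlives the job body.
        if: always()
        run: |
          rm -f "$RUNNER_TEMP/gpg-private-key.asc"
          security delete-keychain "$RUNNER_TEMP/ios_signing_temp.keychain-db" || true
      # artifacts need to be passed to the "publish-apt" job somehow
      - name: Upload artifacts to workflow
        # Workflow artifacts are downloadable by anyone with read access to the repo;
        # only `dist` is uploaded, key material lives in $RUNNER_TEMP and never gets here.
        uses: actions/upload-artifact@v4
        with:
          name: goreleaser-dist-temp
          path: dist
          retention-days: 1

  publish-apt:
    name: Publish APT
    runs-on: macOS-latest
    needs: [goreleaser]
    steps:
      - name: Checkout
        uses: actions/checkout@v5
        with:
          # This job never pushes via git; do not persist the token in .git/config.
          persist-credentials: false
      # use the artifacts from the "goreleaser" job
      - name: Download artifacts from workflow
        uses: actions/download-artifact@v5
        with:
          name: goreleaser-dist-temp
          path: dist
      - name: Install Aptly
        run: brew install aptly
      - name: Import GPG key
        # Third-party action that receives the release signing key: pin to a commit SHA.
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Publish packages to APT repo
        # NOTE(review): with this guard commented out, pre-release tags (v1.2.3-rc.1)
        # are published to the same repository as stable releases.
        # if: contains(github.ref_name, '-') == false
        env:
          # Needed to publish new packages to our S3-hosted APT repo. Scoped to this
          # step so the checkout, download and GPG-import actions never see the keys.
          AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: eu01
          AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
        run: ./scripts/publish-apt-packages.sh

  publish-rpm:
    name: Publish RPM
    runs-on: ubuntu-latest
    needs: [goreleaser]
    steps:
      - name: Checkout
        uses: actions/checkout@v5
        with:
          # This job never pushes via git; do not persist the token in .git/config.
          persist-credentials: false
      - name: Download artifacts from workflow
        uses: actions/download-artifact@v5
        with:
          name: goreleaser-dist-temp
          path: dist
      - name: Install RPM tools
        run: |
          sudo apt-get update
          sudo apt-get install -y createrepo-c
      - name: Import GPG key
        # Third-party action that receives the release signing key: pin to a commit SHA.
        uses: crazy-max/ghaction-import-gpg@v6
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Publish RPM packages
        # NOTE(review): with this guard commented out, pre-release tags (v1.2.3-rc.1)
        # are published to the same repository as stable releases.
        # if: contains(github.ref_name, '-') == false
        env:
          # Needed to publish new packages to our S3-hosted RPM repo. Scoped to this
          # step so the checkout, download and GPG-import actions never see the keys.
          AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: eu01
          AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
        run: ./scripts/publish-rpm-packages.sh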