Improve github release artifacts (#6092)

Generate .deb packages for all currently configured Go versions
(usually the current and upcoming versions that we use in prod), rather
than just the one default version. Also ensure that the uploaded
artifacts have 8-character short hashes in their names.

Unfortunately this does require updating Go versions in one additional
place (the release.yml file), since we are no longer parsing it out of the
docker-compose.yml. This is unavoidable without hacks that I consider
to be even uglier than the repetition.

Fixes #6075
Fixes #6084

Author: aarongable

.github/workflows/release.yml

@@ -12,6 +12,12 @@ on:
 
 jobs:
   build-release:
+    strategy:
+      fail-fast: false
+      matrix:
+        GO_VERSION:
+          - 1.17.9
+          - 1.18.1
     runs-on: ubuntu-20.04
     permissions:
       contents: read
@@ -20,14 +26,22 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: build deb
+      # This step will create an output called `filename` which contains the
+      # path of the produced .deb file.
+      - name: Build .deb
+        id: build
+        env:
+          GO_VERSION: ${{ matrix.GO_VERSION }}
         run: ./tools/make-deb.sh
 
-      - name: upload deb
+      # Because each copy of this job (one for each entry in the matrix) uploads
+      # to the same artifact name, all of the files will live side-by-side in
+      # the same artifact, and can be downloaded as a single unit.
+      - name: Upload .deb
         uses: actions/upload-artifact@v3
         with:
-          name: boulder deb
-          path: boulder.deb
+          name: boulder_debs
+          path: ${{ steps.build.outputs.filename }}
 
   push-release:
     if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
@@ -36,18 +50,17 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v2
-        with:
-          persist-credentials: false
-
-      - name: Download release artifact
+      # This downloads every artifact uploaded by the matrix jobs above,
+      # directly into the current pwd.
+      - name: Download .debs
+        id: download
         uses: actions/download-artifact@v3
         with:
-          name: boulder deb
-      - name: rename
-        run: mv boulder.deb boulder-1.0.0-$(git rev-parse --short HEAD).x86_64.deb
-      - name: push release
+          name: boulder_debs
+
+      # We have to pass the -R flag here because this job skipped checkout.
+      - name: Create release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # https://cli.github.com/manual/gh_release_create
-        run: gh release create "${GITHUB_REF_NAME}" boulder-1.0.0-$(git rev-parse --short HEAD).x86_64.deb
+        run: gh release -R ${{ github.repository }} create "${GITHUB_REF_NAME}" boulder*.deb

tools/make-deb.sh

@@ -18,10 +18,8 @@ sudo apt-get install -y --no-install-recommends \
   ruby-dev \
   gcc
 
-# Parse our production Go version from our docker-compose file.
-GO_VERSION=$(grep "BOULDER_TOOLS_TAG:-" docker-compose.yml | sed -e 's/.*-go//' -e 's/_.*//')
-
-# Download and unpack our production go version.
+# Download and unpack our production go version. Ensure that $GO_VERSION is
+# already set in the environment (e.g. by the github actions release workflow).
 $(dirname -- "${0}")/fetch-and-verify-go.sh "${GO_VERSION}"
 sudo tar -C /usr/local -xzf go.tar.gz
 export PATH=/usr/local/go/bin:$PATH
@@ -37,8 +35,12 @@ sudo gem install --no-document -v 1.14.0 fpm
 # it to /tmp.
 export ARCHIVEDIR="${PWD}"
 
+# Set $VERSION to be a simulacrum of what is set in other build environments.
+export VERSION="${GO_VERSION}.$(date +%s)"
+
 # Build Boulder and produce a Debian Package at $PWD.
 make deb
 
-# Rename .deb to a predictable path.
-mv boulder-*.deb boulder.deb
+# We expect the final filename produced by `make deb` to be consistent.
+# Print it so that the github action can grab it as an output.
+echo ::set-output name=filename::boulder-${VERSION}-$(git rev-parse --short=8 HEAD).x86_64.deb