Merge pull request #1246 from smallstep/jdoss/Package_Repos

Add support in for signing and publishing RPM and Deb packages to GCP Artifact Registry

Author: jdoss

.github/workflows/release.yml

@@ -67,7 +67,10 @@ jobs:
     permissions:
       id-token: write
       contents: write
+      packages: write
     uses: smallstep/workflows/.github/workflows/goreleaser.yml@main
+    with:
+      enable-packages-upload: true
     secrets: inherit
 
   build_upload_docker:

.gitignore

@@ -22,6 +22,11 @@ go.work.sum
 coverage.txt
 output
 vendor
+dist/
 step
 .idea
 .envrc
+
+# Packages files
+0x889B19391F774443-Certify.key
+gha-creds-*.json

.goreleaser.yml

@@ -1,11 +1,21 @@
 # Documentation: https://goreleaser.com/customization/
+# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json
 version: 2
 project_name: step
 
+variables:
+  packageName: step-cli
+  packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this
+
 before:
   hooks:
     - go mod download
 
+after:
+  hooks:
+    - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }}
+      output: true
+
 builds:
   - &BUILD
     id: default
@@ -86,8 +96,13 @@ nfpms:
   - &NFPM
     builds:
       - nfpm
-    package_name: step-cli
-    file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    package_name: "{{ .Var.packageName }}"
+    release: "1"
+    file_name_template: >-
+      {{- trimsuffix .ConventionalFileName .ConventionalExtension -}}
+      {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}}
+      {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}}
+      {{- .ConventionalExtension -}}
     vendor: Smallstep Labs
     homepage: https://github.com/smallstep/cli
     maintainer: Smallstep <[email protected]>
@@ -113,6 +128,13 @@ nfpms:
     scripts:
       postinstall: scripts/postinstall.sh
       postremove: scripts/postremove.sh
+    rpm:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+    deb:
+      signature:
+          key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}"
+          type: origin
   -
     << : *NFPM
     id: unversioned
@@ -134,6 +156,13 @@ signs:
   args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output-certificate=${certificate}", "--output-signature=${signature}", "${artifact}", "--yes"]
   artifacts: all
 
+publishers:
+- name: Google Cloud Artifact Registry
+  ids:
+  - packages
+  cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}
+  disable: "{{ if .Prerelease }}true{{ end }}"
+
 snapshot:
   name_template: "{{ .Tag }}-next"
 

scripts/package-repo-import.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -e
+
+: ${GCLOUD_LOCATION:=us-central1}
+: ${GCLOUD_RPM_REPO:=rpms}
+: ${GCLOUD_DEB_REPO:=debs}
+
+PACKAGE="${1}"
+VERSION="${2}"
+RELEASE="1"
+EPOCH="0"
+GORELEASER_PHASE=${GORELEASER_PHASE:-release}
+
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+
+check_package() {
+  local EXITCODE=0
+  local REPO="${1}"
+  local VER="${2}"
+  if [ ! -f /tmp/version-deleted.stamp ]; then
+    gcloud artifacts versions list \
+       --repository "${REPO}" \
+       --location "${GCLOUD_LOCATION}" \
+       --package "${PACKAGE}" \
+       --filter "VERSION:${VER}" \
+       --format json  2> /dev/null \
+       | jq -re '.[].name?' >/dev/null 2>&1 \
+       || EXITCODE=$?
+    if [[ "${EXITCODE}" -eq 0 ]]; then
+      echo "Package version already exists. Removing it..."
+      gcloud artifacts versions delete \
+      --quiet "${VER}" \
+      --package "${PACKAGE}" \
+      --repository "${REPO}" \
+      --location "${GCLOUD_LOCATION}"
+      touch /tmp/version-deleted.stamp
+    fi
+  fi
+}
+
+if [[ ${GORELEASER_PHASE} != "publish" ]]; then
+  echo "Skipping artifact import; GORELEASER_PHASE is not 'publish'"
+  exit 0;
+fi
+
+check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}"
+gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \
+  --location "${GCLOUD_LOCATION}" \
+  --gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*"
+
+check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}
+gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \
+  --location "${GCLOUD_LOCATION}" \
+  --gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*"

scripts/package-upload.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -e
+
+FILE="${1}"
+PACKAGE="${2}"
+VERSION="${3}"
+
+echo "Package File: ${FILE}"
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+echo "Release: ${RELEASE}"
+echo "Location: ${GCLOUD_LOCATION}"
+
+if [ "${FILE: -4}" == ".deb" ]; then
+  gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/
+else
+  gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/
+fi