Zh automatic signing releases in ci #159
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Main (test, releases) | |
| on: | |
| # # Indicates I want to run this workflow on all branches, PR, and tags | |
| push: | |
| branches: ["master"] | |
| tags: ["*"] | |
| pull_request: | |
| branches: [ "*" ] | |
| # TiDB versions used in tests - single source of truth | |
| # Latest version of each minor series: 6.1.x, 6.5.x, 7.1.x, 7.5.x, 8.1.x, 8.5.x | |
| env: | |
| TIDB_VERSIONS: "6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3" | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-22.04 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| command: | |
| - make vet | |
| - make fmtcheck | |
| steps: | |
| - name: Checkout Git repo | |
| uses: actions/checkout@v4 | |
| - name: Running ${{ matrix.command }} | |
| run: ${{ matrix.command }} | |
| prepare-dependencies: | |
| name: Prepare Dependencies | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout Git repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Validate TiDB versions sync | |
| run: | | |
| # Extract TiDB versions from test matrix and compare with env.TIDB_VERSIONS | |
| EXPECTED_VERSIONS="${{ env.TIDB_VERSIONS }}" | |
| MATRIX_VERSIONS=$(grep -A 20 "db_type: tidb" .github/workflows/main.yml | grep "db_version:" | sed 's/.*db_version: "\([0-9.]*\)".*/\1/' | tr '\n' ' ' | xargs) | |
| echo "Expected versions (from env): $EXPECTED_VERSIONS" | |
| echo "Matrix versions (from workflow): $MATRIX_VERSIONS" | |
| # Check if versions match (simple check - both should contain same versions) | |
| MISSING="" | |
| for version in $EXPECTED_VERSIONS; do | |
| if ! echo "$MATRIX_VERSIONS" | grep -q "$version"; then | |
| MISSING="$MISSING $version" | |
| fi | |
| done | |
| if [ -n "$MISSING" ]; then | |
| echo "ERROR: TiDB versions in env.TIDB_VERSIONS not found in test matrix: $MISSING" | |
| echo "Please ensure test matrix includes tidb entries for all versions in env.TIDB_VERSIONS" | |
| exit 1 | |
| fi | |
| echo "✓ TiDB versions are in sync" | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: go.mod | |
| - name: Download Terraform | |
| run: | | |
| mkdir -p bin | |
| curl -sfL https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip > bin/terraform.zip | |
| cd bin && unzip terraform.zip && rm terraform.zip && chmod +x terraform | |
| - name: Vendor Go dependencies | |
| run: go mod vendor | |
| # Note: Tests now use testcontainers - no mysql-client or Docker Buildx caching needed | |
| # Testcontainers handles container lifecycle and image pulling automatically | |
| - name: Upload Terraform binary | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: terraform-binary | |
| path: bin/terraform | |
| retention-days: 1 | |
| - name: Upload vendor directory | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: vendor-dir | |
| path: vendor/ | |
| retention-days: 1 | |
| compression-level: 6 | |
| tests: | |
| runs-on: ubuntu-22.04 | |
| needs: [prepare-dependencies] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| # MySQL versions | |
| - db_type: mysql | |
| db_version: "5.6" | |
| make_target: "test-mysql-5.6" | |
| - db_type: mysql | |
| db_version: "5.7" | |
| make_target: "test-mysql-5.7" | |
| - db_type: mysql | |
| db_version: "8.0" | |
| make_target: "test-mysql-8.0" | |
| # Percona versions | |
| - db_type: percona | |
| db_version: "5.7" | |
| make_target: "test-percona-5.7" | |
| - db_type: percona | |
| db_version: "8.0" | |
| make_target: "test-percona-8.0" | |
| # MariaDB versions | |
| - db_type: mariadb | |
| db_version: "10.3" | |
| make_target: "test-mariadb-10.3" | |
| - db_type: mariadb | |
| db_version: "10.8" | |
| make_target: "test-mariadb-10.8" | |
| - db_type: mariadb | |
| db_version: "10.10" | |
| make_target: "test-mariadb-10.10" | |
| # TiDB versions - must match env.TIDB_VERSIONS: 6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3 | |
| - db_type: tidb | |
| db_version: "6.1.7" | |
| make_target: "test-tidb-6.1.7" | |
| - db_type: tidb | |
| db_version: "6.5.12" | |
| make_target: "test-tidb-6.5.12" | |
| - db_type: tidb | |
| db_version: "7.1.6" | |
| make_target: "test-tidb-7.1.6" | |
| - db_type: tidb | |
| db_version: "7.5.7" | |
| make_target: "test-tidb-7.5.7" | |
| - db_type: tidb | |
| db_version: "8.1.2" | |
| make_target: "test-tidb-8.1.2" | |
| - db_type: tidb | |
| db_version: "8.5.3" | |
| make_target: "test-tidb-8.5.3" | |
| steps: | |
| - name: Checkout Git repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: go.mod | |
| - name: Download Terraform binary | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: terraform-binary | |
| path: bin/ | |
| - name: Download vendor directory | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: vendor-dir | |
| path: vendor/ | |
| - name: Make Terraform executable | |
| run: chmod +x bin/terraform | |
| # Note: Docker Buildx not needed - testcontainers handles Docker directly | |
| # Skipping Buildx prevents unnecessary image pulls during initialization | |
| - name: Run testcontainers tests via Makefile | |
| env: | |
| GOFLAGS: -mod=vendor | |
| TF_ACC: 1 | |
| GOTOOLCHAIN: auto | |
| run: | | |
| export PATH="${{ github.workspace }}/bin:$PATH" | |
| echo "Running ${{ matrix.db_type }} ${{ matrix.db_version }} tests using Makefile target: ${{ matrix.make_target }}" | |
| make ${{ matrix.make_target }} | |
| release: | |
| name: Release | |
| needs: [tests] | |
| # Can't use non-semvar for the testing tag | |
| # https://github.com/orgs/goreleaser/discussions/3708 | |
| if: ( startsWith( github.ref, 'refs/tags/v' ) || | |
| startsWith(github.ref, 'refs/tags/v0.0.0-rc') ) | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write # Required for creating releases | |
| steps: | |
| - name: Checkout Git repo | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 # Full history needed for changelog | |
| - name: Set up Go | |
| uses: actions/setup-go@v4 | |
| with: | |
| go-version-file: go.mod | |
| - name: Import GPG Subkey | |
| env: | |
| GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} | |
| GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| run: | | |
| # Create GPG directory | |
| mkdir -p ~/.gnupg | |
| chmod 700 ~/.gnupg | |
| # Configure GPG for non-interactive use with passphrase | |
| echo "use-agent" >> ~/.gnupg/gpg.conf | |
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | |
| echo "allow-loopback-pinentry" >> ~/.gnupg/gpg.conf | |
| # Start gpg-agent with loopback pinentry (ignore error if already running) | |
| gpg-agent --daemon --allow-loopback-pinentry 2>&1 || true | |
| # Import the subkey | |
| # Write key to temp file (key data is okay, but passphrase never touches disk) | |
| KEY_FILE=$(mktemp) | |
| echo "$GPG_PRIVATE_KEY" > "$KEY_FILE" | |
| # Get keygrip from the key without importing (dry-run with import-show) | |
| IMPORT_OUTPUT=$(gpg --batch --with-colons --import-options import-show --dry-run --import "$KEY_FILE" 2>&1 || true) | |
| KEYGRIP=$(echo "$IMPORT_OUTPUT" | grep -E "^grp:" | cut -d: -f10 | head -1) | |
| # If we found a keygrip, preset the passphrase in gpg-agent (passphrase never touches disk) | |
| # gpg-preset-passphrase communicates directly with gpg-agent via socket | |
| if [ -n "$KEYGRIP" ]; then | |
| echo "$GPG_PASSPHRASE" | gpg-preset-passphrase --preset "$KEYGRIP" 2>&1 || true | |
| fi | |
| # Now import the key (passphrase is cached in gpg-agent if keygrip was found) | |
| # If keygrip wasn't found, use passphrase-fd (passphrase from env var, not disk) | |
| if [ -n "$KEYGRIP" ]; then | |
| gpg --batch --yes --import "$KEY_FILE" | |
| else | |
| # Fallback: passphrase comes from environment variable via stdin, never written to disk | |
| echo "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import "$KEY_FILE" | |
| fi | |
| # Clean up temp file (only contains key data, not passphrase) | |
| rm -f "$KEY_FILE" | |
| # Trust the key (required for signing) | |
| # Use ultimate trust (6) for the subkey | |
| echo "$GPG_FINGERPRINT:6:" | gpg --import-ownertrust | |
| # Verify key is available and can sign | |
| gpg --list-secret-keys --keyid-format LONG | |
| # Test signing capability | |
| # Passphrase should be cached in gpg-agent from preset-passphrase above | |
| # If not cached, this will fail and we'll know import didn't work | |
| echo "test" | gpg --batch --pinentry-mode loopback --sign --armor > /dev/null 2>&1 && echo "✓ GPG signing test successful" || echo "⚠ GPG signing test failed - passphrase may not be cached" | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| distribution: goreleaser | |
| version: '~> v2' | |
| # Run goreleaser and ignore non-committed files (downloaded artifacts) | |
| args: release --clean --skip=validate | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }} | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| GPG_TTY: $(tty) | |
| # terraform-provider-release: | |
| # needs: [release] | |
| # name: 'Terraform Provider Release' | |
| # uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/community.yml@v5 | |
| # secrets: | |
| # gpg-private-key: '${{ secrets.GPG_PRIVATE_KEY }}' | |
| # with: | |
| # setup-go-version-file: 'go.mod' |