Zh automatic signing releases in ci #179

Workflow file for this run

	name: Main (test, releases)
	on:
	# # Indicates I want to run this workflow on all branches, PR, and tags
	push:
	branches: ["master"]
	tags: ["*"]
	pull_request:
	branches: [ "*" ]

	# TiDB versions used in tests - single source of truth
	# Latest version of each minor series: 6.1.x, 6.5.x, 7.1.x, 7.5.x, 8.1.x, 8.5.x
	env:
	TIDB_VERSIONS: "6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3"

	jobs:
	lint:
	runs-on: ubuntu-22.04
	strategy:
	fail-fast: false
	matrix:
	command:
	- make vet
	- make fmtcheck
	steps:
	- name: Checkout Git repo
	uses: actions/checkout@v4
	- name: Running ${{ matrix.command }}
	run: ${{ matrix.command }}

	prepare-dependencies:
	name: Prepare Dependencies
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout Git repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Validate TiDB versions sync
	run: \|
	# Extract TiDB versions from test matrix and compare with env.TIDB_VERSIONS
	EXPECTED_VERSIONS="${{ env.TIDB_VERSIONS }}"
	MATRIX_VERSIONS=$(grep -A 20 "db_type: tidb" .github/workflows/main.yml \| grep "db_version:" \| sed 's/.db_version: "$[0-9.]$".*/\1/' \| tr '\n' ' ' \| xargs)

	echo "Expected versions (from env): $EXPECTED_VERSIONS"
	echo "Matrix versions (from workflow): $MATRIX_VERSIONS"

	# Check if versions match (simple check - both should contain same versions)
	MISSING=""
	for version in $EXPECTED_VERSIONS; do
	if ! echo "$MATRIX_VERSIONS" \| grep -q "$version"; then
	MISSING="$MISSING $version"
	fi
	done

	if [ -n "$MISSING" ]; then
	echo "ERROR: TiDB versions in env.TIDB_VERSIONS not found in test matrix: $MISSING"
	echo "Please ensure test matrix includes tidb entries for all versions in env.TIDB_VERSIONS"
	exit 1
	fi

	echo "✓ TiDB versions are in sync"

	- name: Set up Go
	uses: actions/setup-go@v4
	with:
	go-version-file: go.mod

	- name: Download Terraform
	run: \|
	mkdir -p bin
	curl -sfL https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip > bin/terraform.zip
	cd bin && unzip terraform.zip && rm terraform.zip && chmod +x terraform

	- name: Vendor Go dependencies
	run: go mod vendor

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Build and cache TiUP Playground Docker image
	uses: docker/build-push-action@v5
	with:
	context: .
	file: ./Dockerfile.tiup-playground
	tags: terraform-provider-mysql-tiup-playground:latest
	cache-from: type=gha
	cache-to: type=gha,mode=max
	push: false
	load: true

	- name: Save TiUP Playground Docker image
	run: \|
	docker save terraform-provider-mysql-tiup-playground:latest \| gzip > tiup-playground-image.tar.gz
	echo "Image saved: $(du -h tiup-playground-image.tar.gz \| cut -f1)"

	# Note: Tests now use testcontainers - no mysql-client or Docker Buildx caching needed
	# Testcontainers handles container lifecycle and image pulling automatically
	# TiUP Playground image is pre-built above and saved as artifact for test jobs

	- name: Upload Terraform binary
	uses: actions/upload-artifact@v4
	with:
	name: terraform-binary
	path: bin/terraform
	retention-days: 1

	- name: Upload vendor directory
	uses: actions/upload-artifact@v4
	with:
	name: vendor-dir
	path: vendor/
	retention-days: 1
	compression-level: 6

	- name: Upload TiUP Playground Docker image
	uses: actions/upload-artifact@v4
	with:
	name: tiup-playground-image
	path: tiup-playground-image.tar.gz
	retention-days: 1
	compression-level: 6

	tests:
	runs-on: ubuntu-22.04
	needs: [prepare-dependencies]
	strategy:
	fail-fast: false
	matrix:
	include:
	# MySQL versions
	- db_type: mysql
	db_version: "5.6"
	make_target: "test-mysql-5.6"
	- db_type: mysql
	db_version: "5.7"
	make_target: "test-mysql-5.7"
	- db_type: mysql
	db_version: "8.0"
	make_target: "test-mysql-8.0"
	# Percona versions
	- db_type: percona
	db_version: "5.7"
	make_target: "test-percona-5.7"
	- db_type: percona
	db_version: "8.0"
	make_target: "test-percona-8.0"
	# MariaDB versions
	- db_type: mariadb
	db_version: "10.3"
	make_target: "test-mariadb-10.3"
	- db_type: mariadb
	db_version: "10.8"
	make_target: "test-mariadb-10.8"
	- db_type: mariadb
	db_version: "10.10"
	make_target: "test-mariadb-10.10"
	# TiDB versions - must match env.TIDB_VERSIONS: 6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3
	- db_type: tidb
	db_version: "6.1.7"
	make_target: "test-tidb-6.1.7"
	- db_type: tidb
	db_version: "6.5.12"
	make_target: "test-tidb-6.5.12"
	- db_type: tidb
	db_version: "7.1.6"
	make_target: "test-tidb-7.1.6"
	- db_type: tidb
	db_version: "7.5.7"
	make_target: "test-tidb-7.5.7"
	- db_type: tidb
	db_version: "8.1.2"
	make_target: "test-tidb-8.1.2"
	- db_type: tidb
	db_version: "8.5.3"
	make_target: "test-tidb-8.5.3"
	steps:
	- name: Checkout Git repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 1

	- name: Set up Go
	uses: actions/setup-go@v4
	with:
	go-version-file: go.mod

	- name: Download Terraform binary
	uses: actions/download-artifact@v4
	with:
	name: terraform-binary
	path: bin/

	- name: Download vendor directory
	uses: actions/download-artifact@v4
	with:
	name: vendor-dir
	path: vendor/

	- name: Make Terraform executable
	run: chmod +x bin/terraform

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3

	- name: Download TiUP Playground Docker image
	uses: actions/download-artifact@v4
	with:
	name: tiup-playground-image
	path: ./

	- name: Load TiUP Playground Docker image
	run: \|
	echo "Loading pre-built TiUP Playground Docker image..."
	gunzip -c tiup-playground-image.tar.gz \| docker load
	docker images \| grep terraform-provider-mysql-tiup-playground
	echo "✓ TiUP Playground image loaded successfully"

	# Note: TiUP Playground image is pre-built in prepare-dependencies and loaded here
	# This avoids rebuilding the image during each test run
	# Testcontainers handles container lifecycle and image pulling automatically

	- name: Run testcontainers tests via Makefile
	env:
	GOFLAGS: -mod=vendor
	TF_ACC: 1
	GOTOOLCHAIN: auto
	run: \|
	export PATH="${{ github.workspace }}/bin:$PATH"
	echo "Running ${{ matrix.db_type }} ${{ matrix.db_version }} tests using Makefile target: ${{ matrix.make_target }}"
	make ${{ matrix.make_target }}
	release:
	name: Release
	needs: [tests]
	# Can't use non-semvar for the testing tag
	# https://github.com/orgs/goreleaser/discussions/3708
	if: ( startsWith( github.ref, 'refs/tags/v' ) \|\|
	startsWith(github.ref, 'refs/tags/v0.0.0-rc') )
	runs-on: ubuntu-22.04
	permissions:
	contents: write # Required for creating releases
	steps:
	- name: Checkout Git repo
	uses: actions/checkout@v4
	with:
	fetch-depth: 0 # Full history needed for changelog

	- name: Set up Go
	uses: actions/setup-go@v4
	with:
	go-version-file: go.mod

	- name: Import GPG Subkey
	env:
	GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
	GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
	GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
	run: \|
	# Install gnupg2 if not already available (includes gpg-preset-passphrase)
	sudo apt-get update && sudo apt-get install -y gnupg2 \|\| true

	# Create GPG directory
	mkdir -p ~/.gnupg
	chmod 700 ~/.gnupg

	# Configure GPG for non-interactive use
	# Note: allow-loopback-pinentry is a gpg-agent option, not gpg.conf option
	echo "use-agent" > ~/.gnupg/gpg.conf
	echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf

	# Configure gpg-agent for loopback pinentry
	echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
	chmod 600 ~/.gnupg/gpg-agent.conf

	# Start gpg-agent with loopback pinentry (ignore error if already running)
	gpg-agent --daemon --allow-loopback-pinentry 2>&1 \|\| true

	# Import the subkey
	# Write key to temp file (key data is okay, but passphrase never touches disk)
	KEY_FILE=$(mktemp)
	echo "$GPG_PRIVATE_KEY" > "$KEY_FILE"

	# Import the key with passphrase from stdin (never written to disk)
	echo "$GPG_PASSPHRASE" \| gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import "$KEY_FILE"

	# Clean up temp file (only contains key data, not passphrase)
	rm -f "$KEY_FILE"

	# Trust the key (required for signing)
	# Format: fingerprint:trust-level: (fingerprint must be uppercase, no spaces)
	# Use ultimate trust (6) for the subkey
	FINGERPRINT_UPPER=$(echo "$GPG_FINGERPRINT" \| tr '[:lower:]' '[:upper:]' \| tr -d ' ')
	echo "$FINGERPRINT_UPPER:6:" \| gpg --import-ownertrust

	# Verify key is available
	gpg --list-secret-keys --keyid-format LONG

	# Test signing capability (GoReleaser will test this anyway, but verify key is importable)
	# Note: We skip actual signing test here since --passphrase-fd consumes stdin
	# GoReleaser uses --passphrase flag directly, which works differently
	echo "✓ GPG key imported successfully"

	- name: Run GoReleaser
	uses: goreleaser/goreleaser-action@v6
	with:
	distribution: goreleaser
	version: '~> v2'
	# Run goreleaser and ignore non-committed files (downloaded artifacts)
	args: release --clean --skip=validate
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
	GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
	GPG_TTY: $(tty)

	# terraform-provider-release:
	# needs: [release]
	# name: 'Terraform Provider Release'
	# uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/community.yml@v5
	# secrets:
	# gpg-private-key: '${{ secrets.GPG_PRIVATE_KEY }}'
	# with:
	# setup-go-version-file: 'go.mod'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Zh automatic signing releases in ci #179

Workflow file

Zh automatic signing releases in ci #179

Uh oh!

Jobs

Run details

Workflow file for this run