-
Notifications
You must be signed in to change notification settings - Fork 19
353 lines (326 loc) · 16.1 KB
/
release_rpms.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
# Manual action to build, sign, and attach a release's RPMs
# ------------------------------------------------------------------------------
#
# NOTICE: **This file is maintained with puppetsync**
#
# This file is updated automatically as part of a puppet module baseline.
#
# The next baseline sync will overwrite any local changes to this file!
#
# ==============================================================================
# This pipeline uses the following GitHub Action Secrets:
#
# GitHub Secret variable Notes
# ------------------------------- ---------------------------------------
# SIMP_CORE_REF_FOR_BUILDING_RPMS simp-core ref (tag) to use to build
# RPMs with `rake pkg:single` against
# `build/rpms/dependencies.yaml`
# SIMP_DEV_GPG_SIGNING_KEY GPG signing key's secret key
# SIMP_DEV_GPG_SIGNING_KEY_ID User ID (name) of signing key
# SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE Passphrase to use GPG signing key
#
# ------------------------------------------------------------------------------
#
# * This is a workflow_dispatch action, which can be triggered manually or from
# other workflows/API.
#
# * If triggered by another workflow, it will be necessary to provide a GitHub
# access token via the the `target_repo_token` parameter
#
#
---
name: 'RELENG: Build + attach RPMs to GitHub Release'
on:
workflow_dispatch:
inputs:
release_tag:
description: "Release tag"
required: true
clobber:
description: "Clobber identical assets?"
required: false
default: 'yes'
clean:
description: "Wipe all release assets first?"
required: false
default: 'no'
autocreate_release:
# A GitHub release is needed to upload artifacts to, and some repos
# (e.g., forked mirrors) only have tags.
description: "Create release if missing? (tag must exist)"
required: false
default: 'yes'
build_container_os:
description: "Build container OS"
required: true
default: 'centos8'
target_repo:
description: "Target repo (instead of this one)"
required: false
# WARNING: To avoid exposing secrets in the log, only use this token with
# action/script's `github-token` parameter, NEVER in `env:` vars
target_repo_token:
description: "API token for uploading to target repo"
required: false
path_to_build:
# Example: simp-core builds pupmod from . and simp* from src/assets/simp
description: "Subpath to alternative RPM project"
required: false
dry_run:
description: "Dry run (Test-build RPMs)"
required: false
default: 'no'
#verbose:
# description: 'Verbose RPM builds when "yes"'
# required: false
# default: 'no'
rebuild_number:
description: 'If this is an RPM rebuild, put the number of the rebuild here'
required: false
default: ''
env:
TARGET_REPO: ${{ (github.event.inputs.target_repo != null && format('{0}/{1}', github.repository_owner, github.event.inputs.target_repo)) || github.repository }}
RELEASE_TAG: ${{ github.event.inputs.release_tag }}
jobs:
create-and-attach-rpms-to-github-release:
name: >
Build and attach RPMs to Release:
${{ (github.event.inputs.target_repo != null && format('{0}/{1}', github.repository_owner, github.event.inputs.target_repo)) || github.repository }}
${{ github.event.inputs.release_tag }}
(build os: ${{ github.event.inputs.build_container_os }})
runs-on: ubuntu-20.04
steps:
- name: "Validate inputs"
id: validate-inputs
run: |
if ! [[ "$TARGET_REPO" =~ ^[a-z0-9][a-z0-9-]+/[a-z0-9][a-z0-9_-]+$ ]]; then
printf '::error ::Target repository name has invalid format: %s\n' "$TARGET_REPO"
exit 88
fi
if [[ "$RELEASE_TAG" =~ ^(simp-|v)?([0-9]+\.[0-9]+\.[0-9]+)(-(rc|RC|[Aa]lpha|[Bb]eta|pre|post)?([0-9]+)?)?$ ]]; then
if [ -n "${BASH_REMATCH[5]}" ]; then
echo "{prebuild_number}={${BASH_REMATCH[5]#-}}" >> $GITHUB_OUTPUT
fi
if [ -n "${BASH_REMATCH[3]}" ]; then
echo "{prebuild_suffix}={${BASH_REMATCH[3]#-}}" >> $GITHUB_OUTPUT
fi
if [ -n "${BASH_REMATCH[2]}" ]; then
echo "{build_semver}={${BASH_REMATCH[2]}}" >> $GITHUB_OUTPUT
fi
else
printf '::error ::Release Tag format is not SemVer, X.Y.Z-R, X.Y.Z-<prerelease>: "%s"\n' "$RELEASE_TAG"
exit 88
fi
- name: >
Query info for ${{ env.TARGET_REPO }}
release ${{ github.event.inputs.release_tag }} ${{ steps.validate-inputs.outputs.prebuild_suffix }}
build os ${{ github.event.inputs.build_container_os }}
(autocreate_release = '${{ github.event.inputs.autocreate_release }}')
id: release-api
env:
AUTOCREATE_RELEASE: ${{ github.event.inputs.autocreate_release }}
PREBUILD_TAG: ${{ steps.validate-inputs.outputs.prebuild_suffix }}
uses: actions/github-script@v6
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const [owner, repo] = process.env.TARGET_REPO.split('/')
const tag = process.env.RELEASE_TAG
const autocreate_release = (process.env.AUTOCREATE_RELEASE == 'yes')
const owner_data = { owner: owner, repo: repo }
const release_data = Object.assign( {tag: tag}, owner_data )
const prerelease = process.env.PREBUILD_TAG ? true : false
const create_release_data = Object.assign( {tag_name: tag, prerelease: prerelease}, owner_data )
const tag_data = Object.assign( {ref: `tags/${tag}`}, owner_data )
function id_from_release(data) {
console.log( ` >> Release for ${owner}/${repo}, tag ${tag}` )
console.log( ` >>>> release_id: ${data.id}` )
return data.id
}
function throw_error_unless_should_autocreate_release(err){
if (!( err.name == 'HttpError' && err.status == 404 && autocreate_release )){
core.error(`Error finding release for tag ${tag}: ${err.name}`)
throw err
}
}
async function autocreate_release_if_appropriate(err){
throw_error_unless_should_autocreate_release(err)
core.warning(`Can't find release for tag ${tag} and tag exists, auto-creating release`)
return await github.request( 'GET /repos/{owner}/{repo}/git/matching-refs/{ref}', tag_data ).then (
result => {
// Must already have a tag
if (result.data.length == 0) { throw `Can't find tag ${tag} in repo ${owner}/${repo}` }
return result
}
).then(
async result => {
return await github.request( 'POST /repos/{owner}/{repo}/releases', create_release_data).then(
result=>{
release_id = id_from_release(result.data)
console.log(` ++ created auto release ${release_id}` )
return release_id
},
post_err =>{
core.error('Error auto-creating release')
throw post_err
}
)
}
)
}
await github.request('GET /repos/{owner}/{repo}/releases/tags/{tag}', release_data ).then(
async result => { return await id_from_release(result.data) },
async err => { return await autocreate_release_if_appropriate(err) }
).then(
release_id => {
if (!release_id){
throw `Could not get release for ${tag} for repo ${owner}:${repo}`
}
console.log( ` **** release_id: ${release_id}` )
core.setOutput('id', release_id)
},
err => { throw err }
)
- name: Checkout code
uses: actions/checkout@v3
with:
repository: ${{ env.TARGET_REPO }}
ref: ${{ env.RELEASE_TAG }}
clean: true
fetch-depth: 0
- name: 'Customize RPM Release tag via build/rpm_metadata/release (pre-release only)'
if: steps.validate-inputs.outputs.prebuild_suffix
env:
BUILD_SEMVER: ${{ steps.validate-inputs.outputs.build_semver }}
PREBUILD_TAG: ${{ steps.validate-inputs.outputs.prebuild_suffix }}
PREBUILD_NUMBER: ${{ steps.validate-inputs.outputs.prebuild_number }}
# Note: To accomodate the capabilities of EL7's version of RPM, the
# release number is formatted according to the Fedora Packaging
# Guidelines' "Traditional versioning" conventions:
#
# - https://fedoraproject.org/en-US/packaging-guidelines/Versioning/
# - https://fedoraproject.org/wiki/Package_Versioning_Examples
#
run: |
mkdir -p build/rpm_metadata
# Special case for simp-doc's unique data format in /release
if [[ "$TARGET_REPO" =~ ^simp\/simp-doc$ ]]; then
echo "version: $BUILD_SEMVER" > build/rpm_metadata/release
echo "release: 0.${PREBUILD_NUMBER:-$GITHUB_RUN_NUMBER}.${PREBUILD_TAG}" >> build/rpm_metadata/release
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)"
else
echo "0.${PREBUILD_NUMBER:-$GITHUB_RUN_NUMBER}.${PREBUILD_TAG}" > build/rpm_metadata/release
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)"
fi
- name: 'Customize RPM Release tag via build/rpm_metadata/release (RPM rebuild)'
if: ${{ github.event.inputs.rebuild_number != '' }}
env:
BUILD_SEMVER: ${{ steps.validate-inputs.outputs.build_semver }}
REBUILD_NUMBER: ${{ github.event.inputs.rebuild_number }}
run: |
mkdir -p build/rpm_metadata
# simp-doc uses a unique data format in /release
if [[ "$TARGET_REPO" =~ ^simp\/simp-doc$ ]]; then
echo "version: $BUILD_SEMVER" > build/rpm_metadata/release
echo "release: $REBUILD_NUMBER" > build/rpm_metadata/release
else
echo "$REBUILD_NUMBER" > build/rpm_metadata/release
fi
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)"
- name: >
Build & Sign RPMs for
${{ github.event.inputs.release_tag }}
Release (${{ github.event.inputs.build_container_os }})
uses: simp/github-action-build-and-sign-pkg-single-rpm@v2
id: build-and-sign-rpm
with:
gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }}
gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }}
gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }}
simp_core_ref_for_building_rpms: ${{ secrets.SIMP_CORE_REF_FOR_BUILDING_RPMS }}
simp_builder_docker_image: 'docker.io/simpproject/simp_build_${{ github.event.inputs.build_container_os }}:latest'
path_to_build: "${{ (github.event.inputs.path_to_build != null && format('{0}/{1}', github.workspace, github.event.inputs.path_to_build)) || github.workspace }}"
verbose: 'no' #${{ github.event.inputs.verbose }}
- name: "Wipe all previous assets from GitHub Release (when clean == 'yes')"
if: ${{ github.event.inputs.clean == 'yes' && github.event.inputs.dry_run != 'yes' }}
uses: actions/github-script@v6
env:
release_id: ${{ steps.release-api.outputs.id }}
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const release_id = process.env.release_id
const [owner, repo] = process.env.TARGET_REPO.split('/')
const existingAssets = await github.rest.repos.listReleaseAssets({ owner, repo, release_id })
console.log( ` !! !! Wiping ALL uploaded assets for ${owner}/${repo} release (id: ${release_id})`)
existingAssets.data.forEach(async function(asset){
asset_id = asset.id
console.log( ` !! !! !! Wiping existing asset for ${asset.name} (id: ${asset_id})`)
await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id })
})
- name: "Upload RPM file(s) to GitHub Release (dry_run != 'yes')"
if: ${{ github.event.inputs.dry_run != 'yes' }}
uses: actions/github-script@v6
env:
rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }}
rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }}
release_id: ${{ steps.release-api.outputs.id }}
clobber: ${{ github.event.inputs.clobber }}
clean: ${{ github.event.inputs.clean }}
dry_run: ${{ github.event.inputs.dry_run }}
with:
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }}
script: |
const path = require('path')
const fs = require('fs')
async function clobberAsset (name, owner, repo, release_id ){
console.log( ` -- clobber asset ${name}: owner: ${owner} repo: ${repo} release_id: ${release_id}` )
const existingAssets = await github.rest.repos.listReleaseAssets({ owner, repo, release_id })
const matchingAssets = existingAssets.data.filter(item => item.name == name);
if ( matchingAssets.length > 0 ){
asset_id = matchingAssets[0].id
console.log( ` !! !! Clobbering existing asset for ${name} (id: ${asset_id})`)
await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id })
return(true)
}
return(false)
}
async function uploadAsset(owner, repo, release_id, file, assetContentType ){
console.log( `\n\n -- uploadAsset: owner: ${owner} repo: ${repo} release_id: ${release_id}, file: ${file}\n` )
const name = path.basename(file)
const data = fs.readFileSync(file)
const contentLength = fs.statSync(file).size
const headers = {
'content-type': assetContentType,
'content-length': contentLength
};
console.log( ` == Uploading asset ${name}: ${assetContentType}` )
const uploadAssetResponse = await github.rest.repos.uploadReleaseAsset({
owner, repo, release_id, data, name, headers,
})
return( uploadAssetResponse );
}
console.log('== start');
const release_id = process.env.release_id
const [owner, repo] = process.env.TARGET_REPO.split('/')
const clobber = process.env.clobber == 'yes';
const rpm_files = process.env.rpm_file_paths.split(/[\r\n]+/);
const rpm_gpg_file = process.env.rpm_gpg_file;
let uploaded_files = rpm_files.concat(rpm_gpg_file).map(function(file){
const name = path.basename(file)
var content_type = 'application/pgp-keys'
if( name.match(/\.rpm$/) ){
content_type = 'application/octet-stream'
}
let conditionalClobber = new Promise((resolve,reject) => {
if ( clobber ){
resolve(clobberAsset( name, owner, repo, release_id ))
return
}
resolve( false )
})
conditionalClobber.then((clobbered)=> {
uploadAsset(owner, repo, release_id, file, content_type )
}).then(result => result )
})
console.log('== done')