diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a67b766f7..457da9cfa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,9 +8,6 @@ on: - "master" pull_request: workflow_call: - secrets: - GITLEAKS_LICENSE_KEY: - required: true concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -23,5 +20,4 @@ jobs: os-dependencies: "libpcsclite-dev" run-gitleaks: true run-codeql: true - secrets: - GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }} + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bd4347374..ffbd1c9c5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,25 +8,17 @@ on: jobs: ci: - uses: smallstep/certificates/.github/workflows/ci.yml@main + uses: smallstep/certificates/.github/workflows/ci.yml@master secrets: inherit create_release: name: Create Release - needs: ci + #needs: ci runs-on: ubuntu-20.04 outputs: - debversion: ${{ steps.extract-tag.outputs.DEB_VERSION }} is_prerelease: ${{ steps.is_prerelease.outputs.IS_PRERELEASE }} steps: - - - name: Extract Tag Names - id: extract-tag - run: | - DEB_VERSION=$(echo ${GITHUB_REF#refs/tags/v} | sed 's/-/./') - echo "::set-output name=DEB_VERSION::${DEB_VERSION}" - - - name: Is Pre-release + - name: Is Pre-release id: is_prerelease run: | set +e @@ -34,8 +26,7 @@ jobs: OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "::set-output name=IS_PRERELEASE::${IS_PRERELEASE}" - - - name: Create Release + - name: Create Release id: create_release uses: actions/create-release@v1 env: 
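Review bot: `secrets: inherit` in the second ci.yml hunk hands every secret the caller can see to the reused workflow, where the removed lines passed only `GITLEAKS_LICENSE_KEY`; that is a much wider grant than the one key the called workflow (its `uses:` line sits above the hunk) is known to need. The first hunk also drops the `secrets:` declaration under `workflow_call`, so the reusable workflow no longer states which secrets it expects. If nothing beyond the license key is needed, keep the explicit mapping, `secrets:` followed by `GITLEAKS_LICENSE_KEY: ${{ secrets.GITLEAKS_LICENSE_KEY }}`; if more are needed, list them under `workflow_call.secrets` so the contract stays visible.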
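Review bot: Commenting out `needs: ci` on `create_release` lets the release be created, and the `release` job that depends on it run GoReleaser, before the `ci` job (which runs gitleaks and CodeQL according to ci.yml) has passed or even started; only `build_upload_docker` still waits on `ci`. If this is a temporary measure, a comment saying so next to `#needs: ci` would help, otherwise restore `needs: ci`. The `uses:` line now references the reusable workflow at `@master`, a moving ref, so a release run picks up whatever is on that branch at the time rather than a fixed revision.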
@@ -51,54 +42,33 @@ jobs: runs-on: ubuntu-20.04 needs: create_release steps: - - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - - name: Set up Go - uses: actions/setup-go@v2 + - name: Checkout + uses: actions/checkout@v3 + - name: Set up Go + uses: actions/setup-go@v3 with: go-version: 1.19 - - - name: APT Install - id: aptInstall - run: sudo apt-get -y install build-essential debhelper fakeroot - - - name: Build Debian package - id: make_debian - run: | - PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin - make debian - # need to restore the git state otherwise goreleaser fails due to dirty state - git restore debian/changelog - git clean -fd - - - name: Install cosign - uses: sigstore/cosign-installer@v1.1.0 + check-latest: true + - name: Install cosign + uses: sigstore/cosign-installer@v2.7.0 with: - cosign-release: 'v1.1.0' - - - name: Write cosign key to disk + cosign-release: 'v1.12.1' + - name: Write cosign key to disk id: write_key run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" - - - name: Get Release Date + - name: Get Release Date id: release_date run: | RELEASE_DATE=$(date +"%y-%m-%d") echo "::set-output name=RELEASE_DATE::${RELEASE_DATE}" - - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@5a54d7e660bda43b405e8463261b3d25631ffe86 # v2.7.0 + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v3 with: - version: 'v1.7.0' + version: 'latest' args: release --rm-dist env: GITHUB_TOKEN: ${{ secrets.PAT }} COSIGN_PWD: ${{ secrets.COSIGN_PWD }} - DEB_VERSION: ${{ needs.create_release.outputs.debversion }} RELEASE_DATE: ${{ steps.release_date.outputs.RELEASE_DATE }} build_upload_docker: 
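Review bot: The `Run GoReleaser` step moves from a commit SHA pinned with a version comment to the mutable tag `goreleaser/goreleaser-action@v3` with `version: 'latest'`, so neither the action nor the GoReleaser binary it downloads is pinned any more, in the job that holds `secrets.PAT`, `COSIGN_KEY` and `COSIGN_PWD`. Pin the action to a SHA again, `uses: goreleaser/goreleaser-action@<sha> # vX.Y.Z`, and give `version:` a fixed release. The `Checkout` step also drops `fetch-depth: 0`; GoReleaser's changelog and tag lookups generally rely on full history and the action's documentation recommends the full fetch, so confirm a shallow clone is intended here.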
@@ -106,25 +76,21 @@ jobs: runs-on: ubuntu-20.04 needs: ci steps: - - - name: Checkout - uses: actions/checkout@v2 - - - name: Setup Go - uses: actions/setup-go@v2 + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Go + uses: actions/setup-go@v3 with: go-version: '1.19' - - - name: Install cosign + check-latest: true + - name: Install cosign uses: sigstore/cosign-installer@v1.1.0 with: cosign-release: 'v1.1.0' - - - name: Write cosign key to disk + - name: Write cosign key to disk id: write_key run: echo "${{ secrets.COSIGN_KEY }}" > "/tmp/cosign.key" - - - name: Build + - name: Build id: build run: | PATH=$PATH:/usr/local/go/bin:/home/admin/go/bin diff --git a/.goreleaser.yml b/.goreleaser.yml index 7d57e657c..56a2ed03b 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
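Review bot: `build_upload_docker` still installs cosign via `sigstore/cosign-installer@v1.1.0` with `cosign-release: 'v1.1.0'`, while the `release` job in the previous hunk moved to `@v2.7.0` and `'v1.12.1'`, so the workflow now runs two cosign versions and the container signatures come from the older one. If the upgrade was meant for both jobs, change the two lines here to `uses: sigstore/cosign-installer@v2.7.0` and `cosign-release: 'v1.12.1'`. Minor: `go-version` is quoted here (`'1.19'`) but appears unquoted in the `release` job; quoting both avoids a future `1.20` being parsed as the float `1.2`.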
@@ -14,61 +14,79 @@ builds: - CGO_ENABLED=0 targets: - darwin_amd64 - - darwin_arm64 - - freebsd_amd64 - - linux_386 - - linux_amd64 - - linux_arm64 - - linux_arm_5 - - linux_arm_6 - - linux_arm_7 - - windows_amd64 + #- darwin_arm64 + #- freebsd_amd64 + #- linux_386 + #- linux_amd64 + #- linux_arm64 + #- linux_arm_5 + #- linux_arm_6 + #- linux_arm_7 + #- windows_amd64 flags: - -trimpath main: ./cmd/step-ca/main.go binary: bin/step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + #- + # id: step-cloudkms-init + # env: + # - CGO_ENABLED=0 + # targets: + # - darwin_amd64 + # - darwin_arm64 + # - freebsd_amd64 + # - linux_386 + # - linux_amd64 + # - linux_arm64 + # - linux_arm_5 + # - linux_arm_6 + # - linux_arm_7 + # - windows_amd64 + # flags: + # - -trimpath + # main: ./cmd/step-cloudkms-init/main.go + # binary: bin/step-cloudkms-init + # ldflags: + # - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} + #- + # id: step-awskms-init + # env: + # - CGO_ENABLED=0 + # targets: + # - darwin_amd64 + # - darwin_arm64 + # - freebsd_amd64 + # - linux_386 + # - linux_amd64 + # - linux_arm64 + # - linux_arm_5 + # - linux_arm_6 + # - linux_arm_7 + # - windows_amd64 + # flags: + # - -trimpath + # main: ./cmd/step-awskms-init/main.go + # binary: bin/step-awskms-init + # ldflags: + # - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - - id: step-cloudkms-init + # This build is specifically for nFPM targets (.deb and .rpm files). 
+ # It's exactly the same as the default build above, except: + # - it only builds the archs we want to produce .deb and .rpm files for + # - the name of the output binary is step-cli + id: nfpm env: - CGO_ENABLED=0 - targets: - - darwin_amd64 - - darwin_arm64 - - freebsd_amd64 - - linux_386 - - linux_amd64 - - linux_arm64 - - linux_arm_5 - - linux_arm_6 - - linux_arm_7 - - windows_amd64 + goos: + - linux + goarch: + - amd64 flags: - -trimpath - main: ./cmd/step-cloudkms-init/main.go - binary: bin/step-cloudkms-init - ldflags: - - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} - - - id: step-awskms-init - env: - - CGO_ENABLED=0 - targets: - - darwin_amd64 - - darwin_arm64 - - freebsd_amd64 - - linux_386 - - linux_amd64 - - linux_arm64 - - linux_arm_5 - - linux_arm_6 - - linux_arm_7 - - windows_amd64 - flags: - - -trimpath - main: ./cmd/step-awskms-init/main.go - binary: bin/step-awskms-init + main: ./cmd/step-ca/main.go + binary: step-ca ldflags: - -w -X main.Version={{.Version}} -X main.BuildTime={{.Date}} 
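Review bot: The comment added above the `nfpm` build says the output binary is named `step-cli`, but the build sets `binary: step-ca`; change that line to `# - the name of the output binary is step-ca`. The same comment calls the build "exactly the same as the default build above", yet the default build now has every target except `darwin_amd64` commented out, and the `step-cloudkms-init` and `step-awskms-init` builds are commented out entirely, so a release from this config would ship only a darwin_amd64 archive plus the linux/amd64 packages. If the commented-out targets are a temporary measure for testing the packaging, a note saying so (or a follow-up to restore them before tagging) would avoid an accidental release with missing platforms.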
@@ -85,6 +103,41 @@ archives: files: - README.md - LICENSE + allow_different_binary_count: true + +nfpms: + # Configure nFPM for .deb and .rpm releases + # + # See https://nfpm.goreleaser.com/configuration/ + # and https://goreleaser.com/customization/nfpm/ + # + # Useful tools for debugging .debs: + # List file contents: dpkg -c dist/step_...deb + # Package metadata: dpkg --info dist/step_....deb + # + - + builds: + - nfpm + package_name: step-ca + file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" + vendor: Smallstep Labs + homepage: https://github.com/smallstep/certificates + maintainer: Smallstep + description: > + step-ca is an online certificate authority for secure, automated certificate management. + license: Apache 2.0 + section: utils + formats: + - deb + - rpm + priority: optional + bindir: /usr/bin + contents: + - src: debian/copyright + dst: /usr/share/doc/step-ca/copyright + scripts: + postinstall: scripts/postinstall.sh + postremove: scripts/postremove.sh source: enabled: true @@ -98,7 +151,7 @@ checksum: signs: - cmd: cosign stdin: '{{ .Env.COSIGN_PWD }}' - args: ["sign-blob", "-key=/tmp/cosign.key", "-output=${signature}", "${artifact}"] + args: ["sign-blob", "-key=/tmp/cosign.key", "-output-signature=${signature}", "${artifact}"] artifacts: all snapshot: diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh new file mode 100644 index 000000000..5e91950a1 --- /dev/null +++ b/scripts/postinstall.sh 
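Review bot: `maintainer: Smallstep` in the new `nfpms` entry has no email address; nfpm writes the value verbatim into the Debian control `Maintainer` field, which Debian policy expects in `Name <email>` form and lintian-style checks flag otherwise, so consider `maintainer: "Smallstep <MAINTAINER_EMAIL_PLACEHOLDER>"` with the project's real contact address. The `description: >` folded scalar keeps a trailing newline, and `>-` would match the single-line intent. The `scripts:` block wires the same `postinstall`/`postremove` scripts into both the `deb` and `rpm` formats, so those scripts need to handle both dpkg's string arguments and rpm's numeric ones; confirm that is the case before relying on them for rpm.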
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+updateAlternatives() {
+ update-alternatives --install /usr/bin/step-ca step-ca /usr/bin/step-ca 50
+}
+
+cleanInstall() {
+ updateAlternatives
+ updateCompletion
+}
+
+upgrade() {
+ updateAlternatives
+ updateCompletion
+}
+
+action="$1"
+if [ "$1" = "configure" ] && [ -z "$2" ]; then
+ action="install"
+elif [ "$1" = "configure" ] && [ -n "$2" ]; then
+ action="upgrade"
+fi
+
+case "$action" in
+ "1" | "install")
+ cleanInstall
+ ;;
+ "2" | "upgrade")
+ upgrade
+ ;;
+ *)
+ cleanInstall
+ ;;
+esac
diff --git a/scripts/postremove.sh b/scripts/postremove.sh
new file mode 100644
index 000000000..cefbee2e9
--- /dev/null
+++ b/scripts/postremove.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+removeAlternatives() {
+ update-alternatives --remove step /usr/bin/step-ca
+}
+
+upgrade() {
+ :
+}
+
+remove() {
+ removeAlternatives
+}
+
+action="$1"
+if [ "$1" = "remove" ]; then
+ action="remove"
+elif [ "$1" = "upgrade" ] && [ -n "$2" ]; then
+ action="upgrade"
+elif [ "$1" = "disappear" ]; then
+ action="remove"
+fi
+
+case "$action" in
+ "0" | "remove")
+ remove
+ ;;
+ "1" | "upgrade")
+ upgrade
+ ;;
+ *)
+ remove
+ ;;
+esac
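Review bot: `cleanInstall` and `upgrade` in postinstall.sh both call `updateCompletion`, which is not defined anywhere in the script, so under `/bin/sh` the call fails with "not found" (status 127); because it is the last command in every matched `case` branch, the script's own exit status is 127 and the package manager treats the post-install step as failed. Either define the function or drop the two calls until it exists. The `update-alternatives --install /usr/bin/step-ca step-ca /usr/bin/step-ca 50` line also uses the same path for the link and for the alternative it points to, while `.goreleaser.yml` installs the real binary under `bindir: /usr/bin`, so the link would have to replace the very file it targets; normally the binary lives at a different path and `/usr/bin/step-ca` is left to update-alternatives.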
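Review bot: `removeAlternatives` in postremove.sh runs `update-alternatives --remove step /usr/bin/step-ca`, but postinstall.sh registers the alternative under the name `step-ca`, so the removal targets a group that was never registered and the `step-ca` alternative stays behind after `remove` or `disappear`; change it to `update-alternatives --remove step-ca /usr/bin/step-ca`. The `upgrade` branch being a no-op (`:`) is consistent with the install side re-registering on upgrade, so that part looks fine.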