fix(workflows): example workflow has race condition and needs new deps for build (#83)

* fix(workflows): remove gcc installation from Makefile
* chore(workflows): update build tools for building test app
* fix: buildx leaves a metadata file that can't be downloaded.

Author: arrowplum

.github/workflows/example_reusable-integration.yaml

@@ -211,7 +211,7 @@ jobs:
       dry-run: false
   build-docker-deploy:
     uses: aerospike/shared-workflows/.github/workflows/[email protected]
-    needs: extract-version
+    needs: [extract-version, package-built-artifacts] #don't really need package-built-artifacts but we need that to finish first.
     with:
       jf-project: test
       image-name: test-image
@@ -335,7 +335,7 @@ jobs:
           echo "the test binary says:"
           hi
   create-release-bundle:
-    needs: [use-artifacts, extract-version, deploy-artifacts]
+    needs: [use-artifacts, use-rpm-artifacts, extract-version, deploy-artifacts]
     uses: aerospike/shared-workflows/.github/workflows/[email protected]
     if: github.event_name == 'workflow_dispatch'
     with:

.github/workflows/execute-build/test_apps/hi/Makefile

@@ -93,7 +93,16 @@ else
 	docker run --rm -v $(PWD):/workspace -w /workspace \
 		-e ARCH=$(ARCH) -e EMULATED=$(EMULATED) \
 		$(DOCKER_IMAGE) \
-		bash -c 'yum install -y --allowerasing gcc make && \
+		bash -c 'set -e; \
+		if command -v dnf >/dev/null 2>&1; then \
+		  dnf -y clean all && dnf -y distro-sync --refresh || dnf -y upgrade --refresh; \
+		  dnf -y makecache; \
+		  dnf -y install --allowerasing --setopt=install_weak_deps=False gcc glibc-devel make; \
+		else \
+		  yum -y clean all && yum -y update; \
+		  yum -y makecache; \
+		  yum -y install --allowerasing gcc glibc-devel make; \
+		fi; \
 		CC=${CC} && \
 		echo "Using CC: $$CC" && \
 		echo "ARCH: $$ARCH, EMULATED: $$EMULATED" && \

.github/workflows/reusable_sign-artifacts.yaml

@@ -34,6 +34,11 @@ on:
         required: false
         type: string
         default: ubuntu-22.04
+      nuget-environment:
+        description: The environment to use for the NuGet packages
+        required: false
+        type: string
+        default: PROD
 
     secrets:
       gpg-private-key:
@@ -42,6 +47,15 @@ on:
         required: true
       gpg-key-pass:
         required: true
+      es-username:
+        required: false
+      es-password:
+        required: false
+      credential_id:
+        required: false
+      es-totp_secret:
+        required: false
+
     outputs:
       gh-artifact-name:
         description: The name of the uploaded signed artifacts on github
@@ -63,7 +77,13 @@ jobs:
           name: ${{ inputs.gh-unsigned-artifacts }}
           path: unsigned-artifacts
           merge-multiple: true
-
+      - name: Get nuget packages
+        id: nuget-packages
+        run: |
+          mkdir -p unsigned-nuget-packages
+          find unsigned-artifacts -name "*.nupkg" -exec mv {} unsigned-nuget-packages/ \;
+          echo "unsigned-nuget-packages=$(ls unsigned-nuget-packages/)" >> $GITHUB_OUTPUT
+          echo "count=$(ls unsigned-nuget-packages/ | wc -l)" >> $GITHUB_OUTPUT
       - name: Checkout shared-workflows repository
         uses: actions/checkout@v5
         with:
@@ -78,6 +98,29 @@ jobs:
           gpg-private-key: ${{ secrets.gpg-private-key }}
           gpg-public-key: ${{ secrets.gpg-public-key }}
           gpg-key-pass: ${{ secrets.gpg-key-pass }}
+      - name: Validate nuget secrets present
+        if: steps.nuget-packages.outputs.count > 0
+        run: |
+          if [ -z "${{ secrets.es-username }}" ] || [ -z "${{ secrets.es-password }}" ] || [ -z "${{ secrets.credential_id }}" ] || [ -z "${{ secrets.es-totp_secret }}" ]; then
+            echo "missing required secrets for NuGet signing"
+            exit 1
+          fi
+      - name: Sign NuGet Packages with SSL.com
+        uses: sslcom/esigner-codesign@a272724cb13abe0abc579c6c40f7899969b6942b # v1.3.1
+        if: steps.nuget-packages.outputs.count > 0
+        with:
+          command: batch_sign
+          username: ${{ secrets.es-username }}
+          password: ${{ secrets.es-password }}
+          credential_id: ${{ secrets.credential_id }}
+          totp_secret: ${{ secrets.es-totp_secret }}
+          dir_path: unsigned-nuget-packages
+          output_path: ${{ inputs.gh-artifact-name }}/nuget
+          # malware_block: true
+          environment_name: ${{ inputs.nuget-environment }}
+          clean_logs: true
+          signing_method: v1
+
       - name: Install dpkg-sig
         run: |
           sudo apt-get update && sudo apt-get install dpkg-sig dpkg-dev -y