feat(distribution): provide rpm packages via rpm repository (#1012) #254
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # STACKIT CLI release workflow. | |
| name: Release | |
| # This GitHub action creates a release when a tag that matches one of the patterns below | |
| # E.g. v0.1.0, v0.1.0-something.1, etc | |
| on: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" | |
| - "v[0-9]+.[0-9]+.[0-9]+-*" | |
| workflow_dispatch: | |
| # Releases need permissions to read and write the repository contents. | |
| # GitHub considers creating releases and uploading assets as writing contents. | |
| permissions: | |
| contents: write | |
| jobs: | |
| goreleaser: | |
| name: Release | |
| runs-on: macOS-latest | |
| env: | |
| SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| with: | |
| # Allow goreleaser to access older tag information. | |
| fetch-depth: 0 | |
| - name: Install go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: "go.mod" | |
| cache: true | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| id: import_gpg | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| # nfpm-rpm signing needs gpg provided as filepath | |
| # https://goreleaser.com/customization/nfpm/ | |
| - name: Create GPG key file | |
| run: | | |
| KEY_PATH="$RUNNER_TEMP/gpg-private-key.asc" | |
| printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" > "$KEY_PATH" | |
| chmod 600 "$KEY_PATH" | |
| echo "GPG_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV" | |
| - name: Set up keychain | |
| run: | | |
| echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12 | |
| KEYCHAIN_PATH=$RUNNER_TEMP/ios_signing_temp.keychain-db | |
| security create-keychain -p "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH | |
| security default-keychain -s $KEYCHAIN_PATH | |
| security unlock-keychain -p "${{ secrets.TEMP_KEYCHAIN }}" $KEYCHAIN_PATH | |
| # the keychain gets locked automatically after 300s, so we have to extend this interval to e.g. 900 seconds | |
| security set-keychain-settings -lut 900 | |
| security import ./ApplicationID.p12 -P "${{ secrets.APPLICATION_ID }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
| security list-keychain -d user -s $KEYCHAIN_PATH | |
| echo -n $AUTHKEY_BASE64 | base64 -d -o ./AuthKey.p8 | |
| xcrun notarytool store-credentials stackit-cli -i $APPLE_ISSUER -d $APPLE_KEY_ID -k AuthKey.p8 --keychain $KEYCHAIN_PATH | |
| rm ./ApplicationID.p12 | |
| rm ./AuthKey.p8 | |
| env: | |
| APPLE_ISSUER: ${{ secrets.APPLE_ISSUER }} | |
| APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }} | |
| SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }} | |
| AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }} | |
| - name: Install Snapcraft | |
| uses: samuelmeuli/action-snapcraft@v3 | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} | |
| GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
| GPG_KEY_PATH: ${{ env.GPG_KEY_PATH }} | |
| # nfpm-rpm signing needs this env to be set. | |
| NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Clean up GPG key file | |
| if: always() | |
| run: | | |
| rm -f "$GPG_KEY_PATH" | |
| - name: Upload artifacts to workflow | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: goreleaser-dist-temp | |
| path: dist | |
| retention-days: 1 | |
| publish-apt: | |
| name: Publish APT | |
| runs-on: macOS-latest | |
| needs: [goreleaser] | |
| env: | |
| # Needed to publish new packages to our S3-hosted APT repo | |
| AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| # use the artifacts from the "goreleaser" job | |
| - name: Download artifacts from workflow | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: goreleaser-dist-temp | |
| path: dist | |
| - name: Install Aptly | |
| run: brew install aptly | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| id: import_gpg | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Publish packages to APT repo | |
| if: contains(github.ref_name, '-') == false | |
| env: | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
| run: ./scripts/publish-apt-packages.sh | |
| publish-rpm: | |
| name: Publish RPM | |
| runs-on: ubuntu-latest | |
| needs: [goreleaser] | |
| env: | |
| # Needed to publish new packages to our S3-hosted RPM repo | |
| AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: eu01 | |
| AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Download artifacts from workflow | |
| uses: actions/download-artifact@v5 | |
| with: | |
| name: goreleaser-dist-temp | |
| path: dist | |
| - name: Install RPM tools | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y createrepo-c | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@v6 | |
| id: import_gpg | |
| with: | |
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
| - name: Publish RPM packages | |
| if: contains(github.ref_name, '-') == false | |
| env: | |
| GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} | |
| GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
| run: ./scripts/publish-rpm-packages.sh |