release.yml
name: release

# Release pipeline entry point: runs only when a tag is pushed.
# The tag filter uses GitHub's filter-pattern syntax and is meant to select
# semantic-version tags such as v1.2.3.
on:
  push:
    tags:
      - 'v[0-9]+\.[0-9]+\.[0-9]+'
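# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN keeps the
# repository's default scope. The jobs below authenticate with dedicated
# secrets, so a read-only default (`permissions: contents: read`) is worth
# evaluating; the local composite actions are not visible here, so confirm
# they do not rely on the default token before tightening it.
jobs:
  # Dispatches the gen-cli.yaml workflow in exoscale/community-ng, passing the
  # pushed tag name as its `version` input.
  community-docs:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.EXOSCALE_BUILD_GH_TOKEN }}
      # Handed over through the environment instead of being expanded into the
      # script text, so the shell always treats the ref name as data.
      RELEASE_VERSION: ${{ github.ref_name }}
    steps:
      - run: gh workflow run gen-cli.yaml -R exoscale/community-ng -f "version=${RELEASE_VERSION}"

  # Builds, signs and publishes the release, then exposes the version tag and
  # the linux_amd64 archive checksum to the AUR job.
  goreleaser:
    runs-on: ubuntu-latest
    outputs:
      version_tag: ${{ steps.get-version-tag.outputs.version_tag }}
      linux_amd64_checksum: ${{ steps.get-linux-amd64-checksum.outputs.linux_amd64_checksum }}
    steps:
      # NOTE(review): referenced by a mutable tag, unlike the SHA-pinned GPG
      # import below; consider pinning to a reviewed commit SHA as well, since
      # later steps in this job receive signing and publishing secrets.
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: ./.github/actions/build
      - name: Import GPG key
        # This is a third-party GitHub action and we trust it with our GPG key.
        # To be on the safer side, we should always pin to the commit SHA.
        # It's not a perfect mitigation, but we should always do some due diligence before upgrading.
        # The author seems trustworthy, as the author is part of the docker and goreleaser organizations on GitHub.
        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - uses: ./go.mk/.github/actions/release
        with:
          release_github_token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
          registry_username: ${{ secrets.DOCKERHUB_USERNAME }}
          registry_password: ${{ secrets.DOCKERHUB_TOKEN }}
          exoscale_api_key: ${{ secrets.SOS_PKG_BUCKET_KEY }}
          exoscale_api_secret: ${{ secrets.SOS_PKG_BUCKET_SECRET }}
      - run: echo "version_tag=$(make get-version-tag)" >> "$GITHUB_OUTPUT"
        id: get-version-tag
        shell: bash
      - run: |
          # The first 64 characters of the matching checksums line are the
          # SHA-256 digest. `|| true` keeps a missing match from aborting here
          # so that the explicit validation below reports the problem.
          checksum="$(grep -h -P 'exoscale-cli_[0-9]+\.[0-9]+\.[0-9]+_linux_amd64\.tar\.gz' dist/exoscale-cli_*_checksums.txt | head -n 1 | cut -c1-64 || true)"
          # Stop the release instead of handing an empty or malformed digest
          # to the AUR job, which writes it into a published PKGBUILD.
          if [[ ! "$checksum" =~ ^[0-9a-fA-F]{64}$ ]]; then
            echo "could not extract a SHA-256 checksum for the linux_amd64 archive" >&2
            exit 1
          fi
          echo "linux_amd64_checksum=${checksum}" >> "$GITHUB_OUTPUT"
        id: get-linux-amd64-checksum
        shell: bash

  # Updates each AUR package (one matrix entry per package) to the released
  # version and pushes the result to aur.archlinux.org over SSH.
  archrelease:
    needs: goreleaser
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        aurpkg:
          - exoscale-cli
          - exoscale-cli-bin
          - exoscale-cli-git
    container:
      # NOTE(review): the image is not pinned, so every run uses whatever
      # `archlinux` currently resolves to; consider pinning it by digest.
      image: archlinux
    steps:
      - name: create build user
        # The release script below runs as this user via `sudo -u runner`.
        # NOTE(review): the user is added to the `root` group; confirm that
        # membership is actually required.
        run: |
          useradd -G root runner
          mkdir /home/runner/
          chown -R runner /home/runner
        shell: bash
      - name: install tools
        run: pacman --noconfirm -Sy base-devel git openssh glibc go
        shell: bash
      - name: release
        env:
          # Secrets and upstream job outputs reach the script as environment
          # variables rather than through `${{ }}` expansion inside `run:`.
          # Expansion would paste the values into the generated script file,
          # where quotes, `$` or backticks in them would be parsed as shell.
          AUR_SSH_PRIVATE_KEY: ${{ secrets.AUR_SSH_PRIVATE_KEY }}
          AURPKG: ${{ matrix.aurpkg }}
          VERSION_TAG: ${{ needs.goreleaser.outputs.version_tag }}
          LINUX_AMD64_CHECKSUM: ${{ needs.goreleaser.outputs.linux_amd64_checksum }}
        run: |
          cd /home/runner/
          sudo -u runner mkdir -p /home/runner/.ssh
          # The key is streamed over stdin (never a command-line argument) and
          # the file is created owner-only from the start via umask 077.
          printf '%s\n' "$AUR_SSH_PRIVATE_KEY" | sudo -u runner sh -c 'umask 077 && cat > /home/runner/.ssh/github_actions'
          cat << 'EOF' > release.bash
          #!/usr/bin/env bash
          set -e
          set -o pipefail
          aurpkg=$1
          version_tag=$2
          checksum=$3
          export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/home/runner/.ssh/known_hosts"
          # NOTE(review): the host key is fetched from the network at run time,
          # i.e. trusted on first use. Shipping a pinned known_hosts entry for
          # aur.archlinux.org would let ssh detect an impostor host.
          ssh-keyscan aur.archlinux.org >>/home/runner/.ssh/known_hosts
          chmod 600 /home/runner/.ssh/github_actions
          eval "$(ssh-agent)"
          ssh-add /home/runner/.ssh/github_actions
          # AUR serves package repositories over SSH as user "aur".
          git clone "aur@aur.archlinux.org:$aurpkg.git"
          cd "/home/runner/$aurpkg"
          sed -i "/^pkgver=/s/.*/pkgver=$version_tag/" PKGBUILD
          # Only the -bin package gets the release archive's checksum written in.
          if [ "$aurpkg" = "exoscale-cli-bin" ]; then
            sed -i "/^sha256sums=/s/.*/sha256sums=\('$checksum'/" PKGBUILD
          fi
          # NOTE(review): --skippgpcheck disables PGP signature verification of
          # the sources, leaving the PKGBUILD checksums as the integrity check.
          makepkg --skippgpcheck
          makepkg --printsrcinfo >.SRCINFO
          git add PKGBUILD .SRCINFO
          # NOTE(review): the e-mail address below is redacted in this rendering
          # of the file; use the repository's actual value.
          git config --global user.email "[email protected]"
          git config --global user.name "Exoscale"
          git commit -m "release $version_tag"
          git push
          EOF
          chown runner release.bash
          sudo -u runner chmod +x release.bash
          sudo -u runner ./release.bash \
            "$AURPKG" \
            "$VERSION_TAG" \
            "$LINUX_AMD64_CHECKSUM"
        shell: bash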