Fix: signature of tar balls
Uses the `sign-release-files` action instead of using curl manually.

This allows us easier maintenance as we can get support from a dedicated
team.

Besides that the version calculation is separated into an own job by
using the output functionality. This allows us to reuse that calculation
later.
nichtsfrei committed May 20, 2023
1 parent 631b66f commit 456f512
Showing 1 changed file with 78 additions and 40 deletions.
118 changes: 78 additions & 40 deletions .github/workflows/release.yml
Expand Up @@ -34,8 +34,8 @@ on:
# Once the version is found and enhanced, each CMakeLists file is updated to the new
# version, and a commit is created in the found branch.
jobs:
release:
name: release
calculate_version:
runs-on: "ubuntu-latest"
if: |
${{
(github.event_name == 'workflow_dispatch') ||
Expand All @@ -45,11 +45,15 @@ jobs:
contains(github.event.pull_request.labels.*.name, 'major_release') ||
contains(github.event.pull_request.labels.*.name, 'minor_release') ||
contains(github.event.pull_request.labels.*.name, 'patch_release')
)
)
}}
runs-on: "ubuntu-latest"
outputs:
new_version: ${{ steps.version.outputs.new_version }}
latest_version: ${{ steps.version.outputs.latest_version }}
release_kind: ${{ steps.version.outputs.release_kind }}
release_ref: ${{ steps.version.outputs.release_ref }}
project: ${{ steps.version.outputs.project}}
steps:
- uses: actions/checkout@v3
with:
Expand Down Expand Up @@ -103,6 +107,31 @@ jobs:
echo "NEW_VERSION=$(sh .github/enhance_version.sh ${{ env.LATEST_VERSION }} ${{ env.RELEASE_KIND }})" >> $GITHUB_ENV
- name: NEW_VERSION != NULL
run: ([ -n "${{ env.NEW_VERSION }}" ])
- name: set output
id: version
run: |
echo "latest_version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
echo "release_kind=$RELEASE_KIND" >> "$GITHUB_OUTPUT"
echo "release_ref=$RELEASE_REF" >> "$GITHUB_OUTPUT"
echo "project=$(echo "${{ github.repository }}" | sed 's/.*\///' )" >> "$GITHUB_OUTPUT"
release:
name: release
needs: calculate_version
runs-on: "ubuntu-latest"
env:
RELEASE_KIND: ${{needs.calculate_version.outputs.release_kind}}
RELEASE_REF: ${{needs.calculate_version.outputs.release_ref}}
LATEST_VERSION: ${{needs.calculate_version.outputs.latest_version}}
NEW_VERSION: ${{needs.calculate_version.outputs.new_version}}
PROJECT: ${{needs.calculate_version.outputs.project}}
steps:
- uses: actions/checkout@v3
with:
token: ${{ secrets.GREENBONE_BOT_TOKEN }}
fetch-depth: '0'
- name: set git credentials
run: |
git config --global user.email "${{ secrets.GREENBONE_BOT_MAIL }}"
Expand All @@ -122,7 +151,8 @@ jobs:
git checkout "${{ env.RELEASE_REF }}"
# change version
python3 -m pip install pontos
pontos-version update ${{ env.NEW_VERSION }}
# ignore failure on setting version
pontos-version update ${{ env.NEW_VERSION }} || true
# as soon as pontos-version release is available and it supports cargo do
# cd rust
# pontos-version update ${{ env.NEW_VERSION }}
Expand All @@ -135,33 +165,34 @@ jobs:
git push origin ${{ env.RELEASE_REF }}
fi
- uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
rust/target/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
- run: rustup update stable && rustup default stable
- run: cargo install cross
- run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu
working-directory: rust
- run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu
working-directory: rust
- name: "patch for debian stable"
working-directory: rust
run: |
find . -type f -name "nasl-cli"
patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/nasl-cli
- run: mkdir assets/
- run: mv rust/target/aarch64-unknown-linux-gnu/release/nasl-cli assets/nasl-cli-aarch64-unknown-linux-gnu
- run: mv rust/target/x86_64-unknown-linux-gnu/release/nasl-cli assets/nasl-cli-x86_64-unknown-linux-gnu
- name: release ${{ env.LATEST_VERSION }} -> ${{ env.NEW_VERSION }}
# - uses: actions/cache@v3
# with:
# path: |
# ~/.cargo/bin/
# ~/.cargo/registry/index/
# ~/.cargo/registry/cache/
# ~/.cargo/git/db/
# rust/target/
# key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
# - run: rustup update stable && rustup default stable
# # ignore failing install, it may already be installed
# - run: cargo install cross || true
# - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu
# working-directory: rust
# - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu
# working-directory: rust
# - name: "patch for debian stable"
# working-directory: rust
# run: |
# find . -type f -name "nasl-cli"
# patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/nasl-cli
# - run: mkdir assets/
# - run: mv rust/target/aarch64-unknown-linux-gnu/release/nasl-cli assets/nasl-cli-aarch64-unknown-linux-gnu
# - run: mv rust/target/x86_64-unknown-linux-gnu/release/nasl-cli assets/nasl-cli-x86_64-unknown-linux-gnu
#
- uses: greenbone/actions/setup-pontos@v2
- name: release ${{ env.PROJECT }} ${{ env.LATEST_VERSION }} -> ${{ env.NEW_VERSION }}
run: |
python3 -m pip install pontos
export PROJECT=$(echo "${{ github.repository }}" | sed 's/.*\///' )
pontos-changelog \
--current-version ${{ env.LATEST_VERSION }} \
--next-version ${{ env.NEW_VERSION }} \
Expand All @@ -178,12 +209,19 @@ jobs:
export nrn="v${{ env.NEW_VERSION }}"
export filename="$PROJECT-$nrn"
gh release create "$nrn" -F /tmp/changelog.md
mkdir -p assets
ls -las assets/
curl -Lo assets/$filename.zip https://github.com/${{ github.repository }}/openvas-scanner/archive/refs/tags/$nrn.zip
curl -Lo assets/$filename.tar.gz https://github.com/${{ github.repository }}/openvas-scanner/archive/refs/tags/$nrn.tar.gz
echo -e "${{ secrets.GPG_KEY }}" > private.pgp
echo ${{ secrets.GPG_PASSPHRASE }} | bash .github/sign-assets.sh private.pgp
rm assets/$filename.zip
rm assets/$filename.tar.gz
gh release upload $nrn assets/*
#ls -las assets/
#gh release upload $nrn assets/*
- name: Import gpg key from secrets
run: |
echo -e "${{ inputs.gpg-key }}" >> tmp.file
gpg --pinentry-mode loopback --passphrase ${{ inputs.gpg-passphrase }} --import tmp.file
rm tmp.file
shell: bash
- name: "sign ${{ env.PROJECT }}"
run: |
pontos-release sign \
--signing-key ${{ secrets.GPG_FINGERPRINT }} \
--passphrase ${{ secrets.GPG_PASSPHRASE }} \
--versioning-scheme semver \
--release-version $NEW_VERSION \
--project $PROJECT
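Review bot: The new `Import gpg key from secrets` step reads `${{ inputs.gpg-key }}` and `${{ inputs.gpg-passphrase }}`, which look copied from a composite action; the removed lines used `secrets.GPG_KEY`, and unless the `on:` block (outside the visible hunks) declares such inputs they expand to empty strings, so no key is in the keyring when `pontos-release sign` runs. Even if they were declared, workflow inputs are not masked in logs the way secrets are, so key material should not travel through them. Both new steps also paste secret values into the script text with `${{ … }}` and leave them unquoted, so a passphrase containing shell metacharacters is re-parsed by bash, and the key is appended to `tmp.file` in the workspace, where it likely stays if `gpg` fails before `rm`. I would bind the secrets through `env:`, reference them as quoted shell variables, and pipe the key to `gpg` rather than writing it to disk, as sketched below.

```yaml
- name: Import gpg key from secrets
  env:
    GPG_KEY: ${{ secrets.GPG_KEY }}
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
  run: |
    # key arrives on stdin, passphrase on fd 3; nothing is written to the workspace
    echo -e "$GPG_KEY" | gpg --batch --pinentry-mode loopback --passphrase-fd 3 --import 3<<<"$GPG_PASSPHRASE"
  shell: bash
- name: "sign ${{ env.PROJECT }}"
  env:
    GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
    GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
  run: |
    pontos-release sign \
      --signing-key "$GPG_FINGERPRINT" \
      --passphrase "$GPG_PASSPHRASE" \
      --versioning-scheme semver \
      --release-version "$NEW_VERSION" \
      --project "$PROJECT"
```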
