-
Notifications
You must be signed in to change notification settings - Fork 0
106 lines (91 loc) · 4.12 KB
/
Copy pathrelease.yml
File metadata and controls
106 lines (91 loc) · 4.12 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
name: Release
# Tag-triggered. The signing key + S3 creds are only exposed here (tags on the
# base repo), never on PRs from forks.
on:
push:
tags: ["v*"]
permissions:
contents: write # create the GitHub Release + upload assets
# The apt repo is stateful (index rebuilt from the full pool); never publish two
# releases concurrently.
concurrency:
group: apt-publish
cancel-in-progress: false
jobs:
release:
runs-on: ubuntu-latest
# Gate secrets behind a protected Environment (add required reviewers in repo settings).
environment: release
env:
APT_S3_ENDPOINT: ${{ vars.APT_S3_ENDPOINT }}
APT_S3_REGION: ${{ vars.APT_S3_REGION }}
APT_S3_BUCKET: ${{ vars.APT_S3_BUCKET }}
APT_S3_PREFIX: ${{ vars.APT_S3_PREFIX }}
AWS_ACCESS_KEY_ID: ${{ secrets.APT_S3_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.APT_S3_SECRET_KEY }}
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0 # full history + tags for versioning
- uses: actions/setup-go@v6
with:
go-version: "1.24"
- name: Install apt-ftparchive
run: sudo apt-get update && sudo apt-get install -y apt-utils
- name: Import GPG signing key
id: gpg
uses: crazy-max/ghaction-import-gpg@v7
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
- name: Extract release notes from CHANGELOG.md
run: ./scripts/changelog-extract.sh "${GITHUB_REF_NAME}" | tee /tmp/notes.md
- name: Build, package .deb, and cut the GitHub Release
uses: goreleaser/goreleaser-action@v7
with:
version: "~> v2"
args: release --clean --release-notes=/tmp/notes.md
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# GoReleaser's --release-notes did not reliably populate the release body (v2.0.0-rc1
# shipped empty), so set it explicitly from the extracted CHANGELOG section. gh is
# preinstalled on ubuntu-latest and GITHUB_TOKEN has contents:write.
- name: Set GitHub Release notes from CHANGELOG
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release edit "${GITHUB_REF_NAME}" --repo "${{ github.repository }}" --notes-file /tmp/notes.md
# A semver prerelease tag (e.g. v2.0.0-rc1) MUST become a deb version with '~'
# (2.0.0~rc1) so it sorts BELOW the final 2.0.0. A '2.0.0-rc1' deb sorts ABOVE
# 2.0.0 (deb revision ordering), so the final would never supersede the rc.
# nfpm's default semver schema does this; this step fails loudly if it ever stops.
- name: Guard — prerelease debs must use '~'
run: |
if [[ "${GITHUB_REF_NAME}" == *-* ]]; then
for deb in dist/*.deb; do
ver="$(dpkg-deb -f "$deb" Version)"
echo "$deb -> $ver"
case "$ver" in
*'~'*) ;;
*) echo "::error::prerelease tag ${GITHUB_REF_NAME} produced deb version '$ver' without '~' (would sort above the final release)"; exit 1 ;;
esac
done
fi
# --- shared apt repo: Approach A (append-only pool + index rebuilt from the full pool) ---
# cs-agent is the SOLE publisher of the shared index today, so this is race-free. When a
# 2nd package's CI ships, move index rebuild+sign into a single index-builder (see
# packaging/README.md "Scaling to multiple packages"); reconcile-apt-repo.yml already
# rebuilds the shared index from the pool on a timer, on this same concurrency group.
- name: Pull existing pool from S3
run: |
mkdir -p aptrepo
go run ./cmd/apt-publish pull aptrepo
- name: Add new .debs to the pool
run: |
mkdir -p aptrepo/pool/main/c/cs-agent
cp dist/*.deb aptrepo/pool/main/c/cs-agent/
- name: Rebuild + sign the apt index
env:
APT_GPG_KEY_ID: ${{ steps.gpg.outputs.fingerprint }}
run: ./scripts/build-apt-repo.sh aptrepo
- name: Publish apt repo to S3 (Release files last)
run: go run ./cmd/apt-publish push aptrepo