Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Switch from repo secrets to vars [v8] #2841

Merged
merged 3 commits into from
May 8, 2024
Merged

Switch from repo secrets to vars [v8] #2841

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3eff1e0
Switch from repo secrets to vars
a-b Apr 4, 2024
029862e
Converted more repo secrets to variables
a-b Apr 4, 2024
98e26b5
Merge branch 'v8' into gha-switch-to-vars-v8
a-b May 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 17 additions & 50 deletions .github/workflows/release-build-sign-upload.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,45 +44,17 @@ permissions:
contents: read

defaults:
# top-level defaults subkeys apply to jobs
# run subkeys apply to all steps within all jobs
run:
shell: bash

jobs:

# test:
# environment: DEV
# runs-on: ubuntu-latest
# steps:
# - name: Setup upterm session
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# AWS_REGION: ${{ secrets.AWS_REGION }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# GIT_RELEASE_TARGET_REPO: ${{ secrets.GIT_RELEASE_TARGET_REPO }}
# GIT_REPO_ACCESS_TOKEN: ${{ secrets.GIT_REPO_ACCESS_TOKEN }}
# SIGNING_KEY_GPG: ${{ secrets.SIGNING_KEY_GPG }}
# SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
# SIGNING_KEY_GPG_PASSPHRASE: ${{ secrets.SIGNING_KEY_GPG_PASSPHRASE }}
# SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
# SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
# SIGNING_KEY_MAC_PFX: ${{ secrets.SIGNING_KEY_MAC_PFX }}
# SIGNING_KEY_WINDOWS_ID: ${{ secrets.SIGNING_KEY_WINDOWS_ID }}
# SIGNING_KEY_WINDOWS_PASSPHRASE: ${{ secrets.SIGNING_KEY_WINDOWS_PASSPHRASE }}
# SIGNING_KEY_WINDOWS_PFX: ${{ secrets.SIGNING_KEY_WINDOWS_PFX }}
# SIGNING_TEST_CA_MAC: ${{ secrets.SIGNING_TEST_CA_MAC }}
# if: always()
# uses: lhotari/action-upterm@v1
# timeout-minutes: 60

setup:
name: Setup
# needs: test
runs-on: ubuntu-latest

outputs:
aws-s3-bucket: "v${{ steps.parse-semver.outputs.version-major }}-cf-cli-releases"
aws-s3-bucket: "v${{ steps.parse-semver.outputs.version-major }}-cf-cli-releases"

version-build: ${{ steps.parse-semver.outputs.version-build }}
version-major: ${{ steps.parse-semver.outputs.version-major }}
Expand Down Expand Up @@ -179,7 +151,7 @@ jobs:

- name: Build RedHat Packages
env:
SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
run: |
set -ex
set -o pipefail
Expand Down Expand Up @@ -248,7 +220,7 @@ jobs:

- name: Sign RedHat Packages
env:
SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
SIGNING_KEY_GPG_PASSPHRASE: ${{ secrets.SIGNING_KEY_GPG_PASSPHRASE }}
run: |
set -ex
Expand Down Expand Up @@ -544,8 +516,7 @@ jobs:

- name: Load macos key
env:
# SIGNING_TEST_CA_MAC: ${{ secrets.SIGNING_TEST_CA_MAC }}
SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
SIGNING_KEY_MAC_ID: ${{ vars.SIGNING_KEY_MAC_ID }}
SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
SIGNING_KEY_MAC_PFX: ${{ secrets.SIGNING_KEY_MAC_PFX }}

Expand Down Expand Up @@ -583,7 +554,7 @@ jobs:
- name: Sign macOS
env:
VERSION_MAJOR: ${{ needs.setup.outputs.version-major }}
SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
SIGNING_KEY_MAC_ID: ${{ vars.SIGNING_KEY_MAC_ID }}
SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
run: |

Expand Down Expand Up @@ -694,8 +665,8 @@ jobs:
- name: Sign Windows binaries
run: |
smctl healthcheck --all
smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_win32.exe
smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_winx64.exe
smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_win32.exe
smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_winx64.exe

- name: View binary signatures
run: |
Expand Down Expand Up @@ -726,8 +697,8 @@ jobs:

- name: Sign Windows installers
run: |
smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\win32\cf${env:VERSION_MAJOR}_installer.exe"
smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\winx64\cf${env:VERSION_MAJOR}_installer.exe"
smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\win32\cf${env:VERSION_MAJOR}_installer.exe"
smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\winx64\cf${env:VERSION_MAJOR}_installer.exe"

- name: View installer signature
run: |
Expand Down Expand Up @@ -781,8 +752,8 @@ jobs:
actions: read
contents: read
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_REGION: ${{ secrets.AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
AWS_REGION: ${{ vars.AWS_REGION }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_S3_BUCKET: ${{ needs.setup.outputs.aws-s3-bucket }}
VERSION_BUILD: ${{ needs.setup.outputs.version-build }}
Expand Down Expand Up @@ -880,17 +851,13 @@ jobs:

- name: Setup aws to upload installers to CLAW S3 bucket
uses: aws-actions/configure-aws-credentials@v4
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: ${{ env.AWS_S3_ROLE_ARN }}
aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ vars.AWS_S3_ROLE_ARN }}
role-skip-session-tagging: true
role-duration-seconds: 1200
role-duration-seconds: 1200

- name: Upload installers to CLAW S3 bucket
run: aws s3 sync upload "s3://v${VERSION_MAJOR}-cf-cli-releases/releases/v${VERSION_BUILD}/"
Expand Down Expand Up @@ -928,7 +895,7 @@ jobs:
draft: true
name: "DRAFT v${{ env.VERSION_BUILD }}"
# tag_name: "v${{ env.VERSION_BUILD }}"
repository: ${{ secrets.GIT_RELEASE_TARGET_REPO }} # repo to draft a release under, in <user>/<repo> format
repository: ${{ vars.GIT_RELEASE_TARGET_REPO }} # repo to draft a release under, in <user>/<repo> format
token: ${{ secrets.GIT_REPO_ACCESS_TOKEN }} # only needed when pushing to a repo other than 'self'
fail_on_unmatched_files: true

Expand Down
28 changes: 12 additions & 16 deletions .github/workflows/release-update-repos.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -291,13 +291,13 @@ jobs:

- name: Update Debian Repository
env:
DEBIAN_FRONTEND: noninteractive
SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_BUCKET_NAME: cf-cli-debian-repo
AWS_DEFAULT_REGION: us-west-2
DEBIAN_FRONTEND: noninteractive
SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
AWS_BUCKET_NAME: cf-cli-debian-repo
AWS_DEFAULT_REGION: us-west-2
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
AWS_S3_ROLE_ARN: ${{ vars.AWS_S3_ROLE_ARN }}
run: |
export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_S3_ROLE_ARN} --role-session-name foobar --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]"))
deb-s3 upload installers/*.deb \
Expand Down Expand Up @@ -360,7 +360,7 @@ jobs:
# TODO: fix backup
# - name: Download current RPM repodata
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
# AWS_DEFAULT_REGION: us-east-1
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# uses: docker://amazon/aws-cli:latest
Expand Down Expand Up @@ -394,17 +394,13 @@ jobs:

- name: Setup aws to upload installers to CLAW S3 bucket
uses: aws-actions/configure-aws-credentials@v4
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-1
role-to-assume: ${{ env.AWS_S3_ROLE_ARN }}
aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ vars.AWS_S3_ROLE_ARN }}
role-skip-session-tagging: true
role-duration-seconds: 1200
role-duration-seconds: 1200

- name: Download V8 RPMs
run: aws s3 sync --exclude "*" --include "releases/*/*installer*.rpm" s3://v8-cf-cli-releases .
Expand Down
Loading