build(deps): bump golang.org/x/crypto from 0.7.0 to 0.17.0 #149
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build release | |
concurrency: repo-state-aptly | |
on: | |
push: | |
tags: | |
- v* | |
pull_request: {} | |
jobs: | |
preflight: | |
timeout-minutes: 5 | |
runs-on: ubuntu-22.04 | |
outputs: | |
doit: ${{ steps.git-diff.outputs.diff != '' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) }} | |
really: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }} | |
steps: | |
- uses: actions/checkout@v3 | |
if: ${{ github.event_name != 'push' && !startsWith(github.ref, 'refs/tags/v') }} | |
- uses: technote-space/get-diff-action@v5 | |
if: ${{ github.event_name != 'push' && !startsWith(github.ref, 'refs/tags/v') }} | |
id: git-diff | |
with: | |
PATTERNS: | | |
.github/workflows/build-release.yml | |
- run: | | |
echo "${{ steps.git-diff.outputs.diff }}" | |
echo "${{ steps.git-diff.outputs.diff == '' }}" | |
echo "${{ github.event_name == 'push' }}" | |
echo "${{ startsWith(github.ref, 'refs/tags/v') }}" | |
echo "${{ github.ref }}" | |
echo "${{ github.event_name }}" | |
echo "${{ steps.git-diff.outputs.diff != '' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) }}" | |
agent: | |
timeout-minutes: 20 | |
needs: | |
- preflight | |
runs-on: ubuntu-22.04 | |
defaults: | |
run: | |
working-directory: ./ | |
steps: | |
########### | |
########### PREREQUISITES | |
########### | |
- uses: actions/checkout@v3 | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
with: | |
fetch-depth: 0 | |
lfs: true | |
- name: Install programs | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y s3fs gnupg-pkcs11-scd openvpn openvpn-systemd-resolved dpkg-sig rpm createrepo-c | |
- name: Install Go | |
uses: actions/setup-go@v3 | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
with: | |
go-version: '1.20' | |
- id: go-cache-paths | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
run: | | |
echo "::set-output name=go-build::$(go env GOCACHE)" | |
echo "::set-output name=go-mod::$(go env GOMODCACHE)" | |
# shared with unit-tests-agent | |
- uses: actions/cache@v3 | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
with: | |
path: | | |
${{ steps.go-cache-paths.outputs.go-build }} | |
${{ steps.go-cache-paths.outputs.go-mod }} | |
key: ${{ runner.os }}-agent-${{ hashFiles('agent/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-agent- | |
- name: Install aptly from source | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
run: | | |
go install github.com/aptly-dev/[email protected] | |
########### | |
########### BUILD | |
########### | |
- name: Setup action variables | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
id: locals | |
run: | | |
echo "::set-output name=release_id::$(git describe --tags)" | |
- name: Build for Linux | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
env: | |
LDFLAGS_EXTRA: -s | |
run: | | |
make Linux | |
- name: Build Debian and RPM installer packages | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
env: | |
RELEASE_ID: ${{ steps.locals.outputs.release_id }} | |
run: | | |
cp ./guard-linux ./_packaging/nfpm/ | |
cd ./_packaging/nfpm | |
make | |
- name: Setup artifact dir | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
run: | | |
mkdir ./agent-binaries | |
cp ./guard-linux ./agent-binaries/guard-linux-${{ steps.locals.outputs.release_id }} | |
cp ./_packaging/nfpm/guard-1*.rpm ./agent-binaries | |
cp ./_packaging/nfpm/guard_1*.deb ./agent-binaries | |
########### | |
########### HERE COMES THE GPG <-> PCKS11 <-> HSM setup | |
########### | |
- name: Install YubiHSM pkcs11 libraries | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
shell: bash | |
run: | | |
test -f /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so && exit 0 | |
wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz | |
tar -xzf yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz | |
cd yubihsm2-sdk | |
sudo dpkg -i libyubihsm-http1_2.3.2_amd64.deb libyubihsm1_2.3.2_amd64.deb yubihsm-pkcs11_2.3.2_amd64.deb | |
go install github.com/aptly-dev/[email protected] | |
- name: Write GPG <-> PCKS11 <-> HSM configurations | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
env: | |
CONNECTOR: ${{ secrets.HSM2_CONNECTOR}} | |
OVPN_HSM_CFG: ${{ secrets.OVPN_HSM_CFG}} | |
shell: bash | |
run: | | |
mkdir ~/.gnupg | |
chmod 0700 ~/.gnupg | |
echo "connector=$CONNECTOR" > ~/yubihsm_pkcs11.conf | |
echo "scdaemon-program /usr/bin/gnupg-pkcs11-scd" > ~/.gnupg/gpg-agent.conf | |
echo "default-cache-ttl 46000" >> ~/.gnupg/gpg-agent.conf | |
echo "providers yubihsm" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
echo "provider-yubihsm-library /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
echo "provider-yubihsm-cert-private" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
gpg-connect-agent RELOADAGENT /bye | |
echo "$OVPN_HSM_CFG" > hsm.ovpn | |
- name: Connect to VPN | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
uses: "kota65535/github-openvpn-connect-action@v2" | |
with: | |
config_file: hsm.ovpn | |
username: ${{ secrets.OVPN_HSM_UNAME }} | |
password: ${{ secrets.OVPN_HSM_PWORD }} | |
- name: Import and activate repo signing key | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
env: | |
REPOKEY: ${{ secrets.REPO_SIGNING_KEY }} | |
PKSHADOW: ${{ secrets.REPO_SIGNING_PKSHADOW }} | |
KEYGRIP: ${{ secrets.REPO_SIGNING_PKGRIP }} | |
GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }} | |
run: | | |
echo "$REPOKEY" > repo-signing.key | |
gpg --import - < repo-signing.key | |
# if you are missing the file below, set-up gpg with hsm on your local machine | |
# like in this script and import the key. then we need to run gpg --card-status | |
# to re-create the shadowed PK. this requires a pin entry which gpg does not support | |
# at this point. to work around this use gpg-connect-agent and issue the SCD LEARN | |
# command which will present you with a pin prompt. it has to be the first thing | |
# you do and it will establish a session with the HSM that is re-used when running | |
# gpg --card-status. | |
echo "$PKSHADOW" > ~/.gnupg/private-keys-v1.d/$KEYGRIP | |
(echo 5; echo y; echo save) | | |
gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$( | |
gpg --list-packets <repo-signing.key | | |
awk '$1=="keyid:"{print$2;exit}')" trust | |
echo cache_passphrase_now | gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --sign > /dev/null | |
########### | |
########### HERE COMES STANDALONE PACKAGE SIGNING AND UPLOAD (THE MORE COMMON REPO SIGNING IS SOMETHING ELSE) | |
########### | |
- name: Sign DEB and RPM | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
run: | | |
dpkg-sig -s cibuilder ./agent-binaries/*.deb | |
echo "%_signature gpg" > ~/.rpmmacros | |
echo "%_gpg_name $(gpg --list-packets <repo-signing.key | awk '$1=="keyid:"{print$2;exit}')" > ~/.rpmmacros | |
rpm --addsign ./agent-binaries/*.rpm | |
- uses: BetaHuhn/do-spaces-action@v2 | |
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }} | |
with: | |
access_key: ${{ secrets.DO_ACCESS_KEY}} | |
secret_key: ${{ secrets.DO_SECRET_KEY }} | |
space_name: "package-registry" | |
space_region: "fra1" | |
source: ./agent-binaries | |
out_dir: ${{ steps.locals.outputs.release_id }} | |
########### | |
########### HERE COMES THE APT REPO | |
########### | |
- name: Mount private repo state s3fs | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
shell: bash | |
env: | |
DO_ACCESS_KEY: ${{ secrets.DO_ACCESS_KEY}} | |
DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }} | |
DO_SPACE: pkg-repo-state | |
run: | | |
touch passwd-s3fs | |
chmod 0600 passwd-s3fs | |
echo "$DO_ACCESS_KEY:$DO_SECRET_KEY" > passwd-s3fs | |
mkdir repo-state | |
s3fs $DO_SPACE $PWD/repo-state \ | |
-o passwd_file=$PWD/passwd-s3fs \ | |
-o url=https://fra1.digitaloceanspaces.com/ \ | |
-o use_path_request_style \ | |
-o uid=$UID | |
- name: Release packages to APT repo | |
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }} | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.DO_ACCESS_KEY}} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.DO_SECRET_KEY }} | |
RELEASE_ID: ${{ steps.locals.outputs.release_id }} | |
run: | | |
aptly -config ./repo-state/aptly.conf repo add -force-replace agent-release ./agent-binaries/*.deb | |
aptly -config ./repo-state/aptly.conf publish update -force-overwrite stable s3:debian-edge: | |
aptly -config ./repo-state/aptly.conf snapshot create "agent-release-$RELEASE_ID" from repo agent-release | |
sync | |
umount repo-state | |
########### | |
########### HERE COMES THE RPM REPO | |
########### | |
- name: Mount package registry s3fs | |
if: ${{ needs.preflight.outputs.doit == 'true' }} | |
shell: bash | |
env: | |
DO_SPACE: package-registry | |
run: | | |
# password setup has already been done by APT repo steps above | |
mkdir live-repo | |
s3fs $DO_SPACE $PWD/live-repo \ | |
-o passwd_file=$PWD/passwd-s3fs \ | |
-o url=https://fra1.digitaloceanspaces.com/ \ | |
-o use_path_request_style \ | |
-o default_acl=public-read \ | |
-o uid=$UID | |
- name: Release packages to RPM repo | |
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }} | |
shell: bash | |
env: | |
REPOPATH: live-repo/rpmrepo/edge | |
GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }} | |
run: | | |
cp ./agent-binaries/*.rpm ${PWD}/${REPOPATH} | |
createrepo_c --update ${PWD}/${REPOPATH} | |
gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --yes --detach-sign --armor ${PWD}/${REPOPATH}/repodata/repomd.xml | |
sync | |
umount live-repo |