Skip to content

build(deps): bump golang.org/x/crypto from 0.7.0 to 0.17.0 #149

build(deps): bump golang.org/x/crypto from 0.7.0 to 0.17.0

build(deps): bump golang.org/x/crypto from 0.7.0 to 0.17.0 #149

Workflow file for this run

name: Build release
concurrency: repo-state-aptly
on:
push:
tags:
- v*
pull_request: {}
jobs:
preflight:
timeout-minutes: 5
runs-on: ubuntu-22.04
outputs:
doit: ${{ steps.git-diff.outputs.diff != '' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) }}
really: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') }}
steps:
- uses: actions/checkout@v3
if: ${{ github.event_name != 'push' && !startsWith(github.ref, 'refs/tags/v') }}
- uses: technote-space/get-diff-action@v5
if: ${{ github.event_name != 'push' && !startsWith(github.ref, 'refs/tags/v') }}
id: git-diff
with:
PATTERNS: |
.github/workflows/build-release.yml
- run: |
echo "${{ steps.git-diff.outputs.diff }}"
echo "${{ steps.git-diff.outputs.diff == '' }}"
echo "${{ github.event_name == 'push' }}"
echo "${{ startsWith(github.ref, 'refs/tags/v') }}"
echo "${{ github.ref }}"
echo "${{ github.event_name }}"
echo "${{ steps.git-diff.outputs.diff != '' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')) }}"
agent:
timeout-minutes: 20
needs:
- preflight
runs-on: ubuntu-22.04
defaults:
run:
working-directory: ./
steps:
###########
########### PREREQUISITES
###########
- uses: actions/checkout@v3
if: ${{ needs.preflight.outputs.doit == 'true' }}
with:
fetch-depth: 0
lfs: true
- name: Install programs
if: ${{ needs.preflight.outputs.doit == 'true' }}
run: |
sudo apt-get update
sudo apt-get install -y s3fs gnupg-pkcs11-scd openvpn openvpn-systemd-resolved dpkg-sig rpm createrepo-c
- name: Install Go
uses: actions/setup-go@v3
if: ${{ needs.preflight.outputs.doit == 'true' }}
with:
go-version: '1.20'
- id: go-cache-paths
if: ${{ needs.preflight.outputs.doit == 'true' }}
run: |
echo "::set-output name=go-build::$(go env GOCACHE)"
echo "::set-output name=go-mod::$(go env GOMODCACHE)"
# shared with unit-tests-agent
- uses: actions/cache@v3
if: ${{ needs.preflight.outputs.doit == 'true' }}
with:
path: |
${{ steps.go-cache-paths.outputs.go-build }}
${{ steps.go-cache-paths.outputs.go-mod }}
key: ${{ runner.os }}-agent-${{ hashFiles('agent/go.sum') }}
restore-keys: |
${{ runner.os }}-agent-
- name: Install aptly from source
if: ${{ needs.preflight.outputs.doit == 'true' }}
run: |
go install github.com/aptly-dev/[email protected]
###########
########### BUILD
###########
- name: Setup action variables
if: ${{ needs.preflight.outputs.doit == 'true' }}
id: locals
run: |
echo "::set-output name=release_id::$(git describe --tags)"
- name: Build for Linux
if: ${{ needs.preflight.outputs.doit == 'true' }}
env:
LDFLAGS_EXTRA: -s
run: |
make Linux
- name: Build Debian and RPM installer packages
if: ${{ needs.preflight.outputs.doit == 'true' }}
env:
RELEASE_ID: ${{ steps.locals.outputs.release_id }}
run: |
cp ./guard-linux ./_packaging/nfpm/
cd ./_packaging/nfpm
make
- name: Setup artifact dir
if: ${{ needs.preflight.outputs.doit == 'true' }}
run: |
mkdir ./agent-binaries
cp ./guard-linux ./agent-binaries/guard-linux-${{ steps.locals.outputs.release_id }}
cp ./_packaging/nfpm/guard-1*.rpm ./agent-binaries
cp ./_packaging/nfpm/guard_1*.deb ./agent-binaries
###########
########### HERE COMES THE GPG <-> PCKS11 <-> HSM setup
###########
- name: Install YubiHSM pkcs11 libraries
if: ${{ needs.preflight.outputs.doit == 'true' }}
shell: bash
run: |
test -f /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so && exit 0
wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz
tar -xzf yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz
cd yubihsm2-sdk
sudo dpkg -i libyubihsm-http1_2.3.2_amd64.deb libyubihsm1_2.3.2_amd64.deb yubihsm-pkcs11_2.3.2_amd64.deb
go install github.com/aptly-dev/[email protected]
- name: Write GPG <-> PCKS11 <-> HSM configurations
if: ${{ needs.preflight.outputs.doit == 'true' }}
env:
CONNECTOR: ${{ secrets.HSM2_CONNECTOR}}
OVPN_HSM_CFG: ${{ secrets.OVPN_HSM_CFG}}
shell: bash
run: |
mkdir ~/.gnupg
chmod 0700 ~/.gnupg
echo "connector=$CONNECTOR" > ~/yubihsm_pkcs11.conf
echo "scdaemon-program /usr/bin/gnupg-pkcs11-scd" > ~/.gnupg/gpg-agent.conf
echo "default-cache-ttl 46000" >> ~/.gnupg/gpg-agent.conf
echo "providers yubihsm" >> ~/.gnupg/gnupg-pkcs11-scd.conf
echo "provider-yubihsm-library /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so" >> ~/.gnupg/gnupg-pkcs11-scd.conf
echo "provider-yubihsm-cert-private" >> ~/.gnupg/gnupg-pkcs11-scd.conf
gpg-connect-agent RELOADAGENT /bye
echo "$OVPN_HSM_CFG" > hsm.ovpn
- name: Connect to VPN
if: ${{ needs.preflight.outputs.doit == 'true' }}
uses: "kota65535/github-openvpn-connect-action@v2"
with:
config_file: hsm.ovpn
username: ${{ secrets.OVPN_HSM_UNAME }}
password: ${{ secrets.OVPN_HSM_PWORD }}
- name: Import and activate repo signing key
if: ${{ needs.preflight.outputs.doit == 'true' }}
env:
REPOKEY: ${{ secrets.REPO_SIGNING_KEY }}
PKSHADOW: ${{ secrets.REPO_SIGNING_PKSHADOW }}
KEYGRIP: ${{ secrets.REPO_SIGNING_PKGRIP }}
GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }}
run: |
echo "$REPOKEY" > repo-signing.key
gpg --import - < repo-signing.key
# if you are missing the file below, set-up gpg with hsm on your local machine
# like in this script and import the key. then we need to run gpg --card-status
# to re-create the shadowed PK. this requires a pin entry which gpg does not support
# at this point. to work around this use gpg-connect-agent and issue the SCD LEARN
# command which will present you with a pin prompt. it has to be the first thing
# you do and it will establish a session with the HSM that is re-used when running
# gpg --card-status.
echo "$PKSHADOW" > ~/.gnupg/private-keys-v1.d/$KEYGRIP
(echo 5; echo y; echo save) |
gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(
gpg --list-packets <repo-signing.key |
awk '$1=="keyid:"{print$2;exit}')" trust
echo cache_passphrase_now | gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --sign > /dev/null
###########
########### HERE COMES STANDALONE PACKAGE SIGNING AND UPLOAD (THE MORE COMMON REPO SIGNING IS SOMETHING ELSE)
###########
- name: Sign DEB and RPM
if: ${{ needs.preflight.outputs.doit == 'true' }}
run: |
dpkg-sig -s cibuilder ./agent-binaries/*.deb
echo "%_signature gpg" > ~/.rpmmacros
echo "%_gpg_name $(gpg --list-packets <repo-signing.key | awk '$1=="keyid:"{print$2;exit}')" > ~/.rpmmacros
rpm --addsign ./agent-binaries/*.rpm
- uses: BetaHuhn/do-spaces-action@v2
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }}
with:
access_key: ${{ secrets.DO_ACCESS_KEY}}
secret_key: ${{ secrets.DO_SECRET_KEY }}
space_name: "package-registry"
space_region: "fra1"
source: ./agent-binaries
out_dir: ${{ steps.locals.outputs.release_id }}
###########
########### HERE COMES THE APT REPO
###########
- name: Mount private repo state s3fs
if: ${{ needs.preflight.outputs.doit == 'true' }}
shell: bash
env:
DO_ACCESS_KEY: ${{ secrets.DO_ACCESS_KEY}}
DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }}
DO_SPACE: pkg-repo-state
run: |
touch passwd-s3fs
chmod 0600 passwd-s3fs
echo "$DO_ACCESS_KEY:$DO_SECRET_KEY" > passwd-s3fs
mkdir repo-state
s3fs $DO_SPACE $PWD/repo-state \
-o passwd_file=$PWD/passwd-s3fs \
-o url=https://fra1.digitaloceanspaces.com/ \
-o use_path_request_style \
-o uid=$UID
- name: Release packages to APT repo
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.DO_ACCESS_KEY}}
AWS_SECRET_ACCESS_KEY: ${{ secrets.DO_SECRET_KEY }}
RELEASE_ID: ${{ steps.locals.outputs.release_id }}
run: |
aptly -config ./repo-state/aptly.conf repo add -force-replace agent-release ./agent-binaries/*.deb
aptly -config ./repo-state/aptly.conf publish update -force-overwrite stable s3:debian-edge:
aptly -config ./repo-state/aptly.conf snapshot create "agent-release-$RELEASE_ID" from repo agent-release
sync
umount repo-state
###########
########### HERE COMES THE RPM REPO
###########
- name: Mount package registry s3fs
if: ${{ needs.preflight.outputs.doit == 'true' }}
shell: bash
env:
DO_SPACE: package-registry
run: |
# password setup has already been done by APT repo steps above
mkdir live-repo
s3fs $DO_SPACE $PWD/live-repo \
-o passwd_file=$PWD/passwd-s3fs \
-o url=https://fra1.digitaloceanspaces.com/ \
-o use_path_request_style \
-o default_acl=public-read \
-o uid=$UID
- name: Release packages to RPM repo
if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' && startsWith(steps.locals.outputs.release_id, 'v') }}
shell: bash
env:
REPOPATH: live-repo/rpmrepo/edge
GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }}
run: |
cp ./agent-binaries/*.rpm ${PWD}/${REPOPATH}
createrepo_c --update ${PWD}/${REPOPATH}
gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --yes --detach-sign --armor ${PWD}/${REPOPATH}/repodata/repomd.xml
sync
umount live-repo