chore: use remote package signing (#498)

This commit is contained in:
Brandon Pfeifer 2023-04-18 22:24:57 -04:00 committed by GitHub
parent 8a2499f476
commit b7eacf9ba9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 30 deletions


@ -89,7 +89,6 @@ workflows:
- os: windows
arch: arm64
- build-packages:
sign: false
requires:
- build-darwin-amd64
- build-linux-amd64
@ -156,12 +155,14 @@ workflows:
- os: windows
arch: arm64
- build-packages:
sign: true
requires:
- build-darwin-amd64
- build-linux-amd64
- build-linux-arm64
- build-windows-amd64
- sign-packages:
requires:
- build-packages
- release:
is-nightly: true
requires:
@ -172,7 +173,7 @@ workflows:
- test-linux-arm64
- test-mac
- test-windows
- build-packages
- sign-packages
release-tag:
jobs:
- changelog:
@ -237,12 +238,15 @@ workflows:
arch: arm64
- build-packages:
<<: *release_filter
sign: true
requires:
- build-darwin-amd64
- build-linux-amd64
- build-linux-arm64
- build-windows-amd64
- sign-packages:
<<: *release_filter
requires:
- build-packages
- release:
<<: *release_filter
is-nightly: false
@ -254,7 +258,7 @@ workflows:
- test-linux-arm64
- test-mac
- test-windows
- build-packages
- sign-packages
commands:
setup:
@ -420,9 +424,6 @@ jobs:
docker:
- image: ubuntu:latest
resource_class: small
parameters:
sign:
type: boolean
steps:
- attach_workspace:
at: /tmp/workspace
@ -440,13 +441,6 @@ jobs:
ruby-dev
gem install fpm
if [[ "<< parameters.sign >>" == "true" ]]
then
gpg --import --batch \<<<"${GPG_PRIVATE_KEY//$'\\n'/$'\n'}"
export SIGN_PACKAGES=1
fi
mkdir -p packages
OS=darwin ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/darwin/amd64/influx "${PWD}/packages"
OS=linux ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/linux/amd64/influx "${PWD}/packages"
@ -459,6 +453,39 @@ jobs:
paths:
- packages
sign-packages:
circleci_ip_ranges: true
docker:
- image: quay.io/influxdb/rsign:latest
auth:
username: $QUAY_RSIGN_USERNAME
password: $QUAY_RSIGN_PASSWORD
steps:
- add_ssh_keys:
fingerpints:
-
- attach_workspace:
at: /tmp/workspace
- run: |
for target in /tmp/workspace/packages/*
do
case "${target}"
in
# rsign is shipped on Alpine Linux which uses "busybox ash" instead
# of bash. ash is somewhat more posix compliant and is missing some
# extensions and niceties from bash.
*.deb|*.rpm|*.tar.gz|*.zip)
rsign "${target}"
;;
esac
done
- persist_to_workspace:
root: /tmp/workspace
paths:
- packages
- store_artifacts:
path: /tmp/workspace/packages
changelog:
docker:
- image: quay.io/influxdb/changelogger:a20523cf8594eb93920e74d0189d6602a76a6146
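Review bot: The `add_ssh_keys` step at the top of the new `sign-packages` job spells its key `fingerpints`; CircleCI's schema names it `fingerprints`, so as written the deploy key is presumably either rejected at config validation or never installed, and the step cannot reach whatever rsign talks to — `fingerprints:` is the fix, and the list entry under it is empty and needs a real fingerprint value. Separately, the signing container is pulled as `quay.io/influxdb/rsign:latest`, which lets whoever can move that tag replace the tool that produces the release signatures; the `changelogger` image a few lines below is pinned to an immutable tag, and pinning rsign by digest (`image: quay.io/influxdb/rsign@sha256:…`) would bring it in line. If rsign writes a detached signature next to each package (its output format is not visible here), a `gpg --verify` of each signature against the expected public key before `persist_to_workspace` would catch a misbehaving or swapped signer rather than shipping its output.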


@ -39,9 +39,6 @@ build_archive()
zip -r "${target}" .
fi
# generate signature and checksums
generate_signature "${target}"
generate_checksums "${target}"
popd
@ -108,29 +105,17 @@ fpm_wrapper()
mv "${PKG_OUT_PATH}/influxdb2-cli_${VERSION}-1_${ARCH}.deb" \
"${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
# generate signature and checksums
generate_signature "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
;;
rpm)
mv "${PKG_OUT_PATH}/influxdb2-cli-${VERSION//-/_}-1.${ARCH}.rpm" \
"${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
# generate signature and checksums
generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
generate_signature "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
;;
esac
}
generate_signature()
{
if [[ ( "${SIGN_PACKAGES:-}" ) ]]
then
gpg --passphrase "${PASSPHRASE}" --pinentry-mode=loopback --batch --armor --detach-sign "${1}"
fi
}
generate_checksums()
{
md5sum "${1}" >"${1}.md5"