hcq/influx-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: use remote package signing (#498)

Browse Source
This commit is contained in:
Brandon Pfeifer
2023-04-18 22:24:57 -04:00
committed by GitHub
parent 8a2499f476
commit b7eacf9ba9
2 changed files with 42 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
.circleci/config.yml
View File

@ -89,7 +89,6 @@ workflows:
- os: windows - os: windows
arch: arm64 arch: arm64
- build-packages: - build-packages:
sign: false
requires: requires:
- build-darwin-amd64 - build-darwin-amd64
- build-linux-amd64 - build-linux-amd64
@ -156,12 +155,14 @@ workflows:
- os: windows - os: windows
arch: arm64 arch: arm64
- build-packages: - build-packages:
sign: true
requires: requires:
- build-darwin-amd64 - build-darwin-amd64
- build-linux-amd64 - build-linux-amd64
- build-linux-arm64 - build-linux-arm64
- build-windows-amd64 - build-windows-amd64
- sign-packages:
requires:
- build-packages
- release: - release:
is-nightly: true is-nightly: true
requires: requires:
@ -172,7 +173,7 @@ workflows:
- test-linux-arm64 - test-linux-arm64
- test-mac - test-mac
- test-windows - test-windows
- build-packages - sign-packages
release-tag: release-tag:
jobs: jobs:
- changelog: - changelog:
@ -237,12 +238,15 @@ workflows:
arch: arm64 arch: arm64
- build-packages: - build-packages:
<<: *release_filter <<: *release_filter
sign: true
requires: requires:
- build-darwin-amd64 - build-darwin-amd64
- build-linux-amd64 - build-linux-amd64
- build-linux-arm64 - build-linux-arm64
- build-windows-amd64 - build-windows-amd64
- sign-packages:
<<: *release_filter
requires:
- build-packages
- release: - release:
<<: *release_filter <<: *release_filter
is-nightly: false is-nightly: false
@ -254,7 +258,7 @@ workflows:
- test-linux-arm64 - test-linux-arm64
- test-mac - test-mac
- test-windows - test-windows
- build-packages - sign-packages
commands: commands:
setup: setup:
@ -420,9 +424,6 @@ jobs:
docker: docker:
- image: ubuntu:latest - image: ubuntu:latest
resource_class: small resource_class: small
parameters:
sign:
type: boolean
steps: steps:
- attach_workspace: - attach_workspace:
at: /tmp/workspace at: /tmp/workspace
@ -440,13 +441,6 @@ jobs:
ruby-dev ruby-dev
gem install fpm gem install fpm
if [[ "<< parameters.sign >>" == "true" ]]
then
gpg --import --batch \<<<"${GPG_PRIVATE_KEY//$'\\n'/$'\n'}"
export SIGN_PACKAGES=1
fi
mkdir -p packages mkdir -p packages
OS=darwin ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/darwin/amd64/influx "${PWD}/packages" OS=darwin ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/darwin/amd64/influx "${PWD}/packages"
OS=linux ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/linux/amd64/influx "${PWD}/packages" OS=linux ARCH=amd64 scripts/ci/build-packages /tmp/workspace/bin/linux/amd64/influx "${PWD}/packages"
@ -459,6 +453,39 @@ jobs:
paths: paths:
- packages - packages
sign-packages:
circleci_ip_ranges: true
docker:
- image: quay.io/influxdb/rsign:latest
auth:
username: $QUAY_RSIGN_USERNAME
password: $QUAY_RSIGN_PASSWORD
steps:
- add_ssh_keys:
fingerpints:
-
- attach_workspace:
at: /tmp/workspace
- run: |
for target in /tmp/workspace/packages/*
do
case "${target}"
in
# rsign is shipped on Alpine Linux which uses "busybox ash" instead
# of bash. ash is somewhat more posix compliant and is missing some
# extensions and niceties from bash.
*.deb|*.rpm|*.tar.gz|*.zip)
rsign "${target}"
;;
esac
done
- persist_to_workspace:
root: /tmp/workspace
paths:
- packages
- store_artifacts:
path: /tmp/workspace/packages
changelog: changelog:
docker: docker:
- image: quay.io/influxdb/changelogger:a20523cf8594eb93920e74d0189d6602a76a6146 - image: quay.io/influxdb/changelogger:a20523cf8594eb93920e74d0189d6602a76a6146

15
scripts/ci/build-packages
View File

@ -39,9 +39,6 @@ build_archive()
zip -r "${target}" . zip -r "${target}" .
fi fi
# generate signature and checksums
generate_signature "${target}"
generate_checksums "${target}" generate_checksums "${target}"
popd popd
@ -108,29 +105,17 @@ fpm_wrapper()
mv "${PKG_OUT_PATH}/influxdb2-cli_${VERSION}-1_${ARCH}.deb" \ mv "${PKG_OUT_PATH}/influxdb2-cli_${VERSION}-1_${ARCH}.deb" \
"${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb" "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
# generate signature and checksums
generate_signature "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb" generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION}-${ARCH}.deb"
;; ;;
rpm) rpm)
mv "${PKG_OUT_PATH}/influxdb2-cli-${VERSION//-/_}-1.${ARCH}.rpm" \ mv "${PKG_OUT_PATH}/influxdb2-cli-${VERSION//-/_}-1.${ARCH}.rpm" \
"${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm" "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
# generate signature and checksums
generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm" generate_checksums "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
generate_signature "${PKG_OUT_PATH}/influxdb2-client-${VERSION//-/_}.${ARCH}.rpm"
;; ;;
esac esac
} }
generate_signature()
{
if [[ ( "${SIGN_PACKAGES:-}" ) ]]
then
gpg --passphrase "${PASSPHRASE}" --pinentry-mode=loopback --batch --armor --detach-sign "${1}"
fi
}
generate_checksums() generate_checksums()
{ {
md5sum "${1}" >"${1}.md5" md5sum "${1}" >"${1}.md5"