fix(ci): fix sign on release
Signed-off-by: Roberto Scolaro <[email protected]>
therealbobo committed Jan 29, 2025
1 parent 4eabe01 commit 18faa10
Showing 1 changed file with 32 additions and 59 deletions.
91 changes: 32 additions & 59 deletions .github/workflows/release-draft.yaml
Expand Up @@ -13,7 +13,7 @@ jobs:
build-release-linux:
runs-on: ubuntu-24.04${{ matrix.platform == 'arm64' && '-arm' || '' }}
container:
image: ubuntu:22.04
image: ubuntu:24.04
strategy:
matrix:
platform:
Expand Down Expand Up @@ -65,10 +65,10 @@ jobs:
make install && \
cd ../.. && \
rm -fr bpftool && \
curl -LO https://ziglang.org/builds/zig-linux-$(uname -m)-${ZIG_VERSION}.tar.xz && \
tar -xaf zig-linux-$(uname -m)-${ZIG_VERSION}.tar.xz && \
rm -v zig-linux-$(uname -m)-${ZIG_VERSION}.tar.xz && \
cd zig-linux-$(uname -m)-${ZIG_VERSION} && \
curl -LO https://ziglang.org/builds/zig-linux-"$(uname -m)"-"${ZIG_VERSION}".tar.xz && \
tar -xaf zig-linux-"$(uname -m)"-"${ZIG_VERSION}".tar.xz && \
rm -v zig-linux-"$(uname -m)"-"${ZIG_VERSION}".tar.xz && \
cd zig-linux-"$(uname -m)"-"${ZIG_VERSION}" && \
cp -v zig /usr/bin && \
find lib -exec cp --parents {} /usr/ \; && \
cd .. && \
Expand Down Expand Up @@ -97,12 +97,12 @@ jobs:
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-${{ matrix.release_arch }}
name: sysdig-release-${{ env.BUILD_VERSION }}-linux-${{ matrix.release_arch }}
path: |
build/sysdig-${{ env.BUILD_VERSION }}*
build-release-others-amd64:
name: build-release-others-amd64
build-release-others:
name: build-release-others
strategy:
matrix:
os: [windows-latest, macos-13, macos-14]
Expand Down Expand Up @@ -147,7 +147,7 @@ jobs:
- platform: arm64
base_arch: aarch64
release_arch: aarch64
needs: [build-release-linux, sign-rpms, sign-debs]
needs: [build-release-linux, sign-linux-packages]
env:
REGISTRY: ghcr.io
SYSDIG_IMAGE_BASE: ghcr.io/draios/sysdig
Expand All @@ -158,12 +158,12 @@ jobs:
- name: Download artifacts aarch64
uses: actions/download-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-aarch64
name: sysdig-release-${{ env.BUILD_VERSION }}-linux-aarch64

- name: Download artifacts x86_64
uses: actions/download-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-x86_64
name: sysdig-release-${{ env.BUILD_VERSION }}-linux-x86_64

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand All @@ -185,44 +185,10 @@ jobs:
build-args:
BUILD_VERSION=${{ env.BUILD_VERSION }}

sign-rpms:
strategy:
matrix:
name: [amd64, arm64]
include:
- name: amd64
arch: x86_64
- name: arm64
arch: aarch64
needs: build-release-linux
runs-on: ubuntu-latest
env:
KEY_ID: EC51E8C4
sign-linux-packages:
runs-on: ubuntu-24.04
container:
image: fedora:39
steps:
- name: Install deps
run: dnf install -y rpm-sign pinentry
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-${{ matrix.arch }}
- name: Import private key
env:
PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }}
run: printenv PRIVATE_KEY | gpg --import -
- name: Sign RPMs
run: rpm --define "_gpg_name ${{ env.KEY_ID }}" --define "_binary_filedigest_algorithm 8" --addsign *.rpm
- name: Check signature
run: test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0
- name: Upload Signed RPMs
uses: actions/upload-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-${{ matrix.arch }}-rpms
path: "*.rpm"

sign-debs:
runs-on: ubuntu-latest
image: ubuntu:24.04
strategy:
matrix:
name: [amd64, arm64]
Expand All @@ -234,37 +200,44 @@ jobs:
needs: build-release-linux
env:
KEY_ID: EC51E8C4
container:
image: debian:bullseye-slim
steps:
- name: Install deps
run: apt-get update && apt-get -y install dpkg-sig
run: apt update && apt -y install debsigs rpm

- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-${{ matrix.arch }}
name: sysdig-release-${{ env.BUILD_VERSION }}-linux-${{ matrix.arch }}

- name: Import private key
env:
PRIVATE_KEY: ${{ secrets.SYSDIG_REPO_SIGNING_KEY }}
run: printenv PRIVATE_KEY | gpg --import -

- name: Sign DEBs
run: dpkg-sig -k ${{ env.KEY_ID }} -s builder *.deb
run: debsigs --sign=origin --default-key="${{ env.KEY_ID }}" *.deb

Check warning on line 218 in .github/workflows/release-draft.yaml


GitHub Actions / actionlint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2035:info:1:57: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck] Raw Output: i:.github/workflows/release-draft.yaml:218:9: shellcheck reported issue in this script: SC2035:info:1:57: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck]

- name: Check signature DEBs
run: debsigs --verify *.deb

Check warning on line 221 in .github/workflows/release-draft.yaml


GitHub Actions / actionlint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2035:info:1:18: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck] Raw Output: i:.github/workflows/release-draft.yaml:221:9: shellcheck reported issue in this script: SC2035:info:1:18: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck]

- name: Sign RPMs
run: rpm --define "_gpg_name ${{ env.KEY_ID }}" --define "_binary_filedigest_algorithm 8" --addsign *.rpm

Check warning on line 224 in .github/workflows/release-draft.yaml


GitHub Actions / actionlint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2035:info:1:96: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck] Raw Output: i:.github/workflows/release-draft.yaml:224:9: shellcheck reported issue in this script: SC2035:info:1:96: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck]

- name: Check signature
run: dpkg-sig --verify *.deb
- name: Check signature RPMs
run: test "$(rpm -qpi *.rpm | awk '/Signature/' | grep -i none | wc -l)" -eq 0

Check warning on line 227 in .github/workflows/release-draft.yaml


GitHub Actions / actionlint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2035:info:1:18: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck] Raw Output: i:.github/workflows/release-draft.yaml:227:9: shellcheck reported issue in this script: SC2035:info:1:18: Use ./*glob* or -- *glob* so names with dashes won't become options [shellcheck]

Check failure on line 227 in .github/workflows/release-draft.yaml


GitHub Actions / actionlint

[actionlint] reported by reviewdog 🐶 shellcheck reported issue in this script: SC2126:style:1:46: Consider using 'grep -c' instead of 'grep|wc -l' [shellcheck] Raw Output: e:.github/workflows/release-draft.yaml:227:9: shellcheck reported issue in this script: SC2126:style:1:46: Consider using 'grep -c' instead of 'grep|wc -l' [shellcheck]

- name: Upload Signed DEBs
- name: Upload Signed Packages
uses: actions/upload-artifact@v4
with:
name: sysdig-release-${{ env.BUILD_VERSION }}-${{ matrix.arch }}-debs
path: "*.deb"
name: sysdig-release-${{ env.BUILD_VERSION }}-linux-${{ matrix.arch }}
overwrite: true
path: |
*.deb
*.rpm
create-draft-release:
runs-on: ubuntu-latest
needs: [push-container-image, build-release-linux, sign-rpms, sign-debs]
needs: [push-container-image, build-release-linux, sign-linux-packages, build-release-others]
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
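Review bot: The new `Check signature RPMs` step in `sign-linux-packages` passes vacuously when the downloaded artifact contains no `.rpm` file, because an unmatched `*.rpm` stays a literal, `rpm -qpi` then prints nothing, `wc -l` on empty output is 0 and `test … -eq 0` succeeds; it also only confirms that a Signature header is present, not that the signature validates against `KEY_ID`. Guard the glob and count directly, e.g. `run: |` / `ls ./*.rpm` / `test "$(rpm -qpi ./*.rpm | awk '/Signature/' | grep -ci none)" -eq 0`, which also clears the SC2035 and SC2126 annotations shown on this hunk; the same `./*.deb` and `./*.rpm` form applies to the `Sign DEBs`, `Check signature DEBs` and `Sign RPMs` steps. A stronger check would `rpm --import` the public half of the signing key and run `rpm --checksig ./*.rpm`, which verifies the signature itself and fails the step on a bad one. The `sign-linux-packages` job is split across the two preceding hunks (its `strategy`/`needs`/`env` lines sit in the earlier one), and it keeps signing with the pre-existing 8-character `KEY_ID`, which is fine while the imported keyring holds only that key.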
