Upload nightly and release deb packages to Nexus #9123

Closed
wants to merge 13 commits into from
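--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -43,6 +43,12 @@ jobs:
 - name: Show the deb package's content
 if: runner.os == 'Linux'
 run: dpkg-deb --contents bundle.deb
+- name: Save the deb package as build artifact
+if: runner.os == 'Linux'
+uses: actions/upload-artifact@v2
+with:
+name: bundle.deb
+path: bundle.deb
 - name: Build the rpm package
 if: runner.os == 'Linux'
 run: nix bundle --print-build-logs --bundler "git+file://$(pwd)?submodules=1&shallow=1#rpm" "git+file://$(pwd)?submodules=1&shallow=1"
@@ -52,6 +58,12 @@ jobs:
 - name: Show the rpm package's content
 if: runner.os == 'Linux'
 run: rpm --query --list --package bundle.rpm
+- name: Save the rpm package as build artifact
+if: runner.os == 'Linux'
+uses: actions/upload-artifact@v2
+with:
+name: bundle.rpm
+path: bundle.rpm
 - name: Assume the AWS role
 continue-on-error: true
 id: configure-aws-credentials
@@ -66,3 +78,105 @@ jobs:
 - name: Upload Nix binaries to the binary cache server on S3
 if: steps.configure-aws-credentials.outcome == 'success'
 run: nix copy --to 's3://hhvm-nix-cache?region=us-west-2&endpoint=hhvm-nix-cache.s3-accelerate.amazonaws.com' --print-build-logs --no-sandbox "git+file://$(pwd)?submodules=1&shallow=1"
+upload-deb:
+if: github.event_name == 'push' && github.ref_type == 'tag'
+runs-on: ubuntu-latest
+needs: build-and-test
+steps:
+- uses: actions/checkout@v3
+- name: Download the bundle.deb from build-and-test job
+uses: actions/download-artifact@v2
+with:
+name: bundle.deb
+- name: Assume the AWS role
+continue-on-error: true
+id: configure-aws-credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: arn:aws:iam::223121549624:role/hhvm-github-actions
+aws-region: us-west-2
+- name: Decrypt the GPG key
+if: steps.configure-aws-credentials.outcome == 'success'
+run: |
+set -o pipefail
+GPG_KEY_FILE="$(mktemp)" &&
+aws kms decrypt \
+--ciphertext-blob "fileb://$PWD/gpg-key.kms-ciphertext" \
+--query Plaintext \
+--output text |
+base64 --decode > "$GPG_KEY_FILE" &&
+echo "GPG_KEY_FILE=$GPG_KEY_FILE" >> $GITHUB_ENV
+- name: Fetch the Nexus admin password
+if: steps.configure-aws-credentials.outcome == 'success'
+run: |
+NEXUS_ADMIN_PASSWORD_FILE="$(mktemp)" &&
+aws secretsmanager get-secret-value --secret-id nexus-admin-password-prod --query SecretString --output text > "$NEXUS_ADMIN_PASSWORD_FILE" &&
+echo "NEXUS_ADMIN_PASSWORD_FILE=$NEXUS_ADMIN_PASSWORD_FILE" >> $GITHUB_ENV
+- name: Upload the deb package
+if: steps.configure-aws-credentials.outcome == 'success'
+run: |
+set -e
+GPG_KEY="$(cat "$GPG_KEY_FILE")"
+ESCAPED_GPG_KEY=\""${GPG_KEY//$'\n'/'\n'}"\"
+function upload () {
+GET_DISTRIBUTION_STATUS_CODE="$(
+curl \
+-o /dev/null \
+-s -w "%{http_code}" \
+-X GET \
+-u "admin:$(cat "$NEXUS_ADMIN_PASSWORD_FILE")" \
+"http://nexus-prod-lb-384239604.us-west-2.elb.amazonaws.com/service/rest/v1/repositories/deb-$1"
+)"
+case "$GET_DISTRIBUTION_STATUS_CODE" in
+200)
+echo "Skip distribution creation becuase it exists.";;
+404)
+curl \
+--fail \
+-X POST \
+-u "admin:$(cat "$NEXUS_ADMIN_PASSWORD_FILE")" \
+-H "Content-Type: application/json" \
+--data-binary @- \
+http://nexus-prod-lb-384239604.us-west-2.elb.amazonaws.com/service/rest/v1/repositories/apt/hosted \
+<< EOF
+{
+"name": "deb-$1",
+"online": true,
+"storage": {
+"blobStoreName": "default",
+"strictContentTypeValidation": true,
+"writePolicy": "allow_once"
+},
+"component": {
+"proprietaryComponents": false
+},
+"apt": {
+"distribution": "$1"
+},
+"aptSigning": {
+"keypair": $ESCAPED_GPG_KEY
+}
+}
+EOF
+;;
+*)
+echo Unexpected HTTP status $GET_DISTRIBUTION_STATUS_CODE when \
+fetching "http://nexus-prod-lb-384239604.us-west-2.elb.amazonaws.com/service/rest/v1/repositories/deb-$1"
+;;
+esac
+curl \
+--fail \
+-X POST \
+-u "admin:$(cat "$NEXUS_ADMIN_PASSWORD_FILE")" \
+-H "Content-Type: multipart/form-data" \
+--data-binary @bundle.deb \
+"http://nexus-prod-lb-384239604.us-west-2.elb.amazonaws.com/repository/deb-$1/"
+}
+if [[ "$GITHUB_REF_NAME" =~ HHVM-([0-9]+\.[0-9]+)\.[0-9]+ ]]
+then
+upload release-"${BASH_REMATCH[1]}"
+upload release
+elif [[ "$GITHUB_REF_NAME" =~ nightly-([0-9]+\.[0-9]+\.[0-9]+) ]]
+then
+upload nightly
+fi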
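Review bot: Every `curl` call in the `upload` function of the new `upload-deb` job uses `http://`, so the `admin` password passed with `-u` and the GPG private key sent as `aptSigning.keypair` travel to the Nexus load balancer unencrypted. Serve the endpoint over TLS and switch the URLs to `https://<nexus-host>/...` (placeholder for the real HTTPS name), adding `--proto '=https'` so a wrong URL fails rather than falling back to plaintext. In the same function the `*)` branch only echoes the unexpected status and then continues to the package upload; it should end with `exit 1`. The job also authenticates as `admin`; a dedicated Nexus user holding only the privileges this job needs would limit the damage if the password leaks. The key and password files created with `mktemp` are never removed; an `if: always()` cleanup step running `rm -f "$GPG_KEY_FILE" "$NEXUS_ADMIN_PASSWORD_FILE"` would cover that.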
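--- a/flake.nix
+++ b/flake.nix
@@ -81,7 +81,10 @@
 --input-type dir \
 --output-type ${outputType} \
 --name ${pkgs.lib.strings.escapeShellArg pkg.pname} \
---version ${pkgs.lib.strings.escapeShellArg pkg.version} \
+--version ${
+pkgs.lib.strings.escapeShellArg
+(builtins.replaceStrings ["-"] ["~"] pkg.version)
+} \
 --description ${pkgs.lib.strings.escapeShellArg pkg.meta.description} \
 --url ${pkgs.lib.strings.escapeShellArg pkg.meta.homepage} \
 --maintainer ${pkgs.lib.strings.escapeShellArg (pkgs.lib.strings.concatStringsSep ", " (map ({name, email, ...}: "\"${name}\" <${email}>") pkg.meta.maintainers))} \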
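Review bot: The `--version` argument now rewrites every `-` in `pkg.version` to `~` with no comment saying why, and the reason lives in another file: `makeVersion` in hhvm.nix builds nightly versions as `X.Y.Z-dev<date>`. A short comment above the interpolation would help, for example `# "~" sorts before the plain release in deb/rpm version ordering, so X.Y.Z~dev<date> is superseded by X.Y.Z`; that rationale is my inference from the two hunks and should be confirmed. Because this commit also gives nightly and release builds the same package name `hhvm`, the version string is what decides which build a client's package manager prefers, so the rule deserves to be written down. The fpm command line this hunk belongs to starts and ends outside the hunk.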
Binary file added gpg-key.kms-ciphertext
Binary file not shown.
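--- a/hhvm.nix
+++ b/hhvm.nix
@@ -80,18 +80,16 @@ let
 .*
 ''
 (builtins.readFile ./hphp/runtime/version.h);
-makePName = major: minor: patch: suffix:
-if suffix == "-dev" then "hhvm_nightly" else "hhvm";
 makeVersion = major: minor: patch: suffix:
-if suffix == "-dev" then "${major}.${minor}.${patch}-${lastModifiedDate}" else "${major}.${minor}.${patch}";
+if suffix == "-dev" then "${major}.${minor}.${patch}-dev${lastModifiedDate}" else "${major}.${minor}.${patch}";
 rustNightly = rustChannelOf {
 sha256 = "TpJKRroEs7V2BTo2GFPJlEScYVArFY2MnGpYTxbnSo8=";
 date = "2022-02-24";
 channel = "nightly";
 };
 in
 stdenv.mkDerivation rec {
-pname = builtins.foldl' lib.trivial.id makePName versionParts;
+pname = "hhvm";
 version = builtins.foldl' lib.trivial.id makeVersion versionParts;
 src = ./.;
 nativeBuildInputs =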