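---
name: spel repo builder

# Trust boundaries of this workflow, as written below:
#   * pull_request runs only build and test; every signing and upload step is
#     guarded with `if: github.event_name != 'pull_request'`. (GitHub also
#     withholds secrets and OIDC tokens from fork PRs, but the guards make the
#     same-repo PR case explicit.)
#   * release / workflow_dispatch runs sign with the GPG key from secrets and
#     push to the bucket through an OIDC-assumed IAM role; no static AWS keys.
#   * Every third-party action is pinned to a commit SHA, not a tag.
on:
  # Run on demand
  workflow_dispatch:
    inputs:
      resign_all:
        description: >-
          Re-sign every package already in the bucket, not only the ones
          built by this run (use after rotating the GPG signing key).
        type: boolean
        default: false
  # Run pull requests against the main branch
  pull_request:
    branches: [main]
    paths:
      - 'Dockerfile.*'
      - '.github/workflows/build.yml'
      - 'package-templates/**'
  # Run when a release is created
  release:
    types: [released]

# Declaring any permission sets every undeclared one to `none`, so list
# exactly what the job uses.
permissions:
  contents: read   # actions/checkout
  id-token: write  # OIDC token for aws-actions/configure-aws-credentials

concurrency:
  # Prefix with the workflow name so a run of this workflow never cancels a
  # different workflow that happens to use the same ref-based group.
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

defaults:
  run:
    # An explicit `bash` runs with `-eo pipefail`. The implicit default is
    # `bash -e` only, which lets a failing `find | sort` or `make | tee` pass.
    shell: bash

jobs:
  BuildRepo:
    name: build-repo-el${{ matrix.el_version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        el_version: [8, 9]
    env:
      SPEL_RELEASE_RELEASE: 4
      AWS_DEFAULT_REGION: us-east-1
      REPO_ENDPOINT: https://spel-packages.cloudarmor.io
      REPO_BUCKET: spel-packages
      REPO_PREFIX: repo
      GPG_NAME: SPEL Packages <[email protected]>
      DOCKER_NAME: spel-packages-el${{ matrix.el_version }}
      REPO_PATH: .repo/el${{ matrix.el_version }}
      # Major EL release of this matrix leg, for use inside `run:` scripts.
      # (EL_VERSION is the pinned full version, set by "Get pinned versions".)
      EL_MAJOR: ${{ matrix.el_version }}
    steps:
      # Shell steps below reference job env as `$VAR` rather than
      # `${{ env.VAR }}` so no value is ever spliced into the script text.
      - name: Maximize build space
        run: |
          set -xeuo pipefail
          echo "Available storage:"
          sudo df -h
          echo
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /usr/local/.ghcup
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          sudo rm -rf /usr/local/share/boost
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
          sudo apt-get remove -y '^aspnetcore-.*' > /dev/null
          sudo apt-get remove -y '^dotnet-.*' > /dev/null
          sudo apt-get remove -y '^llvm-.*' > /dev/null
          sudo apt-get remove -y 'php.*' > /dev/null
          sudo apt-get remove -y '^mongodb-.*' > /dev/null
          sudo apt-get remove -y '^mysql-.*' > /dev/null
          sudo apt-get remove -y azure-cli google-chrome-stable firefox mono-devel libgl1-mesa-dri --fix-missing > /dev/null
          sudo apt-get autoremove -y > /dev/null
          sudo apt-get clean > /dev/null
          sudo docker image prune --all --force > /dev/null
          echo "Available storage:"
          sudo df -h
          echo
      - name: Clone this git repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
        with:
          # No step below pushes to git, so keep GITHUB_TOKEN out of
          # .git/config: the checkout is also the Docker build context.
          # (Assumes the `make */version` targets read local files only
          # — confirm if they ever need an authenticated fetch.)
          persist-credentials: false
      - name: Install aws-cli
        uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367
      - name: Retrieve existing spel-packages yum repo
        run: |
          mkdir -p "$REPO_PATH"
          # Unsigned read of the public bucket; everything fetched here is
          # trusted only as far as the bucket is.
          aws s3 sync --no-sign-request --exact-timestamps \
            --endpoint-url "$REPO_ENDPOINT" \
            "s3://$REPO_BUCKET/$REPO_PREFIX/el$EL_MAJOR" "$REPO_PATH"
          # Snapshot what came from the bucket. The build output is copied into
          # the same tree later, and the signing step uses this list to avoid
          # putting our signature on packages this job did not build.
          find "$REPO_PATH" -path '*/packages/*' -name '*.rpm' -type f -print0 \
            | xargs -0 -r sha256sum \
            | LC_ALL=C sort > "$RUNNER_TEMP/synced-rpms.sha256"
      - name: Get pinned versions
        run: |
          # With pipefail a failing `make` now fails the step instead of
          # silently exporting an empty value.
          echo "AMAZONLINUX_VERSION=$(make amazonlinux/version)" | tee -a "$GITHUB_ENV"
          echo "EL_VERSION=$(make "el$EL_MAJOR/version")" | tee -a "$GITHUB_ENV"
          echo "GOLANG_VERSION=$(make golang/version)" | tee -a "$GITHUB_ENV"
          echo "GOMPLATE_VERSION=$(make gomplate/version)" | tee -a "$GITHUB_ENV"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
      - name: Build el${{ matrix.el_version }} repo
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85
        with:
          file: Dockerfile.el${{ matrix.el_version }}
          context: .
          load: true
          tags: spel-packages-el${{ matrix.el_version }}
          # EPEL_RELEASE_URL is fetched over HTTPS; whether the Dockerfile
          # also checks its signature is not visible from here — confirm.
          build-args: |
            AMZN_VERSION=${{ env.AMAZONLINUX_VERSION }}
            EL_VERSION=${{ env.EL_VERSION }}
            GOLANG_VERSION=${{ env.GOLANG_VERSION }}
            GOMPLATE_VERSION=${{ env.GOMPLATE_VERSION }}
            EPEL_RELEASE_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.el_version }}.noarch.rpm
            SPEL_RELEASE_BASEURL=${{ env.REPO_ENDPOINT }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}
            SPEL_RELEASE_RELEASE=${{ env.SPEL_RELEASE_RELEASE }}
      - name: Copy built packages to host
        run: |
          # The container stays up (--rm on stop) so later steps can exec
          # createrepo and yum inside it.
          docker run -dit --rm --name "$DOCKER_NAME" "$DOCKER_NAME"
          docker cp "$DOCKER_NAME:/spel-packages/builder/repo/." "$REPO_PATH/"
      - name: Import GPG key
        if: github.event_name != 'pull_request'
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      - name: Sign packages
        if: github.event_name != 'pull_request'
        env:
          # 'true' only for a workflow_dispatch run that asked for it; empty
          # on release events.
          RESIGN_ALL: ${{ github.event.inputs.resign_all }}
        run: |
          list_rpms() {
            find "$REPO_PATH" -path '*/packages/*' -name '*.rpm' -type f -print0
          }
          if [[ "$RESIGN_ALL" == "true" ]]; then
            # Operator asked for a full re-sign (e.g. after a key rotation).
            mapfile -t PACKAGES < <(list_rpms | tr '\0' '\n')
          else
            # Default: sign only RPMs that are new or changed since the bucket
            # was synced, i.e. the ones this job built. Everything else came
            # from the bucket and keeps the signature it already carries;
            # blindly re-signing it would turn bucket write access into a
            # signing oracle for our key. (sha256sum prints 64 hex chars, two
            # spaces, then the path, hence the cut at column 67.)
            mapfile -t PACKAGES < <(
              list_rpms | xargs -0 -r sha256sum | LC_ALL=C sort \
                | LC_ALL=C comm -13 "$RUNNER_TEMP/synced-rpms.sha256" - \
                | cut -c67-
            )
          fi
          if (( ${#PACKAGES[@]} == 0 )); then
            echo "::error::no packages to sign under $REPO_PATH/packages"
            exit 1
          fi
          printf 'Signing %d package(s)\n' "${#PACKAGES[@]}"
          rpmsign --addsign \
            --define="%_gpg_name $GPG_NAME" \
            --define='%_signature gpg' \
            "${PACKAGES[@]}"
      - name: Create yum repo and copy repodata to host
        run: |
          # Regenerate repodata from scratch inside the container, then bring
          # it back next to the packages.
          rm -rf "$REPO_PATH/repodata"
          docker cp "$REPO_PATH" "$DOCKER_NAME:/spel-packages/repo"
          docker exec "$DOCKER_NAME" createrepo /spel-packages/repo
          docker cp "$DOCKER_NAME:/spel-packages/repo/repodata" "$REPO_PATH/"
      - name: Sign yum repodata
        if: github.event_name != 'pull_request'
        run: |
          gpg --batch --yes \
            --detach-sign --armor \
            -u "$GPG_NAME" \
            "$REPO_PATH/repodata/repomd.xml"
          docker cp "$REPO_PATH/repodata/repomd.xml.asc" "$DOCKER_NAME:/spel-packages/repo/repodata"
      # upload repo artifact before testing them to troubleshoot failures
      - name: Store repo as artifact
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a
        with:
          name: spel-repo-el${{ matrix.el_version }}
          path: .repo/el${{ matrix.el_version }}
          retention-days: 3
      - name: Test signed packages and yum repo
        if: github.event_name != 'pull_request'
        run: |
          # Installs without --nogpgcheck, so this is also the check that the
          # freshly signed packages verify inside the image.
          docker exec \
            "$DOCKER_NAME" \
            bash -c 'yum install -y --setopt=skip_missing_names_on_install=False $(<packages-built)'
          docker stop "$DOCKER_NAME"
      - name: Test unsigned packages and yum repo
        if: github.event_name == 'pull_request'
        run: |
          docker exec \
            "$DOCKER_NAME" \
            bash -c 'yum install -y --nogpgcheck --setopt=skip_missing_names_on_install=False $(<packages-built)'
          docker stop "$DOCKER_NAME"
      - name: configure aws credentials
        if: github.event_name != 'pull_request'
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}
      - name: Validate credential
        if: github.event_name != 'pull_request'
        run: aws sts get-caller-identity
      - name: Push repo to s3 bucket
        if: github.event_name != 'pull_request'
        run: |
          # Newest build of the named noarch package: fields 4 and 5 of the
          # dash-split path are version and release, compared with a version
          # sort. mapfile avoids a SIGPIPE from `head` under pipefail.
          latest_noarch() {
            local -a candidates
            mapfile -t candidates < <(
              find "$REPO_PATH/packages/noarch/" -name "$1-*" \
                | sort --field-separator=- --key=4.1Vr,4 --key=5Vr
            )
            printf '%s\n' "${candidates[0]:-}"
          }
          SPEL_DOD_CERTS="$(latest_noarch spel-dod-certs)"
          SPEL_WCF_CERTS="$(latest_noarch spel-wcf-certs)"
          for pkg in "$SPEL_DOD_CERTS" "$SPEL_WCF_CERTS"; do
            if [[ ! -f "$pkg" ]]; then
              echo "::error::expected spel-*-certs package missing under $REPO_PATH/packages/noarch"
              exit 1
            fi
          done
          # --delete mirrors the local tree; the earlier sync pulled the whole
          # remote repo first, so only files removed locally disappear.
          aws s3 sync --delete "$REPO_PATH/" "s3://$REPO_BUCKET/$REPO_PREFIX/el$EL_MAJOR/"
          aws s3 cp "$REPO_PATH/packages/noarch/spel-release-$EL_MAJOR-$SPEL_RELEASE_RELEASE.noarch.rpm" "s3://$REPO_BUCKET/$REPO_PREFIX/spel-release-latest-$EL_MAJOR.noarch.rpm"
          aws s3 cp "$SPEL_DOD_CERTS" "s3://$REPO_BUCKET/$REPO_PREFIX/spel-dod-certs-latest-$EL_MAJOR.noarch.rpm"
          aws s3 cp "$SPEL_WCF_CERTS" "s3://$REPO_BUCKET/$REPO_PREFIX/spel-wcf-certs-latest-$EL_MAJOR.noarch.rpm"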