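name: spel repo builder

# `on` reads as a YAML 1.1 boolean key to generic parsers; GitHub's loader
# handles it, so a yamllint `truthy` exception is expected on this line.
on:
  # Run on demand
  workflow_dispatch:
  # Run pull requests against the main branch, but only when an input to the
  # build changes
  pull_request:
    branches: [main]
    paths:
      - 'Dockerfile.*'
      - '.github/workflows/build.yml'
      - 'package-templates/**'
  # Run when a release is created
  release:
    types: [released]

# Least privilege: naming any scope here sets every unnamed scope to `none`.
# `id-token: write` is what the OIDC role assumption in BuildRepo needs;
# `contents: read` is what actions/checkout needs and was previously left
# implicit, so the clone depended on the repository being publicly readable.
permissions:
  contents: read
  id-token: write

# One run per PR head ref (or per ref for releases/manual runs); a newer run
# on the same ref cancels the one still in flight.
concurrency:
  group: ${{ github.head_ref || github.ref }}
  cancel-in-progress: true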
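jobs:
  BuildRepo:
    name: build-repo-el${{ matrix.el_version }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # One job per Enterprise Linux major; every path and tag below keys off it
        el_version: [8, 9]
    # These values are interpolated straight into `run:` scripts through
    # ${{ env.* }}, so keep them workflow-defined constants — never anything
    # derived from an event payload.
    env:
      SPEL_RELEASE_RELEASE: 4
      AWS_DEFAULT_REGION: us-east-1
      REPO_ENDPOINT: https://spel-packages.cloudarmor.io
      REPO_BUCKET: spel-packages
      REPO_PREFIX: repo
      # Selects the signing key for rpmsign (%_gpg_name) and gpg (-u); it must
      # match a uid of the key imported below. The address is shown redacted in
      # this view — confirm it against the repository.
      GPG_NAME: SPEL Packages <[email protected]>
      # Container name; also the image tag the build step produces
      DOCKER_NAME: spel-packages-el${{ matrix.el_version }}
      # Host-side working copy of the yum repo for this EL version
      REPO_PATH: .repo/el${{ matrix.el_version }}
    steps:
      - name: Clone this git repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332

      - name: Install aws-cli
        uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367

      # Seed the local repo with what is already published so the new build is
      # layered on top of it; --no-sign-request reads the bucket anonymously.
      - name: Retrieve existing spel-packages yum repo
        run: |
          mkdir -p ./${{ env.REPO_PATH }}
          aws s3 sync --no-sign-request --exact-timestamps --endpoint-url ${{ env.REPO_ENDPOINT }} s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }} ./${{ env.REPO_PATH }}

      # The `make <tool>/version` targets come from the repository Makefile
      # (not part of this file); their output becomes job env for build-args.
      - name: Get pinned versions
        run: |
          echo "AMAZONLINUX_VERSION=$(make amazonlinux/version)" | tee -a "$GITHUB_ENV"
          echo "EL_VERSION=$(make el${{ matrix.el_version }}/version)" | tee -a "$GITHUB_ENV"
          echo "GOLANG_VERSION=$(make golang/version)" | tee -a "$GITHUB_ENV"
          echo "GOMPLATE_VERSION=$(make gomplate/version)" | tee -a "$GITHUB_ENV"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db

      # `load: true` puts the image into the local daemon under the same tag as
      # DOCKER_NAME, which is what the plain `docker run` below starts.
      - name: Build el${{ matrix.el_version }} repo
        uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
        with:
          file: Dockerfile.el${{ matrix.el_version }}
          context: .
          load: true
          tags: spel-packages-el${{ matrix.el_version }}
          build-args: |
            AMZN_VERSION=${{ env.AMAZONLINUX_VERSION }}
            EL_VERSION=${{ env.EL_VERSION }}
            GOLANG_VERSION=${{ env.GOLANG_VERSION }}
            GOMPLATE_VERSION=${{ env.GOMPLATE_VERSION }}
            EPEL_RELEASE_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-${{ matrix.el_version }}.noarch.rpm
            SPEL_RELEASE_BASEURL=${{ env.REPO_ENDPOINT }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}
            SPEL_RELEASE_RELEASE=${{ env.SPEL_RELEASE_RELEASE }}

      # The container is left running (-d) so later steps can exec/cp into it;
      # --rm removes it once it is stopped.
      - name: Copy built packages to host
        run: |
          docker run -dit --rm \
            --name ${{ env.DOCKER_NAME }} \
            ${{ env.DOCKER_NAME }}
          docker cp ${{ env.DOCKER_NAME }}:/spel-packages/builder/repo/. ./${{ env.REPO_PATH }}/

      # Signing is skipped on pull requests: the GPG secrets are not available
      # to them, and PR builds are tested unsigned further down.
      - name: Import GPG key
        if: github.event_name != 'pull_request'
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Sign packages
        if: github.event_name != 'pull_request'
        run: |
          mapfile -t PACKAGES < <(find ./${{ env.REPO_PATH }}/packages -name '*.rpm' -type f)
          # Fail with a clear message instead of handing rpmsign an empty file list
          if [[ ${#PACKAGES[@]} -eq 0 ]]; then
            echo "No .rpm files found under ./${{ env.REPO_PATH }}/packages; nothing to sign" >&2
            exit 1
          fi
          rpmsign --addsign \
            --define='%_gpg_name ${{ env.GPG_NAME }}' \
            --define='%_signature gpg' \
            "${PACKAGES[@]}"

      # repodata is regenerated by running createrepo inside the container on
      # a copy of the host repo, then copied back out to the host.
      - name: Create yum repo and copy repodata to host
        run: |
          rm -rf ./${{ env.REPO_PATH }}/repodata
          docker cp ./${{ env.REPO_PATH }} ${{ env.DOCKER_NAME }}:/spel-packages/repo
          docker exec ${{ env.DOCKER_NAME }} createrepo /spel-packages/repo
          docker cp ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata ./${{ env.REPO_PATH }}/

      # Detached ASCII-armored signature over repomd.xml, copied into the
      # container so the signed-repo test sees the same metadata that is published.
      - name: Sign yum repodata
        if: github.event_name != 'pull_request'
        run: |
          gpg --batch --yes \
            --detach-sign --armor \
            -u '${{ env.GPG_NAME }}' \
            ./${{ env.REPO_PATH }}/repodata/repomd.xml
          docker cp ./${{ env.REPO_PATH }}/repodata/repomd.xml.asc ${{ env.DOCKER_NAME }}:/spel-packages/repo/repodata

      # upload repo artifact before testing them to troubleshoot failures
      - name: Store repo as artifact
        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
        with:
          name: spel-repo-el${{ matrix.el_version }}
          path: .repo/el${{ matrix.el_version }}
          retention-days: 3

      # Installs everything listed in the container's packages-built file with
      # GPG checking left on, so a bad signature or a missing package fails here.
      - name: Test signed packages and yum repo
        if: github.event_name != 'pull_request'
        run: |
          docker exec \
            ${{ env.DOCKER_NAME }} \
            bash -c 'yum install -y --setopt=skip_missing_names_on_install=False $(<packages-built)'
          docker stop ${{ env.DOCKER_NAME }}

      # PR builds carry no signatures (no key was imported), so --nogpgcheck is
      # the only way to exercise the repo; it is confined to this PR-only step.
      - name: Test unsigned packages and yum repo
        if: github.event_name == 'pull_request'
        run: |
          docker exec \
            ${{ env.DOCKER_NAME }} \
            bash -c 'yum install -y --nogpgcheck --setopt=skip_missing_names_on_install=False $(<packages-built)'
          docker stop ${{ env.DOCKER_NAME }}

      # Role assumed via OIDC (role-to-assume, no static access keys); this is
      # what the workflow's id-token: write permission exists for.
      - name: configure aws credentials
        if: github.event_name != 'pull_request'
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
          # Reuse the region the job already declares instead of a second literal
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      - name: Validate credential
        if: github.event_name != 'pull_request'
        run: aws sts get-caller-identity

      # `sync --delete` makes the bucket prefix mirror the local repo (objects
      # absent locally are removed remotely), then the "latest" aliases are
      # refreshed. The sort picks the highest version/release from fields 4 and
      # 5 of the hyphen-separated filename (version sort, descending).
      - name: Push repo to s3 bucket
        if: github.event_name != 'pull_request'
        run: |
          SPEL_DOD_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-dod-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)"
          SPEL_WCF_CERTS="$(find ./${{ env.REPO_PATH }}/packages/noarch/ -name 'spel-wcf-certs-*' | sort --field-separator=- --key=4.1Vr,4 --key=5Vr | head -1)"
          aws s3 sync --delete ./${{ env.REPO_PATH }}/ s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/el${{ matrix.el_version }}/
          aws s3 cp ./${{ env.REPO_PATH }}/packages/noarch/spel-release-${{ matrix.el_version }}-${{ env.SPEL_RELEASE_RELEASE }}.noarch.rpm s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-release-latest-${{ matrix.el_version }}.noarch.rpm
          aws s3 cp "$SPEL_DOD_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-dod-certs-latest-${{ matrix.el_version }}.noarch.rpm
          aws s3 cp "$SPEL_WCF_CERTS" s3://${{ env.REPO_BUCKET }}/${{ env.REPO_PREFIX }}/spel-wcf-certs-latest-${{ matrix.el_version }}.noarch.rpm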