RELENG: Build + attach RPMs to GitHub Release #26
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Manual action to build, sign, and attach a release's RPMs | |
# ------------------------------------------------------------------------------ | |
# | |
# NOTICE: **This file is maintained with puppetsync** | |
# | |
# This file is updated automatically as part of a puppet module baseline. | |
# | |
# The next baseline sync will overwrite any local changes to this file! | |
# | |
# ============================================================================== | |
# This pipeline uses the following GitHub Action Secrets: | |
# | |
# GitHub Secret variable Notes | |
# ------------------------------- --------------------------------------- | |
# SIMP_CORE_REF_FOR_BUILDING_RPMS simp-core ref (tag) to use to build | |
# RPMs with `rake pkg:single` against | |
# `build/rpms/dependencies.yaml` | |
# SIMP_DEV_GPG_SIGNING_KEY GPG signing key's secret key | |
# SIMP_DEV_GPG_SIGNING_KEY_ID User ID (name) of signing key | |
# SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE Passphrase to use GPG signing key | |
# | |
# ------------------------------------------------------------------------------ | |
# | |
# * This is a workflow_dispatch action, which can be triggered manually or from | |
# other workflows/API. | |
# | |
# * If triggered by another workflow, it will be necessary to provide a GitHub | |
# access token via the the `target_repo_token` parameter | |
# | |
# | |
--- | |
name: 'RELENG: Build + attach RPMs to GitHub Release' | |
on: | |
workflow_dispatch: | |
inputs: | |
release_tag: | |
description: "Release tag" | |
required: true | |
clobber: | |
description: "Clobber identical assets?" | |
required: false | |
default: 'yes' | |
clean: | |
description: "Wipe all release assets first?" | |
required: false | |
default: 'no' | |
autocreate_release: | |
# A GitHub release is needed to upload artifacts to, and some repos | |
# (e.g., forked mirrors) only have tags. | |
description: "Create release if missing? (tag must exist)" | |
required: false | |
default: 'yes' | |
build_container_os: | |
description: "Build container OS" | |
required: true | |
default: 'centos8' | |
target_repo: | |
description: "Target repo (instead of this one)" | |
required: false | |
# WARNING: To avoid exposing secrets in the log, only use this token with | |
# action/script's `github-token` parameter, NEVER in `env:` vars | |
target_repo_token: | |
description: "API token for uploading to target repo" | |
required: false | |
path_to_build: | |
# Example: simp-core builds pupmod from . and simp* from src/assets/simp | |
description: "Subpath to alternative RPM project" | |
required: false | |
dry_run: | |
description: "Dry run (Test-build RPMs)" | |
required: false | |
default: 'no' | |
#verbose: | |
# description: 'Verbose RPM builds when "yes"' | |
# required: false | |
# default: 'no' | |
rebuild_number: | |
description: 'If this is an RPM rebuild, put the number of the rebuild here' | |
required: false | |
default: '' | |
env: | |
TARGET_REPO: ${{ (github.event.inputs.target_repo != null && format('{0}/{1}', github.repository_owner, github.event.inputs.target_repo)) || github.repository }} | |
RELEASE_TAG: ${{ github.event.inputs.release_tag }} | |
jobs: | |
create-and-attach-rpms-to-github-release: | |
name: > | |
Build and attach RPMs to Release: | |
${{ (github.event.inputs.target_repo != null && format('{0}/{1}', github.repository_owner, github.event.inputs.target_repo)) || github.repository }} | |
${{ github.event.inputs.release_tag }} | |
(build os: ${{ github.event.inputs.build_container_os }}) | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: "Validate inputs" | |
id: validate-inputs | |
run: | | |
if ! [[ "$TARGET_REPO" =~ ^[a-z0-9][a-z0-9-]+/[a-z0-9][a-z0-9_-]+$ ]]; then | |
printf '::error ::Target repository name has invalid format: %s\n' "$TARGET_REPO" | |
exit 88 | |
fi | |
if [[ "$RELEASE_TAG" =~ ^(simp-|v)?([0-9]+\.[0-9]+\.[0-9]+)(-(rc|RC|[Aa]lpha|[Bb]eta|pre|post)?([0-9]+)?)?$ ]]; then | |
if [ -n "${BASH_REMATCH[5]}" ]; then | |
echo "{prebuild_number}={${BASH_REMATCH[5]#-}}" >> $GITHUB_OUTPUT | |
fi | |
if [ -n "${BASH_REMATCH[3]}" ]; then | |
echo "{prebuild_suffix}={${BASH_REMATCH[3]#-}}" >> $GITHUB_OUTPUT | |
fi | |
if [ -n "${BASH_REMATCH[2]}" ]; then | |
echo "{build_semver}={${BASH_REMATCH[2]}}" >> $GITHUB_OUTPUT | |
fi | |
else | |
printf '::error ::Release Tag format is not SemVer, X.Y.Z-R, X.Y.Z-<prerelease>: "%s"\n' "$RELEASE_TAG" | |
exit 88 | |
fi | |
- name: > | |
Query info for ${{ env.TARGET_REPO }} | |
release ${{ github.event.inputs.release_tag }} ${{ steps.validate-inputs.outputs.prebuild_suffix }} | |
build os ${{ github.event.inputs.build_container_os }} | |
(autocreate_release = '${{ github.event.inputs.autocreate_release }}') | |
id: release-api | |
env: | |
AUTOCREATE_RELEASE: ${{ github.event.inputs.autocreate_release }} | |
PREBUILD_TAG: ${{ steps.validate-inputs.outputs.prebuild_suffix }} | |
uses: actions/github-script@v6 | |
with: | |
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }} | |
script: | | |
const [owner, repo] = process.env.TARGET_REPO.split('/') | |
const tag = process.env.RELEASE_TAG | |
const autocreate_release = (process.env.AUTOCREATE_RELEASE == 'yes') | |
const owner_data = { owner: owner, repo: repo } | |
const release_data = Object.assign( {tag: tag}, owner_data ) | |
const prerelease = process.env.PREBUILD_TAG ? true : false | |
const create_release_data = Object.assign( {tag_name: tag, prerelease: prerelease}, owner_data ) | |
const tag_data = Object.assign( {ref: `tags/${tag}`}, owner_data ) | |
function id_from_release(data) { | |
console.log( ` >> Release for ${owner}/${repo}, tag ${tag}` ) | |
console.log( ` >>>> release_id: ${data.id}` ) | |
return data.id | |
} | |
function throw_error_unless_should_autocreate_release(err){ | |
if (!( err.name == 'HttpError' && err.status == 404 && autocreate_release )){ | |
core.error(`Error finding release for tag ${tag}: ${err.name}`) | |
throw err | |
} | |
} | |
async function autocreate_release_if_appropriate(err){ | |
throw_error_unless_should_autocreate_release(err) | |
core.warning(`Can't find release for tag ${tag} and tag exists, auto-creating release`) | |
return await github.request( 'GET /repos/{owner}/{repo}/git/matching-refs/{ref}', tag_data ).then ( | |
result => { | |
// Must already have a tag | |
if (result.data.length == 0) { throw `Can't find tag ${tag} in repo ${owner}/${repo}` } | |
return result | |
} | |
).then( | |
async result => { | |
return await github.request( 'POST /repos/{owner}/{repo}/releases', create_release_data).then( | |
result=>{ | |
release_id = id_from_release(result.data) | |
console.log(` ++ created auto release ${release_id}` ) | |
return release_id | |
}, | |
post_err =>{ | |
core.error('Error auto-creating release') | |
throw post_err | |
} | |
) | |
} | |
) | |
} | |
await github.request('GET /repos/{owner}/{repo}/releases/tags/{tag}', release_data ).then( | |
async result => { return await id_from_release(result.data) }, | |
async err => { return await autocreate_release_if_appropriate(err) } | |
).then( | |
release_id => { | |
if (!release_id){ | |
throw `Could not get release for ${tag} for repo ${owner}:${repo}` | |
} | |
console.log( ` **** release_id: ${release_id}` ) | |
core.setOutput('id', release_id) | |
}, | |
err => { throw err } | |
) | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
repository: ${{ env.TARGET_REPO }} | |
ref: ${{ env.RELEASE_TAG }} | |
clean: true | |
fetch-depth: 0 | |
- name: 'Customize RPM Release tag via build/rpm_metadata/release (pre-release only)' | |
if: steps.validate-inputs.outputs.prebuild_suffix | |
env: | |
BUILD_SEMVER: ${{ steps.validate-inputs.outputs.build_semver }} | |
PREBUILD_TAG: ${{ steps.validate-inputs.outputs.prebuild_suffix }} | |
PREBUILD_NUMBER: ${{ steps.validate-inputs.outputs.prebuild_number }} | |
# Note: To accomodate the capabilities of EL7's version of RPM, the | |
# release number is formatted according to the Fedora Packaging | |
# Guidelines' "Traditional versioning" conventions: | |
# | |
# - https://fedoraproject.org/en-US/packaging-guidelines/Versioning/ | |
# - https://fedoraproject.org/wiki/Package_Versioning_Examples | |
# | |
run: | | |
mkdir -p build/rpm_metadata | |
# Special case for simp-doc's unique data format in /release | |
if [[ "$TARGET_REPO" =~ ^simp\/simp-doc$ ]]; then | |
echo "version: $BUILD_SEMVER" > build/rpm_metadata/release | |
echo "release: 0.${PREBUILD_NUMBER:-$GITHUB_RUN_NUMBER}.${PREBUILD_TAG}" >> build/rpm_metadata/release | |
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)" | |
else | |
echo "0.${PREBUILD_NUMBER:-$GITHUB_RUN_NUMBER}.${PREBUILD_TAG}" > build/rpm_metadata/release | |
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)" | |
fi | |
- name: 'Customize RPM Release tag via build/rpm_metadata/release (RPM rebuild)' | |
if: ${{ github.event.inputs.rebuild_number != '' }} | |
env: | |
BUILD_SEMVER: ${{ steps.validate-inputs.outputs.build_semver }} | |
REBUILD_NUMBER: ${{ github.event.inputs.rebuild_number }} | |
run: | | |
mkdir -p build/rpm_metadata | |
# simp-doc uses a unique data format in /release | |
if [[ "$TARGET_REPO" =~ ^simp\/simp-doc$ ]]; then | |
echo "version: $BUILD_SEMVER" > build/rpm_metadata/release | |
echo "release: $REBUILD_NUMBER" > build/rpm_metadata/release | |
else | |
echo "$REBUILD_NUMBER" > build/rpm_metadata/release | |
fi | |
printf '::warning ::Added file build/rpm_metadata/release with content "%s"\n' "$(cat build/rpm_metadata/release)" | |
- name: > | |
Build & Sign RPMs for | |
${{ github.event.inputs.release_tag }} | |
Release (${{ github.event.inputs.build_container_os }}) | |
uses: simp/github-action-build-and-sign-pkg-single-rpm@v2 | |
id: build-and-sign-rpm | |
with: | |
gpg_signing_key: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY }} | |
gpg_signing_key_id: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_ID }} | |
gpg_signing_key_passphrase: ${{ secrets.SIMP_DEV_GPG_SIGNING_KEY_PASSPHRASE }} | |
simp_core_ref_for_building_rpms: ${{ secrets.SIMP_CORE_REF_FOR_BUILDING_RPMS }} | |
simp_builder_docker_image: 'docker.io/simpproject/simp_build_${{ github.event.inputs.build_container_os }}:latest' | |
path_to_build: "${{ (github.event.inputs.path_to_build != null && format('{0}/{1}', github.workspace, github.event.inputs.path_to_build)) || github.workspace }}" | |
verbose: 'no' #${{ github.event.inputs.verbose }} | |
- name: "Wipe all previous assets from GitHub Release (when clean == 'yes')" | |
if: ${{ github.event.inputs.clean == 'yes' && github.event.inputs.dry_run != 'yes' }} | |
uses: actions/github-script@v6 | |
env: | |
release_id: ${{ steps.release-api.outputs.id }} | |
with: | |
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }} | |
script: | | |
const release_id = process.env.release_id | |
const [owner, repo] = process.env.TARGET_REPO.split('/') | |
const existingAssets = await github.rest.repos.listReleaseAssets({ owner, repo, release_id }) | |
console.log( ` !! !! Wiping ALL uploaded assets for ${owner}/${repo} release (id: ${release_id})`) | |
existingAssets.data.forEach(async function(asset){ | |
asset_id = asset.id | |
console.log( ` !! !! !! Wiping existing asset for ${asset.name} (id: ${asset_id})`) | |
await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id }) | |
}) | |
- name: "Upload RPM file(s) to GitHub Release (dry_run != 'yes')" | |
if: ${{ github.event.inputs.dry_run != 'yes' }} | |
uses: actions/github-script@v6 | |
env: | |
rpm_file_paths: ${{ steps.build-and-sign-rpm.outputs.rpm_file_paths }} | |
rpm_gpg_file: ${{ steps.build-and-sign-rpm.outputs.rpm_gpg_file }} | |
release_id: ${{ steps.release-api.outputs.id }} | |
clobber: ${{ github.event.inputs.clobber }} | |
clean: ${{ github.event.inputs.clean }} | |
dry_run: ${{ github.event.inputs.dry_run }} | |
with: | |
github-token: ${{ github.event.inputs.target_repo_token || secrets.GITHUB_TOKEN }} | |
script: | | |
const path = require('path') | |
const fs = require('fs') | |
async function clobberAsset (name, owner, repo, release_id ){ | |
console.log( ` -- clobber asset ${name}: owner: ${owner} repo: ${repo} release_id: ${release_id}` ) | |
const existingAssets = await github.rest.repos.listReleaseAssets({ owner, repo, release_id }) | |
const matchingAssets = existingAssets.data.filter(item => item.name == name); | |
if ( matchingAssets.length > 0 ){ | |
asset_id = matchingAssets[0].id | |
console.log( ` !! !! Clobbering existing asset for ${name} (id: ${asset_id})`) | |
await github.rest.repos.deleteReleaseAsset({ owner, repo, asset_id }) | |
return(true) | |
} | |
return(false) | |
} | |
async function uploadAsset(owner, repo, release_id, file, assetContentType ){ | |
console.log( `\n\n -- uploadAsset: owner: ${owner} repo: ${repo} release_id: ${release_id}, file: ${file}\n` ) | |
const name = path.basename(file) | |
const data = fs.readFileSync(file) | |
const contentLength = fs.statSync(file).size | |
const headers = { | |
'content-type': assetContentType, | |
'content-length': contentLength | |
}; | |
console.log( ` == Uploading asset ${name}: ${assetContentType}` ) | |
const uploadAssetResponse = await github.rest.repos.uploadReleaseAsset({ | |
owner, repo, release_id, data, name, headers, | |
}) | |
return( uploadAssetResponse ); | |
} | |
console.log('== start'); | |
const release_id = process.env.release_id | |
const [owner, repo] = process.env.TARGET_REPO.split('/') | |
const clobber = process.env.clobber == 'yes'; | |
const rpm_files = process.env.rpm_file_paths.split(/[\r\n]+/); | |
const rpm_gpg_file = process.env.rpm_gpg_file; | |
let uploaded_files = rpm_files.concat(rpm_gpg_file).map(function(file){ | |
const name = path.basename(file) | |
var content_type = 'application/pgp-keys' | |
if( name.match(/\.rpm$/) ){ | |
content_type = 'application/octet-stream' | |
} | |
let conditionalClobber = new Promise((resolve,reject) => { | |
if ( clobber ){ | |
resolve(clobberAsset( name, owner, repo, release_id )) | |
return | |
} | |
resolve( false ) | |
}) | |
conditionalClobber.then((clobbered)=> { | |
uploadAsset(owner, repo, release_id, file, content_type ) | |
}).then(result => result ) | |
}) | |
console.log('== done') |