From f817d97f85fff41392ff3017245b80a3ab73cf8a Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Thu, 28 Dec 2023 17:23:09 +0100 Subject: [PATCH] [CI] Forgejo Actions based release process (squash) refactor (#2053) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refs: https://codeberg.org/forgejo/forgejo/issues/2051 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2053 Reviewed-by: Loïc Dachary Co-authored-by: Earl Warren Co-committed-by: Earl Warren (cherry picked from commit 01abf4d505b092886ed22cdb903ec834061cd7d6) [CI] Forgejo Actions based release process (squash) no ownca The private Forgejo instance trusted with the release signing keys no longer requires the installation of the ownca certificate authority. Refs: https://codeberg.org/forgejo/docs/pulls/338 (cherry picked from commit 72f9ae796d7d7328e87129485e83251708f3d2fb) (cherry picked from commit b0ca4236d76bcc24dfeecba54b602af542355c7d) (cherry picked from commit 81619cf8b5e1650eeb8cb315ee7fa70d0c2d82ba) (cherry picked from commit 2cb32c1a2bd1dd58bb51b81b06e5453608cf0b5d) --- .forgejo/actions/build-release/action.yml | 154 ------------------ .forgejo/actions/publish-release/action.yml | 110 ------------- .../workflows/build-release-integration.yml | 8 +- .forgejo/workflows/build-release.yml | 82 ++-------- .../workflows/cascade-setup-end-to-end.yml | 5 +- .forgejo/workflows/publish-release.yml | 61 ++++--- .forgejo/workflows/testing.yml | 6 + 7 files changed, 56 insertions(+), 370 deletions(-) delete mode 100644 .forgejo/actions/build-release/action.yml delete mode 100644 .forgejo/actions/publish-release/action.yml diff --git a/.forgejo/actions/build-release/action.yml b/.forgejo/actions/build-release/action.yml deleted file mode 100644 index 01fdfdedfc..0000000000 --- a/.forgejo/actions/build-release/action.yml +++ /dev/null @@ -1,154 +0,0 @@ -name: 'Build release' -author: 'Forgejo authors' -description: | - Build release - -inputs: - forgejo: - description: 'URL of the Forgejo instance where the release is uploaded' - required: true - owner: - description: 'User or organization where the release is uploaded, relative to the Forgejo instance' - required: true - repository: - description: 'Repository where the release is uploaded, relative to the owner' - required: true - doer: - description: 'Name of the user authoring the release' - required: true - tag-version: - description: 'Version of the release derived from the tag withint the leading v' - required: true - suffix: - description: 'Suffix to add to the image tag' - token: - description: 'token' - required: true - dockerfile: - description: 'path to the dockerfile' - default: 'Dockerfile' - platforms: - description: 'Coma separated list of platforms' - default: 'linux/amd64,linux/arm64' - release-notes: - description: 'Full text of the release notes' - default: 'Release notes placeholder' - binary-name: - description: 'Name of the binary' - binary-path: - description: 'Path of the binary within the container to extract into binary-name' - verbose: - description: 'Increase the verbosity level' - default: 'false' - -runs: - using: "composite" - steps: - - run: echo "${{ github.action_path }}" >> $GITHUB_PATH - shell: bash - - - name: Install dependencies - run: | - apt-get install -y -qq xz-utils - - - name: set -x if verbose is required - id: verbose - run: | - if ${{ inputs.verbose }} ; then - echo "shell=set -x" >> "$GITHUB_OUTPUT" - fi - - - name: Create the insecure and buildx-config variables for the container registry - id: registry - run: | - ${{ steps.verbose.outputs.shell }} - url="${{ inputs.forgejo }}" - hostport=${url##http*://} - hostport=${hostport%%/} - echo "host-port=${hostport}" >> "$GITHUB_OUTPUT" - if ! [[ $url =~ ^http:// ]] ; then - exit 0 - fi - cat >> "$GITHUB_OUTPUT" < /etc/docker/daemon.json < ~/.docker/config.json - env: - CI_REGISTRY: "${{ steps.registry.outputs.host-port }}" - - - name: Build the container image for each architecture - uses: https://github.com/docker/build-push-action@v4 - # workaround until https://github.com/docker/build-push-action/commit/d8823bfaed2a82c6f5d4799a2f8e86173c461aba is in @v4 or @v5 is released - env: - ACTIONS_RUNTIME_TOKEN: '' - with: - context: . - push: true - file: ${{ inputs.dockerfile }} - platforms: ${{ inputs.platforms }} - tags: ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }} - - - name: Extract the binary from the container images into the release directory - if: inputs.binary-name != '' - run: | - ${{ steps.verbose.outputs.shell }} - mkdir -p release - cd release - for platform in $(echo ${{ inputs.platforms }} | tr ',' ' '); do - arch=$(echo $platform | sed -e 's|linux/||g' -e 's|arm/v6|arm-6|g') - docker create --platform $platform --name forgejo-$arch ${{ steps.registry.outputs.host-port }}/${{ inputs.owner }}/${{ inputs.repository }}:${{ inputs.tag-version }}${{ inputs.suffix }} - binary="${{ inputs.binary-name }}-${{ inputs.tag-version }}-linux" - docker cp forgejo-$arch:${{ inputs.binary-path }} $binary-$arch - chmod +x $binary-$arch - # the displayed version has a + instead of the first -, deal with it - pattern=$(echo "${{ inputs.tag-version }}" | tr - .) - if ! ./$binary-$arch --version | grep "$pattern" ; then - echo "ERROR: expected version pattern $pattern not found in the output of $binary-$arch --version" - ./$binary-$arch --version - exit 1 - fi - xz --keep -9 $binary-$arch - shasum -a 256 $binary-$arch > $binary-$arch.sha256 - shasum -a 256 $binary-$arch.xz > $binary-$arch.xz.sha256 - docker rm forgejo-$arch - done - - - name: publish release - if: inputs.binary-name != '' - uses: https://code.forgejo.org/actions/forgejo-release@v1 - with: - direction: upload - release-dir: release - release-notes: "${{ inputs.release-notes }}" - token: ${{ inputs.token }} - verbose: ${{ steps.verbose.outputs.value }} diff --git a/.forgejo/actions/publish-release/action.yml b/.forgejo/actions/publish-release/action.yml deleted file mode 100644 index 42b6097ee0..0000000000 --- a/.forgejo/actions/publish-release/action.yml +++ /dev/null @@ -1,110 +0,0 @@ -name: 'Publish release' -author: 'Forgejo authors' -description: | - Publish release - -inputs: - forgejo: - description: 'URL of the Forgejo instance where the release is uploaded (e.g. https://codeberg.org)' - required: true - from-owner: - description: 'the owner from which a release is to be copied (e.g forgejo-integration)' - required: true - to-owner: - description: 'the owner to which a release is to be copied (e.g. forgejo-experimental). It has be an organization in which doer has the required permissions. Or be the same as the doer' - required: true - repo: - description: 'the repository from which a release is to be copied relative to from-owner and to-owner' - default: 'forgejo' - ref-name: - description: 'ref_name of the tag of the release to be copied (e.g. github.ref_name)' - required: true - doer: - description: 'Name of the user authoring the release (e.g. release-team). The user must be authorized to create packages in to-owner and releases in to-owner/repo' - required: true - token: - description: 'application token created on forgejo by the doer, with a scope allowing it to create packages in to-owner and releases in to-owner/repo' - required: true - gpg-private-key: - description: 'GPG Private Key to sign the release artifacts' - gpg-passphrase: - description: 'Passphrase of the GPG Private Key' - verbose: - description: 'Increase the verbosity level' - default: 'false' - -runs: - using: "composite" - steps: - - id: hostport - run: | - url="${{ inputs.forgejo }}" - hostport=${url##http*://} - hostport=${hostport%%/} - echo "value=$hostport" >> "$GITHUB_OUTPUT" - - - id: tag-version - run: | - version="${{ inputs.ref-name }}" - version=${version##*v} - echo "value=$version" >> "$GITHUB_OUTPUT" - - - name: Create the release notes - id: release-notes - run: | - anchor=${{ steps.tag-version.outputs.value }} - anchor=${anchor//./-} - cat >> "$GITHUB_OUTPUT" <> "$GITHUB_OUTPUT" - - name: Sanitize the name of the repository id: repository run: | - set -x # comment out repository="${{ github.repository }}" echo "value=${repository##*/}" >> "$GITHUB_OUTPUT" - - name: When in a test environment, create a token - id: token - if: ${{ secrets.TOKEN == '' }} - run: | - apt-get -qq install -y jq - url="${{ env.GITHUB_SERVER_URL }}" - hostport=${url##http*://} - hostport=${hostport%%/} - doer=root - api=http://$doer:admin1234@$hostport/api/v1/users/$doer/tokens - curl -sS -X DELETE $api/release - token=$(curl -sS -X POST -H 'Content-Type: application/json' --data-raw '{"name": "release", "scopes": ["all"]}' $api | jq --raw-output .sha1) - echo "value=${token}" >> "$GITHUB_OUTPUT" - - uses: https://code.forgejo.org/actions/setup-node@v3 with: - node-version: 18 + node-version: 20 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: ">=1.20" + go-version: ">=1.21" check-latest: true - - name: Create the version from ref_name + - name: version from ref_name id: tag-version run: | version="${{ github.ref_name }}" version=${version##*v} echo "value=$version" >> "$GITHUB_OUTPUT" - - name: Create the release notes + - name: release notes id: release-notes run: | + anchor=${{ steps.tag-version.outputs.value }} + anchor=${anchor//./-} cat >> "$GITHUB_OUTPUT" < +# vars.ROLE: forgejo-experimental +# vars.FORGEJO: https://codeberg.org +# vars.FROM_OWNER: forgejo-integration +# vars.TO_OWNER: forgejo-experimental +# vars.REPO: forgejo +# vars.DOER: forgejo-experimental-ci +# secrets.TOKEN: # -# https://forgejo.octopuce.forgejo.org/forgejo/forgejo +# http://private.forgejo.org/forgejo/forgejo # # Copies & sign a release from codeberg.org/forgejo-integration to codeberg.org/forgejo # -# ROLE: forgejo-release -# FORGEJO: https://codeberg.org -# FROM_OWNER: forgejo-integration -# TO_OWNER: forgejo -# DOER: release-team -# TOKEN: -# GPG_PRIVATE_KEY: -# GPG_PASSPHRASE: +# vars.ROLE: forgejo-release +# vars.FORGEJO: https://codeberg.org +# vars.FROM_OWNER: forgejo-integration +# vars.TO_OWNER: forgejo +# vars.REPO: forgejo +# vars.DOER: release-team +# secrets.TOKEN: +# secrets.GPG_PRIVATE_KEY: +# secrets.GPG_PASSPHRASE: # name: Pubish release @@ -35,39 +37,34 @@ on: jobs: publish: runs-on: self-hosted - if: secrets.DOER != '' && secrets.FORGEJO != '' && secrets.TO_OWNER != '' && secrets.FROM_OWNER != '' && secrets.TOKEN != '' + if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != '' steps: - - name: install the certificate authority - if: secrets.ROLE == 'forgejo-release' - run: | - apt-get install -qq -y wget - wget --no-check-certificate -O /usr/local/share/ca-certificates/enough.crt https://forgejo.octopuce.forgejo.org/forgejo/enough/raw/branch/main/certs/2023-05-13/ca.crt - update-ca-certificates --fresh - - uses: actions/checkout@v3 - - name: copy & sign binaries and container images from one owner to another - uses: ./.forgejo/actions/publish-release + - name: copy & sign + uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v1 with: - forgejo: ${{ secrets.FORGEJO }} - from-owner: ${{ secrets.FROM_OWNER }} - to-owner: ${{ secrets.TO_OWNER }} + forgejo: ${{ vars.FORGEJO }} + from-owner: ${{ vars.FROM_OWNER }} + to-owner: ${{ vars.TO_OWNER }} + repo: ${{ vars.REPO }} ref-name: ${{ github.ref_name }} - doer: ${{ secrets.DOER }} + release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#{ANCHOR}" + doer: ${{ vars.DOER }} token: ${{ secrets.TOKEN }} gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }} gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }} - verbose: ${{ secrets.VERBOSE }} + verbose: ${{ vars.VERBOSE }} - name: set up go for the DNS update below + if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != '' uses: https://code.forgejo.org/actions/setup-go@v4 - if: secrets.ROLE == 'forgejo-experimental' with: go-version: ">=1.21" check-latest: true - name: update the _release.experimental DNS record - if: secrets.ROLE == 'forgejo-experimental' + if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != '' uses: https://code.forgejo.org/actions/ovh-dns-update@v1 with: subdomain: _release.experimental diff --git a/.forgejo/workflows/testing.yml b/.forgejo/workflows/testing.yml index 353549c9a4..f8fcac3c1c 100644 --- a/.forgejo/workflows/testing.yml +++ b/.forgejo/workflows/testing.yml @@ -9,6 +9,7 @@ on: jobs: lint-backend: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker container: image: 'docker.io/node:20-bookworm' @@ -23,6 +24,7 @@ jobs: env: TAGS: bindata sqlite sqlite_unlock_notify checks-backend: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker container: image: 'docker.io/node:20-bookworm' @@ -35,6 +37,7 @@ jobs: - run: make deps-backend deps-tools - run: make --always-make checks-backend # ensure the "go-licenses" make target runs test-unit: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker needs: [lint-backend, checks-backend] container: @@ -67,6 +70,7 @@ jobs: RACE_ENABLED: 'true' TAGS: bindata test-mysql: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker needs: [lint-backend, checks-backend] container: @@ -109,6 +113,7 @@ jobs: TAGS: bindata USE_REPO_TEST_DIR: 1 test-pgsql: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker needs: [lint-backend, checks-backend] container: @@ -154,6 +159,7 @@ jobs: TEST_TAGS: gogit USE_REPO_TEST_DIR: 1 test-sqlite: + if: ${{ !startsWith(vars.ROLE, 'forgejo-') }} runs-on: docker needs: [lint-backend, checks-backend] container: