From 74f13538382e2cc219e0ea83dd09a8af0427e425 Mon Sep 17 00:00:00 2001
From: Al Berez
Date: Wed, 8 May 2024 11:40:10 -0700
Subject: [PATCH] Switch from repo secrets to vars [v8] (#2841)
* Switch from repo secrets to vars
---
 .../workflows/release-build-sign-upload.yml | 67 +++++-------------
 .github/workflows/release-update-repos.yml | 28 ++++----
 2 files changed, 29 insertions(+), 66 deletions(-)
diff --git a/.github/workflows/release-build-sign-upload.yml b/.github/workflows/release-build-sign-upload.yml
index 65fac808e59..f9742a341d3 100644
--- a/.github/workflows/release-build-sign-upload.yml
+++ b/.github/workflows/release-build-sign-upload.yml
@@ -44,45 +44,17 @@ permissions:
 contents: read
 defaults:
- # top-level defaults subkeys apply to jobs
- # run subkeys apply to all steps within all jobs
 run:
 shell: bash
 jobs:
-
- # test:
- # environment: DEV
- # runs-on: ubuntu-latest
- # steps:
- # - name: Setup upterm session
- # env:
- # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- # AWS_REGION: ${{ secrets.AWS_REGION }}
- # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- # GIT_RELEASE_TARGET_REPO: ${{ secrets.GIT_RELEASE_TARGET_REPO }}
- # GIT_REPO_ACCESS_TOKEN: ${{ secrets.GIT_REPO_ACCESS_TOKEN }}
- # SIGNING_KEY_GPG: ${{ secrets.SIGNING_KEY_GPG }}
- # SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
- # SIGNING_KEY_GPG_PASSPHRASE: ${{ secrets.SIGNING_KEY_GPG_PASSPHRASE }}
- # SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
- # SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
- # SIGNING_KEY_MAC_PFX: ${{ secrets.SIGNING_KEY_MAC_PFX }}
- # SIGNING_KEY_WINDOWS_ID: ${{ secrets.SIGNING_KEY_WINDOWS_ID }}
- # SIGNING_KEY_WINDOWS_PASSPHRASE: ${{ secrets.SIGNING_KEY_WINDOWS_PASSPHRASE }}
- # SIGNING_KEY_WINDOWS_PFX: ${{ secrets.SIGNING_KEY_WINDOWS_PFX }}
- # SIGNING_TEST_CA_MAC: ${{ secrets.SIGNING_TEST_CA_MAC }}
- # if: always()
- # uses: lhotari/action-upterm@v1
- # timeout-minutes: 60
-
 setup:
 name: Setup # needs: test
 runs-on: ubuntu-latest
 outputs:
- aws-s3-bucket: "v${{ steps.parse-semver.outputs.version-major }}-cf-cli-releases"
+ aws-s3-bucket: "v${{ steps.parse-semver.outputs.version-major }}-cf-cli-releases"
 version-build: ${{ steps.parse-semver.outputs.version-build }}
 version-major: ${{ steps.parse-semver.outputs.version-major }}
@@ -179,7 +151,7 @@ jobs:
 - name: Build RedHat Packages
 env:
- SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
+ SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
 run: |
 set -ex
 set -o pipefail
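Review bot: The `# needs: test` comment on the setup job now points at nothing: this hunk deletes the commented-out `test` (upterm session) job it referred to, so the leftover reads as if a job is only temporarily disabled when it no longer exists. Drop the comment, or make it say what is intended, e.g. `# no debug job: the former upterm session step was removed`. Removing that block is a good change on its own, since it loaded the signing and AWS secrets into a single long-running interactive step. The setup job continues past the hunk.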
@@ -248,7 +220,7 @@ jobs:
 - name: Sign RedHat Packages
 env:
- SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
+ SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
 SIGNING_KEY_GPG_PASSPHRASE: ${{ secrets.SIGNING_KEY_GPG_PASSPHRASE }}
 run: |
 set -ex
@@ -544,8 +516,7 @@ jobs:
 - name: Load macos key
 env:
- # SIGNING_TEST_CA_MAC: ${{ secrets.SIGNING_TEST_CA_MAC }}
- SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
+ SIGNING_KEY_MAC_ID: ${{ vars.SIGNING_KEY_MAC_ID }}
 SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
 SIGNING_KEY_MAC_PFX: ${{ secrets.SIGNING_KEY_MAC_PFX }}
@@ -583,7 +554,7 @@ jobs:
 - name: Sign macOS
 env:
 VERSION_MAJOR: ${{ needs.setup.outputs.version-major }}
- SIGNING_KEY_MAC_ID: ${{ secrets.SIGNING_KEY_MAC_ID }}
+ SIGNING_KEY_MAC_ID: ${{ vars.SIGNING_KEY_MAC_ID }}
 SIGNING_KEY_MAC_PASSPHRASE: ${{ secrets.SIGNING_KEY_MAC_PASSPHRASE }}
 run: |
@@ -694,8 +665,8 @@ jobs:
 - name: Sign Windows binaries
 run: |
 smctl healthcheck --all
- smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_win32.exe
- smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_winx64.exe
+ smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_win32.exe
+ smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input out\cf-cli_winx64.exe
 - name: View binary signatures
 run: |
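Review bot: The Sign Windows binaries step splices `${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }}` directly into the `run:` script text on both smctl lines (the Sign Windows installers hunk does the same), so the expression is expanded before the shell parses the command and whoever can change that repository variable also changes what the signing step executes, in a step that has the signing credentials in scope. Route the value through the step's `env:` and read it from the shell, the way the GPG and macOS steps in the earlier hunks already do: add `SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT: ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }}` under a step-level `env:` and change the command to `smctl sign --fingerprint "${env:SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT}" --tool signtool --input out\cf-cli_win32.exe` (the `${env:RUNNER_TEMP}` form used by the installer step suggests these steps run under PowerShell rather than the file's default bash; use `"$SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT"` if that is wrong). Moving the fingerprint out of `secrets` is reasonable since it is public data carried in every signature, but it also means the value is no longer masked, which makes the env-variable pattern the more important half of the change. The enclosing job starts before and ends after the hunk.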
@@ -726,8 +697,8 @@ jobs:
 - name: Sign Windows installers
 run: |
- smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\win32\cf${env:VERSION_MAJOR}_installer.exe"
- smctl sign --fingerprint ${{ secrets.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\winx64\cf${env:VERSION_MAJOR}_installer.exe"
+ smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\win32\cf${env:VERSION_MAJOR}_installer.exe"
+ smctl sign --fingerprint ${{ vars.SIGNING_KEY_WINDOWS_DIGICERT_CERT_FINGERPRINT }} --tool signtool --input "${env:RUNNER_TEMP}\winx64\cf${env:VERSION_MAJOR}_installer.exe"
 - name: View installer signature
 run: |
@@ -781,8 +752,8 @@ jobs:
 actions: read
 contents: read
 env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_REGION: ${{ secrets.AWS_REGION }}
+ AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
+ AWS_REGION: ${{ vars.AWS_REGION }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 AWS_S3_BUCKET: ${{ needs.setup.outputs.aws-s3-bucket }}
 VERSION_BUILD: ${{ needs.setup.outputs.version-build }}
@@ -880,17 +851,13 @@ jobs:
 - name: Setup aws to upload installers to CLAW S3 bucket
 uses: aws-actions/configure-aws-credentials@v4
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
 with:
- aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
- role-to-assume: ${{ env.AWS_S3_ROLE_ARN }}
+ aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: ${{ vars.AWS_S3_ROLE_ARN }}
 role-skip-session-tagging: true
- role-duration-seconds: 1200
+ role-duration-seconds: 1200
 - name: Upload installers to CLAW S3 bucket
 run: aws s3 sync upload "s3://v${VERSION_MAJOR}-cf-cli-releases/releases/v${VERSION_BUILD}/"
@@ -928,7 +895,7 @@ jobs:
 draft: true
 name: "DRAFT v${{ env.VERSION_BUILD }}"
 # tag_name: "v${{ env.VERSION_BUILD }}"
- repository: ${{ secrets.GIT_RELEASE_TARGET_REPO }} # repo to draft a release under, in / format
+ repository: ${{ vars.GIT_RELEASE_TARGET_REPO }} # repo to draft a release under, in / format
 token: ${{ secrets.GIT_REPO_ACCESS_TOKEN }} # only needed when pushing to a repo other than 'self'
 fail_on_unmatched_files: true
diff --git a/.github/workflows/release-update-repos.yml b/.github/workflows/release-update-repos.yml
index 38ffd46d177..d237bb69730 100644
--- a/.github/workflows/release-update-repos.yml
+++ b/.github/workflows/release-update-repos.yml
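Review bot: `aws-region: ${{ vars.AWS_REGION }}` replaces the literal `us-west-1` on this CLAW step and on the matching step in release-update-repos.yml, which is a behavioral change beyond the secrets-to-vars move in the title: the region is no longer visible in the workflow, and the same variable is also the job-level `AWS_REGION` of the upload job, so both uses now have to agree with where the CLAW bucket lives. A comment on the step would record the constraint, e.g. `aws-region: ${{ vars.AWS_REGION }} # must match the CLAW bucket region (was hard-coded us-west-1)`; the Debian repository step in release-update-repos.yml still hard-codes `AWS_DEFAULT_REGION: us-west-2`, so presumably the two regions differ by design — worth confirming. Since this step already assumes a role via `role-to-assume`, the remaining static `AWS_SECRET_ACCESS_KEY` could later be retired by granting the job `id-token: write` and letting configure-aws-credentials@v4 authenticate with the runner's OIDC token, which would take a long-lived AWS credential out of the repository's secrets entirely. The enclosing job starts before and ends after the hunk.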
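Review bot: `repository: ${{ vars.GIT_RELEASE_TARGET_REPO }}` makes the destination of the draft release an ordinary repository variable while `token: ${{ secrets.GIT_REPO_ACCESS_TOKEN }}` still supplies write access to it, so whoever can edit that variable can redirect the signed release artifacts to any repository the token can reach. That is only safe if the token is scoped to the single intended target, which the workflow cannot show; state the expectation next to the token, e.g. `token: ${{ secrets.GIT_REPO_ACCESS_TOKEN }} # fine-grained token scoped to GIT_RELEASE_TARGET_REPO only`. If the target is meant to be fixed, a literal `owner/repo` here would be simpler to audit than a variable. The enclosing step starts before the hunk.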
@@ -291,13 +291,13 @@ jobs:
 - name: Update Debian Repository
 env:
- DEBIAN_FRONTEND: noninteractive
- SIGNING_KEY_GPG_ID: ${{ secrets.SIGNING_KEY_GPG_ID }}
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_BUCKET_NAME: cf-cli-debian-repo
- AWS_DEFAULT_REGION: us-west-2
+ DEBIAN_FRONTEND: noninteractive
+ SIGNING_KEY_GPG_ID: ${{ vars.SIGNING_KEY_GPG_ID }}
+ AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
+ AWS_BUCKET_NAME: cf-cli-debian-repo
+ AWS_DEFAULT_REGION: us-west-2
 AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
+ AWS_S3_ROLE_ARN: ${{ vars.AWS_S3_ROLE_ARN }}
 run: |
 export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" $(aws sts assume-role --role-arn ${AWS_S3_ROLE_ARN} --role-session-name foobar --output text --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]"))
 deb-s3 upload installers/*.deb \
@@ -360,7 +360,7 @@ jobs:
 # TODO: fix backup
 # - name: Download current RPM repodata
 # env:
- # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ # AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}
 # AWS_DEFAULT_REGION: us-east-1
 # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 # uses: docker://amazon/aws-cli:latest
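Review bot: The `run:` block assumes the S3 role with `--role-session-name foobar`, so every CloudTrail record for the Debian repository upload carries the same meaningless session name and cannot be tied back to a particular workflow run. Use a name derived from the run, e.g. `--role-session-name "cf-cli-release-${GITHUB_RUN_ID}"` (`GITHUB_RUN_ID` is set by the runner), which costs nothing and makes the upload auditable; the `role-skip-session-tagging: true` on the CLAW steps means no session tags exist to compensate there either. The `DEBIAN_FRONTEND` through `AWS_DEFAULT_REGION` lines appear to be re-indented only, which the collapsed view hides. The step's `run:` block continues past the hunk.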
@@ -394,17 +394,13 @@ jobs:
 - name: Setup aws to upload installers to CLAW S3 bucket
 uses: aws-actions/configure-aws-credentials@v4
- env:
- AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_S3_ROLE_ARN: ${{ secrets.AWS_S3_ROLE_ARN }}
 with:
- aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
- aws-region: us-west-1
- role-to-assume: ${{ env.AWS_S3_ROLE_ARN }}
+ aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: ${{ vars.AWS_S3_ROLE_ARN }}
 role-skip-session-tagging: true
- role-duration-seconds: 1200
+ role-duration-seconds: 1200
 - name: Download V8 RPMs
 run: aws s3 sync --exclude "*" --include "releases/*/*installer*.rpm" s3://v8-cf-cli-releases .