fix(ci/cd): fix release pipeline and adding tests

newrelic · Oct 11, 2023 · 22e99cd · 22e99cd
1 parent 8b5c9cb
commit 22e99cd
Show file tree

Hide file tree

Showing 10 changed files with 137 additions and 37 deletions.
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -17,7 +17,7 @@ env:
 jobs:
   test-nix:
     name: Run unit tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Login to DockerHub
@@ -30,7 +30,7 @@ jobs:
 
   test-windows:
     name: Run unit tests on Windows
-    runs-on: windows-2022
+    runs-on: windows-latest
     env:
       GOPATH: ${{ github.workspace }}
     defaults:
@@ -53,7 +53,7 @@ jobs:
   # can't run this step inside of container because of tests specific
   test-integration-nix:
     name: Run integration tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
@@ -74,7 +74,7 @@ jobs:
 
   prerelease:
     name: Build binary for *Nix/Win, create archives for *Nix/Win, create packages for *Nix, upload all artifacts into GH Release assets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     needs: [test-nix, test-windows, test-integration-nix]
     steps:
       - uses: actions/checkout@v4
@@ -97,7 +97,7 @@ jobs:
 
   package-win:
     name: Create MSI & Upload into GH Release assets
-    runs-on: windows-2022
+    runs-on: windows-latest
     needs: [prerelease]
     env:
       GOPATH: ${{ github.workspace }}
@@ -122,7 +122,8 @@ jobs:
       - name: Download zip from GH Release assets and extract .exe
         shell: pwsh
         run: |
-          build\windows\download_zip_extract_exe.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG" "$env:REPO_FULL_NAME"
+          build\windows\download_zip.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG" "$env:REPO_FULL_NAME"
+          build\windows\extract_exe.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG"
       - name: Create MSI
         shell: pwsh
         run: |
@@ -143,7 +144,7 @@ jobs:
 
   publish-to-s3:
     name: Send release assets to S3
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     needs: [package-win]
     steps:
       - name: Login to DockerHub

diff --git a/.github/workflows/push_pr.yml b/.github/workflows/push_pr.yml
@@ -9,15 +9,16 @@ on:
   pull_request:
 
 env:
-  TAG: "v0.0.0" # needed for goreleaser windows builds
+  TAG: "v0.0.0" # needed for fake-prereleases
   REPO_FULL_NAME: ${{ github.event.repository.full_name }}
+  INTEGRATION: "nginx"
   ORIGINAL_REPO_NAME: "newrelic/nri-nginx"
   DOCKER_LOGIN_AVAILABLE: ${{ secrets.OHAI_DOCKER_HUB_ID }}
 
 jobs:
   static-analysis:
     name: Run all static analysis checks
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: newrelic/newrelic-infra-checkers@v1
@@ -35,7 +36,7 @@ jobs:
 
   test-nix:
     name: Run unit tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Login to DockerHub
@@ -49,7 +50,7 @@ jobs:
 
   test-windows:
     name: Run unit tests on Windows
-    runs-on: windows-2022
+    runs-on: windows-latest
     env:
       GOPATH: ${{ github.workspace }}
     defaults:
@@ -72,7 +73,7 @@ jobs:
   # can't run this step inside of container because of tests specific
   test-integration-nix:
     name: Run integration tests on *Nix
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: src/github.com/${{env.ORIGINAL_REPO_NAME}}
@@ -97,16 +98,68 @@ jobs:
           GOPATH: ${{ github.workspace }}
         run: make integration-test
 
-  test-build:
-    name: Test binary compilation for all platforms:arch
-    runs-on: ubuntu-22.04
+  test-build-nix:
+    name: Test binary compilation and packaging for linux
+    runs-on: ubuntu-latest
+    env:
+      GPG_MAIL: '[email protected]'
+      GPG_PASSPHRASE: ${{ secrets.OHAI_GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_BASE64: ${{ secrets.OHAI_GPG_PRIVATE_KEY_BASE64 }} # base64 encoded
     steps:
       - uses: actions/checkout@v4
-      - name: Login to DockerHub
-        if: ${{env.DOCKER_LOGIN_AVAILABLE}}
-        uses: docker/login-action@v3
-        with:
-          username: ${{ secrets.OHAI_DOCKER_HUB_ID }}
-          password: ${{ secrets.OHAI_DOCKER_HUB_PASSWORD }}
+      - run: |
+          git tag "$TAG"
+          if [ -z "$GPG_PASSPHRASE" ]; then
+            echo NO_SIGN=true >> $GITHUB_ENV
+          fi
       - name: Build all platforms:arch
-        run: make ci/build
+        run: make ci/fake-prerelease
+      - name: Upload artifacts for next job
+        uses: actions/upload-artifact@v3
+        with:
+          name: windows-packages
+          path: dist/nri-*.zip
+
+  test-build-windows:
+    name: Create MSI
+    runs-on: windows-latest
+    needs: [test-build-nix]
+    env:
+      GOPATH: ${{ github.workspace }}
+      PFX_CERTIFICATE_BASE64: ${{ secrets.OHAI_PFX_CERTIFICATE_BASE64 }} # base64 encoded
+      PFX_CERTIFICATE_DESCRIPTION: 'New Relic'
+      PFX_PASSPHRASE:  ${{ secrets.OHAI_PFX_PASSPHRASE }}
+    defaults:
+      run:
+        working-directory: src/github.com/${{ env.ORIGINAL_REPO_NAME }}
+    strategy:
+      matrix:
+        goarch: [amd64,386]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          path: src/github.com/${{ env.ORIGINAL_REPO_NAME }}
+      - shell: bash
+        run: git tag "$TAG"
+
+      - name: Download artifact from previous job
+        uses: actions/download-artifact@v3
+        with:
+          name: windows-packages
+          path: src/github.com/${{ env.ORIGINAL_REPO_NAME }}/dist/
+
+      - name: Get PFX certificate from GH secrets
+        shell: bash
+        run: |
+          if [ -z "$PFX_CERTIFICATE_BASE64" ]; then
+            echo NO_SIGN=true >> $GITHUB_ENV
+          else
+            printf "%s" "$PFX_CERTIFICATE_BASE64" | base64 -d - > wincert.pfx
+          fi
+      - name: Extract .exe
+        shell: pwsh
+        run: build\windows\extract_exe.ps1 "$env:INTEGRATION" ${{ matrix.goarch }} "$env:TAG"
+      - name: Create MSI
+        shell: pwsh
+        run: build\windows\package_msi.ps1 -integration "$env:INTEGRATION" -arch ${{ matrix.goarch }} -tag "$env:TAG" -pfx_passphrase "$env:PFX_PASSPHRASE" -pfx_certificate_description "$env:PFX_CERTIFICATE_DESCRIPTION"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
 
   publish-to-s3:
     name: Send release assets to S3
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     steps:
       - name: Login to DockerHub
         uses: docker/login-action@v3

diff --git a/build/ci.mk b/build/ci.mk
@@ -61,4 +61,27 @@ ifdef TAG
 else
 	@echo "===> $(INTEGRATION) ===  [ci/prerelease] TAG env variable expected to be set"
 	exit 1
-endif
+endif
+
+.PHONY : ci/fake-prerelease
+ci/fake-prerelease: ci/deps
+ifdef TAG
+	@docker run --rm -t \
+			--name "nri-$(INTEGRATION)-prerelease" \
+			-v $(CURDIR):/go/src/github.com/newrelic/nri-$(INTEGRATION) \
+			-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
+			-e INTEGRATION \
+			-e PRERELEASE=true \
+			-e NO_PUBLISH=true \
+			-e NO_SIGN \
+			-e GITHUB_TOKEN \
+			-e REPO_FULL_NAME \
+			-e TAG \
+			-e GPG_MAIL \
+			-e GPG_PASSPHRASE \
+			-e GPG_PRIVATE_KEY_BASE64 \
+			$(BUILDER_TAG) make release
+else
+	@echo "===> $(INTEGRATION) ===  [ci/fake-prerelease] TAG env variable expected to be set"
+	exit 1
+endif
diff --git a/build/package/windows/nri-386-installer/nri-installer.wixproj b/build/package/windows/nri-386-installer/nri-installer.wixproj
@@ -44,7 +44,7 @@
         </CreateProperty>
     </Target>
     <Target Name="SignInstaller">
-        <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign /s &quot;My&quot; /d &quot;$(pfx_certificate_description)&quot; /n &quot;$(pfx_certificate_description)&quot; &quot;$(OutputPath)$(OutputName).msi&quot;"/>
+        <Exec Condition="'$(noSign)' != 'true'" Command="&quot;$(SignToolPath)signtool.exe&quot; sign /s &quot;My&quot; /d &quot;$(pfx_certificate_description)&quot; /n &quot;$(pfx_certificate_description)&quot; &quot;$(OutputPath)$(OutputName).msi&quot;"/>
         <Copy SourceFiles="$(OutputPath)$(OutputName).msi" DestinationFiles="$(OutputPath)$(OutputName).x.y.z.msi"/>
         <!-- <Delete Files="$(OutputPath)$(OutputName).msi" /> -->
     </Target>

diff --git a/build/package/windows/nri-amd64-installer/nri-installer.wixproj b/build/package/windows/nri-amd64-installer/nri-installer.wixproj
@@ -44,7 +44,7 @@
         </CreateProperty>
     </Target>
     <Target Name="SignInstaller">
-        <Exec Command="&quot;$(SignToolPath)signtool.exe&quot; sign /s &quot;My&quot; /d &quot;$(pfx_certificate_description)&quot; /n &quot;$(pfx_certificate_description)&quot; &quot;$(OutputPath)$(OutputName).msi&quot;"/>
+        <Exec Condition="'$(noSign)' != 'true'" Command="&quot;$(SignToolPath)signtool.exe&quot; sign /s &quot;My&quot; /d &quot;$(pfx_certificate_description)&quot; /n &quot;$(pfx_certificate_description)&quot; &quot;$(OutputPath)$(OutputName).msi&quot;"/>
         <Copy SourceFiles="$(OutputPath)$(OutputName).msi" DestinationFiles="$(OutputPath)$(OutputName).x.y.z.msi"/>
         <!-- <Delete Files="$(OutputPath)$(OutputName).msi" /> -->
     </Target>

diff --git a/build/release.mk b/build/release.mk
@@ -42,14 +42,21 @@ release/fix-archive:
 
 .PHONY : release/sign/nix
 release/sign/nix:
+ifneq ($(NO_SIGN), true)
 	@echo "===> $(INTEGRATION) === [release/sign] signing packages"
 	@bash $(CURDIR)/build/nix/sign.sh
-
+else
+	@echo "===> $(INTEGRATION) === [release/sign] signing packages is disabled by environment variable"
+endif
 
 .PHONY : release/publish
 release/publish:
+ifneq ($(NO_PUBLISH), true)
 	@echo "===> $(INTEGRATION) === [release/publish] publishing artifacts"
 	@bash $(CURDIR)/build/upload_artifacts_gh.sh
+else
+	@echo "===> $(INTEGRATION) === [release/publish] publish is disabled by environment variable"
+endif
 
 .PHONY : release
 release: release/build release/fix-archive release/sign/nix release/publish release/clean

diff --git a/build/windows/download_zip_extract_exe.ps1 → build/windows/download_zip.ps1 b/build/windows/download_zip_extract_exe.ps1 → build/windows/download_zip.ps1
@@ -5,15 +5,12 @@ param (
     [string]$REPO_FULL_NAME="none"
 )
 write-host "===> Creating dist folder"
-New-Item -ItemType directory -Path .\dist
+New-Item -ItemType directory -Path .\dist -Force
 
 $VERSION=${TAG}.substring(1)
-$exe_folder="nri-${INTEGRATION}_windows_${ARCH}"
 $zip_name="nri-${INTEGRATION}-${ARCH}.${VERSION}.zip"
 
 $zip_url="https://github.com/${REPO_FULL_NAME}/releases/download/${TAG}/${zip_name}"
 write-host "===> Downloading & extracting .exe from ${zip_url}"
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
 Invoke-WebRequest "${zip_url}" -OutFile ".\dist\${zip_name}"
-write-host "===> Expanding"
-expand-archive -path "dist\${zip_name}" -destinationpath "dist\${exe_folder}\"
diff --git a/build/windows/extract_exe.ps1 b/build/windows/extract_exe.ps1
@@ -0,0 +1,14 @@
+param (
+    [string]$INTEGRATION="none",
+    [string]$ARCH="amd64",
+    [string]$TAG="v0.0.0"
+)
+write-host "===> Creating dist folder"
+New-Item -ItemType directory -Path .\dist -Force
+
+$VERSION=${TAG}.substring(1)
+$exe_folder="nri-${INTEGRATION}_windows_${ARCH}"
+$zip_name="nri-${INTEGRATION}-${ARCH}.${VERSION}.zip"
+
+write-host "===> Expanding"
+expand-archive -path "dist\${zip_name}" -destinationpath "dist\${exe_folder}\"
diff --git a/build/windows/package_msi.ps1 b/build/windows/package_msi.ps1
@@ -30,11 +30,16 @@ if ($wrong.Length  -ne 0) {
     exit -1
 }
 
-echo "===> Import .pfx certificate from GH Secrets"
-Import-PfxCertificate -FilePath wincert.pfx -Password (ConvertTo-SecureString -String $pfx_passphrase -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My
+$noSign = $env:NO_SIGN ?? "false"
+if ($noSign -ieq "true") {
+    echo "===> Import .pfx certificate is disabled by environment variable"
+} else {
+    echo "===> Import .pfx certificate from GH Secrets"
+    Import-PfxCertificate -FilePath wincert.pfx -Password (ConvertTo-SecureString -String $pfx_passphrase -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My
 
-echo "===> Show certificate installed"
-Get-ChildItem -Path cert:\CurrentUser\My\
+    echo "===> Show certificate installed"
+    Get-ChildItem -Path cert:\CurrentUser\My\
+}
 
 echo "===> Checking MSBuild.exe..."
 $msBuild = (Get-ItemProperty hklm:\software\Microsoft\MSBuild\ToolsVersions\4.0).MSBuildToolsPath
@@ -47,7 +52,7 @@ echo $msBuild
 echo "===> Building Installer"
 Push-Location -Path "build\package\windows\nri-$arch-installer"
 
-. $msBuild/MSBuild.exe nri-installer.wixproj /p:IntegrationVersion=${version} /p:IntegrationName=$integration /p:Year=$buildYear /p:pfx_certificate_description=$pfx_certificate_description
+. $msBuild/MSBuild.exe nri-installer.wixproj /p:IntegrationVersion=${version} /p:IntegrationName=$integration /p:Year=$buildYear /p:NoSign=$noSign /p:pfx_certificate_description=$pfx_certificate_description
 
 if (-not $?)
 {
@@ -60,4 +65,4 @@ echo "===> Making versioned installed copy"
 cd bin\Release
 cp "nri-$integration-$arch.msi" "nri-$integration-$arch.$version.msi"
 
-Pop-Location
+Pop-Location