Skip to content

Commit

Permalink
Apply GitHub workflow changes
Browse files Browse the repository at this point in the history
  • Loading branch information
OpenTofu Core Development Team committed Jan 4, 2024
1 parent 99a33b6 commit 7d00c2f
Show file tree
Hide file tree
Showing 7 changed files with 320 additions and 0 deletions.
12 changes: 12 additions & 0 deletions .github/workflows/artifact-release-trigger.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: Trigger Artifact Release

on:
workflow_dispatch:

permissions:
contents: read
actions: write

jobs:
trigger:
uses: opentffoundation/scripts/.github/workflows/trigger.yml@main
33 changes: 33 additions & 0 deletions .github/workflows/artifact-release.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: Artifact Release

on:
workflow_dispatch:
inputs:
tag:
description: "Release tag (v#.#.#)"
type: string
required: true

permissions:
contents: write

jobs:
release-dispatch:
if: inputs.tag != ''
uses: opentffoundation/scripts/.github/workflows/release.yml@main
with:
tag: ${{ inputs.tag }}
secrets:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GH_PAT: ${{ secrets.GH_PAT }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

release-push:
if: inputs.tag == ''
uses: opentffoundation/scripts/.github/workflows/release.yml@main
with:
tag: ${{ github.ref_name }}
secrets:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GH_PAT: ${{ secrets.GH_PAT }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
11 changes: 11 additions & 0 deletions .github/workflows/fork_sync.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
name: Sync Fork

on:
schedule:
- cron: '15 */4 * * *' # every hour
workflow_dispatch: # on button click

jobs:
sync:
uses: opentffoundation/scripts/.github/workflows/sync.yml@main
secrets: inherit
18 changes: 18 additions & 0 deletions .github/workflows/go/sign/go.mod
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
module github.com/opentofu/scripts/go/sign

go 1.21.1

require github.com/google/go-github/v54 v54.0.0

require (
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 // indirect
github.com/cloudflare/circl v1.3.3 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/go-querystring v1.1.0 // indirect
golang.org/x/crypto v0.12.0 // indirect
golang.org/x/net v0.14.0 // indirect
golang.org/x/oauth2 v0.11.0 // indirect
golang.org/x/sys v0.11.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.31.0 // indirect
)
46 changes: 46 additions & 0 deletions .github/workflows/go/sign/go.sum
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8 h1:wPbRQzjjwFc0ih8puEVAOFGELsn1zoIIYdxvML7mDxA=
github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-github/v54 v54.0.0 h1:OZdXwow4EAD5jEo5qg+dGFH2DpkyZvVsAehjvJuUL/c=
github.com/google/go-github/v54 v54.0.0/go.mod h1:Sw1LXWHhXRZtzJ9LI5fyJg9wbQzYvFhW8W5P2yaAQ7s=
github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
golang.org/x/oauth2 v0.11.0 h1:vPL4xzxBM4niKCW6g9whtaWVXTJf1U5e4aZxxFx/gbU=
golang.org/x/oauth2 v0.11.0/go.mod h1:LdF7O/8bLR/qWK9DrpXmbHLTouvRHK0SgJl0GmDBchk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
183 changes: 183 additions & 0 deletions .github/workflows/go/sign/main.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,183 @@
package main

import (
"context"
"flag"
"fmt"
"io"
"log"
"net/http"
"os"
"os/exec"
"path/filepath"
"strings"

"github.com/google/go-github/v54/github"
)

var (
owner = flag.String("owner", "", "GitHub repo owner name")
repo = flag.String("repo", "", "GitHub repo name")

fingerprint = flag.String("fingerprint", "", "GPG fingerprint")
)

var c *github.Client

func main() {
flag.Parse()

pat := os.Getenv("GITHUB_PAT")
if pat == "" {
panic("GITHUB_PAT environment variable not set")
}

c = github.NewTokenClient(nil, pat)

err := resignReleases(context.Background(), *fingerprint)
if err != nil {
log.Fatalf("failed to resign releases: %v", err)
}
}

func resignReleases(ctx context.Context, fingerprint string) error {
tmpdir, err := os.MkdirTemp("", "")
if err != nil {
return err
}
defer os.RemoveAll(tmpdir)
log.Printf("tmpdir: %s", tmpdir)

releases, err := getReleases(ctx, "v")
if err != nil {
return fmt.Errorf("could not list %s/%s releases: %w", *owner, *repo, err)
}
log.Printf("releases: %d", len(releases))

for _, release := range releases {
log.Printf("release: %s", release.GetTagName())
assets, _, err := c.Repositories.ListReleaseAssets(ctx, *owner, *repo, release.GetID(), &github.ListOptions{})
if err != nil {
return fmt.Errorf("could not list %s/%s release %s assets: %w", *owner, *repo, release.GetTagName(), err)
}
log.Printf("assets: %d", len(assets))
var (
checksumAssetID int64 = -1
checksumAssetName string
signatureAssetID int64 = -1
)
for _, asset := range assets {
log.Printf("asset: %s=%d", asset.GetName(), asset.GetID())
if strings.HasSuffix(asset.GetName(), "_SHA256SUMS") {
checksumAssetID = asset.GetID()
checksumAssetName = asset.GetName()
}
if strings.HasSuffix(asset.GetName(), "_SHA256SUMS.sig") {
signatureAssetID = asset.GetID()
}
}
log.Printf("checksum=%d,signature=%d", checksumAssetID, signatureAssetID)
if checksumAssetID < 0 || signatureAssetID < 0 {
return fmt.Errorf("could not find %s/%s release %s assets, checksum=%t,signature=%t", *owner, *repo, release.GetTagName(), checksumAssetID < 0, signatureAssetID < 0)
}
log.Printf("download asset %d as %s", checksumAssetID, checksumAssetName)
if err := downloadAsset(ctx, checksumAssetID, filepath.Join(tmpdir, checksumAssetName)); err != nil {
return fmt.Errorf("could not download %s/%s release %s checksum asset %d: %w", *owner, *repo, release.GetTagName(), checksumAssetID, err)
}
log.Printf("sign asset %s", checksumAssetName)
signatureFilename, err := sign(fingerprint, tmpdir, checksumAssetName)
if err != nil {
return err
}
log.Printf("delete asset %d", signatureAssetID)
if err := deleteAsset(ctx, signatureAssetID); err != nil {
return fmt.Errorf("could not delete %s/%s release %s asset %d: %w", *owner, *repo, release.GetTagName(), signatureAssetID, err)
}
log.Printf("upload asset %s", signatureFilename)
if err := uploadAsset(ctx, release.GetID(), filepath.Join(tmpdir, signatureFilename), signatureFilename); err != nil {
return fmt.Errorf("could not upload %s/%s release %s asset %s: %w", *owner, *repo, release.GetTagName(), signatureFilename, err)
}
}

return nil
}

func getReleases(ctx context.Context, prefix string) ([]*github.RepositoryRelease, error) {
var repoReleases []*github.RepositoryRelease
page := 1
for {
releases, resp, err := c.Repositories.ListReleases(ctx, *owner, *repo, &github.ListOptions{
Page: page,
PerPage: 99,
})
if err != nil {
return nil, err
}
if prefix != "" {
for _, release := range releases {
if strings.HasPrefix(release.GetTagName(), prefix) {
repoReleases = append(repoReleases, release)
}
}
} else {
repoReleases = append(repoReleases, releases...)
}
if resp.NextPage == 0 {
break
}
page = resp.NextPage
}
return repoReleases, nil
}

func downloadAsset(ctx context.Context, id int64, filename string) error {
rc, _, err := c.Repositories.DownloadReleaseAsset(ctx, *owner, *repo, id, http.DefaultClient)
if err != nil {
return fmt.Errorf("could not download asset: %w", err)
}
defer rc.Close()
f, err := os.Create(filename)
if err != nil {
return fmt.Errorf("could not create file %s: %w", filename, err)
}
defer f.Close()
if _, err := io.Copy(f, rc); err != nil {
return fmt.Errorf("could not copy asset data: %w", err)
}
if err := f.Close(); err != nil {
return fmt.Errorf("could not close file %s: %w", filename, err)
}
return nil
}

func deleteAsset(ctx context.Context, id int64) error {
_, err := c.Repositories.DeleteReleaseAsset(ctx, *owner, *repo, id)
if err != nil {
return fmt.Errorf("could not download asset: %w", err)
}
return nil
}

func uploadAsset(ctx context.Context, id int64, filename, name string) error {
f, err := os.Open(filename)
if err != nil {
return fmt.Errorf("could not open %s: %w", filename, err)
}
defer f.Close()
_, _, err = c.Repositories.UploadReleaseAsset(ctx, *owner, *repo, id, &github.UploadOptions{Name: name}, f)
if err != nil {
return fmt.Errorf("could not upload asset: %w", err)
}
return nil
}

func sign(fingerprint string, dir, filename string) (string, error) {
signatureFilename := filename + ".sig"
cmd := exec.Command("gpg", "--batch", "--local-user", fingerprint, "--output", signatureFilename, "--detach-sign", filename)
cmd.Dir = dir
b, err := cmd.CombinedOutput()
if err != nil {
return "", fmt.Errorf("command failed '%s': %w", string(b), err)
}
return signatureFilename, nil
}
17 changes: 17 additions & 0 deletions .github/workflows/resign.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
name: Artifacts Resign

on:
workflow_dispatch:

permissions:
contents: write

jobs:
resign:
uses: opentffoundation/scripts/.github/workflows/sign.yml@main
with:
owner: ${{ github.repository_owner }}
repo: ${{ github.event.repository.name }}
secrets:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GH_PAT: ${{ secrets.GH_PAT }}

0 comments on commit 7d00c2f

Please sign in to comment.