Use Goreleaser, and publish arm64
Signed-off-by: peterdeme <[email protected]>
peterdeme committed Nov 25, 2023
1 parent 8d8dd75 commit 0efdafb
Showing 7 changed files with 102 additions and 101 deletions.
18 changes: 8 additions & 10 deletions .github/workflows/build-binary.yml
Expand Up @@ -3,30 +3,28 @@ name: Build Binary
on: { push: { branches-ignore: [main, production] } }

jobs:
preprod-agent-deployment:
name: Build and upload agent
build-binary:
name: Build binary
runs-on: ubuntu-latest
container: golang:1.20

env:
BASE_NAME: spacelift-vcs-agent
BIN_DIR: build

steps:
- name: Check out repository code
uses: actions/checkout@v4

- name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
- name: Mark source directory as safe.
run: git config --global --add safe.directory $GITHUB_WORKSPACE

- name: parse short SHA
id: vars
run: |
echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
- name: Build Spacelift VCS Agent
run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --snapshot
env:
BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
CGO_ENABLED: 0
SHORT_SHA: ${{ steps.vars.outputs.sha }}
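Review bot: The GoReleaser step uses `version: latest`, so the tool that now produces every binary is whichever GoReleaser release exists at run time; builds stop being reproducible and a malicious or merely breaking release lands in CI with no review. Pin it to an explicit release tag in `with:` (at minimum `version: '~> v1'`), and consider pinning `goreleaser/goreleaser-action@v5` to a commit SHA rather than the mutable major tag, as the other actions here are also tag-pinned. The `parse short SHA` step feeding `SHORT_SHA` still uses the deprecated `::set-output` form (context here, not changed by this commit); `echo "sha=$(git rev-parse --short=8 ${{ github.sha }})" >> "$GITHUB_OUTPUT"` is the supported replacement.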
129 changes: 70 additions & 59 deletions .github/workflows/preprod-deployment.yml
@@ -1,20 +1,16 @@
name: Preprod deployment

on:
push:
branches:
- main
on: [push]

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true

jobs:
preprod-agent-deployment:
name: Build and upload agent
runs-on: ubuntu-latest
outputs:
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
container: golang:1.20
env:
BASE_NAME: spacelift-vcs-agent
BIN_DIR: build
permissions:
id-token: write
contents: read
Expand All @@ -24,7 +20,7 @@ jobs:
- name: Check out repository code
uses: actions/checkout@v4

- name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
- name: Mark source directory as safe.
run: git config --global --add safe.directory $GITHUB_WORKSPACE

- uses: chrnorm/deployment-action@releases/v1
Expand All @@ -41,11 +37,13 @@ jobs:
run: |
echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
- name: Build Spacelift VCS Agent
run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --snapshot=${{ github.ref != 'refs/heads/main' }}
env:
BUGSNAG_API_KEY: ${{ secrets.PREPROD_BUGSNAG_API_KEY }}
CGO_ENABLED: 0
SHORT_SHA: ${{ steps.vars.outputs.sha }}

- name: Install dependencies
Expand All @@ -66,23 +64,17 @@ jobs:
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

- name: Sign Spacelift VCS Agent Binary
run: ./scripts/sign.sh $BIN_DIR $BASE_NAME
run: |
chmod 755 ./dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
./scripts/sign.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
./scripts/verify.sh ./dist/vcs-agent_linux_amd64_v1 spacelift-vcs-agent
chmod 755 ./dist/vcs-agent_linux_arm64/spacelift-vcs-agent
./scripts/sign.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
./scripts/verify.sh ./dist/vcs-agent_linux_arm64 spacelift-vcs-agent
env:
GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
SHORT_SHA: ${{ steps.vars.outputs.sha }}

- name: Verify Checksum Spacelift VCS Agent Binary
run: ./scripts/verify.sh $BIN_DIR $BASE_NAME
env:
SHORT_SHA: ${{ steps.vars.outputs.sha }}

- name: Upload the VCS Agent binary
uses: actions/upload-artifact@v3
with:
name: vcs-agent-binary
path: build/
retention-days: 1

- name: Update deployment status (failure)
uses: chrnorm/deployment-status@releases/v1
Expand All @@ -93,28 +85,6 @@ jobs:
state: "failure"
deployment_id: ${{ steps.deployment.outputs.deployment_id }}

publish-preprod-agent-deployment:
name: Upload VCS agent binary and container image
needs: ["preprod-agent-deployment"]
runs-on: ubuntu-latest

env:
BIN_DIR: build
permissions:
id-token: write
contents: read
deployments: write

steps:
- name: Check out repository code
uses: actions/checkout@v4

- name: Download the VCS Agent binary
uses: actions/download-artifact@v3
with:
name: vcs-agent-binary
path: ./build

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
if: ${{ github.ref == 'refs/heads/main' }}
Expand All @@ -124,11 +94,54 @@ jobs:
role-duration-seconds: 900

- name: Upload the VCS Agent binary to downloads.spacelift.dev
if: ${{ github.ref == 'refs/heads/main' }}
run: >-
######## AMD 64 old path ########
aws s3 sync
${BIN_DIR} s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/
dist/vcs-agent_linux_amd64_v1/*
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
######## AMD 64 new path ########
aws s3 sync
dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
aws s3 sync
dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
aws s3 sync
dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent_SHA256SUMS.sig
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-amd64_SHA256SUMS.sig
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
######## ARM 64 new path ########
aws s3 sync
dist/vcs-agent_linux_arm64/spacelift-vcs-agent
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
aws s3 sync
dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
aws s3 sync
dist/vcs-agent_linux_arm64/spacelift-vcs-agent_SHA256SUMS.sig
s3://${{ secrets.PREPROD_AWS_S3_BUCKET }}/spacelift-vcs-agent-aarch64_SHA256SUMS.sig
--no-progress
${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
- name: Invalidate downloads.spacelift.dev cache
if: ${{ github.ref == 'refs/heads/main' }}
Expand All @@ -141,18 +154,16 @@ jobs:
if: ${{ github.ref == 'refs/heads/main' }}
run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws

# This will be needed in the future for adding multi architecture build support
# - name: Set up QEMU
# uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Build and push the image
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64
platforms: linux/amd64,linux/arm64
push: ${{ github.ref == 'refs/heads/main' }}
tags: |
${{ secrets.PREPROD_PUBLIC_VCS_AGENT_ECR_REPOSITORY_URL }}:latest
Expand All @@ -164,7 +175,7 @@ jobs:
token: "${{ github.token }}"
target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
state: "success"
deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}

- name: Update deployment status (failure)
uses: chrnorm/deployment-status@releases/v1
Expand All @@ -173,4 +184,4 @@ jobs:
token: "${{ github.token }}"
target_url: https://downloads.spacelift.dev/spacelift-vcs-agent
state: "failure"
deployment_id: ${{ needs.preprod-agent-deployment.outputs.deployment_id }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
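Review bot: The upload step's `run: >-` is a folded scalar, so all of the added lines collapse into a single shell line; if they share one indent (the rendering drops it, so please confirm) that line starts with `######## AMD 64 old path ########`, which bash treats as a comment and nothing is uploaded at all, and even without the comment lines you would get one `aws s3 sync` call with the remaining commands as stray arguments. `aws s3 sync` also expects a directory source, so the per-file entries such as `dist/vcs-agent_linux_amd64_v1/spacelift-vcs-agent` need `aws s3 cp`, and the `dist/vcs-agent_linux_amd64_v1/*` glob would be expanded by the shell into several positional arguments. Switch to a literal block (`run: |`), pass the bucket through `env:` instead of splicing `${{ secrets.PREPROD_AWS_S3_BUCKET }}` into the script, and loop over the two architectures as below. Separately, the trigger is widened from `branches: [main]` to `on: [push]`, and the GPG import and sign/verify steps carry no `if:` guard that I can see, so every branch push now runs the release signing key over whatever that branch builds; either keep the main-only trigger or add `if: ${{ github.ref == 'refs/heads/main' }}` to those steps. The `--dryrun` expression is dead if the step's `if:` guard survives, since the step never runs off main.

```yaml
      - name: Upload the VCS Agent binary to downloads.spacelift.dev
        # … unchanged: if: guard …
        run: |
          set -euo pipefail
          dryrun=${{ github.ref != 'refs/heads/main' && '--dryrun' || '' }}
          # AMD64 under the old, unsuffixed names so existing download URLs keep working
          aws s3 sync dist/vcs-agent_linux_amd64_v1/ "s3://${BUCKET}/" --no-progress ${dryrun}
          # Per-arch names; GoReleaser only adds the _v1 (GOAMD64) suffix to the amd64 directory
          for spec in amd64_v1:amd64 arm64:aarch64; do
            src="dist/vcs-agent_linux_${spec%%:*}"
            arch="${spec##*:}"
            for f in spacelift-vcs-agent spacelift-vcs-agent_SHA256SUMS spacelift-vcs-agent_SHA256SUMS.sig; do
              aws s3 cp "${src}/${f}" "s3://${BUCKET}/spacelift-vcs-agent-${arch}${f#spacelift-vcs-agent}" --no-progress ${dryrun}
            done
          done
        env:
          BUCKET: ${{ secrets.PREPROD_AWS_S3_BUCKET }}
```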
2 changes: 1 addition & 1 deletion .github/workflows/prod-deployment.yml
Expand Up @@ -24,7 +24,7 @@ jobs:
- name: Check out repository code
uses: actions/checkout@v4

- name: Mark source directory as safe. # This is some duct tape over the git version in the Go image complaining about this since one of the 1.19.x versions. Feel free to remove once it doesn't break the build anymore. See https://github.com/actions/runner/issues/2033 and https://github.com/actions/checkout/issues/760#issuecomment-1097797031
- name: Mark source directory as safe.
run: git config --global --add safe.directory $GITHUB_WORKSPACE

- uses: chrnorm/deployment-action@releases/v1
36 changes: 6 additions & 30 deletions .github/workflows/trivy.yml
Expand Up @@ -13,53 +13,29 @@ jobs:
name: Build
runs-on: ubuntu-latest

env:
BASE_NAME: spacelift-vcs-agent
BIN_DIR: build

steps:
- name: Checkout
uses: actions/checkout@v4
with: { fetch-depth: 0 }

- name: Set up Go
uses: actions/setup-go@v4
with: { go-version: 1.18 }
with: { go-version: 1.20 }

- name: parse short SHA
id: vars
run: |
echo ::set-output name=sha::$(git rev-parse --short=8 ${{ github.sha }})
- name: Build Spacelift VCS Agent
run: go build -a -tags netgo -ldflags "-s -w -extldflags '-static' -X main.VERSION=$SHORT_SHA -X main.BugsnagAPIKey=$BUGSNAG_API_KEY" -trimpath -o $BIN_DIR/$BASE_NAME ./cmd/spacelift-vcs-agent
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --snapshot
env:
BUGSNAG_API_KEY: ${{ secrets.BUGSNAG_API_KEY }}
CGO_ENABLED: 0
SHORT_SHA: ${{ steps.vars.outputs.sha }}

- name: Archive artifacts for use in Docker build
uses: actions/upload-artifact@v3
with:
name: build
path: |
build
analyze:
name: Analyze with Trivy
needs: build
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Download build artifacts
uses: actions/download-artifact@v3
with:
name: build
path: build

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

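Review bot: `with: { go-version: 1.20 }` is an unquoted YAML float, so setup-go receives `1.2` rather than `1.20`; quote it, `with: { go-version: '1.20' }`. The build job also no longer uploads its output and the analyze job no longer downloads it, yet the Dockerfile in this commit copies the binary from `dist/`, which exists only on the build job's runner; unless the rest of the analyze job (outside this hunk) now runs GoReleaser itself, the image build that Trivy scans will fail, so either keep an upload/download of `dist/` or build in the analyze job. As in the other workflows, `version: latest` floats the GoReleaser release used to produce the scanned artefact; pin it.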
2 changes: 2 additions & 0 deletions .gitignore
Expand Up @@ -20,3 +20,5 @@

# Binary
cmd/spacelift-vcs-agent/spacelift-vcs-agent

dist/
13 changes: 13 additions & 0 deletions .goreleaser.yaml
@@ -0,0 +1,13 @@
builds:
- main: ./cmd/spacelift-vcs-agent
binary: spacelift-vcs-agent
env: [CGO_ENABLED=0]
goos: [linux]
goarch: [amd64, arm64]
flags: [-trimpath]
tags: [netgo]
ldflags:
- "-s -w -extldflags '-static' -X main.VERSION={{.Env.SHORT_SHA}} -X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}"

changelog:
skip: true
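Review bot: `changelog: skip: true` uses a key that recent GoReleaser releases deprecate in favour of `changelog: disable: true`; with `version: latest` in the workflows that is a warning today and a broken release whenever the old key is removed, so switch to `disable: true` and pin the GoReleaser version in the workflows. The `-X main.BugsnagAPIKey={{.Env.BUGSNAG_API_KEY}}` ldflag bakes a secret into the published binary, where `strings` recovers it; that is carried over from the old `go build` line, but a comment above `ldflags:` such as `# BugsnagAPIKey is embedded in the shipped binary and is recoverable from it — this must be a notifier (write-only) key, never a data-access key` would record the constraint for whoever rotates it. For signed artefacts that others can rebuild and verify, also set `mod_timestamp: '{{ .CommitTimestamp }}'` on the build and add `-buildid=` to the ldflags so two builds of the same commit are byte-identical. `-extldflags '-static'` is a no-op with `CGO_ENABLED=0` and can be dropped.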
3 changes: 2 additions & 1 deletion Dockerfile
@@ -1,11 +1,12 @@
FROM alpine:3.18

ARG TARGETARCH

RUN apk add --no-cache ca-certificates
RUN apk upgrade --update-cache --available
RUN adduser --disabled-password --no-create-home --uid=1983 spacelift

COPY build/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent
COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent

RUN chmod +x /usr/bin/spacelift-vcs-agent

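Review bot: The `COPY dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent` glob works only because GoReleaser names the amd64 output directory `vcs-agent_linux_amd64_v1` (the GOAMD64 level) but the arm64 one `vcs-agent_linux_arm64`; if a second GOAMD64 level is ever added the glob matches two directories and `COPY` into a single-file destination fails, so document the coupling with a comment such as `# GoReleaser suffixes amd64 output with its GOAMD64 level (_v1); arm64 has no suffix. Keep exactly one dir per arch.` Since buildx is now used, `COPY --chmod=755 dist/vcs-agent_linux_${TARGETARCH}*/spacelift-vcs-agent /usr/bin/spacelift-vcs-agent` makes the binary executable at copy time and the separate `RUN chmod +x` layer (and the `chmod 755` in the workflow) becomes redundant. Pinning `alpine:3.18` by digest is pre-existing but worth doing now that two platforms are published from one mutable tag.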

