diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 21b8521..0000000 --- a/.drone.yml +++ /dev/null 
@@ -1,470 +0,0 @@ ---- -kind: pipeline -name: RPM Build EL7 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL7 - image: centos:7 - commands: - - policy/centos7/scripts/build - -- name: Sign RPM EL7 - image: centos:7 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos7/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL7 - image: centos:7 - commands: - - policy/centos7/scripts/repo-metadata - -- name: Upload RPM EL7 - image: centos:7 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos7/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL7 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos7-noarch.txt - checksum_flatten: true - files: - - "policy/centos7/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag ---- -kind: pipeline -name: RPM Build EL8 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/build - -- name: Sign RPM EL8 (dry-run) - image: 
quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos8/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL8 - image: quay.io/centos/centos:stream8 - commands: - - policy/centos8/scripts/repo-metadata - -- name: Yum Repo Upload RPM EL8 - image: quay.io/centos/centos:stream8 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos8/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL8 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos8-noarch.txt - checksum_flatten: true - files: - - "policy/centos8/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build EL9 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/build - -- name: Sign RPM EL9 (dry-run) - image: 
quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos9/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for EL9 - image: quay.io/centos/centos:stream9 - commands: - - policy/centos9/scripts/repo-metadata - -- name: Upload RPM EL9 - image: quay.io/centos/centos:stream9 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos9/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM EL9 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos9-noarch.txt - checksum_flatten: true - files: - - "policy/centos9/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build MicroOS - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM MicroOS - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/build - -- name: Sign RPM MicroOS (dry-run) - image: opensuse/tumbleweed - 
commands: - - policy/microos/scripts/sign --dry-run - when: - event: - - pull_request - -- name: Sign RPM MicroOS - image: opensuse/tumbleweed - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/microos/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Microos - image: opensuse/tumbleweed - commands: - - policy/microos/scripts/repo-metadata - -- name: Yum Repo Upload RPM MicroOS - image: opensuse/tumbleweed - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/microos/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release RPM MicroOS - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-microos-noarch.txt - checksum_flatten: true - files: - - "policy/microos/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - ---- -kind: pipeline -name: RPM Build Fedora37 - -platform: - os: linux - arch: amd64 - -steps: -- name: Build RPM Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/build - -- name: Sign RPM Fedora37 (dry-run) - image: fedora:37 - commands: - - policy/fedora37/scripts/sign --dry-run - 
when: - event: - - pull_request - -- name: Sign RPM Fedora37 - image: fedora:37 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/fedora37/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Create repo metadata for Fedora37 - image: fedora:37 - commands: - - policy/fedora37/scripts/repo-metadata - -- name: Yum Repo Upload Fedora37 - image: fedora:37 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/fedora37/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release Fedora37 - image: plugins/github-release - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-fedora37-noarch.txt - checksum_flatten: true - files: - - "policy/fedora37/dist/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..613a9ad --- /dev/null +++ b/.github/workflows/release.yml 
@@ -0,0 +1,37 @@ +name: Release + +on: + push: + tags: + - v* + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Go + uses: actions/setup-go@v5 + with: + go-version: 'stable' + + - run: make build + env: + PRIVATE_KEY: ${{ vars.PRIVATE_KEY }} + PRIVATE_KEY_PASS_PHRASE: ${{ vars.PRIVATE_KEY_PASS_PHRASE }} + TESTING_PRIVATE_KEY: ${{ vars.TESTING_PRIVATE_KEY }} + TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ vars.TESTING_PRIVATE_KEY_PASS_PHRASE }} + + - run: make upload + env: + TESTING_AWS_ACCESS_KEY_ID: ${{ vars.TESTING_AWS_ACCESS_KEY_ID }} + TESTING_AWS_SECRET_ACCESS_KEY: ${{ vars.TESTING_AWS_SECRET_ACCESS_KEY }} + TESTING_AWS_S3_BUCKET: ${{ vars.TESTING_AWS_S3_BUCKET }} + PRODUCTION_AWS_ACCESS_KEY_ID: ${{ vars.PRODUCTION_AWS_ACCESS_KEY_ID }} + PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ vars.PRODUCTION_AWS_SECRET_ACCESS_KEY }} + PRODUCTION_AWS_S3_BUCKET: ${{ vars.PRODUCTION_AWS_S3_BUCKET }} diff --git a/Dockerfile b/Dockerfile index d8a7f44..411c33c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -12,8 +12,7 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign expect \ - unzip + rpm-sign expect # Confirm this is needed, move to final if not. COPY hack/centos7_sign /usr/local/bin/sign @@ -26,8 +25,7 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign \ - unzip + rpm-sign # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign @@ -40,8 +38,7 @@ RUN yum install -y \ selinux-policy-devel \ yum-utils \ rpm-build \ - rpm-sign \ - unzip + rpm-sign # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign @@ -52,8 +49,7 @@ RUN dnf install -y \ container-selinux \ selinux-policy-devel \ rpm-build \ - rpm-sign \ - unzip + rpm-sign # Move to final stage if centos7_sign is removed. COPY hack/sign /usr/local/bin/sign 
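Review bot: The signing keys, passphrases and AWS access keys on the `make build` and `make upload` steps are read from `vars.*`, which are GitHub configuration variables — stored unencrypted and, unlike `secrets.*`, not redacted from job logs — so a stray `env` dump or verbose build output would expose the release signing key and production S3 credentials. Each sensitive value should come from the secrets context, e.g. `PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}` and `PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}`, while non-sensitive values such as the bucket names can legitimately remain variables. The removed Drone pipeline gated signing and upload on the `drone-publish.rancher.io` instance and the `tag` event, whereas this job runs on any `v*` tag push with no `environment:` binding, so anyone able to push a matching tag can trigger a signed production publish; binding the job to a protected environment with required reviewers restores that gate. As a style point, pinning `actions/checkout@v4` and `actions/setup-go@v5` to full commit SHAs rather than mutable major tags would harden the supply chain. The old pipeline also published a GitHub Release with a SHA-256 checksum file, which has no visible counterpart here unless `make upload` covers it — worth confirming.
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    # Protected environment (required reviewers) so a tag push alone cannot publish.
    environment: production
    steps:
      # … unchanged: checkout and setup-go steps …
      - run: make build
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
          PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }}
          TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }}
          TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }}

      - run: make upload
        env:
          TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }}
          TESTING_AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }}
          TESTING_AWS_S3_BUCKET: ${{ vars.TESTING_AWS_S3_BUCKET }}
          PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
          PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
          PRODUCTION_AWS_S3_BUCKET: ${{ vars.PRODUCTION_AWS_S3_BUCKET }}
```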
@@ -63,8 +59,7 @@ RUN zypper install -y \ container-selinux \ selinux-policy-devel \ rpm-build \ - rpm \ - unzip + rpm # libglib is required to install createrepo_c in Tumbleweed. RUN zypper install -y libglib-2_0-0 createrepo_c @@ -82,4 +77,4 @@ COPY policy/${POLICY}/rancher-selinux.spec \ policy/${POLICY}/rancher.fc \ policy/${POLICY}/rancher.te \ hack/build \ - hack/repo-metadata . + hack/metadata . diff --git a/hack/repo-metadata b/hack/metadata similarity index 100% rename from hack/repo-metadata rename to hack/metadata