Release #783
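# Release workflow: started by hand (workflow_dispatch); every job is gated on
# the main branch. Job order: test -> release -> release-windows-installer ->
# publish. The snapshot job has no `needs` and runs independently.
name: Release

# NOTE(review): write-all grants the automatic GITHUB_TOKEN every scope in
# every job, including the steps that run third-party actions. The called
# workflows are not visible here, so the scopes they need are unknown; once
# confirmed, replace this with an explicit least-privilege `permissions:` map.
permissions: write-all

# Triggered via GitHub Actions UI
on:
  workflow_dispatch:

jobs:
  test:
    if: github.ref == 'refs/heads/main'
    uses: newrelic/newrelic-cli/.github/workflows/test.yml@main
    secrets:
      NEW_RELIC_ACCOUNT_ID: ${{ secrets.NEW_RELIC_ACCOUNT_ID }}
      NEW_RELIC_ADMIN_API_KEY: ${{ secrets.NEW_RELIC_ADMIN_API_KEY }}
      NEW_RELIC_API_KEY: ${{ secrets.NEW_RELIC_API_KEY }}
      NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
      NEW_RELIC_REGION: ${{ secrets.NEW_RELIC_REGION }}

  release:
    if: github.ref == 'refs/heads/main'
    name: Release
    needs: test
    runs-on: ubuntu-latest
    # NOTE(review): job-level env is visible to every step below, third-party
    # actions included. Confirm which steps need the Snapcraft credential and
    # scope it to those steps.
    env:
      SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
    # NOTE(review): the actions in this job are referenced by mutable tags or
    # a branch (`finnp/create-file-action@master`). Whoever controls those refs
    # controls code that runs next to the signing keys and cloud credentials of
    # this job. Pin each third-party action to a reviewed full commit SHA.
    steps:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23.x'

      - name: Add GOBIN to PATH
        run: echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
        shell: bash

      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Needed for release notes
          fetch-depth: 0
          token: ${{ secrets.RELEASE_TOKEN }}

      - name: Install Snapcraft
        uses: samuelmeuli/action-snapcraft@v2

      - name: Install PGP private key
        shell: bash
        env:
          PGP_PRIVATE_KEY: ${{ secrets.PGP_PRIVATE_KEY }}
        run: echo "$PGP_PRIVATE_KEY" | gpg --batch --import

      - name: Install AWS CLI
        run: |
          sudo snap install aws-cli --classic

      # NOTE(review): the two steps below hand long-lived AWS keys to a
      # third-party action as inputs. Consider writing the files from a plain
      # `run:` step, or switching to short-lived credentials, so no external
      # code handles the key material.
      - name: Write AWS config 1
        uses: DamianReeves/write-file-action@v1.3
        with:
          path: /home/runner/.aws/credentials
          contents: |
            [virtuoso_user]
            aws_access_key_id=${{ secrets.AWS_ACCESS_KEY_ID_V2 }}
            aws_secret_access_key=${{ secrets.AWS_SECRET_ACCESS_KEY_V2 }}
          write-mode: overwrite

      - name: Write AWS config 2
        uses: DamianReeves/write-file-action@v1.3
        with:
          path: /home/runner/.aws/config
          contents: |
            [profile virtuoso]
            role_arn = ${{ secrets.AWS_ROLE_ARN_V2 }}
            region = ${{ secrets.AWS_DEFAULT_REGION }}
            source_profile = virtuoso_user
          write-mode: overwrite

      # Fails the job early, before anything is built or published, when the
      # profile cannot list or write the release prefix.
      - name: Verify AWS credentials for release artifact distribution to S3
        run: |
          set -e
          echo "🔐 Verifying AWS credentials and S3 bucket access..."
          echo "📦 Target bucket: s3://nr-downloads-main/install/newrelic-cli/"
          echo "🔍 Testing S3 ListBucket permission..."
          if ! aws s3 ls s3://nr-downloads-main/install/newrelic-cli/ --profile virtuoso > /dev/null 2>&1; then
            echo "::error::❌ Failed to list S3 bucket. Please verify AWS credentials and s3:ListBucket permission."
            exit 1
          fi
          echo "✅ ListBucket permission verified"
          echo "📝 Creating test file for upload verification..."
          TIMESTAMP=$(date -u +"%d-%m-%Y_T%H%M%S")
          TEST_FILE_NAME="permission-check-${TIMESTAMP}.txt"
          S3_TEST_PATH="s3://nr-downloads-main/install/newrelic-cli/workflow_tester/${TEST_FILE_NAME}"
          echo "test-permission-check" > "/tmp/${TEST_FILE_NAME}"
          echo "🕒 Test file: ${TEST_FILE_NAME}"
          echo "⬆️ Testing S3 PutObject permission..."
          if ! aws s3 cp "/tmp/${TEST_FILE_NAME}" "${S3_TEST_PATH}" --profile virtuoso > /dev/null 2>&1; then
            echo "::error::❌ Failed to upload to S3 bucket. Please verify s3:PutObject permission."
            rm -f "/tmp/${TEST_FILE_NAME}"
            exit 1
          fi
          echo "✅ PutObject permission verified"
          echo "🧹 Cleaning up test artifacts..."
          aws s3 rm "${S3_TEST_PATH}" --profile virtuoso > /dev/null 2>&1 || true
          rm -f "/tmp/${TEST_FILE_NAME}"
          echo "✅ AWS S3 permissions validated successfully - ready for release artifact distribution!"

      - name: Publish Release
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          SNAPCRAFT_TOKEN: ${{ secrets.SNAPCRAFT_TOKEN }}
          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
          # Passed through the environment instead of being expanded into the
          # script text, so the values are never parsed as shell syntax.
          GIT_SERVICE_ACCOUNT_USERNAME: ${{ secrets.NEW_RELIC_GITHUB_SERVICE_ACCOUNT_USERNAME }}
          GIT_SERVICE_ACCOUNT_EMAIL: ${{ secrets.NEW_RELIC_GITHUB_SERVICE_ACCOUNT_EMAIL }}
        run: |
          git config --global user.name "$GIT_SERVICE_ACCOUNT_USERNAME"
          git config --global user.email "$GIT_SERVICE_ACCOUNT_EMAIL"
          # removes git's file permission changes tracking as goreleaser's before hook uses 'chmod' for win_metadat*.sh
          git config core.fileMode false
          mkdir -p "$HOME/.cache/snapcraft/download"
          mkdir -p "$HOME/.cache/snapcraft/stage-packages"
          make snapshot
          ./scripts/release.sh
          chmod +x scripts/win_metadata.sh scripts/win_metadata_files_remove.sh
          # creates the `versioninfo.json` file with version info for the Windows binary
          ./scripts/win_metadata.sh
          # NOTE(review): @latest is resolved at run time, so the tool that
          # generates resources for the signed Windows binary can change
          # between releases without review. Pin a reviewed version.
          go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@latest
          # Invokes 'goversioninfo' and uses the 'goversion directive' inside 'main.go' to create 'resource_windows.syso'
          # that 'goreleaser' will need in its build step
          go generate cmd/newrelic/main.go
          make release-publish
          ./scripts/win_metadata_files_remove.sh

      - name: Sign newrelic.exe
        shell: bash
        env:
          PFX_CONTENT: ${{ secrets.PFX_BASE64_CONTENT }}
          PFX_PASSWORD: ${{ secrets.PFX_CERT_PASSWORD }}
        run: |
          # Remove the decoded certificate even when a later command fails.
          trap 'rm -f cert.pfx' EXIT
          echo "$PFX_CONTENT" | base64 -d > cert.pfx
          sudo apt-get install osslsigncode -y
          sudo mv dist/newrelic_windows_amd64_v1/newrelic.exe dist/newrelic_windows_amd64_v1/newrelic-unsigned.exe
          osslsigncode sign -pkcs12 cert.pfx -pass "$PFX_PASSWORD" -h sha256 -t http://timestamp.digicert.com \
            -in dist/newrelic_windows_amd64_v1/newrelic-unsigned.exe -out dist/newrelic_windows_amd64_v1/newrelic.exe
          rm -f cert.pfx dist/newrelic_windows_amd64_v1/newrelic-unsigned.exe

      # Note the uploaded binary is downloaded and used in the release-windows-installer job
      - name: Upload Windows binary to GitHub
        uses: actions/upload-artifact@v4
        with:
          name: windows-binary
          path: dist/newrelic_windows_amd64_v1/newrelic.exe

      # Rebuilds the Windows archive so that it contains the signed binary.
      - name: Re-do Windows_x86_64.zip
        run: |
          VERSION=$(ls dist/*Windows_x86_64.zip | cut -d_ -f2)
          rm -f dist/newrelic-cli_${VERSION}_Windows_x86_64.zip
          zip -q dist/newrelic-cli_${VERSION}_Windows_x86_64.zip dist/newrelic_windows_amd64_v1/newrelic.exe

      - name: Upload Unix based install script to AWS
        id: upload-install-script
        run: |
          aws s3 cp ./scripts/install.sh s3://nr-downloads-main/install/newrelic-cli/scripts/install.sh --profile virtuoso

      - name: Get latest tag
        id: get-latest-tag
        uses: actions-ecosystem/action-get-latest-tag@v1

      - name: Get latest release upload URL
        id: get-latest-release-upload-url
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        # The `::set-output` workflow command is deprecated; step outputs are
        # written to the file named by $GITHUB_OUTPUT.
        run: echo "upload_url=$(./scripts/get_latest_release_upload_url.sh)" >> "$GITHUB_OUTPUT"

      - name: Copy checksum files and validate
        id: copy-checksums
        shell: bash
        run: |
          # Find the checksum file and validate
          CHECKSUM_FILE=$(find dist -name "newrelic-cli_*_checksums.txt")
          if [ -z "$CHECKSUM_FILE" ]; then
            echo "::error::Original checksum file not found in dist directory"
            exit 1
          fi
          # Extract version and validate
          VERSION=$(echo "$CHECKSUM_FILE" | cut -d_ -f2)
          if [ -z "$VERSION" ]; then
            echo "::error::Could not extract version from checksum filename"
            exit 1
          fi
          echo "Found version: $VERSION"
          # Copy checksum file and validate
          cp "$CHECKSUM_FILE" "dist/checksums_sha256.txt"
          if [ ! -f "dist/checksums_sha256.txt" ]; then
            echo "::error::Failed to create checksums_sha256.txt"
            exit 1
          fi
          echo "Created checksums_sha256.txt successfully"
          # Create signature and validate
          gpg --batch --yes -u "4F9A9B5B96EC30B9" \
            --output "dist/checksums_sha256.txt.sig" \
            --detach-sign \
            "dist/checksums_sha256.txt"
          if [ ! -f "dist/checksums_sha256.txt.sig" ]; then
            echo "::error::Failed to create signature file"
            exit 1
          fi
          echo "Created checksums_sha256.txt.sig successfully"

      - name: Upload checksums file
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        with:
          upload_url: ${{ steps.get-latest-release-upload-url.outputs.upload_url }}
          asset_path: ./dist/checksums_sha256.txt
          asset_name: checksums_sha256.txt
          asset_content_type: text/plain

      - name: Upload checksums signature
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
        with:
          upload_url: ${{ steps.get-latest-release-upload-url.outputs.upload_url }}
          asset_path: ./dist/checksums_sha256.txt.sig
          asset_name: checksums_sha256.txt.sig
          asset_content_type: text/plain

      - name: Create currentVersion.txt
        id: create-current-version
        uses: "finnp/create-file-action@master"
        env:
          FILE_NAME: "currentVersion.txt"
          FILE_DATA: "${{ steps.get-latest-tag.outputs.tag }}"

      - name: Upload currentVersion.txt
        id: upload-current-version
        run: |
          aws s3 cp currentVersion.txt s3://nr-downloads-main/install/newrelic-cli/currentVersion.txt --profile virtuoso --cache-control no-cache

      - name: Upload release artifacts to AWS
        id: upload-release-artifacts
        env:
          # The tag is read from the environment and quoted below, so a tag
          # name is never spliced into the script as shell text.
          RELEASE_TAG: ${{ steps.get-latest-tag.outputs.tag }}
        run: |
          # An empty tag would publish to the wrong prefix; stop instead.
          : "${RELEASE_TAG:?release tag is empty}"
          aws s3 cp --recursive --exclude "*" \
            --include "newrelic-cli_*.txt" --include "newrelic-cli_*.sig" \
            --include "newrelic-cli_*.zip" --include "newrelic-cli_*.gz" \
            --include "newrelic-cli_*.rpm" --include "newrelic-cli_*.deb" \
            --include "newrelic_*" \
            ./dist "s3://nr-downloads-main/install/newrelic-cli/${RELEASE_TAG}/" --profile virtuoso

      - name: Cleanup configs
        # Runs even when an earlier step failed, so the credential files are
        # removed on every path through the job.
        if: always()
        run: |
          rm -rf /home/runner/.aws/credentials
          rm -rf /home/runner/.aws/config

  release-windows-installer:
    if: github.ref == 'refs/heads/main'
    needs: release
    uses: newrelic/newrelic-cli/.github/workflows/release-windows-installer.yml@main
    secrets:
      PFX_BASE64_CONTENT: ${{ secrets.PFX_BASE64_CONTENT }}
      PFX_CERT_PASSWORD: ${{ secrets.PFX_CERT_PASSWORD }}
      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}

  publish:
    if: github.ref == 'refs/heads/main'
    needs: release-windows-installer
    uses: newrelic/newrelic-cli/.github/workflows/release-publish-windows.yml@main
    secrets:
      RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
      DEV_TOOLKIT_TOKEN: ${{ secrets.DEV_TOOLKIT_TOKEN }}
      CHOCOLATEY_API_KEY: ${{ secrets.CHOCOLATEY_API_KEY }}
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_V2 }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_V2 }}
      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN_V2 }}
      AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}

  snapshot:
    if: github.ref == 'refs/heads/main'
    uses: newrelic/newrelic-cli/.github/workflows/snapshot.yml@main
    secrets:
      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}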