Skip to content

[Secure Build] New workflow to pull packages #1137

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
sean-breen merged 13 commits into from
Jun 20, 2025
Merged

[Secure Build] New workflow to pull packages #1137

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
7b2d749
add verifier script
sean-breen Jun 10, 2025
1a8cd2a
rework
sean-breen Jun 10, 2025
feb8bf6
make CERT and KEY optional
sean-breen Jun 10, 2025
21d066e
update comments, now prints the download location for each package
sean-breen Jun 13, 2025
5ac1d93
Merge branch 'main' into secure_workflow
sean-breen Jun 18, 2025
5b0683b
add new workflow to download signed packages and add them to azure + …
sean-breen Jun 18, 2025
9e0414c
remove old steps
sean-breen Jun 18, 2025
4e907cc
tidy
sean-breen Jun 18, 2025
af5fb03
remove references to v3 from release-branch.yml
sean-breen Jun 18, 2025
38043fc
fix script path
sean-breen Jun 18, 2025
7eec116
handle alpine package naming for Azure
sean-breen Jun 18, 2025
5861758
add Azure logout
sean-breen Jun 18, 2025
c556396
use public runner
sean-breen Jun 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 4 additions & 46 deletions .github/workflows/release-branch.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ on:
default: false
type: boolean
createPullRequest:
description: 'Create pull request back into v3'
description: 'Create pull request back into main'
default: false
type: boolean
releaseBranch:
Expand Down Expand Up @@ -262,23 +262,6 @@ jobs:
echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}
make package

- name: Azure Login
if: ${{ inputs.uploadAzure == true }}
uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Azure Upload Release Packages
if: ${{ inputs.uploadAzure == true }}
uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
with:
inlineScript: |
for i in ./build/azure/packages/nginx-agent*; do
echo "Uploading ${i} to nginx-agent/${GITHUB_REF##*/}/${i##*/}"
az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
--account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/${GITHUB_REF##*/}/${i##*/}
done

- name: Install GPG tools
if: ${{ inputs.publishPackages == true }}
run: |
Expand All @@ -302,34 +285,9 @@ jobs:
run: |
make release

- name: Upload Release Assets
if: ${{ needs.vars.outputs.github_release == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# clobber overwrites existing assets of the same name
run: |
gh release upload --clobber v${{ inputs.packageVersion }} \
$(find ./build/github/packages -type f \( -name "*.deb" -o -name "*.rpm" -o -name "*.pkg" -o -name "*.apk" \))

- name: Publish Github Release
if: ${{ needs.vars.outputs.github_release == 'true' }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const {RELEASE_ID} = process.env
const release = (await github.rest.repos.updateRelease({
owner: context.payload.repository.owner.login,
repo: context.payload.repository.name,
release_id: `${RELEASE_ID}`,
draft: false,
}))
console.log(`Release published: ${release.data.html_url}`)
env:
RELEASE_ID: ${{ needs.release-draft.outputs.release_id }}

merge-release:
if: ${{ needs.vars.outputs.create_pull_request == 'true' }}
name: Merge release branch back into V3 branch
name: Merge release branch back into main branch
runs-on: ubuntu-22.04
needs: [vars,tag-release]
permissions:
Expand All @@ -346,11 +304,11 @@ jobs:
script: |
const { repo, owner } = context.repo;
const result = await github.rest.pulls.create({
title: 'Merge ${{ github.ref_name }} back into v3',
title: 'Merge ${{ github.ref_name }} back into main',
owner,
repo,
head: '${{ github.ref_name }}',
base: 'v3',
base: 'main',
body: [
'This PR is auto-generated by the release workflow.'
].join('\n')
Expand Down
102 changes: 102 additions & 0 deletions .github/workflows/upload-release-assets.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
name: Publish Release packages

on:
workflow_dispatch:
inputs:
pkgRepo:
description: "Source repository to pull packages from"
type: string
default: ""
pkgVersion:
description: 'Agent version'
type: string
default: ""
uploadAzure:
description: 'Publish packages Azure storage'
type: boolean
default: false
uploadGithub:
description: 'Publish packages to GitHub release'
type: boolean
default: false

defaults:
run:
shell: bash

permissions:
contents: read

jobs:
vars:
name: Set workflow variables
runs-on: ubuntu-22.04
outputs:
github_release: ${{steps.vars.outputs.github_release }}
upload_azure: ${{steps.vars.outputs.upload_azure }}
steps:
- name: Checkout Repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ inputs.releaseBranch }}

- name: Set variables
id: vars
run: |
echo "github_release=${{ inputs.uploadGithub }}" >> $GITHUB_OUTPUT
echo "upload_azure=${{ inputs.uploadAzure }}" >> $GITHUB_OUTPUT
cat $GITHUB_OUTPUT

upload-release-assets:
name: Upload assets
runs-on: ubuntu-22.04
needs: [vars]
steps:
- name: Checkout Repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
ref: ${{ inputs.releaseBranch }}

- name: Azure Login
if: ${{ inputs.uploadAzure == true }}
uses: azure/login@8c334a195cbb38e46038007b304988d888bf676a # v2.0.0
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Download Packages
run:
|
echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
PKG_REPO=${{inputs.pkgRepo}} CERT=${{secrets.PUBTEST_CERT}} KEY=${{secrets.PUBTEST_KEY}} DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"

- name: Azure Upload Release Packages
if: ${{ inputs.uploadAzure == true }}
uses: azure/CLI@965c8d7571d2231a54e321ddd07f7b10317f34d9 # v2.0.0
with:
inlineScript: |
for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
dest="nginx-agent/${GITHUB_REF##*/}/${i##*/}"
if [[ "$i" == *.apk ]]; then
ver=$(echo "$i" | grep -o -e "v[0-9]*\.[0-9]*")
arch=$(echo "$i" | grep -o -F -e "x86_64" -e "aarch64")
dest="nginx-agent/${GITHUB_REF##*/}/nginx-agent-$VER-$ver-$arch.apk"
fi
echo "Uploading ${i} to ${dest}"
az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
--account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}
done

- name: Azure Logout
run: |
az logout
if: always()

- name: GitHub Upload Release Assets
if: ${{ needs.vars.outputs.github_release == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# clobber overwrites existing assets of the same name
run: |
gh release upload --clobber v${{ inputs.pkgVersion }} \
$(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")