diff --git a/.drone.yml b/.drone.yml
index 94a7b8650b3de..6b9e5134213f7 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -516,11 +516,11 @@ image_pull_secrets:
 ################################################
 # Generated using dronegen, do not edit by hand!
 # Use 'make dronegen' to update.
-# Generated at dronegen/mac.go (main.newDarwinPipeline)
+# Generated at dronegen/gha.go (main.ghaBuildPipeline)
 ################################################
 
 kind: pipeline
-type: exec
+type: kubernetes
 name: push-build-darwin-amd64
 trigger:
   event:
@@ -536,165 +536,60 @@ trigger: - master - branch/* workspace: - path: /tmp/push-build-darwin-amd64 -platform: - os: darwin - arch: amd64 + path: /go clone: disable: true -concurrency: - limit: 1 steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 - name: Check out code + image: docker:git + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Install Go Toolchain - commands: - - set -u - - mkdir -p 
/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz - - tar -C /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains -xzf $RUNTIME.darwin-amd64.tar.gz - - rm -rf $RUNTIME.darwin-amd64.tar.gz - environment: - RUNTIME: go1.20.3 -- name: Install Rust Toolchain - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - rustup toolchain install $RUST_VERSION - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Install Node Toolchain - commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Build Mac artifacts (binaries and Teleport Connect) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH - - rustup override set $RUST_VERSION - - export PATH=$TOOLCHAIN_DIR/go/bin:$PATH - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - build.assets/build-fido2-macos.sh build - - export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)" - - make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes - - export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - print-version) - - export BUILD_NUMBER=$DRONE_BUILD_NUMBER - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83 - - export CONNECT_TSH_BIN_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build/tsh - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - yarn install && yarn build-term && yarn package-term -c.extraMetadata.version=$VERSION - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/push-build-darwin-amd64/go/cache - GOPATH: /tmp/push-build-darwin-amd64/go - OS: darwin - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Clean up toolchains (post) - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - export 
CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rustup override unset - - rustup toolchain uninstall $RUST_VERSION - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Send Slack notification (exec) +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - |2 - - export DRONE_BUILD_LINK="${DRONE_SYSTEM_PROTO}://${DRONE_SYSTEM_HOSTNAME}/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/${DRONE_BUILD_NUMBER}" - export GOOS=$(go env GOOS) - export GOARCH=$(go env GOARCH) - - |2- - - curl -sL -X POST -H 'Content-type: application/json' --data "{\"text\":\"Warning: \`${GOOS}-${GOARCH}\` artifact build failed for [\`${DRONE_REPO_NAME}\`] - please investigate immediately!\nBranch: \`${DRONE_BRANCH}\`\nCommit: \`${DRONE_COMMIT_SHA}\`\nLink: $DRONE_BUILD_LINK\"}" $SLACK_WEBHOOK_DEV_TELEPORT + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 1h0m0s -workflow release-mac-amd64.yaml -workflow-ref=${DRONE_BRANCH} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_COMMIT} + -input "build-packages=false" -input "release-artifacts=false" ' environment: - SLACK_WEBHOOK_DEV_TELEPORT: + GHA_APP_KEY: + from_secret: 
GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack + settings: + webhook: from_secret: SLACK_WEBHOOK_DEV_TELEPORT + template: + - | + *{{#success build.status}}✔{{ else }}✘{{/success}} {{ uppercasefirst build.status }}: Build #{{ build.number }}* (type: `{{ build.event }}`) + `${DRONE_STAGE_NAME}` artifact build failed. + *Warning:* This is a genuine failure to build the Teleport binary from `{{ build.branch }}` (likely due to a bad merge or commit) and should be investigated immediately. + Commit: + Branch: + Author: + <{{ build.link }}|Visit Drone build page ↗> when: status: - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS --- ################################################ @@ -4421,11 +4316,11 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go (main.newDarwinPipeline) +# Generated at dronegen/gha.go (main.ghaBuildPipeline) ################################################ kind: pipeline -type: exec +type: kubernetes name: build-darwin-amd64 trigger: event: 
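Review bot: The new `Check out code` step's `ssh-keyscan -H github.com > /root/.ssh/known_hosts` line accepts whatever host key the network returns at build time, so the `git submodule update --init e` that follows (authenticated with the `GITHUB_PRIVATE_KEY` deploy key) runs with no pinned server identity; the removed exec-runner version had the same trust-on-first-use pattern, but this rewrite is the moment to close it. Writing the known_hosts entry from a pinned value instead, e.g. `- printf '%s\n' "$GITHUB_HOST_KEY" > /root/.ssh/known_hosts` (constructed variable name — source it from a file in the repo or a Drone secret; the step's `environment` shows no such value today), removes the window in which an interposed host would be trusted. The same line appears in the tag pipeline's checkout step in the `@@ -4438` hunk. Because `.drone.yml` is generated, the change belongs in `dronegen/gha.go` (`main.ghaBuildPipeline`) and `dronegen/tag.go` (`main.tagPipeline`), followed by `make dronegen`.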
@@ -4438,130 +4333,165 @@ trigger: include: - gravitational/* workspace: - path: /tmp/build-darwin-amd64 -platform: - os: darwin - arch: amd64 + path: /go clone: disable: true -depends_on: -- clean-up-previous-build -concurrency: - limit: 1 steps: -- name: Set up exec runner storage +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 1h0m0s -workflow release-mac-amd64.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-packages=true" -input "release-artifacts=true" ' environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack + settings: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + template: + - | + *{{#success build.status}}✔{{ else }}✘{{/success}} {{ uppercasefirst build.status }}: Build #{{ build.number }}* (type: `{{ build.event }}`) + `${DRONE_STAGE_NAME}` 
artifact build failed. + *Warning:* This is a genuine failure to build the Teleport binary from `{{ build.branch }}` (likely due to a bad merge or commit) and should be investigated immediately. + Commit: + Branch: + Author: + <{{ build.link }}|Visit Drone build page ↗> + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/tag.go (main.tagPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-linux-arm +environment: + BUILDBOX_VERSION: teleport13 + RUNTIME: go1.20.3 +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +depends_on: +- clean-up-previous-build +steps: - name: Check out code + image: docker:git + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport + - mkdir -p /go/src/github.com/gravitational/teleport + - cd /go/src/github.com/gravitational/teleport - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt + - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa + && chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - rm -f /root/.ssh/id_rsa + - mkdir -p /go/cache /go/artifacts + - |- + VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) + if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then + echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" + exit 1 + fi + echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Install Go Toolchain +- name: Wait for docker + image: docker + pull: if-not-exists commands: - - set -u - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz - - tar -C /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains -xzf $RUNTIME.darwin-amd64.tar.gz - - rm -rf $RUNTIME.darwin-amd64.tar.gz - environment: - RUNTIME: go1.20.3 -- name: Install Rust Toolchain - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export RUST_VERSION=$(make -C 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - rustup toolchain install $RUST_VERSION - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Install Node Toolchain + - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' + - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin + environment: + DOCKERHUB_PASSWORD: + from_secret: DOCKERHUB_READONLY_TOKEN + DOCKERHUB_USERNAME: + from_secret: DOCKERHUB_USERNAME + volumes: + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Build artifacts + image: docker + pull: if-not-exists commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Build Mac artifacts (binaries) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export 
NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH - - rustup override set $RUST_VERSION - - export PATH=$TOOLCHAIN_DIR/go/bin:$PATH - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - build.assets/build-fido2-macos.sh build - - export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)" - - make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/build-darwin-amd64/go/cache - GOPATH: /tmp/build-darwin-amd64/go - OS: darwin - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Copy Mac artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cp teleport*.tar.gz $WORKSPACE_DIR/go/artifacts - - cp e/teleport-ent*.tar.gz $WORKSPACE_DIR/go/artifacts - - cd $WORKSPACE_DIR/go/artifacts && for FILE in teleport*.tar.gz; do shasum -a 256 - $FILE > $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 + - apk add --no-cache make + - chown -R $UID:$GID /go + - cd /go/src/github.com/gravitational/teleport + - make -C build.assets release-arm + environment: + ARCH: arm + GID: "1000" + GOCACHE: /go/cache + GOPATH: /go + OS: linux + UID: "1000" + volumes: + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Copy artifacts + image: docker + pull: if-not-exists + commands: + - cd 
/go/src/github.com/gravitational/teleport + - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts + \; + - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts + \; + - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; + done && ls -l - name: Assume AWS Role + image: amazon/aws-cli + pull: if-not-exists commands: - aws sts get-caller-identity - |- @@ -4571,7 +4501,7 @@ steps: --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ --output text) \ - > /tmp/build-darwin-amd64/credentials + > /root/.aws/credentials - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - aws sts get-caller-identity --profile default environment: @@ -4581,19 +4511,25 @@ steps: from_secret: AWS_ROLE AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 + image: amazon/aws-cli + pull: if-not-exists commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts + - cd /go/artifacts/ - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64 + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts + image: docker + pull: if-not-exists commands: - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") @@ -4611,7 +4547,7 @@ steps: [ -f "$file.sha256" ] || continue name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel" + description="Linux ARMv7 (32-bit)" products="$name" if [ "$name" = "tsh" ]; then products="teleport teleport-ent" 
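Review bot: The tag pipeline's checkout writes the deploy key with `echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa`, while the push pipeline in the `@@ -536` hunk writes it with `echo "$GITHUB_PRIVATE_KEY"`, and the two blocks otherwise repeat each other line for line; ssh accepts both forms, but the drift shows the checkout commands are emitted separately by `dronegen/tag.go` and `dronegen/gha.go` and will keep diverging. Factoring the checkout into one shared dronegen helper would keep the key handling (`mkdir -m 0700`, `chmod 600`, the trailing `rm -f /root/.ssh/id_rsa`) identical across pipelines. Note also that this pipeline still checks out with the unchanged context line `git checkout ${DRONE_TAG:-$DRONE_COMMIT}`, whereas the new push pipeline pins `git checkout -qf "${DRONE_COMMIT_SHA}"`; a tag can be re-pointed while a SHA cannot, so checking out the SHA here as well (with the tag used only for naming and the added Makefile-vs-tag version check) would be the more defensive choice.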
@@ -4634,650 +4570,35 @@ steps: release_params="$release_params -F releaseId=$product@$VERSION" done - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; + curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; done environment: RELEASES_CERT: from_secret: RELEASES_CERT RELEASES_KEY: from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Clean up toolchains (post) - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rustup override unset - - rustup toolchain uninstall $RUST_VERSION - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run +volumes: +- name: awsconfig + temp: {} +- name: dockersock + temp: {} +- name: dockerconfig + temp: {} +image_pull_secrets: +- DOCKERHUB_CREDENTIALS --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. 
-# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-pkg -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-pkg -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64 -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /tmp/build-darwin-amd64-pkg/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials -- name: Download built tarball artifacts from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Build Mac pkg release artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export HOME=/Users/build - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - make pkg OS=$OS ARCH=$ARCH - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - ENT_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts - OS: darwin - OSS_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Copy Mac pkg artifacts - commands: - - set -u - - cd 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz - - cp build/teleport*.pkg e/build/teleport-ent*.pkg $WORKSPACE_DIR/go/artifacts/ - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > - $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Register artifacts - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel .pkg installer" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-pkg-tsh -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-pkg-tsh -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64 -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /tmp/build-darwin-amd64-pkg-tsh/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials -- name: Download built tarball artifacts from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Build Mac pkg release artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export HOME=/Users/build - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - make pkg-tsh OS=$OS ARCH=$ARCH - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - ENT_TARBALL_PATH: /tmp/build-darwin-amd64-pkg-tsh/go/artifacts - OS: darwin - OSS_TARBALL_PATH: /tmp/build-darwin-amd64-pkg-tsh/go/artifacts - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Copy Mac pkg artifacts - 
commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz - - cp build/tsh*.pkg $WORKSPACE_DIR/go/artifacts/ - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > - $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Register artifacts - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel .pkg installer (tsh client only)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm -environment: - BUILDBOX_VERSION: teleport13 - RUNTIME: go1.20.3 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-arm - environment: - ARCH: arm - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - 
image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaBuildPipeline) +# Generated at dronegen/gha.go (main.ghaBuildPipeline) ################################################ kind: pipeline 
@@ -8266,239 +7587,6 @@ steps: image_pull_secrets: - DOCKERHUB_CREDENTIALS ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-connect -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-connect -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64-pkg-tsh -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Install Node Toolchain - commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) 
\ - > /tmp/build-darwin-amd64-connect/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials -- name: Download tsh.pkg artifact from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}tsh-$${VERSION}.pkg $WORKSPACE_DIR/go/src/github.com/gravitational/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Build Mac artifacts (Teleport Connect) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - print-version) - - export BUILD_NUMBER=$DRONE_BUILD_NUMBER - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83 - - cd $WORKSPACE_DIR/go/src/github.com/gravitational - - pkgutil --expand-full tsh-$${VERSION}.pkg tsh - - export CONNECT_TSH_APP_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/tsh/Payload/tsh.app - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - yarn install && yarn build-term && yarn package-term 
-c.extraMetadata.version=$VERSION - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/build-darwin-amd64-connect/go/cache - GOPATH: /tmp/build-darwin-amd64-connect/go - OS: darwin - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Copy dmg artifact - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release - - cp *.dmg $WORKSPACE_DIR/go/artifacts - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.dmg; do shasum -a 256 "$FILE" - > "$FILE.sha256"; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Register artifact - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Clean up toolchains (post) - commands: - - set -u - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect - --- ################################################ # Generated using dronegen, do not edit by hand! 
@@ -21263,6 +20351,6 @@ image_pull_secrets: - DOCKERHUB_CREDENTIALS --- kind: signature -hmac: c255d7bcc4b43ec74779c9871d4e62027758bf42023e4144c59a4fb5116a96f8 +hmac: 101989203bdefb320f8daace5e6e6bf4b4e032c42b4fd22ace1acb54fe284880 ... diff --git a/dronegen/aws.go b/dronegen/aws.go index 33c925d40ce2f..04176c094bf7c 100644 --- a/dronegen/aws.go +++ b/dronegen/aws.go @@ -38,15 +38,6 @@ type kubernetesRoleSettings struct { append bool } -// macRoleSettings contains the info necessary to assume an AWS role and save the credentials to a path that later steps can use -type macRoleSettings struct { - awsRoleSettings - configPath string - name string - profile string - append bool -} - // kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline type kubernetesS3Settings struct { region string @@ -104,23 +95,6 @@ func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step { } } -// macAssumeAwsRoleStep builds a step to assume an AWS role and save it to a host path that later steps can use -func macAssumeAwsRoleStep(s macRoleSettings) step { - if s.name == "" { - s.name = "Assume AWS Role" - } - return step{ - Name: s.name, - Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, - "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, - "AWS_ROLE": s.role, - "AWS_SHARED_CREDENTIALS_FILE": value{raw: s.configPath}, - }, - Commands: assumeRoleCommands(s.profile, s.configPath, s.append), - } -} - // kubernetesUploadToS3Step generates an S3 upload step func kubernetesUploadToS3Step(s kubernetesS3Settings) step { return step{ diff --git a/dronegen/gha.go b/dronegen/gha.go index 9ab3dcbb6b58c..af9082d897e5f 100644 --- a/dronegen/gha.go +++ b/dronegen/gha.go @@ -16,8 +16,11 @@ package main import ( "fmt" + "sort" "strings" "time" + + "golang.org/x/exp/maps" ) type ghaBuildType struct { 
@@ -54,8 +57,12 @@ func ghaBuildPipeline(b ghaBuildType) pipeline { fmt.Fprintf(&cmd, `-input oss-teleport-ref=${%s} `, b.srcRefVar) } - for k, v := range b.inputs { - fmt.Fprintf(&cmd, `-input "%s=%s" `, k, v) + // Sort inputs so the are output in a consistent order to avoid + // spurious changes in the generated drone config. + keys := maps.Keys(b.inputs) + sort.Strings(keys) + for _, k := range keys { + fmt.Fprintf(&cmd, `-input "%s=%s" `, k, b.inputs[k]) } p.Steps = []step{ diff --git a/dronegen/mac.go b/dronegen/mac.go deleted file mode 100644 index 2b85fe45a2473..0000000000000 --- a/dronegen/mac.go +++ /dev/null 
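Review bot: The rewritten `fmt.Fprintf(&cmd, `-input "%s=%s" `, k, b.inputs[k])` still splices each key and value into a double-quoted shell argument with no escaping, so a value containing `"`, `$`, a backtick or a backslash would break out of the quotes in the generated Drone command; the inputs look like static strings supplied from dronegen itself, but a one-line guard such as `if strings.ContainsAny(k+b.inputs[k], "\"$`\\") { panic("unsafe gha input: " + k) }` at the top of the loop would make that assumption explicit (this file already imports `strings`). The new comment has a typo and should read `// Sort inputs so they are output in a consistent order to avoid`. Pulling in `golang.org/x/exp/maps` just for `maps.Keys` adds an unstable module with no compatibility promise; the same thing is a two-line `keys := make([]string, 0, len(b.inputs))` plus `for k := range b.inputs { keys = append(keys, k) }` before `sort.Strings(keys)`, which would also drop the import added in the earlier hunk. ghaBuildPipeline's body begins and ends outside this hunk.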
@@ -1,621 +0,0 @@ -// Copyright 2021 Gravitational, Inc -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "fmt" - "path" - "path/filepath" -) - -const ( - perBuildDir = "/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED" - perBuildToolchainsDir = perBuildDir + "/toolchains" - perBuildCargoDir = perBuildToolchainsDir + "/cargo" - perBuildRustupDir = perBuildToolchainsDir + "/rustup" -) - -// escapedPreformatted returns expr wrapped in escaped backticks, -// resulting in Slack "preformatted" string, but safe to use in bash -// without triggering the command expansion. -// This is useful for use in Go backtick literals, -// where backticks can not be escaped in any way. 
-func escapedPreformatted(expr string) string { - return fmt.Sprintf("\\`%s\\`", expr) -} - -func newDarwinPipeline(name string) pipeline { - p := newExecPipeline(name) - p.Workspace.Path = path.Join("/tmp", name) - p.Concurrency.Limit = 1 - p.Platform = platform{OS: "darwin", Arch: "amd64"} - return p -} - -func darwinConnectDmgPipeline() pipeline { - b := buildType{os: "darwin", arch: "amd64"} - toolchainConfig := toolchainConfig{nodejs: true} - artifactConfig := onlyConnectWithBundledTshApp - - p := newDarwinPipeline("build-darwin-amd64-connect") - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{"build-darwin-amd64-pkg-tsh"} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)...) 
- p.Steps = append(p.Steps, []step{ - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Download tsh.pkg artifact from S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinConnectDownloadArtifactCommands(), - }, - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - { - Name: "Copy dmg artifact", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinConnectCopyDmgArtifactCommands(), - }, - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinUploadToS3Commands(), - }, - { - Name: "Register artifact", - // Connect's artifact description is automatically generated based on the filename so we pass - // no packageType and extraQualifications. 
- Commands: tagCreateReleaseAssetCommands(b, "", nil), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - }..., - ) - return p -} - -func darwinPushPipeline() pipeline { - b := buildType{os: "darwin", arch: "amd64"} - toolchainConfig := toolchainConfig{golang: true, rust: true, nodejs: true} - artifactConfig := binariesWithConnect - - p := newDarwinPipeline("push-build-darwin-amd64") - p.Trigger = trigger{ - Event: triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}}, - Branch: triggerRef{Include: []string{"master", "branch/*"}}, - Repo: triggerRef{Include: []string{"gravitational/*"}}, - } - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: pushCheckoutCommandsDarwin(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)...) 
- p.Steps = append(p.Steps, []step{ - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - { - Name: "Send Slack notification (exec)", - Environment: map[string]value{"SLACK_WEBHOOK_DEV_TELEPORT": {fromSecret: "SLACK_WEBHOOK_DEV_TELEPORT"}}, - Commands: []string{ - ` -export DRONE_BUILD_LINK="${DRONE_SYSTEM_PROTO}://${DRONE_SYSTEM_HOSTNAME}/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/${DRONE_BUILD_NUMBER}" -export GOOS=$(go env GOOS) -export GOARCH=$(go env GOARCH) -`, - fmt.Sprintf(` -curl -sL -X POST -H 'Content-type: application/json' --data "{\"text\":\"Warning: %s artifact build failed for [%s] - please investigate immediately!\nBranch: %s\nCommit: %s\nLink: $DRONE_BUILD_LINK\"}" $SLACK_WEBHOOK_DEV_TELEPORT`, - escapedPreformatted("${GOOS}-${GOARCH}"), - escapedPreformatted("${DRONE_REPO_NAME}"), - escapedPreformatted("${DRONE_BRANCH}"), - escapedPreformatted("${DRONE_COMMIT_SHA}")), - }, - When: &condition{Status: []string{"failure"}}, - }, - }...) 
- return p -} - -func darwinTagPipeline() pipeline { - b := buildType{ - arch: "amd64", - os: "darwin", - } - toolchainConfig := toolchainConfig{golang: true, rust: true, nodejs: true} - artifactConfig := onlyBinaries - - p := newDarwinPipeline("build-darwin-amd64") - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{tagCleanupPipelineName} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)..., - ) - p.Steps = append(p.Steps, []step{ - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - { - Name: "Copy Mac artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinTagCopyPackageArtifactCommands(), - }, - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinUploadToS3Commands(), - }, - { - Name: "Register artifacts", - // Binaries built by this pipeline don't require extra description, so we don't pass - // packageType and extraQualifications. 
- Commands: tagCreateReleaseAssetCommands(b, "", nil), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - }...) - return p -} - -func pushCheckoutCommandsDarwin(artifactConfig darwinArtifactConfig) []string { - commands := []string{ - `set -u`, - `mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .`, - `git checkout ${DRONE_TAG:-$DRONE_COMMIT}`, - // suppressing the newline on the end of the private key makes git operations fail on MacOS - // with an error like 'Load key "/path/.ssh/id_rsa": invalid format' - `mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa`, - `ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null`, - `chmod 600 $WORKSPACE_DIR/.ssh/known_hosts`, - } - - commands = append(commands, - // fetch enterprise submodules - `GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts -F /dev/null' git submodule update --init e`, - `rm -rf $WORKSPACE_DIR/.ssh`, - `mkdir -p $WORKSPACE_DIR/go/cache`, - ) - - return commands -} - -func setUpExecStorageStep(path string) step { - return step{ - Name: "Set up exec runner storage", - Environment: map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - "set -u", - "mkdir -p $WORKSPACE_DIR", - "chmod -R u+rw $WORKSPACE_DIR", - "rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh", - }, - } -} - -type toolchainConfig struct { - golang bool - rust bool - nodejs bool -} - -func installToolchains(workspacePath string, config toolchainConfig) (steps []step) { - if config.golang { - 
steps = append(steps, installGoToolchainStep()) - } - - if config.rust { - steps = append(steps, installRustToolchainStep(workspacePath)) - } - - if config.nodejs { - steps = append(steps, installNodeToolchainStep(workspacePath)) - } - - return steps -} - -func installGoToolchainStep() step { - return step{ - Name: "Install Go Toolchain", - Environment: map[string]value{ - "RUNTIME": goRuntime, - }, - Commands: []string{ - `set -u`, - `mkdir -p ` + perBuildToolchainsDir, - `curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz`, - `tar -C ` + perBuildToolchainsDir + ` -xzf $RUNTIME.darwin-amd64.tar.gz`, - `rm -rf $RUNTIME.darwin-amd64.tar.gz`, - }, - } -} - -func installRustToolchainStep(path string) step { - return step{ - Name: "Install Rust Toolchain", - Environment: map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - `set -u`, - `export PATH=/Users/$(whoami)/.cargo/bin:$PATH`, // use the system-installed rustup to install our custom Rust version - `mkdir -p ` + perBuildToolchainsDir, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `export CARGO_HOME=` + perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=` + perBuildRustupDir, - `rustup toolchain install $RUST_VERSION`, - }, - } -} - -func installNodeToolchainStep(workspacePath string) step { - return step{ - Name: "Install Node Toolchain", - Environment: map[string]value{"WORKSPACE_DIR": {raw: workspacePath}}, - Commands: []string{ - `set -u`, - `export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-node-version)`, - `export TOOLCHAIN_DIR=` + perBuildToolchainsDir, - `export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64`, - `mkdir -p $TOOLCHAIN_DIR`, - `curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz`, - `tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz`, 
- `rm -f node-v$NODE_VERSION-darwin-x64.tar.gz`, - `export PATH=$NODE_DIR/bin:$PATH`, - `corepack enable yarn`, - `echo Node reporting version $(node --version)`, - `echo Yarn reporting version $(yarn --version)`, - }, - } -} - -func configureToolchainsCommands(config toolchainConfig) []string { - commands := []string{ - // HOME needs to be set to the actual home directory of a macOS user rather than the temporary - // directory that Drone sets it to by default. This way we're able to unlock Keychain which is - // needed for Connect signing. - // - // Hence, the toolchains are not installed within the temporary home dir but a separate - // TOOLCHAIN_DIR. Every pipeline in this file follows this pattern even though technically we - // need to unlock Keychain only for the build-darwin-amd64-connect pipeline. - `export HOME=/Users/$(whoami)`, - `export TOOLCHAIN_DIR=` + perBuildToolchainsDir, - } - - // Configure toolchains in descending order so that Node.js is added to PATH last. - // We expect that Node.js will add the most packages so we want to avoid any bin conflicts with Go - // or Rust toolchains. 
- if config.nodejs { - commands = append(commands, - `export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-node-version)`, - `export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64`, - `export PATH=$NODE_HOME/bin:$PATH`, - ) - } - - if config.rust { - commands = append(commands, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `export CARGO_HOME=`+perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=`+perBuildRustupDir, - `export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH`, - `rustup override set $RUST_VERSION`, - ) - } - - if config.golang { - commands = append(commands, - `export PATH=$TOOLCHAIN_DIR/go/bin:$PATH`, - ) - } - - return commands -} - -func cleanUpToolchainsStep(workspacePath string, config toolchainConfig) step { - step := step{ - Name: "Clean up toolchains (post)", - Environment: map[string]value{"WORKSPACE_DIR": {raw: workspacePath}}, - When: &condition{ - Status: []string{"success", "failure"}, - }, - Commands: []string{ - `set -u`, - }, - } - - if config.rust { - step.Commands = append(step.Commands, - `export PATH=/Users/$(whoami)/.cargo/bin:$PATH`, - `export CARGO_HOME=`+perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=`+perBuildRustupDir, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // clean up the rust toolchain even though we're about to delete the directory - // this ensures we don't leave behind a broken link - `rustup override unset`, - `rustup toolchain uninstall $RUST_VERSION`, - ) - } - - step.Commands = append(step.Commands, - `rm -rf `+perBuildDir, - ) - - return step -} - -func cleanUpExecStorageStep(path string) step { - return step{ - Name: "Clean up exec runner storage (post)", - Environment: 
map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - `set -u`, - `chmod -R u+rw $WORKSPACE_DIR`, - `rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh`, - }, - } -} - -func darwinTagCheckoutCommands(artifactConfig darwinArtifactConfig) []string { - return append( - pushCheckoutCommandsDarwin(artifactConfig), - `mkdir -p $WORKSPACE_DIR/go/artifacts`, - `echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt`, - `cat $WORKSPACE_DIR/go/.version.txt`, - ) -} - -// darwinArtifactConfig describes artifacts made by the build step in different macOS pipelines. -// -// On a commit push, we run one pipeline that builds artifacts (darwinPushPipeline). It uses -// binariesWithConnect as the artifact config as it only checks if we can still compile/build the -// artifacts after a commit lands in master. -// -// On a version tag push, we run two pipelines from this file that build artifacts. First we run -// darwinTagPipeline with onlyBinaries as the artifact config. It builds, among others, the tsh -// binary which later gets signed, bundled into tsh.app and packaged into a .pkg file. -// -// After that, we run darwinConnectDmgPipeline with onlyConnectWithBundledTshApp as the artifact -// config. darwinConnectDmgPipeline downloads the signed tsh.app bundle and puts it within Connect's -// own bundle. 
-type darwinArtifactConfig int - -const ( - onlyBinaries darwinArtifactConfig = iota - binariesWithConnect - onlyConnectWithBundledTshApp -) - -func buildMacArtifactsStep(workspacePath string, b buildType, toolchainConfig toolchainConfig, artifactConfig darwinArtifactConfig) step { - step := step{ - Name: "Build Mac artifacts", - Environment: map[string]value{ - "GOPATH": {raw: path.Join(workspacePath, "/go")}, - "GOCACHE": {raw: path.Join(workspacePath, "/go/cache")}, - "OS": {raw: b.os}, - "ARCH": {raw: b.arch}, - "WORKSPACE_DIR": {raw: workspacePath}, - "BUILDBOX_PASSWORD": {fromSecret: "BUILDBOX_PASSWORD"}, - "APPLE_USERNAME": {fromSecret: "APPLE_USERNAME"}, - "APPLE_PASSWORD": {fromSecret: "APPLE_PASSWORD"}, - }, - Commands: darwinBuildCommands(toolchainConfig, artifactConfig), - } - - var artifactDesc string - switch artifactConfig { - case onlyBinaries: - artifactDesc = "binaries" - case binariesWithConnect: - artifactDesc = "binaries and Teleport Connect" - case onlyConnectWithBundledTshApp: - artifactDesc = "Teleport Connect" - } - step.Name = step.Name + " (" + artifactDesc + ")" - - if artifactConfig == onlyConnectWithBundledTshApp { - // These credentials are necessary for the signing and notarization of Teleport Connect, which - // is built in to the Electron tooling. - // The rest of the mac artifacts are signed and notarized with gon in the darwin pkg pipeline. - step.Environment["APPLE_USERNAME"] = value{fromSecret: "APPLE_USERNAME"} - step.Environment["APPLE_PASSWORD"] = value{fromSecret: "APPLE_PASSWORD"} - } - - return step -} - -func darwinBuildCommands(toolchainConfig toolchainConfig, artifactConfig darwinArtifactConfig) []string { - commands := []string{ - `set -u`, - } - commands = append(commands, configureToolchainsCommands(toolchainConfig)...) - - // Commands for building binaries. 
- if artifactConfig == onlyBinaries || artifactConfig == binariesWithConnect { - commands = append(commands, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `build.assets/build-fido2-macos.sh build`, - `export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)"`, - `make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes`, - ) - } - - // Commands for building Teleport Connect. - if artifactConfig == binariesWithConnect || artifactConfig == onlyConnectWithBundledTshApp { - commands = append(commands, - `export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport print-version)`, - // BUILD_NUMBER is used by electron-builder to add an extra fourth integer to CFBundleVersion on macOS. - // This makes the full app version look like this: 9.3.5.12489 - // https://www.electron.build/configuration/configuration.html#Configuration-buildVersion - `export BUILD_NUMBER=$DRONE_BUILD_NUMBER`, - - // Unlock Keychain so that electron-builder can use developer ID cert for signing. - `security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain`, - `security find-identity -v`, - // CSC_NAME tells electron-builder which cert to use for signing when there are multiple certs - // available. - // https://www.electron.build/code-signing - `export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83`, - ) - - if artifactConfig == binariesWithConnect { - commands = append(commands, - `export CONNECT_TSH_BIN_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build/tsh`, - ) - } - - if artifactConfig == onlyConnectWithBundledTshApp { - commands = append(commands, - // Unpack tsh.pkg. 
- `cd $WORKSPACE_DIR/go/src/github.com/gravitational`, - `pkgutil --expand-full tsh-$${VERSION}.pkg tsh`, - `export CONNECT_TSH_APP_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/tsh/Payload/tsh.app`, - ) - } - - commands = append(commands, - // Build and package Connect - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // c.extraMetadata.version overwrites the version property from package.json to $VERSION - // https://www.electron.build/configuration/configuration.html#Configuration-extraMetadata - `yarn install && yarn build-term && yarn package-term -c.extraMetadata.version=$VERSION`, - ) - } - - return commands -} - -func darwinTagCopyPackageArtifactCommands() []string { - commands := []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // copy release archives to artifact directory - `cp teleport*.tar.gz $WORKSPACE_DIR/go/artifacts`, - `cp e/teleport-ent*.tar.gz $WORKSPACE_DIR/go/artifacts`, - // generate checksums - `cd $WORKSPACE_DIR/go/artifacts && for FILE in teleport*.tar.gz; do shasum -a 256 $FILE > $FILE.sha256; done && ls -l`, - } - - return commands -} - -func darwinConnectCopyDmgArtifactCommands() []string { - commands := []string{ - `set -u`, - // copy dmg to artifact directory - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release`, - `cp *.dmg $WORKSPACE_DIR/go/artifacts`, - // generate checksums - `cd $WORKSPACE_DIR/go/artifacts && for FILE in *.dmg; do shasum -a 256 "$FILE" > "$FILE.sha256"; done && ls -l`, - } - - return commands -} - -func darwinUploadToS3Commands() []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/artifacts`, - `aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}`, - } -} - -func darwinConnectDownloadArtifactCommands() []string { - return []string{ - `set -u`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - `export S3_PATH="tag/$${DRONE_TAG##v}/"`, - // Download tsh.pkg. 
 We're going to extract tsh.app from it which is then packaged within the
- // Teleport Connect bundle.
- `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}tsh-$${VERSION}.pkg $WORKSPACE_DIR/go/src/github.com/gravitational/`,
- }
-}
diff --git a/dronegen/mac_gha.go b/dronegen/mac_gha.go
new file mode 100644
index 0000000000000..9c886a20491b7
--- /dev/null
+++ b/dronegen/mac_gha.go
@@ -0,0 +1,65 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "time"
+
+// darwinTagPipelineGHA returns a pipeline that kicks off a tagged build of
+// the Mac (darwin) release assets on GitHub Actions. The action builds:
+// * a tarball of signed teleport binaries (teleport, tsh, tctl, tbot).
+// * a package with the Teleport binaries (teleport, tsh, tctl, tbot).
+// * a package with the tsh binary.
+// * a disk image (dmg) of Teleport Connect containing the signed tsh package.
+// These build assets are signed and notarized.
+func darwinTagPipelineGHA() pipeline {
+ bt := ghaBuildType{
+ buildType: buildType{os: "darwin", arch: "amd64"},
+ trigger: triggerTag,
+ pipelineName: "build-darwin-amd64",
+ ghaWorkflow: "release-mac-amd64.yaml",
+ srcRefVar: "DRONE_TAG",
+ workflowRef: "${DRONE_TAG}",
+ timeout: 60 * time.Minute,
+ slackOnError: true,
+ inputs: map[string]string{
+ "release-artifacts": "true",
+ "build-packages": "true",
+ },
+ }
+ return ghaBuildPipeline(bt)
+}
+
+// darwinPushPipelineGHA returns a pipeline that kicks off a push build of the
+// teleport binaries and the teleport connect dmg. The binaries are signed and
+// notarized even though we do not release these assets. This tests that the
+// signing and notarization process continues to work so we don't wait until
+// release time to discover breakage.
+func darwinPushPipelineGHA() pipeline {
+ bt := ghaBuildType{
+ buildType: buildType{os: "darwin", arch: "amd64"},
+ trigger: triggerPush,
+ pipelineName: "push-build-darwin-amd64",
+ ghaWorkflow: "release-mac-amd64.yaml",
+ srcRefVar: "DRONE_COMMIT",
+ workflowRef: "${DRONE_BRANCH}",
+ timeout: 60 * time.Minute,
+ slackOnError: true,
+ inputs: map[string]string{
+ "release-artifacts": "false",
+ "build-packages": "false",
+ },
+ }
+ return ghaBuildPipeline(bt)
+}
diff --git a/dronegen/mac_pkg.go b/dronegen/mac_pkg.go
deleted file mode 100644
index 20ed18e3d4d8c..0000000000000
--- a/dronegen/mac_pkg.go
+++ /dev/null
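Review bot: darwinTagPipelineGHA and darwinPushPipelineGHA fill the same ghaBuildType and differ only in trigger, pipelineName, srcRefVar, workflowRef and the two input values, so the workflow file name, timeout and slackOnError are duplicated and can silently drift; a helper that applies the shared fields keeps them in one place. The push variant also dispatches the workflow at `${DRONE_BRANCH}` rather than `${DRONE_TAG}`, and its doc comment says the output is still signed and notarized, so the comment should state that the workflow definition executed is the one on the pushed branch — presumably the access the GitHub Actions side grants to the signing secrets is what bounds this, and that assumption is worth writing down. For example: `// The workflow runs from the pushed branch's copy of release-mac-amd64.yaml, so access to the signing secrets is governed on the GitHub Actions side.`
```go
// darwinGHABuildType fills the fields shared by the darwin tag and push
// pipelines; callers set only the trigger, names, refs and workflow inputs.
func darwinGHABuildType(bt ghaBuildType) ghaBuildType {
	bt.buildType = buildType{os: "darwin", arch: "amd64"}
	bt.ghaWorkflow = "release-mac-amd64.yaml"
	bt.timeout = 60 * time.Minute
	bt.slackOnError = true
	return bt
}

func darwinTagPipelineGHA() pipeline {
	return ghaBuildPipeline(darwinGHABuildType(ghaBuildType{
		trigger:      triggerTag,
		pipelineName: "build-darwin-amd64",
		srcRefVar:    "DRONE_TAG",
		workflowRef:  "${DRONE_TAG}",
		inputs: map[string]string{
			"release-artifacts": "true",
			"build-packages":    "true",
		},
	}))
}

// … unchanged: darwinPushPipelineGHA, built the same way with triggerPush, "DRONE_COMMIT", "${DRONE_BRANCH}" and the "false" inputs …
```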
@@ -1,158 +0,0 @@ -// Copyright 2021 Gravitational, Inc -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "fmt" - "path/filepath" - "strings" -) - -func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualifications []string) pipeline { - b := buildType{ - arch: "amd64", - os: "darwin", - } - artifactConfig := onlyBinaries - - p := newDarwinPipeline(name) - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{"build-darwin-amd64"} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Download built tarball artifacts from S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: 
darwinTagDownloadArtifactCommands(), - }, - { - Name: "Build Mac pkg release artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "APPLE_USERNAME": {fromSecret: "APPLE_USERNAME"}, - "APPLE_PASSWORD": {fromSecret: "APPLE_PASSWORD"}, - "BUILDBOX_PASSWORD": {fromSecret: "BUILDBOX_PASSWORD"}, - "OSS_TARBALL_PATH": {raw: filepath.Join(p.Workspace.Path, "go/artifacts")}, - "ENT_TARBALL_PATH": {raw: filepath.Join(p.Workspace.Path, "go/artifacts")}, - "OS": {raw: b.os}, - "ARCH": {raw: b.arch}, - }, - Commands: darwinTagPackageCommands(makeTarget), - }, - { - Name: "Copy Mac pkg artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinTagCopyPkgArtifactCommands(pkgGlobs), - }, - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/artifacts`, - `aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}`, - }, - }, - { - Name: "Register artifacts", - Commands: tagCreateReleaseAssetCommands(b, ".pkg installer", extraQualifications), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpExecStorageStep(p.Workspace.Path), - } - - return p -} - -func darwinTeleportPkgPipeline() pipeline { - return darwinPkgPipeline("build-darwin-amd64-pkg", "pkg", []string{"build/teleport*.pkg", "e/build/teleport-ent*.pkg"}, nil) -} - -func darwinTshPkgPipeline() pipeline { - return darwinPkgPipeline("build-darwin-amd64-pkg-tsh", "pkg-tsh", []string{"build/tsh*.pkg"}, []string{"tsh client only"}) -} - -func darwinTagDownloadArtifactCommands() []string { - return []string{ - `set -u`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - `export S3_PATH="tag/$${DRONE_TAG##v}/"`, - `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/`, - `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/`, - } -} - -func darwinTagPackageCommands(target string) []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - // set HOME explicitly (as Drone overrides it normally) - `export HOME=/Users/build`, - // unlock login keychain - `security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain`, - // show available certificates - `security find-identity -v`, - // build pkg, target is `pkg` for teleport, `pkg-tsh` for tsh - fmt.Sprintf(`make %s OS=$OS ARCH=$ARCH`, target), - } -} - -func darwinTagCopyPkgArtifactCommands(pkgGlobs []string) []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // delete 
 temporary tarball artifacts so we don't re-upload them in the next stage
- `rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz`,
- // copy release archives to artifact directory
- fmt.Sprintf(`cp %s $WORKSPACE_DIR/go/artifacts/`, strings.Join(pkgGlobs, " ")),
- // generate checksums (for mac)
- `cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > $FILE.sha256; done && ls -l`,
- }
-}
diff --git a/dronegen/push.go b/dronegen/push.go
index 1cea3b2ec4182..c7c5ceda6c9d4 100644
--- a/dronegen/push.go
+++ b/dronegen/push.go
@@ -89,7 +89,7 @@ func pushPipelines() []pipeline {
 // Only amd64 Windows is supported for now.
 ps = append(ps, pushPipeline(buildType{os: "windows", arch: "amd64", windowsUnsigned: true}))
- ps = append(ps, darwinPushPipeline())
+ ps = append(ps, darwinPushPipelineGHA())
 ps = append(ps, windowsPushPipeline())
 return ps
 }
diff --git a/dronegen/tag.go b/dronegen/tag.go
index 10c713cfcab97..a4b3c4744694d 100644
--- a/dronegen/tag.go
+++ b/dronegen/tag.go
@@ -234,7 +234,7 @@ func tagPipelines() []pipeline {
 ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true}))
 ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true, fips: true}))
- ps = append(ps, darwinTagPipeline(), darwinTeleportPkgPipeline(), darwinTshPkgPipeline(), darwinConnectDmgPipeline())
+ ps = append(ps, darwinTagPipelineGHA())
 ps = append(ps, windowsTagPipeline())
 ps = append(ps, tagCleanupPipeline())