From fac4290d7179803548378a38937242e2cff2368e Mon Sep 17 00:00:00 2001
From: Cam Hutchison
Date: Thu, 6 Apr 2023 07:27:53 +1000
Subject: [PATCH 1/3] dronegen: Sort workflow inputs for stable output

Sort the GitHub Actions inputs when generating the `gh-trigger-workflow` command line so that it does not randomly change order, as happens when iterating a map directly.
---
 dronegen/gha.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/dronegen/gha.go b/dronegen/gha.go
index 9ab3dcbb6b58c..af9082d897e5f 100644
--- a/dronegen/gha.go
+++ b/dronegen/gha.go
@@ -16,8 +16,11 @@ package main
 
 import (
 	"fmt"
+	"sort"
 	"strings"
 	"time"
+
+	"golang.org/x/exp/maps"
 )
 
 type ghaBuildType struct {
@@ -54,8 +57,12 @@ func ghaBuildPipeline(b ghaBuildType) pipeline {
 		fmt.Fprintf(&cmd, `-input oss-teleport-ref=${%s} `, b.srcRefVar)
 	}
 
-	for k, v := range b.inputs {
-		fmt.Fprintf(&cmd, `-input "%s=%s" `, k, v)
+	// Sort inputs so the are output in a consistent order to avoid
+	// spurious changes in the generated drone config.
+	keys := maps.Keys(b.inputs)
+	sort.Strings(keys)
+	for _, k := range keys {
+		fmt.Fprintf(&cmd, `-input "%s=%s" `, k, b.inputs[k])
 	}
 
 	p.Steps = []step{
From c3ca8e3924f4582b7f740e08c48b75ce5e5d8518 Mon Sep 17 00:00:00 2001
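Review bot: The new loop body still splices each key and value raw into a shell command line (`-input "%s=%s" `), so a value containing a double quote, dollar sign, backslash or backtick would be interpreted by the shell running the step rather than passed through to the workflow; the only inputs in this series are literal "true"/"false" strings, so nothing is exposed today, but a generation-time guard keeps it that way, e.g. `if strings.ContainsAny(k+b.inputs[k], "\"$\\\x60") { panic(fmt.Sprintf("gha input %q contains shell metacharacters", k)) }` before the Fprintf (`strings` is already imported). The added comment also has a typo; it should read `// Sort inputs so they are output in a consistent order to avoid`. Pulling in golang.org/x/exp/maps adds a module dependency for one call; `keys := make([]string, 0, len(b.inputs))` plus a range append does the same with the standard library if go.mod does not already require x/exp (not visible here). ghaBuildPipeline continues outside the hunk.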
From: Cam Hutchison Date: Tue, 4 Apr 2023 12:58:01 +1000 Subject: [PATCH 2/3] dronegen: Have darwin pipelines call out to GitHub Actions Update the darwin pipelines to run workflows on GitHub Actions instead of locally on drone builders. This replaces four pipelines with a single GitHub actions workflow as the one workflow builds the tarballs, Mac packages and Mac disk images. We continue to drive the push build from drone until we work out how secrets are safely managed in the Teleport OSS repo. --- dronegen/aws.go | 26 -- dronegen/mac.go | 621 -------------------------------------------- dronegen/mac_gha.go | 65 +++++ dronegen/mac_pkg.go | 158 ----------- dronegen/push.go | 2 +- dronegen/tag.go | 2 +- 6 files changed, 67 insertions(+), 807 deletions(-) delete mode 100644 dronegen/mac.go create mode 100644 dronegen/mac_gha.go delete mode 100644 dronegen/mac_pkg.go diff --git a/dronegen/aws.go b/dronegen/aws.go index 33c925d40ce2f..04176c094bf7c 100644 --- a/dronegen/aws.go +++ b/dronegen/aws.go @@ -38,15 +38,6 @@ type kubernetesRoleSettings struct { append bool } -// macRoleSettings contains the info necessary to assume an AWS role and save the credentials to a path that later steps can use -type macRoleSettings struct { - awsRoleSettings - configPath string - name string - profile string - append bool -} - // kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline type kubernetesS3Settings struct { region string 
@@ -104,23 +95,6 @@ func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step { } } -// macAssumeAwsRoleStep builds a step to assume an AWS role and save it to a host path that later steps can use -func macAssumeAwsRoleStep(s macRoleSettings) step { - if s.name == "" { - s.name = "Assume AWS Role" - } - return step{ - Name: s.name, - Environment: map[string]value{ - "AWS_ACCESS_KEY_ID": s.awsAccessKeyID, - "AWS_SECRET_ACCESS_KEY": s.awsSecretAccessKey, - "AWS_ROLE": s.role, - "AWS_SHARED_CREDENTIALS_FILE": value{raw: s.configPath}, - }, - Commands: assumeRoleCommands(s.profile, s.configPath, s.append), - } -} - // kubernetesUploadToS3Step generates an S3 upload step func kubernetesUploadToS3Step(s kubernetesS3Settings) step { return step{ diff --git a/dronegen/mac.go b/dronegen/mac.go deleted file mode 100644 index 2b85fe45a2473..0000000000000 --- a/dronegen/mac.go +++ /dev/null 
@@ -1,621 +0,0 @@ -// Copyright 2021 Gravitational, Inc -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "fmt" - "path" - "path/filepath" -) - -const ( - perBuildDir = "/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED" - perBuildToolchainsDir = perBuildDir + "/toolchains" - perBuildCargoDir = perBuildToolchainsDir + "/cargo" - perBuildRustupDir = perBuildToolchainsDir + "/rustup" -) - -// escapedPreformatted returns expr wrapped in escaped backticks, -// resulting in Slack "preformatted" string, but safe to use in bash -// without triggering the command expansion. -// This is useful for use in Go backtick literals, -// where backticks can not be escaped in any way. 
-func escapedPreformatted(expr string) string { - return fmt.Sprintf("\\`%s\\`", expr) -} - -func newDarwinPipeline(name string) pipeline { - p := newExecPipeline(name) - p.Workspace.Path = path.Join("/tmp", name) - p.Concurrency.Limit = 1 - p.Platform = platform{OS: "darwin", Arch: "amd64"} - return p -} - -func darwinConnectDmgPipeline() pipeline { - b := buildType{os: "darwin", arch: "amd64"} - toolchainConfig := toolchainConfig{nodejs: true} - artifactConfig := onlyConnectWithBundledTshApp - - p := newDarwinPipeline("build-darwin-amd64-connect") - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{"build-darwin-amd64-pkg-tsh"} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)...) 
- p.Steps = append(p.Steps, []step{ - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Download tsh.pkg artifact from S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinConnectDownloadArtifactCommands(), - }, - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - { - Name: "Copy dmg artifact", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinConnectCopyDmgArtifactCommands(), - }, - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinUploadToS3Commands(), - }, - { - Name: "Register artifact", - // Connect's artifact description is automatically generated based on the filename so we pass - // no packageType and extraQualifications. 
- Commands: tagCreateReleaseAssetCommands(b, "", nil), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - }..., - ) - return p -} - -func darwinPushPipeline() pipeline { - b := buildType{os: "darwin", arch: "amd64"} - toolchainConfig := toolchainConfig{golang: true, rust: true, nodejs: true} - artifactConfig := binariesWithConnect - - p := newDarwinPipeline("push-build-darwin-amd64") - p.Trigger = trigger{ - Event: triggerRef{Include: []string{"push"}, Exclude: []string{"pull_request"}}, - Branch: triggerRef{Include: []string{"master", "branch/*"}}, - Repo: triggerRef{Include: []string{"gravitational/*"}}, - } - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: pushCheckoutCommandsDarwin(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)...) 
- p.Steps = append(p.Steps, []step{ - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - { - Name: "Send Slack notification (exec)", - Environment: map[string]value{"SLACK_WEBHOOK_DEV_TELEPORT": {fromSecret: "SLACK_WEBHOOK_DEV_TELEPORT"}}, - Commands: []string{ - ` -export DRONE_BUILD_LINK="${DRONE_SYSTEM_PROTO}://${DRONE_SYSTEM_HOSTNAME}/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/${DRONE_BUILD_NUMBER}" -export GOOS=$(go env GOOS) -export GOARCH=$(go env GOARCH) -`, - fmt.Sprintf(` -curl -sL -X POST -H 'Content-type: application/json' --data "{\"text\":\"Warning: %s artifact build failed for [%s] - please investigate immediately!\nBranch: %s\nCommit: %s\nLink: $DRONE_BUILD_LINK\"}" $SLACK_WEBHOOK_DEV_TELEPORT`, - escapedPreformatted("${GOOS}-${GOARCH}"), - escapedPreformatted("${DRONE_REPO_NAME}"), - escapedPreformatted("${DRONE_BRANCH}"), - escapedPreformatted("${DRONE_COMMIT_SHA}")), - }, - When: &condition{Status: []string{"failure"}}, - }, - }...) 
- return p -} - -func darwinTagPipeline() pipeline { - b := buildType{ - arch: "amd64", - os: "darwin", - } - toolchainConfig := toolchainConfig{golang: true, rust: true, nodejs: true} - artifactConfig := onlyBinaries - - p := newDarwinPipeline("build-darwin-amd64") - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{tagCleanupPipelineName} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - } - p.Steps = append(p.Steps, - installToolchains(p.Workspace.Path, toolchainConfig)..., - ) - p.Steps = append(p.Steps, []step{ - buildMacArtifactsStep(p.Workspace.Path, b, toolchainConfig, artifactConfig), - { - Name: "Copy Mac artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinTagCopyPackageArtifactCommands(), - }, - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_REGION": {raw: "us-west-2"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - }, - Commands: darwinUploadToS3Commands(), - }, - { - Name: "Register artifacts", - // Binaries built by this pipeline don't require extra description, so we don't pass - // packageType and extraQualifications. 
- Commands: tagCreateReleaseAssetCommands(b, "", nil), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpToolchainsStep(p.Workspace.Path, toolchainConfig), - cleanUpExecStorageStep(p.Workspace.Path), - }...) - return p -} - -func pushCheckoutCommandsDarwin(artifactConfig darwinArtifactConfig) []string { - commands := []string{ - `set -u`, - `mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .`, - `git checkout ${DRONE_TAG:-$DRONE_COMMIT}`, - // suppressing the newline on the end of the private key makes git operations fail on MacOS - // with an error like 'Load key "/path/.ssh/id_rsa": invalid format' - `mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa`, - `ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null`, - `chmod 600 $WORKSPACE_DIR/.ssh/known_hosts`, - } - - commands = append(commands, - // fetch enterprise submodules - `GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts -F /dev/null' git submodule update --init e`, - `rm -rf $WORKSPACE_DIR/.ssh`, - `mkdir -p $WORKSPACE_DIR/go/cache`, - ) - - return commands -} - -func setUpExecStorageStep(path string) step { - return step{ - Name: "Set up exec runner storage", - Environment: map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - "set -u", - "mkdir -p $WORKSPACE_DIR", - "chmod -R u+rw $WORKSPACE_DIR", - "rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh", - }, - } -} - -type toolchainConfig struct { - golang bool - rust bool - nodejs bool -} - -func installToolchains(workspacePath string, config toolchainConfig) (steps []step) { - if config.golang { - 
steps = append(steps, installGoToolchainStep()) - } - - if config.rust { - steps = append(steps, installRustToolchainStep(workspacePath)) - } - - if config.nodejs { - steps = append(steps, installNodeToolchainStep(workspacePath)) - } - - return steps -} - -func installGoToolchainStep() step { - return step{ - Name: "Install Go Toolchain", - Environment: map[string]value{ - "RUNTIME": goRuntime, - }, - Commands: []string{ - `set -u`, - `mkdir -p ` + perBuildToolchainsDir, - `curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz`, - `tar -C ` + perBuildToolchainsDir + ` -xzf $RUNTIME.darwin-amd64.tar.gz`, - `rm -rf $RUNTIME.darwin-amd64.tar.gz`, - }, - } -} - -func installRustToolchainStep(path string) step { - return step{ - Name: "Install Rust Toolchain", - Environment: map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - `set -u`, - `export PATH=/Users/$(whoami)/.cargo/bin:$PATH`, // use the system-installed rustup to install our custom Rust version - `mkdir -p ` + perBuildToolchainsDir, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `export CARGO_HOME=` + perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=` + perBuildRustupDir, - `rustup toolchain install $RUST_VERSION`, - }, - } -} - -func installNodeToolchainStep(workspacePath string) step { - return step{ - Name: "Install Node Toolchain", - Environment: map[string]value{"WORKSPACE_DIR": {raw: workspacePath}}, - Commands: []string{ - `set -u`, - `export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-node-version)`, - `export TOOLCHAIN_DIR=` + perBuildToolchainsDir, - `export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64`, - `mkdir -p $TOOLCHAIN_DIR`, - `curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz`, - `tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz`, 
- `rm -f node-v$NODE_VERSION-darwin-x64.tar.gz`, - `export PATH=$NODE_DIR/bin:$PATH`, - `corepack enable yarn`, - `echo Node reporting version $(node --version)`, - `echo Yarn reporting version $(yarn --version)`, - }, - } -} - -func configureToolchainsCommands(config toolchainConfig) []string { - commands := []string{ - // HOME needs to be set to the actual home directory of a macOS user rather than the temporary - // directory that Drone sets it to by default. This way we're able to unlock Keychain which is - // needed for Connect signing. - // - // Hence, the toolchains are not installed within the temporary home dir but a separate - // TOOLCHAIN_DIR. Every pipeline in this file follows this pattern even though technically we - // need to unlock Keychain only for the build-darwin-amd64-connect pipeline. - `export HOME=/Users/$(whoami)`, - `export TOOLCHAIN_DIR=` + perBuildToolchainsDir, - } - - // Configure toolchains in descending order so that Node.js is added to PATH last. - // We expect that Node.js will add the most packages so we want to avoid any bin conflicts with Go - // or Rust toolchains. 
- if config.nodejs { - commands = append(commands, - `export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-node-version)`, - `export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64`, - `export PATH=$NODE_HOME/bin:$PATH`, - ) - } - - if config.rust { - commands = append(commands, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `export CARGO_HOME=`+perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=`+perBuildRustupDir, - `export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH`, - `rustup override set $RUST_VERSION`, - ) - } - - if config.golang { - commands = append(commands, - `export PATH=$TOOLCHAIN_DIR/go/bin:$PATH`, - ) - } - - return commands -} - -func cleanUpToolchainsStep(workspacePath string, config toolchainConfig) step { - step := step{ - Name: "Clean up toolchains (post)", - Environment: map[string]value{"WORKSPACE_DIR": {raw: workspacePath}}, - When: &condition{ - Status: []string{"success", "failure"}, - }, - Commands: []string{ - `set -u`, - }, - } - - if config.rust { - step.Commands = append(step.Commands, - `export PATH=/Users/$(whoami)/.cargo/bin:$PATH`, - `export CARGO_HOME=`+perBuildCargoDir, - `export RUST_HOME=$CARGO_HOME`, - `export RUSTUP_HOME=`+perBuildRustupDir, - `export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets print-rust-version)`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // clean up the rust toolchain even though we're about to delete the directory - // this ensures we don't leave behind a broken link - `rustup override unset`, - `rustup toolchain uninstall $RUST_VERSION`, - ) - } - - step.Commands = append(step.Commands, - `rm -rf `+perBuildDir, - ) - - return step -} - -func cleanUpExecStorageStep(path string) step { - return step{ - Name: "Clean up exec runner storage (post)", - Environment: 
map[string]value{"WORKSPACE_DIR": {raw: path}}, - Commands: []string{ - `set -u`, - `chmod -R u+rw $WORKSPACE_DIR`, - `rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh`, - }, - } -} - -func darwinTagCheckoutCommands(artifactConfig darwinArtifactConfig) []string { - return append( - pushCheckoutCommandsDarwin(artifactConfig), - `mkdir -p $WORKSPACE_DIR/go/artifacts`, - `echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt`, - `cat $WORKSPACE_DIR/go/.version.txt`, - ) -} - -// darwinArtifactConfig describes artifacts made by the build step in different macOS pipelines. -// -// On a commit push, we run one pipeline that builds artifacts (darwinPushPipeline). It uses -// binariesWithConnect as the artifact config as it only checks if we can still compile/build the -// artifacts after a commit lands in master. -// -// On a version tag push, we run two pipelines from this file that build artifacts. First we run -// darwinTagPipeline with onlyBinaries as the artifact config. It builds, among others, the tsh -// binary which later gets signed, bundled into tsh.app and packaged into a .pkg file. -// -// After that, we run darwinConnectDmgPipeline with onlyConnectWithBundledTshApp as the artifact -// config. darwinConnectDmgPipeline downloads the signed tsh.app bundle and puts it within Connect's -// own bundle. 
-type darwinArtifactConfig int - -const ( - onlyBinaries darwinArtifactConfig = iota - binariesWithConnect - onlyConnectWithBundledTshApp -) - -func buildMacArtifactsStep(workspacePath string, b buildType, toolchainConfig toolchainConfig, artifactConfig darwinArtifactConfig) step { - step := step{ - Name: "Build Mac artifacts", - Environment: map[string]value{ - "GOPATH": {raw: path.Join(workspacePath, "/go")}, - "GOCACHE": {raw: path.Join(workspacePath, "/go/cache")}, - "OS": {raw: b.os}, - "ARCH": {raw: b.arch}, - "WORKSPACE_DIR": {raw: workspacePath}, - "BUILDBOX_PASSWORD": {fromSecret: "BUILDBOX_PASSWORD"}, - "APPLE_USERNAME": {fromSecret: "APPLE_USERNAME"}, - "APPLE_PASSWORD": {fromSecret: "APPLE_PASSWORD"}, - }, - Commands: darwinBuildCommands(toolchainConfig, artifactConfig), - } - - var artifactDesc string - switch artifactConfig { - case onlyBinaries: - artifactDesc = "binaries" - case binariesWithConnect: - artifactDesc = "binaries and Teleport Connect" - case onlyConnectWithBundledTshApp: - artifactDesc = "Teleport Connect" - } - step.Name = step.Name + " (" + artifactDesc + ")" - - if artifactConfig == onlyConnectWithBundledTshApp { - // These credentials are necessary for the signing and notarization of Teleport Connect, which - // is built in to the Electron tooling. - // The rest of the mac artifacts are signed and notarized with gon in the darwin pkg pipeline. - step.Environment["APPLE_USERNAME"] = value{fromSecret: "APPLE_USERNAME"} - step.Environment["APPLE_PASSWORD"] = value{fromSecret: "APPLE_PASSWORD"} - } - - return step -} - -func darwinBuildCommands(toolchainConfig toolchainConfig, artifactConfig darwinArtifactConfig) []string { - commands := []string{ - `set -u`, - } - commands = append(commands, configureToolchainsCommands(toolchainConfig)...) - - // Commands for building binaries. 
- if artifactConfig == onlyBinaries || artifactConfig == binariesWithConnect { - commands = append(commands, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `build.assets/build-fido2-macos.sh build`, - `export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)"`, - `make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes`, - ) - } - - // Commands for building Teleport Connect. - if artifactConfig == binariesWithConnect || artifactConfig == onlyConnectWithBundledTshApp { - commands = append(commands, - `export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport print-version)`, - // BUILD_NUMBER is used by electron-builder to add an extra fourth integer to CFBundleVersion on macOS. - // This makes the full app version look like this: 9.3.5.12489 - // https://www.electron.build/configuration/configuration.html#Configuration-buildVersion - `export BUILD_NUMBER=$DRONE_BUILD_NUMBER`, - - // Unlock Keychain so that electron-builder can use developer ID cert for signing. - `security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain`, - `security find-identity -v`, - // CSC_NAME tells electron-builder which cert to use for signing when there are multiple certs - // available. - // https://www.electron.build/code-signing - `export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83`, - ) - - if artifactConfig == binariesWithConnect { - commands = append(commands, - `export CONNECT_TSH_BIN_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build/tsh`, - ) - } - - if artifactConfig == onlyConnectWithBundledTshApp { - commands = append(commands, - // Unpack tsh.pkg. 
- `cd $WORKSPACE_DIR/go/src/github.com/gravitational`, - `pkgutil --expand-full tsh-$${VERSION}.pkg tsh`, - `export CONNECT_TSH_APP_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/tsh/Payload/tsh.app`, - ) - } - - commands = append(commands, - // Build and package Connect - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // c.extraMetadata.version overwrites the version property from package.json to $VERSION - // https://www.electron.build/configuration/configuration.html#Configuration-extraMetadata - `yarn install && yarn build-term && yarn package-term -c.extraMetadata.version=$VERSION`, - ) - } - - return commands -} - -func darwinTagCopyPackageArtifactCommands() []string { - commands := []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // copy release archives to artifact directory - `cp teleport*.tar.gz $WORKSPACE_DIR/go/artifacts`, - `cp e/teleport-ent*.tar.gz $WORKSPACE_DIR/go/artifacts`, - // generate checksums - `cd $WORKSPACE_DIR/go/artifacts && for FILE in teleport*.tar.gz; do shasum -a 256 $FILE > $FILE.sha256; done && ls -l`, - } - - return commands -} - -func darwinConnectCopyDmgArtifactCommands() []string { - commands := []string{ - `set -u`, - // copy dmg to artifact directory - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release`, - `cp *.dmg $WORKSPACE_DIR/go/artifacts`, - // generate checksums - `cd $WORKSPACE_DIR/go/artifacts && for FILE in *.dmg; do shasum -a 256 "$FILE" > "$FILE.sha256"; done && ls -l`, - } - - return commands -} - -func darwinUploadToS3Commands() []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/artifacts`, - `aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}`, - } -} - -func darwinConnectDownloadArtifactCommands() []string { - return []string{ - `set -u`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - `export S3_PATH="tag/$${DRONE_TAG##v}/"`, - // Download tsh.pkg. 
We're going to extract tsh.app from it which is then packaged within the - // Teleport Connect bundle. - `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}tsh-$${VERSION}.pkg $WORKSPACE_DIR/go/src/github.com/gravitational/`, - } -} diff --git a/dronegen/mac_gha.go b/dronegen/mac_gha.go new file mode 100644 index 0000000000000..9c886a20491b7 --- /dev/null +++ b/dronegen/mac_gha.go 
@@ -0,0 +1,65 @@
+// Copyright 2023 Gravitational, Inc
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package main
+
+import "time"
+
+// darwinTagPipelineGHA returns a pipeline that kicks off a tagged build of
+// the Mac (darwin) release assets on GitHub Actions. The action builds:
+// * a tarball of signed teleport binaries (teleport, tsh, tctl, tbot).
+// * a package with the Teleport binaries (teleport, tsh, tctl, tbot).
+// * a package with the tsh binary.
+// * a disk image (dmg) of Teleport Connect containing the signed tsh package.
+// These build assets are signed and notarized.
+func darwinTagPipelineGHA() pipeline {
+	bt := ghaBuildType{
+		buildType:    buildType{os: "darwin", arch: "amd64"},
+		trigger:      triggerTag,
+		pipelineName: "build-darwin-amd64",
+		ghaWorkflow:  "release-mac-amd64.yaml",
+		srcRefVar:    "DRONE_TAG",
+		workflowRef:  "${DRONE_TAG}",
+		timeout:      60 * time.Minute,
+		slackOnError: true,
+		inputs: map[string]string{
+			"release-artifacts": "true",
+			"build-packages":    "true",
+		},
+	}
+	return ghaBuildPipeline(bt)
+}
+
+// darwinPushPipelineGHA returns a pipeline that kicks off a push build of the
+// teleport binaries and the teleport connect dmg. The binaries are signed and
+// notarized even though we do not release these assets. This tests that the
+// signing and notarization process continues to work so we don't wait until
+// release time to discover breakage.
+func darwinPushPipelineGHA() pipeline {
+	bt := ghaBuildType{
+		buildType:    buildType{os: "darwin", arch: "amd64"},
+		trigger:      triggerPush,
+		pipelineName: "push-build-darwin-amd64",
+		ghaWorkflow:  "release-mac-amd64.yaml",
+		srcRefVar:    "DRONE_COMMIT",
+		workflowRef:  "${DRONE_BRANCH}",
+		timeout:      60 * time.Minute,
+		slackOnError: true,
+		inputs: map[string]string{
+			"release-artifacts": "false",
+			"build-packages":    "false",
+		},
+	}
+	return ghaBuildPipeline(bt)
+}
diff --git a/dronegen/mac_pkg.go b/dronegen/mac_pkg.go
deleted file mode 100644
index 20ed18e3d4d8c..0000000000000
--- a/dronegen/mac_pkg.go
+++ /dev/null
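Review bot: darwinTagPipelineGHA and darwinPushPipelineGHA repeat the entire ghaBuildType literal and differ only in trigger, pipelineName, srcRefVar, workflowRef and the two input values, so a later change to the shared ghaWorkflow name, timeout or slackOnError has to be made twice and can drift. A small private constructor taking those differences removes the duplication; the rewrite below also needs `strconv` added to the import line. The doc comment's inventory of what the workflow builds and the statement that push-build assets are signed and notarized describe release-mac-amd64.yaml, which is not part of this series, so they should be checked against that workflow rather than taken from the old Drone steps.

```go
// darwinPipelineGHA builds the ghaBuildType shared by the darwin tag and push
// pipelines. release selects whether the workflow produces and publishes the
// release artifacts and packages.
func darwinPipelineGHA(trig trigger, pipelineName, srcRefVar, workflowRef string, release bool) ghaBuildType {
	return ghaBuildType{
		buildType:    buildType{os: "darwin", arch: "amd64"},
		trigger:      trig,
		pipelineName: pipelineName,
		ghaWorkflow:  "release-mac-amd64.yaml",
		srcRefVar:    srcRefVar,
		workflowRef:  workflowRef,
		timeout:      60 * time.Minute,
		slackOnError: true,
		inputs: map[string]string{
			"release-artifacts": strconv.FormatBool(release),
			"build-packages":    strconv.FormatBool(release),
		},
	}
}

func darwinTagPipelineGHA() pipeline {
	return ghaBuildPipeline(darwinPipelineGHA(triggerTag, "build-darwin-amd64", "DRONE_TAG", "${DRONE_TAG}", true))
}

func darwinPushPipelineGHA() pipeline {
	return ghaBuildPipeline(darwinPipelineGHA(triggerPush, "push-build-darwin-amd64", "DRONE_COMMIT", "${DRONE_BRANCH}", false))
}
```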
@@ -1,158 +0,0 @@ -// Copyright 2021 Gravitational, Inc -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package main - -import ( - "fmt" - "path/filepath" - "strings" -) - -func darwinPkgPipeline(name, makeTarget string, pkgGlobs []string, extraQualifications []string) pipeline { - b := buildType{ - arch: "amd64", - os: "darwin", - } - artifactConfig := onlyBinaries - - p := newDarwinPipeline(name) - awsConfigPath := filepath.Join(p.Workspace.Path, "credentials") - p.Trigger = triggerTag - p.DependsOn = []string{"build-darwin-amd64"} - p.Steps = []step{ - setUpExecStorageStep(p.Workspace.Path), - { - Name: "Check out code", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: darwinTagCheckoutCommands(artifactConfig), - }, - macAssumeAwsRoleStep(macRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configPath: awsConfigPath, - }), - { - Name: "Download built tarball artifacts from S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: 
darwinTagDownloadArtifactCommands(), - }, - { - Name: "Build Mac pkg release artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "APPLE_USERNAME": {fromSecret: "APPLE_USERNAME"}, - "APPLE_PASSWORD": {fromSecret: "APPLE_PASSWORD"}, - "BUILDBOX_PASSWORD": {fromSecret: "BUILDBOX_PASSWORD"}, - "OSS_TARBALL_PATH": {raw: filepath.Join(p.Workspace.Path, "go/artifacts")}, - "ENT_TARBALL_PATH": {raw: filepath.Join(p.Workspace.Path, "go/artifacts")}, - "OS": {raw: b.os}, - "ARCH": {raw: b.arch}, - }, - Commands: darwinTagPackageCommands(makeTarget), - }, - { - Name: "Copy Mac pkg artifacts", - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: darwinTagCopyPkgArtifactCommands(pkgGlobs), - }, - { - Name: "Upload to S3", - Environment: map[string]value{ - "AWS_REGION": {raw: "us-west-2"}, - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_SHARED_CREDENTIALS_FILE": {raw: awsConfigPath}, - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - }, - Commands: []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/artifacts`, - `aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}`, - }, - }, - { - Name: "Register artifacts", - Commands: tagCreateReleaseAssetCommands(b, ".pkg installer", extraQualifications), - Environment: map[string]value{ - "WORKSPACE_DIR": {raw: p.Workspace.Path}, - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - cleanUpExecStorageStep(p.Workspace.Path), - } - - return p -} - -func darwinTeleportPkgPipeline() pipeline { - return darwinPkgPipeline("build-darwin-amd64-pkg", "pkg", []string{"build/teleport*.pkg", "e/build/teleport-ent*.pkg"}, nil) -} - -func darwinTshPkgPipeline() pipeline { - return darwinPkgPipeline("build-darwin-amd64-pkg-tsh", "pkg-tsh", []string{"build/tsh*.pkg"}, []string{"tsh client only"}) -} - -func darwinTagDownloadArtifactCommands() []string { - return []string{ - `set -u`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - `export S3_PATH="tag/$${DRONE_TAG##v}/"`, - `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/`, - `aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz $WORKSPACE_DIR/go/artifacts/`, - } -} - -func darwinTagPackageCommands(target string) []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - `export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt)`, - // set HOME explicitly (as Drone overrides it normally) - `export HOME=/Users/build`, - // unlock login keychain - `security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain`, - // show available certificates - `security find-identity -v`, - // build pkg, target is `pkg` for teleport, `pkg-tsh` for tsh - fmt.Sprintf(`make %s OS=$OS ARCH=$ARCH`, target), - } -} - -func darwinTagCopyPkgArtifactCommands(pkgGlobs []string) []string { - return []string{ - `set -u`, - `cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport`, - // delete 
temporary tarball artifacts so we don't re-upload them in the next stage - `rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz`, - // copy release archives to artifact directory - fmt.Sprintf(`cp %s $WORKSPACE_DIR/go/artifacts/`, strings.Join(pkgGlobs, " ")), - // generate checksums (for mac) - `cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > $FILE.sha256; done && ls -l`, - } -} diff --git a/dronegen/push.go b/dronegen/push.go index 1cea3b2ec4182..c7c5ceda6c9d4 100644 --- a/dronegen/push.go +++ b/dronegen/push.go @@ -89,7 +89,7 @@ func pushPipelines() []pipeline { // Only amd64 Windows is supported for now. ps = append(ps, pushPipeline(buildType{os: "windows", arch: "amd64", windowsUnsigned: true})) - ps = append(ps, darwinPushPipeline()) + ps = append(ps, darwinPushPipelineGHA()) ps = append(ps, windowsPushPipeline()) return ps } diff --git a/dronegen/tag.go b/dronegen/tag.go index 10c713cfcab97..a4b3c4744694d 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -234,7 +234,7 @@ func tagPipelines() []pipeline { ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true})) ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true, fips: true})) - ps = append(ps, darwinTagPipeline(), darwinTeleportPkgPipeline(), darwinTshPkgPipeline(), darwinConnectDmgPipeline()) + ps = append(ps, darwinTagPipelineGHA()) ps = append(ps, windowsTagPipeline()) ps = append(ps, tagCleanupPipeline()) From 7bf1188b256969bb9e4b8fcc0121a17a70466e63 Mon Sep 17 00:00:00 2001 
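Review bot: The new call sites in push.go and tag.go give no hint of where the removed darwin work went: tag.go previously appended four pipelines (tarball, two .pkg installers, Connect disk image) and now appends only darwinTagPipelineGHA(), so a reader of these files cannot tell that packaging and the DMG are still built. A short comment above each append would fix that, e.g. `// Mac tarballs, .pkg installers and the Connect disk image are built by the release-mac-amd64 workflow; see darwinTagPipelineGHA.` with the push-build equivalent in push.go. Separately, the regenerated build-darwin-amd64 tag pipeline further down no longer carries `depends_on: clean-up-previous-build`, which the exec version had; if that ordering only mattered for shared exec-runner storage, a comment in the generator saying so would stop it being re-added, and if it still matters for the kubernetes variant it should be restored there. Both enclosing functions (pushPipelines and tagPipelines) start outside their hunks.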
From: Cam Hutchison Date: Wed, 5 Apr 2023 13:16:18 +1000 Subject: [PATCH 3/3] drone: Regenerate .drone.yml for Mac pipeline changes To regenerate the `.drone.yml` file, first three pipelines were manually removed: - build-darwin-amd64-pkg - build-darwin-amd64-pkg-tsh - build-darwin-amd64-connect Then make dronegen was run to update the pipelines: - push-build-darwin-amd64 - build-darwin-amd64 --- .drone.yml | 1352 +++++++++------------------------------------------- 1 file changed, 220 insertions(+), 1132 deletions(-) diff --git a/.drone.yml b/.drone.yml index 94a7b8650b3de..6b9e5134213f7 100644 --- a/.drone.yml +++ b/.drone.yml @@ -516,11 +516,11 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go (main.newDarwinPipeline) +# Generated at dronegen/gha.go (main.ghaBuildPipeline) ################################################ kind: pipeline -type: exec +type: kubernetes name: push-build-darwin-amd64 trigger: event: 
@@ -536,165 +536,60 @@ trigger: - master - branch/* workspace: - path: /tmp/push-build-darwin-amd64 -platform: - os: darwin - arch: amd64 + path: /go clone: disable: true -concurrency: - limit: 1 steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 - name: Check out code + image: docker:git + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Install Go Toolchain - commands: - - set -u - - mkdir -p 
/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz - - tar -C /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains -xzf $RUNTIME.darwin-amd64.tar.gz - - rm -rf $RUNTIME.darwin-amd64.tar.gz - environment: - RUNTIME: go1.20.3 -- name: Install Rust Toolchain - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - rustup toolchain install $RUST_VERSION - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Install Node Toolchain - commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Build Mac artifacts (binaries and Teleport Connect) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH - - rustup override set $RUST_VERSION - - export PATH=$TOOLCHAIN_DIR/go/bin:$PATH - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - build.assets/build-fido2-macos.sh build - - export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)" - - make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes - - export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - print-version) - - export BUILD_NUMBER=$DRONE_BUILD_NUMBER - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83 - - export CONNECT_TSH_BIN_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build/tsh - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - yarn install && yarn build-term && yarn package-term -c.extraMetadata.version=$VERSION - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/push-build-darwin-amd64/go/cache - GOPATH: /tmp/push-build-darwin-amd64/go - OS: darwin - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Clean up toolchains (post) - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - export 
CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rustup override unset - - rustup toolchain uninstall $RUST_VERSION - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/push-build-darwin-amd64 -- name: Send Slack notification (exec) +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - |2 - - export DRONE_BUILD_LINK="${DRONE_SYSTEM_PROTO}://${DRONE_SYSTEM_HOSTNAME}/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/${DRONE_BUILD_NUMBER}" - export GOOS=$(go env GOOS) - export GOARCH=$(go env GOARCH) - - |2- - - curl -sL -X POST -H 'Content-type: application/json' --data "{\"text\":\"Warning: \`${GOOS}-${GOARCH}\` artifact build failed for [\`${DRONE_REPO_NAME}\`] - please investigate immediately!\nBranch: \`${DRONE_BRANCH}\`\nCommit: \`${DRONE_COMMIT_SHA}\`\nLink: $DRONE_BUILD_LINK\"}" $SLACK_WEBHOOK_DEV_TELEPORT + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 1h0m0s -workflow release-mac-amd64.yaml -workflow-ref=${DRONE_BRANCH} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_COMMIT} + -input "build-packages=false" -input "release-artifacts=false" ' environment: - SLACK_WEBHOOK_DEV_TELEPORT: + GHA_APP_KEY: + from_secret: 
GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack + settings: + webhook: from_secret: SLACK_WEBHOOK_DEV_TELEPORT + template: + - | + *{{#success build.status}}✔{{ else }}✘{{/success}} {{ uppercasefirst build.status }}: Build #{{ build.number }}* (type: `{{ build.event }}`) + `${DRONE_STAGE_NAME}` artifact build failed. + *Warning:* This is a genuine failure to build the Teleport binary from `{{ build.branch }}` (likely due to a bad merge or commit) and should be investigated immediately. + Commit: + Branch: + Author: + <{{ build.link }}|Visit Drone build page ↗> when: status: - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS --- ################################################ @@ -4421,11 +4316,11 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/mac.go (main.newDarwinPipeline) +# Generated at dronegen/gha.go (main.ghaBuildPipeline) ################################################ kind: pipeline -type: exec +type: kubernetes name: build-darwin-amd64 trigger: event: 
@@ -4438,130 +4333,165 @@ trigger: include: - gravitational/* workspace: - path: /tmp/build-darwin-amd64 -platform: - os: darwin - arch: amd64 + path: /go clone: disable: true -depends_on: -- clean-up-previous-build -concurrency: - limit: 1 steps: -- name: Set up exec runner storage +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 1h0m0s -workflow release-mac-amd64.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-packages=true" -input "release-artifacts=true" ' environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack + settings: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + template: + - | + *{{#success build.status}}✔{{ else }}✘{{/success}} {{ uppercasefirst build.status }}: Build #{{ build.number }}* (type: `{{ build.event }}`) + `${DRONE_STAGE_NAME}` 
artifact build failed. + *Warning:* This is a genuine failure to build the Teleport binary from `{{ build.branch }}` (likely due to a bad merge or commit) and should be investigated immediately. + Commit: + Branch: + Author: + <{{ build.link }}|Visit Drone build page ↗> + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/tag.go (main.tagPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-linux-arm +environment: + BUILDBOX_VERSION: teleport13 + RUNTIME: go1.20.3 +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +depends_on: +- clean-up-previous-build +steps: - name: Check out code + image: docker:git + pull: if-not-exists commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport + - mkdir -p /go/src/github.com/gravitational/teleport + - cd /go/src/github.com/gravitational/teleport - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt + - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa + && chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - rm -f /root/.ssh/id_rsa + - mkdir -p /go/cache /go/artifacts + - |- + VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) + if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then + echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" + exit 1 + fi + echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Install Go Toolchain +- name: Wait for docker + image: docker + pull: if-not-exists commands: - - set -u - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - curl --silent -O https://dl.google.com/go/$RUNTIME.darwin-amd64.tar.gz - - tar -C /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains -xzf $RUNTIME.darwin-amd64.tar.gz - - rm -rf $RUNTIME.darwin-amd64.tar.gz - environment: - RUNTIME: go1.20.3 -- name: Install Rust Toolchain - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - mkdir -p /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export RUST_VERSION=$(make -C 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - rustup toolchain install $RUST_VERSION - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Install Node Toolchain + - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' + - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin + environment: + DOCKERHUB_PASSWORD: + from_secret: DOCKERHUB_READONLY_TOKEN + DOCKERHUB_USERNAME: + from_secret: DOCKERHUB_USERNAME + volumes: + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Build artifacts + image: docker + pull: if-not-exists commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Build Mac artifacts (binaries) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export 
NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export PATH=$CARGO_HOME/bin:/Users/build/.cargo/bin:$PATH - - rustup override set $RUST_VERSION - - export PATH=$TOOLCHAIN_DIR/go/bin:$PATH - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - build.assets/build-fido2-macos.sh build - - export PKG_CONFIG_PATH="$(build.assets/build-fido2-macos.sh pkg_config_path)" - - make clean release OS=$OS ARCH=$ARCH FIDO2=yes TOUCHID=yes PIV=yes - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/build-darwin-amd64/go/cache - GOPATH: /tmp/build-darwin-amd64/go - OS: darwin - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Copy Mac artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cp teleport*.tar.gz $WORKSPACE_DIR/go/artifacts - - cp e/teleport-ent*.tar.gz $WORKSPACE_DIR/go/artifacts - - cd $WORKSPACE_DIR/go/artifacts && for FILE in teleport*.tar.gz; do shasum -a 256 - $FILE > $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 + - apk add --no-cache make + - chown -R $UID:$GID /go + - cd /go/src/github.com/gravitational/teleport + - make -C build.assets release-arm + environment: + ARCH: arm + GID: "1000" + GOCACHE: /go/cache + GOPATH: /go + OS: linux + UID: "1000" + volumes: + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Copy artifacts + image: docker + pull: if-not-exists + commands: + - cd 
/go/src/github.com/gravitational/teleport + - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts + \; + - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts + \; + - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; + done && ls -l - name: Assume AWS Role + image: amazon/aws-cli + pull: if-not-exists commands: - aws sts get-caller-identity - |- @@ -4571,7 +4501,7 @@ steps: --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ --output text) \ - > /tmp/build-darwin-amd64/credentials + > /root/.aws/credentials - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - aws sts get-caller-identity --profile default environment: @@ -4581,19 +4511,25 @@ steps: from_secret: AWS_ROLE AWS_SECRET_ACCESS_KEY: from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials + volumes: + - name: awsconfig + path: /root/.aws - name: Upload to S3 + image: amazon/aws-cli + pull: if-not-exists commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts + - cd /go/artifacts/ - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} environment: AWS_REGION: us-west-2 AWS_S3_BUCKET: from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64 + volumes: + - name: awsconfig + path: /root/.aws - name: Register artifacts + image: docker + pull: if-not-exists commands: - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") @@ -4611,7 +4547,7 @@ steps: [ -f "$file.sha256" ] || continue name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel" + description="Linux ARMv7 (32-bit)" products="$name" if [ "$name" = "tsh" ]; then products="teleport teleport-ent" 
@@ -4634,650 +4570,35 @@ steps: release_params="$release_params -F releaseId=$product@$VERSION" done - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; + curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; done environment: RELEASES_CERT: from_secret: RELEASES_CERT RELEASES_KEY: from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64 -- name: Clean up toolchains (post) - commands: - - set -u - - export PATH=/Users/$(whoami)/.cargo/bin:$PATH - - export CARGO_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/cargo - - export RUST_HOME=$CARGO_HOME - - export RUSTUP_HOME=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains/rustup - - export RUST_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-rust-version) - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rustup override unset - - rustup toolchain uninstall $RUST_VERSION - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64 +services: +- name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run +volumes: +- name: awsconfig + temp: {} +- name: dockersock + temp: {} +- name: dockerconfig + temp: {} +image_pull_secrets: +- DOCKERHUB_CREDENTIALS --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. 
-# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-pkg -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-pkg -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64 -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /tmp/build-darwin-amd64-pkg/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials -- name: Download built tarball artifacts from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Build Mac pkg release artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export HOME=/Users/build - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - make pkg OS=$OS ARCH=$ARCH - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - ENT_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts - OS: darwin - OSS_TARBALL_PATH: /tmp/build-darwin-amd64-pkg/go/artifacts - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Copy Mac pkg artifacts - commands: - - set -u - - cd 
$WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz - - cp build/teleport*.pkg e/build/teleport-ent*.pkg $WORKSPACE_DIR/go/artifacts/ - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > - $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Register artifacts - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel .pkg installer" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-pkg-tsh -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-pkg-tsh -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64 -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /tmp/build-darwin-amd64-pkg-tsh/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials -- name: Download built tarball artifacts from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-darwin-amd64-bin.tar.gz - $WORKSPACE_DIR/go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Build Mac pkg release artifacts - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export HOME=/Users/build - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - make pkg-tsh OS=$OS ARCH=$ARCH - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - ENT_TARBALL_PATH: /tmp/build-darwin-amd64-pkg-tsh/go/artifacts - OS: darwin - OSS_TARBALL_PATH: /tmp/build-darwin-amd64-pkg-tsh/go/artifacts - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Copy Mac pkg artifacts - 
commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - rm -rf $WORKSPACE_DIR/go/artifacts/*.tar.gz - - cp build/tsh*.pkg $WORKSPACE_DIR/go/artifacts/ - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.pkg; do shasum -a 256 $FILE > - $FILE.sha256; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-pkg-tsh/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Register artifacts - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel .pkg installer (tsh client only)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-pkg-tsh - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm -environment: - BUILDBOX_VERSION: teleport13 - RUNTIME: go1.20.3 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-arm - environment: - ARCH: arm - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - 
image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaBuildPipeline) +# Generated at dronegen/gha.go (main.ghaBuildPipeline) ################################################ kind: pipeline 
@@ -8266,239 +7587,6 @@ steps: image_pull_secrets: - DOCKERHUB_CREDENTIALS ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/mac.go (main.newDarwinPipeline) -################################################ - -kind: pipeline -type: exec -name: build-darwin-amd64-connect -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /tmp/build-darwin-amd64-connect -platform: - os: darwin - arch: amd64 -clone: - disable: true -depends_on: -- build-darwin-amd64-pkg-tsh -concurrency: - limit: 1 -steps: -- name: Set up exec runner storage - commands: - - set -u - - mkdir -p $WORKSPACE_DIR - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Check out code - commands: - - set -u - - mkdir -p $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 $WORKSPACE_DIR/.ssh && echo "$GITHUB_PRIVATE_KEY" > $WORKSPACE_DIR/.ssh/id_rsa - && chmod 600 $WORKSPACE_DIR/.ssh/id_rsa - - ssh-keyscan -H github.com > $WORKSPACE_DIR/.ssh/known_hosts 2>/dev/null - - chmod 600 $WORKSPACE_DIR/.ssh/known_hosts - - GIT_SSH_COMMAND='ssh -i $WORKSPACE_DIR/.ssh/id_rsa -o UserKnownHostsFile=$WORKSPACE_DIR/.ssh/known_hosts - -F /dev/null' git submodule update --init e - - rm -rf $WORKSPACE_DIR/.ssh - - mkdir -p $WORKSPACE_DIR/go/cache - - mkdir -p $WORKSPACE_DIR/go/artifacts - - echo "${DRONE_TAG##v}" > $WORKSPACE_DIR/go/.version.txt - - cat $WORKSPACE_DIR/go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Install Node Toolchain - commands: - - set -u - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_DIR=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - mkdir -p $TOOLCHAIN_DIR - - curl --silent -O https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-darwin-x64.tar.gz - - tar -C $TOOLCHAIN_DIR -xzf node-v$NODE_VERSION-darwin-x64.tar.gz - - rm -f node-v$NODE_VERSION-darwin-x64.tar.gz - - export PATH=$NODE_DIR/bin:$PATH - - corepack enable yarn - - echo Node reporting version $(node --version) - - echo Yarn reporting version $(yarn --version) - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Assume AWS Role - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) 
\ - > /tmp/build-darwin-amd64-connect/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials -- name: Download tsh.pkg artifact from S3 - commands: - - set -u - - export VERSION=$(cat $WORKSPACE_DIR/go/.version.txt) - - export S3_PATH="tag/$${DRONE_TAG##v}/" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}tsh-$${VERSION}.pkg $WORKSPACE_DIR/go/src/github.com/gravitational/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Build Mac artifacts (Teleport Connect) - commands: - - set -u - - export HOME=/Users/$(whoami) - - export TOOLCHAIN_DIR=/tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED/toolchains - - export NODE_VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/build.assets - print-node-version) - - export NODE_HOME=$TOOLCHAIN_DIR/node-v$NODE_VERSION-darwin-x64 - - export PATH=$NODE_HOME/bin:$PATH - - export VERSION=$(make -C $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - print-version) - - export BUILD_NUMBER=$DRONE_BUILD_NUMBER - - security unlock-keychain -p $${BUILDBOX_PASSWORD} login.keychain - - security find-identity -v - - export CSC_NAME=0FFD3E3413AB4C599C53FBB1D8CA690915E33D83 - - cd $WORKSPACE_DIR/go/src/github.com/gravitational - - pkgutil --expand-full tsh-$${VERSION}.pkg tsh - - export CONNECT_TSH_APP_PATH=$WORKSPACE_DIR/go/src/github.com/gravitational/tsh/Payload/tsh.app - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport - - yarn install && yarn build-term && yarn package-term 
-c.extraMetadata.version=$VERSION - environment: - APPLE_PASSWORD: - from_secret: APPLE_PASSWORD - APPLE_USERNAME: - from_secret: APPLE_USERNAME - ARCH: amd64 - BUILDBOX_PASSWORD: - from_secret: BUILDBOX_PASSWORD - GOCACHE: /tmp/build-darwin-amd64-connect/go/cache - GOPATH: /tmp/build-darwin-amd64-connect/go - OS: darwin - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Copy dmg artifact - commands: - - set -u - - cd $WORKSPACE_DIR/go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release - - cp *.dmg $WORKSPACE_DIR/go/artifacts - - cd $WORKSPACE_DIR/go/artifacts && for FILE in *.dmg; do shasum -a 256 "$FILE" - > "$FILE.sha256"; done && ls -l - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Upload to S3 - commands: - - set -u - - cd $WORKSPACE_DIR/go/artifacts - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_SHARED_CREDENTIALS_FILE: /tmp/build-darwin-amd64-connect/credentials - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Register artifact - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="MacOS Intel" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="darwin" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect -- name: Clean up toolchains (post) - commands: - - set -u - - rm -rf /tmp/build-$DRONE_BUILD_NUMBER-$DRONE_BUILD_CREATED - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect - when: - status: - - success - - failure -- name: Clean up exec runner storage (post) - commands: - - set -u - - chmod -R u+rw $WORKSPACE_DIR - - rm -rf $WORKSPACE_DIR/go $WORKSPACE_DIR/.ssh - environment: - WORKSPACE_DIR: /tmp/build-darwin-amd64-connect - --- ################################################ # Generated using dronegen, do not edit by hand! 
@@ -21263,6 +20351,6 @@ image_pull_secrets: - DOCKERHUB_CREDENTIALS --- kind: signature -hmac: c255d7bcc4b43ec74779c9871d4e62027758bf42023e4144c59a4fb5116a96f8 +hmac: 101989203bdefb320f8daace5e6e6bf4b4e032c42b4fd22ace1acb54fe284880 ...