Merge pull request #18 from joemiller/github-actions-migration

.github/workflows/main.yaml

@@ -0,0 +1,137 @@
+name: main
+on: [push, pull_request]
+
+# TODO: implement support for [skip ci], https://timheuer.com/blog/skipping-ci-github-actions-workflows/
+# TODO: bonus: can we achiever apple codesigning in CI and remove the local script step?
+# TODO: update CI/CD section in readme to remove azure refs
+# TODO: switch readme CI badge to github actions
+# TODO: document autotag git branch+tags stuff in autotag README
+
+jobs:
+  lint:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    if: github.event_name == 'push' && !contains(toJson(github.event.commits), '[ci skip]') && !contains(toJson(github.event.commits), '[skip ci]')
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: install golangci-lint
+        run: |
+          mkdir -p "$HOME/bin"
+          curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b "$HOME/bin" v1.26.0
+          echo "::add-path::$HOME/bin"
+        shell: bash # force windows to use git-bash for access to curl
+
+      - name: install goreleaser
+        # only need to lint goreleaser on one platform:
+        if: startsWith(runner.os, 'Linux')
+        run: curl -sfL https://install.goreleaser.com/github.com/goreleaser/goreleaser.sh | sudo sh -s -- -b /usr/local/bin
+
+      - name: make lint
+        env:
+          CI: "true"
+        run: make lint
+        shell: bash
+
+  test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    if: github.event_name == 'push' && !contains(toJson(github.event.commits), '[ci skip]') && !contains(toJson(github.event.commits), '[skip ci]')
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: install go deps
+        run: make deps
+
+      - name: install pass (linux)
+        if: startsWith(runner.os, 'Linux')
+        run: |
+          sudo apt-get -qy update
+          sudo apt-get -qy install pass
+
+      - name: install pass (macos)
+        if: startsWith(runner.os, 'macOS')
+        run: |
+          brew install pass
+
+      - name: make test
+        env:
+          CI: "true"
+        run: make test
+
+  release-test:
+    needs: [lint, test]
+    # don't waste time running a goreleaser test build on master since we will run a full release:
+    if: github.ref != 'refs/heads/master'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: install go deps
+        run: make deps
+      - run: make snapshot
+
+  release:
+    needs: [lint, test]
+    # only create a release on master builds:
+    if: github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+      - uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Unshallow
+        run: |
+          # fetch all tags and history so that goreleaser can generate a proper changelog
+          # and autotag can calculate the next version tag:
+          git fetch --tags --unshallow --prune
+
+          if [ $(git rev-parse --abbrev-ref HEAD) != "master" ]; then
+            # ensure a local 'master' branch exists for autotag to work correctly:
+            git branch --track master origin/master
+          fi
+      - name: install go deps
+        run: make deps
+
+      - name: install autotag
+        run: |
+          curl -sL https://git.io/autotag-install | sudo sh -s -- -b /usr/local/bin
+
+      - name: run autotag to increment version
+        run: |
+          autotag
+
+      - name: build and push release artifacts
+        env:
+          GITHUB_TOKEN: ${{ secrets.BREW_GITHUB_TOKEN }}
+          # GPG_KEY contents must be base64 encoded:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          make release

.gitignore

@@ -9,3 +9,4 @@ vault-token-helper.exe
 .DS_Store
 .envrc
 vault-token-helper.signing-key.gpg
+.Attic

.goreleaser.yml

@@ -101,14 +101,14 @@ nfpms:
       - rpm
     overrides:
       rpm:
-        name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Arch }}"
+        file_name_template: "{{ .ProjectName }}-{{ .Version }}-{{ .Arch }}"
         replacements:
           amd64: x86_64
           386: i686
           arm: armhfp
           arm64: aarch64
       deb:
-        name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+        file_name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
         replacements:
           386: i386
           arm: armel

Makefile

@@ -2,7 +2,12 @@ deps:
 	@go get
 
 lint:
-	@golangci-lint run -v
+	@golangci-lint run -v --timeout=3m
+	@if command -v goreleaser >/dev/null; then \
+		goreleaser check; \
+	else \
+		echo "goreleaser not installed, skiping goreleaser linting"; \
+	fi
 
 test:
 	@go test -coverprofile=cover.out -v ./...

README.md

@@ -1,10 +1,10 @@
 vault-token-helper
 ==================
 
-[![Build Status](https://dev.azure.com/joeym0501/vault-token-helper/_apis/build/status/joemiller.vault-token-helper?branchName=master)](https://dev.azure.com/joeym0501/vault-token-helper/_build/latest?definitionId=1&branchName=master)
+![main](https://github.com/joemiller/vault-token-helper/workflows/main/badge.svg)
 
 A @hashicorp Vault [token helper](https://www.vaultproject.io/docs/commands/token-helper.html) with
-support for native secret storage backends on macOS, Linux, and Windows.
+support for native secret storage on macOS, Linux, and Windows.
 
 Features
 --------
@@ -17,7 +17,30 @@ Supported backends:
 * macOS Keychain
 * Linux (DBus Secret Service compatible backends, eg: Gnome Keyring)
 * Windows (WinCred)
-* [pass](https://www.passwordstore.org/)
+* [pass](https://www.passwordstore.org/) (GPG)
+
+Quickstart (macOS)
+------------------
+
+Install:
+
+    brew install joemiller/taps/vault-token-helper
+
+Configure Vault to use the token helper. This will create the `~/.vault` config file:
+
+    vault-token-helper enable
+
+Authenticate to a Vault instance to encrypt and store a new token locally, for example
+with the Okta auth backend:
+
+    export VAULT_ADDR=https://vault:8200
+    vault login -method=okta [email protected]
+
+List stored tokens:
+
+    vault-token-helper list -e
+
+Keep reading for further details and installation methods.
 
 Install
 -------
@@ -56,9 +79,10 @@ Clone this repo and compile for the current architecture:
 make build
 ```
 
-Binaries for all supported platforms are built using the [dockercore/golang-cross](https://github.com/docker/golang-cross)
-image. This is the same image used by the docker cli project. The image makes it possible to
-cross-compile and link to platform-specific libraries such as the OSX SDK on macOS:
+Binaries for all supported platforms are built using the
+[dockercore/golang-cross](https://github.com/docker/golang-cross) image. This is the same image used
+by the docker cli project for cross-compiling and linking with platform-specific libraries such
+as macOS' Keychain and Windows' WinCred.
 
 ```sh
 make snapshot
@@ -122,7 +146,7 @@ A fully annotated example config file is available in [./vault-token-helper.anno
 Set `VAULT_ADDR` to the URL of your Vault instance and run `vault` commands like normal. For example,
 to login and store a token on a Vault instance with the Okta auth plugin enabled:
 
-```sh
+```console
 export VAULT_ADDR=https://vault:8200
 vault login -method=okta [email protected]
 ```
@@ -181,10 +205,10 @@ The most complete way to run all tests would be to run `make test` under each pl
 
 ### CI/CD
 
-Azure DevOps Pipelines is used for CI and CD because it provides support for macos, windows,
-and linux.
+[Github Actions](https://github.com/joemiller/vault-token-helper/actions) is used for CI/CD.
 
-Tests are run on pull requests and releases are generated on successful master branch builds.
+Tests are run on pull requests and versioned releases are generated on all successful master branch
+builds.
 
 ### Release Management
 
@@ -234,5 +258,4 @@ TODO
 * ci/cd:
   * [x] `sign` checksum.txt and assets in goreleaser.yaml GPG key
   * [ ] apple `codesign` the macos binaries
-  * [ ] figure out how to cache go modules in azure pipelines, using this task maybe - https://github.com/microsoft/azure-pipelines-artifact-caching-tasks
   * [ ] linux tests, figure out how to test dbus secret-service in headless CI. probably need a stub to connect to Dbus and provide the 'prompt' service