Skip to content

APT uploading/signing workflow #200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 9 commits into from
Oct 16, 2025
Merged

APT uploading/signing workflow #200

Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
bcac4db
workflow test
jakub-tldr Oct 15, 2025
b99defe
edit secrets
jakub-tldr Oct 15, 2025
5bd366f
remove bookworm signing
jakub-tldr Oct 15, 2025
dd9e28a
ready to release
jakub-tldr Oct 15, 2025
968b3b2
Added ruby to path
jakub-tldr Oct 15, 2025
2912e46
for loop
jakub-tldr Oct 16, 2025
e2812bb
typo 2
jakub-tldr Oct 16, 2025
cb7121d
remove export
jakub-tldr Oct 16, 2025
91360fc
add eol
jakub-tldr Oct 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 47 additions & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
name: Make a new release

on:
push:
tags:
Expand Down Expand Up @@ -178,6 +177,20 @@ jobs:
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
asset_content_type: application/octet-stream

- name: Install ruby with deb-s3
if: matrix.build == 'linux'
run: |
sudo apt-get install -y ruby
gem install deb-s3
echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH

- name: Upload DEB to apt repository
if: matrix.build == 'linux'
run: |
COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.

deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb

- name: Run `packer init`
if: matrix.build == 'linux' && matrix.arch == 'amd64'
id: init
Expand Down Expand Up @@ -215,3 +228,36 @@ jobs:
asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
asset_content_type: application/octet-stream

apt-sign:
needs:
- build-binaries
runs-on:
- self-hosted
- Linux
- X64
strategy:
fail-fast: false
steps:
- name: Sign APT repository on trixie
run: |
export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
export AWS_REGION=eu-north-1
sudo apt update -y
sudo apt install -y awscli curl jq

for DIST in trixie; do
aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .

curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
-F "file=@Release" \
-o response.json

cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease

aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
done