Merge pull request #706 from avh4/release/sign-artifacts

Build release CI: sign artifacts
avh4 · Sep 24, 2020 · c4449df · c4449df
2 parents e3e8f95 + aa996d1
commit c4449df
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 30 deletions.
diff --git a/.github/workflows/Build release.yml b/.github/workflows/Build release.yml
@@ -25,6 +25,13 @@ jobs:
     - name: Configure environment
       run: |
         git config --global core.autocrlf false
+    - name: Configure GPG Key
+      run: |
+        echo "$GPG_SIGNING_KEY" | base64 --decode > private.key
+        gpg --import private.key
+        rm private.key
+      env:
+        GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
     - uses: actions/checkout@v2
       with:
         fetch-depth: 0
@@ -44,15 +51,18 @@ jobs:
         ghc --version
         [[ $(ghc --numeric-version) == 8.8.4 ]]
     - uses: actions/cache@v2
-      name: Cache cabal-v2-${{ runner.os }}-${{ hashFiles('cabal.project.freeze') }}
+      name: Cache cabal-release-v1-${{ runner.os }}-${{ hashFiles('cabal.project.freeze') }}
       with:
         path: ${{ steps.setup-haskell.outputs.cabal-store }}
-        key: cabal-v2-${{ runner.os }}-${{ hashFiles('cabal.project.freeze') }}
+        key: cabal-release-v1-${{ runner.os }}-${{ hashFiles('cabal.project.freeze') }}
     - run: cabal v2-update
     - run: cabal v2-build --only-dependencies
-    - run: cabal v2-build --only-dependencies  --enable-tests
-    - run: ./build.sh -- dependencies
     - run: ./build.sh -- dist
+    - name: Sign artifacts
+      run: |
+        for i in dist/*; do
+          gpg --verbose --local-user 1508E30E65C8C21F --output "$i".sig --detach-sig "$i"
+        done
     - uses: actions/upload-artifact@v2
       with:
         name: elm-format-${{ github.sha }}-${{ runner.os }}

diff --git a/PUBLISHING.md b/PUBLISHING.md
@@ -8,10 +8,6 @@
 ```bash
 brew update
 brew install keybase
-brew install github-release
-brew install caskroom/cask/brew-cask
-brew cask install vagrant
-brew cask install virtualbox
 ```
 
 
@@ -30,9 +26,12 @@ brew cask install virtualbox
 1. Wait for CI to successfully build the tag.
 
 
-## Mac
+## Mac / Windows
 
-1. Run `./package/mac/build-package.sh`
+1. Pushing the tag should have triggered a build at <https://github.com/avh4/elm-format/actions?query=workflow%3A%22Build+release%22>
+1. Download the artifacts from the successful build (keep them as zip files)
+1. Run `./package/collect_files.sh` passing the paths to the downloaded zip files as arguments
+1. Check that the new files are reported to have valid signatures
 
 
 ## Linux
@@ -41,15 +40,6 @@ brew cask install virtualbox
 1. Run `./package/linux/build-in-docker.sh`
 
 
-## Windows
-
-1. Pushing the tag should have triggered a build at <https://github.com/avh4/elm-format/actions?query=workflow%3A%22Build+Windows+release%22>
-1. Download the zip file artifact from the successful build (github will wrap this in another zip file)
-1. Unzip the outer zip file to get the inner zip file
-1. Rename the inner zip file to `elm-format-<new version>-win-i386.zip`
-1. Check that the SHA1 hash of the zip file matches what was printed in the "Run Get-FileHash -Algorithm SHA1 elm-format.zip" step of the successful build
-
-
 ## Publishing
 
 1. Run `./package/sign_files.sh`

diff --git a/Shakefile.hs b/Shakefile.hs
@@ -156,7 +156,7 @@ main = do
         sourceFiles <- getDirectoryFiles "" sourceFilesPattern
         need sourceFiles
         need generatedSourceFiles
-        cmd_ "cabal" "v2-test" "-O0"
+        cmd_ "cabal" "v2-test" "-O0" "--test-show-details=streaming"
         writeFile' out ""
 
 

diff --git a/keys/github-actions.gpg b/keys/github-actions.gpg
diff --git a/package/collect_files.sh b/package/collect_files.sh
@@ -1,13 +1,19 @@
 #!/bin/bash
 
-set -ex
+set -euo pipefail
 
-VERSION="$(git describe --abbrev=8)"
+for i in "$@"; do
+    echo "Extracting $i"
+    unzip -d dist/ "$i"
+done
 
-pushd package/win/elm-format
-tar zxvf "elm-format-${VERSION}-win-i386.tgz"
-zip "elm-format-${VERSION}-win-i386.zip" elm-format.exe
-popd
-
-cp -v package/win/elm-format/elm-format-"${VERSION}"-win-i386.zip ./
 
+echo "Verifying signatures"
+for i in dist/*.{zip,tgz}; do
+    echo ">>> $i"
+    if [ -f "$i.sig" ]; then
+        gpgv --keyring "$(pwd)"/keys/github-actions.gpg "$i".sig "$i"
+    else
+        echo "WARNING: No signature"
+    fi
+done
diff --git a/package/sign_files.sh b/package/sign_files.sh
@@ -4,8 +4,8 @@ set -exo pipefail
 
 VERSION="$(git describe --abbrev=8)"
 
-for i in elm-format-${VERSION}-{mac-x64.tgz,win-i386.zip,linux-x64.tgz}; do
+for i in dist/elm-format-${VERSION}-{mac-x64.tgz,win-i386.zip,linux-x64.tgz}; do
   keybase pgp sign --detached --infile "$i" --outfile "$i".asc
   # github-release upload --user avh4 --repo elm-format --tag "$VERSION" --file "$BUILD".tgz
-#   github-release upload --user avh4 --repo elm-format --tag "$VERSION" --file "$BUILD".tgz.asc
+  # github-release upload --user avh4 --repo elm-format --tag "$VERSION" --file "$BUILD".tgz.asc
 done