
Commit dd20738

committed
Sign release on local Buildkite agent
1 parent 0f94e60 commit dd20738

3 files changed

+40
-19
lines changed


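--- a/.buildkite/create-release.sh
+++ b/.buildkite/create-release.sh
@@ -5,8 +5,6 @@ set -euo pipefail
 RELEASE=${BUILDKITE_TAG#v}
 
 GITHUB_ACCESS_TOKEN="$(vault kv get -mount=kv -field github_access_token buildkite/terraform-provider-pass)"
-GPG_SIGNING_KEY="$(vault kv get -mount=kv -field gpg_signing_key buildkite/terraform-provider-pass)"
-GPG_SIGNING_KEY_PASSPHRASE="$(vault kv get -mount=kv -field gpg_signing_key_passphrase buildkite/terraform-provider-pass)"
 
 echo "--- Downloading and zipping artifacts"
 buildkite-agent artifact download "terraform-provider-pass*" .
@@ -19,13 +17,10 @@ for os in darwin linux; do
 done
 done
 
-echo "--- Importing GPG signing key"
-gpg --batch --import <(echo "${GPG_SIGNING_KEY}")
-
-echo "--- Signing zipped artifacts"
+echo "--- Generating checksum for zipped artifacts"
 cd release
 sha256sum -- *.zip > "terraform-provider-pass_${RELEASE}_SHA256SUMS"
-gpg --batch --local-user "nicholas+terraform-provider-pass@nicholas.cloud" --passphrase "${GPG_SIGNING_KEY_PASSPHRASE}" --detach-sign "terraform-provider-pass_${RELEASE}_SHA256SUMS"
+buildkite-agent artifact upload "terraform-provider-pass_${RELEASE}_SHA256SUMS"
 cd ..
 
 echo "--- Create draft release on GitHub"
@@ -45,9 +40,10 @@ curl --silent --fail --show-error -X POST "https://api.github.com/repos/nchlswht
 }
 " | tee "release.json"
 RELEASE_ID=$(jq --raw-output ".id" "release.json")
+buildkite-agent meta-data set "github-release-id" "${RELEASE_ID}"
 echo "Created draft release ${RELEASE_ID}"
 
-echo "--- Uploading release assets"
+echo "--- Uploading release artifacts"
 # GitHub supports Hypermedia relations, but this isn't easy to shell script
 # https://docs.github.com/en/rest/overview/resources-in-the-rest-api#hypermedia
 find "release/" -type f | while read -r ASSET; do
@@ -58,13 +54,3 @@ find "release/" -type f | while read -r ASSET; do
 -H "Content-Type: $(file --brief --mime-type "${ASSET}")" \
 --data-binary "@${ASSET}" > /dev/null
 done
-
-echo "--- Making release public"
-curl --silent --fail --show-error -X PATCH "https://api.github.com/repos/nchlswhttkr/terraform-provider-pass/releases/${RELEASE_ID}" \
--H "Authorization: Bearer ${GITHUB_ACCESS_TOKEN}" \
--H "Accept: application/vnd.github.v3+json" \
---data "
-{
-\"draft\": false
-}
-"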
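Review bot: The new `buildkite-agent meta-data set "github-release-id" "${RELEASE_ID}"` line in the third hunk stores whatever `jq --raw-output ".id"` produced, and `jq` prints the literal string `null` when the key is absent, so a malformed (but 2xx) response would hand the downstream sign step a bogus id that it then bakes into GitHub URLs. A guard before the `meta-data set`, `[[ "${RELEASE_ID}" =~ ^[0-9]+$ ]] || { echo "no release id in release.json" >&2; exit 1; }`, fails this step instead of the later one. Note that the checksum file is now handed to the signing step only via `buildkite-agent artifact upload`; whether the agent verifies the stored artifact's digest on download is not visible here, so the trust in that hop is worth a one-line comment next to the upload.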

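--- a/.buildkite/pipeline.yml
+++ b/.buildkite/pipeline.yml
@@ -48,11 +48,19 @@ steps:
 config: .buildkite/docker-compose.yml
 
 - label: ":github: Bundle binary artifacts and create GitHub release"
-key: release
+key: create-release
 depends_on: build
 command: .buildkite/create-release.sh
 if: build.env("BUILDKITE_TAG") =~ /^v\d/
 env:
 VAULT_ROLE_ID: 703f9e62-1225-507b-ab21-9b762f8db482
 artifact_paths:
 - release.json
+
+- label: ":github: Sign and publish release"
+key: sign-release
+depends_on: create-release
+command: .buildkite/sign-release.sh
+if: build.env("BUILDKITE_TAG") =~ /^v\d/
+agents:
+queue: nchlswhttkr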
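Review bot: The new `sign-release` step pins `agents: queue: nchlswhttkr` without a comment, yet that placement is load-bearing: the script it runs obtains the Vault token and the GPG key from that agent's local stores rather than from the `VAULT_ROLE_ID` AppRole the `create-release` step uses, so the step cannot safely be moved to the shared queue. A comment above the step, `# Must run on the local agent that holds the GPG signing key and Vault token; see sign-release.sh`, would make that explicit. The duplicated `if:` tag condition is harmless given `depends_on: create-release`, but a note that it is intentional would prevent someone "simplifying" it away.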

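--- /dev/null
+++ b/.buildkite/sign-release.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+set -euo pipefail
+
+RELEASE=${BUILDKITE_TAG#v}
+RELEASE_ID="$(buildkite-agent meta-data get github-release-id)"
+
+VAULT_TOKEN="$(pass show vault/root-token)"
+export VAULT_TOKEN
+GITHUB_ACCESS_TOKEN="$(vault kv get -mount=kv -field github_access_token buildkite/terraform-provider-pass)"
+
+echo "--- Signing release checksum"
+buildkite-agent artifact download "terraform-provider-pass_${RELEASE}_SHA256SUMS" .
+gpg --detach-sign "terraform-provider-pass_${RELEASE}_SHA256SUMS"
+# GitHub supports Hypermedia relations, but this isn't easy to shell script
+# https://docs.github.com/en/rest/overview/resources-in-the-rest-api#hypermedia
+curl --silent --fail --show-error -X POST "https://uploads.github.com/repos/nchlswhttkr/terraform-provider-pass/releases/${RELEASE_ID}/assets?name=terraform-provider-pass_${RELEASE}_SHA256SUMS.sig" \
+-H "Authorization: Bearer ${GITHUB_ACCESS_TOKEN}" \
+-H "Accept: application/vnd.github.v3+json" \
+-H "Content-Type: $(file --brief --mime-type "terraform-provider-pass_${RELEASE}_SHA256SUMS.sig")" \
+--data-binary "@terraform-provider-pass_${RELEASE}_SHA256SUMS.sig" > /dev/null
+
+echo "--- Publishing release"
+curl --silent --fail --show-error -X PATCH "https://api.github.com/repos/nchlswhttkr/terraform-provider-pass/releases/${RELEASE_ID}" \
+-H "Authorization: Bearer ${GITHUB_ACCESS_TOKEN}" \
+-H "Accept: application/vnd.github.v3+json" \
+--data "{\"draft\": false}"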
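Review bot: `gpg --detach-sign "terraform-provider-pass_${RELEASE}_SHA256SUMS"` on line 14 drops the `--batch` and `--local-user` the removed create-release.sh code had, so it signs with whatever the agent's default key is and, if that key needs a passphrase, will block on pinentry in a non-interactive job; `gpg --batch --local-user "nicholas+terraform-provider-pass@nicholas.cloud" --detach-sign "terraform-provider-pass_${RELEASE}_SHA256SUMS"` pins the release key and fails fast instead. Line 8 reads `pass show vault/root-token` and exports it to every child process for a single KV read; a token scoped to `buildkite/terraform-provider-pass` (the AppRole the create-release step already uses) would keep the root token off this path entirely. Line 13 signs the SHA256SUMS file straight from the artifact store without re-checking it against the zips, so the signature attests the store's copy; whether `buildkite-agent artifact download` verifies the stored digest is not visible here, and a short comment stating what the signature covers would help the next reader.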
