From e8d3dc0e756fe751c62eccb7ffa22e2e10785a73 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 21:45:09 +0200 Subject: [PATCH 01/37] skip goreleaser publish step --- .github/workflows/release.yaml | 65 +++++++++++++++++----------------- 1 file changed, 33 insertions(+), 32 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 0760269ed..93bac375f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -67,7 +67,7 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: - args: release --clean + args: release --clean --skip-publish env: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} 
@@ -80,38 +80,39 @@ jobs: path: dist retention-days: 1 - publish-apt: - name: Publish APT - runs-on: macOS-latest - needs: [goreleaser] - env: - # Needed to publish new packages to our S3-hosted APT repo - AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} - steps: - - name: Checkout - uses: actions/checkout@v5 + # publish-apt: + # name: Publish APT + # runs-on: macOS-latest + # needs: [goreleaser] + # if: github.event_name != 'workflow_dispatch' + # env: + # # Needed to publish new packages to our S3-hosted APT repo + # AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} + # steps: + # - name: Checkout + # uses: actions/checkout@v5 - # use the artifacts from the "goreleaser" job - - name: Download artifacts from workflow - uses: actions/download-artifact@v5 - with: - name: goreleaser-dist-temp - path: dist + # # use the artifacts from the "goreleaser" job + # - name: Download artifacts from workflow + # uses: actions/download-artifact@v5 + # with: + # name: goreleaser-dist-temp + # path: dist - - name: Install Aptly - run: brew install aptly + # - name: Install Aptly + # run: brew install aptly - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 - id: import_gpg - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_PASSPHRASE }} + # - name: Import GPG key + # uses: crazy-max/ghaction-import-gpg@v6 + # id: import_gpg + # with: + # gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + # passphrase: ${{ secrets.GPG_PASSPHRASE }} - - name: Publish packages to APT repo - if: contains(github.ref_name, '-') == false - env: - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - run: ./scripts/publish-apt-packages.sh + # - name: Publish packages to APT repo + # if: contains(github.ref_name, 
'-') == false + # env: + # GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + # GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + # run: ./scripts/publish-apt-packages.sh \ No newline at end of file From c4c86d428429278647bb717f128b1382160668f8 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 21:53:42 +0200 Subject: [PATCH 02/37] fix typo --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 93bac375f..cf9139ffe 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -67,7 +67,7 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: - args: release --clean --skip-publish + args: release --clean --skip=publish env: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} From 8f27d275a1926538062c474d1a9ef7f143115261 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 21:59:45 +0200 Subject: [PATCH 03/37] skip tag validation --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cf9139ffe..d91ac78a1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -67,7 +67,7 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@v6 with: - args: release --clean --skip=publish + args: release --clean --skip=publish --skip=validate env: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} From 84df183a4b7b3d12aa69a5ad325b8db3a900ac4e Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 22:14:51 +0200 Subject: [PATCH 04/37] temporarily outcomment most builds --- .goreleaser.yaml | 244 +++++++++++++++++++++++------------------------ 1 file changed, 122 insertions(+), 122 deletions(-) 
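Review bot: The commented-out publish-apt job is not a faithful copy of the removed one — it gains a `# if: github.event_name != 'workflow_dispatch'` line the live job never had — so re-enabling it by uncommenting will change behaviour without anyone noticing in the diff. If the job is meant to come back, gating it with `if: false` (or a temporary repository variable) keeps it parsed and linted instead of drifting as dead text. The new side also drops the trailing newline (`\ No newline at end of file`), which every later patch touching this file will carry along.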
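Review bot: `--skip=validate` in this hunk disables GoReleaser's pre-release checks (clean worktree, tag pointing at the checked-out commit), so a release run can now build artifacts from a dirty or untagged tree without failing, while the unchanged `GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}` still hands the step a write-capable token. If the skips are only for exercising the packaging jobs, tie them to the trigger rather than hard-coding them — assuming the manual `workflow_dispatch` trigger the commented-out job referenced is the test path, `args: release --clean ${{ github.event_name == 'workflow_dispatch' && '--skip=publish --skip=validate' || '' }}` keeps tag-driven runs validated — and drop them before the series merges.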
diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 37412c183..c1475f175 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -12,74 +12,74 @@ builds: - linux binary: "stackit" - - id: windows-builds - env: - - CGO_ENABLED=0 - goos: - - windows - binary: "stackit" + # - id: windows-builds + # env: + # - CGO_ENABLED=0 + # goos: + # - windows + # binary: "stackit" - - id: macos-builds - env: - - CGO_ENABLED=0 - - BUNDLE_ID=cloud.stackit.cli - - "APPLE_APPLICATION_IDENTITY=Developer ID Application: Schwarz IT KG" - goos: - - darwin - binary: "stackit" - goarch: - - arm64 - - amd64 - hooks: - post: - # Signing - - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}" - output: true - - cmd: codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}" - output: true - - cmd: hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - output: true - - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - output: true - - cmd: xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg - output: true - - cmd: xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - output: true - - cmd: spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg - output: true - # Completion files - - cmd: mkdir -p dist/completions - - cmd: sh -c 'go run main.go completion zsh > ./dist/completions/stackit.zsh' - - cmd: sh -c 'go run main.go completion bash > ./dist/completions/stackit.bash' - - cmd: sh -c 'go run main.go completion fish > ./dist/completions/stackit.fish' + # - id: macos-builds + # env: + # - CGO_ENABLED=0 + # - BUNDLE_ID=cloud.stackit.cli + # - "APPLE_APPLICATION_IDENTITY=Developer ID Application: Schwarz IT KG" + # goos: + # - darwin + # 
binary: "stackit" + # goarch: + # - arm64 + # - amd64 + # hooks: + # post: + # # Signing + # - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}" + # output: true + # - cmd: codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}" + # output: true + # - cmd: hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + # output: true + # - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + # output: true + # - cmd: xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg + # output: true + # - cmd: xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + # output: true + # - cmd: spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg + # output: true + # # Completion files + # - cmd: mkdir -p dist/completions + # - cmd: sh -c 'go run main.go completion zsh > ./dist/completions/stackit.zsh' + # - cmd: sh -c 'go run main.go completion bash > ./dist/completions/stackit.bash' + # - cmd: sh -c 'go run main.go completion fish > ./dist/completions/stackit.fish' -archives: - - id: windows-archives - ids: - - windows-builds - formats: [ 'zip' ] - - ids: - - linux-builds - - macos-builds - formats: [ 'tar.gz' ] - files: - - src: ./dist/completions/* - dst: completions - - LICENSE.md - - README.md +# archives: +# - id: windows-archives +# ids: +# - windows-builds +# formats: [ 'zip' ] +# - ids: +# - linux-builds +# - macos-builds +# formats: [ 'tar.gz' ] +# files: +# - src: ./dist/completions/* +# dst: completions +# - LICENSE.md +# - README.md -release: - # If set to auto, the GitHub release will be 
marked as "Pre-release" - # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) - prerelease: auto +# release: +# # If set to auto, the GitHub release will be marked as "Pre-release" +# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) +# prerelease: auto -changelog: - use: github - sort: asc - filters: - exclude: - - "^docs:" - - "^test:" +# changelog: +# use: github +# sort: asc +# filters: +# exclude: +# - "^docs:" +# - "^test:" nfpms: - id: linux-packages 
@@ -111,63 +111,63 @@ signs: "${artifact}", ] -homebrew_casks: - - name: stackit - directory: Casks - repository: - owner: stackitcloud - name: homebrew-tap - commit_author: - name: CLI Release Bot - email: noreply@stackit.de - homepage: "https://github.com/stackitcloud/stackit-cli" - description: "A command-line interface to manage STACKIT resources." - license: "Apache-2.0" - # If set to auto, the release will not be uploaded to the homebrew tap repo - # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) - skip_upload: auto - completions: - zsh: ./completions/stackit.zsh - bash: ./completions/stackit.bash - fish: ./completions/stackit.fish +# homebrew_casks: +# - name: stackit +# directory: Casks +# repository: +# owner: stackitcloud +# name: homebrew-tap +# commit_author: +# name: CLI Release Bot +# email: noreply@stackit.de +# homepage: "https://github.com/stackitcloud/stackit-cli" +# description: "A command-line interface to manage STACKIT resources." +# license: "Apache-2.0" +# # If set to auto, the release will not be uploaded to the homebrew tap repo +# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) +# skip_upload: auto +# completions: +# zsh: ./completions/stackit.zsh +# bash: ./completions/stackit.bash +# fish: ./completions/stackit.fish -snapcrafts: - # IDs of the builds for which to create packages for - - ids: - - linux-builds - # The name of the snap - name: stackit - # The canonical title of the application, displayed in the software - # centre graphical frontends - title: STACKIT CLI - summary: A command-line interface to manage STACKIT resources. - description: "A command-line interface to manage STACKIT resources." 
- license: Apache-2.0 - confinement: classic - # Grade "devel" will only release to `edge` and `beta` channels - # Grade "stable" will also release to the `candidate` and `stable` channels - grade: stable - # Whether to publish the Snap to the store - publish: true +# snapcrafts: +# # IDs of the builds for which to create packages for +# - ids: +# - linux-builds +# # The name of the snap +# name: stackit +# # The canonical title of the application, displayed in the software +# # centre graphical frontends +# title: STACKIT CLI +# summary: A command-line interface to manage STACKIT resources. +# description: "A command-line interface to manage STACKIT resources." +# license: Apache-2.0 +# confinement: classic +# # Grade "devel" will only release to `edge` and `beta` channels +# # Grade "stable" will also release to the `candidate` and `stable` channels +# grade: stable +# # Whether to publish the Snap to the store +# publish: true -winget: - - name: stackit - publisher: stackitcloud - short_description: A command-line interface to manage STACKIT resources. - license: Apache-2.0 - publisher_support_url: "https://github.com/stackitcloud/stackit-cli/issues" - package_identifier: stackitcloud.stackit - homepage: "https://github.com/stackitcloud/stackit-cli" - # If set to auto, the release will not be uploaded to the homebrew tap repo - # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) - # Temporarily not skipping prereleases to test integration with Winget - # skip_upload: auto - repository: - owner: stackitcloud - name: winget-pkgs - pull_request: - enabled: true - base: - owner: microsoft - name: winget-pkgs - branch: master +# winget: +# - name: stackit +# publisher: stackitcloud +# short_description: A command-line interface to manage STACKIT resources. 
+# license: Apache-2.0 +# publisher_support_url: "https://github.com/stackitcloud/stackit-cli/issues" +# package_identifier: stackitcloud.stackit +# homepage: "https://github.com/stackitcloud/stackit-cli" +# # If set to auto, the release will not be uploaded to the homebrew tap repo +# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) +# # Temporarily not skipping prereleases to test integration with Winget +# # skip_upload: auto +# repository: +# owner: stackitcloud +# name: winget-pkgs +# pull_request: +# enabled: true +# base: +# owner: microsoft +# name: winget-pkgs +# branch: master From 6bd34865733a928d46f0d09407759cd82f0cbac1 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 22:49:45 +0200 Subject: [PATCH 05/37] add rpm release job and script --- .github/workflows/release.yaml | 72 +++++++++++++------------ scripts/publish-rpm-packages.sh | 94 +++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+), 35 deletions(-) create mode 100755 scripts/publish-rpm-packages.sh diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d91ac78a1..ecebdb953 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -79,40 +79,42 @@ jobs: name: goreleaser-dist-temp path: dist retention-days: 1 - - # publish-apt: - # name: Publish APT - # runs-on: macOS-latest - # needs: [goreleaser] - # if: github.event_name != 'workflow_dispatch' - # env: - # # Needed to publish new packages to our S3-hosted APT repo - # AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} - # AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} - # steps: - # - name: Checkout - # uses: actions/checkout@v5 - # # use the artifacts from the "goreleaser" job - # - name: Download artifacts from workflow - # uses: actions/download-artifact@v5 - # with: - # name: goreleaser-dist-temp - # path: dist - - # - name: Install Aptly - # run: brew install aptly - - # - name: Import GPG key - # uses: crazy-max/ghaction-import-gpg@v6 - # id: import_gpg - # with: - # gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - # passphrase: ${{ secrets.GPG_PASSPHRASE }} + + + publish-rpm: + name: Publish RPM + runs-on: ubuntu-latest + needs: [goreleaser] + env: + # Needed to publish new packages to our S3-hosted RPM repo + AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }} + steps: + - name: Checkout + uses: actions/checkout@v5 - # - name: Publish packages to APT repo - # if: contains(github.ref_name, '-') == false - # env: - # GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - # GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - # run: ./scripts/publish-apt-packages.sh \ No newline at end of file + - name: Download artifacts from workflow + uses: actions/download-artifact@v5 + with: + name: goreleaser-dist-temp + path: dist + + - name: Install RPM tools + run: | + sudo apt-get update + sudo apt-get install -y createrepo-c rpm-sign + + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@v6 + id: import_gpg + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ 
secrets.GPG_PASSPHRASE }} + + - name: Publish RPM packages +# if: contains(github.ref_name, '-') == false + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + run: ./scripts/publish-rpm-packages.sh \ No newline at end of file diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh new file mode 100755 index 000000000..5ad0c5555 --- /dev/null +++ b/scripts/publish-rpm-packages.sh 
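Review bot: The prerelease guard on the `Publish RPM packages` step is commented out (`# if: contains(github.ref_name, '-') == false`, at column 0), so any tag — including `-alpha`/`-rc` prereleases — is published into the RPM repository; the same guard is commented out again on the re-added publish-apt job in patch 16. The job also has no job-level `if`, so as far as the hunk shows it runs on every trigger that reaches `goreleaser`. Restore `if: contains(github.ref_name, '-') == false` at step indentation before the `TEST_OBJECT_STORAGE_*` secrets are swapped for production ones, or gate on a `workflow_dispatch` input while testing. If it has to stay disabled for now, a `# TODO(test): re-enable prerelease guard before release` marker makes the intent visible to whoever merges this.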
@@ -0,0 +1,94 @@ +#!/usr/bin/env bash + +# This script is used to publish new RPM packages to the CLI RPM repository +# Usage: ./publish-rpm-packages.sh +set -eo pipefail + +PACKAGES_BUCKET_URL="https://distribution-test.object.storage.eu01.onstackit.cloud" +PUBLIC_KEY_FILE_PATH="keys/key.gpg" +RPM_REPO_PATH="rpm/cli" +RPM_BUCKET_NAME="distribution-test" +CUSTOM_KEYRING_FILE="rpm-keyring.gpg" +DISTRIBUTION="stackit" +GORELEASER_PACKAGES_FOLDER="dist/" + +# We need to disable the key database daemon (keyboxd) +# This can be done by removing "use-keyboxd" from ~/.gnupg/common.conf (see https://github.com/gpg/gnupg/blob/master/README) +echo -n >~/.gnupg/common.conf + +# Create RPM repository directory structure +printf ">>> Creating RPM repository structure \n" +mkdir -p rpm-repo/x86_64 +mkdir -p rpm-repo/i386 +mkdir -p rpm-repo/aarch64 + +# Copy RPM packages and signatures to appropriate architecture directories +printf "\n>>> Copying RPM packages and signatures to architecture directories \n" + +# Copy x86_64 packages (amd64) +for file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm*; do + if [ -f "$file" ]; then + cp "$file" rpm-repo/x86_64/ + printf "Copied $(basename "$file") to x86_64/\n" + fi +done + +# Copy i386 packages +for file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm*; do + if [ -f "$file" ]; then + cp "$file" rpm-repo/i386/ + printf "Copied $(basename "$file") to i386/\n" + fi +done + +# Copy aarch64 packages (arm64) +for file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm*; do + if [ -f "$file" ]; then + cp "$file" rpm-repo/aarch64/ + printf "Copied $(basename "$file") to aarch64/\n" + fi +done + +# Download existing repository metadata if it exists +printf "\n>>> Downloading existing repository metadata \n" +aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --delete || echo "No existing repository found, creating new one" + +# Create repository metadata for each architecture +printf "\n>>> Creating repository metadata \n" +for arch in x86_64 
i386 aarch64; do + if [ -d "rpm-repo/${arch}" ] && [ "$(ls -A rpm-repo/${arch})" ]; then + printf "Creating metadata for ${arch}...\n" + + # List what we're working with + printf "Files in ${arch}: $(ls rpm-repo/${arch}/ | tr '\n' ' ')\n" + + # Create repository metadata + createrepo_c --update rpm-repo/${arch} + + # Sign the repository metadata + printf "Signing repository metadata for ${arch}...\n" + gpg --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" --passphrase "${GPG_PASSPHRASE}" rpm-repo/${arch}/repodata/repomd.xml + + # Verify the signature was created + if [ -f "rpm-repo/${arch}/repodata/repomd.xml.asc" ]; then + printf "Repository metadata signed successfully for ${arch}\n" + else + printf "WARNING: Repository metadata signature not created for ${arch}\n" + fi + else + printf "No packages found for ${arch}, skipping...\n" + fi +done + +# Upload the updated repository to S3 +printf "\n>>> Uploading repository to S3 \n" +aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --delete + +# Upload the public key +printf "\n>>> Uploading public key \n" +gpg --armor --export "${GPG_PRIVATE_KEY_FINGERPRINT}" > public-key.asc +aws s3 cp public-key.asc s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH} + +printf "\n>>> RPM repository published successfully! \n" +printf "Repository URL: ${PACKAGES_BUCKET_URL}/${RPM_REPO_PATH}/ \n" +printf "Public key URL: ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} \n" From 0317c11d49a13864236752eec0266f6bd5a6352d Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 23:20:30 +0200 Subject: [PATCH 06/37] change nfpms signing to embedded --- .github/workflows/release.yaml | 10 ++++++++++ .goreleaser.yaml | 30 +++++++++++++++++++----------- scripts/publish-rpm-packages.sh | 27 +++++++++++++++------------ 3 files changed, 44 insertions(+), 23 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ecebdb953..3cf28843a 100644 
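Review bot: `gpg --detach-sign ... --passphrase "${GPG_PASSPHRASE}"` in the per-arch loop puts the signing passphrase on the command line, where anything on the runner that can read the process table sees it (and a shell trace would log it); feed it on stdin instead, `printf '%s' "${GPG_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" rpm-repo/${arch}/repodata/repomd.xml` — the `--batch` added in patch 13 does not change this, and depending on the runner's gnupg version the loopback pinentry mode is needed for a non-interactive passphrase anyway. `aws s3 sync ... || echo "No existing repository found, creating new one"` masks every failure of the download (auth, network, wrong endpoint), after which metadata is rebuilt from only the new packages and uploaded as the new truth; distinguish a genuinely empty prefix from an error instead of swallowing all of them. The script runs with `set -eo pipefail` but not `-u`, so an unset `GPG_PRIVATE_KEY_FINGERPRINT` or `GPG_PASSPHRASE` silently expands to empty; `set -euo pipefail` plus `: "${GPG_PRIVATE_KEY_FINGERPRINT:?}"` near the constants fails fast. `CUSTOM_KEYRING_FILE` and `DISTRIBUTION` are defined but never used, and `PUBLIC_KEY_FILE_PATH="keys/key.gpg"` is the same object name the APT script uses — if both publish jobs upload to it they race (both run after `goreleaser`), and this one writes ASCII-armored content under a `.gpg` name.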
--- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -41,6 +41,11 @@ jobs: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} + - name: Create GPG key file + run: | + echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg-private-key.asc + chmod 600 gpg-private-key.asc + - name: Set up keychain run: | echo -n $SIGNING_CERTIFICATE_BASE64 | base64 -d -o ./ApplicationID.p12 @@ -71,7 +76,12 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + GPG_KEY_PATH: ./gpg-private-key.asc + - name: Clean up GPG key file + run: | + rm -f gpg-private-key.asc + # artifacts need to be passed to the "publish-apt" job somehow - name: Upload artifacts to workflow uses: actions/upload-artifact@v4 diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c1475f175..258a03bbc 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -98,18 +98,26 @@ nfpms: formats: - deb - rpm + # The package is signed if a key_file is set + signature: + # PGP secret key file path (can also be ASCII-armored). + # + # See "Signing key passphrases" below for more information. + # + # Templates: allowed. + key_file: "{{ .Env.GPG_KEY_PATH }}" -signs: - - artifacts: package - args: - [ - "-u", - "{{ .Env.GPG_FINGERPRINT }}", - "--output", - "${signature}", - "--detach-sign", - "${artifact}", - ] +# signs: +# - artifacts: package +# args: +# [ +# "-u", +# "{{ .Env.GPG_FINGERPRINT }}", +# "--output", +# "${signature}", +# "--detach-sign", +# "${artifact}", +# ] # homebrew_casks: # - name: stackit diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 5ad0c5555..c93043c11 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh 
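Review bot: `echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg-private-key.asc` in the first hunk creates the file under the runner's default umask before the following `chmod 600` narrows it, and expands the secret directly into the shell script text instead of passing it through the step's `env:`. Give the step an `env:` entry `GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}` and write it as `(umask 077 && printf '%s\n' "$GPG_PRIVATE_KEY" > gpg-private-key.asc)`, which needs no separate chmod. The `Clean up GPG key file` step in the second hunk only runs when GoReleaser succeeds; `if: always()` on it removes the key on failure too — the runner is ephemeral, but the file sits in the checkout root next to the `dist` directory the following upload step reads. Since the path is only consumed through `GPG_KEY_PATH`, placing it under `${{ runner.temp }}` would keep it out of the repository checkout altogether.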
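Review bot: Commenting out the whole `signs:` block removes the detached `.sig` for every package artifact, not only for the RPMs that the new `signature.key_file` covers with an embedded signature — the `.deb` files (and whatever gets attached to the GitHub release once `--skip=publish` is gone) lose their signature unless something else covers them. nfpm can embed a deb signature as well, I believe, so either keep `signs:` for the non-RPM artifacts or record in a comment why APT repository signing is considered sufficient for `.deb`; leaving the block commented rather than deleted suggests the decision is not final. `key_file: "{{ .Env.GPG_KEY_PATH }}"` also makes the config fail whenever the variable is unset (e.g. a local `goreleaser build`); a comment `# GPG_KEY_PATH is provided by .github/workflows/release.yaml` would save the next maintainer the search.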
@@ -25,27 +25,30 @@ mkdir -p rpm-repo/aarch64 # Copy RPM packages and signatures to appropriate architecture directories printf "\n>>> Copying RPM packages and signatures to architecture directories \n" +# Copy RPM packages to appropriate architecture directories +printf "\n>>> Copying RPM packages to architecture directories \n" + # Copy x86_64 packages (amd64) -for file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm*; do - if [ -f "$file" ]; then - cp "$file" rpm-repo/x86_64/ - printf "Copied $(basename "$file") to x86_64/\n" +for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm; do + if [ -f "$rpm_file" ]; then + cp "$rpm_file" rpm-repo/x86_64/ + printf "Copied $(basename "$rpm_file") to x86_64/\n" fi done # Copy i386 packages -for file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm*; do - if [ -f "$file" ]; then - cp "$file" rpm-repo/i386/ - printf "Copied $(basename "$file") to i386/\n" +for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm; do + if [ -f "$rpm_file" ]; then + cp "$rpm_file" rpm-repo/i386/ + printf "Copied $(basename "$rpm_file") to i386/\n" fi done # Copy aarch64 packages (arm64) -for file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm*; do - if [ -f "$file" ]; then - cp "$file" rpm-repo/aarch64/ - printf "Copied $(basename "$file") to aarch64/\n" +for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm; do + if [ -f "$rpm_file" ]; then + cp "$rpm_file" rpm-repo/aarch64/ + printf "Copied $(basename "$rpm_file") to aarch64/\n" fi done From cbf953aad48f61abfc09acc50f089aecfb03dcd3 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 23:27:27 +0200 Subject: [PATCH 07/37] fix indentation --- .goreleaser.yaml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 258a03bbc..478001f07 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
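Review bot: The hunk adds a second banner — `# Copy RPM packages to appropriate architecture directories` and `printf "\n>>> Copying RPM packages to architecture directories \n"` — directly under the old `...packages and signatures...` comment and printf, which are kept as context, so the script now prints both headers back to back; replace the old two lines instead of stacking the new ones beneath them. Dropping the trailing `*` from the globs matches signatures now being embedded, but the `printf "Copied $(basename "$rpm_file") to x86_64/\n"` lines (and their i386/aarch64 twins) still interpolate the file name into the format string; `printf 'Copied %s to x86_64/\n' "$(basename "$rpm_file")"` is the robust form.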
@@ -98,14 +98,16 @@ nfpms: formats: - deb - rpm - # The package is signed if a key_file is set - signature: - # PGP secret key file path (can also be ASCII-armored). - # - # See "Signing key passphrases" below for more information. - # - # Templates: allowed. - key_file: "{{ .Env.GPG_KEY_PATH }}" + + rpm: + # The package is signed if a key_file is set + signature: + # PGP secret key file path (can also be ASCII-armored). + # + # See "Signing key passphrases" below for more information. + # + # Templates: allowed. + key_file: "{{ .Env.GPG_KEY_PATH }}" # signs: # - artifacts: package From 4c7e6e509c2a1dfe0e95cdec5f2f640470cbfc27 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 23:33:49 +0200 Subject: [PATCH 08/37] add passphrase --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3cf28843a..2766a254e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -77,6 +77,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} GPG_KEY_PATH: ./gpg-private-key.asc + NFPM_LINUX_PACKAGES_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Clean up GPG key file run: | From a332fd49df0a208e9ef04eb4dd9d78d874c8b678 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 23:38:07 +0200 Subject: [PATCH 09/37] fix passphrase env --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 2766a254e..5704713ad 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
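Review bot: The comment block under `signature:` — `# See "Signing key passphrases" below for more information.` — is lifted from the GoReleaser documentation and points at a section that does not exist in this file. Replace it with what a reader of this file needs: where `GPG_KEY_PATH` comes from and which environment variable carries the passphrase (the workflow settles on `NFPM_PASSPHRASE` later in this series), e.g. `# Key file and passphrase are provided by .github/workflows/release.yaml (GPG_KEY_PATH, NFPM_PASSPHRASE)`.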
@@ -77,7 +77,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} GPG_KEY_PATH: ./gpg-private-key.asc - NFPM_LINUX_PACKAGES_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Clean up GPG key file run: | From fb156e5124df809ec985f5bcc6adb8da1148124a Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Wed, 1 Oct 2025 23:51:14 +0200 Subject: [PATCH 10/37] remove ubuntu rpm package --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5704713ad..99caad332 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -114,7 +114,7 @@ jobs: - name: Install RPM tools run: | sudo apt-get update - sudo apt-get install -y createrepo-c rpm-sign + sudo apt-get install -y createrepo-c - name: Import GPG key uses: crazy-max/ghaction-import-gpg@v6 From 1225186482e1849de742727ea0d724fc1f779e93 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Thu, 2 Oct 2025 00:12:52 +0200 Subject: [PATCH 11/37] add particular endpoint flag --- .github/workflows/release.yaml | 2 ++ scripts/publish-rpm-packages.sh | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 99caad332..cca2c77e9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -101,6 +101,8 @@ jobs: # Needed to publish new packages to our S3-hosted RPM repo AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: eu01 + AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud steps: - name: Checkout uses: actions/checkout@v5 diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index c93043c11..515489f17 100755 
--- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh @@ -54,7 +54,7 @@ done # Download existing repository metadata if it exists printf "\n>>> Downloading existing repository metadata \n" -aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --delete || echo "No existing repository found, creating new one" +aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "${AWS_ENDPOINT_URL}" --delete || echo "No existing repository found, creating new one" # Create repository metadata for each architecture printf "\n>>> Creating repository metadata \n" @@ -85,12 +85,12 @@ done # Upload the updated repository to S3 printf "\n>>> Uploading repository to S3 \n" -aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --delete +aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --endpoint-url "${AWS_ENDPOINT_URL}" --delete # Upload the public key printf "\n>>> Uploading public key \n" gpg --armor --export "${GPG_PRIVATE_KEY_FINGERPRINT}" > public-key.asc -aws s3 cp public-key.asc s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH} +aws s3 cp public-key.asc s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH} --endpoint-url "${AWS_ENDPOINT_URL}" printf "\n>>> RPM repository published successfully! \n" printf "Repository URL: ${PACKAGES_BUCKET_URL}/${RPM_REPO_PATH}/ \n" From de5d7fc68019005eef976c63a0e7ff314c14a115 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Thu, 2 Oct 2025 00:23:01 +0200 Subject: [PATCH 12/37] fix deletion packages bug --- scripts/publish-rpm-packages.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 515489f17..0eb0f5b1b 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh 
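Review bot: All three `aws` calls now pass `--endpoint-url "${AWS_ENDPOINT_URL}"`, but the script never checks that the variable is set; with `set -eo pipefail` and no `-u`, an unset value becomes `--endpoint-url ""`, which in the first hunk is swallowed by the `|| echo` fallback (the run continues as if the repository were empty) and in the second fails with an opaque CLI error. Add `: "${AWS_ENDPOINT_URL:?AWS_ENDPOINT_URL must be set}"` next to the constants at the top of the script. The workflow in this same patch also exports `AWS_ENDPOINT_URL` in the job `env:`, which recent AWS CLI releases honor on their own, so the explicit flags are likely redundant — keeping a single mechanism avoids the two drifting apart.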
@@ -54,7 +54,7 @@ done # Download existing repository metadata if it exists printf "\n>>> Downloading existing repository metadata \n" -aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "${AWS_ENDPOINT_URL}" --delete || echo "No existing repository found, creating new one" +aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "${AWS_ENDPOINT_URL}" --exclude "*" --include "*/repodata/*" || echo "No existing repository found, creating new one" # Create repository metadata for each architecture printf "\n>>> Creating repository metadata \n" @@ -85,7 +85,7 @@ done # Upload the updated repository to S3 printf "\n>>> Uploading repository to S3 \n" -aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --endpoint-url "${AWS_ENDPOINT_URL}" --delete +aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --endpoint-url "${AWS_ENDPOINT_URL}" # Upload the public key printf "\n>>> Uploading public key \n" From 66956eb5e2c0cdb7f705ea362ffc472f1021b2e3 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Thu, 2 Oct 2025 23:28:30 +0200 Subject: [PATCH 13/37] add gpg --batch to to signing of repo metadata --- scripts/publish-rpm-packages.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 0eb0f5b1b..4e5126283 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh @@ -70,7 +70,7 @@ for arch in x86_64 i386 aarch64; do # Sign the repository metadata printf "Signing repository metadata for ${arch}...\n" - gpg --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" --passphrase "${GPG_PASSPHRASE}" rpm-repo/${arch}/repodata/repomd.xml + gpg --batch --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" --passphrase "${GPG_PASSPHRASE}" rpm-repo/${arch}/repodata/repomd.xml # Verify the signature was created if [ -f "rpm-repo/${arch}/repodata/repomd.xml.asc" ]; then 
From 7f198b6b1d7f9a5b73bfe629fe20ee85ba6a6220 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Thu, 2 Oct 2025 23:45:06 +0200 Subject: [PATCH 14/37] download existing bucket rpm content and redo signing of metadata --- scripts/publish-rpm-packages.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 4e5126283..04d8d3903 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh @@ -52,9 +52,9 @@ for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm; do fi done -# Download existing repository metadata if it exists -printf "\n>>> Downloading existing repository metadata \n" -aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "${AWS_ENDPOINT_URL}" --exclude "*" --include "*/repodata/*" || echo "No existing repository found, creating new one" +# Download existing repository content (RPMs and metadata) if it exists +printf "\n>>> Downloading existing repository content \n" +aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "${AWS_ENDPOINT_URL}" --exclude "*.asc" || echo "No existing repository found, creating new one" # Create repository metadata for each architecture printf "\n>>> Creating repository metadata \n" @@ -70,6 +70,8 @@ for arch in x86_64 i386 aarch64; do # Sign the repository metadata printf "Signing repository metadata for ${arch}...\n" + # Remove existing signature file if it exists + rm -f rpm-repo/${arch}/repodata/repomd.xml.asc gpg --batch --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" --passphrase "${GPG_PASSPHRASE}" rpm-repo/${arch}/repodata/repomd.xml # Verify the signature was created From 5992b0da2abf5ae75b35cca8b47cfb1527f8de39 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Thu, 2 Oct 2025 23:53:53 +0200 Subject: [PATCH 15/37] fix duplicating metadata --- scripts/publish-rpm-packages.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 04d8d3903..4fde2bbb7 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh @@ -87,6 +87,8 @@ done # Upload the updated repository to S3 printf "\n>>> Uploading repository to S3 \n" +# Remove old metadata files first to avoid duplicates +aws s3 rm s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --recursive --exclude "*" --include "*/repodata/*" --endpoint-url "${AWS_ENDPOINT_URL}" || echo "No old metadata to remove" aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --endpoint-url "${AWS_ENDPOINT_URL}" # Upload the public key From 3cae183c128a41f59ee3e3ae688d60b338b27be2 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 13:28:56 +0200 Subject: [PATCH 16/37] insert apt again with test env for testing --- .aptly.conf | 2 +- .github/workflows/release.yaml | 36 +++++++++++++++++++++++++++++++++ scripts/publish-apt-packages.sh | 4 ++-- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/.aptly.conf b/.aptly.conf index deb53174e..8b5d57132 100644 --- a/.aptly.conf +++ b/.aptly.conf @@ -23,7 +23,7 @@ "S3PublishEndpoints": { "distribution": { "region": "eu01", - "bucket": "distribution", + "bucket": "distribution-test", "acl":"public-read", "endpoint": "https://object.storage.eu01.onstackit.cloud" } diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index cca2c77e9..77aef816b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
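Review bot: `aws s3 rm ... --include "*/repodata/*"` before the `aws s3 sync` creates a window in which the repository has no `repodata/` at all, and the sync that follows uploads the new metadata in no guaranteed order, so a client can fetch a `repomd.xml` that references `primary`/`filelists` objects not uploaded yet (checksum or 404 failures in dnf/yum). A safer sequence is to sync packages and the new `repodata/` files while holding back `repomd.xml*` (createrepo_c's checksum-prefixed names do not collide with the old ones by default), then copy `repomd.xml` and its `.asc` per arch, and only then remove the stale metadata objects. The `|| echo "No old metadata to remove"` fallback also hides genuine failures; as far as I know `aws s3 rm --recursive` on an empty prefix already exits 0, so it is not needed. The `--delete` in the last step below relies on sync applying the include/exclude filters to deletions as well, which is how the CLI documents it.

```shell
# … unchanged: "Uploading repository to S3" banner …
# 1. Packages and new metadata files, but hold back the repomd.xml pointer
aws s3 sync rpm-repo/ "s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/" --exclude "*/repodata/repomd.xml*" --endpoint-url "${AWS_ENDPOINT_URL}"
# 2. Publish the pointer (and its signature) only after the data it references exists
for arch in x86_64 i386 aarch64; do
  if [ -f "rpm-repo/${arch}/repodata/repomd.xml" ] && [ -f "rpm-repo/${arch}/repodata/repomd.xml.asc" ]; then
    aws s3 cp "rpm-repo/${arch}/repodata/repomd.xml" "s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/${arch}/repodata/repomd.xml" --endpoint-url "${AWS_ENDPOINT_URL}"
    aws s3 cp "rpm-repo/${arch}/repodata/repomd.xml.asc" "s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/${arch}/repodata/repomd.xml.asc" --endpoint-url "${AWS_ENDPOINT_URL}"
  fi
done
# 3. Drop metadata objects no longer referenced, last, so readers never see a gap
aws s3 sync rpm-repo/ "s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/" --exclude "*" --include "*/repodata/*" --delete --endpoint-url "${AWS_ENDPOINT_URL}"
# … unchanged: public key upload …
```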
@@ -91,7 +91,43 @@ jobs: path: dist retention-days: 1 + publish-apt: + name: Publish APT + runs-on: macOS-latest + needs: [goreleaser] + env: + # Needed to publish new packages to our S3-hosted APT repo + AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }} + AWS_DEFAULT_REGION: eu01 + AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud + steps: + - name: Checkout + uses: actions/checkout@v5 + # use the artifacts from the "goreleaser" job + - name: Download artifacts from workflow + uses: actions/download-artifact@v5 + with: + name: goreleaser-dist-temp + path: dist + + - name: Install Aptly + run: brew install aptly + + - name: Import GPG key + uses: crazy-max/ghaction-import-gpg@v6 + id: import_gpg + with: + gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + passphrase: ${{ secrets.GPG_PASSPHRASE }} + + - name: Publish packages to APT repo +# if: contains(github.ref_name, '-') == false + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + run: ./scripts/publish-apt-packages.sh publish-rpm: name: Publish RPM diff --git a/scripts/publish-apt-packages.sh b/scripts/publish-apt-packages.sh index 9d122d80b..804026620 100755 --- a/scripts/publish-apt-packages.sh +++ b/scripts/publish-apt-packages.sh @@ -4,10 +4,10 @@ # Usage: ./publish-apt-packages.sh set -eo pipefail -PACKAGES_BUCKET_URL="https://packages.stackit.cloud" +PACKAGES_BUCKET_URL="https://distribution-test.object.storage.eu01.onstackit.cloud" PUBLIC_KEY_FILE_PATH="keys/key.gpg" APT_REPO_PATH="apt/cli" -APT_BUCKET_NAME="distribution" +APT_BUCKET_NAME="distribution-test" CUSTOM_KEYRING_FILE="aptly-keyring.gpg" DISTRIBUTION="stackit" APTLY_CONFIG_FILE_PATH="./.aptly.conf" From a77d89693872d7d1914a37ac13e47f8cd9aaac7b Mon Sep 17 00:00:00 2001 
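Review bot: The object-storage credentials of the new `publish-apt` job are set in job-level `env`, so `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are visible to every step, including `brew install aptly` and the third-party `crazy-max/ghaction-import-gpg@v6` action, although only `./scripts/publish-apt-packages.sh` needs them. Move the four `AWS_*` entries into the `env:` of the "Publish packages to APT repo" step, next to `GPG_PASSPHRASE`. The prerelease guard `# if: contains(github.ref_name, '-') == false` is commented out at column 0, so prerelease tags are published too; if that is meant only for the test bucket, say so in the comment, and pinning the actions to a commit SHA rather than a major tag would tighten the supply chain of a job that holds publishing credentials.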
From: Benjosh95 Date: Mon, 6 Oct 2025 13:47:01 +0200 Subject: [PATCH 17/37] WORKAROUND for apt mirror issue --- scripts/publish-apt-packages.sh | 40 ++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/scripts/publish-apt-packages.sh b/scripts/publish-apt-packages.sh index 804026620..66bf3e79b 100755 --- a/scripts/publish-apt-packages.sh +++ b/scripts/publish-apt-packages.sh 
@@ -17,19 +17,21 @@ GORELEASER_PACKAGES_FOLDER="dist/" # This can be done by removing "use-keyboxd" from ~/.gnupg/common.conf (see https://github.com/gpg/gnupg/blob/master/README) echo -n >~/.gnupg/common.conf -# Create a local mirror of the current state of the remote APT repository -printf ">>> Creating mirror \n" -curl ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} >public.asc -gpg --no-default-keyring --keyring=${CUSTOM_KEYRING_FILE} --import public.asc -aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}" ${DISTRIBUTION} - -# Update the mirror to the latest state -printf "\n>>> Updating mirror \n" -aptly mirror update -keyring="${CUSTOM_KEYRING_FILE}" -max-tries=5 current +BOOTSTRAP_ONLY=0 -# Create a snapshot of the mirror -printf "\n>>> Creating snapshop from mirror \n" -aptly snapshot create current-snapshot from mirror current +# Try to create a local mirror of the current remote APT repository +printf ">>> Creating mirror (if remote exists)\n" +curl -fsSL ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} -o public.asc +gpg --no-default-keyring --keyring=${CUSTOM_KEYRING_FILE} --import public.asc +if aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}" ${DISTRIBUTION}; then + printf "\n>>> Updating mirror \n" + aptly mirror update -keyring="${CUSTOM_KEYRING_FILE}" -max-tries=5 current + printf "\n>>> Creating snapshot from mirror \n" + aptly snapshot create current-snapshot from mirror current +else + printf "\n>>> No existing remote repository found (bootstrap)\n" + BOOTSTRAP_ONLY=1 +fi # Create a new fresh local APT repo printf "\n>>> Creating fresh local repo \n" 
@@ -43,10 +45,16 @@ aptly repo add new-repo ${GORELEASER_PACKAGES_FOLDER} printf "\n>>> Creating snapshot of local repo \n" aptly snapshot create new-snapshot from repo new-repo -# Merge new-snapshot into current-snapshot creating a new snapshot updated-snapshot -printf "\n>>> Merging snapshots \n" -aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot ${DISTRIBUTION} +UPDATED_SNAPSHOT="new-snapshot" +if [ "$BOOTSTRAP_ONLY" -eq 0 ]; then + # Merge new-snapshot into current-snapshot creating a new snapshot updated-snapshot + printf "\n>>> Merging snapshots \n" + aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot ${DISTRIBUTION} + UPDATED_SNAPSHOT="updated-snapshot" +else + printf "\n>>> Bootstrap mode: publishing new packages as initial snapshot \n" +fi # Publish the new snapshot to the remote repo printf "\n>>> Publishing updated snapshot \n" -aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}" +aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" "$UPDATED_SNAPSHOT" "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}" From 755ec0bbe8564dc413afcec5a73346dee14c2864 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 13:53:30 +0200 Subject: [PATCH 18/37] WORKAROUND: fix aptly config for test env --- .aptly.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.aptly.conf b/.aptly.conf index 8b5d57132..d3bd800c2 100644 --- a/.aptly.conf +++ b/.aptly.conf 
@@ -21,7 +21,7 @@ "skipBz2Publishing": false, "FileSystemPublishEndpoints": {}, "S3PublishEndpoints": { - "distribution": { + "distribution-test": { "region": "eu01", "bucket": "distribution-test", "acl":"public-read", From 39e7d4d0bf83bf5bc5f8311eb4ff90fc6be4f26d Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 15:08:54 +0200 Subject: [PATCH 19/37] add DNF/YUM/Zypper installation Guide --- INSTALLATION.md | 48 ++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/INSTALLATION.md b/INSTALLATION.md index 3a5045149..665872fbd 100644 --- a/INSTALLATION.md +++ b/INSTALLATION.md 
@@ -130,16 +130,52 @@ asset_filters=["stackit-cli_", "_linux_amd64.tar.gz"] eget stackitcloud/stackit-cli ``` -#### RPM package via dnf, yum and zypper +#### RHEL/Fedora/Rocky/Alma/openSUSE/... (`DNF/YUM/Zypper`) -The STACKIT CLI is available as [RPM Package](https://github.com/stackitcloud/stackit-cli/releases) and can be installed via dnf, yum and zypper package manager. +The STACKIT CLI can be installed through the [`DNF/YUM`](https://docs.fedoraproject.org/en-US/fedora/f40/system-administrators-guide/package-management/DNF/) / [`Zypper`](https://de.opensuse.org/Zypper) package managers. -Just download the rpm package from the [release page](https://github.com/stackitcloud/stackit-cli/releases) and run the install command like the following: +Note: Requires rpm version 4.15 or newer to support Ed25519 signatures. + +##### Installing DNF/YUM + +1. Add the repository: + +```shell +sudo tee /etc/yum.repos.d/stackit.repo > /dev/null << 'EOF' +[stackit] +name=STACKIT CLI +baseurl=https://distribution-test.object.storage.eu01.onstackit.cloud/rpm/cli/$basearch +enabled=1 +gpgcheck=1 +gpgkey=https://distribution-test.object.storage.eu01.onstackit.cloud/keys/key.gpg +EOF +``` + +2. Install the CLI: + +```shell +sudo dnf install -y stackit +``` + +##### Installing Zypper + +1. Add the repository: + +```shell +sudo tee /etc/zypp/repos.d/stackit.repo > /dev/null << 'EOF' +[stackit] +name=STACKIT CLI +baseurl=https://distribution-test.object.storage.eu01.onstackit.cloud/rpm/cli/$basearch +enabled=1 +gpgcheck=1 +gpgkey=https://distribution-test.object.storage.eu01.onstackit.cloud/keys/key.gpg +EOF +``` + +2. Install the CLI: ```shell -dnf install stackitcli.rpm -yum install stackitcli.rpm -zypper install stackitcli.rpm +sudo zypper install -y stackit ``` #### Any distribution From e1e19582302c359b027c0e3b07c21447188a9e5b Mon Sep 17 00:00:00 2001 
From: Benjosh95 Date: Mon, 6 Oct 2025 15:40:00 +0200 Subject: [PATCH 20/37] remove the apt testing stuff and isolation work again after successfully tested --- .aptly.conf | 4 +- .github/workflows/release.yaml | 66 ++++---- .goreleaser.yaml | 256 +++++++++++++++----------------- scripts/publish-apt-packages.sh | 44 +++--- 4 files changed, 174 insertions(+), 196 deletions(-) diff --git a/.aptly.conf b/.aptly.conf index d3bd800c2..deb53174e 100644 --- a/.aptly.conf +++ b/.aptly.conf @@ -21,9 +21,9 @@ "skipBz2Publishing": false, "FileSystemPublishEndpoints": {}, "S3PublishEndpoints": { - "distribution-test": { + "distribution": { "region": "eu01", - "bucket": "distribution-test", + "bucket": "distribution", "acl":"public-read", "endpoint": "https://object.storage.eu01.onstackit.cloud" } diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 77aef816b..b3c8198f2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -83,7 +83,7 @@ jobs: run: | rm -f gpg-private-key.asc - # artifacts need to be passed to the "publish-apt" job somehow + # artifacts need to be passed to further publishing jobs - name: Upload artifacts to workflow uses: actions/upload-artifact@v4 with: 
@@ -91,43 +91,41 @@ jobs: path: dist retention-days: 1 - publish-apt: - name: Publish APT - runs-on: macOS-latest - needs: [goreleaser] - env: - # Needed to publish new packages to our S3-hosted APT repo - AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }} - AWS_DEFAULT_REGION: eu01 - AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud - steps: - - name: Checkout - uses: actions/checkout@v5 + # publish-apt: + # name: Publish APT + # runs-on: macOS-latest + # needs: [goreleaser] + # env: + # # Needed to publish new packages to our S3-hosted APT repo + # AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }} + # AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }} + # steps: + # - name: Checkout + # uses: actions/checkout@v5 - # use the artifacts from the "goreleaser" job - - name: Download artifacts from workflow - uses: actions/download-artifact@v5 - with: - name: goreleaser-dist-temp - path: dist + # # use the artifacts from the "goreleaser" job + # - name: Download artifacts from workflow + # uses: actions/download-artifact@v5 + # with: + # name: goreleaser-dist-temp + # path: dist - - name: Install Aptly - run: brew install aptly + # - name: Install Aptly + # run: brew install aptly - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 - id: import_gpg - with: - gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.GPG_PASSPHRASE }} + # - name: Import GPG key + # uses: crazy-max/ghaction-import-gpg@v6 + # id: import_gpg + # with: + # gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} + # passphrase: ${{ secrets.GPG_PASSPHRASE }} - - name: Publish packages to APT repo -# if: contains(github.ref_name, '-') == false - env: - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} - run: ./scripts/publish-apt-packages.sh + # - name: Publish 
packages to APT repo + # if: contains(github.ref_name, '-') == false + # env: + # GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + # GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} + # run: ./scripts/publish-apt-packages.sh publish-rpm: name: Publish RPM diff --git a/.goreleaser.yaml b/.goreleaser.yaml index 478001f07..c2eab2160 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml 
@@ -12,74 +12,74 @@ builds: - linux binary: "stackit" - # - id: windows-builds - # env: - # - CGO_ENABLED=0 - # goos: - # - windows - # binary: "stackit" + - id: windows-builds + env: + - CGO_ENABLED=0 + goos: + - windows + binary: "stackit" - # - id: macos-builds - # env: - # - CGO_ENABLED=0 - # - BUNDLE_ID=cloud.stackit.cli - # - "APPLE_APPLICATION_IDENTITY=Developer ID Application: Schwarz IT KG" - # goos: - # - darwin - # binary: "stackit" - # goarch: - # - arm64 - # - amd64 - # hooks: - # post: - # # Signing - # - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}" - # output: true - # - cmd: codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}" - # output: true - # - cmd: hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - # output: true - # - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - # output: true - # - cmd: xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg - # output: true - # - cmd: xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" - # output: true - # - cmd: spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg - # output: true - # # Completion files - # - cmd: mkdir -p dist/completions - # - cmd: sh -c 'go run main.go completion zsh > ./dist/completions/stackit.zsh' - # - cmd: sh -c 'go run main.go completion bash > ./dist/completions/stackit.bash' - # - cmd: sh -c 'go run main.go completion fish > ./dist/completions/stackit.fish' + - id: macos-builds + env: + - CGO_ENABLED=0 + - BUNDLE_ID=cloud.stackit.cli + - "APPLE_APPLICATION_IDENTITY=Developer 
ID Application: Schwarz IT KG" + goos: + - darwin + binary: "stackit" + goarch: + - arm64 + - amd64 + hooks: + post: + # Signing + - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/macos-builds_{{.Target}}/{{.Name}}" + output: true + - cmd: codesign -vvv --deep --strict "dist/macos-builds_{{.Target}}/{{.Name}}" + output: true + - cmd: hdiutil create -volname "STACKIT-CLI" -srcfolder "dist/macos-builds_{{.Target}}/{{.Name}}" -ov -format UDZO "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + output: true + - cmd: codesign -s "{{.Env.APPLE_APPLICATION_IDENTITY}}" -f -v --options=runtime "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + output: true + - cmd: xcrun notarytool submit --keychain-profile "stackit-cli" --wait --progress dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg + output: true + - cmd: xcrun stapler staple "dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg" + output: true + - cmd: spctl -a -t open --context context:primary-signature -v dist/{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}.dmg + output: true + # Completion files + - cmd: mkdir -p dist/completions + - cmd: sh -c 'go run main.go completion zsh > ./dist/completions/stackit.zsh' + - cmd: sh -c 'go run main.go completion bash > ./dist/completions/stackit.bash' + - cmd: sh -c 'go run main.go completion fish > ./dist/completions/stackit.fish' -# archives: -# - id: windows-archives -# ids: -# - windows-builds -# formats: [ 'zip' ] -# - ids: -# - linux-builds -# - macos-builds -# formats: [ 'tar.gz' ] -# files: -# - src: ./dist/completions/* -# dst: completions -# - LICENSE.md -# - README.md +archives: + - id: windows-archives + ids: + - windows-builds + formats: [ 'zip' ] + - ids: + - linux-builds + - macos-builds + formats: [ 'tar.gz' ] + files: + - src: ./dist/completions/* + dst: completions + - LICENSE.md + - README.md -# release: -# # If set to auto, the GitHub release will be 
marked as "Pre-release" -# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) -# prerelease: auto +release: + # If set to auto, the GitHub release will be marked as "Pre-release" + # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) + prerelease: auto -# changelog: -# use: github -# sort: asc -# filters: -# exclude: -# - "^docs:" -# - "^test:" +changelog: + use: github + sort: asc + filters: + exclude: + - "^docs:" + - "^test:" nfpms: - id: linux-packages 
@@ -109,75 +109,63 @@ nfpms: # Templates: allowed. key_file: "{{ .Env.GPG_KEY_PATH }}" -# signs: -# - artifacts: package -# args: -# [ -# "-u", -# "{{ .Env.GPG_FINGERPRINT }}", -# "--output", -# "${signature}", -# "--detach-sign", -# "${artifact}", -# ] - -# homebrew_casks: -# - name: stackit -# directory: Casks -# repository: -# owner: stackitcloud -# name: homebrew-tap -# commit_author: -# name: CLI Release Bot -# email: noreply@stackit.de -# homepage: "https://github.com/stackitcloud/stackit-cli" -# description: "A command-line interface to manage STACKIT resources." -# license: "Apache-2.0" -# # If set to auto, the release will not be uploaded to the homebrew tap repo -# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) -# skip_upload: auto -# completions: -# zsh: ./completions/stackit.zsh -# bash: ./completions/stackit.bash -# fish: ./completions/stackit.fish +homebrew_casks: + - name: stackit + directory: Casks + repository: + owner: stackitcloud + name: homebrew-tap + commit_author: + name: CLI Release Bot + email: noreply@stackit.de + homepage: "https://github.com/stackitcloud/stackit-cli" + description: "A command-line interface to manage STACKIT resources." + license: "Apache-2.0" + # If set to auto, the release will not be uploaded to the homebrew tap repo + # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) + skip_upload: auto + completions: + zsh: ./completions/stackit.zsh + bash: ./completions/stackit.bash + fish: ./completions/stackit.fish -# snapcrafts: -# # IDs of the builds for which to create packages for -# - ids: -# - linux-builds -# # The name of the snap -# name: stackit -# # The canonical title of the application, displayed in the software -# # centre graphical frontends -# title: STACKIT CLI -# summary: A command-line interface to manage STACKIT resources. -# description: "A command-line interface to manage STACKIT resources." 
-# license: Apache-2.0 -# confinement: classic -# # Grade "devel" will only release to `edge` and `beta` channels -# # Grade "stable" will also release to the `candidate` and `stable` channels -# grade: stable -# # Whether to publish the Snap to the store -# publish: true +snapcrafts: + # IDs of the builds for which to create packages for + - ids: + - linux-builds + # The name of the snap + name: stackit + # The canonical title of the application, displayed in the software + # centre graphical frontends + title: STACKIT CLI + summary: A command-line interface to manage STACKIT resources. + description: "A command-line interface to manage STACKIT resources." + license: Apache-2.0 + confinement: classic + # Grade "devel" will only release to `edge` and `beta` channels + # Grade "stable" will also release to the `candidate` and `stable` channels + grade: stable + # Whether to publish the Snap to the store + publish: true -# winget: -# - name: stackit -# publisher: stackitcloud -# short_description: A command-line interface to manage STACKIT resources. -# license: Apache-2.0 -# publisher_support_url: "https://github.com/stackitcloud/stackit-cli/issues" -# package_identifier: stackitcloud.stackit -# homepage: "https://github.com/stackitcloud/stackit-cli" -# # If set to auto, the release will not be uploaded to the homebrew tap repo -# # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) -# # Temporarily not skipping prereleases to test integration with Winget -# # skip_upload: auto -# repository: -# owner: stackitcloud -# name: winget-pkgs -# pull_request: -# enabled: true -# base: -# owner: microsoft -# name: winget-pkgs -# branch: master +winget: + - name: stackit + publisher: stackitcloud + short_description: A command-line interface to manage STACKIT resources. 
+ license: Apache-2.0 + publisher_support_url: "https://github.com/stackitcloud/stackit-cli/issues" + package_identifier: stackitcloud.stackit + homepage: "https://github.com/stackitcloud/stackit-cli" + # If set to auto, the release will not be uploaded to the homebrew tap repo + # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1) + # Temporarily not skipping prereleases to test integration with Winget + # skip_upload: auto + repository: + owner: stackitcloud + name: winget-pkgs + pull_request: + enabled: true + base: + owner: microsoft + name: winget-pkgs + branch: master diff --git a/scripts/publish-apt-packages.sh b/scripts/publish-apt-packages.sh index 66bf3e79b..81aa53cb4 100755 --- a/scripts/publish-apt-packages.sh +++ b/scripts/publish-apt-packages.sh @@ -4,10 +4,10 @@ # Usage: ./publish-apt-packages.sh set -eo pipefail -PACKAGES_BUCKET_URL="https://distribution-test.object.storage.eu01.onstackit.cloud" +PACKAGES_BUCKET_URL="https://packages.stackit.cloud" PUBLIC_KEY_FILE_PATH="keys/key.gpg" APT_REPO_PATH="apt/cli" -APT_BUCKET_NAME="distribution-test" +APT_BUCKET_NAME="distribution" CUSTOM_KEYRING_FILE="aptly-keyring.gpg" DISTRIBUTION="stackit" APTLY_CONFIG_FILE_PATH="./.aptly.conf" 
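Review bot: The `signs:` section that the old side carried as comments (`artifacts: package` with `--detach-sign`) is not restored on the new side, while `homebrew_casks`, `snapcrafts` and `winget` are, so the packages produced by `nfpms` no longer get detached GPG signatures as release artifacts; the hunk header's 75-to-63 line count is consistent with exactly those twelve dropped lines. This may be intentional now that `rpm.signature.key_file` signs the RPMs themselves, but the commit message ("remove the apt testing stuff and isolation work again") does not mention it, and as far as this page shows the .deb packages are then covered only by the aptly repository signature. If dropping the detached signatures is deliberate, record it with a comment such as `# Detached .asc package signatures were dropped in favour of in-package RPM signing and the aptly-signed APT repo`; otherwise restore the block. The `nfpms` definition itself starts before this hunk.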
@@ -17,21 +17,19 @@ GORELEASER_PACKAGES_FOLDER="dist/" # This can be done by removing "use-keyboxd" from ~/.gnupg/common.conf (see https://github.com/gpg/gnupg/blob/master/README) echo -n >~/.gnupg/common.conf -BOOTSTRAP_ONLY=0 - -# Try to create a local mirror of the current remote APT repository -printf ">>> Creating mirror (if remote exists)\n" -curl -fsSL ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} -o public.asc +# Create a local mirror of the current state of the remote APT repository +printf ">>> Creating mirror \n" +curl ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} >public.asc gpg --no-default-keyring --keyring=${CUSTOM_KEYRING_FILE} --import public.asc -if aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}" ${DISTRIBUTION}; then - printf "\n>>> Updating mirror \n" - aptly mirror update -keyring="${CUSTOM_KEYRING_FILE}" -max-tries=5 current - printf "\n>>> Creating snapshot from mirror \n" - aptly snapshot create current-snapshot from mirror current -else - printf "\n>>> No existing remote repository found (bootstrap)\n" - BOOTSTRAP_ONLY=1 -fi +aptly mirror create -config "${APTLY_CONFIG_FILE_PATH}" -keyring="${CUSTOM_KEYRING_FILE}" current "${PACKAGES_BUCKET_URL}/${APT_REPO_PATH}" ${DISTRIBUTION} + +# Update the mirror to the latest state +printf "\n>>> Updating mirror \n" +aptly mirror update -keyring="${CUSTOM_KEYRING_FILE}" -max-tries=5 current + +# Create a snapshot of the mirror +printf "\n>>> Creating snapshop from mirror \n" +aptly snapshot create current-snapshot from mirror current # Create a new fresh local APT repo printf "\n>>> Creating fresh local repo \n" 
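Review bot: Reverting to `curl ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} >public.asc` drops the `-f` flag, so an HTTP error body is written to public.asc and the failure only surfaces indirectly when `gpg --import` rejects it; keep `curl -fsSL "${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH}" -o public.asc` even though the bootstrap workaround goes. More importantly, the key used to verify the mirror is fetched from the same bucket the job publishes to, so whoever can write the bucket can also supply the key that validates it; since the job already holds the signing key's fingerprint in `GPG_PRIVATE_KEY_FINGERPRINT`, check the imported key against it, e.g. `gpg --no-default-keyring --keyring="${CUSTOM_KEYRING_FILE}" --list-keys --with-colons | grep -q "^fpr:.*:${GPG_PRIVATE_KEY_FINGERPRINT}:$" || exit 1`. That turns a swapped key into a hard failure instead of a successfully verified mirror.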
@@ -45,16 +43,10 @@ aptly repo add new-repo ${GORELEASER_PACKAGES_FOLDER} printf "\n>>> Creating snapshot of local repo \n" aptly snapshot create new-snapshot from repo new-repo -UPDATED_SNAPSHOT="new-snapshot" -if [ "$BOOTSTRAP_ONLY" -eq 0 ]; then - # Merge new-snapshot into current-snapshot creating a new snapshot updated-snapshot - printf "\n>>> Merging snapshots \n" - aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot ${DISTRIBUTION} - UPDATED_SNAPSHOT="updated-snapshot" -else - printf "\n>>> Bootstrap mode: publishing new packages as initial snapshot \n" -fi +# Merge new-snapshot into current-snapshot creating a new snapshot updated-snapshot +printf "\n>>> Merging snapshots \n" +aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot ${DISTRIBUTION} # Publish the new snapshot to the remote repo printf "\n>>> Publishing updated snapshot \n" -aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" "$UPDATED_SNAPSHOT" "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}" +aptly publish snapshot -keyring="${CUSTOM_KEYRING_FILE}" -gpg-key="${GPG_PRIVATE_KEY_FINGERPRINT}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" updated-snapshot "s3:${APT_BUCKET_NAME}:${APT_REPO_PATH}" \ No newline at end of file From afb2cb524c5f1ef8cfe2c1c819e775b2eae26b54 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 15:56:01 +0200 Subject: [PATCH 21/37] improve installation docs --- INSTALLATION.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/INSTALLATION.md b/INSTALLATION.md index 665872fbd..4f94f8a60 100644 --- a/INSTALLATION.md +++ b/INSTALLATION.md 
@@ -134,7 +134,9 @@ eget stackitcloud/stackit-cli The STACKIT CLI can be installed through the [`DNF/YUM`](https://docs.fedoraproject.org/en-US/fedora/f40/system-administrators-guide/package-management/DNF/) / [`Zypper`](https://de.opensuse.org/Zypper) package managers. -Note: Requires rpm version 4.15 or newer to support Ed25519 signatures. +> Requires rpm version 4.15 or newer to support Ed25519 signatures. + +> `$basearch` is supported by modern distributions. On older systems that don't expand `$basearch`, replace it in the `baseurl` with your architecture explicitly (for example, `.../rpm/cli/x86_64` or `.../rpm/cli/aarch64`). ##### Installing DNF/YUM From 4e5548afc69540820e21f6cb96a6fa4d7277f687 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 15:59:56 +0200 Subject: [PATCH 22/37] remove duplicate message leftover --- scripts/publish-rpm-packages.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 4fde2bbb7..47145dec4 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh @@ -22,9 +22,6 @@ mkdir -p rpm-repo/x86_64 mkdir -p rpm-repo/i386 mkdir -p rpm-repo/aarch64 -# Copy RPM packages and signatures to appropriate architecture directories -printf "\n>>> Copying RPM packages and signatures to architecture directories \n" - # Copy RPM packages to appropriate architecture directories printf "\n>>> Copying RPM packages to architecture directories \n" From 9bdaa6dfe385875bdcc91884d0bb781a4a6f7ec6 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 16:20:42 +0200 Subject: [PATCH 23/37] publish rpm script improvement - regarding - sync --- scripts/publish-rpm-packages.sh | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh index 47145dec4..3ab72521e 100755 --- a/scripts/publish-rpm-packages.sh +++ b/scripts/publish-rpm-packages.sh 
@@ -69,7 +69,10 @@ for arch in x86_64 i386 aarch64; do printf "Signing repository metadata for ${arch}...\n" # Remove existing signature file if it exists rm -f rpm-repo/${arch}/repodata/repomd.xml.asc - gpg --batch --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" --passphrase "${GPG_PASSPHRASE}" rpm-repo/${arch}/repodata/repomd.xml + gpg --batch --pinentry-mode loopback --detach-sign --armor \ + --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" \ + --passphrase "${GPG_PASSPHRASE}" \ + rpm-repo/${arch}/repodata/repomd.xml # Verify the signature was created if [ -f "rpm-repo/${arch}/repodata/repomd.xml.asc" ]; then @@ -82,11 +85,21 @@ for arch in x86_64 i386 aarch64; do fi done -# Upload the updated repository to S3 -printf "\n>>> Uploading repository to S3 \n" -# Remove old metadata files first to avoid duplicates -aws s3 rm s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --recursive --exclude "*" --include "*/repodata/*" --endpoint-url "${AWS_ENDPOINT_URL}" || echo "No old metadata to remove" -aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ --endpoint-url "${AWS_ENDPOINT_URL}" +# Upload the updated repository to S3 in two phases (repodata pointers last) +# clients reading the repo won't see a state where repomd.xml points to files not uploaded yet. +printf "\n>>> Uploading repository to S3 (phase 1: all except repomd*) \n" +aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ \ + --endpoint-url "${AWS_ENDPOINT_URL}" \ + --delete \ + --exclude "*/repodata/repomd.xml" \ + --exclude "*/repodata/repomd.xml.asc" + +printf "\n>>> Uploading repository to S3 (phase 2: repomd* only) \n" +aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ \ + --endpoint-url "${AWS_ENDPOINT_URL}" \ + --exclude "*" \ + --include "*/repodata/repomd.xml" \ + --include "*/repodata/repomd.xml.asc" # Upload the public key printf "\n>>> Uploading public key \n" From d982c2dfabdc6c52549f48a71956d03fe9cabbc7 Mon Sep 17 00:00:00 2001 
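Review bot: The rewritten gpg invocation still passes the secret on the command line via `--passphrase "${GPG_PASSPHRASE}"`, where it is readable by any other process on the runner through the process table and would be echoed by an xtrace; now that `--pinentry-mode loopback` is set, feed it through a file descriptor instead: `printf '%s' "${GPG_PASSPHRASE}" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 --detach-sign --armor --local-user "${GPG_PRIVATE_KEY_FINGERPRINT}" rpm-repo/${arch}/repodata/repomd.xml`. The enclosing `for arch` loop starts before this hunk.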
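Review bot: Phase 1 adds `--delete` to the upload, which removes from the bucket every object under `${RPM_REPO_PATH}/` that is not present in rpm-repo/; the earlier download into rpm-repo/ (outside this hunk) is allowed to fail with a `|| echo`, so a failed or partial download would now delete previously published RPMs from the public repository rather than merely skipping them. Make that download fatal, or drop `--delete` and remove stale objects explicitly. The header comment also overstates the guarantee: `--delete` in phase 1 removes the previous repodata files (if, as is usual, they carry unique hashed names) before the new repomd.xml is uploaded in phase 2, so a client that has just fetched the old repomd.xml can still get 404s for the files it references; I would word it `# Phase 1 uploads packages and new repodata, phase 2 the repomd pointers, so the new repomd.xml never references files that are not uploaded yet (old pointers may briefly dangle).`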
From: Benjosh95 Date: Mon, 6 Oct 2025 18:07:21 +0200 Subject: [PATCH 24/37] add release comments --- .github/workflows/release.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b3c8198f2..23a0bbf0b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -41,6 +41,8 @@ jobs: gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_PASSPHRASE }} + # nfpm-rpm signing needs gpg provided as filepath + # https://goreleaser.com/customization/nfpm/ - name: Create GPG key file run: | echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg-private-key.asc @@ -77,6 +79,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }} GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} GPG_KEY_PATH: ./gpg-private-key.asc + # nfpm-rpm signing needs this env to be set. NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - name: Clean up GPG key file From 5af38d81cc2f127e339b99eaaeb99fe2b8391428 Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 6 Oct 2025 18:09:44 +0200 Subject: [PATCH 25/37] remove some comments goreleaser --- .goreleaser.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.goreleaser.yaml b/.goreleaser.yaml index c2eab2160..b86115c5f 100644 --- a/.goreleaser.yaml +++ b/.goreleaser.yaml @@ -102,11 +102,6 @@ nfpms: rpm: # The package is signed if a key_file is set signature: - # PGP secret key file path (can also be ASCII-armored). - # - # See "Signing key passphrases" below for more information. - # - # Templates: allowed. key_file: "{{ .Env.GPG_KEY_PATH }}" homebrew_casks: From 067d3dd12d2705c99bb0bf5cd5fdf7b2a7dc6fbc Mon Sep 17 00:00:00 2001 From: Benjosh95 Date: Mon, 13 Oct 2025 09:24:28 +0200 Subject: [PATCH 26/37] fix installing typo --- INSTALLATION.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/INSTALLATION.md b/INSTALLATION.md index 4f94f8a60..3c77631ae 100644 --- a/INSTALLATION.md +++ b/INSTALLATION.md 
@@ -138,7 +138,7 @@ The STACKIT CLI can be installed through the [`DNF/YUM`](https://docs.fedoraproj
 > `$basearch` is supported by modern distributions. On older systems that don't expand `$basearch`, replace it in the `baseurl` with your architecture explicitly (for example, `.../rpm/cli/x86_64` or `.../rpm/cli/aarch64`).
-##### Installing DNF/YUM
+##### Installation via DNF/YUM
 1. Add the repository:
@@ -159,7 +159,7 @@ EOF
 sudo dnf install -y stackit
 ```
-##### Installing Zypper
+##### Installation via Zypper
 1. Add the repository:
From 3b82b58e2b17e7f4769e99beaa2477cd66dbd6a2 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 09:26:07 +0200
Subject: [PATCH 27/37] remove installation auto-confirmation
---
 INSTALLATION.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/INSTALLATION.md b/INSTALLATION.md
index 3c77631ae..cd22fabc4 100644
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
@@ -156,7 +156,7 @@ EOF
 2. Install the CLI:
 ```shell
-sudo dnf install -y stackit
+sudo dnf install stackit
 ```
 ##### Installation via Zypper
@@ -177,7 +177,7 @@ EOF
 2. Install the CLI:
 ```shell
-sudo zypper install -y stackit
+sudo zypper install stackit
 ```
 #### Any distribution
From 1f9e88e7bd57bdd05c322771fb5868b3097c2f2b Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 09:27:40 +0200
Subject: [PATCH 28/37] fix unused variable
---
 scripts/publish-rpm-packages.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 3ab72521e..389e8fd1d 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -9,7 +9,6 @@ PUBLIC_KEY_FILE_PATH="keys/key.gpg"
 RPM_REPO_PATH="rpm/cli"
 RPM_BUCKET_NAME="distribution-test"
 CUSTOM_KEYRING_FILE="rpm-keyring.gpg"
-DISTRIBUTION="stackit"
 GORELEASER_PACKAGES_FOLDER="dist/"
 # We need to disable the key database daemon (keyboxd)
From 8061c88f73cfea57d8b091d515c9c2620528721c Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 09:33:42 +0200
Subject: [PATCH 29/37] fix quotes codesplitting
---
 scripts/publish-rpm-packages.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 389e8fd1d..8a9031ff7 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -25,7 +25,7 @@ mkdir -p rpm-repo/aarch64
 printf "\n>>> Copying RPM packages to architecture directories \n"
 # Copy x86_64 packages (amd64)
-for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm; do
+for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_amd64.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/x86_64/
 printf "Copied $(basename "$rpm_file") to x86_64/\n"
@@ -33,7 +33,7 @@ for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_amd64.rpm; do
 done
 # Copy i386 packages
-for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm; do
+for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_386.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/i386/
 printf "Copied $(basename "$rpm_file") to i386/\n"
@@ -41,7 +41,7 @@ for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_386.rpm; do
 done
 # Copy aarch64 packages (arm64)
-for rpm_file in ${GORELEASER_PACKAGES_FOLDER}*_arm64.rpm; do
+for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_arm64.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/aarch64/
 printf "Copied $(basename "$rpm_file") to aarch64/\n"
From 0b7f09898defa34cc28441f745b7fc546b296a78 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 09:35:14 +0200
Subject: [PATCH 30/37] fix unused keyring
---
 scripts/publish-rpm-packages.sh | 1 -
 1 file changed, 1 deletion(-)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 8a9031ff7..6a6835551 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -8,7 +8,6 @@ PACKAGES_BUCKET_URL="https://distribution-test.object.storage.eu01.onstackit.clo
 PUBLIC_KEY_FILE_PATH="keys/key.gpg"
 RPM_REPO_PATH="rpm/cli"
 RPM_BUCKET_NAME="distribution-test"
-CUSTOM_KEYRING_FILE="rpm-keyring.gpg"
 GORELEASER_PACKAGES_FOLDER="dist/"
 # We need to disable the key database daemon (keyboxd)
From 71bf833d630d590b510648f9d192af0fa1b08825 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 09:39:45 +0200
Subject: [PATCH 31/37] fix printf
---
 scripts/publish-rpm-packages.sh | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 6a6835551..447d5d6b6 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -27,7 +27,7 @@ printf "\n>>> Copying RPM packages to architecture directories \n"
 for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_amd64.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/x86_64/
- printf "Copied $(basename "$rpm_file") to x86_64/\n"
+ printf "Copied %s to x86_64/\n" "$(basename "$rpm_file")"
 fi
 done
@@ -35,7 +35,7 @@ done
 for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_386.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/i386/
- printf "Copied $(basename "$rpm_file") to i386/\n"
+ printf "Copied %s to i386/\n" "$(basename "$rpm_file")"
 fi
 done
@@ -43,7 +43,7 @@ done
 for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*_arm64.rpm; do
 if [ -f "$rpm_file" ]; then
 cp "$rpm_file" rpm-repo/aarch64/
- printf "Copied $(basename "$rpm_file") to aarch64/\n"
+ printf "Copied %s to aarch64/\n" "$(basename "$rpm_file")"
 fi
 done
@@ -55,16 +55,16 @@ aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "
 printf "\n>>> Creating repository metadata \n"
 for arch in x86_64 i386 aarch64; do
 if [ -d "rpm-repo/${arch}" ] && [ "$(ls -A rpm-repo/${arch})" ]; then
- printf "Creating metadata for ${arch}...\n"
+ printf "Creating metadata for %s...\n" "$arch"
 # List what we're working with
- printf "Files in ${arch}: $(ls rpm-repo/${arch}/ | tr '\n' ' ')\n"
+ printf "Files in %s: %s\n" "$arch" "$(ls "rpm-repo/${arch}/" | tr '\n' ' ')"
 # Create repository metadata
 createrepo_c --update rpm-repo/${arch}
 # Sign the repository metadata
- printf "Signing repository metadata for ${arch}...\n"
+ printf "Signing repository metadata for %s...\n" "$arch"
 # Remove existing signature file if it exists
 rm -f rpm-repo/${arch}/repodata/repomd.xml.asc
 gpg --batch --pinentry-mode loopback --detach-sign --armor \
@@ -74,12 +74,12 @@ for arch in x86_64 i386 aarch64; do
 # Verify the signature was created
 if [ -f "rpm-repo/${arch}/repodata/repomd.xml.asc" ]; then
- printf "Repository metadata signed successfully for ${arch}\n"
+ printf "Repository metadata signed successfully for %s\n" "$arch"
 else
- printf "WARNING: Repository metadata signature not created for ${arch}\n"
+ printf "WARNING: Repository metadata signature not created for %s\n" "$arch"
 fi
 else
- printf "No packages found for ${arch}, skipping...\n"
+ printf "No packages found for %s, skipping...\n" "$arch"
 fi
 done
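Review bot: The `else` branch that now prints `WARNING: Repository metadata signature not created for %s` only logs and lets the script continue to publish an unsigned `repodata/` for that architecture; with the script's `set -eo pipefail` a failing gpg already aborts earlier, so this branch can only be reached when gpg exits 0 without writing the file, and the `-f` test says nothing about whether the signature verifies. Replacing the existence test with `gpg --batch --verify "rpm-repo/${arch}/repodata/repomd.xml.asc" "rpm-repo/${arch}/repodata/repomd.xml"` and ending the failure branch with `exit 1` would make a bad or missing signature stop the publish instead of warning. The `for arch` loop and the gpg call this block checks begin in the previous hunk.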
@@ -105,5 +105,5 @@ gpg --armor --export "${GPG_PRIVATE_KEY_FINGERPRINT}" > public-key.asc
 aws s3 cp public-key.asc s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH} --endpoint-url "${AWS_ENDPOINT_URL}"
 printf "\n>>> RPM repository published successfully! \n"
-printf "Repository URL: ${PACKAGES_BUCKET_URL}/${RPM_REPO_PATH}/ \n"
-printf "Public key URL: ${PACKAGES_BUCKET_URL}/${PUBLIC_KEY_FILE_PATH} \n"
+printf "Repository URL: %s/%s/ \n" "$PACKAGES_BUCKET_URL" "$RPM_REPO_PATH"
+printf "Public key URL: %s/%s \n" "$PACKAGES_BUCKET_URL" "$PUBLIC_KEY_FILE_PATH"
From 7f50890eacd1226d931c5a7decc77ffaf85e6d1c Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 10:02:46 +0200
Subject: [PATCH 32/37] fix filelist using find
---
 scripts/publish-rpm-packages.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 447d5d6b6..073cfe112 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -54,11 +54,12 @@ aws s3 sync s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ rpm-repo/ --endpoint-url "
 # Create repository metadata for each architecture
 printf "\n>>> Creating repository metadata \n"
 for arch in x86_64 i386 aarch64; do
- if [ -d "rpm-repo/${arch}" ] && [ "$(ls -A rpm-repo/${arch})" ]; then
+ if [ -d "rpm-repo/${arch}" ] && [ -n "$(find "rpm-repo/${arch}" -mindepth 1 -maxdepth 1 -print -quit)" ]; then
 printf "Creating metadata for %s...\n" "$arch"
 # List what we're working with
- printf "Files in %s: %s\n" "$arch" "$(ls "rpm-repo/${arch}/" | tr '\n' ' ')"
+ file_list=$(find "rpm-repo/${arch}" -maxdepth 1 -type f -exec basename {} \; | tr '\n' ' ')
+ printf "Files in %s: %s\n" "$arch" "${file_list% }"
 # Create repository metadata
 createrepo_c --update rpm-repo/${arch}
From c6167612b2d34572927be7bdaa9ded507144b39d Mon Sep 17 00:00:00 2001
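Review bot: The new non-empty probe `find "rpm-repo/${arch}" -mindepth 1 -maxdepth 1 -print -quit` is satisfied by any entry, including a `repodata/` directory pulled down by the preceding `aws s3 sync` from the bucket, so an architecture that holds no `.rpm` files is still treated as populated and has its metadata regenerated and re-signed. If the intent is "has packages", narrowing the probe to `[ -n "$(find "rpm-repo/${arch}" -maxdepth 1 -name '*.rpm' -print -quit)" ]` matches the `No packages found` message in the else branch. The old `ls -A` test behaved the same way, so this is not a regression introduced here; the loop body continues past the end of the hunk.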
From: Benjosh95
Date: Mon, 13 Oct 2025 10:07:58 +0200
Subject: [PATCH 33/37] remove comment, fix gpg cleanup
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 23a0bbf0b..2b2b34a4c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -83,10 +83,10 @@ jobs:
 NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 - name: Clean up GPG key file
+ if: always()
 run: |
 rm -f gpg-private-key.asc
- # artifacts need to be passed to further publishing jobs
 - name: Upload artifacts to workflow
 uses: actions/upload-artifact@v4
 with:
From 051cacb5528f4226bafd1b84d9427ef3ffc15f98 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 10:38:28 +0200
Subject: [PATCH 34/37] fix gpg key storage
---
 .github/workflows/release.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2b2b34a4c..d47fe8c8c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -45,8 +45,10 @@ jobs:
 # https://goreleaser.com/customization/nfpm/
 - name: Create GPG key file
 run: |
- echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg-private-key.asc
- chmod 600 gpg-private-key.asc
+ KEY_PATH="$RUNNER_TEMP/gpg-private-key.asc"
+ printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" > "$KEY_PATH"
+ chmod 600 "$KEY_PATH"
+ echo "GPG_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV"
 - name: Set up keychain
 run: |
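Review bot: `printf '%s' "${{ secrets.GPG_PRIVATE_KEY }}" > "$KEY_PATH"` splices the private key into the script text before the shell runs it, and the redirect creates the file under the runner's default umask before the following `chmod 600` tightens it. Passing the secret through the step's `env:` and writing under `umask 077` keeps the key out of the script body and removes the window in which the file is created with wider permissions; `printf '%s'` also drops the trailing newline of the armored block, which gpg tolerates but `printf '%s\n'` avoids depending on. The `Create GPG key file` step is shown in full in this hunk; the steps before and after it are outside it.
```yaml
      - name: Create GPG key file
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          KEY_PATH="$RUNNER_TEMP/gpg-private-key.asc"
          (umask 077; printf '%s\n' "$GPG_PRIVATE_KEY" > "$KEY_PATH")
          echo "GPG_KEY_PATH=$KEY_PATH" >> "$GITHUB_ENV"
```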
@@ -78,14 +80,14 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
 GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
- GPG_KEY_PATH: ./gpg-private-key.asc
+ GPG_KEY_PATH: ${{ env.GPG_KEY_PATH }}
 # nfpm-rpm signing needs this env to be set.
 NFPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 - name: Clean up GPG key file
 if: always()
 run: |
- rm -f gpg-private-key.asc
+ rm -f "$GPG_KEY_PATH"
 - name: Upload artifacts to workflow
 uses: actions/upload-artifact@v4
From bb4effa476e366bbbda3badce82b273dcb9f01bc Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 13:52:35 +0200
Subject: [PATCH 35/37] add key redundancy comment
---
 scripts/publish-rpm-packages.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 073cfe112..95008d2fb 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -101,6 +101,8 @@ aws s3 sync rpm-repo/ s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/ \
 --include "*/repodata/repomd.xml.asc"
 # Upload the public key
+# Also uploaded in APT publish; intentionally redundant
+# Safe to overwrite and ensures updates if APT fails or key changes.
 printf "\n>>> Uploading public key \n"
 gpg --armor --export "${GPG_PRIVATE_KEY_FINGERPRINT}" > public-key.asc
 aws s3 cp public-key.asc s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH} --endpoint-url "${AWS_ENDPOINT_URL}"
From 5081b7db369191d66bc936bc72470a0f38313167 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 14:51:57 +0200
Subject: [PATCH 36/37] updating links to point to production
---
 .github/workflows/release.yaml | 70 ++++++++++++++++-----------------
 scripts/publish-rpm-packages.sh | 4 +-
 2 files changed, 37 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d47fe8c8c..9e453b7fa 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -76,7 +76,7 @@ jobs:
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@v6
 with:
- args: release --clean --skip=publish --skip=validate
+ args: release --clean
 env:
 GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
 GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
@@ -96,41 +96,41 @@ jobs:
 path: dist
 retention-days: 1
- # publish-apt:
- # name: Publish APT
- # runs-on: macOS-latest
- # needs: [goreleaser]
- # env:
- # # Needed to publish new packages to our S3-hosted APT repo
- # AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
- # AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
- # steps:
- # - name: Checkout
- # uses: actions/checkout@v5
+ publish-apt:
+ name: Publish APT
+ runs-on: macOS-latest
+ needs: [goreleaser]
+ env:
+ # Needed to publish new packages to our S3-hosted APT repo
+ AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v5
- # # use the artifacts from the "goreleaser" job
- # - name: Download artifacts from workflow
- # uses: actions/download-artifact@v5
- # with:
- # name: goreleaser-dist-temp
- # path: dist
+ # use the artifacts from the "goreleaser" job
+ - name: Download artifacts from workflow
+ uses: actions/download-artifact@v5
+ with:
+ name: goreleaser-dist-temp
+ path: dist
- # - name: Install Aptly
- # run: brew install aptly
+ - name: Install Aptly
+ run: brew install aptly
- # - name: Import GPG key
- # uses: crazy-max/ghaction-import-gpg@v6
- # id: import_gpg
- # with:
- # gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- # passphrase: ${{ secrets.GPG_PASSPHRASE }}
+ - name: Import GPG key
+ uses: crazy-max/ghaction-import-gpg@v6
+ id: import_gpg
+ with:
+ gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+ passphrase: ${{ secrets.GPG_PASSPHRASE }}
- # - name: Publish packages to APT repo
- # if: contains(github.ref_name, '-') == false
- # env:
- # GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- # GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
- # run: ./scripts/publish-apt-packages.sh
+ - name: Publish packages to APT repo
+ if: contains(github.ref_name, '-') == false
+ env:
+ GPG_PASSPHRASE: ${{
secrets.GPG_PASSPHRASE }}
+ GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+ run: ./scripts/publish-apt-packages.sh
 publish-rpm:
 name: Publish RPM
@@ -138,8 +138,8 @@ jobs:
 needs: [goreleaser]
 env:
 # Needed to publish new packages to our S3-hosted RPM repo
- AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }}
+ AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
 AWS_DEFAULT_REGION: eu01
 AWS_ENDPOINT_URL: https://object.storage.eu01.onstackit.cloud
 steps:
@@ -165,7 +165,7 @@ jobs:
 passphrase: ${{ secrets.GPG_PASSPHRASE }}
 - name: Publish RPM packages
-# if: contains(github.ref_name, '-') == false
+ if: contains(github.ref_name, '-') == false
 env:
 GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
diff --git a/scripts/publish-rpm-packages.sh b/scripts/publish-rpm-packages.sh
index 95008d2fb..d657d1e0d 100755
--- a/scripts/publish-rpm-packages.sh
+++ b/scripts/publish-rpm-packages.sh
@@ -4,10 +4,10 @@
 # Usage: ./publish-rpm-packages.sh
 set -eo pipefail
-PACKAGES_BUCKET_URL="https://distribution-test.object.storage.eu01.onstackit.cloud"
+PACKAGES_BUCKET_URL="https://packages.stackit.cloud"
 PUBLIC_KEY_FILE_PATH="keys/key.gpg"
 RPM_REPO_PATH="rpm/cli"
-RPM_BUCKET_NAME="distribution-test"
+RPM_BUCKET_NAME="distribution"
 GORELEASER_PACKAGES_FOLDER="dist/"
 # We need to disable the key database daemon (keyboxd)
From c6a74348c5d682700c7e8ffca69c836f4837a455 Mon Sep 17 00:00:00 2001
From: Benjosh95
Date: Mon, 13 Oct 2025 15:32:26 +0200
Subject: [PATCH 37/37] fix installation docs
---
 INSTALLATION.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/INSTALLATION.md b/INSTALLATION.md
index cd22fabc4..c2e7bf751 100644
--- a/INSTALLATION.md
+++ b/INSTALLATION.md
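Review bot: The job-level `env:` of the re-enabled `publish-apt` job hands `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to every step, including the third-party `crazy-max/ghaction-import-gpg@v6` and `actions/download-artifact@v5`, although only the final `Publish packages to APT repo` step needs them; the `publish-rpm` job in the next hunk (`@@ -138,8 +138,8 @@`) has the same layout with the production secrets it now switches to. Moving both keys into that step's `env:` next to `GPG_PASSPHRASE` limits what a misbehaving or compromised action in the same job can read. The third-party actions are also referenced by mutable major tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual mitigation against the tag being moved. The `publish-rpm` job continues past the end of this hunk.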
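Review bot: The re-enabled `if: contains(github.ref_name, '-') == false` on `Publish RPM packages` gates publishing only on the absence of a dash in the ref name, so if the workflow can also start from `workflow_dispatch` or a branch push, a run on a branch such as `main` satisfies the condition and publishes whatever the goreleaser job produced. Anchoring the check to a tag, `if: startsWith(github.ref, 'refs/tags/') && !contains(github.ref_name, '-')`, makes the intent explicit; the `Publish packages to APT repo` step in the previous hunk uses the same expression and should change with it. The workflow's `on:` triggers are outside the visible hunks, so this depends on what they allow.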
@@ -146,10 +146,10 @@ The STACKIT CLI can be installed through the [`DNF/YUM`](https://docs.fedoraproj
 sudo tee /etc/yum.repos.d/stackit.repo > /dev/null << 'EOF'
 [stackit]
 name=STACKIT CLI
-baseurl=https://distribution-test.object.storage.eu01.onstackit.cloud/rpm/cli/$basearch
+baseurl=https://packages.stackit.cloud/rpm/cli/$basearch
 enabled=1
 gpgcheck=1
-gpgkey=https://distribution-test.object.storage.eu01.onstackit.cloud/keys/key.gpg
+gpgkey=https://packages.stackit.cloud/keys/key.gpg
 EOF
 ```
@@ -167,10 +167,10 @@ sudo dnf install stackit
 sudo tee /etc/zypp/repos.d/stackit.repo > /dev/null << 'EOF'
 [stackit]
 name=STACKIT CLI
-baseurl=https://distribution-test.object.storage.eu01.onstackit.cloud/rpm/cli/$basearch
+baseurl=https://packages.stackit.cloud/rpm/cli/$basearch
 enabled=1
 gpgcheck=1
-gpgkey=https://distribution-test.object.storage.eu01.onstackit.cloud/keys/key.gpg
+gpgkey=https://packages.stackit.cloud/keys/key.gpg
 EOF
 ```
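Review bot: The dnf repo definition keeps `gpgcheck=1` but sets no `repo_gpgcheck=1`, and for dnf `gpgcheck` covers package signatures only, so the detached `repomd.xml.asc` that the publish script signs and uploads is never verified by clients that follow these instructions. Adding `repo_gpgcheck=1` directly below `gpgcheck=1` in the first heredoc enables that check using the same `gpgkey=https://packages.stackit.cloud/keys/key.gpg`. zypper's `gpgcheck` has broader semantics than dnf's, so whether the second heredoc needs the same line should be confirmed against the supported SUSE releases rather than assumed.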