build(deps): bump golang.org/x/crypto from 0.7.0 to 0.17.0 #87
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish production repos | |
| concurrency: repo-state-aptly | |
| on: | |
| pull_request: {} | |
| env: | |
| AGENT_RELEASE_TAG: 'v3.13.2' | |
| jobs: | |
| preflight: | |
| timeout-minutes: 5 | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| doit: ${{ steps.git-diff.outputs.diff != '' }} | |
| really: ${{ steps.release-diff.outputs.vchange != ''}} | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - uses: technote-space/get-diff-action@v6 | |
| id: git-diff | |
| with: | |
| PATTERNS: | | |
| .github/workflows/publish-production-distrepos.yml | |
| - id: release-diff | |
| run: | | |
| git fetch --depth 1 origin ${GITHUB_BASE_REF} | |
| echo "::set-output name=vchange::$(git diff -U0 origin/${GITHUB_BASE_REF} -- .github/workflows/publish-production-distrepos.yml | grep AGENT_RELEASE_TAG)" | |
| - run: | | |
| echo "${{ steps.git-diff.outputs.diff }}" | |
| echo "${{ steps.git-diff.outputs.diff == '' }}" | |
| echo "${{ github.ref }}" | |
| echo "${{ github.event_name }}" | |
| echo "${{ steps.git-diff.outputs.diff != '' }}" | |
| echo "${{ steps.release-diff.outputs.vchange }}" | |
| echo "${{ steps.release-diff.outputs.vchange != ''}}" | |
| repo-pub: | |
| timeout-minutes: 20 | |
| needs: | |
| - preflight | |
| runs-on: ubuntu-22.04 | |
| defaults: | |
| run: | |
| working-directory: ./ | |
| steps: | |
| ########### | |
| ########### PREREQUISITES | |
| ########### | |
| - name: Install programs | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y s3fs gnupg-pkcs11-scd openvpn openvpn-systemd-resolved rpm createrepo-c | |
| - name: Install Go | |
| uses: actions/setup-go@v3 | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| with: | |
| go-version: '1.20' | |
| - name: Install aptly from source | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| run: | | |
| go install github.com/aptly-dev/aptly@v1.5.0 | |
| ########### | |
| ########### HERE COMES THE GPG <-> PCKS11 <-> HSM setup | |
| ########### | |
| - name: Install YubiHSM pkcs11 libraries | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| shell: bash | |
| run: | | |
| test -f /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so && exit 0 | |
| wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz | |
| tar -xzf yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz | |
| cd yubihsm2-sdk | |
| sudo dpkg -i libyubihsm-http1_2.3.2_amd64.deb libyubihsm1_2.3.2_amd64.deb yubihsm-pkcs11_2.3.2_amd64.deb | |
| go install github.com/aptly-dev/aptly@v1.5.0 | |
| - name: Write GPG <-> PCKS11 <-> HSM configurations | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| env: | |
| CONNECTOR: ${{ secrets.HSM2_CONNECTOR}} | |
| OVPN_HSM_CFG: ${{ secrets.OVPN_HSM_CFG}} | |
| shell: bash | |
| run: | | |
| mkdir ~/.gnupg | |
| chmod 0700 ~/.gnupg | |
| echo "connector=$CONNECTOR" > ~/yubihsm_pkcs11.conf | |
| echo "scdaemon-program /usr/bin/gnupg-pkcs11-scd" > ~/.gnupg/gpg-agent.conf | |
| echo "default-cache-ttl 46000" >> ~/.gnupg/gpg-agent.conf | |
| echo "providers yubihsm" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
| echo "provider-yubihsm-library /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
| echo "provider-yubihsm-cert-private" >> ~/.gnupg/gnupg-pkcs11-scd.conf | |
| gpg-connect-agent RELOADAGENT /bye | |
| echo "$OVPN_HSM_CFG" > hsm.ovpn | |
| - name: Connect to VPN | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| uses: "kota65535/github-openvpn-connect-action@v2" | |
| with: | |
| config_file: hsm.ovpn | |
| username: ${{ secrets.OVPN_HSM_UNAME }} | |
| password: ${{ secrets.OVPN_HSM_PWORD }} | |
| - name: Import and activate repo signing key | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| env: | |
| REPOKEY: ${{ secrets.REPO_SIGNING_KEY }} | |
| PKSHADOW: ${{ secrets.REPO_SIGNING_PKSHADOW }} | |
| KEYGRIP: ${{ secrets.REPO_SIGNING_PKGRIP }} | |
| GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }} | |
| run: | | |
| echo "$REPOKEY" > repo-signing.key | |
| gpg --import - < repo-signing.key | |
| # if you are missing the file below, set-up gpg with hsm on your local machine | |
| # like in this script and import the key. then we need to run gpg --card-status | |
| # to re-create the shadowed PK. this requires a pin entry which gpg does not support | |
| # at this point. to work around this use gpg-connect-agent and issue the SCD LEARN | |
| # command which will present you with a pin prompt. it has to be the first thing | |
| # you do and it will establish a session with the HSM that is re-used when running | |
| # gpg --card-status. | |
| echo "$PKSHADOW" > ~/.gnupg/private-keys-v1.d/$KEYGRIP | |
| (echo 5; echo y; echo save) | | |
| gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$( | |
| gpg --list-packets <repo-signing.key | | |
| awk '$1=="keyid:"{print$2;exit}')" trust | |
| echo cache_passphrase_now | gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --sign > /dev/null | |
| ########### | |
| ########### HERE COMES THE APT REPO | |
| ########### | |
| - name: Mount private repo state s3fs | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| shell: bash | |
| env: | |
| DO_ACCESS_KEY: ${{ secrets.DO_ACCESS_KEY}} | |
| DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }} | |
| DO_SPACE: pkg-repo-state | |
| run: | | |
| touch passwd-s3fs | |
| chmod 0600 passwd-s3fs | |
| echo "$DO_ACCESS_KEY:$DO_SECRET_KEY" > passwd-s3fs | |
| mkdir repo-state | |
| s3fs $DO_SPACE $PWD/repo-state \ | |
| -o passwd_file=$PWD/passwd-s3fs \ | |
| -o url=https://fra1.digitaloceanspaces.com/ \ | |
| -o use_path_request_style \ | |
| -o uid=$UID | |
| - name: Release packages to APT repo | |
| if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' }} | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.DO_ACCESS_KEY}} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.DO_SECRET_KEY }} | |
| RELEASE_ID: ${{ env.AGENT_RELEASE_TAG }} | |
| run: | | |
| aptly -config ./repo-state/aptly.conf snapshot filter "agent-release-$RELEASE_ID" "agent-only-release-$RELEASE_ID" immune-guard | |
| aptly -config ./repo-state/aptly.conf publish switch stable s3:debian-prod: "agent-only-release-$RELEASE_ID" | |
| sync | |
| umount repo-state | |
| ########### | |
| ########### HERE COMES THE RPM REPO | |
| ########### | |
| - name: Mount package registry s3fs | |
| if: ${{ needs.preflight.outputs.doit == 'true' }} | |
| shell: bash | |
| env: | |
| DO_SPACE: package-registry | |
| run: | | |
| # password setup has already been done by APT repo steps above | |
| mkdir live-repo | |
| s3fs $DO_SPACE $PWD/live-repo \ | |
| -o passwd_file=$PWD/passwd-s3fs \ | |
| -o url=https://fra1.digitaloceanspaces.com/ \ | |
| -o use_path_request_style \ | |
| -o default_acl=public-read \ | |
| -o uid=$UID | |
| - name: Release packages to RPM repo | |
| if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' }} | |
| shell: bash | |
| env: | |
| REPOPATH_EDGE: live-repo/rpmrepo/edge | |
| REPOPATH_PROD: live-repo/rpmrepo/prod | |
| GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }} | |
| RELEASE_ID: ${{ env.AGENT_RELEASE_TAG }} | |
| run: | | |
| cp ${PWD}/${REPOPATH_EDGE}/guard-1-${RELEASE_ID}-1.x86_64.rpm ${PWD}/${REPOPATH_PROD} | |
| createrepo_c --update ${PWD}/${REPOPATH_PROD} | |
| gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --yes --detach-sign --armor ${PWD}/${REPOPATH_PROD}/repodata/repomd.xml | |
| sync | |
| umount live-repo |