publish-production-distrepos.yml

name: Publish production repos
concurrency: repo-state-aptly
on:
  pull_request: {}

env:
  AGENT_RELEASE_TAG: 'v3.13.2'

jobs:
  preflight:
    timeout-minutes: 5
    runs-on: ubuntu-22.04
    outputs:
      doit: ${{ steps.git-diff.outputs.diff != '' }}
      really: ${{ steps.release-diff.outputs.vchange != ''}}
    steps:
      - uses: actions/checkout@v3

      - uses: technote-space/get-diff-action@v6
        id: git-diff
        with:
          PATTERNS: |
            .github/workflows/publish-production-distrepos.yml

      - id: release-diff
        run: |
          git fetch --depth 1 origin ${GITHUB_BASE_REF} 
          echo "::set-output name=vchange::$(git diff -U0 origin/${GITHUB_BASE_REF} -- .github/workflows/publish-production-distrepos.yml | grep AGENT_RELEASE_TAG)"

      - run: |
          echo "${{ steps.git-diff.outputs.diff }}"
          echo "${{ steps.git-diff.outputs.diff == '' }}"
          echo "${{ github.ref }}"
          echo "${{ github.event_name }}"
          echo "${{ steps.git-diff.outputs.diff != '' }}"
          echo "${{ steps.release-diff.outputs.vchange }}"
          echo "${{ steps.release-diff.outputs.vchange != ''}}"


  repo-pub:
    timeout-minutes: 20
    needs:
      - preflight
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: ./
    steps:

###########
########### PREREQUISITES
###########

      - name: Install programs
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y s3fs gnupg-pkcs11-scd openvpn openvpn-systemd-resolved rpm createrepo-c

      - name: Install Go
        uses: actions/setup-go@v3
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        with:
          go-version: '1.20'

      - name: Install aptly from source
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        run: |
          go install github.com/aptly-dev/aptly@v1.5.0

###########
########### HERE COMES THE GPG <-> PCKS11 <-> HSM setup
###########

      - name: Install YubiHSM pkcs11 libraries
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        shell: bash
        run: |
          test -f /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so && exit 0
          wget https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz
          tar -xzf yubihsm2-sdk-2022-06-ubuntu2204-amd64.tar.gz
          cd yubihsm2-sdk
          sudo dpkg -i libyubihsm-http1_2.3.2_amd64.deb libyubihsm1_2.3.2_amd64.deb yubihsm-pkcs11_2.3.2_amd64.deb
          go install github.com/aptly-dev/aptly@v1.5.0

      - name: Write GPG <-> PCKS11 <-> HSM configurations
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        env:
          CONNECTOR: ${{ secrets.HSM2_CONNECTOR}}
          OVPN_HSM_CFG: ${{ secrets.OVPN_HSM_CFG}}
        shell: bash
        run: |
          mkdir ~/.gnupg
          chmod 0700 ~/.gnupg
          echo "connector=$CONNECTOR" > ~/yubihsm_pkcs11.conf
          echo "scdaemon-program /usr/bin/gnupg-pkcs11-scd" > ~/.gnupg/gpg-agent.conf
          echo "default-cache-ttl 46000" >> ~/.gnupg/gpg-agent.conf
          echo "providers yubihsm" >> ~/.gnupg/gnupg-pkcs11-scd.conf 
          echo "provider-yubihsm-library /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so" >> ~/.gnupg/gnupg-pkcs11-scd.conf 
          echo "provider-yubihsm-cert-private" >> ~/.gnupg/gnupg-pkcs11-scd.conf
          gpg-connect-agent RELOADAGENT /bye
          echo "$OVPN_HSM_CFG" > hsm.ovpn

      - name: Connect to VPN
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        uses: "kota65535/github-openvpn-connect-action@v2"
        with:
          config_file: hsm.ovpn
          username: ${{ secrets.OVPN_HSM_UNAME }}
          password: ${{ secrets.OVPN_HSM_PWORD }}

      - name: Import and activate repo signing key
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        env:
          REPOKEY: ${{ secrets.REPO_SIGNING_KEY }}
          PKSHADOW: ${{ secrets.REPO_SIGNING_PKSHADOW }}
          KEYGRIP: ${{ secrets.REPO_SIGNING_PKGRIP }}
          GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }}
        run: |
          echo "$REPOKEY" > repo-signing.key
          gpg --import - < repo-signing.key
          # if you are missing the file below, set-up gpg with hsm on your local machine
          # like in this script and import the key. then we need to run gpg --card-status
          # to re-create the shadowed PK. this requires a pin entry which gpg does not support
          # at this point. to work around this use gpg-connect-agent and issue the SCD LEARN
          # command which will present you with a pin prompt. it has to be the first thing
          # you do and it will establish a session with the HSM that is re-used when running
          # gpg --card-status.
          echo "$PKSHADOW" > ~/.gnupg/private-keys-v1.d/$KEYGRIP
          (echo 5; echo y; echo save) |
          gpg --command-fd 0 --no-tty --no-greeting -q --edit-key "$(
          gpg --list-packets <repo-signing.key |
          awk '$1=="keyid:"{print$2;exit}')" trust 
          echo cache_passphrase_now | gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --sign > /dev/null

###########
########### HERE COMES THE APT REPO 
###########

      - name: Mount private repo state s3fs
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        shell: bash
        env:
          DO_ACCESS_KEY: ${{ secrets.DO_ACCESS_KEY}}
          DO_SECRET_KEY: ${{ secrets.DO_SECRET_KEY }}
          DO_SPACE: pkg-repo-state
        run: |
          touch passwd-s3fs
          chmod 0600 passwd-s3fs
          echo "$DO_ACCESS_KEY:$DO_SECRET_KEY" > passwd-s3fs
          mkdir repo-state
          s3fs $DO_SPACE $PWD/repo-state \
            -o passwd_file=$PWD/passwd-s3fs \
            -o url=https://fra1.digitaloceanspaces.com/ \
            -o use_path_request_style \
            -o uid=$UID

      - name: Release packages to APT repo
        if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' }}
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.DO_ACCESS_KEY}}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.DO_SECRET_KEY }}
          RELEASE_ID: ${{ env.AGENT_RELEASE_TAG }}
        run: |
          aptly -config ./repo-state/aptly.conf snapshot filter "agent-release-$RELEASE_ID" "agent-only-release-$RELEASE_ID" immune-guard
          aptly -config ./repo-state/aptly.conf publish switch stable s3:debian-prod: "agent-only-release-$RELEASE_ID"
          sync
          umount repo-state

###########
########### HERE COMES THE RPM REPO 
###########

      - name: Mount package registry s3fs
        if: ${{ needs.preflight.outputs.doit == 'true' }}
        shell: bash
        env:
          DO_SPACE: package-registry
        run: |
          # password setup has already been done by APT repo steps above
          mkdir live-repo
          s3fs $DO_SPACE $PWD/live-repo \
            -o passwd_file=$PWD/passwd-s3fs \
            -o url=https://fra1.digitaloceanspaces.com/ \
            -o use_path_request_style \
            -o default_acl=public-read \
            -o uid=$UID

      - name: Release packages to RPM repo
        if: ${{ needs.preflight.outputs.doit == 'true' && needs.preflight.outputs.really == 'true' }}
        shell: bash
        env:
          REPOPATH_EDGE: live-repo/rpmrepo/edge
          REPOPATH_PROD: live-repo/rpmrepo/prod
          GPG_PASSPHRASE: ${{ secrets.HSM2_AUTH }}
          RELEASE_ID: ${{ env.AGENT_RELEASE_TAG }}
        run: |
          cp ${PWD}/${REPOPATH_EDGE}/guard-1-${RELEASE_ID}-1.x86_64.rpm ${PWD}/${REPOPATH_PROD}
          createrepo_c --update ${PWD}/${REPOPATH_PROD}
          gpg --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --yes --detach-sign --armor ${PWD}/${REPOPATH_PROD}/repodata/repomd.xml
          sync
          umount live-repo