workflows: unstable regular build fixes (fluent#5106)

* workflows: fix missing input Signed-off-by: Patrick Stephens <[email protected]> * workflows: fix incorrect usage Signed-off-by: Patrick Stephens <[email protected]> * workflows: add schema generation to staging Signed-off-by: Patrick Stephens <[email protected]> * workflows: linting fix Signed-off-by: Patrick Stephens <[email protected]> * packaging: add base check Signed-off-by: Patrick Stephens <[email protected]> * packaging: add base check Signed-off-by: Patrick Stephens <[email protected]> * workflows: sign repo-metadata Signed-off-by: Patrick Stephens <[email protected]> * workflows: sign repo-metadata Signed-off-by: Patrick Stephens <[email protected]> * workflows: sign repo-metadata Signed-off-by: Patrick Stephens <[email protected]> Signed-off-by: Manal Geries <[email protected]>
mgeriesa · Oct 25, 2022 · 9486522 · 9486522
1 parent b24e996
commit 9486522
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 6 deletions.
diff --git a/.github/workflows/cron-unstable-build.yaml b/.github/workflows/cron-unstable-build.yaml
@@ -38,25 +38,25 @@ jobs:
       - name: Manual run - get branch
         if: github.event_name == 'workflow_dispatch'
         run: |
-          echo "::set-env name=cron_branch::${{ github.event.inputs.branch }}"
+          echo "cron_branch=${{ github.event.inputs.branch }}" >> $GITHUB_ENV
         shell: bash
 
       - name: master run
         if:  github.event_name == 'schedule' && github.event.schedule=='*/6 * * * *'         # set-env value
         run: |
-          echo "::set-env name=cron_branch::master"
+          echo "cron_branch=master" >> $GITHUB_ENV
         shell: bash
 
       - name: 1.9 run
         if:  github.event_name == 'schedule' && github.event.schedule=='*/12 * * * *'   # set env value
         run: |
-          echo "::set-env name=cron_branch::1.9"
+          echo "cron_branch=1.9" >> $GITHUB_ENV
         shell: bash
 
       - name: 1.8 run
         if:  github.event_name == 'schedule' && github.event.schedule=='*/18 * * * *'   # set env value
         run: |
-          echo "::set-env name=cron_branch::1.8"
+          echo "cron_branch=1.8" >> $GITHUB_ENV
         shell: bash
 
       - name: Output the branch to use
@@ -70,6 +70,7 @@ jobs:
     needs: unstable-build-get-meta
     uses: fluent/fluent-bit/.github/workflows/call-build-images.yaml@master
     with:
+      version: ${{ needs.unstable-build-get-meta.outputs.branch }}
       ref: ${{ needs.unstable-build-get-meta.outputs.branch }}
       registry: ghcr.io
       username: ${{ github.actor }}
@@ -112,6 +113,8 @@ jobs:
     outputs:
       build-matrix: ${{ steps.set-matrix.outputs.build-matrix }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
       # Set up the list of target to build so we can pass the JSON to the reusable job
       - uses: ./.github/actions/generate-package-build-matrix
         id: set-matrix

diff --git a/.github/workflows/staging-build.yaml b/.github/workflows/staging-build.yaml
@@ -79,12 +79,49 @@ jobs:
       cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
       cosign_private_key_password: ${{ secrets.COSIGN_PASSWORD }}
 
+  staging-build-generate-schema:
+    needs:
+      - staging-build-get-meta
+      - staging-build-images
+    runs-on: ubuntu-latest
+    steps:
+      - name: Log in to the Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: |
+          docker run --rm -it ${{ github.repository }}/staging:${{ needs.staging-build-get-meta.outputs.version }} -J > fluent-bit-schema-${{ needs.staging-build-get-meta.outputs.version }}.json
+          cat fluent-bit-schema-${{ needs.staging-build-get-meta.outputs.version }}.json | jq -M > fluent-bit-schema-pretty-${{ needs.staging-build-get-meta.outputs.version }}.json
+        shell: bash
+
+      - name: Upload the schema
+        uses: actions/upload-artifact@v2
+        with:
+          path: ./
+          name: fluent-bit-schema*.json
+          if-no-files-found: error
+
+      - name: Push schema to S3
+        run: |
+          aws --region "$AWS_REGION" s3 sync . "s3://${AWS_S3_BUCKET}/${DEST_DIR}" --no-progress ${ENDPOINT}
+        env:
+          DEST_DIR: "${{ needs.staging-build-get-meta.outputs.version }}/"
+          AWS_REGION: "us-east-1"
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET_STAGING }}
+
   staging-build-generate-matrix:
     name: Staging build matrix
     runs-on: ubuntu-latest
     outputs:
       build-matrix: ${{ steps.set-matrix.outputs.build-matrix }}
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
       # Set up the list of target to build so we can pass the JSON to the reusable job
       - uses: ./.github/actions/generate-package-build-matrix
         id: set-matrix

diff --git a/.github/workflows/staging-release.yaml b/.github/workflows/staging-release.yaml
@@ -95,9 +95,10 @@ jobs:
     - name: Update repo info and remove any staging details
       run: |
         rm -f packaging/releases/*.repo
-        LATEST_VERSION=$(cat packaging/releases/latest-version.txt)
-        packaging/update-repos.sh packaging/releases/
         rm -f packaging/releases/latest-version.txt
+        packaging/update-repos.sh packaging/releases/
+        # Sign repo meta-data
+        find "$REPO_DIR" -name repomd.xml -exec gpg --detach-sign --armor -u "$GPG_KEY" --passphrase "${{ secrets.GPG_PRIVATE_KEY_PASSPHRASE }}" --batch --yes {} \;
       env:
         GPG_KEY: ${{ steps.import_gpg.outputs.name }}
         AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET_RELEASE }}

diff --git a/packaging/server/publish-all.sh b/packaging/server/publish-all.sh
@@ -112,3 +112,6 @@ if ! aptly -config="$APTLY_CONFIG" publish switch focal filesystem:ubuntu/focal:
     aptly -config="$APTLY_CONFIG" snapshot drop "fluent-bit-ubuntu-focal-${VERSION}"
     exit 1
 fi
+
+# Sign YUM repo meta-data
+find "/var/www/apt.fluentbit.io" -name repomd.xml -exec gpg --detach-sign --armor --yes -u "[email protected]" {} \;
diff --git a/packaging/update-repos.sh b/packaging/update-repos.sh
@@ -1,7 +1,13 @@
 #!/bin/bash
 set -eux
+
 # Where the base of all the repos is
 BASE_PATH=${BASE_PATH:-$1}
+if [[ ! -d "$BASE_PATH" ]]; then
+    echo "Invalid base path: $BASE_PATH"
+    exit 1
+fi
+
 # Set true to prevent signing
 DISABLE_SIGNING=${DISABLE_SIGNING:-false}
 if [[ "$DISABLE_SIGNING" != "true" ]]; then