ci: Release binaries via CRT (#96)

* Remove goreleaser config * Add release config + metadata * release: Add security scanner config * github: Add build workflow * docs: Add releasing notes
hashicorp · Feb 2, 2023 · 4943701 · 4943701
1 parent c64df2c
commit 4943701
Show file tree

Hide file tree

Showing 6 changed files with 270 additions and 29 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -0,0 +1,131 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+
+env:
+  PKG_NAME: "hc-install"
+
+jobs:
+  get-go-version:
+    name: "Determine Go toolchain version"
+    runs-on: ubuntu-latest
+    outputs:
+      go-version: ${{ steps.get-go-version.outputs.go-version }}
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # https://github.com/actions/checkout/releases/tag/v3.2.0
+      - name: Determine Go version
+        id: get-go-version
+        run: |
+          echo "Building with Go $(cat .go-version)"
+          echo "go-version=$(cat .go-version)" >> $GITHUB_OUTPUT
+
+  set-product-version:
+    runs-on: ubuntu-latest
+    outputs:
+      product-version: ${{ steps.set-product-version.outputs.product-version }}
+      product-base-version: ${{ steps.set-product-version.outputs.base-product-version }}
+      product-prerelease-version: ${{ steps.set-product-version.outputs.prerelease-product-version }}
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # https://github.com/actions/checkout/releases/tag/v3.2.0
+      - name: Set Product version
+        id: set-product-version
+        uses: hashicorp/actions-set-product-version@v1
+
+  generate-metadata-file:
+    needs: set-product-version
+    runs-on: ubuntu-latest
+    outputs:
+      filepath: ${{ steps.generate-metadata-file.outputs.filepath }}
+    steps:
+      - name: "Checkout directory"
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # https://github.com/actions/checkout/releases/tag/v3.2.0
+      - name: Generate metadata file
+        id: generate-metadata-file
+        uses: hashicorp/actions-generate-metadata@v1
+        with:
+          version: ${{ needs.set-product-version.outputs.product-version }}
+          product: ${{ env.PKG_NAME }}
+          repositoryOwner: "hashicorp"
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # https://github.com/actions/upload-artifact/releases/tag/v3.1.1
+        with:
+          name: metadata.json
+          path: ${{ steps.generate-metadata-file.outputs.filepath }}
+
+  build:
+    needs:
+      - get-go-version
+      - set-product-version
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - { goos: "linux", goarch: "386" }
+          - { goos: "linux", goarch: "amd64" }
+          - { goos: "linux", goarch: "arm" }
+          - { goos: "linux", goarch: "arm64" }
+          - { goos: "freebsd", goarch: "386" }
+          - { goos: "freebsd", goarch: "amd64" }
+          - { goos: "freebsd", goarch: "arm" }
+          - { goos: "freebsd", goarch: "arm64" }
+          - { goos: "openbsd", goarch: "386" }
+          - { goos: "openbsd", goarch: "amd64" }
+          - { goos: "solaris", goarch: "amd64" }
+          - { goos: "darwin", goarch: "arm64" }
+          - { goos: "darwin", goarch: "amd64" }
+          - { goos: "windows", goarch: "386" }
+          - { goos: "windows", goarch: "amd64" }
+          - { goos: "windows", goarch: "arm64" }
+      fail-fast: true
+    name: Go ${{ needs.get-go-version.outputs.go-version }} ${{ matrix.goos }} ${{ matrix.goarch }} build
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # https://github.com/actions/checkout/releases/tag/v3.2.0
+      - uses: hashicorp/actions-go-build@v0.1.7
+        env:
+          BASE_VERSION: ${{ needs.set-product-version.outputs.product-base-version }}
+          PRERELEASE_VERSION: ${{ needs.set-product-version.outputs.product-prerelease-version}}
+          METADATA_VERSION: ${{ env.METADATA }}
+        with:
+          product_name: ${{ env.PKG_NAME }}
+          product_version: ${{ needs.set-product-version.outputs.product-version }}
+          go_version: ${{ needs.get-go-version.outputs.go-version }}
+          os: ${{ matrix.goos }}
+          arch: ${{ matrix.goarch }}
+          reproducible: report
+          instructions: |
+            go build -trimpath -ldflags "-s -w" -o "$BIN_PATH" ./cmd/hc-install
+
+      - name: Package
+        if: ${{ matrix.goos == 'linux' }}
+        uses: hashicorp/actions-packaging-linux@v1
+        with:
+          name: ${{ github.event.repository.name }}
+          description: "hc-install CLI allows installing multiple versions of HashiCorp products in automation"
+          arch: ${{ matrix.goarch }}
+          version: ${{ needs.set-product-version.outputs.product-version }}
+          maintainer: "HashiCorp"
+          homepage: "https://github.com/hashicorp/hc-install"
+          license: "MPL-2.0"
+          binary: "dist/${{ env.PKG_NAME }}"
+          deb_depends: "openssl"
+          rpm_depends: "openssl"
+
+      - name: Set Package Names
+        if: ${{ matrix.goos == 'linux' }}
+        run: |
+          echo "RPM_PACKAGE=$(basename out/*.rpm)" >> $GITHUB_ENV
+          echo "DEB_PACKAGE=$(basename out/*.deb)" >> $GITHUB_ENV
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # https://github.com/actions/upload-artifact/releases/tag/v3.1.1
+        if: ${{ matrix.goos == 'linux' }}
+        with:
+          name: ${{ env.RPM_PACKAGE }}
+          path: out/${{ env.RPM_PACKAGE }}
+
+      - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # https://github.com/actions/upload-artifact/releases/tag/v3.1.1
+        if: ${{ matrix.goos == 'linux' }}
+        with:
+          name: ${{ env.DEB_PACKAGE }}
+          path: out/${{ env.DEB_PACKAGE }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
diff --git a/.release/ci.hcl b/.release/ci.hcl
@@ -0,0 +1,89 @@
+schema = "1"
+
+project "hc-install" {
+  // team is currently unused and has no meaning
+  // but is required to be non-empty by CRT orchestrator
+  team = "_UNUSED_"
+  slack {
+    notification_channel = "C01QDH3Q37W" // #feed-terraform-exec
+  }
+  github {
+    organization     = "hashicorp"
+    repository       = "hc-install"
+    release_branches = ["main"]
+  }
+}
+
+event "build" {
+  action "build" {
+    organization = "hashicorp"
+    repository   = "hc-install"
+    workflow     = "build"
+  }
+}
+
+event "prepare" {
+  depends = ["build"]
+
+  action "prepare" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "prepare"
+    depends      = ["build"]
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "trigger-staging" {
+  // This event is dispatched by the bob trigger-promotion command
+  // and is required - do not delete.
+}
+
+event "promote-staging" {
+  depends = ["trigger-staging"]
+  action "promote-staging" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "promote-staging"
+    config       = "release-metadata.hcl"
+  }
+
+  notification {
+    on = "fail"
+  }
+}
+
+event "trigger-production" {
+  // This event is dispatched by the bob trigger-promotion command
+  // and is required - do not delete.
+}
+
+event "promote-production" {
+  depends = ["trigger-production"]
+  action "promote-production" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "promote-production"
+  }
+
+  notification {
+    on = "always"
+  }
+}
+
+// promote Linux packages to production repo
+event "promote-production-packaging" {
+  depends = ["promote-production"]
+  action "promote-production-packaging" {
+    organization = "hashicorp"
+    repository   = "crt-workflows-common"
+    workflow     = "promote-production-packaging"
+  }
+
+  notification {
+    on = "always"
+  }
+}
diff --git a/.release/release-metadata.hcl b/.release/release-metadata.hcl
@@ -0,0 +1,2 @@
+url_license = "https://github.com/hashicorp/hc-install/blob/main/LICENSE"
+url_source_repository = "https://github.com/hashicorp/hc-install"
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -0,0 +1,10 @@
+binary {
+  go_modules = true # Scan the Go modules found in the binary
+  osv        = true # Use the Open Source Vulnerabilities (OSV) database
+  oss_index  = true # Use the Sonatype OSS Index vulnerability database
+  nvd        = true # Use the Nation Vulnerability Database
+
+  secrets { # Scan for secrets in the binary
+    all = true
+  }
+}
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -0,0 +1,38 @@
+# Contributing Notes
+
+## Releasing
+
+Releases are made on a reasonably regular basis by the maintainers (HashiCorp staff), using our internal tooling. The following notes are only relevant to maintainers.
+
+Release process:
+
+ 1. Update [`version/VERSION`](https://github.com/hashicorp/hc-install/blob/main/version/VERSION) to remove `-dev` suffix and set it to the intended version to be released
+ 1. Wait for [`build` workflow](https://github.com/hashicorp/hc-install/actions/workflows/build.yml) to finish
+ 1. Ensure you have the appropriate GitHub PAT set in `BOB_GITHUB_TOKEN` variable
+ 1. Set `SHA` to the corresponding (long) last commit SHA (after updating `VERSION` file) & `VERSION` to the same version
+ 1. Use `bob` to promote artifacts to **staging**
+ ```
+bob trigger-promotion \
+	--product-name=hc-install \
+	--environment=hc-install-oss \
+	--org=hashicorp \
+	--repo=hc-install \
+	--slack-channel=C01QDH3Q37W \
+	--product-version=$VERSION \
+	--sha=$SHA \
+	--branch=main \
+	staging
+ ```
+ 1. Use `bob` to promote artifacts to **production**
+ ```
+bob trigger-promotion \
+	--product-name=hc-install \
+	--environment=hc-install-oss \
+	--org=hashicorp \
+	--repo=hc-install \
+	--slack-channel=C01QDH3Q37W \
+	--product-version=$VERSION \
+	--sha=$SHA \
+	--branch=main \
+	production
+ ```