Merge pull request #47 from OpenCHAMI/alexlovelltroy-patch-2 #170

Workflow file for this run

.github/workflows/build-rpm.yaml at e44203b

	name: Build and Sign RPM

	on:
	push:
	branches:
	- main
	tags:
	- 'v*'
	workflow_dispatch:
	inputs:
	release_tag:
	description: 'Release tag to publish (e.g., v1.2.3). Leave empty to use the tag from a push.'
	required: false
	default: ''

	permissions:
	contents: write

	jobs:
	build-rpm:
	runs-on: ubuntu-latest
	container:
	image: fedora:latest
	env:
	RELEASE_TAG: ${{ github.event.inputs.release_tag }}

	steps:
	- name: Install dependencies
	run: \|
	dnf install -y \
	rpm-build rpm-sign rpmlint gcc make redhat-rpm-config \
	gh gpg gpg2 gnupg2 expect rpmdevtools createrepo

	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Import GPG key
	run: \|
	echo "$GPG_PRIVATE_KEY" \| base64 --decode \| gpg --import --batch --yes
	env:
	GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}

	- name: Show signing subkey expiration
	shell: bash
	run: \|
	gpg --list-secret-keys --with-colons \
	\| awk -F: '
	$1=="ssb" && $12 ~ /s/ {
	keyid = $5
	expires = $7
	if (expires == "" \|\| expires == "0") {
	edate = "never"
	} else {
	cmd = "date -u -d @" expires " +\"%Y-%m-%d %H:%M:%S UTC\""
	cmd \| getline edate
	close(cmd)
	}
	printf "signing subkey %s expires: %s\n", keyid, edate
	}
	'

	- name: Get version
	id: get_version
	run: \|
	if [ -n "$RELEASE_TAG" ]; then
	VERSION=${RELEASE_TAG#v}
	elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
	VERSION=${GITHUB_REF#refs/tags/v}
	else
	VERSION=0.0.0
	fi
	echo "VERSION=${VERSION}" >> $GITHUB_ENV
	echo "Version is ${VERSION}"

	- name: Setup RPM build environment
	run: \|
	rpmdev-setuptree
	cp ./*.spec ~/rpmbuild/SPECS/
	cp -r ./* ~/rpmbuild/SOURCES/ \|\| true

	- name: Create source tarball
	run: \|
	mkdir -p ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}
	cp -r ./* ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}/
	tar -czf ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz \
	-C ~/rpmbuild/SOURCES openchami-${{ env.VERSION }} \
	--transform "s\|openchami-${{ env.VERSION }}-${{ env.COMMIT_SHA }}\|openchami-${{ env.VERSION }}\|"

	- name: Sign source tarball
	run: \|
	echo "$GPG_PASSPHRASE" \| gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
	--armor --detach-sign \
	--local-user admin@openchami.org \
	--output ~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz.asc \
	~/rpmbuild/SOURCES/openchami-${{ env.VERSION }}.tar.gz
	env:
	GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

	- name: Build RPM package
	run: \|
	rpmbuild -ba ~/rpmbuild/SPECS/*.spec \
	--define "version ${{ env.VERSION }}" \
	--define "rel 1"

	- name: Sign RPM packages
	run: \|
	for rpm in $(find ~/rpmbuild/RPMS/ -type f -name "*.rpm"); do
	echo "$GPG_PASSPHRASE" \| gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
	--detach-sign --armor "$rpm"
	rpm --define "_gpg_name admin@openchami.org" --addsign "$rpm"
	done
	env:
	GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

	- name: Find RPM file
	if: env.VERSION != '0.0.0'
	id: find_rpm
	run: \|
	rpm_file=$(ls ~/rpmbuild/RPMS/noarch/*.rpm)
	echo "rpm_file=${rpm_file}" >> $GITHUB_ENV
	echo "::set-output name=path::${rpm_file}"

	- name: Compute RPM Checksum
	if: env.VERSION != '0.0.0'
	id: compute_checksum
	run: \|
	rpm_file=$(ls ~/rpmbuild/RPMS/noarch/*.rpm)
	checksum=$(sha256sum "$rpm_file" \| awk '{print $1}')
	echo "checksum=${checksum}" >> $GITHUB_ENV
	echo "::set-output name=checksum::${checksum}"

	- name: Export Public GPG Key
	if: env.VERSION != '0.0.0'
	run: \|
	gpg --armor --export admin@openchami.org > public_gpg_key.asc

	- name: Get Public GPG Key Content
	if: env.VERSION != '0.0.0'
	id: get_pubkey
	run: \|
	key=$(cat public_gpg_key.asc)
	escaped_key=$(echo "$key" \| sed ':a;N;$!ba;s/\n/\\n/g')
	echo "::set-output name=pubkey::${escaped_key}"

	- name: Genereate release notes
	if: env.VERSION != '0.0.0'
	id: gen_rel_notes
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	{
	echo '# OpenCHAMI v${{ env.VERSION }}'
	echo ''
	echo 'RPM SHA256 Checksum:'
	echo '`${{ steps.compute_checksum.outputs.checksum }}`'
	echo ''
	gh api "repos/${GITHUB_REPOSITORY}/releases/generate-notes" -F tag_name='v${{ env.VERSION }}' --jq .body
	} > CHANGELOG.md

	- name: Create GitHub Release
	if: env.VERSION != '0.0.0'
	id: create_release
	uses: actions/create-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	tag_name: v${{ env.VERSION }}
	release_name: v${{ env.VERSION }}
	draft: false
	prerelease: false
	body_path: CHANGELOG.md

	- name: Upload RPM to GitHub Release
	if: env.VERSION != '0.0.0'
	uses: actions/upload-release-asset@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: ${{ steps.find_rpm.outputs.path }}
	asset_name: openchami-${{ env.VERSION }}.rpm
	asset_content_type: application/x-rpm

	- name: Upload Public GPG Key to GitHub Release
	if: env.VERSION != '0.0.0'
	uses: actions/upload-release-asset@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	upload_url: ${{ steps.create_release.outputs.upload_url }}
	asset_path: public_gpg_key.asc
	asset_name: public_gpg_key.asc
	asset_content_type: text/plain

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #47 from OpenCHAMI/alexlovelltroy-patch-2 #170

Workflow file

Merge pull request #47 from OpenCHAMI/alexlovelltroy-patch-2 #170

Uh oh!

Workflow file for this run