[forwardport] ci/cd: publish binaries onto a release when we create a tag (#609) (#611)

This diff forwardports 856e436e20d511a4f0d618546da7921fa9f8c5f6 to the master branch

Original commit message:

- - -

This pull request changes `mk` and GitHub workflows to build and publish binaries on tag. We also update the documentation to explain this new branching model. Basically, we have release branches where we produce binary packages and we add extra code, on tag, to publish such packages inside a release.

We discussed removing most secrets from builds in this repository and having a different tool/repository that also takes secrets as input for doing follow-up actions after publishing. As a consequence, this pull request also removes all pieces of code that require secrets. The next step is to reinstate this code in this new repository/tool.

The existing code in `mk` also implemented caching. This feature was useful when doing local builds because it reduced the time required to obtain binary releases. With builds running as part of GitHub Actions, we don't need caching because we spawn parallel machines to build binaries. Therefore, let us also remove caching, which makes the code simpler. (Caching in itself is hard and in https://github.com/ooni/probe/issues/1875 I noted that, for example, caching of the `ooni/go` repository was leading to some unwanted behaviour when changing the branch. Without caching, this behaviour is gone and we always generally use fresh information to produce builds.) Of course, this means that local builds are now slower, but I do not think this is a problem _because_ we want to use GitHub Actions for building in the common case.

Reference issues: https://github.com/ooni/probe/issues/1879 and https://github.com/ooni/probe/issues/1875.

The final aspect to mention to conclude this description is an implementation one:

```
          gh release create -p $tag --target $GITHUB_SHA || true
```

The code above uses `|| true` because there could already be a release. So, basically, it means that, if a release does not already exist, then we're going to create one. Otherwise, it does not matter because there's already a release.
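
A stricter variant of the `|| true` step described above, as an added example that is not part of this commit: it tolerates an already existing release (including one created by a parallel job) but fails on any other `gh` error. `ensure_release` is a hypothetical helper name; the `gh release create` flags are the ones shown in the commit message.

```shell
#!/bin/sh
# Added example, not code from this commit.
# ensure_release (hypothetical helper): create the release if missing,
# continue if it already exists, fail on any other error (auth, network,
# bad tag) instead of hiding it behind `|| true`.

ensure_release() {
    tag=$1
    target=$2
    if [ -z "$tag" ] || [ -z "$target" ]; then
        echo "usage: ensure_release TAG TARGET_SHA" >&2
        return 2
    fi
    # Try to create first: parallel build jobs may race and only one wins.
    if gh release create -p "$tag" --target "$target"; then
        echo "created release $tag" >&2
        return 0
    fi
    # Creation failed. That is only harmless if the release exists now.
    if gh release view "$tag" >/dev/null 2>&1; then
        echo "release $tag already exists, continuing" >&2
        return 0
    fi
    echo "error: cannot create or find release $tag" >&2
    return 1
}

# Usage inside a workflow step (assumes $tag and $GITHUB_SHA are set):
#   ensure_release "$tag" "$GITHUB_SHA"
```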
Simone Basso
2021-11-23 15:56:25 +01:00
committed by GitHub
parent 5b9f701317
commit fdbf871103
49 changed files with 957 additions and 2014 deletions
+1
@@ -1 +1,2 @@
/miniooni-*
/ooniprobe-*
+5 -2
@@ -14,8 +14,11 @@ apk add --no-progress gcc git linux-headers musl-dev
# some of the following exports are redundant but are however
# useful because they provide explicit logging
export GOARM=$GOARM
export GOPATH=$GOPATH
export CGO_ENABLED=1
export GOOS=linux
export GOARCH=$GOARCH
go build -o "./CLI/linux/$GOARCH/" -ldflags='-s -w -extldflags "-static"' "$@" ./cmd/ooniprobe
archname=$GOARCH
if [ "$GOARCH" = "arm" -a "$GOARM" = "7" ]; then
archname="armv7"
fi
go build -o "./CLI/ooniprobe-linux-$archname" -ldflags='-s -w -extldflags "-static"' "$@" ./cmd/ooniprobe
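Review bot: In the new `if [ "$GOARCH" = "arm" -a "$GOARM" = "7" ]` test, the `-a` operator is marked obsolescent in POSIX `test` and can parse ambiguously; prefer `[ "$GOARCH" = "arm" ] && [ "$GOARM" = "7" ]`, the form the Debian packaging script in this same diff uses for its argument check. Also, an `arm` build with any `GOARM` other than 7 is written to `ooniprobe-linux-arm`, so the published file name does not say which ARM variant it contains; either reject other values explicitly or encode `GOARM` in the name.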
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-3
@@ -1,3 +0,0 @@
/miniooni
/ooniprobe
/ooniprobe.asc
-76
@@ -1,76 +0,0 @@
#!/bin/sh
# This script creates a Debian package. When run by `./mk`, it
# is run inside a debian:stable container. It's fine to also
# run this script from any debian-like system, as long as the
# following ASSUMPTIONS are met:
#
# 1. the `ooniprobe` we are packaging is available at
# this path `./CLI/linux/$GOARCH/ooniprobe`;
#
# 2. we are running on a debian system that is capable
# of running binaries for the architecture that we wanna
# package, either natively or via qemu-user-static.
if [ $# -ne 1 ] && [ $# -ne 2 ]; then
echo "usage: $0 {arch} [run_number]" 1>&2
exit 1
fi
goarch=$1
run_number=$2
set -ex
# Copy the target binary in the correct location expected
# by the debian/ooniprobe-cli.install file.
rm -rf ./debian/bin
mkdir -p ./debian/bin
cp "./CLI/linux/$goarch/ooniprobe" ./debian/bin
# figure out the version number from the binary itself (which rests
# on the assumption that we can run such a binary)
version=$(./debian/bin/ooniprobe version)
if [ -n "$run_number" ]; then
version="${version}~${run_number}"
fi
darch=""
case $goarch in
386)
darch="i386"
;;
amd64)
darch="amd64"
;;
arm)
darch="armhf"
;;
arm64)
darch="arm64"
;;
esac
echo "Building for GOARCH=$goarch / DEBARCH=$darch"
# The OONI_DEB_DRY_RUN is a semi-undocumented feature allowing
# us to see the commands that would be run by this script.
$OONI_DEB_DRY_RUN dpkg --add-architecture $darch
# install the dependencies required by the build process
$OONI_DEB_DRY_RUN apt-get update -q
$OONI_DEB_DRY_RUN apt-get build-dep -y --no-install-recommends .
# keep the original changelog file safe
$OONI_DEB_DRY_RUN cp ./debian/changelog ./debian/changelog.oocopy
$OONI_DEB_DRY_RUN dch -v "$version" "New version ${version}"
$OONI_DEB_DRY_RUN dpkg-buildpackage -a $darch -us -uc -b
# restore the original changelog file
$OONI_DEB_DRY_RUN mv ./debian/changelog.oocopy ./debian/changelog
# move the package so that we don't loose track
# of it when using a build container
$OONI_DEB_DRY_RUN mv ../*.deb .
# install the package on the container as a smoke test to
# ensure that it is installable.
DEBIAN_FRONTEND=noninteractive dpkg -i "ooniprobe-cli_${version}_${darch}.deb"
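Review bot: This deleted script builds with `dpkg-buildpackage -a $darch -us -uc -b` (unsigned) and reads no credential variables, so its removal is not covered by the commit message's rationale of dropping code that requires secrets. The message should say where `.deb` building now happens, and whether the final `dpkg -i "ooniprobe-cli_${version}_${darch}.deb"` installability smoke test is preserved there; nothing in the visible hunks replaces it.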
-52
@@ -1,52 +0,0 @@
#!/bin/sh
# This script publishes Debian packages. When run by `mk`, it's
# run inside of an `ubuntu:20.04` container. It's fine also to run
# this script from a live Debian-like system as long as all the
# following assumptions are met:
#
# 1. Debian packages we want to publish are in the toplevel dir.
# ensure that we have all the required environment variables.
fail=0
if [ -z "$AWS_ACCESS_KEY_ID" ]; then
echo "warning: missing AWS_ACCESS_KEY_ID environment variable" 1>&2
fail=1
fi
if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
echo "warning: missing AWS_SECRET_ACCESS_KEY environment variable" 1>&2
fail=1
fi
if [ -z "$DEB_GPG_KEY" ]; then
echo "warning: missing DEB_GPG_KEY environment variable" 1>&2
fail=1
fi
if [ $fail -ne 0 ]; then
exit 1
fi
set -ex
export DEBIAN_FRONTEND=noninteractive
maybe_with_sudo() {
if command -v sudo 1>/dev/null; then
sudo "$@"
else
"$@"
fi
}
# install the dependencies required by the uploader.
maybe_with_sudo apt-get update -q
maybe_with_sudo apt-get install --yes --no-install-recommends curl git make python3 python3-requests python3-gnupg s3cmd
# pull the latest version of the debops-ci script from ooni/sysadmin.
curl -fsSLO https://raw.githubusercontent.com/ooni/sysadmin/master/tools/debops-ci
chmod +x debops-ci
# loop over the available packages and upload.
for debpkg in *.deb; do
# for example: ooniprobe-cli_3.10.0_i386.deb
arch=$(echo "$debpkg" | awk -F_ '{print $3}' | sed 's/\.deb$//g')
./debops-ci --show-commands upload --bucket-name ooni-deb --arch "$arch" "$debpkg"
done
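Review bot: The deleted `curl -fsSLO https://raw.githubusercontent.com/ooni/sysadmin/master/tools/debops-ci` followed by `chmod +x debops-ci` fetched whatever was on `master` at build time and ran it with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `DEB_GPG_KEY` in the environment, with no pinning or integrity check. Removing it here is fine, but since the commit message says this code will be reinstated in a separate repository/tool, please record in the follow-up issue that the uploader should be fetched at a fixed commit and verified against a known digest before it is executed with those secrets.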
-3
@@ -1,3 +0,0 @@
/miniooni.exe
/ooniprobe.exe
/ooniprobe.exe.asc
-3
@@ -1,3 +0,0 @@
/miniooni.exe
/ooniprobe.exe
/ooniprobe.exe.asc