Fix release build again (#1400)

* Fix build again

* Recommend (r)age over minisign password

* Dry-run the entire release process

* Reorg a bit so dry-run works

* Fix secret name

* Add check on age key

* Pass secrets down

* Use a cross-platform "date"

* Delete signing key artifact to be extra safe

* Last little bits
Félix Saparelli 2023-09-27 00:17:17 +13:00 committed by GitHub
parent 3f29e13e42
commit 5d4333d5c8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 189 additions and 140 deletions

.github/scripts/ephemeral-crate.sh (new executable file, 12 lines)

@ -0,0 +1,12 @@
#!/usr/bin/env bash
set -euxo pipefail
cat >> crates/bin/Cargo.toml <<EOF
[package.metadata.binstall.signing]
algorithm = "minisign"
pubkey = "$(tail -n1 minisign.pub)"
EOF
cp minisign.pub crates/bin/minisign.pub
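Review bot: the script appends to crates/bin/Cargo.toml unconditionally and reads `minisign.pub` without checking that it exists, so a missing or empty artifact does not stop the run: a failing `$(tail -n1 minisign.pub)` inside the heredoc body is not caught by `set -e` (only `cat`'s status counts), and the published crate would carry `pubkey = ""`. Add a guard before the heredoc, e.g. `[[ -s minisign.pub ]] || { echo "minisign.pub missing or empty"; exit 1; }`, and consider refusing to run when `[package.metadata.binstall.signing]` is already present, since a second invocation would emit a duplicate table and invalid TOML.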


@ -2,21 +2,12 @@
set -euxo pipefail set -euxo pipefail
cargo binstall -y rsign2 cargo binstall -y rsign2 rage
rsign generate -f -W -p minisign.pub -s minisign.key rsign generate -f -W -p minisign.pub -s minisign.key
cat >> crates/bin/Cargo.toml <<EOF
[package.metadata.binstall.signing]
algorithm = "minisign"
pubkey = "$(tail -n1 minisign.pub)"
EOF
echo "public=$(tail -n1 minisign.pub)" >> "$GITHUB_OUTPUT"
cp minisign.pub crates/bin/minisign.pub
set +x set +x
echo "::add-mask::$(tail -n1 minisign.key)" echo "::add-mask::$(tail -n1 minisign.key)"
echo "private=$(tail -n1 minisign.key)" >> "$GITHUB_OUTPUT"
set -x set -x
rage --encrypt --recipient "$AGE_KEY_PUBLIC" --output minisign.key.age minisign.key
rm minisign.key rm minisign.key
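Review bot: `AGE_KEY_PUBLIC` is used as the rage recipient with no check that it is non-empty, whereas the sign script in this same change validates `AGE_KEY_SECRET`; a repository variable that is set but blank would surface only as a rage error on an empty `--recipient`, after the private key has already been generated. Mirror the check here, before `rsign generate`: `[[ -z "$AGE_KEY_PUBLIC" ]] && { echo "!!! Empty age public key !!!"; exit 1; }`, so no private key is produced when it cannot be encrypted. Keeping the `::add-mask::` line is still worthwhile even though the private key no longer goes to `$GITHUB_OUTPUT`.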


@ -2,14 +2,15 @@
set -euo pipefail set -euo pipefail
echo "untrusted comment: rsign encrypted secret key" > minisign.key [[ -z "$AGE_KEY_SECRET" ]] && { echo "!!! Empty age key secret !!!"; exit 1; }
cat >> minisign.key <<< "$SIGNING_KEY" cat >> age.key <<< "$AGE_KEY_SECRET"
set -x set -x
cargo binstall -y rsign2 cargo binstall -y rsign2 rage
rage --decrypt --identity age.key --output minisign.key minisign.key.age
ts=$(date --utc --iso-8601=seconds) ts=$(node -e 'console.log((new Date).toISOString())')
git=$(git rev-parse HEAD) git=$(git rev-parse HEAD)
comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID" comment="gh=$GITHUB_REPOSITORY git=$git ts=$ts run=$GITHUB_RUN_ID"
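Review bot: `cat >> age.key <<< "$AGE_KEY_SECRET"` creates the identity file under the runner's default umask and with append semantics; prefer `umask 077` (or `install -m 600 /dev/null age.key`) and a plain `>` so the file is never world-readable and never accumulates a stale copy. The switch to `ts=$(node -e ...)` assumes `node` is on PATH on every runner this script is invoked on, which holds for GitHub-hosted images but is worth a comment since the script is also run on the Windows and macOS jobs via `shell: bash`.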
@ -17,3 +18,4 @@ for file in "$@"; do
rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file" rsign sign -W -s minisign.key -x "$file.sig" -t "$comment" "$file"
done done
rm age.key minisign.key
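Review bot: `rm age.key minisign.key` is only reached if every `rsign sign` succeeds; under `set -e` a failure inside the loop exits before the cleanup, leaving the decrypted signing key and the age identity on the runner's disk for the rest of the job. Register the cleanup as a trap right after the files are created, e.g. `trap 'rm -f age.key minisign.key' EXIT`, so it runs on every exit path.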


@ -125,9 +125,17 @@ jobs:
- run: just avoid-dev-deps - run: just avoid-dev-deps
- run: just lint - run: just lint
release-builds: release-dry-run:
uses: ./.github/workflows/release-build.yml uses: ./.github/workflows/release-cli.yml
secrets: inherit
with: with:
info: |
{
"is-release": false,
"crate": "cargo-binstall",
"version": "0.0.0",
"notes": ""
}
CARGO_PROFILE_RELEASE_LTO: no CARGO_PROFILE_RELEASE_LTO: no
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 4 CARGO_PROFILE_RELEASE_CODEGEN_UNITS: 4
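Review bot: `secrets: inherit` hands every repository secret (including `CARGO_REGISTRY_TOKEN` and `AGE_KEY_SECRET`) to the dry-run on each CI run; since the reusable workflow reads exactly those two, consider passing them explicitly so the CI job's blast radius is visible in this file. Also, `"is-release": false` is a JSON boolean here while `release.yml` passes `toJSON(needs.info.outputs)`, whose values are all strings; the `== 'true'` / `!= 'true'` gates in release-cli.yml happen to behave correctly for both, but `"is-release": "false"` keeps the two call sites consistent and avoids relying on expression type coercion.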
@ -179,7 +187,7 @@ jobs:
- test - test
- cross-check - cross-check
- lint - lint
- release-builds - release-dry-run
- detect-targets-alpine-test - detect-targets-alpine-test
- detect-targets-ubuntu-test - detect-targets-ubuntu-test
if: always() # always run even if dependencies fail if: always() # always run even if dependencies fail

.github/workflows/release-cli.yml (new file, 108 lines)

@ -0,0 +1,108 @@
name: Release CLI
on:
workflow_call:
inputs:
info:
description: "The release metadata JSON"
required: true
type: string
CARGO_PROFILE_RELEASE_LTO:
description: "Used to speed up CI"
required: false
type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
description: "Used to speed up CI"
required: false
type: string
jobs:
tag:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- if: fromJSON(inputs.info).is-release == 'true'
name: Push cli release tag
uses: mathieudutour/github-tag-action@v6.1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
custom_tag: ${{ fromJSON(inputs.info).version }}
tag_prefix: v
keygen:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: cargo-bins/cargo-binstall@main
- name: Create ephemeral keypair
id: keypair
env:
AGE_KEY_PUBLIC: ${{ vars.AGE_KEY_PUBLIC }}
run: .github/scripts/ephemeral-gen.sh
- uses: actions/upload-artifact@v3
with:
name: minisign.pub
path: minisign.pub
- uses: actions/upload-artifact@v3
with:
name: minisign.key.age
path: minisign.key.age
retention-days: 1
- name: Check that key can be decrypted
env:
AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash
run: .github/scripts/ephemeral-sign.sh minisign.pub
package:
needs:
- tag
- keygen
uses: ./.github/workflows/release-packages.yml
secrets: inherit
with:
publish: ${{ inputs.info }}
CARGO_PROFILE_RELEASE_LTO: ${{ inputs.CARGO_PROFILE_RELEASE_LTO }}
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: ${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}
publish:
needs: package
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: .github/scripts/ephemeral-crate.sh
- if: fromJSON(inputs.info).is-release != 'true'
name: DRY-RUN Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty --dry-run
- if: fromJSON(inputs.info).is-release == 'true'
name: Publish to crates.io
env:
crate: ${{ fromJSON(inputs.info).crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty
- if: fromJSON(inputs.info).is-release == 'true'
name: Make release latest
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
release_name: v${{ fromJSON(inputs.info).version }}
tag: v${{ fromJSON(inputs.info).version }}
body: ${{ fromJSON(inputs.info).notes }}
promote: true
file: minisign.pub
- if: fromJSON(inputs.info).is-release == 'true'
name: Delete signing key artifact
uses: geekyeggo/delete-artifact@v2
with:
name: minisign.key.age
failOnError: false
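Review bot: `minisign.pub` is the trust anchor that ends up in the published Cargo.toml, and the only thing tying the key `package` signed with to the key `publish` embeds is an artifact name, which any job in the same run can overwrite. Exposing the public key as a `keygen` job output as well (the pre-change workflow carried it as `steps.keypair.outputs.public`), adding `keygen` to `publish`'s `needs`, and comparing that output to the downloaded file before running `ephemeral-crate.sh` closes that gap cheaply. Separately, the 'Delete signing key artifact' step is gated on `is-release == 'true'` and uses `failOnError: false`, so on dry runs the encrypted key artifact lingers for its 1-day retention and a failed delete on a real release is silent; running the delete unconditionally and failing loudly is the safer default.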


@ -1,29 +1,20 @@
name: Build for release name: Build packages for release
on: on:
workflow_dispatch: # can't publish from dispatch
workflow_call: workflow_call:
inputs: inputs:
publish: publish:
description: "Set to the release metadata JSON to publish the release" description: "The release metadata JSON"
required: false required: true
type: string
publickey:
description: "Minisign public key. Required when publishing"
required: false
type: string type: string
CARGO_PROFILE_RELEASE_LTO: CARGO_PROFILE_RELEASE_LTO:
description: "Set to override default release profile lto settings" description: "Used to speed up CI"
required: false required: false
type: string type: string
CARGO_PROFILE_RELEASE_CODEGEN_UNITS: CARGO_PROFILE_RELEASE_CODEGEN_UNITS:
description: "Set to override default release profile codegen-units settings" description: "Used to speed up CI"
required: false required: false
type: string type: string
secrets:
signingkey:
description: "Minisign private key. Required when publishing"
required: false
env: env:
CARGO_TERM_COLOR: always CARGO_TERM_COLOR: always
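Review bot: dropping the `secrets:` block means this reusable workflow no longer declares what it needs, yet its sign steps read `secrets.AGE_KEY_SECRET` and rely on the caller using `secrets: inherit`. Either declare `secrets: { AGE_KEY_SECRET: { required: true } }` so a caller that forgets to pass it fails at workflow parse time rather than in the sign script's emptiness check (callers using `secrets: inherit` still satisfy a declared secret), or add a comment under `inputs:` stating the requirement. Removing `workflow_dispatch` is consistent with `publish` becoming required, since a manual dispatch has no way to supply it.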
@ -69,15 +60,7 @@ jobs:
if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS if: inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS
run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV" run: echo "CARGO_PROFILE_RELEASE_CODEGEN_UNITS=${{ inputs.CARGO_PROFILE_RELEASE_CODEGEN_UNITS }}" >> "$GITHUB_ENV"
- name: Include public key in package - uses: cargo-bins/cargo-binstall@main
if: inputs.publickey
env:
PUBLIC_KEY: ${{ inputs.publickey }}
shell: bash
run: |
echo "untrusted comment: minisign public key" > minisign.pub
cat >> minisign.pub <<< "$PUBLIC_KEY"
- uses: ./.github/actions/just-setup - uses: ./.github/actions/just-setup
with: with:
tools: cargo-auditable tools: cargo-auditable
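Review bot: `cargo-bins/cargo-binstall@main` now runs unconditionally in every package job, including the ones that later decrypt the signing key; a floating branch ref for the action that installs the tool used to fetch `rsign2` and `rage` is a supply-chain weak point in a signing pipeline. Pin it to a release tag or commit SHA (the `actions/*@v3` refs deserve the same treatment, but this is the one that changed here).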
@ -89,6 +72,9 @@ jobs:
- run: just toolchain rust-src - run: just toolchain rust-src
- run: just ci-install-deps - run: just ci-install-deps
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: just package - run: just package
- if: runner.os == 'Windows' - if: runner.os == 'Windows'
run: Get-ChildItem packages/ run: Get-ChildItem packages/
@ -101,16 +87,16 @@ jobs:
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- if: inputs.publish - uses: actions/download-artifact@v3
uses: cargo-bins/cargo-binstall@main with:
name: minisign.key.age
- if: inputs.publish - name: Sign package
env: env:
SIGNING_KEY: ${{ secrets.signingkey }} AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
shell: bash shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-* run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-*
- if: inputs.publish - if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release name: Upload to release
uses: svenstaro/upload-release-action@v2 uses: svenstaro/upload-release-action@v2
with: with:
@ -120,7 +106,8 @@ jobs:
body: ${{ fromJSON(inputs.publish).notes }} body: ${{ fromJSON(inputs.publish).notes }}
file: packages/cargo-binstall-* file: packages/cargo-binstall-*
file_glob: true file_glob: true
- if: "! inputs.publish || runner.os == 'macOS'" prerelease: true
- if: "fromJSON(inputs.publish).is-release != 'true' || runner.os == 'macOS'"
name: Upload artifact name: Upload artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
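Review bot: adding `prerelease: true` here while the 'Make release latest' step in release-cli.yml uses `promote: true` means the release is only promoted after `cargo publish` succeeds; that ordering is the right fail-safe but is not obvious from either file on its own, so a one-line comment next to `prerelease: true` (promoted by release-cli.yml after publish) would save the next reader a search.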
@ -144,16 +131,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: cargo-bins/cargo-binstall@main
- name: Include public key in package
if: inputs.publickey
env:
PUBLIC_KEY: ${{ inputs.publickey }}
shell: bash
run: |
echo "untrusted comment: minisign public key" > minisign.pub
cat >> minisign.pub <<< "$PUBLIC_KEY"
- uses: taiki-e/install-action@v2 - uses: taiki-e/install-action@v2
with: with:
tool: just tool: just
@ -171,19 +149,22 @@ jobs:
name: aarch64-apple-darwin name: aarch64-apple-darwin
path: packages/ path: packages/
- uses: actions/download-artifact@v3
with:
name: minisign.pub
- run: ls -shalr packages/ - run: ls -shalr packages/
- run: just repackage-lipo - run: just repackage-lipo
- run: ls -shal packages/ - run: ls -shal packages/
- if: inputs.publish - uses: actions/download-artifact@v3
uses: cargo-bins/cargo-binstall@main with:
name: minisign.key.age
- if: inputs.publish - env:
env: AGE_KEY_SECRET: ${{ secrets.AGE_KEY_SECRET }}
SIGNING_KEY: ${{ secrets.signingkey }} shell: bash
run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-* run: .github/scripts/ephemeral-sign.sh packages/cargo-binstall-universal-*
- if: inputs.publish - if: fromJSON(inputs.publish).is-release == 'true'
name: Upload to release name: Upload to release
uses: svenstaro/upload-release-action@v2 uses: svenstaro/upload-release-action@v2
with: with:
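Review bot: the signing step for the universal package (the `- env:` step that sets `AGE_KEY_SECRET`) has no `name:`, unlike the 'Sign package' step in the per-target job, so it appears in the run log only by its `run:` line; give it the same name. The `minisign.pub` download before `just repackage-lipo` is needed because this job starts from a fresh checkout; a comment saying so would keep it from being removed as redundant with the download in the build matrix.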
@ -194,7 +175,8 @@ jobs:
file: packages/cargo-binstall-universal-* file: packages/cargo-binstall-universal-*
file_glob: true file_glob: true
overwrite: true overwrite: true
- if: "! inputs.publish" prerelease: true
- if: fromJSON(inputs.publish).is-release != 'true'
name: Upload artifact name: Upload artifact
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:


@ -22,7 +22,7 @@ jobs:
event-data: ${{ toJSON(github.event) }} event-data: ${{ toJSON(github.event) }}
extract-notes-under: '### Release notes' extract-notes-under: '### Release notes'
libtag: release-lib:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate != 'cargo-binstall' if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate != 'cargo-binstall'
needs: info needs: info
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -41,47 +41,11 @@ jobs:
env: env:
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
clitag: release-cli:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall' if: needs.info.outputs.crate == 'cargo-binstall'
needs: info needs: info
runs-on: ubuntu-latest uses: ./.github/workflows/release-cli.yml
steps: secrets: inherit
- uses: actions/checkout@v4
- name: Push cli release tag
uses: mathieudutour/github-tag-action@v6.1
with: with:
github_token: ${{ secrets.GITHUB_TOKEN }} info: ${{ toJSON(needs.info.outputs) }}
custom_tag: ${{ needs.info.outputs.version }}
tag_prefix: v
- uses: cargo-bins/cargo-binstall@main
- name: Create ephemeral keypair
id: keypair
run: .github/scripts/ephemeral-gen.sh
- name: Publish to crates.io
env:
crate: ${{ needs.info.outputs.crate }}
CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
run: cargo publish -p "$crate" --allow-dirty
- name: Upload public key to release
uses: svenstaro/upload-release-action@v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
release_name: v${{ needs.info.outputs.version }}
tag: v${{ needs.info.outputs.version }}
body: ${{ needs.info.outputs.notes }}
file: minisign.pub
outputs:
publickey: ${{ steps.keypair.outputs.public }}
signingkey: ${{ steps.keypair.outputs.private }}
package:
if: needs.info.outputs.is-release == 'true' && needs.info.outputs.crate == 'cargo-binstall'
needs:
- info
- clitag
uses: ./.github/workflows/release-build.yml
with:
publish: ${{ toJSON(needs.info.outputs) }}
publickey: ${{ needs.clitag.publickey }}
secrets:
signingkey: ${{ needs.clitag.signingkey }}
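Review bot: with `if: needs.info.outputs.crate == 'cargo-binstall'` no longer checking `is-release`, `release-cli` now runs the reusable workflow in dry-run mode on every event that reaches this job; that is the intent of the change, but since the tag, publish and promote steps in release-cli.yml all gate on `fromJSON(inputs.info).is-release == 'true'`, it is worth asserting that the `info` job always emits `is-release` (as the string `'false'` when not releasing) rather than leaving it unset, so the gates fail closed by design rather than by a null comparison. The removal of `signingkey: ${{ steps.keypair.outputs.private }}` is the main security win here: the minisign private key no longer transits job outputs at all, and the old `needs.clitag.publickey` / `needs.clitag.signingkey` references (missing `.outputs`) go with it.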


@ -10,10 +10,10 @@ This feature requires adding to the Cargo.toml metadata: no autodiscovery here!
Generate a [minisign](https://jedisct1.github.io/minisign/) keypair: Generate a [minisign](https://jedisct1.github.io/minisign/) keypair:
```console ```console
minisign -G -p signing.pub -s signing.key minisign -G -W -p signing.pub -s signing.key
# or with rsign2: # or with rsign2:
rsign generate -p signing.pub -s signing.key rsign generate -W -p signing.pub -s signing.key
``` ```
In your Cargo.toml, put: In your Cargo.toml, put:
@ -31,10 +31,10 @@ Save the `signing.key` as a secret in your CI, then use it when building package
```console ```console
tar cvf package-name.tar.zst your-files # or however tar cvf package-name.tar.zst your-files # or however
minisign -S -s signing.key -x package-name.tar.zst.sig -m package-name.tar.zst minisign -S -W -s signing.key -x package-name.tar.zst.sig -m package-name.tar.zst
# or with rsign2: # or with rsign2:
rsign sign -s signing.key -x package-name.tar.zst.sig package-name.tar.zst rsign sign -W -s signing.key -x package-name.tar.zst.sig package-name.tar.zst
``` ```
Upload both your package and the matching `.sig`. Upload both your package and the matching `.sig`.
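Review bot: the unchanged context line "Save the `signing.key` as a secret in your CI" now contradicts the paragraph further down, which recommends age-encrypting the key rather than storing the `-W` (unencrypted) private key as a plain CI secret; update this sentence to mention the age option or cross-reference that section.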
@ -42,34 +42,16 @@ Upload both your package and the matching `.sig`.
Now when binstall downloads your packages, it will also download the `.sig` file and use the `pubkey` in the Cargo.toml to verify the signature. Now when binstall downloads your packages, it will also download the `.sig` file and use the `pubkey` in the Cargo.toml to verify the signature.
If the signature has a trusted comment, it will print it at install time. If the signature has a trusted comment, it will print it at install time.
`minisign` and `rsign2` by default prompt for a password when generating a keypair and signing, which can hinder automation. By default, `minisign` and `rsign2` prompt for a password; above we disable this with `-W`.
While you _can_ set a password, we recommend instead using [age](https://github.com/FiloSottile/age) (or the Rust version [rage](https://github.com/str4d/rage)) to separately encrypt the key, which we find is much better for automation.
You can: ```console
- Pass `-W` to `minisign` or `rsign2` to generate a password-less private key. rage-keygen -o age.key
NOTE that you also need to pass this when signing. Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
- When signing using `minisign`, it reads from stdin for password so you could use
shell redirect to pass the password. rage -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p -o signing.key.age signing.key
- Use [`expect`] to pass password to `rsign2` (since it reads `/dev/tty` for password): rage -d -i age.key -o signing.key signing.key.age
For generating private key: ```
```bash
expect <<EXP
spawn rsign generate -f -p minisign.pub -s minisign.key
expect "Password:"
send -- "$SIGNING_KEY_SECRET\r"
expect "Password (one more time):"
send -- "$SIGNING_KEY_SECRET\r"
expect eof
EXP
```
For signing:
```bash
expect <<EXP
spawn rsign sign -s minisign.key -x "$file.sig" -t "$comment" "$file"
expect "Password:"
send -- "$SIGNING_KEY_SECRET\r"
expect eof
EXP
```
For just-in-time or "keyless" schemes, securely generating and passing the ephemeral key to other jobs or workflows presents subtle issues. For just-in-time or "keyless" schemes, securely generating and passing the ephemeral key to other jobs or workflows presents subtle issues.
`cargo-binstall` has an implementation in [its own release process][`release.yml`] that you can use as example. `cargo-binstall` has an implementation in [its own release process][`release.yml`] that you can use as example.
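Review bot: the new age/rage walkthrough drops the guidance about where each file lives that the removed `expect` section carried implicitly; add one sentence after the console block stating that `age.key` (the identity) is the CI secret, `signing.key.age` is what gets committed or stored as an artifact, and the plaintext `signing.key` should be deleted after encryption, since `-W` leaves it unencrypted on disk. The hardcoded `age1ql3...` recipient in the example reads as a key to copy; label it as sample output of `rage-keygen` so readers substitute their own.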