For PRs opened by contributors who are not part of the cargo-bins team and for
PRs opened by dependabot, they cannot access the secrets, thus signing will
always fail.
Skipping release-dry-run on pull_request would fix that for them, while
retaining the signing stage on merge_queue and on main to ensure that the
release workflow is working.
It will also speedup CI for PR.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Bump dep trust-dns-reslver to v0.23.0
Since we no longer enables `reqwest/trust-dns-resolver` anymore, we
don't need to keep this dependency is sync with upstream `reqwest`.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix compilation
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
---------
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix fallback to `cargo-install`: Use the default target
which is guaranteed to work, instead of providing a custom `--target`
from `detect-targets`.
The one from `detect-targets` might report musl even if the `rustc`
reports gnu, since OSes like NixOS could use a custom glibc location
that prevent glibc binaries built for other OSes be run for them.
However, if we are compiling the crate and `rustc` defaults to glibc,
then it should be guaranteed to work.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Impl fn `DesiredTargets::get_initialized`
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix fallback to `cargo-install`: Use user-provided override targets
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
---------
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
Fixed#1414
There are many different kinds of gh tokens and they can change the
format at anytime, so we can't check it based on its formats.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix build again
* Recommend (r)age over minisign password
* Dry-run the entire release process
* Reorg a bit so dry-run works
* Fix secret name
* Add check on age key
* Pass secrets down
* Use a cross-platform "date"
* Delete signing key artifact to be extra safe
* Last little bits
* Revert "release: cargo-binstall v1.4.0 (#1397)"
This reverts commit 99e8256018.
* --allow-dirty on publish
* Remove private key file after generation
* Write public key file to bin crate and to package
* Upload public key file to release
* Sign our releases
* Use secrets instead of artifacts
* And the universal
* Apparently we can’t use secrets like that?
* Minor fixes to doc
* Private key requires untrusted comment
* Dogfood one deeper
* Add CLI options
* Add manifest types
* Thread signature policy through to fetchers
* Thread signing section through from metadata
* Implement signing validation
* Clippy
* Attempt testing
* Yes and
* Why
* fmt
* Update crates/bin/src/args.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/binstalk-fetchers/src/gh_crate_meta.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/bin/src/args.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/binstalk-fetchers/src/signing.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/binstalk-fetchers/src/signing.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/binstalk-fetchers/src/signing.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Update crates/binstalk-fetchers/src/signing.rs
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* fixes
* Finish feature
* Document
* Include all fields in the signing.file template
* Readme document
* Review fixes
* Fail on non-utf8 sig
* Thank goodness for tests
* Run test in ci
* Add rsign2 commands
* Log utf8 error
* Update e2e-tests/signing.sh
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix `e2e-tests/signing.sh` MacOS CI failure
Move the tls cert creation into `signing.sh` and sleep for 10s to wait
for https server to start.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Refactor e2e-tests-signing files
- Use a tempdir generated by `mktemp` for all certificates-related
files
- Put other checked-in files into `e2e-tests/signing`
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fixed `e2e-tests-signing` connection err in MacOS CI
Wait for server to start up by trying to connect to it.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix `e2e-tests-signing` passing `-subj` to `openssl` on Windows
Use single quote instead of double quote to avoid automatic expansion
from bash
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix `e2e-tests-signing` waiting for server to startup
Remove `timeout` since it is not supported on MacOS.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Try to fix windows CI by setting `MSYS_NO_PATHCONV=1` on `openssl` cmds
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fixed `e2e-tests-signing` on windows
By using double `//` for the value passed to option `-subj`
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fixed infinite loop in `signing/wait-for-server` on Windows
Pass `--ssl-revoke-best-effort` to prevent schannel from checking ssl
revocation status.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Add cap on retry attempt in `signing/wait-for-server.sh`
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Let `singing/server.py` print output to stderr
so that we can see the error message there.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix running `signing/server.py` on MacOS CI
use `python3` since macos-latest still has python2 installed and
`python` is a symlink to `python2` there.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
---------
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
Co-authored-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix `detect-targets` on ubuntu 20.04, glibc 2.31
Fixed#1375 and fixed#1378
glibc 2.31 does not support `--version`, so we need to detect and
fallback to passing an executable linked with that glibc to check if it
is indeed glibc.
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
* Fix compilation faillure on ubuntu-20.04
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
---------
Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
