Extend release pipeline to publish to APT repo (#102)

* Extend release pipeline to publish to APT repo

* Set necessary AWS credentials environment variables

* Remove duplicated comment in script

* Clarify dist/ folder

* Skip publishing to APT if tag contains a dash -

* Restrict release workflow trigger to semantic version tags

Author: joaopalet

.aptly.conf

@@ -0,0 +1,36 @@
+{
+  "rootDir": "./.aptly",
+  "downloadConcurrency": 4,
+  "downloadSpeedLimit": 0,
+  "downloadRetries": 0,
+  "downloader": "default",
+  "databaseOpenAttempts": -1,
+  "architectures": [],
+  "dependencyFollowSuggests": false,
+  "dependencyFollowRecommends": false,
+  "dependencyFollowAllVariants": false,
+  "dependencyFollowSource": false,
+  "dependencyVerboseResolve": false,
+  "gpgDisableSign": false,
+  "gpgDisableVerify": false,
+  "gpgProvider": "gpg",
+  "downloadSourcePackages": false,
+  "skipLegacyPool": true,
+  "ppaDistributorID": "ubuntu",
+  "ppaCodename": "",
+  "skipContentsPublishing": false,
+  "skipBz2Publishing": false,
+  "FileSystemPublishEndpoints": {},
+  "S3PublishEndpoints": {
+    "stackit-cli-apt": {
+      "region": "eu01",
+      "bucket": "stackit-cli-apt",
+      "acl":"public-read",
+      "endpoint": "object.storage.eu01.onstackit.cloud"
+    }
+  },
+  "SwiftPublishEndpoints": {},
+  "AzurePublishEndpoints": {},
+  "AsyncAPI": false,
+  "enableMetricsEndpoint": false
+}

.github/workflows/release.yaml

@@ -6,7 +6,8 @@ name: Release
 on:
   push:
     tags:
-      - "v*"
+      - "v[0-9]+.[0-9]+.[0-9]+"
+      - "v[0-9]+.[0-9]+.[0-9]+-*"
   workflow_dispatch:
 
 # Releases need permissions to read and write the repository contents.
@@ -19,6 +20,9 @@ jobs:
     runs-on: macOS-latest
     env:
       SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
+      # Needed to publish new packages to our S3-hosted APT repo
+      AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -52,6 +56,8 @@ jobs:
           APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
           SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
           AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
+      - name: Install Aptly
+        run: brew install aptly
       - name: Install Snapcraft
         uses: samuelmeuli/action-snapcraft@v2
       - name: Run GoReleaser
@@ -61,3 +67,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+      - name: Publish packages to APT repo
+        if: ! contains(github.ref_name, '-')
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_PRIVATE_KEY_ID: ${{ steps.import_gpg.outputs.keyid }}
+        run: ./scripts/publish-apt-packages.sh

scripts/publish-apt-packages.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+
+# This script is used to publish new packages to the CLI APT repository
+# Usage: ./publish-apt-packages.sh
+set -eo pipefail
+
+ROOT_DIR=$(git rev-parse --show-toplevel)
+
+OBJECT_STORAGE_ENDPOINT="https://object.storage.eu01.onstackit.cloud"
+APT_BUCKET_NAME="stackit-cli-apt"
+PUBLIC_KEY_BUCKET_NAME="stackit-public-key"
+PUBLIC_KEY_FILE="key.gpg"
+CUSTOM_KEYRING="custom-keyring"
+APTLY_CONFIG_FILE_PATH="./.aptly.conf"
+GORELEASER_PACKAGES_FOLDER="dist/"
+
+# Create a local mirror of the current state of the remote APT repository
+printf ">>> Creating mirror \n"
+curl ${OBJECT_STORAGE_ENDPOINT}/${PUBLIC_KEY_BUCKET_NAME}/${PUBLIC_KEY_FILE} >public.asc
+gpg --no-default-keyring --keyring ./${CUSTOM_KEYRING}.gpg --import public.asc
+aptly mirror create -keyring="${CUSTOM_KEYRING}.gpg" current "${OBJECT_STORAGE_ENDPOINT}/${APT_BUCKET_NAME}" stackit
+
+# Update the mirror to the latest state
+printf "\n>>> Updating mirror \n"
+aptly mirror update current
+
+# Create a snapshot of the mirror
+printf "\n>>> Creating snapshop from mirror \n"
+aptly snapshot create current-snapshot from mirror current
+
+# Create a new fresh local APT repo
+printf "\n>>> Creating fresh local repo \n"
+aptly repo create -distribution="stackit-cli" new-repo
+
+# Add new generated .deb packages to the new local repo
+printf "\n>>> Adding new packages to local repo \n"
+aptly repo add new-repo ${GORELEASER_PACKAGES_FOLDER}
+
+# Create a snapshot of the local repo
+printf "\n>>> Creating snapshot of local repo \n"
+aptly snapshot create new-snapshot from repo new-repo
+
+# Merge new-snapshot into current-snapshot creating a new snapshot updated-snapshot
+printf "\n>>> Merging snapshots \n"
+aptly snapshot pull -no-remove -architectures="amd64,i386,arm64" current-snapshot new-snapshot updated-snapshot stackit
+
+# Publish the new snapshot to the remote repo
+printf "\n>>> Publishing updated snapshot \n"
+aptly publish switch -gpg-key="${GPG_PRIVATE_KEY_ID}" -passphrase "${GPG_PASSPHRASE}" -config "${APTLY_CONFIG_FILE_PATH}" stackit "s3:${APT_BUCKET_NAME}:" updated-snapshot