release: switch to macos as host for making releases to fully automat…

…e codesigning workflow The previous release process used the dockercross image to execute CGO compatible cross-compilation for all platforms using Linux (docker) as the build environment. This necessitated a multi-step workflow in order to CodeSign the macos binaries. This is a cumbersome and error prone workflow. This changes switches to macOS as the build environment, implementing cross-compilation for windows and linux binaries and a goreleaser post-build hook to codesign the macOS binary. The release pipeline is now fully automated from CI (currently github actions)
joemiller · May 24, 2020 · 315dbaa · 315dbaa
1 parent f3cfbc7
commit 315dbaa
Show file tree

Hide file tree

Showing 8 changed files with 78 additions and 225 deletions.
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -1,12 +1,6 @@
 name: main
 on: [push, pull_request]
 
-# TODO: implement support for [skip ci], https://timheuer.com/blog/skipping-ci-github-actions-workflows/
-# TODO: bonus: can we achiever apple codesigning in CI and remove the local script step?
-# TODO: update CI/CD section in readme to remove azure refs
-# TODO: switch readme CI badge to github actions
-# TODO: document autotag git branch+tags stuff in autotag README
-
 jobs:
   lint:
     strategy:
@@ -80,7 +74,7 @@ jobs:
     needs: [lint, test]
     # don't waste time running a goreleaser test build on master since we will run a full release:
     if: github.ref != 'refs/heads/master'
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
@@ -90,15 +84,33 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-      - name: install go deps
-        run: make deps
+
+      - uses: apple-actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CODESIGN_CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.APPLE_CODESIGN_CERTIFICATES_PASSWORD }}
+
+      - name: import GPG signing key
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" \
+            | base64 --decode \
+            | gpg --batch --allow-secret-key-import --import
+          gpg --keyid-format LONG --list-secret-keys
+
+      - name: install release deps
+        run: |
+          brew install goreleaser/tap/goreleaser
+          brew install FiloSottile/musl-cross/musl-cross
+
       - run: make snapshot
 
   release:
     needs: [lint, test]
     # only create a release on master builds:
     if: github.ref == 'refs/heads/master'
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-go@v2
@@ -108,6 +120,21 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
+
+      - uses: apple-actions/import-codesign-certs@v1
+        with:
+          p12-file-base64: ${{ secrets.APPLE_CODESIGN_CERTIFICATES_P12 }}
+          p12-password: ${{ secrets.APPLE_CODESIGN_CERTIFICATES_PASSWORD }}
+
+      - name: import GPG signing key
+        env:
+          GPG_KEY: ${{ secrets.GPG_KEY }}
+        run: |
+          echo "$GPG_KEY" \
+            | base64 --decode \
+            | gpg --batch --allow-secret-key-import --import
+          gpg --keyid-format LONG --list-secret-keys
+
       - name: Unshallow
         run: |
           # fetch all tags and history so that goreleaser can generate a proper changelog
@@ -118,21 +145,20 @@ jobs:
             # ensure a local 'master' branch exists for autotag to work correctly:
             git branch --track master origin/master
           fi
-      - name: install go deps
-        run: make deps
 
-      - name: install autotag
+      - name: install release deps
         run: |
-          curl -sL https://git.io/autotag-install | sudo sh -s -- -b /usr/local/bin
+          brew install goreleaser/tap/goreleaser
+          brew install FiloSottile/musl-cross/musl-cross
 
       - name: run autotag to increment version
         run: |
+          curl -sL https://git.io/autotag-install | sudo sh -s -- -b /usr/local/bin
           autotag
 
       - name: build and push release artifacts
         env:
           GITHUB_TOKEN: ${{ secrets.BREW_GITHUB_TOKEN }}
-          # GPG_KEY contents must be base64 encoded:
-          GPG_KEY: ${{ secrets.GPG_KEY }}
         run: |
+          make deps
           make release
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -4,39 +4,43 @@ env:
   - GOPROXY=https://proxy.golang.org
 builds:
   - binary: vault-token-helper
-    id: windows
-    ldflags:
-      - -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
-      - "-extldflags '-static'"
+    id: macos
+    ldflags: -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
     env:
       - CGO_ENABLED=1
-      - CC=x86_64-w64-mingw32-gcc
-      - CXX=x86_64-w64-mingw32-g++
     goos:
-      - windows
+      - darwin
     goarch:
       - amd64
+    hooks:
+      post: ./scripts/macos-codesign.sh "{{ .Path }}"
 
+  # cross-compile windows binary
   - binary: vault-token-helper
-    id: macos
-    ldflags: -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
+    id: windows
+    ldflags:
+      - -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
+      - "-extldflags '-static'"
     env:
       - CGO_ENABLED=1
-      - CC=o64-clang
-      - CXX=o64-clang++
+      - CC=x86_64-w64-mingw32-gcc
+      - CXX=x86_64-w64-mingw32-g++
     goos:
-      - darwin
+      - windows
     goarch:
       - amd64
 
-    # TODO: find a way to codesign from linux and integrate into azure pipelines ci/cd
-    # hooks:
-    #   post: ./macos-codesign.sh
+  # cross-compile static linux bin on macos using https://github.com/FiloSottile/homebrew-musl-cross
+  #   brew install FiloSottile/musl-cross/musl-cross
   - binary: vault-token-helper
     id: linux
-    ldflags: -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
+    ldflags:
+      - -s -w -X github.com/joemiller/vault-token-helper/cmd.version={{.Version}}+{{.ShortCommit}}
+      - "-linkmode external -extldflags '-static'"
     env:
       - CGO_ENABLED=1
+      - CC=x86_64-linux-musl-gcc
+      - CXX=x86_64-linux-musl-g++
     goos:
       - linux
     goarch:

diff --git a/Makefile b/Makefile
@@ -19,28 +19,11 @@ build:
 	@go build .
 
 release:
-	@docker run \
-		--rm \
-		-e "GITHUB_TOKEN=$$GITHUB_TOKEN" \
-		-e "GPG_KEY=$$GPG_KEY" \
-		-v `pwd`:/src \
-		-w /src \
-		dockercore/golang-cross \
-			/src/scripts/release.sh $(GORELEASER_ARGS)
+	@goreleaser $(GORELEASER_ARGS)
 
 snapshot: GORELEASER_ARGS= --rm-dist --snapshot
 snapshot: release
 
-sign-and-promote-release:
-	bash ./scripts/sign-and-promote-release.sh
-
-build-dev-docker-image:
-	@docker build -t joemiller/vault-token-helper-dev -f ./dev/Dockerfile.dev ./dev
-
-run-dev-docker-image:
-	#docker run --rm -it -v$$(PWD):/src -w /src joemiller/vault-token-helper-dev /bin/bash
-	docker run --rm -it -v$$(PWD):/src --privileged -w /src joemiller/vault-token-helper-dev /bin/bash
-
 todo:
 	@grep \
 		--exclude-dir=vendor \

diff --git a/README.md b/README.md
@@ -239,14 +239,7 @@ $ GPG_KEY="$(cat vault-token-helper.signing-key.gpg | base64)" make snapshot
 #### Apple codesign
 
 In order to avoid macOS keychain from always prompting for passwords the macOS binaries
-are codesigned with a cert issued by Apple. Unfortunately this can't be done easily in CI
-while still being able to leverage all the advantages of [goreleaser](https://goreleaser.com/).
-This will hopefully change one day when there is a `codesign` compatible binary available
-for Linux.
-
-In the meantime, all releases pushed by CI are created as draft releases. In order to promote
-a release, run `make sign-and-promote-release TAG=vX.Y.Z` from a macOS system with both the
-project GPG key and an apple code signing cert available.
+are codesigned with a cert issued by Apple.
 
 TODO
 ----
@@ -257,5 +250,5 @@ TODO
 * [x] add a flag like `--extended` to `list` that will query vault for additional token info, eg: valid/invalid, ttl, policies
 * ci/cd:
   * [x] `sign` checksum.txt and assets in goreleaser.yaml GPG key
-  * [ ] apple `codesign` the macos binaries
+  * [x] apple `codesign` the macos binaries
   * [ ] linux tests, figure out how to test dbus secret-service in headless CI. probably need a stub to connect to Dbus and provide the 'prompt' service
diff --git a/go.mod b/go.mod
@@ -6,15 +6,13 @@ require (
 	github.com/99designs/keyring v0.0.0-20190704105226-2c916c935b9f
 	github.com/PuerkitoBio/purell v1.1.0
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
-	github.com/davecgh/go-spew v1.1.1
 	github.com/hashicorp/vault/api v1.0.2
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/errors v0.8.0
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/viper v1.4.0
 	github.com/stretchr/testify v1.3.0
-	google.golang.org/appengine v1.4.0 // indirect
 )
 
 // replace github.com/99designs/keyring v0.0.0-20190531235905-2e3b4e59b02e => ../keyring

diff --git a/scripts/macos-codesign.sh b/scripts/macos-codesign.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -eou pipefail
+
+CODESIGN_CERT="Developer ID Application: JOSEPH MILLER (P3MF48HUD7)"
+
+path="$1"
+
+# sign
+codesign -s "$CODESIGN_CERT" -i "vault-token-helper" "$path"
+
+# display signature
+codesign -v -d "$path"
diff --git a/scripts/release.sh b/scripts/release.sh