Source binaries for linux artifacts from docker images

This gives us static binaries linked against musl for our release artifacts, unifying our libc dependency for both docker and non-docker and simplifying our build tooling. Since artifact building is now fairly complicated and really only part of the CI/CD pipeline, got rid of the Makefile target for it. Fixes: spiffe#4346 Signed-off-by: Andrew Harding <azdagron@gmail.com>
azdagron · Sep 13, 2023 · 33eb9b1 · 33eb9b1
1 parent 969e383
commit 33eb9b1
Show file tree

Hide file tree

Showing 6 changed files with 186 additions and 132 deletions.
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -119,7 +119,7 @@ jobs:
  artifacts:
  name: artifacts (linux)
  runs-on: ubuntu-20.04
- needs: [cache-deps]
+ needs: [cache-deps, images]
  timeout-minutes: 30
 
  permissions:
@@ -132,16 +132,16 @@ jobs:
  uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
  with:
  go-version: ${{ env.GO_VERSION }}
- - name: Load cached deps
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
- with:
- path: ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- - name: Load cached build tools
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+ - name: Install regctl
+ uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+ - name: Download archived images
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
  with:
- path: .build
- key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+ name: images
+ path: .
+ - name: Expand archived images
+ run: |
+ tar xvf images.tar.gz
  - name: Build artifacts
  run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
  - name: Archive artifacts

diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml
@@ -113,7 +113,8 @@ jobs:
  artifacts:
  name: artifacts (linux)
  runs-on: ubuntu-20.04
- needs: [cache-deps]
+ needs: [cache-deps, images]
+ timeout-minutes: 30
 
  permissions:
  contents: read
@@ -125,16 +126,16 @@ jobs:
  uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
  with:
  go-version: ${{ env.GO_VERSION }}
- - name: Load cached deps
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
- with:
- path: ~/go/pkg/mod
- key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
- - name: Load cached build tools
- uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+ - name: Install regctl
+ uses: regclient/actions/regctl-installer@b6614f5f56245066b533343a85f4109bdc38c8cc # main
+ - name: Download archived images
+ uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
  with:
- path: .build
- key: ${{ runner.os }}-tools-${{ hashFiles('.go-version','Makefile') }}
+ name: images
+ path: .
+ - name: Expand archived images
+ run: |
+ tar xvf images.tar.gz
  - name: Build artifacts
  run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
  - name: Archive artifacts

diff --git a/.github/workflows/scripts/build_artifacts.sh b/.github/workflows/scripts/build_artifacts.sh
@@ -5,32 +5,32 @@
 set -e
 
 usage() {
- echo "usage: ${BASH_SOURCE[0]} <Linux|Windows|macOS>"
+ echo "usage: ${BASH_SOURCE[0]} <Linux|Windows>"
  exit 1
 }
 
-[[ $# -eq 1 ]] || usage
-
-os="$1"
-declare -a supported_archs
-if [[ "${os}" == "Linux" ]] || [[ "${os}" == "macOS" ]]; then
- supported_archs=(amd64 arm64)
-elif [[ "${os}" == "Windows" ]]; then
- supported_archs=(amd64)
-else
- echo "unrecognized OS: ${os}"
- usage
-fi
+SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 export TAG=
 if [[ "$GITHUB_REF" =~ ^refs/tags/v[0-9.]+$ ]]; then
-  # Strip off the leading "v" from the release tag. Release artifacts are
-  # named just with the version number (e.g. v0.9.3 tag produces
-  # spire-0.9.3-linux-x64.tar.gz).
-  TAG="${GITHUB_REF##refs/tags/v}"
+ # Strip off the leading "v" from the release tag. Release artifacts are
+ # named just with the version number (e.g. v0.9.3 tag produces
+ # spire-0.9.3-linux-x64.tar.gz).
+ TAG="${GITHUB_REF##refs/tags/v}"
 fi
 
-# Make references the $TAG environment variable set above
-for arch in "${supported_archs[@]}"; do
- GOARCH=$arch make artifact
-done
+[[ $# -eq 1 ]] || usage
+
+os="$1"
+case "${os}" in
+ Linux)
+ "${SCRIPTDIR}"/build_linux_artifacts.sh
+ ;;
+ Windows)
+ "${SCRIPTDIR}"/build_windows_artifacts.sh
+ ;;
+ *)
+ echo "Only artifacts for Linux and Windows are supported" 1>&2
+ usage
+ ;;
+esac
diff --git a/.github/workflows/scripts/build_linux_artifacts.sh b/.github/workflows/scripts/build_linux_artifacts.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+TARCMD=tar
+if [[ $(uname -s) == "Darwin" ]]; then
+ # When building linux artifacts from darwin, gtar is required.
+ TARCMD="gtar"
+fi
+
+TAROPTS=("--owner=root" "--group=root")
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+ rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+
+copy_binary_from_multiarch_tar() {
+ local arch=$1
+ local binary=$2
+ local destdir=$3
+
+ local srcpath="/opt/spire/bin/${binary}"
+ local destpath="${destdir}/${binary}"
+ local ocidir="ocidir://${TMPDIR}/${arch}/oci/${binary}"
+ local imagetar="${REPODIR}/${binary}-image.tar"
+ local platform="linux/${arch}"
+
+ echo "Importing multiarch image ${imagetar}..."
+ regctl image import "${ocidir}" "${imagetar}"
+
+ echo "Copying ${srcpath} for platform ${platform}..."
+ regctl image get-file "${ocidir}" "${srcpath}" "${destpath}" -p "${platform}"
+
+ # file does not retain permission bits, so fix up the executable bit.
+ chmod +x "${destpath}"
+}
+
+build_artifact() {
+ ARCH="$1"
+
+ ARTIFACT="${OUTDIR}/spire-${TAG}-linux-${ARCH}-musl.tar.gz"
+ CHECKSUM="${OUTDIR}/spire-${TAG}-linux-${ARCH}-musl_sha256sum.txt"
+
+ EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-linux-${ARCH}-musl.tar.gz"
+ EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-linux-${ARCH}-musl_sha256sum.txt"
+
+ TARDIR="${TMPDIR}/${ARCH}/tar" 
+ mkdir -p "${TARDIR}"
+
+ STAGING="${TARDIR}"/spire/spire-${TAG}
+ EXTRAS_STAGING="${TARDIR}"/spire-extras/spire-extras-${TAG}
+ mkdir -p "${STAGING}" "${EXTRAS_STAGING}"
+
+ echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\""
+
+ # Copy in the contents under release/
+ cp -r "${REPODIR}"/release/posix/spire/* "${STAGING}"
+ cp -r "${REPODIR}"/release/posix/spire-extras/* "${EXTRAS_STAGING}"
+
+ # Copy in the LICENSE
+ cp "${REPODIR}"/LICENSE "${STAGING}"
+ cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}"
+
+ # Copy in the SPIRE binaries from the docker images:
+ # 1. import the image from the multiarch tarball into the OCI directory
+ mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin
+ copy_binary_from_multiarch_tar "$ARCH" "spire-server" "${STAGING}/bin"
+ copy_binary_from_multiarch_tar "$ARCH" "spire-agent" "${STAGING}/bin"
+ copy_binary_from_multiarch_tar "$ARCH" "oidc-discovery-provider" "${EXTRAS_STAGING}/bin"
+
+ mkdir -p "${OUTDIR}"
+
+ # Create the tarballs and checksums
+ (cd "${TARDIR}/spire"; ${TARCMD} -cvzf "${ARTIFACT}" "${TAROPTS[@]}" -- *)
+ (cd "${TARDIR}/spire-extras"; ${TARCMD} -cvzf "${EXTRAS_ARTIFACT}" "${TAROPTS[@]}" -- *)
+
+ (cd "$(dirname "${ARTIFACT}")"; shasum -a 256 "$(basename "${ARTIFACT}")" > "${CHECKSUM}" )
+ (cd "$(dirname "${EXTRAS_ARTIFACT}")"; shasum -a 256 "$(basename "${EXTRAS_ARTIFACT}")" > "${EXTRAS_CHECKSUM}" )
+}
+
+command -v regctl >/dev/null 2>&1 || { echo -e "The regctl cli is required to run this script." >&2 ; exit 1; }
+command -v "${TARCMD}" >/dev/null 2>&1 || { echo -e "The ${TARCMD} command is required to run this script." >&2 ; exit 1; }
+
+build_artifact amd64
+build_artifact arm64
diff --git a/.github/workflows/scripts/build_windows_artifacts.sh b/.github/workflows/scripts/build_windows_artifacts.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+set -e
+
+REPODIR=$(git rev-parse --show-toplevel)
+BINDIR="${REPODIR}/bin"
+
+TAG=${TAG:-$(git log -n1 --pretty=%h)}
+OUTDIR=${OUTDIR:-"${REPODIR}/artifacts"}
+
+ARTIFACT="${OUTDIR}/spire-${TAG}-windows-${ARCH}${LIBC}.zip"
+CHECKSUM="${OUTDIR}/spire-${TAG}-windows-${ARCH}${LIBC}_sha256sum.txt"
+
+EXTRAS_ARTIFACT="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}${LIBC}.zip"
+EXTRAS_CHECKSUM="${OUTDIR}/spire-extras-${TAG}-windows-${ARCH}${LIBC}_sha256sum.txt"
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+ rm -rf "${TMPDIR}"
+}
+trap cleanup EXIT
+
+STAGING="${TMPDIR}"/spire/spire-${TAG}
+EXTRAS_STAGING="${TMPDIR}"/spire-extras/spire-extras-${TAG}
+mkdir -p "${STAGING}" "${EXTRAS_STAGING}"
+
+echo "Creating \"${ARTIFACT}\" and \"${EXTRAS_ARTIFACT}\""
+
+RELEASE_FOLDER="windows"
+
+# Copy in the contents under release/
+cp -r "${REPODIR}"/release/"${RELEASE_FOLDER}"/spire/* "${STAGING}"
+cp -r "${REPODIR}"/release/"${RELEASE_FOLDER}"/spire-extras/* "${EXTRAS_STAGING}"
+
+# Copy in the LICENSE
+cp "${REPODIR}"/LICENSE "${STAGING}"
+cp "${REPODIR}"/LICENSE "${EXTRAS_STAGING}"
+
+# Copy in the SPIRE binaries
+mkdir -p "${STAGING}"/bin "${EXTRAS_STAGING}"/bin
+cp "${BINDIR}"/spire-server.exe "${STAGING}"/bin
+cp "${BINDIR}"/spire-agent.exe "${STAGING}"/bin
+cp "${BINDIR}"/oidc-discovery-provider.exe "${EXTRAS_STAGING}"/bin
+
+mkdir -p "${OUTDIR}"
+
+(cd "${TMPDIR}/spire"; zip -rv "${ARTIFACT}" -- *)
+(cd "${TMPDIR}/spire-extras"; zip -rv "${EXTRAS_ARTIFACT}" -- *)
+
+(cd "$(dirname "${ARTIFACT}")"; CertUtil -hashfile "$(basename "${ARTIFACT}")" SHA256 > "${CHECKSUM}")
+(cd "$(dirname "${EXTRAS_ARTIFACT}")"; CertUtil -hashfile "$(basename "${EXTRAS_ARTIFACT}")" SHA256 > "${EXTRAS_CHECKSUM}")
diff --git a/script/build-artifact.sh b/script/build-artifact.sh