
Signed Commits for Brews: #242

Closed
timharris777 opened this issue Aug 28, 2020 · 7 comments

Comments

@timharris777

I'm using goreleaser-action and it is amazing! We recently started using the Brews feature and are hoping to implement the scoop feature as well. The one issue I have run into is that our organization requires signed commits for all default branches. I see documentation on signing... but it seems like that is more like signing compiled bins. I have been trying to figure out how to use https://github.com/crazy-max/ghaction-import-gpg in conjunction with a service account access token to get the Brews: option to sign the commit when updating the formula. So far I have been unsuccessful. Is this even possible? If so, can documentation be provided for signed commits in github actions?

++@venkatkotta since you are dealing with this as well.

@crazy-max
Member

@timharris777
Author

I have tried already and the goreleaser-action doesn't seem to pick it up. Here is the portion of my yaml file:

...
      # Import the signing key and tell git to sign commits with it
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v2
        with:
          git_user_signingkey: true
          git_commit_gpgsign: true
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GITHUB_ACTIONS_GPG_KEY }}
          PASSPHRASE: ${{ secrets.GITHUB_ACTIONS_GPG_PASS }}
      # Release; GITHUB_TOKEN_BREW is the service-account token used for the tap
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
          version: latest
          args: release --rm-dist --skip-validate --config ./${{ env.GRCONFIG }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_TOKEN_BREW: ${{ secrets.GITHUB_ACTIONS_ACCESS_TOKEN }}
          APP_VERSION: ${{ env.APP_VERSION }}
...

Here is the goreleaser config:

...
brews:
  - name: "aws-login"
    tap:
      owner: cfacorp
      name: homebrew-tap
      token: "{{ .Env.GITHUB_TOKEN_BREW }}"
    folder: Formula
    description: A utility to login to aws accounts from cli using OKTA SSO
    download_strategy: GitHubPrivateRepositoryReleaseDownloadStrategy
    custom_require: "../custom_download_strategy"
...

However, I'm getting this error:

• homebrew tap formula
         • writing                   formula=dist/aws-login-dev.rb
         • pushing                   formula=Formula/aws-login-dev.rb repo=cfacorp/homebrew-tap
   ⨯ release failed after 69.72s error=homebrew tap formula: failed to publish artifacts: PUT https://api.github.com/repos/cfacorp/homebrew-tap/contents/Formula/aws-login-dev.rb: 409 Could not update file: Commits must have valid signatures. []
##[error]The process '/opt/hostedtoolcache/goreleaser-action/0.142.0/x64/goreleaser' failed with exit code 1

The token I'm providing for the Brews: option is the token associated with the GitHub account that uses the PGP key we are importing in the previous step. Any suggestions on what else I should try?

@timharris777
Author

Just found the following: https://github.com/goreleaser/goreleaser/blob/acfd0024fa74c29d2a7d55f730927228947ac144/internal/pipe/brew/brew.go#L111

I'll try specifying proper name and email so that it doesn't default to goreleaser name and email.

Stand by...

@timharris777
Author

That didn't work. Looking further through the code it looks like under the hood this is the code that is being run: https://github.com/goreleaser/goreleaser/blob/01fd3e8c7b3b16e77996b0434fc49f62a033f775/internal/client/github.go#L28

It is using the api, not the local git client... which means the import gpg action will not apply here. I'm not even sure if signed commits are possible through the github api.

Thoughts...?

@timharris777
Author

Opened a ticket against goreleaser as it will require a change there:
goreleaser/goreleaser#1774

@timharris777
Author

This will require a significant change to goreleaser/goreleaser to work. I opened issue goreleaser/goreleaser#1774

In the meantime I have a working workaround. In goreleaser.yaml I

  1. add the skip_upload: true option under the brews section in goreleaser.yaml so goreleaser does not auto-update the tap repository.
  2. checkout my tap repository in github actions to a separate folder
  3. copy the formula into the tap repository folder
  4. enable signing by https://github.com/crazy-max/ghaction-import-gpg#sign-commits
  5. add formula file, commit, and push.

This did require me adding a feature to https://github.com/crazy-max/ghaction-import-gpg to run in a different working directory. The pull request is currently open here: crazy-max/ghaction-import-gpg#55

I believe this issue can be closed now.
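An added example of the five-step workaround above as one GitHub Actions job; this is not code from the issue or from goreleaser. Assumed names: the tap repository OWNER/homebrew-tap, the formula path dist/aws-login.rb, the secret names, and a `workdir` input on ghaction-import-gpg (the feature the linked PR adds). The `.goreleaser.yml` must carry `skip_upload: true` under `brews` for this to apply.

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0

      # Step 1: with skip_upload: true in .goreleaser.yml, goreleaser still
      # writes the formula to dist/ but no longer pushes it through the GitHub
      # contents API, which cannot produce a GPG-signed commit.
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v1
        with:
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Step 2: check out the tap into its own folder with a token that may push.
      - name: Checkout tap
        uses: actions/checkout@v2
        with:
          repository: OWNER/homebrew-tap          # assumed
          token: ${{ secrets.TAP_PUSH_TOKEN }}   # assumed secret name
          path: homebrew-tap

      # Step 4: import the key and configure signing inside the tap checkout
      # (workdir is the input added by the linked PR; assumed name).
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v2
        with:
          git_user_signingkey: true
          git_commit_gpgsign: true
          workdir: homebrew-tap
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}   # assumed
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}          # assumed

      # Steps 3 and 5: copy the formula, commit, verify the signature, push.
      - name: Commit signed formula
        working-directory: homebrew-tap
        run: |
          cp ../dist/aws-login.rb Formula/aws-login.rb
          git add Formula/aws-login.rb
          git commit -m "Brew formula update for ${GITHUB_REF#refs/tags/}"
          # Fail here, before pushing, if the commit is not actually signed.
          git verify-commit HEAD
          git push origin HEAD
```

`git verify-commit` uses the public half of the key the previous step imported, so a missing or mis-configured signing key fails the job locally instead of as a 409 from the tap's branch protection.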

@crazy-max
Member

LGTM thanks
