[CI/CD] Release Updater (#1397)

* add write permission

* add write permission

* write to release branch in Azure

* list releases

* add new oses

* [skip ci] add freebsd packages to uris if requested version is v2.x

* [skip ci] remove comment

* update handling of FreeBSD pakcages for v2 releases

* update regex

* recreate tarball for upload to Azure

* upload tarball with other packages to Azure

* fix upload of tarball

* [skip ci] Add azure path when uloading tarball

* [skip ci] fix tarball structure

* [skip ci] Tidy up paths in log, try simplify the configuration

* [skip ci] add missing commands

* [skip ci] remove azure upload and cleanup action inputs format

* [skip ci] fix typo, use secret for artifactory url

* [skip ci] set upload default to false

* [skip ci] tidy defaults and descriptions

* [skip ci] update descriptions with examples

* [skip ci] add warning to not squash commits when merging releases

* [skip-ci] suppress gpg key output in make target

* Remove job, deps already installed in previous step

* fix deb package formact for github assets

* [skip ci] sort list when displaying packages

* fix paths for FreeBSD pkgs when version 2.x

* re-enable workflow

Author: sean-breen

.github/workflows/assertion.yml

@@ -19,7 +19,7 @@ jobs:
       id-token: write
       contents: read
     env:
-      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+      GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}"
     outputs:
       agent_binary: ${{ steps.check_binary.outputs.agent_binary }}
       goversionm: ${{ steps.godeps.outputs.goversionm }}

.github/workflows/release-branch.yml

@@ -3,53 +3,51 @@ name: Release Agent
 on:
   workflow_dispatch:
     inputs:
-      githubRelease:
-        description: 'Setup release in github'
-        type: boolean
-        default: false
       packageVersion:
-        description: 'Package version number'
-        default: "3.0.0"
+        required: true
+        description: 'Package version number (3.x.x)'
+        default: ""
         type: string
       packageBuildNo:
-        description: 'Package Build number'
+        required: true
+        description: 'Package build number'
         default: "1"
         type: string
-      uploadAzure:
-        description: 'Publish packages Azure storage'
-        default: true
-        type: boolean
-      publishPackages:
-        description: 'Publish packages to nginx repo'
-        default: true
-        type: boolean
+      releaseBranch:
+        description: 'Release branch to build from (release-3.x.x)'
+        required: true
+        type: string
       tagRelease:
-        description: 'Add tag to release branch'
+        description: 'Add tag for release (v3.x.x)'
         default: false
         type: boolean
+      githubRelease:
+        description: 'Draft release (v3.x.x) on GitHub'
+        type: boolean
+        default: false
       createPullRequest:
-        description: 'Create pull request back into main'
+        description: 'Create pull request into main (required if release branch has diverged from main)'
+        default: false
+        type: boolean
+      publishPackages:
+        description: 'Publish packages to nginx repo'
         default: false
         type: boolean
-      releaseBranch:
-        description: 'Release branch to build & publish from'
-        required: true
-        type: string
       uploadUrl:
         description: 'Location to publish packages to'
         required: false
         default: "https://up-ap.nginx.com"
 
 env:
   NFPM_VERSION: 'v2.35.3'
-  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@azr.artifactory.f5net.com/artifactory/api/go/f5-nginx-go-local-approved-dependency"
+  GOPROXY: "https://${{ secrets.ARTIFACTORY_USER }}:${{ secrets.ARTIFACTORY_TOKEN }}@${{ secrets.ARTIFACTORY_URL_PROD }}"
 
 defaults:
   run:
     shell: bash
 
 concurrency:
-  group: ${{ github.ref_name }}-v3-release
+  group: ${{ github.ref_name }}-release
   cancel-in-progress: true
 
 permissions:
@@ -60,10 +58,9 @@ jobs:
     name: Set workflow variables
     runs-on: ubuntu-22.04
     outputs:
+      tag_release: ${{steps.vars.outputs.tag_release }}
       github_release: ${{steps.vars.outputs.github_release }}
-      upload_azure: ${{steps.vars.outputs.upload_azure }}
       publish_packages: ${{steps.vars.outputs.publish_packages }}
-      tag_release: ${{steps.vars.outputs.tag_release }}
       create_pull_request: ${{steps.vars.outputs.create_pull_request }}
     steps:
       - name: Checkout Repository
@@ -74,10 +71,9 @@ jobs:
       - name: Set variables
         id: vars
         run: |
+          echo "tag_release=${{ inputs.tagRelease }}" >> $GITHUB_OUTPUT
           echo "github_release=${{ inputs.githubRelease }}" >> $GITHUB_OUTPUT
-          echo "upload_azure=${{ inputs.uploadAzure }}" >> $GITHUB_OUTPUT
           echo "publish_packages=${{ inputs.publishPackages }}" >> $GITHUB_OUTPUT
-          echo "tag_release=${{ inputs.tagRelease }}" >> $GITHUB_OUTPUT
           echo "create_pull_request=${{ inputs.createPullRequest }}" >> $GITHUB_OUTPUT
           cat $GITHUB_OUTPUT
 
@@ -193,6 +189,7 @@ jobs:
           ref: ${{ inputs.releaseBranch }}
 
       - name: Tag release
+        if: ${{ needs.vars.outputs.tag_release == 'true' }}
         run: |
           git config --global user.name 'github-actions'
           git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
@@ -210,7 +207,7 @@ jobs:
     needs: [vars,release-draft,tag-release]
     permissions:
       id-token: write
-      contents: write # Needed to update a github release
+      contents: write # Needed to update a release
     steps:
       - name: Checkout Repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -246,12 +243,6 @@ jobs:
           echo "$GPG_KEY" | base64 --decode > ${NFPM_SIGNING_KEY_FILE}
           make package
 
-      - name: Install GPG tools
-        if: ${{ inputs.publishPackages == true }}
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gpgv1 monkeysphere
-
       - name: Get Id Token
         if: ${{ inputs.publishPackages == true }}
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -294,6 +285,7 @@ jobs:
               head: '${{ inputs.releaseBranch }}',
               base: 'main',
               body: [
-                'This PR is auto-generated by the release workflow.'
+                'This PR was auto-generated by the release workflow.',
+                'NOTE: DO NOT squash commits when merging!!',
               ].join('\n')
             });

.github/workflows/upload-release-assets.yml

@@ -12,7 +12,7 @@ on:
         type: string
         default: ""
       uploadAzure:
-        description: 'Publish packages Azure storage'
+        description: 'Publish packages to Azure blob storage'
         type: boolean
         default: false
       uploadGithub:
@@ -25,7 +25,7 @@ defaults:
     shell: bash
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
   vars:
@@ -63,31 +63,20 @@ jobs:
           echo "Checking Packages in ${{inputs.pkgRepo}}/nginx-agent"
           echo "${{secrets.PUBTEST_CERT}}" > pubtest.crt
           echo "${{secrets.PUBTEST_KEY}}" > pubtest.key
-          PKG_REPO=${{inputs.pkgRepo}} CERT=pubtest.crt KEY=pubtest.key DL=1 scripts/packages/package-check.sh ${{inputs.pkgVersion}}
-          for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
-            if [[ "$i" == *.deb ]]; then
-              echo "Renaming ${i} to ${i/_/-}"
-              mv "${i}" "${i/_/-}"
-            fi 
-            if [[ "$i" == *.apk ]]; then
-              ver=$(echo "$i" | grep -o -e "v[0-9]*\.[0-9]*")
-              arch=$(echo "$i" | grep -o -F -e "x86_64" -e "aarch64")
-              dest="$(dirname "$i")/nginx-agent-${{inputs.pkgVersion}}-$ver-$arch.apk"
-              echo "Renaming ${i} to ${dest}"
-              mv "${i}" "${dest}"
-            fi
-          done
-          find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"
+          
+          DL=1 PKG_REPO=${{inputs.pkgRepo}} \
+          CERT=pubtest.crt KEY=pubtest.key \
+            scripts/packages/package-check.sh ${{inputs.pkgVersion}}
 
       - name: GitHub Upload
-        continue-on-error: true
         if: ${{ needs.vars.outputs.github_release == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # clobber overwrites existing assets of the same name
         run: |
+          gh release list
           gh release upload --clobber v${{ inputs.pkgVersion }} \
-            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}")
+            $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}" | grep -v "azure")
 
       - name: Azure Login
         if: ${{ inputs.uploadAzure == true }}
@@ -100,8 +89,14 @@ jobs:
         uses: azure/CLI@9f7ce6f37c31b777ec6c6b6d1dfe7db79f497956 # v2.2.0
         with:
           inlineScript: |
-            for i in $(find ${{inputs.pkgRepo}}/nginx-agent | grep -e "nginx-agent[_-]${{inputs.pkgVersion}}"); do
-              dest="nginx-agent/${GITHUB_REF##*/}/${i##*/}"
+            echo "Uploading tarball... nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz"
+            az storage blob upload --auth-mode=login -f "${{ inputs.pkgRepo }}/nginx-agent/nginx-agent.tar.gz" \
+              -c ${{ secrets.AZURE_CONTAINER_NAME }} \
+              --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n nginx-agent/release-${{ inputs.pkgVersion }}/nginx-agent.tar.gz
+            
+            echo "Uploading packages..."
+            for i in $(find ${{ inputs.pkgRepo }}/nginx-agent | grep -e "nginx-agent[_-]${{ inputs.pkgVersion }}"); do
+              dest="nginx-agent/release-${{ inputs.pkgVersion }}/${i##*/}"
               echo "Uploading ${i} to ${dest}"
               az storage blob upload --auth-mode=login -f "$i" -c ${{ secrets.AZURE_CONTAINER_NAME }} \
               --account-name ${{ secrets.AZURE_ACCOUNT_NAME }} --overwrite -n ${dest}

Makefile.packaging

@@ -35,7 +35,7 @@ $(PACKAGES_DIR):
 	@mkdir -p $(PACKAGES_DIR)/deb && mkdir -p $(PACKAGES_DIR)/rpm && mkdir -p $(PACKAGES_DIR)/apk
 
 .PHONY: package
-package: $(PACKAGES_DIR) #### Create final packages for all supported distros
+package: gpg-key $(PACKAGES_DIR) #### Create final packages for all supported distros
 
 # Build binaries for all supported architectures
 	@for arch in $(DEB_ARCHS); do \
@@ -145,7 +145,12 @@ package: $(PACKAGES_DIR) #### Create final packages for all supported distros
 
 .PHONY: gpg-key
 gpg-key: ## Generate GPG public key
-	$$(gpg --import $(NFPM_SIGNING_KEY_FILE)); \
+	@if [ -z "$(NFPM_SIGNING_KEY_FILE)" ]; then \
+		echo "NFPM_SIGNING_KEY_FILE is not set. Exiting..."; \
+		exit 1; \
+	fi
+	@echo "Generating GPG public key for package signing...";
+	@$$(gpg --import $(NFPM_SIGNING_KEY_FILE)); \
 	keyid=$$(gpg --list-keys NGINX | egrep -A1 "^pub" | egrep -v "^pub" | tr -d '[:space:]'); \
 	if [ -z "$$keyid" ]; then echo "Error: GPG key not found."; exit 1; fi; \
 	# Check if the key is expired \