From c4d634668ce0dd3efa8f75ff527b3f620c85f5a2 Mon Sep 17 00:00:00 2001 From: lklimek <842586+lklimek@users.noreply.github.com> Date: Wed, 31 Jul 2024 10:35:12 +0200 Subject: [PATCH] build: add signed binaries to releases (#854) * feat: signed binaries * build: built binaries are not static * build: build and sign x86-64 and arm64 releases --- Makefile | 6 +- scripts/release/release.sh | 117 +++++++++++++++++++++++++++++++++++-- 2 files changed, 115 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index 8cf9474354..ad7dfedcf5 100644 --- a/Makefile +++ b/Makefile @@ -3,14 +3,14 @@ OUTPUT ?= build/tenderdash BUILDDIR ?= $(CURDIR)/build REPO_NAME ?= github.com/dashevo/tenderdash -BUILD_TAGS ?= tenderdash +BUILD_TAGS ?= tenderdash,netgo,osusergo # If building a release, please checkout the version tag to get the correct version setting ifneq ($(shell git symbolic-ref -q --short HEAD),) VERSION := unreleased-$(shell git symbolic-ref -q --short HEAD)-$(shell git rev-parse HEAD) else -VERSION := $(shell git describe) +VERSION := $(shell git describe --tags) endif -LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION) +LD_FLAGS = -X ${REPO_NAME}/version.TMCoreSemVer=$(VERSION) -linkmode 'external' -extldflags '-static' BUILD_FLAGS = -mod=readonly -ldflags "$(LD_FLAGS)" HTTPS_GIT := https://${REPO_NAME}.git BUILD_IMAGE := ghcr.io/tendermint/docker-build-proto diff --git a/scripts/release/release.sh b/scripts/release/release.sh index 2a9dbbd45c..a4547b0159 100755 --- a/scripts/release/release.sh +++ b/scripts/release/release.sh @@ -116,7 +116,7 @@ function configureFinal() { CURRENT_BRANCH="$(git branch --show-current)" SOURCE_BRANCH="v${VERSION_WITHOUT_PRERELEASE%.*}-dev" RELEASE_BRANCH="release_${NEW_PACKAGE_VERSION}" - MILESTONE="v${VERSION_WITHOUT_PRERELEASE}" + MILESTONE="v${VERSION_WITHOUT_PRERELEASE%.*}" if [[ ${RELEASE_TYPE} != "prerelease" ]]; then # full release TARGET_BRANCH="master" @@ -235,7 +235,7 @@ function createRelease() { --generate-notes \ --target "${TARGET_BRANCH}" \ ${gh_args} \ - "v${NEW_PACKAGE_VERSION}" + "v${NEW_PACKAGE_VERSION}" } function deleteRelease() { @@ -251,6 +251,109 @@ function getReleaseUrl() { gh release view --json url --jq .url "v${NEW_PACKAGE_VERSION}" } +function waitForRelease() { + debug 'Waiting for release to be published; use ^C to cancel' + + while [[ "$(gh release view --json isDraft --jq .isDraft "v${NEW_PACKAGE_VERSION}")" != "false" ]]; do + sleep 10 + done +} + +function buildAndUploadArtifacts() { + + bindir="$(mktemp -d)" + local platforms=("linux/amd64" "linux/arm64") + + waitForRelease + # checkout and build binaries from release tag + # TODO: uncomment + # git fetch --tags && git checkout "v${NEW_PACKAGE_VERSION}" + + buildBinaries "${bindir}" "${platforms[@]}" + + # Sign binaries + signBinary "${bindir}"/tenderdash-* + + # Create tarball + for platform in "${platforms[@]}"; do + local platform_safe="${platform//\//-}" + + tar -C "${bindir}" \ + -czf "${bindir}/tenderdash-${NEW_PACKAGE_VERSION}-${platform_safe}.tar.gz" \ + "tenderdash-${platform_safe}" "tenderdash-${platform_safe}.sig" + done + + sha256sum "${bindir}"/*.tar.gz >"${bindir}"/SHA256SUMS + + # Upload to release + uploadBinaries "${bindir}" + + # Cleanup + rm -r "${bindir}" +} + +# buildBinaries ... +function buildBinaries() { + local dest_dir="$1" + shift + if [[ -z "${dest_dir}" ]]; then + error "Destination directory is required to build binaries" + fi + + debug Building binaries + pushd "$(realpath "$(dirname "${0}")/../..")" + + while [ -n "$1" ]; do + platform="$1" + shift + + local platform_safe="${platform//\//-}" + + debug "Building binaries for ${platform}" + make clean + docker buildx build \ + --platform "${platform}" \ + --build-arg TENDERMINT_BUILD_OPTIONS='tenderdash,stable' \ + -f DOCKER/Dockerfile \ + -t tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}" \ + --load \ + . + # Copy /usr/bin/tenderdash from image to dest_dir + docker create --name tenderdash-local-"${platform_safe}" --platform "${platform}" tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}" + docker cp tenderdash-local-"${platform_safe}":/usr/bin/tenderdash "${dest_dir}/tenderdash-${platform_safe}" + docker rm tenderdash-local-"${platform_safe}" + # Remove the image + docker rmi tenderdash-local:"v${NEW_PACKAGE_VERSION}-${platform_safe}" + done + + popd +} + +# Sign tenederdash binary using default gpg key +# +# The key can be overridden by setting GPG_KEY_ID environment variable +# +# Args: list of binaries to sign +function signBinary() { + + local gpg_cmd="gpg" + if [[ -n "${GPG_KEY_ID}" ]]; then + gpg_cmd="gpg --local-user=${GPG_KEY_ID}" + fi + + for binary in "$@"; do + debug "Signing binaries with GPG ${gpg_cmd}" + $gpg_cmd --armor "--output=${binary}.sig" --detach-sign "${binary}" + done +} + +function uploadBinaries() { + local bin_dir="$1" + + debug uploading artifacts to release "v${NEW_PACKAGE_VERSION}" + gh release upload --clobber "v${NEW_PACKAGE_VERSION}" "${bin_dir}"/{*.tar.gz,SHA256SUMS} +} + function cleanup() { debug Cleaning up @@ -260,6 +363,8 @@ function cleanup() { # We need to re-detect current branch again CURRENT_BRANCH="$(git branch --show-current)" + + make clean } configureDefaults @@ -283,11 +388,11 @@ success "Release PR: ${PR_URL}" success "Please review it and merge." -if [[ "${RELEASE_TYPE}" = "prerelease" ]] ; then +if [[ "${RELEASE_TYPE}" = "prerelease" ]]; then success "NOTE: Use 'squash and merge' approach." -else +else success "NOTE: Use 'create merge commit' approach." -fi +fi waitForMerge @@ -300,3 +405,5 @@ sleep 5 # wait for the release to be finalized success "Release ${NEW_PACKAGE_VERSION} created successfully." success "Accept it at: $(getReleaseUrl)" + +buildAndUploadArtifacts