Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CLI-2823] Add chocolatey to goreleaser config #2365

Draft
wants to merge 21 commits into
base: main
Choose a base branch
from
Draft

Conversation

sgagniere
Copy link
Member

@sgagniere sgagniere commented Oct 20, 2023

Release Notes

Breaking Changes

  • PLACEHOLDER

New Features

  • PLACEHOLDER

Bug Fixes

  • PLACEHOLDER

Checklist

  1. [CRUCIAL] Is the change for features that are already live in prod?
    • yes: ok

What

Add a new Windows build (w/ updates disabled) for Chocolatey.
Add the chocolatey block to the goreleaser file.

References

https://goreleaser.com/customization/chocolatey/

Test & Review

TODO: test locally

Open Questions / Follow-ups

.goreleaser.yml Outdated
goarch:
- amd64
hooks:
# TODO: We might have to convert some of these to global before/after hooks since we'll now have multiple Windows binaries w/ different ldflags
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, let's try to avoid running az login more than once. When this is automated in Semaphore it won't result in an annoying pop-up, but might result in a longer release time.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(and I guess we only need to download the signing secret once, too)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Aside from just the annoyance of two popups, I actually discovered a pretty annoying thing when I was testing this: if you log in w/ one of the tabs and close out the other, goreleaser just blocks on that pre-hook.

Converting it into a global before hook worked perfectly, though (I'll update the remote branch soon).

For the downloading, we have some options. What I tried is downloading to two separate files so that the removal post hook doesn't remove the file before the other build's post hook can sign with it. This works, although it's a bit clunky carrying two copies of the signing file with different names.

The other option is to download the file in the global before hook and remove it in the global after hook. The documentation for the after hook has weird wording which is why I didn't try it first.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The other option is to download the file in the global before hook and remove it in the global after hook.

👍

.goreleaser.yml Outdated Show resolved Hide resolved
.goreleaser.yml Outdated
release_notes: https://docs.confluent.io/confluent-cli/current/release-notes.html
# TODO
api_key: "{{ .Env.CHOCOLATEY_API_KEY }}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be reading this directly from vault instead?

Copy link
Member Author

@sgagniere sgagniere Oct 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah if we do end up using the chocolatey repo, that's what we'll do. This is just a "don't forget this" placeholder.

Actually, no matter which repo we end up using we'll need a corresponding api-key, so we'll be likely be storing and reading it from vault no matter what we go with.

.goreleaser.yml Outdated
@@ -178,6 +178,33 @@ builds:
post:
- cmd: ./lib/osslsigncode sign -n "Confluent CLI" -i "https://confluent.io" -pkcs12 CLIEVCodeSigningCertificate2.pfx -in {{ .Path }} -out {{ .Path }}
- cmd: rm CLIEVCodeSigningCertificate2.pfx
- id: confluent-windows-amd64-chocolatey
Copy link
Member

@brianstrauch brianstrauch Oct 23, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to come up with a more generic name, i.e. confluent-windows-amd64-disableupdates in case we want to support scoop (or other Windows package managers) in the future. We should probably consider doing the same for the linux/darwin builds too.

@@ -0,0 +1,15 @@
FROM --platform=linux/amd64 ubuntu:jammy-20231211.1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have other Dockerfiles like this one. Let's make sure they're all using the same ubuntu version?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't, unfortunately.

The other Ubuntu image doesn't have a new enough version of mingw-w64 to be able to cross compile for Windows.

This Ubuntu image has glibc version 2.35, which is too high for cross compiling Linux arm64 without a breaking change.

#!/bin/bash

function cleanup {
shred --force --remove --zero --iterations=10 CLIEVCodeSigningCertificate2.pfx
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not the end of the world if we don't do this since the CI machines get reset between runs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

True, but I'm writing this so far on the assumption that we might be releasing before we fully switch to the CI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants