From 26b19bfeacfff70b0c568eab84efba16b6dbf4d6 Mon Sep 17 00:00:00 2001 From: Joe Doss Date: Wed, 11 Dec 2024 15:01:03 -0600 Subject: [PATCH] Enable RPM and Deb package uploads to packages.smallstep.com --- .gitignore | 4 +++ .goreleaser.yml | 36 ++++++++++++++++++++-- scripts/package-repo-import.sh | 56 ++++++++++++++++++++++++++++++++++ scripts/package-upload.sh | 24 +++++++++++++++ 4 files changed, 117 insertions(+), 3 deletions(-) create mode 100755 scripts/package-repo-import.sh create mode 100755 scripts/package-upload.sh diff --git a/.gitignore b/.gitignore index d4d55de..a5047a5 100644 --- a/.gitignore +++ b/.gitignore @@ -25,3 +25,7 @@ dist/ # Dependency directories (remove the comment below to include it) # vendor/ + +# Packages files +0x889B19391F774443-Certify.key +gha-creds-*.json diff --git a/.goreleaser.yml b/.goreleaser.yml index 0e6bb59..f04bc82 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -4,6 +4,17 @@ # - https://github.com/goreleaser/goreleaser-cross # - https://github.com/goreleaser/goreleaser-cross-example project_name: step-kms-plugin +version: 2 + +variables: + packageName: step-kms-plugin + packageRelease: 1 # Manually update release: in the nfpm section to match this value if you change this + +after: + hooks: + # This script depends on IS_PRERELEASE env being set. This is set by CI in the Is Pre-release step. + - cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }} + output: true builds: - id: linux-amd64 
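Review bot: The package release number now lives in three places that must be edited together: `packageRelease: 1` in this hunk, `release: "1"` in the nfpms section, and `RELEASE="1"` hard-coded in scripts/package-repo-import.sh, while the `after` hook passes only the name and version. If one of them is bumped alone, the import script's existing-version check would look up a version string that does not match what was built. Passing the variable through removes one copy: `- cmd: bash scripts/package-repo-import.sh {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }}`, with `RELEASE="${3:-1}"` in the script.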
@@ -113,11 +124,17 @@ archives: - completions/* nfpms: - - builds: + - id: packages + builds: - linux-amd64 - linux-arm64 - package_name: step-kms-plugin - file_name_template: "{{ .PackageName }}_{{ .Version }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}" + package_name: "{{ .Var.packageName }}" + release: "1" + file_name_template: >- + {{- trimsuffix .ConventionalFileName .ConventionalExtension -}} + {{- if and (eq .Arm "6") (eq .ConventionalExtension ".deb") }}6{{ end -}} + {{- if not (eq .Amd64 "v1")}}{{ .Amd64 }}{{ end -}} + {{- .ConventionalExtension -}} vendor: Smallstep Labs homepage: https://github.com/smallstep/step-kms-plugin maintainer: Smallstep @@ -139,6 +156,13 @@ nfpms: - src: completions/zsh_completion dst: /usr/share/zsh/site-functions/_step-kms-plugin packager: rpm + rpm: + signature: + key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}" + deb: + signature: + key_file: "{{ .Env.GPG_PRIVATE_KEY_FILE }}" + type: origin overrides: deb: dependencies: @@ -160,6 +184,12 @@ sboms: checksum: name_template: "checksums.txt" +publishers: +- name: Google Cloud Artifact Registry + ids: + - packages + cmd: ./scripts/package-upload.sh {{ abs .ArtifactPath }} {{ .Var.packageName }} {{ .Version }} {{ .Var.packageRelease }} + snapshot: name_template: "{{ .Tag }}" diff --git a/scripts/package-repo-import.sh b/scripts/package-repo-import.sh new file mode 100755 index 0000000..679e0ef --- /dev/null +++ b/scripts/package-repo-import.sh 
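Review bot: The `rpm.signature` and `deb.signature` blocks in the `@@ -139,6 +156,13 @@` hunk take the signing key path from `GPG_PRIVATE_KEY_FILE` with no comment saying who sets it or what kind of key it must be, unlike the `after` hook, which documents its `IS_PRERELEASE` dependency. The .gitignore entry `0x889B19391F774443-Certify.key` added in the same commit suggests the key file is written into the checkout during a release, and its name hints that it may be the certification (primary) key, not a signing-only subkey; that is inferred from the file name and worth confirming. I would add above each `signature:` block: `# GPG_PRIVATE_KEY_FILE: path to the package signing key, written by the release workflow; export a signing-only subkey and remove the file after the run.` How the key passphrase reaches nfpm is not visible in this diff and should be documented in the same place. The nfpms entry begins and continues outside this hunk.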
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+set -e
+
+: ${GCLOUD_LOCATION:=us-central1}
+: ${GCLOUD_RPM_REPO:=rpms}
+: ${GCLOUD_DEB_REPO:=debs}
+
+PACKAGE="${1}"
+VERSION="${2}"
+RELEASE="1"
+EPOCH="0"
+GORELEASER_PHASE=${GORELEASER_PHASE:-release}
+
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+
+check_package() {
+ local EXITCODE=0
+ local REPO="${1}"
+ local VER="${2}"
+ if [ ! -f /tmp/version-deleted.stamp ]; then
+ gcloud artifacts versions list \
+ --repository "${REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --package "${PACKAGE}" \
+ --filter "VERSION:${VER}" \
+ --format json 2> /dev/null \
+ | jq -re '.[].name?' >/dev/null 2>&1 \
+ || EXITCODE=$?
+ if [[ "${EXITCODE}" -eq 0 ]]; then
+ echo "Package version already exists. Removing it..."
+ gcloud artifacts versions delete \
+ --quiet "${VER}" \
+ --package "${PACKAGE}" \
+ --repository "${REPO}" \
+ --location "${GCLOUD_LOCATION}"
+ touch /tmp/version-deleted.stamp
+ fi
+ fi
+}
+
+if [[ ${IS_PRERELEASE} == "true" ]]; then
+ echo "Skipping artifact import; IS_PRERELEASE is 'true'"
+ exit 0;
+fi
+
+check_package "${GCLOUD_RPM_REPO}" "${EPOCH}:${VERSION}-${RELEASE}"
+gcloud artifacts yum import "${GCLOUD_RPM_REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --gcs-source "gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/*"
+
+check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}
+gcloud artifacts apt import "${GCLOUD_DEB_REPO}" \
+ --location "${GCLOUD_LOCATION}" \
+ --gcs-source "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/*"
diff --git a/scripts/package-upload.sh b/scripts/package-upload.sh
new file mode 100755
index 0000000..064dc43
--- /dev/null
+++ b/scripts/package-upload.sh
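Review bot: The Debian call `check_package ${GCLOUD_DEB_REPO} "${VERSION}-${RELEASE}"}` in scripts/package-repo-import.sh has a stray `}` after the closing quote, so the version filter becomes `${VERSION}-1}` and can never match an existing Debian version; it should read `check_package "${GCLOUD_DEB_REPO}" "${VERSION}-${RELEASE}"`. Separately, `check_package` skips all work once `/tmp/version-deleted.stamp` exists, so after an RPM version is deleted the Debian check is not run at all, and a stale stamp left on a reused runner disables both checks. Dropping the stamp guard, or keeping one stamp per repository inside a `mktemp -d` directory, avoids that. Because the listing pipeline sends stderr to /dev/null and runs without `pipefail`, an authentication or API failure is indistinguishable from "version not found"; letting gcloud errors abort the script would make that case visible in the release log.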
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -e
+set -x
+
+FILE="${1}"
+PACKAGE="${2}"
+VERSION="${3}"
+
+echo "Package File: ${FILE}"
+echo "Package: ${PACKAGE}"
+echo "Version: ${VERSION}"
+echo "Release: ${RELEASE}"
+echo "Location: ${GCLOUD_LOCATION}"
+
+if [ "${FILE: -4}" == ".deb" ]; then
+ if [[ "${FILE}" =~ "armhf6" ]]; then
+ echo "Skipping ${FILE} due to GCP Artifact Registry armhf conflict!"
+ else
+ gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/
+ fi
+else
+ gcloud storage cp ${FILE} gs://artifacts-outgoing/${PACKAGE}/rpm/${VERSION}/
+fi
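Review bot: scripts/package-upload.sh reads only three positional arguments, but the publisher added in .goreleaser.yml passes `{{ .Var.packageRelease }}` as a fourth, so `echo "Release: ${RELEASE}"` prints an empty value unless the environment happens to define it; add `RELEASE="${4}"` after `VERSION="${3}"`. `GCLOUD_LOCATION` is likewise echoed without the default that package-repo-import.sh sets. Both `gcloud storage cp ${FILE} gs://…` calls expand unquoted, so an artifact path containing spaces or glob characters is split; quote them, e.g. `gcloud storage cp "${FILE}" "gs://artifacts-outgoing/${PACKAGE}/deb/${VERSION}/"`. With `set -u` added next to `set -e`, a missing argument would stop the upload instead of copying to a bucket path with an empty segment.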