Skip to content

Commit

Permalink
Deploy dmg and deb files built on Travis to downloads.mixxx.org.
Browse files Browse the repository at this point in the history 
Adds an RSA key that is authorized to login to
downloads-hostgator.mixxx.org. This key is encrypted with a password which is
provided as a Travis secure variable.
  • Loading branch information
@rryan
rryan committed Jul 20, 2020
1 parent 4669ad2 commit 9226812
Show file tree
Hide file tree
Showing 5 changed files with 122 additions and 0 deletions.
11 changes: 11 additions & 0 deletions .travis.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ env:
- CTEST_OUTPUT_ON_FAILURE=1
# Render analyzer waveform tests to an offscreen buffer
- QT_QPA_PLATFORM=offscreen
# DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD for deploys.
- secure: aS40s8gx1mM01oRj2pskFqR+rBID1nnTY7hwSqkT1bgJT+JF0tMZt/SkMjR08bp+3soNbBtqJgZKAhQ6Tts2DtkWQGbUiXgU5QpowUcecTxge/jqxZeWdJWThpB+qWs70Fm0QhzZXIyBPM8EGljWbLum5ncR7AUBEasRboNZ0P8=

jobs:
include:
Expand Down Expand Up @@ -256,3 +258,12 @@ addons:
notifications:
webhooks:
- https://mixxx.zulipchat.com/api/v1/external/travis?stream=travis&topic=build-status&api_key=$ZULIP_API_KEY

deploy:
provider: script
skip_cleanup: true
# Deploy is executed from cmake_build.
script: ../build/travis/deploy.sh
on:
all_branches: true
condition: "\"${TRAVIS_JOB_NAME}\" =~ CMake"
20 changes: 20 additions & 0 deletions build/certificates/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@

# Key Rotation

# downloads-hostgator.mixxx.org

SSH access is granted via an RSA key stored in `build/certificates/downloads-hostgator.mixxx.org.key`.

To rotate this key, generate a new RSA key with a strong password (e.g. 32 character randomly generated).

```
ssh-keygen -t rsa -b 4096 -f downloads-hostgator.mixxx.org.key
```

Copy the **public** key to `$HOME/.ssh/authorized_keys`, replacing the old file to remove access for the current key.

Encrypt the password using `travis encrypt` and update `.travis.yml`.

```
travis encrypt DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD=hunter2 -r mixxxdj/mixxx
```
54 changes: 54 additions & 0 deletions build/certificates/downloads-hostgator.mixxx.org.key
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,4D25AED6ED1AD07B47186093278F7F27

/aFQab21BJ4OnILuHd/FoXQfURebSWX/LhKrukZLqE1TvkftwDVhjHHjxFmo1yp2
oU8B4vx15os5QZa24KNGBsFVGd59scSEIZO8MTLk+T0hvF6huA7x3B6FGE7T9prJ
swKghpM9sn72IRRBF8XPmk2lPw1XwC2AcUMSp0kqPK96jxAdsbqroKfhVMWIuNEC
+kiuZjoJNkrfnwsKd3aIEtFq7x9tSuWztyxn8y8OnQuo8Vew97DOabuX97DEzpk/
nsTaoK239oImBbRTHj3Y2ocJpZGW+FNeUqE89IukXRPvy0vvSS/A7hAH1kB1Hyjs
/DNs5I2YNw+drhdPwlxPa6mTeDVzhY2/EQ+2m6D7jFgTe1Jt083ELVkA5EFGD4qq
rEy/G6YnLUhUrp7ssSqB6zSm+wH6F24U2Cxrzoe7IUJfanynkYamzEY0OSoCVW3b
2IOMWrytibJiP0mCWkW4yowwaIplPPhFXOY8iaMfLGvwYaa+w9bSNjip1UBjjce/
Z+sp7MiJiXbS28SDjMe9J1Lw3hEFRR/F5YJ2za3UAlB8bwFJF30i7YwEas6RaEwu
obEca64x3CpCDFAzPYInKDORvMu6xfByuLxZ/WCq8APrAp56924+TvNFnRbqKaLh
xvOR5rM0rqGlbhBTpTY1bKXCudzosI7uMUGoPFodP8S87tFUHyZYXOi/ZBKVhi8s
Q7v2c2v+2D2oMwGaqFzPOug/QbcXfzDdND1ZBwAr18I7YgJJUBJXIPbn6LFiqpJp
8+91jSVGPdX8Z0cudn6jvBwcpj7BvG9/IBfW7/ORDxsIQq6fogk2REFwBlDtPfCQ
8OENo2pvhbXUoYGq+BNmjdT7pyYZbbKQ4ufix2B8xjjK6hpF7e6DGxpEmVr93UnP
i+lkgCKpQMME9LDtcNDcptIEIqan9YEEpCukmSz9MF1SzKG1Cp/Ych1cnAtO3FGI
LqUVKHoSf5Q35By1t3fythHe5UR++XjwAM7f+eZTPqWRg4T1z4MDV+WtFSDdW+fs
WoPsr+/AXQZJePly70liyYeu5nltwAdx+fhX6hxqGssA1eGrJwAZsTlgg7JWDwWe
bg3JKkJ4O954auUGKVWDbu0wSHletysgEumaq43vM0pv3CVknh9xKsmtG6jeGgt1
LlDPUvCBVkReejtnncoh8v9/5WwVPwq+qNVzRmUJQ9CrxFkZFibe1EVl2olieC5E
26qK/GqiMh5WjdXU5v8GNWR4M5AGVBcuNyUtYBP4mmAuXGu3T7ceKF2wUmdF70YM
QGDuNnJdPavcg9b85r/mFvvJVRhUjcf/FWCOnkfT4fEMBrQZgMPSFz37V+d8hXO6
u5cW2rrrbVwL/n4JT4RS1B/Mmtf/e9D0JFybne/qGgYfMv1Zp87uZIDZhCqiBSs+
39XGccpxtn3t63bKzbH81a0QYN/SqDc0vPttw8isHKlu+tGbar/Yo6qbo5Q1aGfQ
8SIVsjMNYfUs9qeIOrpVYiyX+LiTWVQS3R1Fx6mA16DBqkpVIwgM9nJOuC5YtytM
36NJksTi73hsEQTa03P60PRKFTXrrs7pUc1mxmwk50YX2zhJrIHGw5iESFkAJ88A
f8p8zf7WUzaf1rqcXvRYghTrn6SNsew8vC/Bob7pub0p6KFRuCfU1fellTqikhKt
AWpyKyQJanoiuJ5NWcJ2E6eAqlG51U+wLC1Uv8IBhR1y/zwF0aoDcKZlv7MJlBMb
juDPmNDPa/In8lqL0CI18svUU+kAImGgJdeNr9eE5s95oiqMhOSTTTvRiX4t+PvW
FFsw6zGtyKUOygBndF91q7GPBXTrPTlvlK/S0e0P/mZImbrS8XUwqcl4iOJU3Y9L
9nwWj49v7scer68PMWZGDoCSyPKlkSFysUyk8z2W+gN13W0CecCQNl13wSf4QEJ8
YGcxQ24AcOUAq5CFU/KvLseqKAKZVPaUBzitiCjVZER/1dIg0NqSyRTkKacuS3Em
5G8777TOVJhRJY65x9PnkXZjaGrHKYzNHHRvh+nVNu7j3PMLUhXpTkCf1BDlMTbl
8E2/ucbZmRlvX4mfL7CbR03IgUHCEtmMnZPvW4v9/qbnutOsedE6Im54MC+oXAr8
XJxP04EJ0SgmOsZiwLIp/qoQhvT5BeML7qvP8CQxkLgg3BQMeC6e2i8wNGiM+94Q
c5yHwoLiOYMBgjSKU160/eN9aO5QFcALMz8/CT4zXT19mkXjK5QaR9Jz2f68luLf
QffYOhM+QCjMio/Z62/RiI0w3AgV1p4miyP1MPbcFL9jdWC0b2AF7/ewTnsXdmD6
NzwPIqK2ffwNJJ1B8fDhZKRgOyMigAqU8viahx8yeWNpgwyN0Cp3zkAvrpg1/tEa
B/TqmRgVX9N2Og3OqtXcNNWgc+SNYGyS4PEAu46Fxao1mubKftw5H7RC6L3WzVHP
G50aU2ewrBox2a9IJLnaVXHe5dqiMaGbaMyZweCqZDzsIb6BfOot7+3T6NrbEZVC
57TpRDZOxAF1yaOSTO4yivsVB7PU3fPUq/YAoBIyhZt6zvi8MOhpjV7KQhwL4GZi
0v9WYGQSIYGGQ0uYzIiZ7bLloXwWIMmC4nJkpvPfVChsvVXIyy1zfNY3qrETckW8
7jE6NzMGJ5EmK7p919J6L7+YE7E3anc+wUTJSlwrWz1K2eGIC8OmN1jyKdqZkfGj
/mE/eUFcwC5+whf7EwXaHCnd/u+e1B7lGfzPC551ovRDydGhGYT+CBNaZGqsLEnu
yq3qJCEBhbDV8kDaWgx/34ta/Vp6ZeASj7Qf6h/++645Q+yg6F/616isJrujBXO+
qa0c99wM9rXNlyWcIAEPZ9ul0qfat4hA91Mv9LNzJd8mVSHGOpz5VEgFhix/3TKz
DSDLBpbDIyPWnPGZAo7tQg11kWCtQIgLTCB+zkfmYJklNmxKe6j3TnCC/0BjLgWF
LHHLykvZ5SxK2/m/tQwEDA7xfh1h8EqpmpIjAJVvjUbR3bu3cMrV+GRs0HuZk60I
gDM4fgUsM0JApSvgSrvJx3yMCDCqhN1VPjEwnXFHVsK39GQs6zvlCbsYjuifRzmR
AjOSGOWQfwbhDm+AdN6Zi8xi5VbYMlmaeYwYIrG00PmxxeAzqjVcAIn5Z04tCGJA
-----END RSA PRIVATE KEY-----
1 change: 1 addition & 0 deletions build/certificates/downloads-hostgator.mixxx.org.key.pub
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDP1q+/ayZvi1NCqVZBmajI1TP2qAO1H5pNLx80z/qfNkFMWspgrT3//xaItMfhyIjAycQfDBYOatxFCNST5y12Pjm8H1SF74dHLIVhBdAGfb7JtOt4vAqxeJp7E7T3gn7ZmcNCJnnVPnX0Wl4NRNvS/sE7Q5a/UUNOJGWyvKfrfvuvp91J+XQqhB6shUkmGmchL5ISHbq1i6EbH3ZyRqmPQSAROJ9yyQIVBuCuSisgl3teOnqDxibFP8yMOJhysw3VA8U29ERP8gtvSjcTfDJXeiMM6y6Ty4SrYJe3KUU2OQI3u4W31KREUGj9zH9SBcfh/EvUjw/bw/OSgKxsCaJIeH8bOnFz037ipgGCTbYcdvhEKIJRFqy0/kjm7hf4rWITNJ9Wvkn83MAhvEeOVPoV6cajQZd/0r54Fg8/6/mhp7J5yBBNjKNRYDW5wDpYPjwRvxVEIYS5QD1wwUHmRF1qy1YiAJK37YmoWr4Fd8fWNF5g+ozhCacaxIMcWjKneStwCsjxIG4mTBEnJAIt6mFptoX0ewA8ozgw7POBNLSW469LiGDZOf9GTBL6YsGyaV2WzWjSIFYn2dqL+TfSaKNqDBFoHLJ2SZ+Utp5a63NCaLAY5TbGUbzAMmq8j4qrJa1wu6y7GUKiYs5BByik+j9szW0/i28FkQjnZYMPtTSJ/w== mixxx@downloads-hostgator.mixxx.org
36 changes: 36 additions & 0 deletions build/travis/deploy.sh
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
#!/bin/bash
#
# Deploy artifacts (e.g. dmg, deb files) built by Travis to downloads.mixxx.org.
# Run within the cmake_build directory.

set -eu -o pipefail

USER=mixxx
HOSTNAME=downloads-hostgator.mixxx.org
TRAVIS_DESTDIR=public_html/downloads/builds/travis
SSH_KEY=../build/certificates/downloads-hostgator.mixxx.org.key
SSH="ssh -i ${SSH_KEY} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"

if [[ "${TRAVIS_PULL_REQUEST}" != "false" ]]; then
echo "Skipping deploy since we are in a pull request."
exit 0
fi

DEST_PATH=${TRAVIS_DESTDIR}/${TRAVIS_BRANCH}/
TMP_PATH=${TRAVIS_DESTDIR}/.tmp/$TRAVIS_BUILD_ID/

echo Deploying to $TMP_PATH, then to $DEST_PATH.

# Remove permissions for group and other users so that ssh-keygen does not
# complain about the key not being protected.
chmod go-rwx ${SSH_KEY}

# "Unlock" the key by removing its password. This is easier than messing with ssh-agent.
ssh-keygen -p -P ${DOWNLOADS_HOSTGATOR_DOT_MIXXX_DOT_ORG_KEY_PASSWORD} -N "" -f ${SSH_KEY}

# Always upload to a temporary path.
shopt -s extglob
rsync -e "${SSH}" --rsync-path="mkdir -p ${TMP_PATH} && rsync" -r --delete-after --quiet *.@(deb|dmg) ${USER}@${HOSTNAME}:${TMP_PATH}

# Move from the temporary path to the final destination.
$SSH ${USER}@${HOSTNAME} "mkdir -p ${DEST_PATH} && mv ${TMP_PATH}/* ${DEST_PATH} && rmdir ${TMP_PATH}"

0 comments on commit 9226812

Please sign in to comment.