diff --git a/.github/workflows/post-merge.yaml b/.github/workflows/post-merge.yaml index 13ae673c2b..b8904e7746 100644 --- a/.github/workflows/post-merge.yaml +++ b/.github/workflows/post-merge.yaml @@ -57,10 +57,61 @@ jobs: run: make ci-go-test-coverage timeout-minutes: 30 + release-build: + name: Release Build (linux, windows) + runs-on: ubuntu-18.04 + needs: generate + steps: + - name: Check out code + uses: actions/checkout@v2 + + - name: Build Linux and Windows + run: make ci-go-build-linux ci-go-build-windows + timeout-minutes: 30 + env: + TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} + + - name: Upload binaries + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + + release-build-darwin: + name: Release Build (darwin) + runs-on: macos-latest + needs: generate + steps: + - name: Check out code + uses: actions/checkout@v2 + + - id: go_version + name: Read go version + run: echo "::set-output name=go_version::$(cat .go-version)" + + - name: Install Go (${{ steps.go_version.outputs.go_version }}) + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.go_version.outputs.go_version }} + + - name: Build Darwin + run: make build-darwin + timeout-minutes: 30 + env: + TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} + + - name: Upload binaries (darwin) + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + deploy-edge: name: Push Edge Release runs-on: ubuntu-18.04 - needs: generate + needs: [release-build, release-build-darwin] steps: - name: Check out code uses: actions/checkout@v2 @@ -69,10 +120,11 @@ jobs: run: make ci-release-test timeout-minutes: 60 - - name: Build Release Binaries - env: - TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - run: make release-local + - name: Download release binaries + uses: actions/download-artifact@v2 + with: + name: binaries + path: _release - name: Deploy OPA Edge env: diff --git a/.github/workflows/post-tag.yaml b/.github/workflows/post-tag.yaml index cb702fd297..c88f7739ab 100644 --- a/.github/workflows/post-tag.yaml +++ b/.github/workflows/post-tag.yaml @@ -6,8 +6,60 @@ on: - '*' jobs: + release-build: + name: Release Build (linux, windows) + runs-on: ubuntu-18.04 + needs: generate + steps: + - name: Check out code + uses: actions/checkout@v2 + + - name: Build Linux and Windows + run: make ci-go-build-linux ci-go-build-windows + timeout-minutes: 30 + env: + TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} + + - name: Upload binaries + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + + release-build-darwin: + name: Release Build (darwin) + runs-on: macos-latest + needs: generate + steps: + - name: Check out code + uses: actions/checkout@v2 + + - id: go_version + name: Read go version + run: echo "::set-output name=go_version::$(cat .go-version)" + + - name: Install Go (${{ steps.go_version.outputs.go_version }}) + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.go_version.outputs.go_version }} + + - name: Build Darwin + run: make build-darwin + timeout-minutes: 30 + env: + TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} + + - name: Upload binaries (darwin) + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + build: name: Push Latest Release + needs: [release-build, release-build-darwin] runs-on: ubuntu-latest steps: - name: Check out code @@ -21,10 +73,11 @@ jobs: run: make ci-release-test timeout-minutes: 60 - - name: Build Release Binaries - env: - TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - run: make release + - name: Download release binaries + uses: actions/download-artifact@v2 + with: + name: binaries + path: _release - name: Build and Deploy OPA Docker Images id: build-and-deploy diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index df07a623fa..36db3a9f1f 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -13,10 +13,44 @@ jobs: - name: Check out code uses: actions/checkout@v2 - - name: Build Golang - run: make ci-go-build-all-platforms + - name: Build Linux and Windows + run: make ci-go-build-linux ci-go-build-windows timeout-minutes: 30 + - name: Upload binaries + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + + go-build-darwin: + name: Go Build (darwin) + runs-on: macos-latest + steps: + - name: Check out code + uses: actions/checkout@v2 + + - id: go_version + name: Read go version + run: echo "::set-output name=go_version::$(cat .go-version)" + + - name: Install Go (${{ steps.go_version.outputs.go_version }}) + uses: actions/setup-go@v2 + with: + go-version: ${{ steps.go_version.outputs.go_version }} + + - name: Build Darwin + run: make build-darwin + timeout-minutes: 30 + + - name: Upload binaries (darwin) + uses: actions/upload-artifact@v2 + if: always() + with: + name: binaries + path: _release + go-test: name: Go Test runs-on: ubuntu-18.04 diff --git a/.go-version b/.go-version index e71519696f..c807441cfe 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.16 +1.16.3 diff --git a/Dockerfile b/Dockerfile index ca47d60013..0c73f264b5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,7 +19,7 @@ MAINTAINER Torin Sandall USER ${USER} ARG BIN_DIR=. -COPY ${BIN_DIR}/opa_docker_amd64 /opa +COPY ${BIN_DIR}/opa_linux_amd64 /opa ENTRYPOINT ["/opa"] CMD ["run"] diff --git a/Makefile b/Makefile index a14572e987..86dc8382f9 100644 --- a/Makefile +++ b/Makefile @@ -7,8 +7,11 @@ VERSION := $(shell ./build/get-build-version.sh) CGO_ENABLED ?= 1 WASM_ENABLED ?= 1 -# Force modules on and to use the vendor directory. -GO := CGO_ENABLED=$(CGO_ENABLED) GO111MODULE=on GOFLAGS=-mod=vendor go +# See https://golang.org/cmd/go/#hdr-Build_modes: +# > -buildmode=exe +# > Build the listed main packages and everything they import into +# > executables. Packages not named main are ignored. +GO := CGO_ENABLED=$(CGO_ENABLED) GOFLAGS="-buildmode=exe" go GO_TEST_TIMEOUT := -timeout 30m GO_TAGS := -tags= @@ -22,6 +25,12 @@ GOOS := $(shell go env GOOS) DOCKER_RUNNING := $(shell docker ps >/dev/null 2>&1 && echo 1 || echo 0) +# We use root because the windows build, invoked through the ci-go-build-windows +# target, installs the gcc mingw32 cross-compiler. +# For image-quick, it's overridden, so that the built binary isn't root-owned. +DOCKER_UID ?= 0 +DOCKER_GID ?= 0 + ifeq ($(shell tty > /dev/null && echo 1 || echo 0), 1) DOCKER_FLAGS := --rm -it else @@ -79,7 +88,8 @@ generate: wasm-lib-build build: go-build .PHONY: image -image: ci-go-build-docker +image: + DOCKER_UID=$(shell id -u) DOCKER_GID=$(shell id -g) $(MAKE) ci-go-build-linux @$(MAKE) image-quick .PHONY: install @@ -221,7 +231,7 @@ wasm-rego-testgen-install: CI_GOLANG_DOCKER_MAKE := $(DOCKER) run \ $(DOCKER_FLAGS) \ - -u $(shell id -u):$(shell id -g) \ + -u $(DOCKER_UID):$(DOCKER_GID) \ -v $(PWD):/src \ -w /src \ -e GOCACHE=/src/.go/cache \ @@ -247,23 +257,22 @@ ci-check-working-copy: generate .PHONY: ci-wasm ci-wasm: wasm-test -.PHONY: build-docker -build-docker: ensure-release-dir - $(GO) build $(GO_TAGS) -o $(RELEASE_DIR)/opa_docker_$(GOARCH) -ldflags $(LDFLAGS) - .PHONY: build-linux build-linux: ensure-release-dir - @$(MAKE) build GOOS=linux CGO_ENABLED=0 WASM_ENABLED=0 + @$(MAKE) build GOOS=linux + chmod +x opa_linux_$(GOARCH) mv opa_linux_$(GOARCH) $(RELEASE_DIR)/ .PHONY: build-darwin build-darwin: ensure-release-dir - @$(MAKE) build GOOS=darwin CGO_ENABLED=0 WASM_ENABLED=0 + @$(MAKE) build GOOS=darwin + chmod +x opa_darwin_$(GOARCH) mv opa_darwin_$(GOARCH) $(RELEASE_DIR)/ .PHONY: build-windows build-windows: ensure-release-dir - @$(MAKE) build GOOS=windows CGO_ENABLED=0 WASM_ENABLED=0 + build/ensure-windows-toolchain.sh + @$(MAKE) build GOOS=windows CC=x86_64-w64-mingw32-gcc mv opa_windows_$(GOARCH) $(RELEASE_DIR)/opa_windows_$(GOARCH).exe .PHONY: ensure-release-dir @@ -271,7 +280,7 @@ ensure-release-dir: mkdir -p $(RELEASE_DIR) .PHONY: build-all-platforms -build-all-platforms: build-docker build-linux build-darwin build-windows +build-all-platforms: build-linux build-darwin build-windows .PHONY: image-quick image-quick: diff --git a/build/ensure-windows-toolchain.sh b/build/ensure-windows-toolchain.sh new file mode 100755 index 0000000000..e3ad5549d5 --- /dev/null +++ b/build/ensure-windows-toolchain.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +set -exo pipefail +CC=x86_64-w64-mingw32-gcc +PKG=gcc-mingw-w64-x86-64 + +type -f ${CC} 2>/dev/null && exit 0 + +apt-get update && \ + apt-get install --no-install-recommends -y ${PKG} diff --git a/build/gen-man.sh b/build/gen-man.sh index 66022fca65..d277df7a14 100755 --- a/build/gen-man.sh +++ b/build/gen-man.sh @@ -1,3 +1,3 @@ #!/bin/sh -GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run ./build/generate-man $@ +GOOS="" GOARCH="" go run ./build/generate-man $@ diff --git a/build/gen-run-go.sh b/build/gen-run-go.sh index 60e24135f5..4a7cab97d2 100755 --- a/build/gen-run-go.sh +++ b/build/gen-run-go.sh @@ -2,4 +2,4 @@ set -e -GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run -tags generate $@ \ No newline at end of file +GOOS= GOARCH= CC= go run -tags generate $@ diff --git a/build/run-goimports.sh b/build/run-goimports.sh index e52c13fe49..f81fbc302a 100755 --- a/build/run-goimports.sh +++ b/build/run-goimports.sh @@ -1,3 +1,3 @@ #!/bin/sh -GOFLAGS=-mod=vendor GO111MODULE=on GOOS="" GOARCH="" go run -tags=opa_wasm ./vendor/golang.org/x/tools/cmd/goimports -local github.com/open-policy-agent/opa $@ +GOOS="" GOARCH="" go run -tags=opa_wasm ./vendor/golang.org/x/tools/cmd/goimports -local github.com/open-policy-agent/opa $@ diff --git a/cmd/build_test.go b/cmd/build_test.go index 01404a6344..c08ffe0040 100644 --- a/cmd/build_test.go +++ b/cmd/build_test.go @@ -169,6 +169,10 @@ func TestBuildErrorVerifyNonBundle(t *testing.T) { } func TestBuildVerificationConfigError(t *testing.T) { + if os.Getuid() == 0 { + t.Skip("cannot be run as root") + } + files := map[string]string{ "public.pem": "foo", } diff --git a/keys/keys_test.go b/keys/keys_test.go index 4c90487327..5f768d06e2 100644 --- a/keys/keys_test.go +++ b/keys/keys_test.go @@ -131,9 +131,31 @@ ypZ/TdlnuGC1cOpAVyU7k32IJ9CRbt3nwEf5U54LRXLLQjFixWZHwKdDiMTF4ws0 if !reflect.DeepEqual(kc, expected) { t.Fatalf("Expected key config %v but got %v", expected, kc) } + }) +} + +func TestNewKeyConfigFileError(t *testing.T) { + if os.Geteuid() == 0 { + t.Skip("cannot run as root") + } + publicKey := `-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA9KaakMv1XKKDaSch3PFR +3a27oaHp1GNTTNqvb1ZaHZXp+wuhYDwc/MTE67x9GCifvQBWzEGorgTq7aisiOyl +vKifwz6/wQ+62WHKG/sqKn2Xikp3P63aBIPlZcHbkyyRmL62yeyuzYoGvLEYel+m +z5SiKGBwviSY0Th2L4e5sGJuk2HOut6emxDi+E2Fuuj5zokFJvIT6Urlq8f3h6+l +GeR6HUOXqoYVf7ff126GP7dticTVBgibxkkuJFmpvQSW6xmxruT4k6iwjzbZHY7P +ypZ/TdlnuGC1cOpAVyU7k32IJ9CRbt3nwEf5U54LRXLLQjFixWZHwKdDiMTF4ws0 ++wIDAQAB +-----END PUBLIC KEY-----` + + files := map[string]string{ + "public.pem": publicKey, + } + + test.WithTempFS(files, func(rootDir string) { // simulate error while reading file - err = os.Chmod(filepath.Join(rootDir, "public.pem"), 0111) + err := os.Chmod(filepath.Join(rootDir, "public.pem"), 0111) if err != nil { t.Fatalf("Unexpected error %v", err) }