Skip to content
Main (test, releases)

Zh automatic signing releases in ci #193

Sign in to view logs

Zh automatic signing releases in ci

Zh automatic signing releases in ci #193

Workflow file for this run

.github/workflows/main.yml at a1a2edf
name: Main (test, releases)
on:
# # Indicates I want to run this workflow on all branches, PR, and tags
push:
branches: ["master"]
tags: ["*"]
pull_request:
branches: [ "*" ]
# TiDB versions used in tests - single source of truth
# Latest version of each minor series: 6.1.x, 6.5.x, 7.1.x, 7.5.x, 8.1.x, 8.5.x
env:
TIDB_VERSIONS: "6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3"
jobs:
lint:
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
command:
- make vet
- make fmtcheck
steps:
- name: Checkout Git repo
uses: actions/checkout@v4
- name: Running ${{ matrix.command }}
run: ${{ matrix.command }}
prepare-dependencies:
name: Prepare Dependencies
runs-on: ubuntu-22.04
steps:
- name: Checkout Git repo
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Validate TiDB versions sync
run: |
# Extract TiDB versions from test matrix and compare with env.TIDB_VERSIONS
EXPECTED_VERSIONS="${{ env.TIDB_VERSIONS }}"
MATRIX_VERSIONS=$(grep -A 20 "db_type: tidb" .github/workflows/main.yml | grep "db_version:" | sed 's/.*db_version: "\([0-9.]*\)".*/\1/' | tr '\n' ' ' | xargs)
echo "Expected versions (from env): $EXPECTED_VERSIONS"
echo "Matrix versions (from workflow): $MATRIX_VERSIONS"
# Check if versions match (simple check - both should contain same versions)
MISSING=""
for version in $EXPECTED_VERSIONS; do
if ! echo "$MATRIX_VERSIONS" | grep -q "$version"; then
MISSING="$MISSING $version"
fi
done
if [ -n "$MISSING" ]; then
echo "ERROR: TiDB versions in env.TIDB_VERSIONS not found in test matrix: $MISSING"
echo "Please ensure test matrix includes tidb entries for all versions in env.TIDB_VERSIONS"
exit 1
fi
echo "✓ TiDB versions are in sync"
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Download Terraform
run: |
mkdir -p bin
curl -sfL https://releases.hashicorp.com/terraform/1.5.6/terraform_1.5.6_linux_amd64.zip > bin/terraform.zip
cd bin && unzip terraform.zip && rm terraform.zip && chmod +x terraform
- name: Vendor Go dependencies
run: go mod vendor
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and cache TiUP Playground Docker image
uses: docker/build-push-action@v5
with:
context: .
file: ./Dockerfile.tiup-playground
tags: terraform-provider-mysql-tiup-playground:latest
cache-from: type=gha
cache-to: type=gha,mode=max
push: false
load: true
- name: Save TiUP Playground Docker image
run: |
docker save terraform-provider-mysql-tiup-playground:latest | gzip > tiup-playground-image.tar.gz
echo "Image saved: $(du -h tiup-playground-image.tar.gz | cut -f1)"
# Note: Tests now use testcontainers - no mysql-client or Docker Buildx caching needed
# Testcontainers handles container lifecycle and image pulling automatically
# TiUP Playground image is pre-built above and saved as artifact for test jobs
- name: Upload Terraform binary
uses: actions/upload-artifact@v4
with:
name: terraform-binary
path: bin/terraform
retention-days: 1
- name: Upload vendor directory
uses: actions/upload-artifact@v4
with:
name: vendor-dir
path: vendor/
retention-days: 1
compression-level: 6
- name: Upload TiUP Playground Docker image
uses: actions/upload-artifact@v4
with:
name: tiup-playground-image
path: tiup-playground-image.tar.gz
retention-days: 1
compression-level: 6
tests:
runs-on: ubuntu-22.04
needs: [prepare-dependencies]
strategy:
fail-fast: false
matrix:
include:
# MySQL versions
- db_type: mysql
db_version: "5.6"
make_target: "test-mysql-5.6"
- db_type: mysql
db_version: "5.7"
make_target: "test-mysql-5.7"
- db_type: mysql
db_version: "8.0"
make_target: "test-mysql-8.0"
# Percona versions
- db_type: percona
db_version: "5.7"
make_target: "test-percona-5.7"
- db_type: percona
db_version: "8.0"
make_target: "test-percona-8.0"
# MariaDB versions
- db_type: mariadb
db_version: "10.3"
make_target: "test-mariadb-10.3"
- db_type: mariadb
db_version: "10.8"
make_target: "test-mariadb-10.8"
- db_type: mariadb
db_version: "10.10"
make_target: "test-mariadb-10.10"
# TiDB versions - must match env.TIDB_VERSIONS: 6.1.7 6.5.12 7.1.6 7.5.7 8.1.2 8.5.3
- db_type: tidb
db_version: "6.1.7"
make_target: "test-tidb-6.1.7"
- db_type: tidb
db_version: "6.5.12"
make_target: "test-tidb-6.5.12"
- db_type: tidb
db_version: "7.1.6"
make_target: "test-tidb-7.1.6"
- db_type: tidb
db_version: "7.5.7"
make_target: "test-tidb-7.5.7"
- db_type: tidb
db_version: "8.1.2"
make_target: "test-tidb-8.1.2"
- db_type: tidb
db_version: "8.5.3"
make_target: "test-tidb-8.5.3"
steps:
- name: Checkout Git repo
uses: actions/checkout@v4
with:
fetch-depth: 1
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Download Terraform binary
uses: actions/download-artifact@v4
with:
name: terraform-binary
path: bin/
- name: Download vendor directory
uses: actions/download-artifact@v4
with:
name: vendor-dir
path: vendor/
- name: Make Terraform executable
run: chmod +x bin/terraform
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Download TiUP Playground Docker image
uses: actions/download-artifact@v4
with:
name: tiup-playground-image
path: ./
- name: Load TiUP Playground Docker image
run: |
echo "Loading pre-built TiUP Playground Docker image..."
gunzip -c tiup-playground-image.tar.gz | docker load
docker images | grep terraform-provider-mysql-tiup-playground
echo "✓ TiUP Playground image loaded successfully"
# Note: TiUP Playground image is pre-built in prepare-dependencies and loaded here
# This avoids rebuilding the image during each test run
# Testcontainers handles container lifecycle and image pulling automatically
- name: Run testcontainers tests via Makefile
env:
GOFLAGS: -mod=vendor
TF_ACC: 1
GOTOOLCHAIN: auto
run: |
export PATH="${{ github.workspace }}/bin:$PATH"
echo "Running ${{ matrix.db_type }} ${{ matrix.db_version }} tests using Makefile target: ${{ matrix.make_target }}"
make ${{ matrix.make_target }}
release:
name: Release
needs: [tests]
# Can't use non-semvar for the testing tag
# https://github.com/orgs/goreleaser/discussions/3708
if: ( startsWith( github.ref, 'refs/tags/v' ) ||
startsWith(github.ref, 'refs/tags/v0.0.0-rc') )
runs-on: ubuntu-22.04
permissions:
contents: write # Required for creating releases
steps:
- name: Checkout Git repo
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history needed for changelog
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version-file: go.mod
- name: Import GPG Subkey
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
# Install gnupg2 if not already available
sudo apt-get update && sudo apt-get install -y gnupg2 || true
# Create GPG directory
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
# Remove any existing gpg.conf to avoid conflicts
rm -f ~/.gnupg/gpg.conf
# Configure GPG for non-interactive use
# pinentry-mode is a valid GPG option, but use simpler config
cat > ~/.gnupg/gpg.conf <<EOF
use-agent
EOF
# Configure gpg-agent for loopback pinentry
cat > ~/.gnupg/gpg-agent.conf <<EOF
allow-loopback-pinentry
EOF
chmod 600 ~/.gnupg/gpg-agent.conf
# Kill any existing gpg-agent and start fresh with loopback pinentry
gpgconf --kill gpg-agent 2>/dev/null || true
gpg-agent --daemon --allow-loopback-pinentry > /dev/null 2>&1 || true
sleep 1 # Give gpg-agent time to start
# Import the subkey
# Write key to temp file (key data is okay, but passphrase never touches disk)
KEY_FILE=$(mktemp)
echo "$GPG_PRIVATE_KEY" > "$KEY_FILE"
# Import the key with passphrase from stdin (never written to disk)
echo "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import "$KEY_FILE"
# Clean up temp file (only contains key data, not passphrase)
rm -f "$KEY_FILE"
# Trust the key (required for signing)
# Format: fingerprint:trust-level: (fingerprint must be uppercase, no spaces, no colons)
# Use ultimate trust (6) for the subkey
FINGERPRINT_UPPER=$(echo "$GPG_FINGERPRINT" | tr '[:lower:]' '[:upper:]' | tr -d ' ' | tr -d ':')
echo "$FINGERPRINT_UPPER:6:" | gpg --batch --import-ownertrust
# Verify key is available
gpg --list-secret-keys --keyid-format LONG
# Preset passphrase in gpg-agent for non-interactive signing
# This allows GoReleaser to sign without prompting for passphrase
KEYGRIP=$(gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" | grep -A1 "^sec" | tail -1 | awk '{print $3}')
if [ -n "$KEYGRIP" ]; then
echo "$GPG_PASSPHRASE" | gpg-preset-passphrase --preset "$KEYGRIP"
echo "✓ Passphrase preset in gpg-agent for keygrip: $KEYGRIP"
else
echo "⚠ Warning: Could not find keygrip for fingerprint $FINGERPRINT_UPPER"
fi
# Test signing capability (GoReleaser will test this anyway, but verify key is importable)
# Note: We skip actual signing test here since --passphrase-fd consumes stdin
# GoReleaser uses --passphrase flag directly, which works differently
echo "✓ GPG key imported successfully"
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: '~> v2'
# Run goreleaser and ignore non-committed files (downloaded artifacts)
args: release --clean --skip=validate
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
GPG_TTY: $(tty)
# terraform-provider-release:
# needs: [release]
# name: 'Terraform Provider Release'
# uses: hashicorp/ghaction-terraform-provider-release/.github/workflows/community.yml@v5
# secrets:
# gpg-private-key: '${{ secrets.GPG_PRIVATE_KEY }}'
# with:
# setup-go-version-file: 'go.mod'