diff --git a/.github/workflows/build-deb-repo.yml b/.github/workflows/build-deb-repo.yml index f3de652efc0..0858b097e3a 100644 --- a/.github/workflows/build-deb-repo.yml +++ b/.github/workflows/build-deb-repo.yml @@ -99,9 +99,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/build-macos-repo.yml b/.github/workflows/build-macos-repo.yml index 001fe246b9d..58f5ea0bbb5 100644 --- a/.github/workflows/build-macos-repo.yml +++ b/.github/workflows/build-macos-repo.yml @@ -66,9 +66,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/build-onedir-repo.yml b/.github/workflows/build-onedir-repo.yml index 335efe4fad9..4a91b105e8a 100644 --- a/.github/workflows/build-onedir-repo.yml +++ b/.github/workflows/build-onedir-repo.yml 
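Review bot: The two added `sync` calls in the key-import script are unexplained and verify nothing: they flush buffers but do not confirm that the key was imported or that `${GNUPGHOME}/passphrase` was written, so if they work around a timing problem the step can still continue with an incomplete keyring. I would add a comment stating what the flush is for, e.g. `# flush the imported keyring to disk before the next gpg call`, and follow the import with an explicit check such as `gpg --list-secret-keys "$SIGNING_KEY_ID"` (placeholder variable for the repo signing key). Cleanup also happens only on the success path: `trap 'rm -f "$SECRETS_KEY_FILE"' EXIT` near the top of the script would remove the key file when a pipeline fails, and whether a failed `aws` or `jq` stage fails the step at all depends on the step's `shell:` setting, which like the start of the script is outside the hunk. The same change is repeated in build-macos-repo.yml, build-onedir-repo.yml, build-rpm-repo.yml, build-src-repo.yml, build-windows-repo.yml, release.yml and templates/release.yml.jinja.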
@@ -102,9 +102,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/build-rpm-repo.yml b/.github/workflows/build-rpm-repo.yml index 9e3b393c0c4..4d27fd7a659 100644 --- a/.github/workflows/build-rpm-repo.yml +++ b/.github/workflows/build-rpm-repo.yml @@ -96,9 +96,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/build-src-repo.yml b/.github/workflows/build-src-repo.yml index 22434033a09..6f31c6a6489 100644 --- a/.github/workflows/build-src-repo.yml +++ b/.github/workflows/build-src-repo.yml 
@@ -66,9 +66,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/build-windows-repo.yml b/.github/workflows/build-windows-repo.yml index 29b26a9cb14..d40ccd7252a 100644 --- a/.github/workflows/build-windows-repo.yml +++ b/.github/workflows/build-windows-repo.yml @@ -72,9 +72,11 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4eaa2fec1d4..66261e9fa14 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -139,44 +139,44 @@ jobs: - name: Process Changed Files id: process-changed-files - run: + run: | tools ci process-changed-files ${{ github.event_name }} changed-files.json - name: Check Collected Changed Files if: ${{ github.event_name == 'pull_request' }} - run: + run: | echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.' - name: Define Runner Types id: runner-types - run: + run: | tools ci runner-types ${{ github.event_name }} - name: Check Defined Runners - run: + run: | echo '${{ steps.runner-types.outputs.runners }}' | jq -C '.' - name: Define Jobs id: define-jobs - run: + run: | tools ci define-jobs ${{ github.event_name }} changed-files.json - name: Check Defined Jobs - run: + run: | echo '${{ steps.define-jobs.outputs.jobs }}' | jq -C '.' - name: Define Testrun id: define-testrun - run: + run: | tools ci define-testrun ${{ github.event_name }} changed-files.json - name: Check Defined Test Run - run: + run: | echo '${{ steps.define-testrun.outputs.testrun }}' | jq -C '.' - name: Check Contents of generated testrun-changed-files.txt if: ${{ fromJSON(steps.define-testrun.outputs.testrun)['type'] != 'full' }} - run: + run: | cat testrun-changed-files.txt || true - name: Upload testrun-changed-files.txt diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 63366fa59b3..157031f8e8f 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
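Review bot: The `Check ...` steps whose `run:` keys are rewritten here still paste step outputs straight into the shell text, as in `echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.'`; the expression is expanded before bash parses the line, so a single quote inside the JSON ends the quoting and whatever follows is parsed as shell. The changed-files output presumably carries file paths from the pull request, which would make that value contributor-influenced. Passing it through the environment avoids the problem: add `env:` with `CHANGED_FILES: ${{ steps.process-changed-files.outputs.changed-files }}` to the step and run `echo "$CHANGED_FILES" | jq -C '.'`, and do the same for the runners, jobs and testrun outputs. The same steps appear in nightly.yml, scheduled.yml, staging.yml and templates/layout.yml.jinja; if the workflows are rendered from the template, the fix belongs there.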
@@ -137,44 +137,44 @@ jobs: - name: Process Changed Files id: process-changed-files - run: + run: | tools ci process-changed-files ${{ github.event_name }} changed-files.json - name: Check Collected Changed Files if: ${{ github.event_name == 'pull_request' }} - run: + run: | echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.' - name: Define Runner Types id: runner-types - run: + run: | tools ci runner-types ${{ github.event_name }} - name: Check Defined Runners - run: + run: | echo '${{ steps.runner-types.outputs.runners }}' | jq -C '.' - name: Define Jobs id: define-jobs - run: + run: | tools ci define-jobs ${{ github.event_name }} changed-files.json - name: Check Defined Jobs - run: + run: | echo '${{ steps.define-jobs.outputs.jobs }}' | jq -C '.' - name: Define Testrun id: define-testrun - run: + run: | tools ci define-testrun ${{ github.event_name }} changed-files.json - name: Check Defined Test Run - run: + run: | echo '${{ steps.define-testrun.outputs.testrun }}' | jq -C '.' - name: Check Contents of generated testrun-changed-files.txt if: ${{ fromJSON(steps.define-testrun.outputs.testrun)['type'] != 'full' }} - run: + run: | cat testrun-changed-files.txt || true - name: Upload testrun-changed-files.txt diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7f4ca548cc4..a2fcbf7c136 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -91,7 +91,6 @@ jobs: uses: actions/checkout@v3 with: ssh-key: ${{ secrets.GHA_SSH_KEY }} - fetch-depth: 0 # Full clone to also get the tags - name: Setup Python Tools Scripts uses: ./.github/actions/setup-python-tools-scripts 
@@ -117,24 +116,27 @@ jobs: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Configure Git shell: bash run: | + git config --global --add safe.directory "$(pwd)" git config --global user.name "Salt Project Packaging" git config --global user.email saltproject-packaging@vmware.com git config --global user.signingkey 64CBBC8173D76B3F git config --global commit.gpgsign true - - name: Setup Salt Release - id: release + - name: Prepare Release + id: prepare-release run: | - tools pkg repo publish release ${{ needs.prepare-workflow.outputs.salt-version }} + tools pkg repo publish release --key-id=64CBBC8173D76B3F ${{ needs.prepare-workflow.outputs.salt-version }} - name: Apply The Release Patch run: | @@ -156,11 +158,11 @@ jobs: uses: ncipollo/release-action@v1.12.0 with: artifactErrorsFailBuild: true - artifacts: ${{ steps.release.outputs.release-artifacts }} - bodyFile: ${{ steps.release.outputs.release-messsage-file }} + artifacts: ${{ steps.prepare-release.outputs.release-artifacts }} + bodyFile: ${{ steps.prepare-release.outputs.release-messsage-file }} draft: false generateReleaseNotes: false - makeLatest: ${{ steps.release.outputs.make-latest }} + makeLatest: fromJSON(${{ steps.prepare-release.outputs.make-latest }}) name: v${{ needs.prepare-workflow.outputs.salt-version }} prerelease: ${{ contains(needs.prepare-workflow.outputs.salt-version, 'rc') }} removeArtifacts: true 
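Review bot: The signing key is selected by the 64-bit long key ID `64CBBC8173D76B3F`, and the new `--key-id=` argument adds a second hard-coded copy next to `git config --global user.signingkey`. Only the full fingerprint identifies an OpenPGP key unambiguously, so I would define it once at job level, e.g. `SIGNING_KEY: <FULL_KEY_FINGERPRINT>` under `env:` (placeholder value), and pass `"$SIGNING_KEY"` to both commands. The `safe.directory "$(pwd)"` entry is scoped to the checkout rather than `*`, which is the narrower and better choice; a one-line comment saying why it is needed (presumably the workspace is owned by a different user than the one running git) would help the next maintainer. The same hunk appears in templates/release.yml.jinja.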
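Review bot: `makeLatest: fromJSON(${{ steps.prepare-release.outputs.make-latest }})` places the function call outside the expression delimiters, so the action receives the literal text `fromJSON(`, the output value and `)` rather than an evaluated result. It should read `makeLatest: ${{ fromJSON(steps.prepare-release.outputs.make-latest) }}`, or simply `${{ steps.prepare-release.outputs.make-latest }}`, since action inputs are passed as strings either way. How the action treats an unrecognised `makeLatest` value is not visible here, so the published release may not be marked as intended. Separately, `ncipollo/release-action@v1.12.0` in this hunk's context is referenced by tag in a job that publishes signed releases; pinning it to a full commit SHA would keep a moved tag from changing what runs. The same lines appear in templates/release.yml.jinja.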
diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index aee25cf76ac..c240875757d 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -137,44 +137,44 @@ jobs: - name: Process Changed Files id: process-changed-files - run: + run: | tools ci process-changed-files ${{ github.event_name }} changed-files.json - name: Check Collected Changed Files if: ${{ github.event_name == 'pull_request' }} - run: + run: | echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.' - name: Define Runner Types id: runner-types - run: + run: | tools ci runner-types ${{ github.event_name }} - name: Check Defined Runners - run: + run: | echo '${{ steps.runner-types.outputs.runners }}' | jq -C '.' - name: Define Jobs id: define-jobs - run: + run: | tools ci define-jobs ${{ github.event_name }} changed-files.json - name: Check Defined Jobs - run: + run: | echo '${{ steps.define-jobs.outputs.jobs }}' | jq -C '.' - name: Define Testrun id: define-testrun - run: + run: | tools ci define-testrun ${{ github.event_name }} changed-files.json - name: Check Defined Test Run - run: + run: | echo '${{ steps.define-testrun.outputs.testrun }}' | jq -C '.' - name: Check Contents of generated testrun-changed-files.txt if: ${{ fromJSON(steps.define-testrun.outputs.testrun)['type'] != 'full' }} - run: + run: | cat testrun-changed-files.txt || true - name: Upload testrun-changed-files.txt diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml index dbb23eb211a..ed05ed59b69 100644 --- a/.github/workflows/staging.yml +++ b/.github/workflows/staging.yml 
@@ -162,44 +162,44 @@ jobs: - name: Process Changed Files id: process-changed-files - run: + run: | tools ci process-changed-files ${{ github.event_name }} changed-files.json - name: Check Collected Changed Files if: ${{ github.event_name == 'pull_request' }} - run: + run: | echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.' - name: Define Runner Types id: runner-types - run: + run: | tools ci runner-types ${{ github.event_name }} - name: Check Defined Runners - run: + run: | echo '${{ steps.runner-types.outputs.runners }}' | jq -C '.' - name: Define Jobs id: define-jobs - run: + run: | tools ci define-jobs ${{ github.event_name }} changed-files.json - name: Check Defined Jobs - run: + run: | echo '${{ steps.define-jobs.outputs.jobs }}' | jq -C '.' - name: Define Testrun id: define-testrun - run: + run: | tools ci define-testrun ${{ github.event_name }} changed-files.json - name: Check Defined Test Run - run: + run: | echo '${{ steps.define-testrun.outputs.testrun }}' | jq -C '.' - name: Check Contents of generated testrun-changed-files.txt if: ${{ fromJSON(steps.define-testrun.outputs.testrun)['type'] != 'full' }} - run: + run: | cat testrun-changed-files.txt || true - name: Upload testrun-changed-files.txt diff --git a/.github/workflows/templates/layout.yml.jinja b/.github/workflows/templates/layout.yml.jinja index 6e672dbee1e..e2492481b55 100644 --- a/.github/workflows/templates/layout.yml.jinja +++ b/.github/workflows/templates/layout.yml.jinja 
@@ -176,44 +176,44 @@ jobs: - name: Process Changed Files id: process-changed-files - run: + run: | tools ci process-changed-files ${{ github.event_name }} changed-files.json - name: Check Collected Changed Files if: ${{ github.event_name == 'pull_request' }} - run: + run: | echo '${{ steps.process-changed-files.outputs.changed-files }}' | jq -C '.' - name: Define Runner Types id: runner-types - run: + run: | tools ci runner-types ${{ github.event_name }} - name: Check Defined Runners - run: + run: | echo '${{ steps.runner-types.outputs.runners }}' | jq -C '.' - name: Define Jobs id: define-jobs - run: + run: | tools ci define-jobs ${{ github.event_name }} changed-files.json - name: Check Defined Jobs - run: + run: | echo '${{ steps.define-jobs.outputs.jobs }}' | jq -C '.' - name: Define Testrun id: define-testrun - run: + run: | tools ci define-testrun ${{ github.event_name }} changed-files.json - name: Check Defined Test Run - run: + run: | echo '${{ steps.define-testrun.outputs.testrun }}' | jq -C '.' - name: Check Contents of generated testrun-changed-files.txt if: ${{ fromJSON(steps.define-testrun.outputs.testrun)['type'] != 'full' }} - run: + run: | cat testrun-changed-files.txt || true - name: Upload testrun-changed-files.txt diff --git a/.github/workflows/templates/release.yml.jinja b/.github/workflows/templates/release.yml.jinja index a6ad24615e4..968703e0d96 100644 --- a/.github/workflows/templates/release.yml.jinja +++ b/.github/workflows/templates/release.yml.jinja @@ -122,7 +122,6 @@ permissions: uses: actions/checkout@v3 with: ssh-key: ${{ secrets.GHA_SSH_KEY }} - fetch-depth: 0 # Full clone to also get the tags - name: Setup Python Tools Scripts uses: ./.github/actions/setup-python-tools-scripts 
@@ -148,24 +147,27 @@ permissions: --query SecretString --output text | jq .default_key -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \ | gpg --import - + sync aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \ --query SecretString --output text| jq .default_passphrase -r | base64 -d \ | gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d - + sync rm "$SECRETS_KEY_FILE" echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf" - name: Configure Git shell: bash run: | + git config --global --add safe.directory "$(pwd)" git config --global user.name "Salt Project Packaging" git config --global user.email saltproject-packaging@vmware.com git config --global user.signingkey 64CBBC8173D76B3F git config --global commit.gpgsign true - - name: Setup Salt Release - id: release + - name: Prepare Release + id: prepare-release run: | - tools pkg repo publish release ${{ needs.prepare-workflow.outputs.salt-version }} + tools pkg repo publish release --key-id=64CBBC8173D76B3F ${{ needs.prepare-workflow.outputs.salt-version }} - name: Apply The Release Patch run: | @@ -187,11 +189,11 @@ permissions: uses: ncipollo/release-action@v1.12.0 with: artifactErrorsFailBuild: true - artifacts: ${{ steps.release.outputs.release-artifacts }} - bodyFile: ${{ steps.release.outputs.release-messsage-file }} + artifacts: ${{ steps.prepare-release.outputs.release-artifacts }} + bodyFile: ${{ steps.prepare-release.outputs.release-messsage-file }} draft: false generateReleaseNotes: false - makeLatest: ${{ steps.release.outputs.make-latest }} + makeLatest: fromJSON(${{ steps.prepare-release.outputs.make-latest }}) name: v${{ needs.prepare-workflow.outputs.salt-version }} prerelease: ${{ contains(needs.prepare-workflow.outputs.salt-version, 'rc') }} removeArtifacts: true diff --git a/tools/changelog.py b/tools/changelog.py index e2becd911b3..8fb6b5e8d4c 100644 
--- a/tools/changelog.py +++ b/tools/changelog.py @@ -252,7 +252,7 @@ def update_rpm(ctx: Context, salt_version: str, draft: bool = False): if salt_version is None: salt_version = _get_salt_version(ctx) changes = _get_pkg_changelog_contents(ctx, salt_version) - ctx.info("Salt version is %s", salt_version) + ctx.info(f"Salt version is {salt_version}") orig = ctx.run( "sed", f"s/Version: .*/Version: {salt_version}/g",