Add deb/rpm package building and publishing (#80)

* Add deb/rpm package building and publishing

Basically copied segmentio/chamber#129

* split linux dist/publish

Author: nickatsegment

.circleci/config.yml

@@ -1,42 +1,76 @@
 version: 2
 jobs:
-  build:
+  test:
     docker:
       - image: circleci/golang:1.10
     working_directory: /go/src/github.com/segmentio/aws-okta
     steps:
       - checkout
       - run:
-          name: Build
+          name: Test
           command: |
-            make govendor dist
+            make test
+
+  dist-linux:
+    docker:
+      - image: circleci/golang:1.10
+    working_directory: /go/src/github.com/segmentio/aws-okta
+    steps:
+      - checkout
+      - run:
+          name: Install nfpm, rpmbuild
+          command: |
+            sudo make -f Makefile.tools nfpm-debian rpmbuild-debian
+      - run:
+          name: Make distributables
+          command: |
+            make -f Makefile.release dist-linux
       - persist_to_workspace:
           root: .
           paths: ['dist/*']
 
-  release:
+  publish-linux:
     docker:
       - image: circleci/golang:1.10
     working_directory: /go/src/github.com/segmentio/aws-okta
     steps:
       - checkout
       - attach_workspace: { at: . }
+      - run:
+          name: Install tools
+          command: |
+            make -f Makefile.tools github-release
+            # this is all for package_cloud :/
+            sudo apt update -q 
+            sudo apt install -yq ruby ruby-dev build-essential
+            # fixes https://askubuntu.com/questions/872399/error-failed-to-build-gem-native-extension-when-trying-to-download-rubocop
+            sudo gem install rake
+            sudo make -f Makefile.tools package_cloud
       - run:
           name: Release
-          # TODO: cache from build step
           command: |
-            make release
+            make -f Makefile.release publish-linux
 
 workflows:
   version: 2
-  test-deploy:
+  # currently we only build/publish for linux: macOS builds require non-FOSS
+  # Keychain libs that require a macOS host to build on
+  # https://github.com/segmentio/aws-okta/issues/81
+  test-dist-publish-linux:
     jobs:
-      - build
-      - release:
+      - test
+      - dist-linux:
+          # needed to ensure dist happens on tag events
+          filters:
+            tags:
+              only: /.*/
+      - publish-linux:
           requires:
-            - build
+            - dist-linux
           filters:
+            # never publish from a branch event
             branches:
               ignore: /.*/
+            # release only on tag push events like vX[.Y.Z...][-whatever]
             tags:
-              only: /v[0-9]+(\.[0-9]+)*/
+              only: /v[0-9]+(\.[0-9]+)*(-[a-zA-Z0-9-]+)?/

.gitignore

@@ -0,0 +1,5 @@
+*~
+*.sw[a-z]
+vendor/*/
+dist/
+packagecloud.conf.json

Makefile

@@ -1,46 +1,33 @@
+# Goals:
+# - user can build binaries on their system without having to install special tools
+# - user can fork the canonical repo and expect to be able to run CircleCI checks
+#
+# This makefile is meant for humans
+
 VERSION := $(shell git describe --tags --always --dirty="-dev")
 LDFLAGS := -ldflags='-X "main.Version=$(VERSION)"'
 
-release: gh-release govendor clean dist
-	github-release release \
-	--security-token $$GH_LOGIN \
-	--user segmentio \
-	--repo aws-okta \
-	--tag $(VERSION) \
-	--name $(VERSION)
-
-	github-release upload \
-	--security-token $$GH_LOGIN \
-	--user segmentio \
-	--repo aws-okta \
-	--tag $(VERSION) \
-	--name aws-okta-$(VERSION)-linux-amd64 \
-	--file dist/aws-okta-$(VERSION)-linux-amd64
-
-release-mac: gh-release govendor clean dist-mac
-	github-release upload \
-	--security-token $$GH_LOGIN \
-	--user segmentio \
-	--repo aws-okta \
-	--tag $(VERSION) \
-	--name aws-okta-$(VERSION)-darwin-amd64 \
-	--file dist/aws-okta-$(VERSION)-darwin-amd64
+test: | govendor
+	govendor sync
+	go test -v ./...
+
+all: dist/aws-okta-$(VERSION)-darwin-amd64 dist/aws-okta-$(VERSION)-linux-amd64
 
 clean:
 	rm -rf ./dist
 
-dist:
-	mkdir dist
-	govendor sync
-	GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o dist/aws-okta-$(VERSION)-linux-amd64
+dist/:
+	mkdir -p dist
 
-dist-mac:
-	mkdir dist
+dist/aws-okta-$(VERSION)-darwin-amd64: | govendor dist/
 	govendor sync
-	GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o dist/aws-okta-$(VERSION)-darwin-amd64
+	GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o $@
 
-gh-release:
-	go get -u github.com/aktau/github-release
+dist/aws-okta-$(VERSION)-linux-amd64: | govendor dist/
+	govendor sync
+	GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o $@
 
 govendor:
 	go get -u github.com/kardianos/govendor
+
+.PHONY: clean all govendor

Makefile.release

@@ -0,0 +1,139 @@
+# Goals:
+# - Linux releases can be published to Github automatically by CircleCI
+#
+# This Makefile is meant for machines
+
+include Makefile
+
+# set --pre-release if not tagged or tree is dirty or there's a `-` in the tag
+ifneq (,$(findstring -,$(VERSION)))
+	GITHUB_RELEASE_FLAGS := "--pre-release"
+	PACKAGECLOUD_NAME_SUFFIX := "-prerelease"
+endif
+
+PACKAGECLOUD_DEB_DISTROS := \
+	debian/stretch \
+	ubuntu/trusty \
+	ubuntu/xenial \
+	ubuntu/bionic
+
+PACKAGECLOUD_RPM_DISTROS := \
+	fedora/27 \
+	fedora/28
+
+publish: publish-github publish-packagecloud
+
+# note: this doesn't include sha256sums
+publish-linux: publish-github-linux publish-packagecloud
+
+publish-github: publish-github-darwin publish-github-linux publish-github-sha256sums
+
+publish-github-darwin: publish-github-darwin-bin
+
+publish-github-linux: publish-github-linux-bin publish-github-deb publish-github-rpm
+
+publish-packagecloud: publish-packagecloud-deb publish-packagecloud-rpm
+
+github-release:
+	github-release release \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	$(GITHUB_RELEASE_FLAGS) \
+	--tag $(VERSION) \
+	--name $(VERSION)
+
+publish-github-darwin-bin: dist/aws-okta-$(VERSION)-darwin-amd64 | github-release
+	github-release upload \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	--tag $(VERSION) \
+	--name aws-okta-$(VERSION)-darwin-amd64 \
+	--file $<
+
+publish-github-linux-bin: dist/aws-okta-$(VERSION)-linux-amd64 | github-release
+	github-release upload \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	--tag $(VERSION) \
+	--name aws-okta-$(VERSION)-linux-amd64 \
+	--file $<
+
+publish-github-deb: dist/aws-okta_$(VERSION)_amd64.deb | github-release
+	github-release upload \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	--tag $(VERSION) \
+	--name aws-okta_$(VERSION)_amd64.deb \
+	--file $<
+
+publish-github-rpm: dist/aws-okta_$(VERSION)_amd64.rpm | github-release
+	github-release upload \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	--tag $(VERSION) \
+	--name aws-okta_$(VERSION)_amd64.rpm \
+	--file $<
+	
+publish-github-sha256sums: dist/aws-okta-$(VERSION).sha256sums | github-release
+	github-release upload \
+	--security-token $$GH_LOGIN \
+	--user segmentio \
+	--repo aws-okta \
+	--tag $(VERSION) \
+	--name aws-okta-$(VERSION).sha256sums \
+	--file dist/aws-okta-$(VERSION).sha256sums
+
+packagecloud.conf.json:
+	@echo "{\"url\":\"https://packagecloud.io\",\"token\":\"$${PACKAGECLOUD_TOKEN}\"}" > $@
+
+# package_cloud prints the last 4 chars of our token :(
+# so we attempt to filter that out
+
+publish-packagecloud-deb: dist/aws-okta_$(VERSION)_amd64.deb packagecloud.conf.json
+	@for v in $(PACKAGECLOUD_DEB_DISTROS); do \
+		package_cloud push --config packagecloud.conf.json segment/aws-okta$(PACKAGECLOUD_NAME_SUFFIX)/$$v $< | \
+			grep -v 'with token:' ; \
+	done
+
+publish-packagecloud-rpm: dist/aws-okta_$(VERSION)_amd64.rpm packagecloud.conf.json
+	@for v in $(PACKAGECLOUD_RPM_DISTROS); do \
+		package_cloud push --config packagecloud.conf.json segment/aws-okta$(PACKAGECLOUD_NAME_SUFFIX)/$$v $< | \
+			grep -v 'with token:' ; \
+	done
+
+dist: dist-darwin dist-linux dist/aws-okta-$(VERSION).sha256sums
+
+dist-darwin: dist/aws-okta-$(VERSION)-darwin-amd64
+	
+dist-linux: dist/aws-okta-$(VERSION)-linux-amd64 dist/aws-okta_$(VERSION)_amd64.deb dist/aws-okta_$(VERSION)_amd64.rpm
+
+dist/aws-okta-$(VERSION).sha256sums: dist/aws-okta-$(VERSION)-darwin-amd64 dist/aws-okta-$(VERSION)-linux-amd64 dist/aws-okta_$(VERSION)_amd64.deb dist/aws-okta_$(VERSION)_amd64.rpm
+	sha256sum $^ | sed 's|dist/||g' > $@
+
+dist/nfpm-$(VERSION).yaml: | dist/
+	sed -e "s/\$${VERSION}/$(VERSION)/g" -e "s|\$${DIST_BIN}|dist/aws-okta-$(VERSION)-linux-amd64|g" < nfpm.yaml.tmpl > $@
+
+dist/aws-okta_$(VERSION)_amd64.deb: dist/nfpm-$(VERSION).yaml dist/aws-okta-$(VERSION)-linux-amd64
+	nfpm -f $< pkg --target $@
+
+dist/aws-okta_$(VERSION)_amd64.rpm: dist/nfpm-$(VERSION).yaml dist/aws-okta-$(VERSION)-linux-amd64
+	nfpm -f $< pkg --target $@
+
+.PHONY: \
+	dist \
+	dist-darwin \
+	dist-linux \
+	publish \
+	publish-github \
+	publish-github-linux \
+	publish-github-linux-bin \
+	publish-github-rpm \
+	publish-github-deb \
+	publish-github-darwin \
+	publish-github-darwin-bin \
+	github-release

Makefile.tools

@@ -0,0 +1,37 @@
+# Tools installation recipes
+#
+# These are fragile, non-portable, and often require root
+#
+NFPM_VERSION := 0.9.3
+#from https://github.com/goreleaser/nfpm/releases/download/v0.9.3/nfpm_0.9.3_checksums.txt
+NFPM_SHA256 := f875ac060a30ec5c164e5444a7278322b276707493fa0ced6bfdd56640f0a6ea
+
+nfpm-debian:
+	cd /tmp && \
+		curl -Ls https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz > nfpm.tar.gz && \
+		echo "${NFPM_SHA256}  nfpm.tar.gz" | \
+		sha256sum -c && \
+		tar xzvf nfpm.tar.gz && \
+		mv nfpm /usr/local/bin
+
+rpmbuild-debian:
+	apt update -q && apt install rpm -yq
+
+rpmbuild-darwin:
+	brew install rpm
+
+sha256sum-darwin:
+	brew install coreutils && ln -s $$(which gsha256sum) /usr/local/bin/sha256sum`
+
+github-release:
+	go get -u github.com/aktau/github-release
+
+package_cloud:
+	gem install package_cloud
+
+.PHONY: nfpm-debian \
+	rpmbuild-debian \
+	rpmbuild-darwin \
+	sha256sum-darwin \
+	github-release \
+	package_cloud

nfpm.yaml.tmpl

@@ -0,0 +1,18 @@
+name: "aws-okta"
+arch: "amd64"
+platform: "linux"
+version: "${VERSION}"
+section: "default"
+priority: "extra"
+provides:
+- aws-okta
+vendor: 'Segment, Inc.'
+maintainer: [email protected]
+homepage: "https://github.com/segmentio/aws-okta"
+license: "MIT"
+# IMHO packages should install to /usr/bin
+bindir: /usr/bin
+files:
+  "${DIST_BIN}": "/usr/bin/aws-okta"
+description: >
+  aws-okta allows you to authenticate with AWS using your Okta credentials.