-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CLI-2823] Add chocolatey to goreleaser config #2365
base: main
Are you sure you want to change the base?
Conversation
.goreleaser.yml
Outdated
goarch: | ||
- amd64 | ||
hooks: | ||
# TODO: We might have to convert some of these to global before/after hooks since we'll now have multiple Windows binaries w/ different ldflags |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, let's try to avoid running az login
more than once. When this is automated in Semaphore it won't result in an annoying pop-up, but might result in a longer release time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(and I guess we only need to download the signing secret once, too)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from just the annoyance of two popups, I actually discovered a pretty annoying thing when I was testing this: if you log in w/ one of the tabs and close out the other, goreleaser just blocks on that pre-hook.
Converting it into a global before
hook worked perfectly, though (I'll update the remote branch soon).
For the downloading, we have some options. What I tried is downloading to two separate files so that the removal post hook doesn't remove the file before the other build's post hook can sign with it. This works, although it's a bit clunky carrying two copies of the signing file with different names.
The other option is to download the file in the global before
hook and remove it in the global after
hook. The documentation for the after hook has weird wording which is why I didn't try it first.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The other option is to download the file in the global before hook and remove it in the global after hook.
👍
.goreleaser.yml
Outdated
release_notes: https://docs.confluent.io/confluent-cli/current/release-notes.html | ||
# TODO | ||
api_key: "{{ .Env.CHOCOLATEY_API_KEY }}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we be reading this directly from vault
instead?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah if we do end up using the chocolatey repo, that's what we'll do. This is just a "don't forget this" placeholder.
Actually, no matter which repo we end up using we'll need a corresponding api-key, so we'll be likely be storing and reading it from vault
no matter what we go with.
.goreleaser.yml
Outdated
@@ -178,6 +178,33 @@ builds: | |||
post: | |||
- cmd: ./lib/osslsigncode sign -n "Confluent CLI" -i "https://confluent.io" -pkcs12 CLIEVCodeSigningCertificate2.pfx -in {{ .Path }} -out {{ .Path }} | |||
- cmd: rm CLIEVCodeSigningCertificate2.pfx | |||
- id: confluent-windows-amd64-chocolatey |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We might want to come up with a more generic name, i.e. confluent-windows-amd64-disableupdates
in case we want to support scoop
(or other Windows package managers) in the future. We should probably consider doing the same for the linux/darwin builds too.
docker/Dockerfile_windows_amd64
Outdated
@@ -0,0 +1,15 @@ | |||
FROM --platform=linux/amd64 ubuntu:jammy-20231211.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we have other Dockerfiles like this one. Let's make sure they're all using the same ubuntu version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't, unfortunately.
The other Ubuntu image doesn't have a new enough version of mingw-w64
to be able to cross compile for Windows.
This Ubuntu image has glibc
version 2.35, which is too high for cross compiling Linux arm64 without a breaking change.
#!/bin/bash | ||
|
||
function cleanup { | ||
shred --force --remove --zero --iterations=10 CLIEVCodeSigningCertificate2.pfx |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not the end of the world if we don't do this since the CI machines get reset between runs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, but I'm writing this so far on the assumption that we might be releasing before we fully switch to the CI.
Release Notes
Breaking Changes
New Features
Bug Fixes
Checklist
What
Add a new Windows build (w/ updates disabled) for Chocolatey.
Add the chocolatey block to the goreleaser file.
References
https://goreleaser.com/customization/chocolatey/
Test & Review
TODO: test locally
Open Questions / Follow-ups