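#!/usr/bin/env bash
# Publish the RPM packages built by goreleaser (dist/) to the CLI RPM
# repository in object storage: merge them with what is already published,
# regenerate the repository metadata per architecture, sign it and upload.
#
# Usage: ./publish-rpm-packages.sh
#
# Required environment:
#   AWS_ENDPOINT_URL             S3-compatible endpoint of the distribution bucket
#   GPG_PRIVATE_KEY_FINGERPRINT  fingerprint of the signing key (already imported
#                                into the local gnupg keyring)
#   GPG_PASSPHRASE               passphrase protecting that key
#   plus whatever credentials the aws CLI needs to access the bucket.
set -euo pipefail

# Fail before anything is touched in the bucket if a setting or secret is missing;
# without this an empty value would silently produce unsigned or misplaced output.
: "${AWS_ENDPOINT_URL:?AWS_ENDPOINT_URL must be set}"
: "${GPG_PRIVATE_KEY_FINGERPRINT:?GPG_PRIVATE_KEY_FINGERPRINT must be set}"
: "${GPG_PASSPHRASE:?GPG_PASSPHRASE must be set}"

readonly PACKAGES_BUCKET_URL="https://packages.stackit.cloud"
readonly PUBLIC_KEY_FILE_PATH="keys/key.gpg"
readonly RPM_REPO_PATH="rpm/cli"
readonly RPM_BUCKET_NAME="distribution"
readonly GORELEASER_PACKAGES_FOLDER="dist/"
readonly REPO_DIR="rpm-repo"
readonly S3_REPO_URI="s3://${RPM_BUCKET_NAME}/${RPM_REPO_PATH}/"

#######################################
# Copy goreleaser RPMs with a given file-name suffix into the repository
# directory of the matching RPM architecture.
# Globals:   GORELEASER_PACKAGES_FOLDER, REPO_DIR (read)
# Arguments: $1 - goreleaser file suffix, e.g. "_amd64.rpm"
#            $2 - RPM architecture directory, e.g. "x86_64"
#######################################
copy_packages() {
  local suffix=$1 arch=$2 rpm_file
  for rpm_file in "${GORELEASER_PACKAGES_FOLDER}"*"${suffix}"; do
    # nullglob is not set: an unmatched pattern comes back literally, skip it.
    [[ -f "$rpm_file" ]] || continue
    cp -- "$rpm_file" "${REPO_DIR}/${arch}/"
    printf "Copied %s to %s/\n" "$(basename "$rpm_file")" "$arch"
  done
}

#######################################
# Regenerate and sign the repository metadata of one architecture.
# Globals:   REPO_DIR, GPG_PRIVATE_KEY_FINGERPRINT, GPG_PASSPHRASE (read)
# Arguments: $1 - RPM architecture directory, e.g. "x86_64"
# Returns:   non-zero (aborting the script under set -e) when signing or
#            verification fails, so unsigned metadata is never published.
#######################################
sign_repo_metadata() {
  local arch=$1
  local arch_dir="${REPO_DIR}/${arch}"
  local repomd="${arch_dir}/repodata/repomd.xml"
  local signature="${repomd}.asc"
  local file_list

  printf "Creating metadata for %s...\n" "$arch"
  file_list=$(find "$arch_dir" -maxdepth 1 -type f -exec basename {} \; | tr '\n' ' ')
  printf "Files in %s: %s\n" "$arch" "${file_list% }"
  createrepo_c --update "$arch_dir"

  printf "Signing repository metadata for %s...\n" "$arch"
  # gpg refuses to overwrite an existing signature file.
  rm -f -- "$signature"
  # The passphrase is passed on stdin (--passphrase-fd 0) rather than as a
  # command-line argument, so it cannot be read from `ps`, /proc/*/cmdline
  # or a `set -x` trace of this script.
  printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --pinentry-mode loopback \
    --passphrase-fd 0 \
    --local-user "$GPG_PRIVATE_KEY_FINGERPRINT" \
    --detach-sign --armor --output "$signature" "$repomd"

  # A missing or invalid signature must stop the publish, not just warn:
  # otherwise the upload below would ship metadata clients cannot verify.
  if [[ ! -f "$signature" ]]; then
    printf "ERROR: Repository metadata signature not created for %s\n" "$arch" >&2
    return 1
  fi
  gpg --batch --verify "$signature" "$repomd"
  printf "Repository metadata signed successfully for %s\n" "$arch"
}

main() {
  local arch

  # Disable the key database daemon (keyboxd) by removing "use-keyboxd" from
  # ~/.gnupg/common.conf (see https://github.com/gpg/gnupg/blob/master/README).
  # This truncates the whole file, which is fine on a throw-away CI runner.
  : >~/.gnupg/common.conf

  printf ">>> Creating RPM repository structure \n"
  for arch in x86_64 i386 aarch64; do
    mkdir -p "${REPO_DIR}/${arch}"
  done

  # goreleaser names packages by Go architecture; RPM repositories use RPM names.
  printf "\n>>> Copying RPM packages to architecture directories \n"
  copy_packages "_amd64.rpm" "x86_64"
  copy_packages "_386.rpm" "i386"
  copy_packages "_arm64.rpm" "aarch64"

  # Merge the already published content into the working tree so the
  # regenerated metadata still lists older package versions.
  # This step is deliberately NOT best-effort: phase 1 of the upload runs with
  # --delete, so an undetected failure here (bad credentials, network error)
  # would remove every previously published package from the bucket. A prefix
  # without objects syncs successfully as a no-op, so a first publish still works.
  # NOTE(review): whatever is in the bucket is re-signed as-is through the
  # checksums createrepo_c records in the metadata; anything an attacker could
  # place in the bucket would get a fresh, valid repomd signature. Consider
  # signing each RPM with rpmsign at build time so clients can verify packages
  # independently of the repository metadata.
  # NOTE(review): aws s3 sync compares size and modification time, so a
  # same-named RPM already in the bucket may overwrite the freshly built copy
  # when sizes differ — confirm whether re-publishing an existing version is
  # meant to be a no-op.
  printf "\n>>> Downloading existing repository content \n"
  aws s3 sync "$S3_REPO_URI" "${REPO_DIR}/" \
    --endpoint-url "$AWS_ENDPOINT_URL" \
    --exclude "*.asc"

  printf "\n>>> Creating repository metadata \n"
  for arch in x86_64 i386 aarch64; do
    if [[ -d "${REPO_DIR}/${arch}" && -n "$(find "${REPO_DIR}/${arch}" -mindepth 1 -maxdepth 1 -print -quit)" ]]; then
      sign_repo_metadata "$arch"
    else
      printf "No packages found for %s, skipping...\n" "$arch"
    fi
  done

  # Upload in two phases, repodata pointers last, so a client never observes a
  # repomd.xml that references package or metadata files not yet uploaded.
  printf "\n>>> Uploading repository to S3 (phase 1: all except repomd*) \n"
  aws s3 sync "${REPO_DIR}/" "$S3_REPO_URI" \
    --endpoint-url "$AWS_ENDPOINT_URL" \
    --delete \
    --exclude "*/repodata/repomd.xml" \
    --exclude "*/repodata/repomd.xml.asc"

  printf "\n>>> Uploading repository to S3 (phase 2: repomd* only) \n"
  aws s3 sync "${REPO_DIR}/" "$S3_REPO_URI" \
    --endpoint-url "$AWS_ENDPOINT_URL" \
    --exclude "*" \
    --include "*/repodata/repomd.xml" \
    --include "*/repodata/repomd.xml.asc"

  # The public key is also uploaded by the APT publish job; the redundancy is
  # intentional so the published key stays current even if that job fails or
  # the key changes. Overwriting it is safe.
  printf "\n>>> Uploading public key \n"
  gpg --armor --export "$GPG_PRIVATE_KEY_FINGERPRINT" >public-key.asc
  aws s3 cp public-key.asc "s3://${RPM_BUCKET_NAME}/${PUBLIC_KEY_FILE_PATH}" \
    --endpoint-url "$AWS_ENDPOINT_URL"

  printf "\n>>> RPM repository published successfully! \n"
  printf "Repository URL: %s/%s/ \n" "$PACKAGES_BUCKET_URL" "$RPM_REPO_PATH"
  printf "Public key URL: %s/%s \n" "$PACKAGES_BUCKET_URL" "$PUBLIC_KEY_FILE_PATH"
}

main "$@"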