Fix release workflow (#618)

- Ignore build for Windows ARM64
- Install proper UPX version
- Make sure the GCP credentials cannot be committed and pushed from the pipeline
- Increase timeout for Goreleaser

Author: pkosiec

.github/workflows/make-release.yaml

@@ -46,25 +46,49 @@ jobs:
           go-version: ${{env.GO_VERSION}}
       - name: Set up GoReleaser
         run: go install github.com/goreleaser/[email protected]
-      - name: Set up GCS
-        uses: google-github-actions/setup-gcloud@master
-        with:
-          service_account_key: ${{ secrets.GCS_CREDS }}
-          export_default_credentials: true
-      - name: Log into registry
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
       - name: Push release commits and tag
         env:
           RELEASE_VERSION: "${{ github.event.inputs.version }}"
           DASHBOARD_IMAGE_TAG: "${{ github.event.inputs.dashboard_image_tag }}"
         run: ./hack/make-release.sh
+      - name: Log into registry
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+      - name: Install upx 3.96
+        run: |
+          wget https://github.com/upx/upx/releases/download/v3.96/upx-3.96-amd64_linux.tar.xz
+          tar -xf upx-3.96-amd64_linux.tar.xz
+          mv ./upx-3.96-amd64_linux/upx /usr/local/bin/upx
+          upx -V
+      - id: auth
+        name: Authenticate with Google Cloud platform
+        uses: google-github-actions/[email protected]
+        with:
+          create_credentials_file: true
+          cleanup_credentials: true
+          credentials_json: ${{ secrets.GCS_CREDS }}
+      - name: Ignore credentials
+        env:
+          GCP_CREDS_FILEPATH: ${{ steps.auth.outputs.credentials_file_path }}
+        run: |
+          echo "Preventing pushing to the origin..."
+          git remote set-url --push origin no_push
+          
+          GCP_CREDS_FILENAME=$(basename $GCP_CREDS_FILEPATH)
+          echo "Adding ${GCP_CREDS_FILENAME} to local .gitignore..."
+          echo "${GCP_CREDS_FILENAME}" >> .gitignore
+          
+          echo "Committing the change..."
+          git add .gitignore
+          git commit -m "Ignore credentials"
+      - name: Set up Cloud SDK
+        uses: google-github-actions/[email protected]
       - name: Run GoReleaser
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: make release-binaries
       - name: Generate release notes
         run: |
-          npm install -g github-release-notes
+          npm install -g github-release-notes@~0.17.3
           gren release -d -T "${{ secrets.GITHUB_TOKEN }}" --tags "v${{ github.event.inputs.version }}" --override
       - name: Release Helm charts
         run: make release-charts

.gitignore

@@ -53,10 +53,6 @@ coverage.txt
 # Backup files
 *.bak
 
-# UUID file created by `setup-gcloud` GitHub Action when `export_default_credentials` is enabled
-# Read more at https://github.com/GoogleCloudPlatform/github-actions/tree/master/setup-gcloud
-/[a-f,0-9]*-[a-f,0-9]*-[a-f,0-9]*-[a-f,0-9]*-[a-f,0-9]*
-
 # Vim
 *.swp
 *.swo

.goreleaser.yml

@@ -23,6 +23,11 @@ builds:
       - "386"
       - amd64
       - arm64
+    ignore: &build-ignore
+      # upx doesn't support packing Windows Arm64 binaries - see https://github.com/upx/upx/issues/551
+      # once there is more demand from the community to build such binary, we will create a separate build config for this combination
+      - goos: windows
+        goarch: arm64
     hooks: &build-hooks
       # Install upx first, https://github.com/upx/upx/releases
       post: upx -9 "{{ .Path }}"
@@ -37,6 +42,7 @@ builds:
     env: *build-env
     goos: *build-goos
     goarch: *build-arch
+    ignore: *build-ignore
     hooks: *build-hooks
     main: ./cmd/populator
     binary: 'populator-{{ .Os }}-{{ .Arch }}'

Makefile

@@ -204,7 +204,11 @@ release-charts: ## Release Capact Helm Charts
 .PHONY: release-charts
 
 release-binaries: ## Release stable Capact binaries, such as CLI, populator etc.
-	goreleaser release --rm-dist
+	# --skip-validate is needed as we need to locally ignore GCP credentials
+	# by creating a commit, which is not pushed to the origin.
+	# That makes the goreleaser's validation fail with error "it tag {tag} was not made against commit {commit hash}"
+	# Even if we not create such commit, goreleaser would fail because of git dirty state.
+	goreleaser release --skip-validate --rm-dist --timeout 60m
 
 release-latest-binaries: ## Release latest Capact binaries
 	goreleaser release --snapshot --rm-dist --config .goreleaser.latest.yml