New releases #659

Closed
sobolevn opened this issue May 4, 2021 · 9 comments

@sobolevn
Owner

sobolevn commented May 4, 2021

I am working on new automated releases right now.

Here's the plan:

  1. We will trigger releases on tags like v*
  2. GitHub Actions will run three jobs: deb, rpm, apk
  3. All three jobs will be executed with a single docker image I am building; it is based on /~https://github.com/jordansissel/fpm/blob/master/Dockerfile. It looks like it is capable of producing all three packages
  4. Next, we will upload them to Artifactory via simple curl, probably we would also need to trigger index recalculation
  5. Artifactory will sign the releases
  6. Done!

Some more things we need:

  • Current e2e testing of releases is wrong, it tests only a small part of the releasing process: how fpm creates bundles. I think that the most important part is different: how gpg signatures work and how packages are installed from custom repos. One more thing we do wrong is that we test our releases on images that already have all the deps we need. This is wrong!
  • So, my plan is to create one more workflow (let's call it e2e). It will run once a day to ensure that it is possible to install our packages on major platforms like debian, ubuntu, alpine, centos, fedora. I will create just simple almost-empty docker images for this. These images won't have any dependencies of git-secret. So, we can also test that everything is correct.
  • Scripts that we use to test our installation will be included into our docs, so they would be always up-to-date. I think that I can even attach workflow badges near them

GitHub:

  • One more thing to cover: we need to create GitHub releases. Right now there's a script that does this, I need to investigate how well it works
  • I won't attach any binary artifacts to GitHub releases, because they are not signed. v0.4.0.alpha1 is an exception here (Bintray is down at the moment)

Sounds like a simple plan to me! 👍

Related #646
Related #657 and #658

@sobolevn
Owner Author

sobolevn commented May 4, 2021

Local problems:

  • I cannot make Artifactory sign my apk release for some reason
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
fetch https://gitsecret.jfrog.io/artifactory/git-secret-apk/all/main/x86_64/APKINDEX.tar.gz
ERROR: https://gitsecret.jfrog.io/artifactory/git-secret-apk/all/main: No such file or directory
WARNING: Ignoring https://gitsecret.jfrog.io/artifactory/git-secret-apk/all/main: UNTRUSTED signature
v3.13.5-83-g28eddc6b6a [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.5-80-gdd4db2c12a [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
1 errors; 13887 distinct packages available
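
A check that an e2e job could run over `apk update` output like the run quoted above, so that a repository apk ignored as untrusted fails the job instead of passing as a warning. This is an added example, not part of the original thread or git-secret's own scripts; `check_repo_trusted` is a hypothetical helper name, it assumes the output format shown above, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not git-secret's own script. check_repo_trusted is a
# hypothetical helper; it assumes the `apk update` output format quoted above.

# Usage: apk update 2>&1 | check_repo_trusted <repo-url>
# 0 = index fetched and no ERROR/WARNING line names the repo
# 1 = apk reported an error or UNTRUSTED signature for the repo
# 2 = apk never fetched the repo (not configured, so nothing was verified)
check_repo_trusted() {
  repo="$1"
  out="$(cat)"
  # -F: match the URL as a fixed string, it is full of regex metacharacters.
  if ! printf '%s\n' "$out" | grep -F "fetch $repo/" >/dev/null; then
    echo "repo was never fetched: $repo" >&2
    return 2
  fi
  bad="$(printf '%s\n' "$out" | grep -F "$repo" | grep -E '^(ERROR|WARNING):' || true)"
  if [ -n "$bad" ]; then
    printf 'apk did not accept %s:\n%s\n' "$repo" "$bad" >&2
    return 1
  fi
  return 0
}

REPO='https://gitsecret.jfrog.io/artifactory/git-secret-apk/all/main'

# Constructed samples: the failing one is trimmed from the output above,
# the passing one is the same run without the two complaints.
sample_untrusted() {
  cat <<EOF
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch $REPO/x86_64/APKINDEX.tar.gz
ERROR: $REPO: No such file or directory
WARNING: Ignoring $REPO: UNTRUSTED signature
1 errors; 13887 distinct packages available
EOF
}
sample_trusted() {
  cat <<EOF
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch $REPO/x86_64/APKINDEX.tar.gz
OK: 13890 distinct packages available
EOF
}

# Demo run: prints the exit code for each sample (1, then 0).
rc=0; sample_untrusted | check_repo_trusted "$REPO" 2>/dev/null || rc=$?; echo "untrusted sample: $rc"
rc=0; sample_trusted | check_repo_trusted "$REPO" 2>/dev/null || rc=$?; echo "trusted sample: $rc"
```

Exit code 2 is kept separate from 1 because a repository that was never configured produces no warning at all, which would otherwise look like a pass.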

@sobolevn
Owner Author

sobolevn commented May 4, 2021

> I cannot make Artifactory sign my apk release for some reason

Solved, by using a new RSA key pair, created by: abuild-keygen -a -i
Public key:


@sobolevn
Owner Author

sobolevn commented May 6, 2021

Ok, only GitHub releases are left! 👍

@sobolevn
Owner Author

sobolevn commented May 6, 2021

This is what I got from github_generate_changelog:

# Changelog

## [Unreleased](/~https://github.com/sobolevn/git-secret/tree/HEAD)

[Full Changelog](/~https://github.com/sobolevn/git-secret/compare/v0.4.0.alpha1...HEAD)

**Closed issues:**

- Broken installation using Bintray APT repository \(403 Forbidden\) [\#665](/~https://github.com/sobolevn/git-secret/issues/665)
- debian-gnupg1 tests actualy test with gnupg2 [\#660](/~https://github.com/sobolevn/git-secret/issues/660)
- Bintray is going away [\#646](/~https://github.com/sobolevn/git-secret/issues/646)

**Merged pull requests:**

- Adds release-ci script to test installation [\#664](/~https://github.com/sobolevn/git-secret/pull/664) ([sobolevn](/~https://github.com/sobolevn))
- Adds new installation instructions for deb and rpm [\#662](/~https://github.com/sobolevn/git-secret/pull/662) ([sobolevn](/~https://github.com/sobolevn))

## [v0.4.0.alpha1](/~https://github.com/sobolevn/git-secret/tree/v0.4.0.alpha1) (2021-05-04)

[Full Changelog](/~https://github.com/sobolevn/git-secret/compare/0.4.0.alpha1...v0.4.0.alpha1)

**Closed issues:**

- New CI [\#657](/~https://github.com/sobolevn/git-secret/issues/657)
- forbidden while trying to download https://dl.bintray.com/sobolevn/deb/git-secret\_0.3.3\_all.deb [\#656](/~https://github.com/sobolevn/git-secret/issues/656)

**Merged pull requests:**

- New CI [\#658](/~https://github.com/sobolevn/git-secret/pull/658) ([sobolevn](/~https://github.com/sobolevn))

## [0.4.0.alpha1](/~https://github.com/sobolevn/git-secret/tree/0.4.0.alpha1) (2021-04-14)

[Full Changelog](/~https://github.com/sobolevn/git-secret/compare/v0.3.3...0.4.0.alpha1)

**Closed issues:**

- Request for clarification: Access to historical secrets after revocation [\#653](/~https://github.com/sobolevn/git-secret/issues/653)
- document that we try to avoid force-pushes, because they are more confusing than useful generally [\#652](/~https://github.com/sobolevn/git-secret/issues/652)
- Do we really need the sha-256 hashes in mapping.cfg [\#649](/~https://github.com/sobolevn/git-secret/issues/649)
- DUP: issue error if user tries to 'tell' an email that already has access, so it's clearer [\#635](/~https://github.com/sobolevn/git-secret/issues/635)
- change 'tell' to give an error if you tell the same email address twice, so it works more clearly [\#634](/~https://github.com/sobolevn/git-secret/issues/634)
- Issue with multiple keys with same email. [\#633](/~https://github.com/sobolevn/git-secret/issues/633)
- Works with github actions [\#628](/~https://github.com/sobolevn/git-secret/issues/628)
- test issue [\#623](/~https://github.com/sobolevn/git-secret/issues/623)
- Release new version of git-secret, because it's been about a year and there are fixes/features [\#621](/~https://github.com/sobolevn/git-secret/issues/621)
- will add subcommand add --all? [\#619](/~https://github.com/sobolevn/git-secret/issues/619)
- arrange for gh-pages branch to be completely autogenerated [\#548](/~https://github.com/sobolevn/git-secret/issues/548)

**Merged pull requests:**

- Add security disclaimer for git-secret-killperson specifying what is and is not readable by a user after having been removed from the repository's keyring [\#654](/~https://github.com/sobolevn/git-secret/pull/654) ([MathiasPius](/~https://github.com/MathiasPius))
- Issue 634 tell duplicate emails [\#637](/~https://github.com/sobolevn/git-secret/pull/637) ([joshrabinowitz](/~https://github.com/joshrabinowitz))
- add bash string escaping to \_add\_ignored\_file [\#626](/~https://github.com/sobolevn/git-secret/pull/626) ([friedenberg](/~https://github.com/friedenberg))
- Edit Fedora package URL [\#625](/~https://github.com/sobolevn/git-secret/pull/625) ([gombosg](/~https://github.com/gombosg))
- Issue548 gh pages in master [\#616](/~https://github.com/sobolevn/git-secret/pull/616) ([jsmailes](/~https://github.com/jsmailes))



\* *This Changelog was automatically generated by [github_changelog_generator](/~https://github.com/github-changelog-generator/github-changelog-generator)*

@sobolevn
Owner Author

sobolevn commented May 6, 2021

Ok, now full test:

  1. I will remove existing deb/rpm/apk packages for several minutes
  2. I will publish v0.4.0 tag
  3. It should trigger the whole release process
  4. Profit!

@joshrabinowitz
Collaborator

I think you also have to click on 'create release' on the v0.4.0 tag here?
/~https://github.com/sobolevn/git-secret/tags

@sobolevn
Owner Author

sobolevn commented May 6, 2021

@joshrabinowitz it will happen auto-magically by /~https://github.com/sobolevn/git-secret/blob/master/.github/workflows/release.yml#L29-L42

But, we are out of rate-limits, because of my testing suite. I will release packages now: /~https://github.com/sobolevn/git-secret/actions/runs/816873670

And re-run this job in an hour: /~https://github.com/sobolevn/git-secret/runs/2518292516?check_suite_focus=true and 0.4.0 will be officially released!

@sobolevn
Owner Author

sobolevn commented May 6, 2021

Done! /~https://github.com/sobolevn/git-secret/releases/tag/v0.4.0

Release CI: /~https://github.com/sobolevn/git-secret/actions/runs/817584719

The release process is fully automated now. I hope that it will be reliable! 👍
Docs: /~https://github.com/sobolevn/git-secret/blob/master/CONTRIBUTING.md#release-process
Happy to answer any questions.

@sobolevn sobolevn closed this as completed May 6, 2021
@sobolevn
Owner Author

sobolevn commented May 7, 2021

brew: Homebrew/homebrew-core#76809
