WARNING: Due to issues with the windows drone executor's poor escaping when it echoes commands, I have moved the error message functionality into the PS build functions in build.assets/windows/build.ps1. This means that any failures that occur during the code checkout step will not be reported.
I'm not sure that this is the correct tradeoff, but it may well suffice for now.
Uses Drone to build Teleport Connect for Windows on a Native
Windows builder.
This PR adds 2 pipelines to the Drone YAML:
1. `push-build-native-windows-amd64`: Invoked on a push to master,
branch/v*, etc., and asserts that Teleport Connect can be built, and
2. `build-native-windows-amd64`: Invoked when a branch tag is
committed to the teleport Repo. Builds Teleport Connect and uploads
it to dronestorage
These builds are run on a native windows builder (as opposed to tsh,
which is built in a linux environment and cross-compiled for Windows)
* Add proof of concept of Connect pipeline
The proof of concept includes a lot of copy-pasted lines which will get
cleared up in subsequent commits.
* Extract copying artifacts into separate functions
The tag pipeline no longer needs to worry about Connect artifacts.
* Reuse steps to install & cleanup toolchains
* Share toolchain configuration commands between pipelines
* Share build commands among different pipelines
* Download webapps only if a pipeline builds Connect
As seen by the changes to .drone.yml, this removes unnecessary webapps
clones from these tag pipelines: build-darwin-amd64, build-darwin-amd64-pkg,
build-darwin-amd64-pkg-tsh. None of them needs webapps to function anymore
and the pkg pipelines never needed webapps in the first place.
In order to do so, we add a new make target:
make teleterm
This (temporarily) assumes that the gravitational/webapps repo is
cloned at the right version as a sibling to the teleport repo.
(We'll be able to get rid of this when we merge webapps into Teleport)
Additionally, update dronegen to include the name of the calling
function that generated the snippet instead of the line number.
This gets rid of lots of superfluous diffs in the generated
.drone.yml file.
Lastly, rewrite the Go program for getting the right webapps version
in bash, because Go is not available at this step of the drone pipeline.
Co-authored-by: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Code signing is failing on Darwin builds, and the most likely candidate is a locked keychain at build time.
This patch adds an explicit keychain unlock immediately prior to signing in order to make sure the signing keys are available.
Switch from `make release-amd64` to `make release-windows` in Drone builds, making
release builds similar to "regular" builds (that already use
`make release-windows-unsigned`).
Fixes current woes caused by FIDO2=yes in Windows release builds. (Note that
ARCH is implied by the build.)
* Use `make release-windows` on Drone, make it similar to `make release`
* Update .drone.yaml
`$WORKSPACE_DIR/go/.version.txt` is available only in tag pipelines, so
we can't read it in pipelines that run on pushes to master.
Instead, let's always use `make print-version`. It'll return the correct
value no matter what pipeline is used.
This commit updates drone to build Teleport Connect by:
* cloning `gravitational/webapps` as a sibling directory to
gravitational/teleport
* checking out the right version of webapps by running a simple
Go program (this step is only necessary until we move webapps
into the teleport repo)
* Running the Teleport Connect build and copying artifacts
Code signing should run on tag builds automatically as part of the
electron build, assuming the Apple Account credentials are
properly loaded into the keychain.
Notarization will also happen automatically if both
`$APPLE_USERNAME` and `$APPLE_PASSWORD` are set.
In order to make the above happen, this patch also includes:
* Installing and removing a per-build Node instance in the
toolchain directory on Darwin
* Moving the toolchain temporary directory out of ~/ and into /tmp.
Drone usually sets `$HOME` to a temporary directory for each build,
but unfortunately we need it to point to the actual build user's
home directory in order for the notarisation tooling to find the
right keychain. Having $HOME point to a long-lived directory risks
both pollution from build detritus and builds stomping on one another.
In an attempt to isolate the builds from each other and protect
`~build` as best we can, as much of the build state as possible
(including ephemeral toolchains) has been moved under `/tmp`.
Co-authored-by: Trent Clarke <trent@goteleport.com>
Add a script to build libfido2 (and its dependencies) on macOS and enable FIDO2
static builds.
I decided to build all dependencies instead of pulling from Homebrew for a few
reasons:
1. There is no libcbor.a in a brew package
2. This captures library versions within the Teleport source code, allowing us
to build binaries against different versions of libfido2 (and its
dependencies).
I've also bumped libfido2 to 1.11.0. I've been running it locally and we are
still pre-release, so it seems like a good time to do it.
(See https://developers.yubico.com/libfido2/Release_Notes.html.)
#9160
* Build libfido2 and dependencies for macOS
* Build tsh with static fido2 on Drone
* Bump libfido2 versions in all builds
* Attempt to appease linters
* Use temp dirs inside LIB_CACHE
* Move LIB_CACHE outside of HOME
HOME is reassigned in macOS builders, but we want a "stable" cache
directory. /tmp is used by build-package.sh and build-pkg-tsh.sh.
* Rename script to build-fido2-macos.sh
* Regenerate Drone files
Add the TOUCHID=yes Makefile toggle and enable it on Drone.
Complements #12751.
#9160
* Enable touchid builds on Drone
* Update Drone URL in error message
* Run `make dronegen`
Prior to this patch the teleport buildbox version has been tagged with the Go version for the current release. This bit us during the Teleport 9 development cycle, as both Teleport 8 and 9 use the same version of Go but require different versions of Rust, and we were unable to distinguish between the 2 buildbox versions.
At the time, Teleport 8 was individually patched to create a new `teleport8` buildbox tag, decoupling the buildbox version from the Go version. This was never ported into master and now we find the teleport 9 branch sharing the same buildbox tag as master.
This patch forward-ports all the changes made to `branch/v8` and updates them for master, creating a new `teleport10` buildbox tag. The idea is that we will create a new tag for teleport11 at the same time the release branch for Teleport 10 is made at some point in the future.
Once this is merged, Drone will create and push new buildbox images, which will become available for CI. A subsequent patch will update the CI scripts to use the new `teleport10` buildbox images.
* Release service PoC
* Use release service credentials
* Remove credentials from FS on exit
* Fix trap invocation
* Add darwin compatibility
* Actually fail on unexpected status
* Re-add CREDENTIALS (forgotten)
* Try to skip irrelevant files
* Run "upload to S3" before "register artifacts"
Do not break existing flow in case the new step fails
* Switch to a new (staging) certificate for releases
Add new buildboxes for centos7 and centos7-fips.
For now, we will continue to support both CentOS 6 and 7.
Eventually we will drop support for CentOS 6, and the only
supported CentOS builds will be these new CentOS 7 builds.
Fixes #9028
Download Rust and Go per-build to ensure that the right version is used
and that builds do not step on each other.
Also runs cbindgen in quiet mode to suppress the annoying output it
spews for non-public symbols.
In #7897 we started signing Windows builds by default, which requires
a signing certificate. This certificate is only available during tag
builds, so push builds now fail.
This modifies the `push-build-windows-amd64` job to use the
`release-windows-unsigned` Makefile step on push builds to fix the
job failure.
* Sign tsh.exe on tag builds
This adds a Makefile step to sign tsh.exe when the
`$WINDOWS_SIGNING_CERTIFICATE` env var is set to a base64-encoded
pkcs12 code signing certificate. The certificate must not be password
protected.
This includes a sample cert (`cert-dummy.pfx`) for CI pipeline
testing. It should be removed in any eventual PR, along with the
other modifications to the drone pipeline. The cert is imported into
the environment in the `Makefile` for testing purposes; in practice
it will be imported from a secure secret store (drone secrets, etc).
* Improve Windows code signing
- Split signing into a separate step; `release-windows-unsigned` now
performs the build, `release-windows` signs the binary.
- Require `release-windows` to successfully generate a signed
binary.
- Clearly mark unsigned binaries and archives as such.
- Guard against stdout secret leakage in Makefiles.
- Move temporary cert data from Makefile into dronegen to test
full pipeline.
* Use an invalid cert string for testing purposes.
* Pass certs to the build process via a statically named file
Signed Windows builds now depend on a `.gitignore`'d
`windows-signing-cert.pfx` at the root of the source directory. This
should ease testing and help avoid accidental secret leakage.
* Use production secret
* Remove windows-signing-cert.pfx before continuing to the next step
Additionally, fix variable reference as the bracket syntax does not
seem to play nice with Drone.
* Update .gitignore
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
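The commits above describe the secret-handling pattern for Windows code signing: a base64-encoded PKCS#12 certificate arrives via `$WINDOWS_SIGNING_CERTIFICATE`, is written to a `.gitignore`'d `windows-signing-cert.pfx` at the repo root, must never reach stdout, and is removed before the next step. The following shell script is an added example of that pattern and is not Teleport's own Makefile or dronegen code; the function names, the `CERT_FILE` override and the signer command passed by the caller are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Teleport's build code): materialise a base64-encoded
# PKCS#12 signing certificate from an environment variable into a statically
# named, .gitignore'd file without echoing it, and remove it when the signing
# step ends. Function names and CERT_FILE are assumptions for illustration.
set -eu

# Statically named cert file at the repo root (override only for testing).
CERT_FILE="${CERT_FILE:-windows-signing-cert.pfx}"

# Decode $WINDOWS_SIGNING_CERTIFICATE into CERT_FILE with owner-only permissions.
# Returns 1 and writes nothing if the variable is unset/empty, so callers can
# fall back to an unsigned build instead of failing silently.
materialize_signing_cert() {
    if [ -z "${WINDOWS_SIGNING_CERTIFICATE:-}" ]; then
        echo "WINDOWS_SIGNING_CERTIFICATE not set; producing unsigned build" >&2
        return 1
    fi
    # Never `echo "$WINDOWS_SIGNING_CERTIFICATE"`: CI logs are not secret.
    # Disable shell tracing so `set -x` elsewhere cannot print the expansion.
    { set +x; } 2>/dev/null
    ( umask 077 && printf '%s' "$WINDOWS_SIGNING_CERTIFICATE" | base64 -d > "$CERT_FILE" )
    if [ ! -s "$CERT_FILE" ]; then
        rm -f "$CERT_FILE"
        echo "decoded certificate is empty" >&2
        return 1
    fi
    return 0
}

# Remove the certificate so it does not leak into later pipeline steps.
remove_signing_cert() {
    rm -f "$CERT_FILE"
}

# Run SIGNER... with CERT_FILE appended as its last argument, and remove the
# cert afterwards whether or not signing succeeded. The signer (signtool,
# osslsigncode, ...) is supplied by the caller and is an assumption here.
sign_with_cert() {
    materialize_signing_cert || return 1
    trap remove_signing_cert EXIT
    local rc=0
    if "$@" "$CERT_FILE"; then
        rc=0
    else
        rc=$?
    fi
    remove_signing_cert
    trap - EXIT
    return $rc
}
```

Usage in a build step would be `sign_with_cert osslsigncode sign -in tsh-unsigned.exe -out tsh.exe -pkcs12` (with the cert path appended by the function); the EXIT trap covers the case where the signer is killed mid-run, and the explicit `remove_signing_cert` covers normal completion.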
Introduce new make targets to check and add license headers to files
("make lint-license" and "make fix-license"). License checking is now a part of
"make lint" as well.
Initial attempts used goheader, but it caused "make lint-go" to become about 9x
slower (if not more), plus it only targets go files. Google's addlicense is fast
enough and targets however many file types we want.
Existing files that were missing licenses got the header added, using the
current year as the license date.
* Introduce lint-license and fix-license make targets
* Ignore generated files
* Add license to go files
* Replace irregular licenses with standard copyright/license
* Add license to proto files
* Install addlicense in build.assets Dockerfile
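As an added illustration of what a `lint-license` / `fix-license` pair does (this is example code, not Teleport's Makefile targets, which use Google's addlicense), the script below scans `.go` and `.proto` files for a license marker near the top, skips generated `*.pb.go` files, lists the offenders, and can prepend a header using the current year. The marker text, copyright holder placeholder and file selection are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Teleport's lint tooling): a minimal license-header
# checker and fixer. LICENSE_MARKER and COPYRIGHT_HOLDER are placeholders.
set -eu

LICENSE_MARKER="${LICENSE_MARKER:-Licensed under the Apache License}"
COPYRIGHT_HOLDER="${COPYRIGHT_HOLDER:-ACME Corp (placeholder)}"

# Return 0 if FILE carries the marker within its first 20 lines.
has_license_header() {
    head -n 20 "$1" | grep -q -- "$LICENSE_MARKER"
}

# Print every .go/.proto file under DIR that lacks a header, skipping
# generated *.pb.go files. Returns 1 if at least one file is missing one.
lint_license() {
    local dir="$1" missing=0 f list
    list="$(mktemp)"
    find "$dir" -type f \( -name '*.go' -o -name '*.proto' \) | sort > "$list"
    while IFS= read -r f; do
        case "$f" in *.pb.go) continue ;; esac
        if ! has_license_header "$f"; then
            echo "$f"
            missing=1
        fi
    done < "$list"
    rm -f "$list"
    return $missing
}

# Prepend a header to FILE in place if it lacks one; the year is the
# current year, matching the commit's choice for existing files.
fix_license() {
    local f="$1" tmp
    if has_license_header "$f"; then
        return 0
    fi
    tmp="$(mktemp)"
    {
        printf '// Copyright %s %s\n' "$(date +%Y)" "$COPYRIGHT_HOLDER"
        printf '// %s, Version 2.0 (the "License").\n\n' "$LICENSE_MARKER"
        cat "$f"
    } > "$tmp"
    mv "$tmp" "$f"
}
```

Wiring `lint_license .` into a `lint` target gives the same failure semantics as the commit describes: the target exits non-zero and prints the offending paths, while `fix_license` is run explicitly so that generated files are never rewritten by accident.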
* Port darwin CI pipelines to Dronegen
* Apply suggestions from code review
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>
* Rename helper functions for consistency
Co-authored-by: Gus Luxton <gus@goteleport.com>
Co-authored-by: Andrew Lytvynov <andrew@goteleport.com>