From 0eae0cefaf439690e9c8876afb466c0af28ed598 Mon Sep 17 00:00:00 2001 From: Trevor Whitney Date: Thu, 15 Feb 2024 09:28:29 -0700 Subject: [PATCH] fix: bring in latest release code for packaging --- .github/jsonnetfile.lock.json | 4 +-- .../.github/workflows/release-pr.yml | 28 +++++++++++++-- .../github.com/grafana/loki-release/Makefile | 3 +- .../grafana/loki-release/main.jsonnet | 1 + .../loki-release/tools/nfpm-env-var-test.sh | 11 ++++++ .../loki-release/workflows/build.libsonnet | 34 +++++++++++++++---- .github/workflows/minor-release-pr.yml | 28 +++++++++++++-- .github/workflows/patch-release-pr.yml | 28 +++++++++++++-- 8 files changed, 119 insertions(+), 18 deletions(-) create mode 100755 .github/vendor/github.com/grafana/loki-release/tools/nfpm-env-var-test.sh diff --git a/.github/jsonnetfile.lock.json b/.github/jsonnetfile.lock.json index 1522f482c8e0..afe3db1e1d7f 100644 --- a/.github/jsonnetfile.lock.json +++ b/.github/jsonnetfile.lock.json @@ -8,8 +8,8 @@ "subdir": "" } }, - "version": "f2ecd4b9e440db32204d56ea3fa464528791dfb7", - "sum": "kwWkJCH7fQrx+taP3aG6DbSSogKZJUOJH+zg90LKJk4=" + "version": "f72257799328f71b176977c0d153b07cc9d3fed8", + "sum": "6yBogVNQP6DztYZgvE7Bbuen9Dvn+v8jk70QPYM0HS0=" } ], "legacyImports": false diff --git a/.github/vendor/github.com/grafana/loki-release/.github/workflows/release-pr.yml b/.github/vendor/github.com/grafana/loki-release/.github/workflows/release-pr.yml index efb8639c5457..7b8e87f5d52d 100644 --- a/.github/vendor/github.com/grafana/loki-release/.github/workflows/release-pr.yml +++ b/.github/vendor/github.com/grafana/loki-release/.github/workflows/release-pr.yml @@ -130,8 +130,6 @@ jobs: shell: "bash" working-directory: "lib" dist: - container: - image: "grafana/loki-build-image:0.33.0" needs: - "version" runs-on: "ubuntu-latest" 
@@ -145,13 +143,36 @@ jobs: uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}" + - id: "get-secrets" + name: "get nfpm signing keys" + uses: "grafana/shared-workflows/actions/get-vault-secrets@main" + with: + common_secrets: | + NFPM_SIGNING_KEY=packages-gpg:private-key + NFPM_PASSPHRASE=packages-gpg:passphrase - env: BUILD_IN_CONTAINER: false DRONE_TAG: "${{ needs.version.outputs.version }}" IMAGE_TAG: "${{ needs.version.outputs.version }}" + NFPM_SIGNING_KEY_FILE: "nfpm-private-key.key" SKIP_ARM: true name: "build artifacts" - run: "make dist packages" + run: | + cat < $NFPM_SIGNING_KEY_FILE + make dist packages + EOF shell: "bash" working-directory: "release" - name: "upload build artifacts" @@ -382,4 +403,5 @@ name: "create release PR" - "release-[0-9]+.[0-9]+.x" permissions: contents: "write" + id-token: "write" pull-requests: "write" diff --git a/.github/vendor/github.com/grafana/loki-release/Makefile b/.github/vendor/github.com/grafana/loki-release/Makefile index f59164b71fc3..8c62fa764641 100644 --- a/.github/vendor/github.com/grafana/loki-release/Makefile +++ b/.github/vendor/github.com/grafana/loki-release/Makefile @@ -39,5 +39,6 @@ dist: cp CHANGELOG.md dist/ packages: + ./tools/nfpm-env-var-test.sh mkdir -p dist - cp CHANGELOG.md dist/ + cp CHANGELOG.md dist/PACKAGING.MD diff --git a/.github/vendor/github.com/grafana/loki-release/main.jsonnet b/.github/vendor/github.com/grafana/loki-release/main.jsonnet index 9723140c5843..56072619f80a 100644 --- a/.github/vendor/github.com/grafana/loki-release/main.jsonnet +++ b/.github/vendor/github.com/grafana/loki-release/main.jsonnet @@ -23,6 +23,7 @@ permissions: { contents: 'write', 'pull-requests': 'write', + 'id-token': 'write', }, concurrency: { group: 'create-release-pr-${{ github.sha }}', 
diff --git a/.github/vendor/github.com/grafana/loki-release/tools/nfpm-env-var-test.sh b/.github/vendor/github.com/grafana/loki-release/tools/nfpm-env-var-test.sh new file mode 100755 index 000000000000..718b0af41579 --- /dev/null +++ b/.github/vendor/github.com/grafana/loki-release/tools/nfpm-env-var-test.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash + +if [[ -z "${NFPM_SIGNING_KEY_FILE}" ]]; then + echo "NFPM_SIGNING_KEY_FILE is not set" + exit 1 +fi + +if [[ -z "${NFPM_PASSPHRASE}" ]]; then + echo "NFPM_PASSPHRASE is not set" + exit 1 +fi diff --git a/.github/vendor/github.com/grafana/loki-release/workflows/build.libsonnet b/.github/vendor/github.com/grafana/loki-release/workflows/build.libsonnet index 7685abc08a15..302f7910107f 100644 --- a/.github/vendor/github.com/grafana/loki-release/workflows/build.libsonnet +++ b/.github/vendor/github.com/grafana/loki-release/workflows/build.libsonnet @@ -103,21 +103,43 @@ local releaseLibStep = common.releaseLibStep; dist: function(buildImage, skipArm=true) job.new() - + job.withContainer({ - image: buildImage, - }) + job.withSteps([ common.fetchReleaseRepo, common.googleAuth, + step.new('get nfpm signing keys', 'grafana/shared-workflows/actions/get-vault-secrets@main') + + step.withId('get-secrets') + + step.with({ + common_secrets: ||| + NFPM_SIGNING_KEY=packages-gpg:private-key + NFPM_PASSPHRASE=packages-gpg:passphrase + |||, + }), releaseStep('build artifacts') + step.withEnv({ BUILD_IN_CONTAINER: false, - SKIP_ARM: skipArm, - IMAGE_TAG: '${{ needs.version.outputs.version }}', DRONE_TAG: '${{ needs.version.outputs.version }}', + IMAGE_TAG: '${{ needs.version.outputs.version }}', + NFPM_SIGNING_KEY_FILE: 'nfpm-private-key.key', + SKIP_ARM: skipArm, }) - + step.withRun('make dist packages'), + + step.withRun(||| + cat < $NFPM_SIGNING_KEY_FILE + make dist packages + EOF + ||| % buildImage), step.new('upload build artifacts', 'google-github-actions/upload-cloud-storage@v2') + step.with({ 
diff --git a/.github/workflows/minor-release-pr.yml b/.github/workflows/minor-release-pr.yml index 70e2eee3a895..cebaed996af9 100644 --- a/.github/workflows/minor-release-pr.yml +++ b/.github/workflows/minor-release-pr.yml @@ -139,8 +139,6 @@ jobs: shell: "bash" working-directory: "lib" dist: - container: - image: "grafana/loki-build-image:0.33.0" needs: - "version" runs-on: "ubuntu-latest" @@ -154,13 +152,36 @@ jobs: uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}" + - id: "get-secrets" + name: "get nfpm signing keys" + uses: "grafana/shared-workflows/actions/get-vault-secrets@main" + with: + common_secrets: | + NFPM_SIGNING_KEY=packages-gpg:private-key + NFPM_PASSPHRASE=packages-gpg:passphrase - env: BUILD_IN_CONTAINER: false DRONE_TAG: "${{ needs.version.outputs.version }}" IMAGE_TAG: "${{ needs.version.outputs.version }}" + NFPM_SIGNING_KEY_FILE: "nfpm-private-key.key" SKIP_ARM: true name: "build artifacts" - run: "make dist packages" + run: | + cat < $NFPM_SIGNING_KEY_FILE + make dist packages + EOF shell: "bash" working-directory: "release" - name: "upload build artifacts" @@ -921,4 +942,5 @@ name: "create release PR" - "k[0-9]+" permissions: contents: "write" + id-token: "write" pull-requests: "write" diff --git a/.github/workflows/patch-release-pr.yml b/.github/workflows/patch-release-pr.yml index d369a8aaa9b8..4e04229ebb69 100644 --- a/.github/workflows/patch-release-pr.yml +++ b/.github/workflows/patch-release-pr.yml @@ -139,8 +139,6 @@ jobs: shell: "bash" working-directory: "lib" dist: - container: - image: "grafana/loki-build-image:0.33.0" needs: - "version" runs-on: "ubuntu-latest" 
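Review bot: The new `get-secrets` step in the `dist` job (hunk `@@ -154,13 +152,36 @@` of minor-release-pr.yml) references `grafana/shared-workflows/actions/get-vault-secrets@main`, a mutable branch ref, in the step that fetches the package signing key and passphrase. Whatever `main` resolves to at run time executes with access to those secrets and to the OIDC token this commit enables. Pin the action to a full commit SHA, for example `uses: "grafana/shared-workflows/actions/get-vault-secrets@<full-commit-sha>"`, where the placeholder is the SHA of the upstream commit that was reviewed. The same ref appears in patch-release-pr.yml and in the vendored loki-release copies (release-pr.yml and the `step.new(...)` call in workflows/build.libsonnet), so the change probably belongs in build.libsonnet with these workflows regenerated from it.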
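Review bot: In hunk `@@ -921,4 +942,5 @@` of minor-release-pr.yml, `id-token: "write"` is added to what appears to be the workflow-level `permissions:` block, so every job in the workflow can request an OIDC token. Only the `dist` job's `get-secrets` step visibly needs one. Consider leaving the top-level block as it was and giving `dist` its own block, e.g. `permissions: { contents: "read", id-token: "write" }`. A job-level block replaces the workflow default, so first confirm that `dist` needs no more than read access to contents. The same line is added in patch-release-pr.yml, the vendored release-pr.yml and the `permissions` object in main.jsonnet.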
@@ -154,13 +152,36 @@ jobs: uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCS_SERVICE_ACCOUNT_KEY }}" + - id: "get-secrets" + name: "get nfpm signing keys" + uses: "grafana/shared-workflows/actions/get-vault-secrets@main" + with: + common_secrets: | + NFPM_SIGNING_KEY=packages-gpg:private-key + NFPM_PASSPHRASE=packages-gpg:passphrase - env: BUILD_IN_CONTAINER: false DRONE_TAG: "${{ needs.version.outputs.version }}" IMAGE_TAG: "${{ needs.version.outputs.version }}" + NFPM_SIGNING_KEY_FILE: "nfpm-private-key.key" SKIP_ARM: false name: "build artifacts" - run: "make dist packages" + run: | + cat < $NFPM_SIGNING_KEY_FILE + make dist packages + EOF shell: "bash" working-directory: "release" - name: "upload build artifacts" @@ -922,4 +943,5 @@ name: "create release PR" - "fix-action-names-in-main" permissions: contents: "write" + id-token: "write" pull-requests: "write"
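Review bot: In the "build artifacts" step of hunk `@@ -154,13 +152,36 @@`, `NFPM_SIGNING_KEY_FILE: "nfpm-private-key.key"` is a relative path, so the private key is written inside `working-directory: "release"`. Nothing visible in the step removes it before "upload build artifacts" runs. The run script is only partly legible here, so this may already be handled, but it is worth confirming that the upload path cannot include the key file. Consider a key path outside the checkout with restrictive permissions (`umask 077` before the write), quoting the variable as `"$NFPM_SIGNING_KEY_FILE"`, and a cleanup step with `if: always()` that deletes the file. minor-release-pr.yml and the vendored release-pr.yml and build.libsonnet carry the same step.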