Merge pull request #3726 from ActiveState/CP-1073

Update CI to not deploy directly to production on release branches

Author: MDrakos

.github/workflows/build.yml

@@ -180,8 +180,6 @@ jobs:
           EOF
           )"
         env:
-          CODE_SIGNING_PASSWD: ${{ secrets.CODE_SIGNING_PASSWD }}
-          MSI_CERT_BASE64: ${{ secrets.MSI_CERT_BASE64 }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           JIRA_USERNAME: ${{ secrets.JIRA_EMAIL }}
           JIRA_TOKEN: ${{ secrets.JIRA_TOKEN }}
@@ -242,43 +240,6 @@ jobs:
         shell: bash
         run: parallelize results Build-MCP
 
-      - # === Prepare Windows Cert ===
-        name: Prepare Windows Cert
-        shell: bash
-        if: runner.os == 'Windows'
-        run: |
-          echo $MSI_CERT_BASE64 | base64 --decode > Cert.p12
-        env:
-          MSI_CERT_BASE64: ${{ secrets.MSI_CERT_BASE64 }}
-
-      - # === Sign Binaries (Windows only) ===
-        name: Sign Binaries (Windows only)
-        shell: bash
-        if: runner.os == 'Windows' && contains(fromJSON('["refs/heads/beta", "refs/heads/release", "refs/heads/LTS"]'), github.ref)
-        run: |
-          export PATH=/c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/:/c/Program\ Files\ \(x86\)/Windows\ Kits/10/bin/10.0.26100.0/x64:$PATH
-
-          signtool.exe sign -fd SHA1 -d "ActiveState State Tool" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state.exe
-          signtool.exe sign -fd SHA1 -d "ActiveState State Service" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state-svc.exe
-          signtool.exe sign -fd SHA1 -d "ActiveState State Installer" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state-installer.exe
-          signtool.exe sign -fd SHA1 -d "ActiveState State Tool Remote Installer" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state-remote-installer.exe
-          signtool.exe sign -fd SHA1 -d "ActiveState State MCP" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state-mcp.exe
-        env:
-          CODE_SIGNING_PASSWD: ${{ secrets.CODE_SIGNING_PASSWD }}
-
-      - # === Sign Install Scripts (Windows only) ===
-        name: Sign Install Scripts (Windows only)
-        shell: powershell
-        if: runner.os == 'Windows' && contains(fromJSON('["refs/heads/beta", "refs/heads/release", "refs/heads/LTS"]'), github.ref)
-        run: |
-          $branchInfix = $Env:GITHUB_REF.Replace("refs/heads/", "").Replace("release", "")
-          $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
-          $cert.Import('Cert.p12',$env:CODE_SIGNING_PASSWD,'DefaultKeySet')
-          Set-AuthenticodeSignature -FilePath build\installers\$branchInfix\install.ps1 -Certificate $cert
-          Set-AuthenticodeSignature -FilePath build\installers\$branchInfix\legacy-install.ps1 -Certificate $cert
-        env:
-          CODE_SIGNING_PASSWD: ${{ secrets.CODE_SIGNING_PASSWD }}
-
       - # === Generate Update ===
         name: Generate Update
         shell: bash
@@ -318,6 +279,7 @@ jobs:
             fi
           fi
 
+          echo "Deploying for integration tests"
           state run deploy-updates
           state run deploy-installers
           state run deploy-remote-installer
@@ -531,9 +493,18 @@ jobs:
         name: Deploy
         shell: bash
         run: |
-          state run deploy-updates
-          state run deploy-installers
-          state run deploy-remote-installer
+          # Deploy to staging for release branches, regular deploy for others
+          if [[ "$GITHUB_REF" == "refs/heads/beta" || "$GITHUB_REF" == "refs/heads/release" || "$GITHUB_REF" =~ ^refs/heads/LTS ]]; then
+            echo "Deploying to staging directory for release branch: $GITHUB_REF"
+            DEPLOY_TO_STAGING=true state run deploy-updates
+            DEPLOY_TO_STAGING=true state run deploy-installers
+            DEPLOY_TO_STAGING=true state run deploy-remote-installer
+          else
+            echo "Deploying normally for non-release branch: $GITHUB_REF"
+            state run deploy-updates
+            state run deploy-installers
+            state run deploy-remote-installer
+          fi
 
       - # === Cleanup Session Artifacts ===
         name: Cleanup Session Artifacts

.github/workflows/release.yml

@@ -48,21 +48,14 @@ jobs:
         shell: bash
         timeout-minutes: 15
         run: |
-          echo $MSI_CERT_BASE64 | base64 --decode > Cert.p12
-          export PATH=/c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.11/bin/:/c/Program\ Files\ \(x86\)/Windows\ Kits/10/bin/10.0.16299.0/x86/:$PATH
-
           GOOS=windows state run build-remote-installer
-          signtool.exe sign -d "ActiveState State Tool Remote Installer" -f "Cert.p12" -p ${CODE_SIGNING_PASSWD} ./build/state-remote-installer.exe
           state run generate-remote-install-deployment windows amd64
 
           GOOS=linux state run build-remote-installer
           state run generate-remote-install-deployment linux amd64
 
           GOOS=darwin state run build-remote-installer
           state run generate-remote-install-deployment darwin amd64
-        env:
-          CODE_SIGNING_PASSWD: ${{ secrets.CODE_SIGNING_PASSWD }}
-          MSI_CERT_BASE64: ${{ secrets.MSI_CERT_BASE64 }}
 
       - # === Configure AWS credentials ==
         name: Configure AWS credentials

activestate.yaml

@@ -208,7 +208,15 @@ scripts:
 
       echo "If using tokens make sure to run 'go run extras/aws-mfa-auth/main.go' on TheHomeRepot first."
 
-      go run scripts/ci/s3-deployer/main.go ${constants.BUILD_TARGET_PREFIX_DIR}/update us-east-1 state-tool update/state
+      PREFIX="update/state"
+      if [ "$DEPLOY_TO_STAGING" = "true" ]; then
+        PREFIX="staging/$PREFIX"
+        echo "Deploying updates to staging: $PREFIX"
+      else
+        echo "Deploying updates to production: $PREFIX"
+      fi
+
+      go run scripts/ci/s3-deployer/main.go ${constants.BUILD_TARGET_PREFIX_DIR}/update us-east-1 state-tool $PREFIX
   - name: build-install-scripts
     language: bash
     standalone: true
@@ -247,16 +255,49 @@ scripts:
   - name: deploy-installers
     language: bash
     standalone: true
-    description: Deploys update files to S3. This steps is automated by CI and should never be ran manually unless you KNOW WHAT YOU'RE DOING.
+    description: Deploys installer files to S3. This steps is automated by CI and should never be ran manually unless you KNOW WHAT YOU'RE DOING.
     value: |
-      go run scripts/ci/s3-deployer/main.go build/installers us-east-1 state-tool update/state
+      PREFIX="update/state"
+      if [ "$DEPLOY_TO_STAGING" = "true" ]; then
+        PREFIX="staging/$PREFIX"
+        echo "Deploying installers to staging: $PREFIX"
+      else
+        echo "Deploying installers to production: $PREFIX"
+      fi
+
+      go run scripts/ci/s3-deployer/main.go build/installers us-east-1 state-tool $PREFIX
   - name: deploy-remote-installer
     language: bash
     standalone: true
     value: |
       set -e
       $constants.SET_ENV
-      go run scripts/ci/s3-deployer/main.go $BUILD_TARGET_DIR/remote-installer us-east-1 state-tool remote-installer
+      
+      PREFIX="remote-installer"
+      if [ "$DEPLOY_TO_STAGING" = "true" ]; then
+        PREFIX="staging/$PREFIX"
+        echo "Deploying remote installer to staging: $PREFIX"
+      else
+        echo "Deploying remote installer to production: $PREFIX"
+      fi
+      
+      go run scripts/ci/s3-deployer/main.go $BUILD_TARGET_DIR/remote-installer us-east-1 state-tool $PREFIX
+  - name: promote-staging-to-production
+    language: bash
+    standalone: true
+    description: Promotes files from staging directory to production. This should be run manually after Windows binaries have been signed.
+    value: |
+      set -e
+      echo "Promoting staging files to production..."
+      echo "WARNING: This will move all files from staging/ to production. Make sure Windows binaries have been signed!"
+      read -p "Are you sure you want to continue? (y/N): " -n 1 -r
+      echo
+      if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        echo "Promotion cancelled."
+        exit 1
+      fi
+      
+      go run scripts/ci/s3-promoter/main.go us-east-1 state-tool
   - name: build-workflow-assets
     language: bash
     standalone: true

scripts/ci/s3-promoter/main.go

@@ -0,0 +1,160 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"runtime"
+	"strings"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+	"github.com/aws/aws-sdk-go-v2/service/s3/types"
+
+	"github.com/ActiveState/cli/internal/condition"
+)
+
+var awsRegionName, awsBucketName, basePrefix string
+var client *s3.Client
+
+func main() {
+	if !condition.InUnitTest() {
+		if len(os.Args) != 3 && len(os.Args) != 4 {
+			log.Fatalf("Usage: %s <region-name> <bucket-name> [base-prefix]", os.Args[0])
+		}
+
+		awsRegionName = os.Args[1]
+		awsBucketName = os.Args[2]
+		if len(os.Args) == 4 {
+			basePrefix = os.Args[3]
+			if basePrefix != "" && !strings.HasSuffix(basePrefix, "/") {
+				basePrefix += "/"
+			}
+		}
+
+		run()
+	}
+}
+
+func run() {
+	fmt.Printf("Promoting staging files to production in bucket: %s\n", awsBucketName)
+	if basePrefix != "" {
+		fmt.Printf("Using base prefix: %s\n", basePrefix)
+	}
+
+	createClient()
+
+	// List all objects with <basePrefix>staging/ prefix
+	allObjects, err := listObjectsWithPrefix(basePrefix + "staging/")
+	if err != nil {
+		log.Fatalf("Failed to list staging objects: %v", err)
+	}
+
+	// Filter out the root staging directory itself (but keep subdirectories)
+	var stagingObjects []types.Object
+	stagingPrefix := basePrefix + "staging/"
+	for _, obj := range allObjects {
+		if *obj.Key == stagingPrefix {
+			continue
+		}
+		stagingObjects = append(stagingObjects, obj)
+	}
+
+	if len(stagingObjects) == 0 {
+		fmt.Println("No staging files found to promote.")
+		return
+	}
+
+	fmt.Printf("Found %d staging files to promote:\n", len(stagingObjects))
+	for _, obj := range stagingObjects {
+		fmt.Printf("  - %s\n", *obj.Key)
+	}
+
+	// Copy each staging object to production location and delete the staging version
+	for _, obj := range stagingObjects {
+		stagingKey := *obj.Key
+		relativeKey := strings.TrimPrefix(stagingKey, basePrefix+"staging/")
+		destinationKey := basePrefix + "release/" + relativeKey
+
+		fmt.Printf("Promoting %s -> %s\n", stagingKey, destinationKey)
+
+		err := copyObject(stagingKey, destinationKey)
+		if err != nil {
+			log.Fatalf("Failed to copy %s to %s: %v", stagingKey, destinationKey, err)
+		}
+
+		err = deleteObject(stagingKey)
+		if err != nil {
+			log.Fatalf("Failed to delete staging object %s: %v", stagingKey, err)
+		}
+	}
+
+	fmt.Printf("Successfully promoted %d files from staging to production.\n", len(stagingObjects))
+}
+
+func createClient() {
+	var err error
+
+	cfg, err := config.LoadDefaultConfig(context.Background(),
+		config.WithRegion(awsRegionName),
+	)
+	if err != nil {
+		log.Fatalf("failed to load config, %s", err.Error())
+	}
+
+	// For Windows workstations, you might need to handle profile selection differently
+	if runtime.GOOS == "windows" && !condition.OnCI() {
+		cfg, err = config.LoadDefaultConfig(context.Background(),
+			config.WithRegion(awsRegionName),
+			config.WithSharedConfigProfile("mfa"),
+		)
+		if err != nil {
+			log.Fatalf("failed to load config with profile, %s", err.Error())
+		}
+	}
+
+	client = s3.NewFromConfig(cfg)
+}
+
+func listObjectsWithPrefix(prefix string) ([]types.Object, error) {
+	var objects []types.Object
+
+	paginator := s3.NewListObjectsV2Paginator(client, &s3.ListObjectsV2Input{
+		Bucket: aws.String(awsBucketName),
+		Prefix: aws.String(prefix),
+	})
+
+	for paginator.HasMorePages() {
+		page, err := paginator.NextPage(context.Background())
+		if err != nil {
+			return nil, err
+		}
+		objects = append(objects, page.Contents...)
+	}
+
+	return objects, nil
+}
+
+func copyObject(sourceKey, destinationKey string) error {
+	copySource := fmt.Sprintf("%s/%s", awsBucketName, sourceKey)
+
+	_, err := client.CopyObject(context.Background(), &s3.CopyObjectInput{
+		Bucket:     aws.String(awsBucketName),
+		CopySource: aws.String(copySource),
+		Key:        aws.String(destinationKey),
+		ACL:        types.ObjectCannedACLPublicRead,
+	})
+
+	return err
+}
+
+func deleteObject(key string) error {
+	_, err := client.DeleteObject(context.Background(), &s3.DeleteObjectInput{
+		Bucket: aws.String(awsBucketName),
+		Key:    aws.String(key),
+	})
+
+	return err
+}