Migrate release pipeline from Drone to GHA

.drone/drone.jsonnet

@@ -61,135 +61,7 @@ local aws_prod_secret_access_key = secret('AWS_SECRET_ACCESS_KEY-prod', 'infra/d
 local alpine_git_image = 'alpine/git:v2.30.2';
 
 //# Pipelines & resources
-
 [
-  local ghTokenFilename = '/drone/src/gh-token.txt';
-  // Build and release packages
-  // Tested by installing the packages on a systemd container
-  pipeline('release') {
-    trigger: {
-      event: ['tag', 'pull_request'],
-    },
-    image_pull_secrets: [
-      docker_config_json_secret.name,
-    ],
-    volumes+: [
-      {
-        name: 'cgroup',
-        host: {
-          path: '/sys/fs/cgroup',
-        },
-      },
-      {
-        name: 'docker',
-        host: {
-          path: '/var/run/docker.sock',
-        },
-      },
-    ],
-    // Launch systemd containers to test the packages
-    services: [
-      {
-        name: 'systemd-debian',
-        image: 'jrei/systemd-debian:12',
-        volumes: [
-          {
-            name: 'cgroup',
-            path: '/sys/fs/cgroup',
-          },
-        ],
-        privileged: true,
-      },
-      {
-        name: 'systemd-centos',
-        image: 'jrei/systemd-centos:8',
-        volumes: [
-          {
-            name: 'cgroup',
-            path: '/sys/fs/cgroup',
-          },
-        ],
-        privileged: true,
-      },
-    ],
-    steps+: [
-      {
-        name: 'fetch',
-        image: 'docker:git',
-        commands: ['git fetch --tags'],
-      },
-      {
-        name: 'Generate GitHub token',
-        image: 'us.gcr.io/kubernetes-dev/github-app-secret-writer:latest',
-        environment: {
-          GITHUB_APP_ID: { from_secret:  tempo_app_id_secret.name },
-          GITHUB_APP_INSTALLATION_ID: { from_secret:  tempo_app_installation_id_secret.name },
-          GITHUB_APP_PRIVATE_KEY: { from_secret: tempo_app_private_key_secret.name },
-        },
-        commands: [
-          '/usr/bin/github-app-external-token > %s' % ghTokenFilename,
-        ],
-      },
-      {
-        name: 'write-key',
-        image: 'golang:1.23',
-        commands: ['printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE'],
-        environment: {
-          NFPM_SIGNING_KEY: { from_secret: gpg_private_key.name },
-          NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key',
-        },
-      },
-      {
-        name: 'test release',
-        image: 'golang:1.23',
-        commands: ['make release-snapshot'],
-        environment: {
-          NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name },
-          NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key',
-        },
-      },
-      {
-        name: 'test deb package',
-        image: 'docker',
-        commands: ['./tools/packaging/verify-deb-install.sh'],
-        volumes: [
-          {
-            name: 'docker',
-            path: '/var/run/docker.sock',
-          },
-        ],
-        privileged: true,
-      },
-      {
-        name: 'test rpm package',
-        image: 'docker',
-        commands: ['./tools/packaging/verify-rpm-install.sh'],
-        volumes: [
-          {
-            name: 'docker',
-            path: '/var/run/docker.sock',
-          },
-        ],
-        privileged: true,
-      },
-      {
-        name: 'release',
-        image: 'golang:1.23',
-        commands: [
-          'export GITHUB_TOKEN=$(cat %s)' % ghTokenFilename,
-          'make release'
-        ],
-        environment: {
-          NFPM_DEFAULT_PASSPHRASE: { from_secret: gpg_passphrase.name },
-          NFPM_SIGNING_KEY_FILE: '/drone/src/private-key.key',
-        },
-        when: {
-          event: ['tag'],
-        },
-      },
-    ],
-  },
-] + [
   docker_username_secret,
   docker_password_secret,
   docker_config_json_secret,

.drone/drone.yml

@@ -1,97 +1,4 @@
 ---
-depends_on: []
-image_pull_secrets:
-- dockerconfigjson
-kind: pipeline
-name: release
-platform:
-  arch: amd64
-  os: linux
-services:
-- image: jrei/systemd-debian:12
-  name: systemd-debian
-  privileged: true
-  volumes:
-  - name: cgroup
-    path: /sys/fs/cgroup
-- image: jrei/systemd-centos:8
-  name: systemd-centos
-  privileged: true
-  volumes:
-  - name: cgroup
-    path: /sys/fs/cgroup
-steps:
-- commands:
-  - git fetch --tags
-  image: docker:git
-  name: fetch
-- commands:
-  - /usr/bin/github-app-external-token > /drone/src/gh-token.txt
-  environment:
-    GITHUB_APP_ID:
-      from_secret: tempo_app_id_secret
-    GITHUB_APP_INSTALLATION_ID:
-      from_secret: tempo_app_installation_id_secret
-    GITHUB_APP_PRIVATE_KEY:
-      from_secret: tempo_app_private_key_secret
-  image: us.gcr.io/kubernetes-dev/github-app-secret-writer:latest
-  name: Generate GitHub token
-- commands:
-  - printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE
-  environment:
-    NFPM_SIGNING_KEY:
-      from_secret: gpg_private_key
-    NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key
-  image: golang:1.23
-  name: write-key
-- commands:
-  - make release-snapshot
-  environment:
-    NFPM_DEFAULT_PASSPHRASE:
-      from_secret: gpg_passphrase
-    NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key
-  image: golang:1.23
-  name: test release
-- commands:
-  - ./tools/packaging/verify-deb-install.sh
-  image: docker
-  name: test deb package
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-- commands:
-  - ./tools/packaging/verify-rpm-install.sh
-  image: docker
-  name: test rpm package
-  privileged: true
-  volumes:
-  - name: docker
-    path: /var/run/docker.sock
-- commands:
-  - export GITHUB_TOKEN=$(cat /drone/src/gh-token.txt)
-  - make release
-  environment:
-    NFPM_DEFAULT_PASSPHRASE:
-      from_secret: gpg_passphrase
-    NFPM_SIGNING_KEY_FILE: /drone/src/private-key.key
-  image: golang:1.23
-  name: release
-  when:
-    event:
-    - tag
-trigger:
-  event:
-  - tag
-  - pull_request
-volumes:
-- host:
-    path: /sys/fs/cgroup
-  name: cgroup
-- host:
-    path: /var/run/docker.sock
-  name: docker
----
 get:
   name: username
   path: infra/data/ci/docker_hub
@@ -171,6 +78,6 @@ kind: secret
 name: gpg_passphrase
 ---
 kind: signature
-hmac: 829444ce9d30e58a656ca6369a79ecdb01aa76e56c2562c77eb734bf15677eda
+hmac: 3c75d5aee874c3a55608d626bfdca5d28ef23ecefebc5b9cdfc43aa8f6a19cec
 
 ...

.github/workflows/release.yml

@@ -0,0 +1,64 @@
+name: release
+on:
+  push:
+    tags:
+      - 'v*'
+  pull_request:
+
+# Needed to login to DockerHub
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+
+  release:
+    if: github.repository == 'grafana/tempo'  # skip in forks
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: fetch tags
+      - run: git fetch --tags
+
+      - id: "get-secrets"
+        name: "get nfpm signing keys"
+        uses: "grafana/shared-workflows/actions/get-vault-secrets@main"
+        with:
+          common_secrets: |
+            NFPM_SIGNING_KEY=packages-gpg:private-key
+            NFPM_DEFAULT_PASSPHRASE=packages-gpg:passphrase
+
+      - name: write-key
+        run: printf "%s" "$NFPM_SIGNING_KEY" > $NFPM_SIGNING_KEY_FILE
+        env:
+          NFPM_SIGNING_KEY_FILE: /tmp/nfpm-private-key.key
+
+      - name: test release
+        run: make release-snapshot
+
+      - name: test deb package
+        run: |
+          docker run --name debcontainer -it --detach jrei/systemd-debian:12 /bin/sh
+          docker cp ./dist/tempo*_amd64.deb debcontainer:.
+          docker cp ./tools/packaging/wait-for-ready.sh debcontainer:.
+          docker exec debcontainer dpkg -i ./tempo*_amd64.deb
+          docker exec debcontainer [ "$(systemctl is-active tempo)" = "active" ] || (echo "tempo is inactive" && exit 1)
+          docker exec debcontainer apt update && apt install -y curl
+          docker exec debcontainer ./wait-for-ready.sh)
+
+      - name: test rpm package
+        run: |
+          docker run --name rpmcontainer -it --detach jrei/systemd-centos:8 /bin/sh
+          docker cp ./dist/tempo*_amd64.rpm rpmcontainer:.
+          docker cp ./tools/packaging/wait-for-ready.sh rpmcontainer:.
+          docker exec rpmcontainer rpm --import https://packages.grafana.com/gpg.key
+          docker exec rpmcontainer rpm -i ./tempo*_amd64.rpm
+          docker exec rpmcontainer [ "$(systemctl is-active tempo)" = "active" ] || (echo "tempo is inactive" && exit 1)
+          docker exec rpmcontainer apt update && apt install -y curl
+          docker exec rpmcontainer ./wait-for-ready.sh)
+
+      - name: release
+        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+        run: make release