[v8] Online release process with Github Actions (#2265)

* Add Build-Sign-Release workflow

Commit summary below

Current state of CF CLI release infrastructure is offline and quite
outdated. To make our release process more transparent and inclusive we
decided to move build, signing and release processes online to Github Actions.
* Split out release/upload part of workflow
* Add capabilities to release workflow

At this point working in a workflow separate from build, for separation
of concerns between building&signing, and releasing.

This is a squashed commit of the gha-allplatforms branch, consisting of
the following changes :

- Upload mac installer to S3
- include mac installer in github release
- retrieve mac binaries in release job
- add write permission to github release job
- Add linux packages, and simplify CLAW upload steps
- Switch to sync action to support simpler CLAW S3 upload step
- Add linux packages to GH Release
- Update artifact names in release jobs
- aws s3 ls to debug s3 upload
- bump aws s3 sync to non-default-region change

* Updated for build, release, and units workflows
* Add update-repos workflow

Update-repos workflow is in charge of updating and signing on a
repository level. This workflow should be triggered towards the end of
the release process after all packages are available via distribution
network (after CLAW update). It will update the following repositories:

- Homebrew formula in homebrew-tap git repository
- RPM repo hosted on S3
- Debian repo hosted on S3

Current implementations of the update-repos workflow is matching offline
release process.

Following updates are recommended:

- Implement backup and disaster recovery procedure

- Debian
  - fill license and vendor fields
- RPM
  - sign on the repo level
- Homebrew
  - add arm architecture

* Release pipelines updates
* Removes/Cleans comments

Also, small change to sign-windows-binary.ps1 as
that step was already being done in the sign job

* Update github actions secrets template

for use with the set-github-actions-env-vars.sh script,
or the github cli's 'secret set' subcommand directly

Co-authored-by: Alexander Berezovsky <aberezovsky@vmware.com>
Co-authored-by: George Gelashvili <ggelashvili@vmware.com>
Co-authored-by: Juan Diego Gonzalez <gojuan@vmware.com>
Signed-off-by: Pete Levine <lpete@vmware.com>

.github/license/CF_NOTICE

@@ -0,0 +1,36 @@
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+
+This product contains software that is Copyright (c) 2013-2015 Pivotal Software, Inc.
+
+This product is licensed to you under the Apache License, Version 2.0 (the "License").
+
+You may not use this project except in compliance with the License.
+
+
+Attribution notices:
+
+This product includes software from https://github.com/cloudfoundry/cli/tree/master/vendor/code.cloudfoundry.org/gofileutils/fileutils that is:
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+Copyright (c) 2014-2015 Pivotal Software, Inc.
+and is licensed under the Apache License, Version 2.0.
+
+This product includes software from https://github.com/code.cloudfoundry.org/cli/tree/master/vendor/code.cloudfoundry.org/ykk that is:
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+and is licensed under the Apache License, Version 2.0.
+
+This product includes software from https://github.com/code.cloudfoundry.org/cli/tree/master/vendor/code.cloudfoundry.org/cfnetworking-cli-api that is:
+Copyright (c) 2016-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+and is licensed under the Apache License, Version 2.0.
+
+This product includes software from https://github.com/cloudfoundry/cli/tree/master/vendor/github.com/cloudfoundry/cli-plugin-repo/web that is:
+Copyright (c) 2015-Present CloudFoundry.org Foundation, Inc. All Rights Reserved.
+Copyright (c) 2015 Pivotal Software, Inc.
+and is licensed under the Apache License, Version 2.0.
+
+This product includes software from https://github.com/cloudfoundry/cli/tree/master/vendor/github.com/cloudfoundry/dropsonde that is:
+Copyright (c) 2014-2015 Pivotal Software, Inc.
+and is licensed under the Apache License, Version 2.0.
+
+This product includes software from https://github.com/cloudfoundry/cli/tree/master/vendor/github.com/docker/docker/pkg/term that is:
+Copyright 2012-2016 Docker, Inc.
+and is licensed under the Apache License, Version 2.0.

.github/release/gon.json

@@ -0,0 +1,14 @@
+{
+    "source" : [
+        "./dist/hello-darwin_darwin_amd64/hello",
+        "./dist/hello-darwin_darwin_arm64/hello"
+    ],
+    "bundle_id" : "com.example.hello",
+    "apple_id": {
+        "username" : "none@example.com",
+        "password":  "@env:AC_PASSWORD"
+    },
+    "sign" :{
+        "application_identity" : "test-sign"
+    }
+}

.github/secrets.template.envrc

@@ -0,0 +1,29 @@
+ACTIONS_RUNNER_DEBUG= # boolean
+ACTIONS_STEP_DEBUG= # boolean
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_S3_BUCKET=
+AWS_BUCKET_INTEGRATION=
+AWS_BUCKET_STAGING=
+
+DOCKER_HUB_USERNAME=
+DOCKER_HUB_ACCESS_TOKEN=
+
+GIT_RELEASE_TARGET_REPO=  # repo to draft a release under, in <user>/<repo> format
+GIT_REPO_ACCESS_TOKEN=  # only needed when pushing to a repo other than 'self'
+
+GIT_DEPLOY_HOMEBREW_TAP=
+
+SIGNING_KEY_GPG=
+SIGNING_KEY_GPG_ID=
+SIGNING_KEY_GPG_PASSPHRASE=
+
+SIGNING_CRT_MAC=
+SIGNING_KEY_MAC=
+SIGNING_KEY_MAC_ID=
+SIGNING_KEY_MAC_PASSPHRASE=
+
+SIGNING_KEY_WINDOWS_PFX=
+SIGNING_KEY_WINDOWS_ID=
+SIGNING_KEY_WINDOWS_PASSPHRASE=
+

.github/win/common.iss

@@ -0,0 +1,76 @@
+function NeedsAddPath(Param: string): boolean;
+var
+  OrigPath: string;
+begin
+  if IsAdminLoggedOn then
+  begin
+    if not RegQueryStringValue(HKEY_LOCAL_MACHINE,
+      'SYSTEM\CurrentControlSet\Control\Session Manager\Environment',
+      'Path', OrigPath)
+    then begin
+      Result := True;
+      exit;
+    end;
+   end
+  else
+  begin
+    if not RegQueryStringValue(HKEY_CURRENT_USER,
+      'Environment',
+      'Path', OrigPath)
+    then begin
+      Result := True;
+      exit;
+    end;
+  end;
+  // look for the path with leading and trailing semicolon
+  // Pos() returns 0 if not found
+  Result := Pos(';' + Param + ';', ';' + OrigPath + ';') = 0;
+end;
+
+var
+  OptionPage: TInputOptionWizardPage;
+
+procedure InitializeWizard();
+begin
+  OptionPage :=
+    CreateInputOptionPage(
+      wpWelcome,
+      'Choose installation options', 'Who should this application be installed for?',
+      'Please select whether you wish to make this software available for all users or just yourself.',
+      True, False);
+
+  OptionPage.Add('&Anyone who uses this computer (run as administrator to enable)');
+  OptionPage.Add('&Only for me');
+
+  if IsAdminLoggedOn then
+  begin
+    OptionPage.Values[0] := True;
+  end
+    else
+  begin
+    OptionPage.Values[1] := True;
+    OptionPage.CheckListBox.ItemEnabled[0] := False;
+  end;
+end;
+
+function NextButtonClick(CurPageID: Integer): Boolean;
+begin
+  if CurPageID = OptionPage.ID then
+  begin
+    if (WizardDirValue <> ExpandConstant('{userappdata}\Cloud Foundry')) AND
+      (WizardDirValue <> ExpandConstant('{pf}\Cloud Foundry')) then
+    begin
+      Log('User has selected a custom install path. Will not override.')
+    end
+    else if OptionPage.Values[1] then
+    begin
+      // override the default installation to program files ({pf})
+      WizardForm.DirEdit.Text := ExpandConstant('{userappdata}\Cloud Foundry')
+    end
+    else
+    begin
+      WizardForm.DirEdit.Text := ExpandConstant('{pf}\Cloud Foundry');
+    end;
+  end;
+  Result := True;
+end;

.github/win/innosetup/Dockerfile

@@ -0,0 +1,19 @@
+# This image is not being used by the github actions workflow
+# because gh-actions doesn't support windows based images
+# Keeping this file as we expect to use it in the future
+FROM mcr.microsoft.com/windows/servercore:ltsc2019
+SHELL ["powershell.exe"]
+
+ARG CHOCO_THUMBPRINT=83AC7D88C66CB8680BCE802E0F0F5C179722764B
+RUN mkdir \setup
+
+RUN (New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/install.ps1', '\setup\installChocolatey.ps1')
+RUN (Get-AuthenticodeSignature \setup\installChocolatey.ps1).SignerCertificate.Thumbprint > \setup\thumbprint
+RUN if ((type \setup\thumbprint) -ne $env:CHOCO_THUMBPRINT) { \
+      throw 'chocolatey installer thumbprint does not match expected. see https://docs.chocolatey.org/en-us/information/security' \
+    }
+RUN \setup\installChocolatey.ps1
+RUN Remove-Item -Recurse \setup
+
+
+RUN choco install --no-progress -r -y innosetup

.github/win/install-innosetup.ps1

@@ -0,0 +1,18 @@
+$ErrorActionPreference = "Stop"
+# in the future, this variable should cause PS to exit on non-zero exit codes from commands/exes (as opposed to PS cmdlets)
+$PSNativeCommandUseErrorActionPreference = $true
+# see https://github.com/PowerShell/PowerShell/issues/3415 and https://github.com/PowerShell/PowerShell-RFC/pull/277
+
+# retrieved from https://docs.chocolatey.org/en-us/information/security
+$chocoThumbprint = '83AC7D88C66CB8680BCE802E0F0F5C179722764B'
+
+$scriptPath = (Get-Location).Path + '\installChocolatey.ps1'
+(New-Object System.Net.WebClient).DownloadFile('https://chocolatey.org/install.ps1', $scriptPath)
+(Get-AuthenticodeSignature .\installChocolatey.ps1).SignerCertificate.Thumbprint -eq $chocoThumbprint
+
+Set-ExecutionPolicy Bypass -Scope Process
+.\installChocolatey.ps1
+
+choco install --no-progress -r -y innosetup --force
+
+Get-Command iscc -ErrorAction Continue

.github/win/run-innosetup.ps1

@@ -0,0 +1,20 @@
+param ($InnoSetupConfig, $CfBinary, $InstallerOutput)
+
+$ErrorActionPreference = "Stop"
+# in the future, this variable should cause PS to exit on non-zero exit codes from commands/exes (as opposed to PS cmdlets)
+$PSNativeCommandUseErrorActionPreference = $true
+# see https://github.com/PowerShell/PowerShell/issues/3415 and https://github.com/PowerShell/PowerShell-RFC/pull/277
+
+$innoSetupWorkDir = "$PSScriptRoot"
+$licenseDir = "${PSScriptRoot}\..\license"
+
+Move-Item -Force "$CfBinary" $innoSetupWorkDir\cf8.exe
+
+# convert line-endings
+Get-Content ${licenseDir}\LICENSE-WITH-3RD-PARTY-LICENSES | Set-Content "${innoSetupWorkDir}\LICENSE"
+Get-Content ${licenseDir}\CF_NOTICE | Set-Content "${innoSetupWorkDir}\NOTICE"
+
+iscc "$InnoSetupConfig"
+Move-Item "${innoSetupWorkDir}\Output\mysetup.exe" "$InstallerOutput"
+
+Get-ChildItem "${innoSetupWorkDir}\Output"

.github/win/sign-windows-binary.ps1

@@ -0,0 +1,9 @@
+# expected environment variables
+# SIGNING_KEY_WINDOWS_PASSPHRASE
+
+param ($BinaryFilePath)
+
+# add PATH to signtool.exe
+$env:PATH="$env:PATH;C:\Program Files (x86)\Windows Kits\10\bin\x64"
+
+signtool sign /v /p "$env:SIGNING_KEY_WINDOWS_PASSPHRASE" /fd SHA256 /f "$env:RUNNER_TEMP\cert.pfx" "$BinaryFilePath"

.github/win/windows-installer-v8-x64.iss

@@ -0,0 +1,51 @@
+[Setup]
+ChangesEnvironment=yes
+AlwaysShowDirOnReadyPage=yes
+AppName=Cloud Foundry CLI
+AppVersion=VERSION
+AppVerName=Cloud Foundry CLI version VERSION
+AppPublisher=Cloud Foundry Foundation
+ArchitecturesInstallIn64BitMode=x64 ia64
+ArchitecturesAllowed=x64 ia64
+PrivilegesRequired=none
+DefaultDirName={pf}\Cloud Foundry
+SetupIconFile=cf.ico
+UninstallDisplayIcon={app}\cf.ico
+
+[Registry]
+Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; Check: IsAdminLoggedOn and Uninstall32Bit() and NeedsAddPath(ExpandConstant('{app}'))
+Root: HKCU; Subkey: "Environment"; ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; Check: not IsAdminLoggedOn and Uninstall32Bit() and NeedsAddPath(ExpandConstant('{app}'))
+
+[Files]
+Source: LICENSE; DestDir: "{app}"
+Source: NOTICE; DestDir: "{app}"
+Source: cf8.exe; DestDir: "{app}"
+Source: cf.ico; DestDir: "{app}"
+
+[Run]
+Filename: "{cmd}"; Parameters: "/C mklink ""{app}\cf.exe"" ""{app}\cf8.exe"""
+
+[UninstallDelete]
+Type: files; Name: "{app}\cf.exe"
+Type: dirifempty; Name: "{app}"
+
+[Code]
+function Uninstall32Bit(): Boolean;
+var
+  resultCode: Integer;
+  uninstallString: String;
+  uninstallStringPath: String;
+begin
+  uninstallString := '';
+  uninstallStringPath := 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Cloud Foundry CLI_is1';
+  RegQueryStringValue(HKLM, uninstallStringPath, 'UninstallString', uninstallString);
+
+  if uninstallString <> '' then
+  begin
+    uninstallString := RemoveQuotes(uninstallString);
+    Exec(uninstallString, '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART','', SW_HIDE, ewWaitUntilTerminated, resultCode)
+  end;
+  Result := true;
+end;
+
+#include "common.iss"

.github/win/windows-installer-v8-x86.iss

@@ -0,0 +1,31 @@
+[Setup]
+ChangesEnvironment=yes
+AlwaysShowDirOnReadyPage=yes
+AppName=Cloud Foundry CLI
+AppVersion=VERSION
+AppVerName=Cloud Foundry CLI version VERSION
+AppPublisher=Cloud Foundry Foundation
+PrivilegesRequired=none
+DefaultDirName={pf}\Cloud Foundry
+SetupIconFile=cf.ico
+UninstallDisplayIcon={app}\cf.ico
+
+[Registry]
+Root: HKLM; Subkey: "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"; ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; Check: IsAdminLoggedOn and NeedsAddPath(ExpandConstant('{app}'))
+Root: HKCU; Subkey: "Environment"; ValueType: expandsz; ValueName: "Path"; ValueData: "{olddata};{app}"; Check: not IsAdminLoggedOn and NeedsAddPath(ExpandConstant('{app}'))
+
+[Files]
+Source: LICENSE; DestDir: "{app}"
+Source: NOTICE; DestDir: "{app}"
+Source: cf8.exe; DestDir: "{app}"
+Source: cf.ico; DestDir: "{app}"
+
+[Run]
+Filename: "{cmd}"; Parameters: "/C mklink ""{app}\cf.exe"" ""{app}\cf8.exe"""
+
+[UninstallDelete]
+Type: files; Name: "{app}\cf.exe"
+Type: dirifempty; Name: "{app}"
+
+[Code]
+#include "common.iss"