chore: add workflows and scripts for uploading to and downloading fro…

…m stampy (#2586)

* chore: add workflow to transfer signed windows installer to CLI s3 bucket

* chore: add workflow to clean up stampy buckets

* chore: uncomment pack-and-upload-windows job

* chore: add workflow to promote windows installer to stable

* chore: add name for Windows installer to package.json

* chore: add workflow for uploading windows installers to stampy

* chore: update file permissions on script files

* chore: add environment for access to stampy secrets

* chore: change environment name to title case

* chore: move pack and upload windows scripts to pack-upload workflow and add root

.github/workflows/empty-stampy-buckets.yml

@@ -0,0 +1,24 @@
+name: Empty Stampy signed and unsigned buckets
+on:
+  workflow_dispatch
+
+jobs:
+  copy-to-stable:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - name: Empty Stampy signed and unsigned buckets
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
+          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          node scripts/empty-stampy-buckets.js

.github/workflows/get-signed-from-stampy.yml

@@ -0,0 +1,30 @@
+name: Get signed installers from Stampy
+on:
+  workflow_dispatch
+
+jobs:
+  get-signed-from-stampy:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - uses: actions/checkout@3
+      - name: download signed Windows installer from from Stampy
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        # switch AWS identity to the one that can access stampy
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ .
+      - name: upload signed Windows installer to Heroku CLI s3
+        env:
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: node ./scripts/upload-stampy-signed.js

.github/workflows/pack-upload.yml

@@ -105,25 +105,25 @@ jobs:
           yarn oclif upload tarballs
           ./scripts/upload/deb
 
-  # pack-and-upload-windows:
-  #   runs-on: ubuntu-latest
-  #   env:
-  #     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  #     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-  #   steps:
-  #     - uses: actions/checkout@v3
-  #     - uses: actions/setup-node@v3
-  #       with:
-  #         node-version: lts/*
-  #         cache: yarn
-  #     - name: Set up Homebrew
-  #       id: set-up-homebrew
-  #       uses: Homebrew/actions/setup-homebrew@41775cf0c82ef066f1eb39cea1bd74697ca5b735
-  #     - name: Install NSIS
-  #       run: brew install nsis
-  #     - name: yarn install
-  #       run: yarn --immutable --network-timeout 1000000
-  #     - name: pack windows installer
-  #       run: yarn pack:win
-  #     - name: upload windows installer
-  #       run: yarn upload:win
+  pack-and-upload-windows:
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+          cache: yarn
+      - name: Set up Homebrew
+        id: set-up-homebrew
+        uses: Homebrew/actions/setup-homebrew@41775cf0c82ef066f1eb39cea1bd74697ca5b735
+      - name: Install NSIS
+        run: brew install nsis
+      - name: yarn install
+        run: yarn --immutable --network-timeout 1000000
+      - name: pack windows installer
+        run: oclif pack win --defender-exclusion hidden --root="./packages/cli"
+      - name: upload windows installer
+        run: oclif upload win --root="./packages/cli"

.github/workflows/promote-windows.yml

@@ -0,0 +1,38 @@
+name: Promote signed Windows installer
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: version to promote to stable (this should be the latest release version)
+        type: string
+        required: true
+
+jobs:
+  promote:
+    name: Promote ${{ inputs.version }}  of the Windows installer to stable
+    runs-on: ubuntu-latest
+    env:
+      CLOUDFRONT_DISTRIBUTION: ${{ secrets.CLOUDFRONT_DISTRIBUTION }}
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      AWS_EC2_METADATA_DISABLED: true
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js 16.x
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16.x
+          cache: yarn
+      - run: yarn --immutable --network-timeout 1000000
+      - name: install apt-get dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y awscli jq
+      - name: promote
+        env:
+          prerelease-channel: ${{ inputs.channel || 'beta'}}
+        run: |
+          SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
+          yarn oclif promote --win --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel="stable"
+        shell: bash

.github/workflows/promote.yml

@@ -60,7 +60,6 @@ jobs:
         run: |
           SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]')
           yarn oclif promote --deb --xz --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel=${{ fromJSON(inputs.isStableRelease) && 'stable' || env.prerelease-channel }}
-          # yarn oclif promote --win --xz --root="./packages/cli" --sha="$SHA" --indexes --version=${{ inputs.version }} --channel=${{ fromJson(inputs.isStableRelease) && 'stable' || env.prerelease-channel }}
         shell: bash
       - name: promote Linux install scripts
         run: node ./scripts/postrelease/install_scripts.js

.github/workflows/upload-to-stampy.yml

@@ -0,0 +1,45 @@
+name: Upload unsigned Windows installers to Stampy
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: version to upload (this should be the latest release version)
+        type: string
+        required: true
+
+jobs:
+  get-signed-from-stampy:
+    runs-on: ubuntu-latest
+    environment: Stampy
+    steps:
+      - uses: actions/checkout@3
+      - name: get version sha
+        id: versionSha
+        run: echo SHA=$(npm view heroku@${{ inputs.version }} --json | jq -r '.gitHead[0:7]') >> "$GITHUB_ENV"
+      - name: save filename (without arch/extension) for reuse
+        id: filename
+        run: echo "FILEBASE=heroku-v${{inputs.version}}-${{steps.versionSha.outputs.SHA}}" >> "$GITHUB_ENV"
+      - name: download Windows installers from s3
+        env:
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        run: |
+          aws s3 cp s3://heroku-cli-assets/versions/${{inputs.version}}/${{steps.versionSha.outputs.SHA}}/${{steps.filename.outputs.FILEBASE}}-x86.exe .
+          aws s3 cp s3://heroku-cli-assets/versions/${{inputs.version}}/${{steps.versionSha.outputs.SHA}}/${{steps.filename.outputs.FILEBASE}}-x64.exe .
+      - name: upload unsigned Windows installers to Stampy
+        env:
+          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
+          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
+          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+          AWS_EC2_METADATA_DISABLED: true
+        # switch AWS identity to the one that can access stampy
+        run: |
+          ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account')
+          TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing)
+          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
+          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
+          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
+          aws s3 cp ${{steps.filename.outputs.FILEBASE}}-x86.exe $STAMPY_UNSIGNED_BUCKET/${{steps.filename.outputs.FILEBASE}}-x86.exe
+          aws s3 cp ${{steps.filename.outputs.FILEBASE}}-x64.exe $STAMPY_UNSIGNED_BUCKET/${{steps.filename.outputs.FILEBASE}}-x64.exe

packages/cli/package.json

@@ -170,6 +170,9 @@
       "sign": "Developer ID Installer: Heroku INC",
       "identifier": "com.heroku.cli"
     },
+    "windows": {
+      "name": "Heroku CLI"
+    },
     "topics": {
       "2fa": {
         "description": "two-factor authentication",
@@ -329,7 +332,6 @@
   "scripts": {
     "build": "rm -rf lib && tsc",
     "lint": "eslint . --ext .ts --config ../../.eslintrc --ignore-path ../../.eslintignore-lib",
-    "pack:win": "oclif pack:win --defender-exclusion hidden",
     "postpublish": "rm -f oclif.manifest.json",
     "posttest": "yarn lint",
     "prepack": "yarn run build && oclif manifest",
@@ -338,7 +340,6 @@
     "test:integration": "yarn pretest && mocha --forbid-only \"test/**/*.integration.test.ts\"",
     "test:smoke": "yarn pretest && mocha --forbid-only \"test/**/smoke.acceptance.test.ts\"",
     "test": "yarn pretest && nyc mocha --forbid-only \"test/**/*.unit.test.ts\" && yarn posttest",
-    "upload:win": "oclif upload:win",
     "version": "oclif readme --multi && git add README.md ../../docs"
   },
   "types": "lib/index.d.ts"

scripts/stampy/empty-stampy-buckets.js

@@ -0,0 +1,18 @@
+const fs = require('fs')
+const exec = require('child_process').exec
+
+fs.readdirSync('.')
+  .filter(f => f.startsWith('heroku-v') && f.endsWith('.exe'))
+  .flatMap(f =>
+    [process.env.STAMPY_UNSIGNED_BUCKET, process.env.STAMPY_SIGNED_BUCKET].map(b => `aws s3 rm ${b}/${f}`),
+  )
+  .map(c => {
+    exec(c, (error, stdout) => {
+      if (error) {
+        console.error(`exec error: ${error}`)
+        return
+      }
+
+      console.log(stdout)
+    })
+  })

scripts/stampy/upload-stampy-signed.js

@@ -0,0 +1,28 @@
+const fs = require('fs')
+const exec = require('child_process').exec
+
+fs.readdirSync('.')
+  .filter(f => f.startsWith('heroku-v') && f.endsWith('.exe'))
+  .map(f => ({
+    filename: f,
+    cli: f.split('-')[0],
+    // do it from the end to account for the possibility of the version having a hyphen in it like 2.2.2-beta.0
+    sha: f.split('-').at(-2),
+  }))
+  .map(f => ({...f, shaIndex: f.filename.split('-').indexOf(f.sha)}))
+  // version is the part between the cli and the sha
+  .map(f => ({...f, version: f.filename.split('-').slice(1, f.shaIndex).join('-').replace('v', '')}))
+  .map(
+    f =>
+      `aws s3 cp ${f.filename} s3://heroku-cli-assets/versions/${f.version}/${f.sha}/${f.filename}`,
+  )
+  .map(f => {
+    exec(f, (error, stdout) => {
+      if (error) {
+        console.error(`exec error: ${error}`)
+        return
+      }
+
+      console.log(stdout)
+    })
+  })