stackitcloud · Benjosh95 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025 · Jul 30, 2025
@@ -17,13 +17,12 @@ permissions:
 
 jobs:
   goreleaser:
-    name: Release
+    name: Build and Release
     runs-on: macOS-latest
+    outputs:
+      gpg_fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}
     env:
       SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
-      # Needed to publish new packages to our S3-hosted APT repo
-      AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -61,11 +60,6 @@ jobs:
           APPLE_KEY_ID: ${{ secrets.APPLE_KEY_ID }}
           SIGNING_CERTIFICATE_BASE64: ${{ secrets.APPLICATION_ID_CERT }}
           AUTHKEY_BASE64: ${{ secrets.APPLE_API_KEY }}
-      # aptly version 1.6.0 results in an segmentation fault. Therefore we fall back to version 1.5.0.
-      # Since it is not possible to specify a version via brew command a formula was added for aptly 1.5.0
-      # (source: https://github.com/Homebrew/homebrew-core/pull/202415/files)
-      - name: Install Aptly version 1.5.0
-        run: brew install aptly.rb
       - name: Install Snapcraft
         uses: samuelmeuli/action-snapcraft@v3
       - name: Run GoReleaser
@@ -75,9 +69,61 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.CLI_RELEASE }}
           GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+      - name: Upload dist artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+          retention-days: 1
+
+  publish-packages:
+    name: Publish Packages
+    runs-on: ubuntu-latest
+    needs: goreleaser
+    if: contains(github.ref_name, '-') == false
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.OBJECT_STORAGE_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.OBJECT_STORAGE_SECRET_ACCESS_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      GPG_PRIVATE_KEY_FINGERPRINT: ${{ needs.goreleaser.outputs.gpg_fingerprint }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        id: import_gpg
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+      # aptly version 1.6.0 results in an segmentation fault. Therefore we fall back to version 1.5.0.
+      # Since it is not possible to specify a version via brew command a formula was added for aptly 1.5.0
+      # (source: https://github.com/Homebrew/homebrew-core/pull/202415/files)
+      - name: Install Aptly version 1.5.0
+        run: |
+          # Install aptly on Ubuntu
+          wget -O - https://www.aptly.info/pubkey.txt | sudo apt-key add -
+          echo "deb https://repo.aptly.info/ squeeze main" | sudo tee -a /etc/apt/sources.list.d/aptly.list
+          sudo apt-get update
+          sudo apt-get install -y aptly
+      - name: Install createrepo_c
+        run: |
+          # Install createrepo_c on Ubuntu
+          sudo apt-get update
+          sudo apt-get install -y createrepo-c
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
       - name: Publish packages to APT repo
-        if: contains(github.ref_name, '-') == false
         env:
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
           GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
         run: ./scripts/publish-apt-packages.sh
+      - name: Publish packages to RPM repo
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+        run: ./scripts/publish-rpm-packages.sh
@@ -0,0 +1,61 @@
+name: RPM Test
+
+on:
+  push:
+    branches:
+      - testrpmworkflow
+  workflow_dispatch:
+
+jobs:
+  rpm-release:
+    runs-on: ubuntu-latest
+    env:
+      GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+      # Use test credentials - replace with your actual test bucket credentials
+      AWS_ACCESS_KEY_ID: ${{ secrets.TEST_OBJECT_STORAGE_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.TEST_OBJECT_STORAGE_SECRET_ACCESS_KEY }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: true
+
+      - name: Install GoReleaser
+        run: go install github.com/goreleaser/goreleaser/v2@latest
+
+      - name: Import GPG key
+        uses: crazy-max/ghaction-import-gpg@v6
+        id: import_gpg
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.GPG_PASSPHRASE }}
+
+      - name: Build RPMs
+        env:
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          NFPM_LINUX_PACKAGES_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: ./release-rpm.sh
+
+      - name: Install createrepo_c
+        run: sudo apt-get update && sudo apt-get install -y createrepo-c
+
+      - name: Install AWS CLI
+        uses: unfor19/install-aws-cli-action@v1
+        with:
+          version: 2
+
+      - name: Test AWS credentials
+        run: |
+          echo "Testing AWS credentials with test bucket..."
+          aws s3 ls s3://distribution-test/ --endpoint-url https://object.storage.eu01.onstackit.cloud
+          echo "✅ AWS credentials work!"
+
+      - name: Publish RPM repo
+        env:
+          GPG_PRIVATE_KEY_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+        run: ./publish-rpm-repo.sh 
@@ -165,8 +165,7 @@ winget:
     homepage: "https://github.com/stackitcloud/stackit-cli"
     # If set to auto, the release will not be uploaded to the homebrew tap repo
     # if the tag has a prerelease indicator (e.g. v0.0.1-alpha1)
-    # Temporarily not skipping prereleases to test integration with Winget
-    # skip_upload: auto
+    skip_upload: auto
     repository:
       owner: stackitcloud
       name: winget-pkgs

@@ -130,23 +130,108 @@ asset_filters=["stackit-cli_", "_linux_amd64.tar.gz"]
 eget stackitcloud/stackit-cli
 ```
 
-#### RPM package via dnf, yum and zypper
+#### RedHat/Fedora (`dnf`)
 
-The STACKIT CLI is available as [RPM Package](https://github.com/stackitcloud/stackit-cli/releases) and can be installed via dnf, yum and zypper package manager.
+The STACKIT CLI can be installed through the `dnf` package manager on modern RedHat-based distributions.
 
-Just download the rpm package from the [release page](https://github.com/stackitcloud/stackit-cli/releases) and run the install command like the following:
+**Supported distributions:**
+- RHEL 9+
+- Fedora 35+
+- AlmaLinux 9+
+- Rocky Linux 9+
+
+> **Note:** RHEL 8 and older derivatives are not supported due to GPG signature compatibility.
+
+##### Before you begin
+
+To install the STACKIT CLI package, you will need to have the `curl` and `gnupg` packages installed:
+
+```shell
+sudo dnf install curl gnupg
+```
+
+##### Installing
+
+1. Import the STACKIT public key:
+
+```shell
+curl https://packages.stackit.cloud/keys/key.gpg | sudo gpg --dearmor -o /etc/pki/rpm-gpg/RPM-GPG-KEY-stackit
+```
+
+2. Add the STACKIT CLI package repository:
+
+```shell
+sudo tee /etc/yum.repos.d/stackit.repo << EOF
+[stackit]
+name=STACKIT CLI Repository
+baseurl=https://packages.stackit.cloud/rpm/cli/
+enabled=1
+gpgcheck=1
+repo_gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-stackit
+EOF
+```
+
+3. Update repository information and install the `stackit` package:
+
+```shell
+sudo dnf update
+sudo dnf install stackit
+```
+
+#### OpenSUSE (`zypper`)
+
+The STACKIT CLI can be installed through the `zypper` package manager.
+
+**Supported distributions:**
+- OpenSUSE Leap 15.4+
+- OpenSUSE Tumbleweed
+
+##### Before you begin
+
+To install the STACKIT CLI package, you will need to have the `curl` and `gnupg` packages installed:
+
+```shell
+sudo zypper install curl gnupg
+```
+
+##### Installing
+
+1. Import the STACKIT public key:
+
+```shell
+curl https://packages.stackit.cloud/keys/key.gpg | sudo gpg --dearmor -o /etc/pki/rpm-gpg/RPM-GPG-KEY-stackit
+```
+
+2. Add the STACKIT CLI package repository:
+
+```shell
+sudo zypper addrepo -g -f https://packages.stackit.cloud/rpm/cli/ stackit
+sudo zypper --gpg-auto-import-keys refresh
+```
+
+3. Install the `stackit` package:
 
 ```shell
-dnf install stackitcli.rpm
-yum install stackitcli.rpm
-zypper install stackitcli.rpm
+sudo zypper install stackit
+```
+
+#### Manual RPM Installation
+
+Alternatively, you can download the RPM package from the [release page](https://github.com/stackitcloud/stackit-cli/releases) and install it manually:
+
+```shell
+# Download and install directly
+sudo dnf install https://github.com/stackitcloud/stackit-cli/releases/latest/download/stackit_*_linux_amd64.rpm
+
+# Or download first, then install
+wget https://github.com/stackitcloud/stackit-cli/releases/latest/download/stackit_*_linux_amd64.rpm
+sudo dnf install stackit_*_linux_amd64.rpm
 ```
 
-#### Any distribution
+> **Note:** Manual RPM installation requires a modern distribution (RHEL 9+, Fedora 35+, AlmaLinux 9+, Rocky Linux 9+) for GPG signature verification.
 
-Alternatively, you can install via [Homebrew](https://brew.sh/) or refer to one of the installation methods below.
 
-> We are currently working on distributing the CLI on more package managers for Linux.
 
 ### Windows
 

@@ -0,0 +1,42 @@
+version: 2
+
+before:
+  hooks:
+    - go mod tidy
+
+builds:
+  - id: linux-builds
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    binary: "stackit"
+    ldflags:
+      - -s -w
+      - -X github.com/stackitcloud/stackit-cli/internal/cmd.Version={{.Version}}
+      - -X github.com/stackitcloud/stackit-cli/internal/cmd.Commit={{.Commit}}
+      - -X github.com/stackitcloud/stackit-cli/internal/cmd.Date={{.Date}}
+
+archives: [] # No archives, just RPMs
+
+nfpms:
+  - id: linux_packages
+    ids:
+      - linux-builds
+    package_name: stackit
+    vendor: STACKIT
+    homepage: https://github.com/stackitcloud/stackit-cli
+    maintainer: STACKIT Developer Tools Team <developer-tools@stackit.cloud>
+    description: A command-line interface to manage STACKIT resources.
+    license: Apache 2.0
+    formats:
+      - rpm
+    rpm:
+      signature:
+        key_file: "{{ .Env.GPG_KEY_PATH }}"
+    contents:
+      - src: LICENSE.md
+        dst: LICENSE.md 
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -euo pipefail
+
+RPM_OUTPUT_DIR="dist"
+TEMP_DIR=$(mktemp -d)
+GPG_PRIVATE_KEY_FINGERPRINT="${GPG_PRIVATE_KEY_FINGERPRINT:?Set GPG_PRIVATE_KEY_FINGERPRINT}"
+GPG_PASSPHRASE="${GPG_PASSPHRASE:?Set GPG_PASSPHRASE}"
+AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:?Set AWS_ACCESS_KEY_ID}"
+AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:?Set AWS_SECRET_ACCESS_KEY}"
+
+# Test environment S3 bucket
+S3_BUCKET="distribution-test"
+S3_ENDPOINT="https://object.storage.eu01.onstackit.cloud"
+RPM_REPO_PATH="rpm/cli"
+
+echo ">>> Preparing RPM repository structure..."
+mkdir -p "$TEMP_DIR/rpm-repo/RPMS"
+
+echo ">>> Copying built RPMs..."
+cp "$RPM_OUTPUT_DIR"/*.rpm "$TEMP_DIR/rpm-repo/RPMS/"
+
+echo ">>> Creating RPM repository metadata..."
+createrepo_c "$TEMP_DIR/rpm-repo"
+
+echo ">>> Signing repository metadata..."
+gpg --batch --yes --pinentry-mode loopback \
+    --local-user="$GPG_PRIVATE_KEY_FINGERPRINT" \
+    --passphrase="$GPG_PASSPHRASE" \
+    --detach-sign --armor "$TEMP_DIR/rpm-repo/repodata/repomd.xml"
+
+echo ">>> Uploading to test bucket..."
+aws s3 sync "$TEMP_DIR/rpm-repo/" "s3://$S3_BUCKET/$RPM_REPO_PATH/" \
+    --endpoint-url "$S3_ENDPOINT" \
+    --delete
+
+rm -rf "$TEMP_DIR"
+echo ">>> RPM repo published to test bucket: $S3_BUCKET/$RPM_REPO_PATH" 
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# Create temporary GPG key file
+TEMP_KEY_FILE=$(mktemp)
+echo "$GPG_PRIVATE_KEY" > "$TEMP_KEY_FILE"
+
+# Import key into GPG keyring
+gpg --batch --import "$TEMP_KEY_FILE"
+
+# Set environment variables for GoReleaser
+export GPG_KEY_PATH="$TEMP_KEY_FILE"
+export NFPM_LINUX_PACKAGES_RPM_PASSPHRASE="$GPG_PASSPHRASE"
+
+goreleaser release --clean --config goreleaser.rpm.yaml --snapshot
+
+# Clean up
+rm -f "$TEMP_KEY_FILE"
+
+echo "RPM build complete. Find RPMs in ./dist/"