CI: Travis -> GitHub Actions; Create Release Binaries and Container Images

[sheurich]

As a follow-on to https://github.com/letsencrypt/pebble/pull/439 this change request implements the first step of building a new CI system for Pebble. As this is a testbed environment for Boulder, some of these changes may prove to be useful in the latter context.

Per https://github.com/letsencrypt/pebble/issues/434#issuecomment-1958432503, GitHub Actions is a reasonable choice for a new CI implementation to supersede Travis. Much, but not all, of the existing functionality is present in this initial set of changes.

Items currently implemented include:

• Binary production of pebble and challtestsrv for platforms:
  • AMD64
    • darwin
    • linux
    • windows
  • ARM64
    • darwin
    • linux
    • windows
• Multiplatform docker images published on the GitHub Container Registry for platforms:
  • linux/amd64
  • linux/arm64
  • windows/amd64
• Golang linting.
• Golang coverage.
• Local test scripts for Go and Docker:
  • ./build.sh
  • ./docker.sh
  • ./test.sh

This PR also adds a -version flag to Pebble, which is set during release build to the Git commit ref.

This change builds on earlier work done in https://github.com/letsencrypt/pebble/pull/379 and https://github.com/letsencrypt/pebble/pull/442.

[ldez]

I think we can merge our 2 PRs #442 My PR is the basics, and your PR is the release part.

[sheurich]

I think we can merge our 2 PRs #442

@ldez Yes let's do that. I can take a look tomorrow.

[ldez]

I mean I think my PR can be merged and your PR will just need to be "cleaned" to remove the duplication with mine. By "merge" I meant "complementary", I know it was not clear.

[sheurich]

@ldez glad you found https://github.com/letsencrypt/pebble/issues/440! I spent some time troubleshooting at the CI level but hadn't checked Pebble itself yet.

[sheurich]

@ldez I think all of the changes have been made and would appreciate another review. The PR description hasn't yet been updated to match the actual changes.

[sheurich]

This will be ready for review soon, pending a bug fix.

[sheurich]

I think this should be ready for review @mcpherrinm

[mcpherrinm]

It doesn’t have to be in this PR, but we are generally standardizing on either distroless or debian-slim as the base for docker images instead of alpine. We can make that change later, or it would be helpful if you want to make it here while we’re changing the docker files.

I’ll review more fully later today

[sheurich]

It doesn’t have to be in this PR, but we are generally standardizing on either distroless or debian-slim as the base for docker images instead of alpine.

I had assumed that Alpine was chosen over Debian as a derivative of the strategy outlined in the Pebble README:

In places where the ACME specification allows customization/CA choice Pebble aims to make choices different from Boulder.

It's no problem to change to Distroless for release. I will add that update to this PR.

[sheurich]

Since cgo is not needed by pebble or pebble-challtestsrv, the release image can be FROM scratch. This WFM but are there other requirements which need glibc or other items from distroless?

[mcpherrinm]

Scratch is fine by me

[sheurich]

@mcpherrinm the scratch change is implemented and a few other bugs have been squashed.

[sheurich]

The four shell scripts (docker, lint, mods, and test) seem like they'll be kinda difficult to keep in sync with the commands in the corresponding github actions.

I agree.

Can we either have the github actions call these scripts directly, or leave them out, or clearly document in both places how best to keep them in sync?

I found them useful and like the idea of being able to run the same checks/tests as CI locally. I will update the workflows to call the scripts.

On the other hand, the scripts' functionality is already subsumed into the various workflows and isn't as useful now. I'm removing them.

[mcpherrinm]

Merged and tagged as v2.5.0