Jenkinsfile: Publish release artifacts for release branches.

Previously, the Jenkinsfile did not publish anything except from the repositories: tarballs would not get copied to https://dl.jami.net for the nighty and stable channels, and no commit nor tag would be published for the release. This change addresses these shortcomings with the following changes: 1. Tarballs are produced for the nightly and stable channels, and organized in a sub-directory matching their channel name. 2. Release commits are made to their corresponding channel (stable/nightly). 3. Stable releases are also tagged with 'YYYYmmdd.$day_commits_count.$commit_id'. * Jenkinsfile (SSH_PRIVATE_KEY): Remove variable. (RING_PUBLIC_KEY_FINGERPRINT): Rename to... (JAMI_PUBLIC_KEY_FINGERPRINT): ... this. (GIT_USER_EMAIL, SSH_CRED_ID): New variables. (params.DEPLOY): Fix description. (Checkout channel branch): New stage. (Generate release tarball): Also commit and tag. (Publish release artifacts): New stage to publish conditionally based on the DEPLOY parameter and the selected channel. (Sign & deploy packages): Use the 'sshagent' step to setup SSH access. <--remote-ssh-identity-file>: Remove argument. * scripts/deploy-packages.sh (package_snap): Simplify. Change-Id: I9008ecc2a4ef9820dbc96e26c966ae72110d897d

Jenkinsfile: Publish release artifacts for release branches.
d0e3d621 · Maxim Cournoyer · Maxim Cournoyer · 37be4c3b · d0e3d621 · d0e3d621
Unverified Commit d0e3d621 authored 3 years ago by Maxim Cournoyer Committed by Maxim Cournoyer 3 years ago
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -26,14 +26,22 @@
 // 2. ws-cleanup plugin
 // 3. ansicolor plugin

+// TODO:
+// - GPG-sign release tarballs.
+// - GPG-sign release commits.
+// - Allow publishing from any node, to avoid relying on a single machine.
+
 // Configuration globals.
 def SUBMODULES = ['daemon', 'lrc', 'client-gnome', 'client-qt']
 def TARGETS = [:]
-def SSH_PRIVATE_KEY = '/var/lib/jenkins/.ssh/gplpriv'
 def REMOTE_HOST = env.SSH_HOST_DL_RING_CX
 def REMOTE_BASE_DIR = '/srv/repository/ring'
-def RING_PUBLIC_KEY_FINGERPRINT = 'A295D773307D25A33AE72F2F64CD5FA175348F84'
+def JAMI_PUBLIC_KEY_FINGERPRINT = 'A295D773307D25A33AE72F2F64CD5FA175348F84'
 def SNAPCRAFT_KEY = '/var/lib/jenkins/.snap/key'
+def GIT_USER_EMAIL = 'jenkins@jami.net'
+def GIT_USER_NAME = 'jenkins'
+def GIT_PUSH_URL = 'ssh://jenkins@review.jami.net:29420/jami-project'
+def SSH_CRED_ID = '35cefd32-dd99-41b0-8312-0b386df306ff'

 pipeline {
    agent {
@@ -72,7 +80,10 @@ pipeline {
                     description: 'Whether to build ARM packages.')
        booleanParam(name: 'DEPLOY',
                     defaultValue: false,
-                     description: 'Whether and where to deploy packages.')
+                     description: 'Whether to deploy packages.')
+        booleanParam(name: 'PUBLISH',
+                     defaultValue: false,
+                     description: 'Whether to upload tarball and push to git.')
        choice(name: 'CHANNEL',
               choices: 'internal\nnightly\nstable',
               description: 'The repository channel to deploy to. ' +
@@ -107,6 +118,28 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client
            }
        }

+        stage('Configure Git') {
+            steps {
+                sh """git config user.name ${GIT_USER_NAME}
+                      git config user.email ${GIT_USER_EMAIL}
+                      git remote set-url origin ${GIT_PUSH_URL}
+                   """
+            }
+        }
+
+        stage('Checkout channel branch') {
+            when {
+                expression {
+                    params.CHANNEL != 'internal'
+                }
+            }
+
+            steps {
+                sh "git checkout ${params.CHANNEL} " +
+                    '&& git merge --no-commit FETCH_HEAD'
+            }
+        }
+
        stage('Fetch submodules') {
            steps {
                echo 'Initializing submodules ' + SUBMODULES.join(', ') +
@@ -119,14 +152,47 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client

        stage('Generate release tarball') {
            steps {
-                sh '''#!/usr/bin/env -S bash -l
-                   make portable-release-tarball .tarball-version
-                   '''
+                sh """#!/usr/bin/env -S bash -l
+                      git commit -am "New release."
+                      make portable-release-tarball .tarball-version
+                      git tag \$(cat .tarball-version)
+                   """
                stash(includes: '*.tar.gz, .tarball-version',
                      name: 'release-tarball')
            }
        }

+        stage('Publish release artifacts') {
+            when {
+                expression {
+                    params.PUBLISH && params.CHANNEL != 'internal'
+                }
+            }
+
+            environment {
+                GIT_SSH_COMMAND = 'ssh -o UserKnownHostsFile=/dev/null ' +
+                    '-o StrictHostKeyChecking=no'
+            }
+
+            steps {
+                sshagent(credentials: [SSH_CRED_ID]) {
+                    echo "Publishing to git repository..."
+                    // Note: Only stable release tags are published.
+                    script {
+                        if (params.CHANNEL == 'stable') {
+                            sh 'git push --tags'
+                        } else {
+                            sh 'git push'
+                        }
+                    }
+                    echo "Publishing release tarball to https://dl.jami.net..."
+                    sh 'rsync --verbose jami*.tar.gz ' +
+                        "${REMOTE_HOST}:${REMOTE_BASE_DIR}/release/tarballs/" +
+                        "${params.CHANNEL}/"
+                }
+            }
+        }
+
        stage('Build packages') {
            environment {
                DISABLE_CONTRIB_DOWNLOADS = 'TRUE'
@@ -185,32 +251,33 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client
            }

            steps {
-                script {
-                    TARGETS.each { target ->
-                        try {
-                            unstash target
-                        } catch (err) {
-                            echo "Failed to unstash ${target}, skipping..."
-                            return
+                sshagent(credentials: [SSH_CRED_ID]) {
+                    script {
+                        TARGETS.each { target ->
+                            try {
+                                unstash target
+                            } catch (err) {
+                                echo "Failed to unstash ${target}, skipping..."
+                                return
+                            }
                        }
-                    }

-                    def distributionsText = sh(
-                        script: 'find packages/* -maxdepth 1 -type d -print0 ' +
-                            '| xargs -0 -n1 basename -z',
-                        returnStdout: true).trim()
-                    def distributions = distributionsText.split("\0")
+                        def distributionsText = sh(
+                            script: 'find packages/* -maxdepth 1 -type d -print0 ' +
+                                '| xargs -0 -n1 basename -z',
+                            returnStdout: true).trim()
+                        def distributions = distributionsText.split("\0")

-                    distributions.each { distribution ->
-                        echo "Deploying ${distribution} packages..."
-                        sh """scripts/deploy-packages.sh \
+                        distributions.each { distribution ->
+                            echo "Deploying ${distribution} packages..."
+                            sh """scripts/deploy-packages.sh \
  --distribution=${distribution} \
-  --keyid="${RING_PUBLIC_KEY_FINGERPRINT}" \
+  --keyid="${JAMI_PUBLIC_KEY_FINGERPRINT}" \
  --snapcraft-login="${SNAPCRAFT_KEY}" \
-  --remote-ssh-identity-file="${SSH_PRIVATE_KEY}" \
  --remote-repository-location="${REMOTE_HOST}:${REMOTE_BASE_DIR}/${params.CHANNEL}" \
  --remote-manual-download-location="${REMOTE_HOST}:${REMOTE_BASE_DIR}/manual-${params.CHANNEL}"
 """
+                        }
                    }
                }
            }

--- a/scripts/deploy-packages.sh
+++ b/scripts/deploy-packages.sh
@@ -225,14 +225,14 @@ function package_snap()
    echo "## deploying snap ##"
    echo "####################"

-    if [[ "${CHANNEL:0:19}" == "internal_experiment" ]]; then
+    if [[ $CHANNEL =~ internal ]]; then
        DISTRIBUTION_REPOSITORY_FOLDER=$(realpath repositories)/${DISTRIBUTION}
        mkdir -p ${DISTRIBUTION_REPOSITORY_FOLDER}
        cp packages/${DISTRIBUTION}*/*.snap ${DISTRIBUTION_REPOSITORY_FOLDER}/
-    elif [[ "${CHANNEL:0:7}" == "nightly" ]]; then
+    elif [[ $CHANNEL =~ nightly ]]; then
        snapcraft login --with ${SNAPCRAFT_LOGIN}
        snapcraft push packages/${DISTRIBUTION}*/*.snap --release edge
-    elif [[ "${CHANNEL:0:6}" == "stable" ]]; then
+    elif [[ $CHANNEL =~ stable ]]; then
        snapcraft login --with ${SNAPCRAFT_LOGIN}
        snapcraft push packages/${DISTRIBUTION}*/*.snap --release stable
    fi