From d0e3d62181cc423b823b4431551d0f35b37f67df Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer <maxim.cournoyer@savoirfairelinux.com> Date: Thu, 9 Dec 2021 10:45:51 -0500 Subject: [PATCH] Jenkinsfile: Publish release artifacts for release branches. Previously, the Jenkinsfile did not publish anything except from the repositories: tarballs would not get copied to https://dl.jami.net for the nighty and stable channels, and no commit nor tag would be published for the release. This change addresses these shortcomings with the following changes: 1. Tarballs are produced for the nightly and stable channels, and organized in a sub-directory matching their channel name. 2. Release commits are made to their corresponding channel (stable/nightly). 3. Stable releases are also tagged with 'YYYYmmdd.$day_commits_count.$commit_id'. * Jenkinsfile (SSH_PRIVATE_KEY): Remove variable. (RING_PUBLIC_KEY_FINGERPRINT): Rename to... (JAMI_PUBLIC_KEY_FINGERPRINT): ... this. (GIT_USER_EMAIL, SSH_CRED_ID): New variables. (params.DEPLOY): Fix description. (Checkout channel branch): New stage. (Generate release tarball): Also commit and tag. (Publish release artifacts): New stage to publish conditionally based on the DEPLOY parameter and the selected channel. (Sign & deploy packages): Use the 'sshagent' step to setup SSH access. <--remote-ssh-identity-file>: Remove argument. * scripts/deploy-packages.sh (package_snap): Simplify. Change-Id: I9008ecc2a4ef9820dbc96e26c966ae72110d897d --- Jenkinsfile | 115 +++++++++++++++++++++++++++++-------- scripts/deploy-packages.sh | 6 +- 2 files changed, 94 insertions(+), 27 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 09dc15ee..28cb9744 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -26,14 +26,22 @@ // 2. ws-cleanup plugin // 3. ansicolor plugin +// TODO: +// - GPG-sign release tarballs. +// - GPG-sign release commits. +// - Allow publishing from any node, to avoid relying on a single machine. + // Configuration globals. def SUBMODULES = ['daemon', 'lrc', 'client-gnome', 'client-qt'] def TARGETS = [:] -def SSH_PRIVATE_KEY = '/var/lib/jenkins/.ssh/gplpriv' def REMOTE_HOST = env.SSH_HOST_DL_RING_CX def REMOTE_BASE_DIR = '/srv/repository/ring' -def RING_PUBLIC_KEY_FINGERPRINT = 'A295D773307D25A33AE72F2F64CD5FA175348F84' +def JAMI_PUBLIC_KEY_FINGERPRINT = 'A295D773307D25A33AE72F2F64CD5FA175348F84' def SNAPCRAFT_KEY = '/var/lib/jenkins/.snap/key' +def GIT_USER_EMAIL = 'jenkins@jami.net' +def GIT_USER_NAME = 'jenkins' +def GIT_PUSH_URL = 'ssh://jenkins@review.jami.net:29420/jami-project' +def SSH_CRED_ID = '35cefd32-dd99-41b0-8312-0b386df306ff' pipeline { agent { @@ -72,7 +80,10 @@ pipeline { description: 'Whether to build ARM packages.') booleanParam(name: 'DEPLOY', defaultValue: false, - description: 'Whether and where to deploy packages.') + description: 'Whether to deploy packages.') + booleanParam(name: 'PUBLISH', + defaultValue: false, + description: 'Whether to upload tarball and push to git.') choice(name: 'CHANNEL', choices: 'internal\nnightly\nstable', description: 'The repository channel to deploy to. ' + @@ -107,6 +118,28 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client } } + stage('Configure Git') { + steps { + sh """git config user.name ${GIT_USER_NAME} + git config user.email ${GIT_USER_EMAIL} + git remote set-url origin ${GIT_PUSH_URL} + """ + } + } + + stage('Checkout channel branch') { + when { + expression { + params.CHANNEL != 'internal' + } + } + + steps { + sh "git checkout ${params.CHANNEL} " + + '&& git merge --no-commit FETCH_HEAD' + } + } + stage('Fetch submodules') { steps { echo 'Initializing submodules ' + SUBMODULES.join(', ') + @@ -119,14 +152,47 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client stage('Generate release tarball') { steps { - sh '''#!/usr/bin/env -S bash -l - make portable-release-tarball .tarball-version - ''' + sh """#!/usr/bin/env -S bash -l + git commit -am "New release." + make portable-release-tarball .tarball-version + git tag \$(cat .tarball-version) + """ stash(includes: '*.tar.gz, .tarball-version', name: 'release-tarball') } } + stage('Publish release artifacts') { + when { + expression { + params.PUBLISH && params.CHANNEL != 'internal' + } + } + + environment { + GIT_SSH_COMMAND = 'ssh -o UserKnownHostsFile=/dev/null ' + + '-o StrictHostKeyChecking=no' + } + + steps { + sshagent(credentials: [SSH_CRED_ID]) { + echo "Publishing to git repository..." + // Note: Only stable release tags are published. + script { + if (params.CHANNEL == 'stable') { + sh 'git push --tags' + } else { + sh 'git push' + } + } + echo "Publishing release tarball to https://dl.jami.net..." + sh 'rsync --verbose jami*.tar.gz ' + + "${REMOTE_HOST}:${REMOTE_BASE_DIR}/release/tarballs/" + + "${params.CHANNEL}/" + } + } + } + stage('Build packages') { environment { DISABLE_CONTRIB_DOWNLOADS = 'TRUE' @@ -185,32 +251,33 @@ See https://wiki.savoirfairelinux.com/wiki/Jenkins.jami.net#Configuration_client } steps { - script { - TARGETS.each { target -> - try { - unstash target - } catch (err) { - echo "Failed to unstash ${target}, skipping..." - return + sshagent(credentials: [SSH_CRED_ID]) { + script { + TARGETS.each { target -> + try { + unstash target + } catch (err) { + echo "Failed to unstash ${target}, skipping..." + return + } } - } - def distributionsText = sh( - script: 'find packages/* -maxdepth 1 -type d -print0 ' + - '| xargs -0 -n1 basename -z', - returnStdout: true).trim() - def distributions = distributionsText.split("\0") + def distributionsText = sh( + script: 'find packages/* -maxdepth 1 -type d -print0 ' + + '| xargs -0 -n1 basename -z', + returnStdout: true).trim() + def distributions = distributionsText.split("\0") - distributions.each { distribution -> - echo "Deploying ${distribution} packages..." - sh """scripts/deploy-packages.sh \ + distributions.each { distribution -> + echo "Deploying ${distribution} packages..." + sh """scripts/deploy-packages.sh \ --distribution=${distribution} \ - --keyid="${RING_PUBLIC_KEY_FINGERPRINT}" \ + --keyid="${JAMI_PUBLIC_KEY_FINGERPRINT}" \ --snapcraft-login="${SNAPCRAFT_KEY}" \ - --remote-ssh-identity-file="${SSH_PRIVATE_KEY}" \ --remote-repository-location="${REMOTE_HOST}:${REMOTE_BASE_DIR}/${params.CHANNEL}" \ --remote-manual-download-location="${REMOTE_HOST}:${REMOTE_BASE_DIR}/manual-${params.CHANNEL}" """ + } } } } diff --git a/scripts/deploy-packages.sh b/scripts/deploy-packages.sh index e6046f34..eeb487c1 100755 --- a/scripts/deploy-packages.sh +++ b/scripts/deploy-packages.sh @@ -225,14 +225,14 @@ function package_snap() echo "## deploying snap ##" echo "####################" - if [[ "${CHANNEL:0:19}" == "internal_experiment" ]]; then + if [[ $CHANNEL =~ internal ]]; then DISTRIBUTION_REPOSITORY_FOLDER=$(realpath repositories)/${DISTRIBUTION} mkdir -p ${DISTRIBUTION_REPOSITORY_FOLDER} cp packages/${DISTRIBUTION}*/*.snap ${DISTRIBUTION_REPOSITORY_FOLDER}/ - elif [[ "${CHANNEL:0:7}" == "nightly" ]]; then + elif [[ $CHANNEL =~ nightly ]]; then snapcraft login --with ${SNAPCRAFT_LOGIN} snapcraft push packages/${DISTRIBUTION}*/*.snap --release edge - elif [[ "${CHANNEL:0:6}" == "stable" ]]; then + elif [[ $CHANNEL =~ stable ]]; then snapcraft login --with ${SNAPCRAFT_LOGIN} snapcraft push packages/${DISTRIBUTION}*/*.snap --release stable fi -- GitLab