1 .. _lf-global-jjb-release:
3 Self-Serve Release Jobs
4 =======================
6 Self-serve release jobs allow project committers to promote a jar
7 file, container image, Python package or PackageCloud artifact from a
8 staging area to a release area. A release yaml file controls the
9 process, and Jenkins promotes the artifact when a project committer
10 merges the release yaml file in Gerrit.
12 To use the self-release process, create a releases/ or .releases/
13 directory at the root of the project repository, add one release yaml
14 file to it, and submit a change set with that release yaml file. The
15 required contents of the release yaml file are different for each type
16 of release, see the schemas and examples shown below. The version
17 string in the release yaml file should be a valid Semantic Versioning
18 (SemVer) string, matching the pattern "#.#.#" where "#" is one or more
19 digits. A version string matching the pattern "v#.#.#" is also
20 accepted. Upon merge of the change, a Jenkins job promotes the
21 artifact and pushes a gpg-signed tag to the repository.
25 The release file regex is: (releases\/.*\.yaml|\.releases\/.*\.yaml).
26 In words, the directory name can be ".releases" or "releases"; the file
27 name can be anything with suffix ".yaml". Some release jobs require
28 a specific prefix on the file, as described below.
30 The build node for all release jobs must be CentOS, which supports the
31 sigul client for accessing a signing server to sign a tag. The build
32 node for container release jobs must have Docker installed.
34 A Jenkins admin user can also trigger a release job via the "Build
35 with parameters" action, removing the need to create and merge a
36 release yaml file. The user must enter parameters in the same way as
37 a release yaml file, except for the special USE_RELEASE_FILE and
38 DRY_RUN check boxes. The user must uncheck the USE_RELEASE_FILE check
39 box if the job should run without a release file, instead passing the
40 required information as build parameters. The user can check the
41 DRY_RUN check box to test the job while skipping upload of files to
42 the release repository.
44 For example, the parameters for a Maven release are as follows::
46 GERRIT_BRANCH = master
48 LOG_DIR = example-project-maven-stage-master/17/
49 DISTRIBUTION_TYPE = maven
50 USE_RELEASE_FILE = false
56 An example of a maven release file appears below.
60 $ cat releases/maven-release.yaml
62 distribution_type: maven
63 log_dir: example-project-maven-stage-master/17/
64 project: example-project
68 The following parameters must appear in a maven release yaml file.
72 :distribution_type: Must be "maven".
73 :log_dir: The suffix of the logs URL reported on completion by the
74 Jenkins stage job that created and pushed the artifact
75 to the staging repository. For example, use value
76 "example-project-maven-stage-master/17" for the logs URL
77 https://logs.lf-project.org/production/vex-sjc-lfp-jenkins-prod-1/example-project-maven-stage-master/17
78 :project: The name of the project.
79 :version: The semantic version string used for the artifact.
83 :git_tag: The tag string to sign and push to the Git repository.
84 (default: the semantic version string)
86 The JSON schema for a maven release file appears below.
88 .. literalinclude:: ../../schema/release-schema.yaml
92 Container Release Files
93 -----------------------
95 An example of a container release file appears below.
99 $ cat releases/container-release.yaml
101 distribution_type: container
102 container_release_tag: 1.0.0
103 container_pull_registry: nexus.onap.org:10003
104 container_push_registry: nexus.onap.org:10002
106 ref: d1b9cd2dd345fbeec0d3e2162e008358b8b663b2
109 version: 1.0.0-20190806T184921Z
110 - name: test-frontend
111 version: 1.0.0-20190806T184921Z
114 The following parameters must appear in a container release yaml file.
116 :Required Parameters:
118 :distribution_type: Must be "container".
119 :container_release_tag: The string to use as a Docker tag on all
121 :container_pull_registry: The Nexus registry that supplies the staged
123 :container_push_registry: The Nexus registry that receives the released
125 :project: The name of the project.
126 :ref: The git commit reference (SHA-1 code) to tag with the version string.
127 :containers: A list of name and version (tag) pairs that specify the
128 Docker images in the container-pull registry to promote to the
129 container-push registry.
131 :Optional Parameters:
133 :git_tag: The tag string to sign and push to the Git repository.
134 (default: the semantic version string)
136 The JSON schema for a container release file appears below.
138 .. literalinclude:: ../../schema/release-container-schema.yaml
145 An example of a PyPI release file appears below. Name of the release file must
146 start with "pypi". For example releases/pypi-1.0.0-mypackage.yaml
150 $ cat releases/pypi-1.0.0-mypackage.yaml
152 pypi_project: mypackage
153 python_version: '3.4'
155 log_dir: example-project-pypi-merge-master/17
158 The following parameters must appear in the PyPI release yaml file.
159 These are not part of the Jenkins job definition to allow independent
160 self-release of a package maintained in a git repository with other
163 :Required Parameters:
165 :log_dir: The suffix of the logs URL reported on completion by the
166 Jenkins merge job that created and pushed the distribution files
167 to the staging repository. For example, use value
168 "example-project-pypi-merge-master/17" for the logs URL
169 https://logs.lf-project.org/production/vex-sjc-lfp-jenkins-prod-1/example-project-pypi-merge-master/17
170 :pypi_project: The PyPI project name at the staging and
171 release repositories, for example "mypackage".
172 :python_version: The Python interpreter version to use for pip
173 "Requires-Python" compatibility checks, for example '3', '3.7' or 3.7.4.
174 Put valid decimal values such as 3 or 3.7 in quotes to pass schema validation.
175 :version: The semantic version string used for the package in the
178 :Optional Parameters:
180 :git_tag: The tag string to sign and push to the Git repository.
181 (default: the semantic version string)
183 The JSON schema for a PyPI release file appears below.
185 .. literalinclude:: ../../schema/release-pypi-schema.yaml
189 PackageCloud Release Files
190 --------------------------
192 An example of a PackageCloud release file appears below. Name of release file
193 must start with "packagecloud". For example releases/packagecloud-1.6-tree.yaml
197 $ cat releases/packagecloud-1.6-tree.yaml
199 package_name: tree-1.6.0
201 - name: tree-1.6.0-10.el7.x86_64.rpm
203 ref: 5555cd2dd345fbeec0d3e2162e00835852342cda
204 log_dir: example-project-packagecloud-merge/21
207 The following parameters must appear in the PackageCloud release yaml file.
208 These are not part of the Jenkins job definition to allow independent
209 self-release of a package maintained in a git repository with other
212 :Required Parameters:
214 :package_name: Name of the release package.
215 :packages: A list of names that specify the packages to promote.
216 Found in jenkins console log when using gem to push package eg.
217 "Pushing /path/of/package/name-of-package.rpm... success!"
218 OR using rest api call to query packagecloud.io repo
219 "curl https://packagecloud.io/api/v1/repos/test_user/test_repo/search?q=
220 | yq -r .[].filename"
221 :ref: The git commit reference (SHA-1 code) to tag with the version string.
222 :log_dir: The suffix of the logs URL reported on completion by the
223 Jenkins merge job that created and pushed the distribution files
224 to the staging repository. For example, use value
225 "example-project-packagecloud-merge-/21" for the logs URL
226 https://logs.lf-project.org/production/vex-sjc-lfp-jenkins-prod-1/example-project-packagecloud-merge/21
227 :version: The semantic version string used for the package.
229 :Optional Parameters:
231 :git_tag: The tag string to sign and push to the Git repository.
232 (default: the semantic version string)
234 The JSON schema for a PackageCloud release file appears below.
236 .. literalinclude:: ../../schema/release-packagecloud-schema.yaml
243 An example of a Jenkins job configuration that uses the global-jjb
244 templates for maven and container release jobs appears next.
249 name: my-project-release
251 project-name: my-project
252 build-node: centos7-docker-4c-4g
253 mvn-settings: my-project-settings
255 - '{project-name}-gerrit-release-jobs'
260 Release Engineers: please follow the setup guide below before adding the job definition.
269 Release verify and merge jobs are the same except for their scm,
270 trigger, and builders definition. This anchor is the common template.
278 This template supports Maven and Container release jobs.
280 :Template Name: {project-name}-release-merge
282 :Comment Trigger: remerge
284 :Required parameters:
286 :build-node: The node to run build on.
287 :jenkins-ssh-release-credential: Credential to use for SSH. (Generally set
289 :project: Git repository name
290 :project-name: Jenkins job name prefix
292 :Optional parameters:
294 :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
295 :build-timeout: Timeout in minutes before aborting build. (default: 15)
297 :gerrit_merge_triggers: Override Gerrit Triggers.
298 :gerrit_trigger_file_paths: Override file paths filter which checks which
299 file modifications will trigger a build.
302 - compare-type: REG_EXP
303 pattern: '(releases\/.*\.yaml|\.releases\/.*\.yaml)'
309 This template supports Maven and Container release jobs.
311 :Template Name: {project-name}-release-verify
313 :Comment Trigger: recheck|reverify
315 :Required Parameters:
317 :build-node: The node to run build on.
318 :jenkins-ssh-credential: Credential to use for SSH. (Generally set
320 :project: Git repository name
321 :project-name: Jenkins job name prefix
323 :Optional Parameters:
325 :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
326 :build-node: The node to run build on.
327 :build-timeout: Timeout in minutes before aborting build. (default: 15)
328 :gerrit-skip-vote: Skip voting for this job. (default: false)
329 :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
331 :gerrit_verify_triggers: Override Gerrit Triggers.
332 :gerrit_trigger_file_paths: Override file paths filter which checks which
333 file modifications will trigger a build.
336 - compare-type: REG_EXP
337 pattern: '(releases\/.*\.yaml|\.releases\/.*\.yaml)'
343 Publishes a Python package on merge of a patch set with a release yaml
344 file. Checks the format of the version string, downloads the package
345 artifacts from the PyPI staging repository, uploads the package
346 artifacts to the PyPI release repository, tags the git repository,
347 signs the tag and pushes the tag to the git server. The release merge
348 template accepts neither a branch nor a stream parameter.
352 - {project-name}-pypi-release-merge
353 - gerrit-pypi-release-merge
354 - github-pypi-release-merge
356 :Comment Trigger: remerge
358 :Required Parameters:
360 :build-node: The node to run build on, which must be Centos.
361 :jenkins-ssh-release-credential: Credential to use for SSH. (Generally set
363 :project: Git repository name
364 :project-name: Jenkins job name prefix
366 :Optional Parameters:
368 :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
369 :build-timeout: Timeout in minutes before aborting build. (default: 15)
370 :disable-job: Whether to disable the job (default: false)
371 :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
372 :pypi-stage-index: Base URL of the PyPI staging repository.
373 (default https://test.pypi.org/simple)
374 :pypi-repo: Key for the PyPI release repository in the .pypirc file,
375 should be the repository pypy.org. (default: pypi)
376 :use-release-file: Whether to use the release file. (default: true)
378 :gerrit_trigger_file_paths: Override file paths filter which checks which
379 file modifications will trigger a build.
382 - compare-type: REG_EXP
383 pattern: '(releases\/pypi.*\.yaml|\.releases\/pypi.*\.yaml)'
388 Verifies a Python package project on creation of a patch set with a
389 release yaml file. Checks the contents of the release yaml file,
390 checks the format of the version string, and downloads the release
391 artifacts from the specified PyPI staging repository. The release
392 verify template accepts neither a branch nor a stream parameter.
396 - {project-name}-pypi-release-verify
397 - gerrit-pypi-release-verify
398 - github-pypi-release-verify
400 :Comment Trigger: recheck
402 :Required Parameters:
404 :build-node: The node to run build on, which must be Centos.
405 :jenkins-ssh-credential: Credential to use for SSH. (Generally set
407 :project: Git repository name
408 :project-name: Jenkins job name prefix
410 :Optional Parameters:
412 :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
413 :build-timeout: Timeout in minutes before aborting build. (default: 15)
414 :disable-job: Whether to disable the job (default: false)
415 :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
416 :pypi-stage-index: Base URL of the PyPI staging repository.
417 (default https://test.pypi.org/simple)
418 :pypi-repo: Key for the PyPI release repository in the .pypirc file,
419 should be the repository pypy.org (default: pypi)
420 :use-release-file: Whether to use the release file. (default: true)
422 :gerrit_trigger_file_paths: Override file paths filter which checks which
423 file modifications will trigger a build.
426 - compare-type: REG_EXP
427 pattern: '(releases\/pypi.*\.yaml|\.releases\/pypi.*\.yaml)'
429 PackageCloud Release Verify
430 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
432 This template supports PackageCloud release jobs.
434 :Template Name: {project-name}-packagecloud-release-verify
436 :Comment Trigger: recheck|reverify
438 :Required Parameters:
440 :build-node: The node to run build on.
441 :jenkins-ssh-credential: Credential to use for SSH. (Generally set
443 :project: Git repository name
444 :project-name: Jenkins job name prefix
446 :Optional Parameters:
448 :build-days-to-keep: Days to keep build logs in Jenkins. (default: 7)
449 :build-node: The node to run build on.
450 :build-timeout: Timeout in minutes before aborting build. (default: 15)
451 :gerrit-skip-vote: Skip voting for this job. (default: false)
452 :git-url: URL clone project from. (default: $GIT_URL/$PROJECT)
454 :gerrit_verify_triggers: Override Gerrit Triggers.
455 :gerrit_trigger_file_paths: Override file paths filter which checks which
456 file modifications will trigger a build.
459 - compare-type: REG_EXP
460 pattern: '(releases\/packagecloud.*\.yaml|\.releases\/packagecloud.*\.yaml)'
463 PackageCloud Release Merge
464 ~~~~~~~~~~~~~~~~~~~~~~~~~~
466 This template supports PackageCloud release jobs.
468 :template name: {project-name}-packagecloud-release-merge
470 :comment trigger: remerge
472 :required parameters:
474 :build-node: the node to run build on.
475 :jenkins-ssh-release-credential: credential to use for ssh. (generally set
477 :project: git repository name
478 :project-name: jenkins job name prefix
480 :optional parameters:
482 :build-days-to-keep: days to keep build logs in jenkins. (default: 7)
483 :build-timeout: timeout in minutes before aborting build. (default: 15)
485 :gerrit_merge_triggers: override gerrit triggers.
486 :gerrit_trigger_file_paths: override file paths filter which checks which
487 file modifications will trigger a build.
490 - compare-type: reg_exp
491 pattern: '(releases\/packagecloud.*\.yaml|\.releases\/packagecloud.*\.yaml)'
494 Setup for LFID, Nexus, Jenkins and Gerrit
495 -----------------------------------------
497 This section is for the Linux Foundation release engineering team.
502 Create an ``lfid`` and an ``ssh-key``
504 ``YOUR_RELEASE_USERNAME`` for example: onap-release
506 ``YOUR_RELEASE_EMAIL`` for example: collab-it+onap-release@linuxfoundation.org
512 ssh-keygen -t rsa -C "collab-it+odl-release@linuxfoundation.org" -f /tmp/odl-release
515 `Create an LFID with the above values <https://identity.linuxfoundation.org>`_
521 Create a Nexus account called ``'jenkins-release'`` with promote privileges.
523 .. image:: ../_static/nexus-promote-privs.png
528 Log into your Gerrit with ``YOUR_RELEASE_USERNAME``, upload the public
529 part of the ``ssh-key`` you created earlier. Log out of Gerrit and log
530 in again with your normal account for the next steps.
533 In Gerrit create a new group called ``self-serve-release`` and give it
534 direct push rights via ``All-Projects`` Add ``YOUR_RELEASE_USERNAME``
535 to group ``self-serve-release`` and group ``Non-Interactive Users``
538 In All project, grant group self-serve-release the following:
542 [access "refs/heads/*"]
543 push = group self-serve-release
544 [access "refs/tags/*"]
545 createTag = group self-serve-release
546 createSignedTag = group self-serve-release
547 forgeCommitter = group self-serve-release
548 push = group self-serve-release
554 Add a global credential to Jenkins called ``jenkins-release`` and set
555 the ID: ``'jenkins-release'`` as its value insert the private half of
556 the ``ssh-key`` that you created for your Gerrit user.
558 Add Global variables in Jenkins:
559 Jenkins configure -> Global properties -> Environment variables::
561 RELEASE_USERNAME = YOUR_RELEASE_USERNAME
562 RELEASE_EMAIL = YOUR_RELEASE_EMAIL
567 Add these variables to your global-vars-$SILO.sh file or they will
570 Jenkins configure -> Managed Files -> Add a New Config -> Custom File
575 Name: SIGNING_PUBKEY (optional)
576 Comment: SIGNING_PUBKEY (optional)
578 Content: (Ask Andy for the public signing key)
579 -----BEGIN PGP PUBLIC KEY BLOCK-----
582 Add or edit the managed file in Jenkins called ``lftoolsini``,
583 appending a nexus section: Jenkins Settings -> Managed files -> Add
584 (or edit) -> Custom file
589 username=jenkins-release
590 password=<plaintext password>
595 Upgrade your project's global-jjb if needed, then add the following to
596 your global defaults file (e.g., jjb/defaults.yaml).
600 jenkins-ssh-release-credential: jenkins-release