Feat: Use Sigstore Cosign to sign docker images and push signature
[releng/global-jjb.git] / shell / release-job.sh
index 56e37c3..57e4038 100644 (file)
@@ -365,11 +365,12 @@ tag-git-repo(){
             fi
             git config user.name "$RELEASE_USERNAME"
             git config user.email "$RELEASE_EMAIL"
+            echo "INFO: push tag: $GIT_TAG"
+            git push origin "$GIT_TAG"
             # Check if sentinal file exists
-            if [[ ! -f .testhash ]]; then
-                git push origin "${GERRIT_BRANCH}" "$GIT_TAG"
-            else
-                git push origin "$GIT_TAG"
+            if [[ -f .testhash ]]; then
+                echo "INFO: push code bundle"
+                git push origin "HEAD:${GERRIT_REFSPEC}"
             fi
         fi
     fi
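Review bot: The tag is now pushed on its own before the code bundle, so if `git push origin "HEAD:${GERRIT_REFSPEC}"` fails the release tag already exists remotely while the commit it points at never reached the branch, and neither push's exit status is checked in the hunk (whether `set -e` is active is outside it). When the sentinel exists, push both refs in one atomic command, `git push --atomic origin "$GIT_TAG" "HEAD:${GERRIT_REFSPEC}"`, and push just the tag otherwise; also guard the refspec with `: "${GERRIT_REFSPEC:?}"` so an unset variable cannot degrade the push to `HEAD:`. tag-git-repo starts and ends outside the hunk.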
@@ -404,6 +405,7 @@ artifact_release_file(){
             wget "${path}"/"${name}" -o artifacts/"${name}"
             if [[ "$JOB_NAME" =~ "merge" ]] && [[ "$DRY_RUN" = false ]]; then
                 #lftools sign sigul artifacts
+                # shellcheck disable=SC2261
                 curl -v -u <NEXUSUSER>:<NEXUSPASS> --upload-file \
                     "${NEXUS_URL}"/content/repositories/releases/org/"${ORG}"/"${VERSION}"/"${name}" \;
             fi
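Review bot: The added `# shellcheck disable=SC2261` silences the warning rather than the defect it reports: `-u <NEXUSUSER>:<NEXUSPASS>` is parsed by the shell as input/output redirections to files named `NEXUSUSER`, `:` and `NEXUSPASS`, so this `curl` cannot upload anything as written, and it sits in the live (`merge`, non-dry-run) path. If the upload is meant to run, supply real credentials without placing them on the command line — e.g. `curl -v --netrc-file "$NETRC_FILE" --upload-file artifacts/"${name}" "${NEXUS_URL}/content/repositories/releases/org/${ORG}/${VERSION}/${name}"` — since `-u user:pass` is visible in `ps` and in `set -x` traces; if it is still a placeholder, comment it out like the `lftools sign` line above it instead of suppressing the lint. Note also that `wget ... -o artifacts/"${name}"` writes wget's log to that path (`-O` saves the download), so the file handed to the upload may not be the artifact. artifact_release_file starts and ends outside the hunk.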
@@ -441,8 +443,16 @@ container_release_file(){
             echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             if [[ "$JOB_NAME" =~ "merge" ]]; then
+                curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+                sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+                sudo chmod +x /usr/local/bin/cosign
+                export COSIGN_PASSWORD
                 docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
                 docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
+                image_sha=$(docker images --no-trunc --quiet \
+                        "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
+                image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
+                cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
             fi
             echo "#########################"
         fi
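Review bot: The cosign binary that signs the release images is itself fetched unpinned (`releases/latest/download`) via `curl -O -L` with no checksum or signature check, then installed with `sudo` into `/usr/local/bin` on every merge run, so the signing tool — the root of trust for these signatures — can be swapped by whoever controls the download path or a compromised release. Pin a release tag, verify a recorded SHA-256 before installing, and skip the download when cosign is already present. Separately, `docker images --no-trunc --quiet` returns the local image ID (the config digest), not the manifest digest the registry serves, so `$image_digest` most likely names a reference the registry does not have; resolve the pushed digest from `RepoDigests` after `docker push` instead. If the image may carry digests from more than one registry, filter that list by `$CONTAINER_PUSH_REGISTRY` rather than taking index 0. container_release_file starts and ends outside the hunk.
```shell
if ! command -v cosign >/dev/null; then
    : "${COSIGN_VERSION:?pinned cosign release tag}"
    : "${COSIGN_SHA256:?expected sha256 of cosign-linux-amd64}"
    curl -fsSL -o cosign-linux-amd64 \
        "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
    echo "${COSIGN_SHA256}  cosign-linux-amd64" | sha256sum -c -
    sudo install -m 0755 cosign-linux-amd64 /usr/local/bin/cosign
fi
export COSIGN_PASSWORD
# … unchanged: docker tag / docker push …
image_digest=$(docker inspect --format '{{index .RepoDigests 0}}' \
    "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
```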
@@ -469,7 +479,8 @@ maven_release_file(){
     # forward from the tagging point, then a spur commit is created
     # for the tag
     taghash="$(awk '{print $NF}' "$PATCH_DIR/taglist.log")"
-    if [ "${taghash}" = $(git rev-parse origin/${GERRIT_BRANCH}) ]; then
+    # shellcheck disable=SC2046
+    if [ "${taghash}" = $(git rev-parse "origin/${GERRIT_BRANCH}") ]; then
         git checkout "origin/${GERRIT_BRANCH}"
         # sentinal file
         touch .testhash
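Review bot: The `# shellcheck disable=SC2046` suppresses an unquoted command substitution instead of fixing it: if `git rev-parse "origin/${GERRIT_BRANCH}"` prints nothing (unknown branch, failed fetch) the test collapses to `[ "$taghash" = ]` and `[` errors out instead of evaluating false. Quoting removes both the warning and that failure mode: `if [[ "${taghash}" == "$(git rev-parse "origin/${GERRIT_BRANCH}")" ]]; then`. maven_release_file starts before and ends after the hunk.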
@@ -479,6 +490,8 @@ maven_release_file(){
 
     git fetch "$PATCH_DIR/${PROJECT//\//-}.bundle"
     git merge --ff-only FETCH_HEAD
+    # print last few changes to see how the bundle is applied
+    git log --graph --all --decorate --pretty=oneline -n10
     nexus_release
     tag-git-repo
 }