Chore: Upgrade Jenkins-job-builder to 6.3.0
[releng/global-jjb.git] / shell / release-job.sh
index 3a732e0..e01d3a9 100644 (file)
@@ -97,7 +97,7 @@ set_variables_common(){
 
     TAG_RELEASE="${TAG_RELEASE:-None}"
     if [[ $TAG_RELEASE == "None" ]]; then
-        if grep -q "tag_release" $release_file ; then
+        if grep -q "tag_release" "$release_file"; then
             TAG_RELEASE=$(yq -r .tag_release "$release_file")
         else
             TAG_RELEASE=true
@@ -183,7 +183,7 @@ set_variables_packagecloud(){
         VERSION=$(yq -r ".version" "$release_file")
     fi
     if [[ -z ${GIT_TAG:-} ]]; then
-        if grep -q "git_tag" $release_file ; then
+        if grep -q "git_tag" "$release_file"; then
             GIT_TAG=$(yq -r ".git_tag" "$release_file")
         else
             GIT_TAG="$VERSION"
@@ -280,7 +280,10 @@ verify_version(){
     OVERRIDE_SEMVER_REGEX="${OVERRIDE_SEMVER_REGEX:-None}"
     if [[ $OVERRIDE_SEMVER_REGEX == "None" ]]; then
         # Use the semver regex taken from https://github.com/fsaintjacques/semver-tool
-        semver_regex="^[vV]?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(\-(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*)(\.(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*))*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$"
+        pat1="(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)"
+        pat2="(0|[1-9][0-9]*|[0-9]*[A-Za-z-][0-9A-Za-z-]*)"
+        pat3="(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)"
+        semver_regex="^[vV]?${pat1}(\-${pat2}(\.${pat2})*)?${pat3}?$"
     else
         semver_regex="${OVERRIDE_SEMVER_REGEX}"
     fi
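Review bot: The new `pat1`, `pat2` and `pat3` assignments inside verify_version() are not declared `local`, so three pure intermediates now leak into the script's global namespace once the function returns (`semver_regex` was already global, but these names exist only to build it). Add `local pat1 pat2 pat3` at the top of the `if` branch, or fold them into a `local -r` declaration each, so the split stays an implementation detail of the function. The function's opening line is outside the hunk.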
@@ -362,7 +365,13 @@ tag-git-repo(){
             fi
             git config user.name "$RELEASE_USERNAME"
             git config user.email "$RELEASE_EMAIL"
+            echo "INFO: push tag: $GIT_TAG"
             git push origin "$GIT_TAG"
+            # Check if sentinal file exists
+            if [[ -f .testhash ]]; then
+                echo "INFO: push code bundle"
+                git push origin "HEAD:${GERRIT_REFSPEC}"
+            fi
         fi
     fi
 }
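Review bot: The added `git push origin "HEAD:${GERRIT_REFSPEC}"` is gated only on a file named `.testhash` existing in the current directory; that file is created by `touch .testhash` in the maven_release_file() hunk and is never removed, so a stale sentinel left in a reused workspace, or a file of that name tracked in the project itself, would be enough to trigger a code push on a later run. Prefer a shell variable set in maven_release_file() and read here, or at minimum `rm -f .testhash` immediately after the push, and assert the refspec before using it, `: "${GERRIT_REFSPEC:?GERRIT_REFSPEC is unset}"`, so an empty value cannot turn the destination into `HEAD:`. The added comment's `sentinal` should read `sentinel`. The enclosing `if` blocks of tag-git-repo() begin outside the hunk.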
@@ -376,8 +385,8 @@ artifact_release_file(){
     mkdir artifacts
     ORG=$(echo "$NEXUS_URL" | awk -F'.' '{print $2}')
 
-    for namequoted in $(yq '.artifacts[].name' $release_file); do
-        pathquoted=$(yq ".artifacts[] |select(.name==$namequoted) |.path" $release_file)
+    for namequoted in $(yq '.artifacts[].name' "$release_file"); do
+        pathquoted=$(yq ".artifacts[] |select(.name==$namequoted) |.path" "$release_file")
 
         #Remove extra yaml quotes
         name="${namequoted#\"}"
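Review bot: On the rewritten `pathquoted=` line, `$namequoted` — a value read straight from the release file — is still spliced into the yq program text, so a name containing `)`, `|` or a quote rewrites the filter instead of being compared; quoting `$release_file` fixes the filename but not this. If this `yq` is the jq wrapper (the `-r` usage elsewhere suggests so), pass the name as data rather than code: emit raw names with `yq -r '.artifacts[].name'` and then `yq -r --arg n "$name" '.artifacts[] | select(.name==$n) | .path' "$release_file"`, which also removes the need for the manual quote stripping below. The unquoted `$(yq …)` in the `for` header still word-splits names containing whitespace; use `mapfile -t` over the yq output if that matters. The same pattern recurs in the container_release_file() hunk on `versionquoted=`.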
@@ -396,7 +405,9 @@ artifact_release_file(){
             wget "${path}"/"${name}" -o artifacts/"${name}"
             if [[ "$JOB_NAME" =~ "merge" ]] && [[ "$DRY_RUN" = false ]]; then
                 #lftools sign sigul artifacts
-                curl -v -u <NEXUSUSER>:<NEXUSPASS> --upload-file "${NEXUS_URL}"/content/repositories/releases/org/"${ORG}"/"${VERSION}"/"${name}" \;
+                # shellcheck disable=SC2261
+                curl -v -u <NEXUSUSER>:<NEXUSPASS> --upload-file \
+                    "${NEXUS_URL}"/content/repositories/releases/org/"${ORG}"/"${VERSION}"/"${name}" \;
             fi
             echo "#########################"
         fi
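Review bot: The added `# shellcheck disable=SC2261` suppresses a warning that is pointing at real breakage: to the shell, `<NEXUSUSER>:<NEXUSPASS>` is not a placeholder but four redirections (stdin from files `NEXUSUSER` and `NEXUSPASS`, stdout to a file named `:` and then to a file named `--upload-file`), so as far as I read the tokenization curl is actually invoked as `curl -v -u <url> ;`, with the URL consumed as the `-u` credential and the literal `;` from `\;` as the target. Fix the line rather than silence it: take credentials from a netrc file (`curl --netrc-file "$NETRC_PATH"`, placeholder path) or a variable, give `--upload-file` the local artifact (`artifacts/"${name}"`) followed by the destination URL, and drop the trailing `\;`. Note too that `-v` echoes request headers, so once `-u` works the `Authorization: Basic …` header would land in the job console; use `-sS -f` instead. The wrapping `if` and the function both extend outside the hunk.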
@@ -409,8 +420,8 @@ container_release_file(){
     local lfn_umbrella
     lfn_umbrella="$(echo "$GERRIT_URL" | awk -F"." '{print $2}')"
 
-    for namequoted in $(yq '.containers[].name' $release_file); do
-        versionquoted=$(yq ".containers[] |select(.name==$namequoted) |.version" $release_file)
+    for namequoted in $(yq '.containers[].name' "$release_file"); do
+        versionquoted=$(yq ".containers[] |select(.name==$namequoted) |.version" "$release_file")
 
         #Remove extra yaml quotes
         name="${namequoted#\"}"
@@ -432,8 +443,16 @@ container_release_file(){
             echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION"
             if [[ "$JOB_NAME" =~ "merge" ]]; then
+                curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
+                sudo mv cosign-linux-amd64 /usr/local/bin/cosign
+                sudo chmod +x /usr/local/bin/cosign
+                export COSIGN_PASSWORD
                 docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
                 docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"
+                image_sha=$(docker images --no-trunc --quiet \
+                        "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION")
+                image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha"
+                cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest"
             fi
             echo "#########################"
         fi
@@ -454,9 +473,25 @@ maven_release_file(){
         gunzip taglist.log.gz
         cat "$PATCH_DIR"/taglist.log
     popd
-    git checkout "$(awk '{print $NF}' "$PATCH_DIR/taglist.log")"
+
+    # compare if the commit sha1 from taglist is the same origin/${GERRIT_BRANCH}
+    # ensure that the tag lands on the target branch
+    # forward from the tagging point, then a spur commit is created
+    # for the tag
+    taghash="$(awk '{print $NF}' "$PATCH_DIR/taglist.log")"
+    # shellcheck disable=SC2046
+    if [ "${taghash}" = $(git rev-parse "origin/${GERRIT_BRANCH}") ]; then
+        git checkout "origin/${GERRIT_BRANCH}"
+        # sentinal file
+        touch .testhash
+    else
+        git checkout "${taghash}"
+    fi
+
     git fetch "$PATCH_DIR/${PROJECT//\//-}.bundle"
     git merge --ff-only FETCH_HEAD
+    # print last few changes to see how the bundle is applied
+    git log --graph --all --decorate --pretty=oneline -n10
     nexus_release
     tag-git-repo
 }
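Review bot: The `# shellcheck disable=SC2046` on the new comparison hides a warning that is cheaper to fix than to suppress: quote the substitution, `if [[ "${taghash}" == "$(git rev-parse "origin/${GERRIT_BRANCH}")" ]]; then`, which also keeps the test well-formed when `git rev-parse` prints nothing. Because the call sits inside the `if`, a failing `git rev-parse` (branch not fetched, variable empty) is not caught by `set -e` and silently takes the else branch and checks out `$taghash`; capture the branch hash into a variable first and fail explicitly if it is empty. `awk '{print $NF}'` prints one field per line of taglist.log, so a multi-line log would give a multi-line `taghash` — hedged, since the log's format is not visible here. maven_release_file() opens outside the hunk.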
@@ -622,7 +657,7 @@ case $DISTRIBUTION_TYPE in
         fi
         set_variables_packagecloud
         verify_packagecloud_match_release
-        for name in $(yq -r '.packages[].name' $release_file); do
+        for name in $(yq -r '.packages[].name' "$release_file"); do
             package=$name
             packagecloud_verify "$package" "$packagecloud_account"
             if [[ "$JOB_NAME" =~ "merge" ]] && ! $DRY_RUN; then