X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=blobdiff_plain;f=shell%2Frelease-job.sh;h=e01d3a93c89d73c0202cf9025c924f63a846bd72;hb=refs%2Fchanges%2F02%2F72702%2F3;hp=a4194388b0b2fdcab60b45ce18cda6874a568570;hpb=3547fa99c9ef73f2f0dc66328ccd91d381df2466;p=releng%2Fglobal-jjb.git diff --git a/shell/release-job.sh b/shell/release-job.sh index a4194388..e01d3a93 100644 --- a/shell/release-job.sh +++ b/shell/release-job.sh @@ -97,7 +97,7 @@ set_variables_common(){ TAG_RELEASE="${TAG_RELEASE:-None}" if [[ $TAG_RELEASE == "None" ]]; then - if grep -q "tag_release" $release_file ; then + if grep -q "tag_release" "$release_file"; then TAG_RELEASE=$(yq -r .tag_release "$release_file") else TAG_RELEASE=true @@ -183,7 +183,7 @@ set_variables_packagecloud(){ VERSION=$(yq -r ".version" "$release_file") fi if [[ -z ${GIT_TAG:-} ]]; then - if grep -q "git_tag" $release_file ; then + if grep -q "git_tag" "$release_file"; then GIT_TAG=$(yq -r ".git_tag" "$release_file") else GIT_TAG="$VERSION" @@ -365,7 +365,13 @@ tag-git-repo(){ fi git config user.name "$RELEASE_USERNAME" git config user.email "$RELEASE_EMAIL" + echo "INFO: push tag: $GIT_TAG" git push origin "$GIT_TAG" + # Check if sentinal file exists + if [[ -f .testhash ]]; then + echo "INFO: push code bundle" + git push origin "HEAD:${GERRIT_REFSPEC}" + fi fi fi } @@ -379,8 +385,8 @@ artifact_release_file(){ mkdir artifacts ORG=$(echo "$NEXUS_URL" | awk -F'.' '{print $2}') - for namequoted in $(yq '.artifacts[].name' $release_file); do - pathquoted=$(yq ".artifacts[] |select(.name==$namequoted) |.path" $release_file) + for namequoted in $(yq '.artifacts[].name' "$release_file"); do + pathquoted=$(yq ".artifacts[] |select(.name==$namequoted) |.path" "$release_file") #Remove extra yaml quotes name="${namequoted#\"}" 
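Review bot: The extra `git push origin "HEAD:${GERRIT_REFSPEC}"` in tag-git-repo is gated on `[[ -f .testhash ]]`, a file in the repository work tree, so a checkout or bundle that already contains a path named `.testhash`, or a leftover from an earlier run in a reused workspace, would trigger the push as well. The marker is created by the maven_release_file hunk later in this diff; carrying the decision in a shell variable, e.g. `tag_on_branch_tip=true` there and `if [[ "${tag_on_branch_tip:-false}" == true ]]; then` here, makes it independent of repository content. The enclosing `if` blocks start above the hunk, so whether this push is covered by the dry-run guard cannot be confirmed from here and is worth checking. The comment should also read `# Check if sentinel file exists`.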
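Review bot: In artifact_release_file the loop `for namequoted in $(yq '.artifacts[].name' "$release_file")` still word-splits and globs the yq output, so quoting `$release_file` does not help when an artifact name contains whitespace or `*`, and `$namequoted` is then placed into the next yq filter as program text. The same pattern appears in the container_release_file hunk and, with `-r`, in the packagecloud loop of the `case $DISTRIBUTION_TYPE` hunk. Reading the names with `while IFS= read -r namequoted; do … done < <(yq '.artifacts[].name' "$release_file")` would keep each name intact. The loop body continues outside the hunk.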
@@ -399,6 +405,7 @@ artifact_release_file(){ wget "${path}"/"${name}" -o artifacts/"${name}" if [[ "$JOB_NAME" =~ "merge" ]] && [[ "$DRY_RUN" = false ]]; then #lftools sign sigul artifacts + # shellcheck disable=SC2261 curl -v -u : --upload-file \ "${NEXUS_URL}"/content/repositories/releases/org/"${ORG}"/"${VERSION}"/"${name}" \; fi @@ -413,8 +420,8 @@ container_release_file(){ local lfn_umbrella lfn_umbrella="$(echo "$GERRIT_URL" | awk -F"." '{print $2}')" - for namequoted in $(yq '.containers[].name' $release_file); do - versionquoted=$(yq ".containers[] |select(.name==$namequoted) |.version" $release_file) + for namequoted in $(yq '.containers[].name' "$release_file"); do + versionquoted=$(yq ".containers[] |select(.name==$namequoted) |.version" "$release_file") #Remove extra yaml quotes name="${namequoted#\"}" @@ -436,8 +443,16 @@ container_release_file(){ echo "docker tag $container_image_id $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION" echo "docker push $CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name:$VERSION" if [[ "$JOB_NAME" =~ "merge" ]]; then + curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64" + sudo mv cosign-linux-amd64 /usr/local/bin/cosign + sudo chmod +x /usr/local/bin/cosign + export COSIGN_PASSWORD docker tag "$container_image_id" "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION" docker push "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION" + image_sha=$(docker images --no-trunc --quiet \ + "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION") + image_digest="$CONTAINER_PUSH_REGISTRY/$lfn_umbrella/$name@$image_sha" + cosign sign -y --key "$COSIGN_PRIVATE_KEY" "$image_digest" fi echo "#########################" fi 
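Review bot: The added `# shellcheck disable=SC2261` silences a finding on the `curl … --upload-file` command without a comment saying why it does not apply, and the command itself looks incomplete: `--upload-file` is followed directly by the Nexus URL, with no local file such as `artifacts/"${name}"`, and the command ends in a literal `\;`. If that reading is right, the upload step cannot publish the artifact, so the command should be corrected rather than the warning hidden. If the directive stays, put the reason next to it, e.g. `# shellcheck disable=SC2261 # <reason the finding does not apply>`. The context line `wget "${path}"/"${name}" -o artifacts/"${name}"` also deserves a look, since wget's lowercase `-o` names a log file and `-O` names the output document.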
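Review bot: The cosign binary in the merge branch of container_release_file is fetched from `releases/latest` and moved into `/usr/local/bin` with sudo without any integrity check, so the tool that signs release images is whatever that URL returns at build time, and without `--fail` an HTTP error page would be installed as the binary. Pin a release and verify its published SHA-256 before installing, as sketched below with placeholder values; the download also appears to sit inside the per-container loop and could run once before it. Separately, `docker images --no-trunc --quiet` prints the local image ID rather than the registry manifest digest, so `$name@$image_sha` may not name the image that was pushed; `docker inspect --format '{{index .RepoDigests 0}}'` after the push returns the repository digest. The loop and the function begin outside the hunk.

```shell
# Placeholders: set both to the cosign release chosen for this job.
cosign_version="<PINNED_COSIGN_VERSION>"
cosign_sha256="<EXPECTED_SHA256_OF_COSIGN_LINUX_AMD64>"
curl --fail --silent --show-error --location \
    --output cosign-linux-amd64 \
    "https://github.com/sigstore/cosign/releases/download/${cosign_version}/cosign-linux-amd64"
# Refuse to install anything that does not match the expected checksum.
echo "${cosign_sha256}  cosign-linux-amd64" | sha256sum --check --strict
sudo install -m 0755 cosign-linux-amd64 /usr/local/bin/cosign
export COSIGN_PASSWORD
# … unchanged: docker tag / docker push …
```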
@@ -458,9 +473,25 @@ maven_release_file(){ gunzip taglist.log.gz cat "$PATCH_DIR"/taglist.log popd - git checkout "$(awk '{print $NF}' "$PATCH_DIR/taglist.log")" + + # compare if the commit sha1 from taglist is the same origin/${GERRIT_BRANCH} + # ensure that the tag lands on the target branch + # forward from the tagging point, then a spur commit is created + # for the tag + taghash="$(awk '{print $NF}' "$PATCH_DIR/taglist.log")" + # shellcheck disable=SC2046 + if [ "${taghash}" = $(git rev-parse "origin/${GERRIT_BRANCH}") ]; then + git checkout "origin/${GERRIT_BRANCH}" + # sentinal file + touch .testhash + else + git checkout "${taghash}" + fi + git fetch "$PATCH_DIR/${PROJECT//\//-}.bundle" git merge --ff-only FETCH_HEAD + # print last few changes to see how the bundle is applied + git log --graph --all --decorate --pretty=oneline -n10 nexus_release tag-git-repo } @@ -626,7 +657,7 @@ case $DISTRIBUTION_TYPE in fi set_variables_packagecloud verify_packagecloud_match_release - for name in $(yq -r '.packages[].name' $release_file); do + for name in $(yq -r '.packages[].name' "$release_file"); do package=$name packagecloud_verify "$package" "$packagecloud_account" if [[ "$JOB_NAME" =~ "merge" ]] && ! $DRY_RUN; then
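Review bot: The comparison `[ "${taghash}" = $(git rev-parse "origin/${GERRIT_BRANCH}") ]` in maven_release_file leaves the command substitution unquoted and silences SC2046 instead, so when `git rev-parse` fails and prints nothing, `[` receives a malformed expression and the script falls through to the `else` branch. Quoting keeps the test well-formed and removes the need for the directive: `if [[ "${taghash}" == "$(git rev-parse "origin/${GERRIT_BRANCH}")" ]]; then`. `taghash` is the last field of every line of the downloaded `taglist.log`, so it is worth checking that it is a single commit id before it reaches `git checkout`, e.g. `[[ "$taghash" =~ ^[0-9a-f]{40}$ ]] || exit 1`. The comment block above the test is hard to follow as written, and `sentinal` should read `sentinel`.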