Self-Serve Release Jobs
=======================
-Self-serve release jobs allow project committers to direct Jenkins to
-promote a jar file, container image or Python package from a staging
-area to a release area.
+Self-serve release jobs allow project committers to promote a jar
+file, container image, Python package or PackageCloud artifact from a
+staging area to a release area. A release yaml file controls the
+process, and Jenkins promotes the artifact when a project committer
+merges the release yaml file in Gerrit.
To use the self-release process, create a releases/ or .releases/
directory at the root of the project repository, add one release yaml
file to it, and submit a change set with that release yaml file. The
required contents of the release yaml file are different for each type
-of release, see the schemas and examples shown below. The version in
-the release yaml file must be a valid Semantic Versioning (SemVer)
-string, matching either the pattern "v#.#.#" or "#.#.#" where "#" is
-one or more digits. Upon merge of the change, Jenkins will sign the
-reference extrapolated by log_dir and promote the artifact.
+of release, see the schemas and examples shown below. The version
+string in the release yaml file should be a valid Semantic Versioning
+(SemVer) string, matching the pattern "#.#.#" where "#" is one or more
+digits. A version string matching the pattern "v#.#.#" is also
+accepted. Upon merge of the change, a Jenkins job promotes the
+artifact and pushes a gpg-signed tag to the repository.
.. note::
The release file regex is: (releases\/.*\.yaml|\.releases\/.*\.yaml).
In words, the directory name can be ".releases" or "releases"; the file
- name can be anything with suffix ".yaml".
+ name can be anything with suffix ".yaml". Some release jobs require
+ a specific prefix on the file, as described below.
The build node for all release jobs must be CentOS, which supports the
-sigul client for accessing a signing server. The build node for
-container release jobs must have Docker installed.
+sigul client for accessing a signing server to sign a tag. The build
+node for container release jobs must have Docker installed.
A Jenkins admin user can also trigger a release job via the "Build
with parameters" action, removing the need to create and merge a
:project: The name of the project.
:version: The semantic version string used for the artifact.
-The JSON schema for a maven release file appears below.
+:Optional Parameters:
-.. code-block:: none
+ :git_tag: The tag string to sign and push to the Git repository.
+ (default: the semantic version string)
- ---
- $schema: "http://json-schema.org/schema#"
- $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-schema.yaml"
-
- required:
- - "distribution_type"
- - "log_dir"
- - "project"
- - "version"
-
- properties:
- distribution_type:
- type: "string"
- log_dir:
- type: "string"
- project:
- type: "string"
- version:
- type: "string"
+The JSON schema for a maven release file appears below.
+
+.. literalinclude:: ../../schema/release-schema.yaml
+ :language: yaml
Container Release Files
Docker images in the container-pull registry to promote to the
container-push registry.
-The JSON schema for a container release file appears below.
+:Optional Parameters:
-.. code-block:: none
+ :git_tag: The tag string to sign and push to the Git repository.
+ (default: the semantic version string)
- ---
- $schema: "http://json-schema.org/schema#"
- $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-container-schema.yaml"
-
- required:
- - "containers"
- - "distribution_type"
- - "project"
- - "container_release_tag"
- - "ref"
-
- properties:
- containers:
- type: "array"
- properties:
- name:
- type: "string"
- version:
- type: "string"
- additionalProperties: false
- distribution_type:
- type: "string"
- project:
- type: "string"
- container_release_tag:
- type: "string"
- container_pull_registry"
- type: "string"
- container_push_registry"
- type: "string"
- ref:
- type: "string"
+The JSON schema for a container release file appears below.
+
+.. literalinclude:: ../../schema/release-container-schema.yaml
+ :language: yaml
PyPI Release Files
:version: The semantic version string used for the package in the
setup.py file.
-The JSON schema for a PyPI release file appears below.
+:Optional Parameters:
-.. code-block:: none
+ :git_tag: The tag string to sign and push to the Git repository.
+ (default: the semantic version string)
- ---
- $schema: "http://json-schema.org/schema#"
- $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-pypi-schema.yaml"
-
- required:
- - "log_dir"
- - "pypi_project"
- - "python_version"
- - "version"
-
- properties:
- log_dir:
- type: "string"
- pypi_project:
- type: "string"
- python_version:
- type: "string"
- version:
- type: "string"
+The JSON schema for a PyPI release file appears below.
+
+.. literalinclude:: ../../schema/release-pypi-schema.yaml
+ :language: yaml
PackageCloud Release Files
"curl https://packagecloud.io/api/v1/repos/test_user/test_repo/search?q=
| yq -r .[].filename"
+
The JSON schema for a PackageCloud release file appears below.
-.. code-block:: none
+.. literalinclude:: ../../schema/release-packagecloud-schema.yaml
+ :language: yaml
- ---
- $schema: "http://json-schema.org/schema#"
- $id: "https://github.com/lfit/releng-global-jjb/blob/master/packagecloud-release-schema"
-
- required:
- - "package_name"
-
- properties:
- package_name:
- type: "array"
- properties:
- name:
- type: "string"
Jenkins Jobs
------------
echo "INFO: creating virtual environment"
virtualenv -p python3 /tmp/venv
PATH=/tmp/venv/bin:$PATH
-pipup="python -m pip install -q --upgrade pip lftools[nexus] jsonschema niet twine yq"
+pipup="python -m pip install -q --upgrade pip lftools jsonschema niet twine yq"
echo "INFO: $pipup"
$pipup
#Functions.
set_variables_common(){
- echo "INFO: Setting all common variables"
- LOGS_SERVER="${LOGS_SERVER:-None}"
- if [ "${LOGS_SERVER}" == 'None' ]; then
- echo "ERROR: log server not found"
+ echo "INFO: Setting common variables"
+ if [[ -z ${LOGS_SERVER:-} ]]; then
+ echo "ERROR: LOGS_SERVER not defined"
exit 1
fi
NEXUS_PATH="${SILO}/${JENKINS_HOSTNAME}/"
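Review bot: The rewritten `pipup` line near the top of this hunk still installs pip, lftools, jsonschema, niet, twine and yq unpinned with `--upgrade`, so each release run executes whatever versions the index serves at that moment, on a node that later uses the sigul signing configuration. Consider pinning through a reviewed constraints file, e.g. `python -m pip install -q -c "$constraints_file" lftools jsonschema niet twine yq` (`constraints_file` is a placeholder), ideally with hash checking enabled. The unchanged context also creates the virtualenv at the fixed path `/tmp/venv`; `venv_dir=$(mktemp -d)` would avoid reusing a predictable and possibly pre-populated directory.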
echo "INFO: RELEASE FILE: $release_files"
fi
else
- echo "INFO: This job is built with parameters, no release file needed. Continuing..."
+ echo "INFO: This job is built with parameters, no release file needed."
release_file="None"
fi
+ # Jenkins parameter drop-down defaults DISTRIBUTION_TYPE to None
DISTRIBUTION_TYPE="${DISTRIBUTION_TYPE:-None}"
if [[ $DISTRIBUTION_TYPE == "None" ]]; then
DISTRIBUTION_TYPE="$(niet ".distribution_type" "$release_file")"
}
set_variables_maven(){
- VERSION="${VERSION:-None}"
- if [[ $VERSION == "None" ]]; then
+ echo "INFO: Setting maven variables"
+ if [[ -z ${VERSION:-} ]]; then
VERSION="$(niet ".version" "$release_file")"
fi
- LOG_DIR="${LOG_DIR:-None}"
- if [[ $LOG_DIR == "None" ]]; then
+ if [[ -z ${GIT_TAG:-} ]]; then
+ if grep -q "git_tag" "$release_file" ; then
+ GIT_TAG="$(niet ".git_tag" "$release_file")"
+ else
+ GIT_TAG="$VERSION"
+ fi
+ fi
+ if [[ -z ${LOG_DIR:-} ]]; then
LOG_DIR="$(niet ".log_dir" "$release_file")"
fi
LOGS_URL="${LOGS_SERVER}/${NEXUS_PATH}${LOG_DIR}"
# Continuing displaying Release Information (Maven)
printf "\t%-30s\n" RELEASE_MAVEN_INFO:
printf "\t%-30s %s\n" VERSION: $VERSION
+ printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG
printf "\t%-30s %s\n" LOG_DIR: $LOG_DIR
printf "\t%-30s %s\n" LOGS_URL: $LOGS_URL
}
set_variables_container(){
- VERSION="${VERSION:-None}"
- if [[ $VERSION == "None" ]]; then
+ echo "INFO: Setting container variables"
+ if [[ -z ${VERSION:-} ]]; then
VERSION="$(niet ".container_release_tag" "$release_file")"
fi
+ if [[ -z ${GIT_TAG:-} ]]; then
+ if grep -q "git_tag" "$release_file" ; then
+ GIT_TAG="$(niet ".git_tag" "$release_file")"
+ else
+ GIT_TAG="$VERSION"
+ fi
+ fi
if grep -q "container_pull_registry" "$release_file" ; then
CONTAINER_PULL_REGISTRY="$(niet ".container_pull_registry" "$release_file")"
fi
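Review bot: GIT_TAG is read from the release file in set_variables_maven without the validation that verify_version applies to VERSION, yet it is later passed to `git tag` and `git push origin "$GIT_TAG"`. A check such as `git check-ref-format "refs/tags/$GIT_TAG" || exit 1` after the assignment would reject values that are not plain tag names; whether the schema constrains git_tag is not visible here. `grep -q "git_tag"` also matches that string anywhere in the file, including a comment or another value, and the added `printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG` leaves the expansion unquoted where `"$GIT_TAG"` would match the quoted lines in set_variables_pypi. The same block is repeated in set_variables_container and set_variables_pypi, so one shared helper would keep the three copies from drifting.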
printf "\t%-30s %s\n" CONTAINER_PULL_REGISTRY: $CONTAINER_PULL_REGISTRY
printf "\t%-30s %s\n" CONTAINER_PUSH_REGISTRY: $CONTAINER_PUSH_REGISTRY
printf "\t%-30s %s\n" GERRIT_REF_TO_TAG: $ref
+ printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG
}
set_variables_pypi(){
- # use Jenkins parameter if set; else get value from release file
echo "INFO: Setting pypi variables"
- LOG_DIR="${LOG_DIR:-None}"
- if [[ $LOG_DIR == "None" ]]; then
- LOG_DIR="$(yq -er .log_dir "$release_file")"
+ if [[ -z ${LOG_DIR:-} ]]; then
+ LOG_DIR="$(niet ".log_dir" "$release_file")"
fi
LOGS_URL="${LOGS_SERVER}/${NEXUS_PATH}${LOG_DIR}"
LOGS_URL=${LOGS_URL%/} # strip any trailing '/'
- PYPI_PROJECT="${PYPI_PROJECT:-None}"
- if [[ $PYPI_PROJECT == "None" ]]; then
- PYPI_PROJECT="$(yq -er .pypi_project "$release_file")"
+ if [[ -z ${PYPI_PROJECT:-} ]]; then
+ PYPI_PROJECT="$(niet ".pypi_project" "$release_file")"
fi
- PYTHON_VERSION="${PYTHON_VERSION:-None}"
- if [[ $PYTHON_VERSION == "None" ]]; then
- PYTHON_VERSION="$(yq -er .python_version "$release_file")"
+ if [[ -z ${PYTHON_VERSION:-} ]]; then
+ PYTHON_VERSION="$(niet ".python_version" "$release_file")"
fi
- VERSION="${VERSION:-None}"
- if [[ $VERSION == "None" ]]; then
- VERSION="$(yq -er .version "$release_file")"
+ if [[ -z ${VERSION:-} ]]; then
+ VERSION="$(niet ".version" "$release_file")"
fi
+ if [[ -z ${GIT_TAG:-} ]]; then
+ if grep -q "git_tag" "$release_file" ; then
+ GIT_TAG="$(niet ".git_tag" "$release_file")"
+ else
+ GIT_TAG="$VERSION"
+ fi
+ fi
# Continuing displaying Release Information (pypi)
printf "\t%-30s\n" RELEASE_PYPI_INFO:
printf "\t%-30s %s\n" PYPI_PROJECT: "$PYPI_PROJECT"
printf "\t%-30s %s\n" PYTHON_VERSION: "$PYTHON_VERSION"
printf "\t%-30s %s\n" VERSION: "$VERSION"
+ printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG
}
verify_schema(){
- echo "INFO: Verifying $release_file schema."
+ echo "INFO: Verifying $release_file against schema $release_schema"
lftools schema verify "$release_file" "$release_schema"
}
verify_version(){
- # Verify allowed patterns "v#.#.#" or "#.#.#" aka SemVer
- echo "INFO: Verifying version string $VERSION"
+ # Verify allowed patterns "#.#.#" (SemVer) or "v#.#.#"
+ echo "INFO: Verifying version $VERSION"
allowed_version_regex="^((v?)([0-9]+)\.([0-9]+)\.([0-9]+))$"
if [[ $VERSION =~ $allowed_version_regex ]]; then
- echo "INFO: The version $VERSION is a valid semantic version"
+ echo "INFO: The version $VERSION is valid"
else
- echo "INFO: The version $VERSION is not a semantic valid version"
- echo "INFO: Allowed versions are \"v#.#.#\" or \"#.#.#\" aka SemVer"
- echo "INFO: See https://semver.org/ for more details on SemVer"
+ echo "ERROR: The version $VERSION is not valid"
+ echo "ERROR: Valid versions are \"#.#.#\" (SemVer) or \"v#.#.#\""
+ echo "ERROR: See https://semver.org/ for more details on SemVer"
exit 1
fi
}
verify_version_match_release(){
+ echo "INFO: Fetching console log from $LOGS_URL"
wget -P /tmp "${LOGS_URL}/"console.log.gz
- echo "INFO: Comparing version $VERSION with log snippet from maven-stage:"
+ echo "INFO: Searching for uploaded step and version $VERSION in job log"
if zgrep "Successfully uploaded" /tmp/console.log.gz | grep "$VERSION"; then
- echo "INFO: version $VERSION matches maven-stage artifacts"
+ echo "INFO: found expected strings in job log"
else
echo "ERROR: Defined version in release file does not match staging repo artifacts version to be released"
- echo " Please make sure maven-stage job selected as candidate and release version are correct"
+ echo "ERROR: Please make sure maven stage job log dir and release version are both correct"
exit 1
fi
}
# check prerequisites to detect mistakes in the release YAML file
verify_pypi_match_release(){
+ echo "INFO: Fetching console log from $LOGS_URL"
wget -q -P /tmp "${LOGS_URL}/"console.log.gz
- echo "INFO: Searching for strings >$PYPI_PROJECT< and >$VERSION< in job log"
+ echo "INFO: Searching for uploaded step, project $PYPI_PROJECT and version $VERSION in job log"
# pypi-upload.sh generates success message with file list
if zgrep -i "uploaded" /tmp/console.log.gz | grep "$PYPI_PROJECT" | grep "$VERSION" ; then
echo "INFO: found expected strings in job log"
}
# sigul is only available on Centos
-# TODO: write tag_github function
-tag(){
+# TODO: write tag-github-repo function
+tag-gerrit-repo(){
+ echo "INFO: tag gerrit with $GIT_TAG"
# Import public signing key
gpg --import "$SIGNING_PUBKEY"
- if git tag -v "$VERSION"; then
- echo "OK: Repo already tagged $VERSION Continuting to release"
+ if type=$(git cat-file -t "$GIT_TAG"); then
+ if [[ $type == "tag" ]]; then
+ echo "INFO: Repo already has signed tag $GIT_TAG, nothing to do"
+ else
+ echo "ERROR: Repo has lightweight tag $GIT_TAG, blocks push of signed tag"
+ exit 1
+ fi
else
- echo "INFO: Repo has not yet been tagged $VERSION"
- git tag -am "${PROJECT//\//-} $VERSION" "$VERSION"
- sigul --batch -c "$SIGUL_CONFIG" sign-git-tag "$SIGUL_KEY" "$VERSION" < "$SIGUL_PASSWORD"
+ echo "INFO: Repo has not yet been tagged $GIT_TAG"
+ git tag -am "${PROJECT//\//-} $GIT_TAG" "$GIT_TAG"
+ sigul --batch -c "$SIGUL_CONFIG" sign-git-tag "$SIGUL_KEY" "$GIT_TAG" < "$SIGUL_PASSWORD"
echo "INFO: Showing latest signature for $PROJECT:"
- echo "INFO: git tag -v $VERSION"
- git tag -v "$VERSION"
+ echo "INFO: git tag -v $GIT_TAG"
+ git tag -v "$GIT_TAG"
########## Merge Part ##############
if [[ "$JOB_NAME" =~ "merge" ]] && [[ "$DRY_RUN" = false ]]; then
git config user.email "$RELEASE_EMAIL"
echo -e "Host $gerrit_ssh\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config
chmod 600 ~/.ssh/config
- git push origin "$VERSION"
+ git push origin "$GIT_TAG"
fi
fi
}
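Review bot: The new `git cat-file -t "$GIT_TAG"` branch in tag-gerrit-repo prints "already has signed tag" for any annotated tag object, whereas the removed `git tag -v "$VERSION"` checked the signature against the imported key. An existing annotated tag that is unsigned, or signed by an unexpected key, is now treated as already released. Keeping the type check and adding `git tag -v "$GIT_TAG" || exit 1` inside the `tag` branch restores that guarantee. `git cat-file -t` also resolves any revision name, so a branch or commit id equal to GIT_TAG is misreported as a lightweight tag; `git cat-file -t "refs/tags/$GIT_TAG"` limits the lookup to tags. Separately, the unchanged context appends `StrictHostKeyChecking no` to `~/.ssh/config` before `git push origin "$GIT_TAG"`, so the tag is pushed to a host whose key is never checked; pinning the Gerrit host key in known_hosts would close that gap.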
nexus_release(){
+ echo "INFO: Processing nexus release"
for staging_url in $(zcat "$PATCH_DIR"/staging-repo.txt.gz | awk -e '{print $2}'); do
# extract the domain name from URL
NEXUS_URL=$(echo "$staging_url" | sed -e 's|^[^/]*//||' -e 's|/.*$||')
container_release_file(){
echo "INFO: Processing container release"
local lfn_umbrella
- lfn_umbrella="$(echo "$GERRIT_HOST" | awk -F"." '{print $2}')"
+ lfn_umbrella="$(echo "$GERRIT_URL" | awk -F"." '{print $2}')"
for namequoted in $(cat $release_file | yq '.containers[].name'); do
versionquoted=$(cat $release_file | yq ".containers[] |select(.name==$namequoted) |.version")
echo "INFO: Merge will release $name $version as $VERSION"
# Attempt to pull from releases registry to see if the image has been released.
if docker pull "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"; then
- echo "OK: $VERSION is already released for image $name, Continuing..."
+ echo "INFO: $VERSION is already released for image $name, Continuing..."
else
- echo "OK: $VERSION not found in releases, release will be prepared. Continuing..."
+ echo "INFO: $VERSION not found in releases, release will be prepared. Continuing..."
docker pull "$CONTAINER_PULL_REGISTRY"/"$lfn_umbrella"/"$name":"$version"
container_image_id="$(docker images | grep $name | grep $version | awk '{print $3}')"
echo "INFO: Merge will run the following commands:"
echo "INFO: Merge will tag ref: $ref"
git checkout "$ref"
- tag
+ tag-gerrit-repo
}
maven_release_file(){
+ echo "INFO: Processing maven release"
echo "INFO: wget -P $PATCH_DIR ${LOGS_URL}/staging-repo.txt.gz"
wget -P "$PATCH_DIR" "${LOGS_URL}/"staging-repo.txt.gz
pushd "$PATCH_DIR"
git fetch "$PATCH_DIR/${PROJECT//\//-}.bundle"
git merge --ff-only FETCH_HEAD
nexus_release
- tag
+ tag-gerrit-repo
}
# calls pip to download binary and source distributions from the specified index,
# which requires a recent-in-2019 version. Uploads the files it received.
pypi_release_file(){
+ echo "INFO: Processing pypi release"
tgtdir=dist
mkdir $tgtdir
pip_pfx="pip download -d $tgtdir --no-deps --python-version $PYTHON_VERSION -i $PYPI_INDEX"
echo "INFO: uploading $filecount distributions to repo $REPOSITORY"
$cmd
fi
- tag
+ tag-gerrit-repo
}
packagecloud_verify(){