From: Lott, Christopher (cl778h) Date: Wed, 11 Dec 2019 17:08:07 +0000 (-0500) Subject: Extend tag feature of release jobs X-Git-Tag: v0.49.0~9^2 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F03%2F62603%2F7;p=releng%2Fglobal-jjb.git Extend tag feature of release jobs Extend release-yaml schema files to allow git_tag entry. Extend lf-build-with-parameters-maven-release macro with GIT_TAG. Extend release-job.sh: * detect and use optional git_tag string. * detect and reject an existing lightweight tag that blocks push of a gpg-signed tag. * change GERRIT_HOST to GERRIT_URL in method for obtaining LF umbrella project to allow testing in the sandbox. * rename function from tag to tag-gerrit-repo. * simplify tests for presence of Jenkins parameter values * show more details about steps as INFO statements Include schema file contents into documentation; remove the copies. Change-Id: Iee2167b059c7f0ecf86ab6eb8dead36ec96be1b5 Issue-ID: RELENG-2568, RELENG-2586 Signed-off-by: Lott, Christopher (cl778h) --- diff --git a/docs/jjb/lf-release-jobs.rst b/docs/jjb/lf-release-jobs.rst index 7ab16815..2413190d 100644 --- a/docs/jjb/lf-release-jobs.rst +++ b/docs/jjb/lf-release-jobs.rst @@ -3,29 +3,33 @@ Self-Serve Release Jobs ======================= -Self-serve release jobs allow project committers to direct Jenkins to -promote a jar file, container image or Python package from a staging -area to a release area. +Self-serve release jobs allow project committers to promote a jar +file, container image, Python package or PackageCloud artifact from a +staging area to a release area. A release yaml file controls the +process, and Jenkins promotes the artifact when a project committer +merges the release yaml file in Gerrit. To use the self-release process, create a releases/ or .releases/ directory at the root of the project repository, add one release yaml file to it, and submit a change set with that release yaml file. The required contents of the release yaml file are different for each type -of release, see the schemas and examples shown below. The version in -the release yaml file must be a valid Semantic Versioning (SemVer) -string, matching either the pattern "v#.#.#" or "#.#.#" where "#" is -one or more digits. Upon merge of the change, Jenkins will sign the -reference extrapolated by log_dir and promote the artifact. +of release, see the schemas and examples shown below. The version +string in the release yaml file should be a valid Semantic Versioning +(SemVer) string, matching the pattern "#.#.#" where "#" is one or more +digits. A version string matching the pattern "v#.#.#" is also +accepted. Upon merge of the change, a Jenkins job promotes the +artifact and pushes a gpg-signed tag to the repository. .. note:: The release file regex is: (releases\/.*\.yaml|\.releases\/.*\.yaml). In words, the directory name can be ".releases" or "releases"; the file - name can be anything with suffix ".yaml". + name can be anything with suffix ".yaml". Some release jobs require + a specific prefix on the file, as described below. The build node for all release jobs must be CentOS, which supports the -sigul client for accessing a signing server. The build node for -container release jobs must have Docker installed. +sigul client for accessing a signing server to sign a tag. The build +node for container release jobs must have Docker installed. A Jenkins admin user can also trigger a release job via the "Build with parameters" action, removing the need to create and merge a @@ -74,29 +78,15 @@ The following parameters must appear in a maven release yaml file. :project: The name of the project. :version: The semantic version string used for the artifact. -The JSON schema for a maven release file appears below. +:Optional Parameters: -.. code-block:: none + :git_tag: The tag string to sign and push to the Git repository. + (default: the semantic version string) - --- - $schema: "http://json-schema.org/schema#" - $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-schema.yaml" - - required: - - "distribution_type" - - "log_dir" - - "project" - - "version" - - properties: - distribution_type: - type: "string" - log_dir: - type: "string" - project: - type: "string" - version: - type: "string" +The JSON schema for a maven release file appears below. + +.. literalinclude:: ../../schema/release-schema.yaml + :language: yaml Container Release Files @@ -138,42 +128,15 @@ The following parameters must appear in a container release yaml file. Docker images in the container-pull registry to promote to the container-push registry. -The JSON schema for a container release file appears below. +:Optional Parameters: -.. code-block:: none + :git_tag: The tag string to sign and push to the Git repository. + (default: the semantic version string) - --- - $schema: "http://json-schema.org/schema#" - $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-container-schema.yaml" - - required: - - "containers" - - "distribution_type" - - "project" - - "container_release_tag" - - "ref" - - properties: - containers: - type: "array" - properties: - name: - type: "string" - version: - type: "string" - additionalProperties: false - distribution_type: - type: "string" - project: - type: "string" - container_release_tag: - type: "string" - container_pull_registry" - type: "string" - container_push_registry" - type: "string" - ref: - type: "string" +The JSON schema for a container release file appears below. + +.. literalinclude:: ../../schema/release-container-schema.yaml + :language: yaml PyPI Release Files @@ -212,29 +175,15 @@ packages. :version: The semantic version string used for the package in the setup.py file. -The JSON schema for a PyPI release file appears below. +:Optional Parameters: -.. code-block:: none + :git_tag: The tag string to sign and push to the Git repository. + (default: the semantic version string) - --- - $schema: "http://json-schema.org/schema#" - $id: "https://github.com/lfit/releng-global-jjb/blob/master/release-pypi-schema.yaml" - - required: - - "log_dir" - - "pypi_project" - - "python_version" - - "version" - - properties: - log_dir: - type: "string" - pypi_project: - type: "string" - python_version: - type: "string" - version: - type: "string" +The JSON schema for a PyPI release file appears below. + +.. literalinclude:: ../../schema/release-pypi-schema.yaml + :language: yaml PackageCloud Release Files @@ -265,23 +214,12 @@ packages. "curl https://packagecloud.io/api/v1/repos/test_user/test_repo/search?q= | yq -r .[].filename" + The JSON schema for a PackageCloud release file appears below. -.. code-block:: none +.. literalinclude:: ../../schema/release-packagecloud-schema.yaml + :language: yaml - --- - $schema: "http://json-schema.org/schema#" - $id: "https://github.com/lfit/releng-global-jjb/blob/master/packagecloud-release-schema" - - required: - - "package_name" - - properties: - package_name: - type: "array" - properties: - name: - type: "string" Jenkins Jobs ------------ diff --git a/jjb/lf-macros.yaml b/jjb/lf-macros.yaml index 529254c9..69848114 100644 --- a/jjb/lf-macros.yaml +++ b/jjb/lf-macros.yaml @@ -536,11 +536,15 @@ - string: name: VERSION default: "" - description: "This is the tag, Example: 1.0.0" + description: "Version to release, for example: 1.0.0" + - string: + name: GIT_TAG + default: "" + description: "Tag to push to git repo; optional, defaults to VERSION" - string: name: LOG_DIR default: "" - description: "Log dir, example: project-maven-stage-master/17/" + description: "Log dir, for example: project-maven-stage-master/17/" - choice: name: DISTRIBUTION_TYPE choices: diff --git a/jjb/lf-release-jobs.yaml b/jjb/lf-release-jobs.yaml index 4d4a9ca2..6be717da 100644 --- a/jjb/lf-release-jobs.yaml +++ b/jjb/lf-release-jobs.yaml @@ -308,6 +308,10 @@ name: LOG_DIR default: "" description: "The partial path of logs from the PyPI merge job." + - string: + name: GIT_TAG + default: "" + description: "Tag to push to git repo; optional, defaults to VERSION." - string: name: PYPI_PROJECT default: "" diff --git a/releasenotes/notes/add-optional-git-tag-in-release-2e9b641b8f2c525a.yaml b/releasenotes/notes/add-optional-git-tag-in-release-2e9b641b8f2c525a.yaml new file mode 100644 index 00000000..2050fcee --- /dev/null +++ b/releasenotes/notes/add-optional-git-tag-in-release-2e9b641b8f2c525a.yaml @@ -0,0 +1,16 @@ +--- +features: + - | + Extend tag feature of release jobs: + Extend release-yaml schema files to allow git_tag entry. + Extend lf-build-with-parameters-maven-release macro with GIT_TAG. + Extend release-job.sh: + detect and use optional git_tag string. + detect and reject an existing lightweight tag that blocks + push of a gpg-signed tag. + change GERRIT_HOST to GERRIT_URL in method for obtaining LF + umbrella project to allow testing in the sandbox. + rename function from tag to tag-gerrit-repo. + simplify tests for presence of Jenkins parameter values + show more details about steps as INFO statements + Include schema file contents into documentation; remove the copies. diff --git a/schema/release-container-schema.yaml b/schema/release-container-schema.yaml index e3b73583..0b1fe0a2 100644 --- a/schema/release-container-schema.yaml +++ b/schema/release-container-schema.yaml @@ -27,15 +27,17 @@ properties: version: type: "string" additionalProperties: false - distribution_type: - type: "string" - project: - type: "string" container_release_tag: type: "string" container_pull_registry: type: "string" container_push_registry: type: "string" + distribution_type: + type: "string" + git_tag: + type: "string" + project: + type: "string" ref: type: "string" diff --git a/schema/release-pypi-schema.yaml b/schema/release-pypi-schema.yaml index 734198cb..20240ed9 100644 --- a/schema/release-pypi-schema.yaml +++ b/schema/release-pypi-schema.yaml @@ -18,6 +18,8 @@ required: - "version" properties: + git_tag: + type: "string" log_dir: type: "string" pypi_project: diff --git a/schema/release-schema.yaml b/schema/release-schema.yaml index 3c0b9664..1c95eb90 100644 --- a/schema/release-schema.yaml +++ b/schema/release-schema.yaml @@ -20,6 +20,8 @@ required: properties: distribution_type: type: "string" + git_tag: + type: "string" log_dir: type: "string" project: diff --git a/shell/release-job.sh b/shell/release-job.sh index f8837e81..aa347e27 100644 --- a/shell/release-job.sh +++ b/shell/release-job.sh @@ -14,17 +14,16 @@ set -eu -o pipefail echo "INFO: creating virtual environment" virtualenv -p python3 /tmp/venv PATH=/tmp/venv/bin:$PATH -pipup="python -m pip install -q --upgrade pip lftools[nexus] jsonschema niet twine yq" +pipup="python -m pip install -q --upgrade pip lftools jsonschema niet twine yq" echo "INFO: $pipup" $pipup #Functions. set_variables_common(){ - echo "INFO: Setting all common variables" - LOGS_SERVER="${LOGS_SERVER:-None}" - if [ "${LOGS_SERVER}" == 'None' ]; then - echo "ERROR: log server not found" + echo "INFO: Setting common variables" + if [[ -z ${LOGS_SERVER:-} ]]; then + echo "ERROR: LOGS_SERVER not defined" exit 1 fi NEXUS_PATH="${SILO}/${JENKINS_HOSTNAME}/" @@ -40,10 +39,11 @@ set_variables_common(){ echo "INFO: RELEASE FILE: $release_files" fi else - echo "INFO: This job is built with parameters, no release file needed. Continuing..." + echo "INFO: This job is built with parameters, no release file needed." release_file="None" fi + # Jenkins parameter drop-down defaults DISTRIBUTION_TYPE to None DISTRIBUTION_TYPE="${DISTRIBUTION_TYPE:-None}" if [[ $DISTRIBUTION_TYPE == "None" ]]; then DISTRIBUTION_TYPE="$(niet ".distribution_type" "$release_file")" @@ -64,12 +64,18 @@ set_variables_common(){ } set_variables_maven(){ - VERSION="${VERSION:-None}" - if [[ $VERSION == "None" ]]; then + echo "INFO: Setting maven variables" + if [[ -z ${VERSION:-} ]]; then VERSION="$(niet ".version" "$release_file")" fi - LOG_DIR="${LOG_DIR:-None}" - if [[ $LOG_DIR == "None" ]]; then + if [[ -z ${GIT_TAG:-} ]]; then + if grep -q "git_tag" "$release_file" ; then + GIT_TAG="$(niet ".git_tag" "$release_file")" + else + GIT_TAG="$VERSION" + fi + fi + if [[ -z ${LOG_DIR:-} ]]; then LOG_DIR="$(niet ".log_dir" "$release_file")" fi LOGS_URL="${LOGS_SERVER}/${NEXUS_PATH}${LOG_DIR}" @@ -78,15 +84,23 @@ set_variables_maven(){ # Continuing displaying Release Information (Maven) printf "\t%-30s\n" RELEASE_MAVEN_INFO: printf "\t%-30s %s\n" VERSION: $VERSION + printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG printf "\t%-30s %s\n" LOG_DIR: $LOG_DIR printf "\t%-30s %s\n" LOGS_URL: $LOGS_URL } set_variables_container(){ - VERSION="${VERSION:-None}" - if [[ $VERSION == "None" ]]; then + echo "INFO: Setting container variables" + if [[ -z ${VERSION:-} ]]; then VERSION="$(niet ".container_release_tag" "$release_file")" fi + if [[ -z ${GIT_TAG:-} ]]; then + if grep -q "git_tag" "$release_file" ; then + GIT_TAG="$(niet ".git_tag" "$release_file")" + else + GIT_TAG="$VERSION" + fi + fi if grep -q "container_pull_registry" "$release_file" ; then CONTAINER_PULL_REGISTRY="$(niet ".container_pull_registry" "$release_file")" fi @@ -106,29 +120,32 @@ set_variables_container(){ printf "\t%-30s %s\n" CONTAINER_PULL_REGISTRY: $CONTAINER_PULL_REGISTRY printf "\t%-30s %s\n" CONTAINER_PUSH_REGISTRY: $CONTAINER_PUSH_REGISTRY printf "\t%-30s %s\n" GERRIT_REF_TO_TAG: $ref + printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG } set_variables_pypi(){ - # use Jenkins parameter if set; else get value from release file echo "INFO: Setting pypi variables" - LOG_DIR="${LOG_DIR:-None}" - if [[ $LOG_DIR == "None" ]]; then - LOG_DIR="$(yq -er .log_dir "$release_file")" + if [[ -z ${LOG_DIR:-} ]]; then + LOG_DIR="$(niet ".log_dir" "$release_file")" fi LOGS_URL="${LOGS_SERVER}/${NEXUS_PATH}${LOG_DIR}" LOGS_URL=${LOGS_URL%/} # strip any trailing '/' - PYPI_PROJECT="${PYPI_PROJECT:-None}" - if [[ $PYPI_PROJECT == "None" ]]; then - PYPI_PROJECT="$(yq -er .pypi_project "$release_file")" + if [[ -z ${PYPI_PROJECT:-} ]]; then + PYPI_PROJECT="$(niet ".pypi_project" "$release_file")" fi - PYTHON_VERSION="${PYTHON_VERSION:-None}" - if [[ $PYTHON_VERSION == "None" ]]; then - PYTHON_VERSION="$(yq -er .python_version "$release_file")" + if [[ -z ${PYTHON_VERSION:-} ]]; then + PYTHON_VERSION="$(niet ".python_version" "$release_file")" fi - VERSION="${VERSION:-None}" - if [[ $VERSION == "None" ]]; then - VERSION="$(yq -er .version "$release_file")" + if [[ -z ${VERSION:-} ]]; then + VERSION="$(niet ".version" "$release_file")" fi + if [[ -z ${GIT_TAG:-} ]]; then + if grep -q "git_tag" "$release_file" ; then + GIT_TAG="$(niet ".git_tag" "$release_file")" + else + GIT_TAG="$VERSION" + fi + fi # Continuing displaying Release Information (pypi) printf "\t%-30s\n" RELEASE_PYPI_INFO: @@ -138,43 +155,46 @@ set_variables_pypi(){ printf "\t%-30s %s\n" PYPI_PROJECT: "$PYPI_PROJECT" printf "\t%-30s %s\n" PYTHON_VERSION: "$PYTHON_VERSION" printf "\t%-30s %s\n" VERSION: "$VERSION" + printf "\t%-30s %s\n" GIT_TAG: $GIT_TAG } verify_schema(){ - echo "INFO: Verifying $release_file schema." + echo "INFO: Verifying $release_file against schema $release_schema" lftools schema verify "$release_file" "$release_schema" } verify_version(){ - # Verify allowed patterns "v#.#.#" or "#.#.#" aka SemVer - echo "INFO: Verifying version string $VERSION" + # Verify allowed patterns "#.#.#" (SemVer) or "v#.#.#" + echo "INFO: Verifying version $VERSION" allowed_version_regex="^((v?)([0-9]+)\.([0-9]+)\.([0-9]+))$" if [[ $VERSION =~ $allowed_version_regex ]]; then - echo "INFO: The version $VERSION is a valid semantic version" + echo "INFO: The version $VERSION is valid" else - echo "INFO: The version $VERSION is not a semantic valid version" - echo "INFO: Allowed versions are \"v#.#.#\" or \"#.#.#\" aka SemVer" - echo "INFO: See https://semver.org/ for more details on SemVer" + echo "ERROR: The version $VERSION is not valid" + echo "ERROR: Valid versions are \"#.#.#\" (SemVer) or \"v#.#.#\"" + echo "ERROR: See https://semver.org/ for more details on SemVer" exit 1 fi } verify_version_match_release(){ + echo "INFO: Fetching console log from $LOGS_URL" wget -P /tmp "${LOGS_URL}/"console.log.gz - echo "INFO: Comparing version $VERSION with log snippet from maven-stage:" + echo "INFO: Searching for uploaded step and version $VERSION in job log" if zgrep "Successfully uploaded" /tmp/console.log.gz | grep "$VERSION"; then - echo "INFO: version $VERSION matches maven-stage artifacts" + echo "INFO: found expected strings in job log" else echo "ERROR: Defined version in release file does not match staging repo artifacts version to be released" - echo " Please make sure maven-stage job selected as candidate and release version are correct" + echo "ERROR: Please make sure maven stage job log dir and release version are both correct" exit 1 fi } # check prerequisites to detect mistakes in the release YAML file verify_pypi_match_release(){ + echo "INFO: Fetching console log from $LOGS_URL" wget -q -P /tmp "${LOGS_URL}/"console.log.gz - echo "INFO: Searching for strings >$PYPI_PROJECT< and >$VERSION< in job log" + echo "INFO: Searching for uploaded step, project $PYPI_PROJECT and version $VERSION in job log" # pypi-upload.sh generates success message with file list if zgrep -i "uploaded" /tmp/console.log.gz | grep "$PYPI_PROJECT" | grep "$VERSION" ; then echo "INFO: found expected strings in job log" @@ -185,19 +205,25 @@ verify_pypi_match_release(){ } # sigul is only available on Centos -# TODO: write tag_github function -tag(){ +# TODO: write tag-github-repo function +tag-gerrit-repo(){ + echo "INFO: tag gerrit with $GIT_TAG" # Import public signing key gpg --import "$SIGNING_PUBKEY" - if git tag -v "$VERSION"; then - echo "OK: Repo already tagged $VERSION Continuting to release" + if type=$(git cat-file -t "$GIT_TAG"); then + if [[ $type == "tag" ]]; then + echo "INFO: Repo already has signed tag $GIT_TAG, nothing to do" + else + echo "ERROR: Repo has lightweight tag $GIT_TAG, blocks push of signed tag" + exit 1 + fi else - echo "INFO: Repo has not yet been tagged $VERSION" - git tag -am "${PROJECT//\//-} $VERSION" "$VERSION" - sigul --batch -c "$SIGUL_CONFIG" sign-git-tag "$SIGUL_KEY" "$VERSION" < "$SIGUL_PASSWORD" + echo "INFO: Repo has not yet been tagged $GIT_TAG" + git tag -am "${PROJECT//\//-} $GIT_TAG" "$GIT_TAG" + sigul --batch -c "$SIGUL_CONFIG" sign-git-tag "$SIGUL_KEY" "$GIT_TAG" < "$SIGUL_PASSWORD" echo "INFO: Showing latest signature for $PROJECT:" - echo "INFO: git tag -v $VERSION" - git tag -v "$VERSION" + echo "INFO: git tag -v $GIT_TAG" + git tag -v "$GIT_TAG" ########## Merge Part ############## if [[ "$JOB_NAME" =~ "merge" ]] && [[ "$DRY_RUN" = false ]]; then @@ -208,12 +234,13 @@ tag(){ git config user.email "$RELEASE_EMAIL" echo -e "Host $gerrit_ssh\n\tStrictHostKeyChecking no\n" >> ~/.ssh/config chmod 600 ~/.ssh/config - git push origin "$VERSION" + git push origin "$GIT_TAG" fi fi } nexus_release(){ + echo "INFO: Processing nexus release" for staging_url in $(zcat "$PATCH_DIR"/staging-repo.txt.gz | awk -e '{print $2}'); do # extract the domain name from URL NEXUS_URL=$(echo "$staging_url" | sed -e 's|^[^/]*//||' -e 's|/.*$||') @@ -240,7 +267,7 @@ nexus_release(){ container_release_file(){ echo "INFO: Processing container release" local lfn_umbrella - lfn_umbrella="$(echo "$GERRIT_HOST" | awk -F"." '{print $2}')" + lfn_umbrella="$(echo "$GERRIT_URL" | awk -F"." '{print $2}')" for namequoted in $(cat $release_file | yq '.containers[].name'); do versionquoted=$(cat $release_file | yq ".containers[] |select(.name==$namequoted) |.version") @@ -256,9 +283,9 @@ container_release_file(){ echo "INFO: Merge will release $name $version as $VERSION" # Attempt to pull from releases registry to see if the image has been released. if docker pull "$CONTAINER_PUSH_REGISTRY"/"$lfn_umbrella"/"$name":"$VERSION"; then - echo "OK: $VERSION is already released for image $name, Continuing..." + echo "INFO: $VERSION is already released for image $name, Continuing..." else - echo "OK: $VERSION not found in releases, release will be prepared. Continuing..." + echo "INFO: $VERSION not found in releases, release will be prepared. Continuing..." docker pull "$CONTAINER_PULL_REGISTRY"/"$lfn_umbrella"/"$name":"$version" container_image_id="$(docker images | grep $name | grep $version | awk '{print $3}')" echo "INFO: Merge will run the following commands:" @@ -274,10 +301,11 @@ container_release_file(){ echo "INFO: Merge will tag ref: $ref" git checkout "$ref" - tag + tag-gerrit-repo } maven_release_file(){ + echo "INFO: Processing maven release" echo "INFO: wget -P $PATCH_DIR ${LOGS_URL}/staging-repo.txt.gz" wget -P "$PATCH_DIR" "${LOGS_URL}/"staging-repo.txt.gz pushd "$PATCH_DIR" @@ -290,12 +318,13 @@ maven_release_file(){ git fetch "$PATCH_DIR/${PROJECT//\//-}.bundle" git merge --ff-only FETCH_HEAD nexus_release - tag + tag-gerrit-repo } # calls pip to download binary and source distributions from the specified index, # which requires a recent-in-2019 version. Uploads the files it received. pypi_release_file(){ + echo "INFO: Processing pypi release" tgtdir=dist mkdir $tgtdir pip_pfx="pip download -d $tgtdir --no-deps --python-version $PYTHON_VERSION -i $PYPI_INDEX" @@ -333,7 +362,7 @@ pypi_release_file(){ echo "INFO: uploading $filecount distributions to repo $REPOSITORY" $cmd fi - tag + tag-gerrit-repo } packagecloud_verify(){