# to the following (fairly standard) topics and require them to be Mixed Case
[contrib-title-conventional-commits]
types=Fix,Feat,Chore,Docs,Style,Refactor,Perf,Test,Revert,CI,Build
+
+# Require RELENG issues in commit messages
+[body-match-regex]
+regex=(.*)Issue:\s+(?<!IT)RELENG-\d+(.*)
--- /dev/null
+FROM centos:7
+SHELL ["/bin/bash", "-c"]
+
+ARG SIGN_DIR="${WORKSPACE}/m2repo"
+
+RUN echo $'[fedora-infra-sigul] \n\
+name=Fedora builder packages for sigul \n\
+baseurl=https://kojipkgs.fedoraproject.org/repos-dist/epel\$releasever-infra/latest/\$basearch/ \n\
+enabled=1 \n\
+gpgcheck=1 \n\
+gpgkey=https://infrastructure.fedoraproject.org/repo/infra/RPM-GPG-KEY-INFRA-TAGS \n\
+includepkgs=sigul* \n\
+skip_if_unavailable=True' > /etc/yum.repos.d/fedora-infra-sigul.repo
+
+RUN yum install -y -q sigul
+
+RUN mkdir -p /w/workspace && mkdir -p /home/jenkins
+
+COPY ./sigul-sign.sh /
+USER root
+
+ENTRYPOINT ["/bin/bash", "/sigul-sign.sh"]
+CMD ["${SIGN_DIR}"]
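Review bot: `CMD ["${SIGN_DIR}"]` on the last line is exec form, which Docker hands to the entrypoint without any shell expansion, so /sigul-sign.sh receives the literal string `${SIGN_DIR}` as `$1`; the `ARG` on line 12 exists only during `docker build` (where `${WORKSPACE}` is not declared, so the default collapses to `/m2repo`) and is not visible at run time. The copied sigul-sign.sh reads `$SIGN_DIR` from the environment rather than from its arguments, which makes the `CMD` line dead; drop it, or replace the ARG/CMD pair with an `ENV SIGN_DIR=<default-path>` (placeholder) that the runner's `-e SIGN_DIR=` overrides, and say so in a comment. A comment on the `RUN yum install` line noting that sigul is pulled unpinned from the fedora-infra repo (with `gpgcheck=1`, which is good) would also make clear that image rebuilds are not reproducible.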
lf-boolean () {
if (( $# != 1 )); then
- echo "ERROR: ${FUNCNAME[0]}() line: ${BASH_LINENO[0]} : Missing Required Argument"
+ echo "ERROR: ${FUNCNAME[0]}() line: ${BASH_LINENO[0]} :"\
+ " Missing Required Argument"
return 1
fi
local bool
true) return 0 ;;
false) return 1 ;;
'')
- lf-echo-stderr "ERROR: ${FUNCNAME[0]}() line:{BASH_LINENO[0]} : A boolean cannot be a empty string" >&2
+ lf-echo-stderr "ERROR: ${FUNCNAME[0]}() line:{BASH_LINENO[0]} :"\
+ " A boolean cannot be a empty string" >&2
return 2
;;
*)
- lf-echo-stderr "ERROR: ${FUNCNAME[0]}() line: ${BASH_LINENO[0]} : Invalid value for a boolean: '$bool'"
+ lf-echo-stderr "ERROR: ${FUNCNAME[0]}() line: ${BASH_LINENO[0]} :"\
+ " Invalid value for a boolean: '$bool'"
return 2
;;
esac
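Review bot: The reflowed message at line 44 still reads `line:{BASH_LINENO[0]}` — the `$` and the space after `line:` are missing, so the error prints the literal text instead of the line number; it should be `lf-echo-stderr "ERROR: ${FUNCNAME[0]}() line: ${BASH_LINENO[0]} :"\` to match the two sibling branches. That branch also appends `>&2`, which is redundant if lf-echo-stderr already writes to stderr as its name suggests, and its text says `a empty string` where `an empty string` is meant. Separately, the argument-count check at lines 35–36 reports through plain `echo` (stdout) while every other diagnostic in the function goes through lf-echo-stderr; routing it the same way keeps a caller that captures stdout (`result=$(lf-boolean …)`) from swallowing the error. The `case` statement these arms belong to opens outside the hunk.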
# or
# lf-activate-venv lftools
# or
-# lf-activate-venv --python 3.6 git-review
+# lf-activate-venv --python python3.8 git-review
#
# DESCRIPTION
# This function will create a new Python Virtual Environment (venv) and
local options
local set_path=true
local install_args=""
- options=$(getopt -o 'n:p:' -l 'no-path,python:,system-site-packages' -n "${FUNCNAME[0]}" -- "$@" )
+ options=$(getopt -o 'n:p:' -l 'no-path,python:,system-site-packages' \
+ -n "${FUNCNAME[0]}" -- "$@" )
eval set -- "$options"
while true; do
case $1 in
-n|--no-path) set_path=false ; shift ;;
-p|--python) python=$2 ; shift 2 ;;
- --system-site-packages) install_args="--system-site-packages" ; shift ;;
+ --system-site-packages) install_args="--system-site-packages" ;
+ shift ;;
--) shift; break ;;
- *) lf-echo-stderr "${FUNCNAME[0]}(): ERROR: Unknown switch '$1'." ; return 1 ;;
+ *) lf-echo-stderr \
+ "${FUNCNAME[0]}(): ERROR: Unknown switch '$1'." ;
+ return 1 ;;
esac
done
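Review bot: The `getopt` call at lines 67–68 discards getopt's exit status: when the caller passes an option getopt rejects, the assignment still succeeds and `eval set -- "$options"` runs on whatever getopt printed. Because `options` is already declared on its own `local` line, the status is not masked and the check is a one-word change: `-n "${FUNCNAME[0]}" -- "$@" ) || return 1`. The `*)` arm below presumably catches a surviving unknown switch, but that depends on what getopt emits on error, which this code should not rely on. The function's body continues beyond both ends of the hunk.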
if ! type "$python" > /dev/null; then
# Add version specifier for some packages
for arg in "$@"; do
case $arg in
- jenkins-job-builder) pkg_list+="jenkins-job-builder==${JJB_VERSION:-2.8.0} " ;;
+ jenkins-job-builder)
+ pkg_list+="jenkins-job-builder==${JJB_VERSION:-2.8.0} " ;;
*) pkg_list+="$arg " ;;
esac
done
# if JIRA_URL is not defined, nothing to do
if [[ -v JIRA_URL ]]; then
base_url=$(echo "$JIRA_URL" | awk -F'/' '{print $3}')
- jira_link=$(git rev-list --format=%B --max-count=1 HEAD | grep -io "http[s]*://$base_url/" || true)
+ jira_link=$(git rev-list --format=%B --max-count=1 HEAD | \
+ grep -io "http[s]*://$base_url/" || true)
if [[ -n $jira_link ]]; then
- lf-echo-stderr "${FUNCNAME[0]}(): ERROR: JIRA URL found in commit message"
- lf-echo-stderr 'Add jira references as: Issue: <JIRAKEY>-<ISSUE#>, instead of URLs'
+ lf-echo-stderr \
+ "${FUNCNAME[0]}(): ERROR: JIRA URL found in commit message"
+ lf-echo-stderr \
+ 'Add jira references as: Issue: <JIRAKEY>-<ISSUE#>,'\
+ ' instead of URLs'
return 1
fi
else
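Review bot: `$base_url` at lines 98–99 is spliced into a basic regex, so the dots in the host name match any character and, for a host such as `jira.example.org` (constructed), `jiraXexampleYorg` would match too; since only the scheme varies, a fixed-string match is both tighter and free of escaping concerns: `grep -ioF -e "http://$base_url/" -e "https://$base_url/"`. The trailing `|| true` is still needed so that `set -e`/pipefail callers do not abort when nothing matches. The `if [[ -v JIRA_URL ]]` block continues past the `else` that ends the hunk.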
lf-jjb-check-ascii () {
if [[ ! -d "jjb" ]]; then
lf-echo-stderr "${FUNCNAME[0]}(): ERROR: missing jjb directory"
- lf-echo-stderr "This function can only be run from top of global-jjb directory"
+ lf-echo-stderr \
+ "This function can only be run from top of global-jjb directory"
return 1
fi
if LC_ALL=C grep -I -r '[^[:print:][:space:]]' jjb/; then
- lf-echo-stderr "${FUNCNAME[0]}(): ERROR: Found YAML files containing non-printable characters."
+ lf-echo-stderr \
+ "${FUNCNAME[0]}(): ERROR: Found YAML files containing"\
+ " non-printable characters."
return 1
fi
- echo "${FUNCNAME[0]}(): INFO: All JJB YAML files contain only printable ASCII characters"
+ echo "${FUNCNAME[0]}(): INFO: All JJB YAML files contain only printable"\
+ " ASCII characters"
return 0
}
# Disable 'unused-variable' check
# shellcheck disable=SC2034
maven_options="--show-version --batch-mode -Djenkins \
- -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \
- -Dmaven.repo.local=/tmp/r -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r"
+ -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.\
+ transfer.Slf4jMavenTransferListener=warn \
+ -Dmaven.repo.local=/tmp/r \
+ -Dorg.ops4j.pax.url.mvn.localRepository=/tmp/r"
}
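Review bot: The reflow at lines 136–137 splits a single `-D` property across a backslash-newline inside a double-quoted string. Bash removes the backslash-newline pair but keeps whatever indentation starts the next line, so unless line 137 begins in column 0 the value becomes `…cli.    transfer.Slf4jMavenTransferListener=warn`, and when `$maven_options` is presumably expanded unquoted on the mvn command line Maven sees a truncated property name plus an unrelated `transfer.…=warn` argument. Continuations are only safe between whole arguments, as on lines 138–139; keep `-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn \` on one line (a line-length exemption is cheaper than a broken property), or build `maven_options` as an array so each property is its own element. The enclosing function starts before the hunk.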
submodule-disable: false
packer-builder: openstack
packer-cloud-settings: packer-cloud-env
- packer-version: 1.6.6
+ packer-version: 1.8.2
#####################
# Job Configuration #
sbom-flags: ""
sbom-path: "$WORKSPACE"
sbom-generator: false
- sbom-generator-version: "v0.0.10"
+ sbom-generator-version: "v0.0.15"
sign-artifacts: false
sign-mode: serial
stream: master
git-url: "$GIT_URL/$PROJECT"
github-url: "https://github.com"
java-version: openjdk11 # Scanner is a jar
- nexus-iq-cli-version: 1.89.0-02
+ nexus-iq-cli-version: 1.140.0-01
nexus-iq-namespace: "" # Recommend a trailing dash when set. Example: odl-
pre-build-script: "# pre-build script goes here"
python-version: python3
--- /dev/null
+---
+fixes:
+ - |
+ Fix lf-activate-env code comment. The comment suggests using
+ just the version number ``--python <x.y>``, however as per the
+ code the correct format as per the code is ``--python python<x.y>``
--- /dev/null
+---
+fixes:
+ - |
+ Fix URL path indent, add a default ARG to the Dockerfile to remove WARNING.
+ Set the .asc files permissions to jenkins after the sigul has signed the
+ files.
--- /dev/null
+---
+deprecations:
+ - |
+ Our Sigul bridges now have publicly accessible DNS names, so it is no longer
+ necessary to create an entry in the hosts file. Since this process relies
+ on up-to-date IP addresses being configured in each project's global env
+ vars, it can cause avoidable errors. It is therefore being removed.
--- /dev/null
+---
+fixes:
+ - |
+ Copy SBOM report to the project's m2repo so that is signed by
+ SIGUL and pushed in the same staging package as the maven
+ artifacts.
--- /dev/null
+---
+fixes:
+ - |
+ Update to the latest version of SBOM (v0.0.15) that allows the usage of
+ a custom maven settings file to resolve transitive dependencies.
+ Update thebom-generator script to pass the project's global settings file
+ and update the sbom file name so is better identifiable.
--- /dev/null
+---
+fixes:
+ - |
+ Update the sigul-sign-dir.sh to sign artifacts using docker. The docker
+ image is built on CentOS Streams 8/9. The newer version of sigul 1.1.1
+ available for CentOS 8 is not backwords compatible with the version of
+ sigul on CentOS 7.
+
+ As a temporary workaround build a CentOS7 docker image with sigul
+ installed and use it for signing artificats on platforms where sigul is
+ not readly available.
+
+ Note: the executor node needs to have docker installed, so it can't be
+ a "vanilla" build node but must be a docker node.
--- /dev/null
+---
+upgrade:
+ - |
+ Upgrade NexusIQ Client to more recent version 1.140.0-01.
--- /dev/null
+---
+upgrade:
+ - |
+ Upgrade Packer version to v1.8.2. The version is more recent v1.8.2
+ and has security updates.
+
+ Ref: https://github.com/hashicorp/packer/releases/tag/v1.8.2
--- /dev/null
+---
+fixes:
+ - |
+ Set lf-activate-env to use Python 3.8 while running lftools deploy logs.
+ This fixes the below warnings which when jobs try to use default
+ version of python 3.6 which is EOL.
+
+ CryptographyDeprecationWarning: Python 3.6 is no longer supported
+ by the Python core team. Therefore, support for it is deprecated in
+ cryptography and will be removed in a future release.
+
+ PythonDeprecationWarning: Boto3 will no longer support Python 3.6 starting
+ May 30, 2022. To continue receiving service updates, bug fixes, and
+ security updates please upgrade to Python 3.7 or later.
fi
# Archive the cost date
-mkdir -p "$WORKSPACE/archives/cost"
+mkdir -p "${WORKSPACE}/archives/cost"
echo "INFO: Archiving Costs"
date=$(TZ=GMT date +'%Y-%m-%d %H:%M:%S')
# Format the uptime, cost & stack_cost fields
-printf "%s,%s,%s,%s,%d,%.2f,%.2f,%s\n" "$JOB_NAME" "$BUILD_NUMBER" "$date" \
- "$resource" "$uptime" "$cost" "$stack_cost" "$BUILD_RESULT" > "$WORKSPACE/archives/cost.csv"
+printf "%s,%s,%s,%s,%d,%.2f,%.2f,%s\n" "${JOB_NAME:-}" "${BUILD_NUMBER:-}" "$date" \
+ "$resource" "$uptime" "$cost" "$stack_cost" "${BUILD_RESULT:-}" > "${WORKSPACE}/archives/cost.csv"
# shellcheck disable=SC1090
source ~/lf-env.sh
-lf-activate-venv lftools
+lf-activate-venv --python python3.8 lftools
# Ensure we fail the job if any steps fail
# Disable 'globbing'
echo "S3 build logs: <a href=\"https://$CDN_URL/$s3_path\">https://$CDN_URL/$s3_path</a>"
fi
-
echo "Generating Requirements File"
cat << 'EOF' > "$requirements_file"
+openstacksdk<0.99
python-heatclient
python-openstackclient
python-magnumclient
set -eu
# Add mvn executable into PATH
-export PATH=$PATH:${MVN::-4}
+export PATH=${MVN::-4}:$PATH
SBOM_LOCATION="/tmp/spdx-sbom-generator-${SBOM_GENERATOR_VERSION}-linux-amd64.tar.gz"
echo "INFO: downloading spdx-sbom-generator version ${SBOM_GENERATOR_VERSION}"
URL="https://github.com/spdx/spdx-sbom-generator/releases/download/${SBOM_GENERATOR_VERSION}/\
tar -xzf "${SBOM_LOCATION}" -C ${SBOM_PATH}
echo "INFO: running spdx-sbom-generator"
cd ${SBOM_PATH}
-./spdx-sbom-generator "${SBOM_FLAGS:-}" -o "${WORKSPACE}"/m2repo
+./spdx-sbom-generator "${SBOM_FLAGS:-}" -g "$GLOBAL_SETTINGS_FILE" -o "${WORKSPACE}"/archives
+mv "${WORKSPACE}"/archives/bom-Java-Maven.spdx "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}"
+cp "${WORKSPACE}"/archives/sbom-"${JOB_BASE_NAME}" "${WORKSPACE}"/m2repo/sbom-"${JOB_BASE_NAME}"
mv spdx-sbom-generator /tmp/
rm /tmp/spdx*
echo "---> sbom-generator.sh ends"
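Review bot: The spdx-sbom-generator tarball fetched from the GitHub release URL (line 276 in the preceding hunk, whose continuation and the download command itself are outside view) is unpacked by `tar -xzf` at line 277 with no integrity check, and the binary it yields now produces the SBOM that lines 282–283 copy into `m2repo` for signing, so whatever is served at that URL ends up signed with the project key. Pin the expected digest next to `SBOM_GENERATOR_VERSION` and verify before extracting, e.g. `echo "<EXPECTED_SHA256>  ${SBOM_LOCATION}" | sha256sum -c -` (placeholder digest). On the same lines, `${SBOM_PATH}` at 277 and 279 is unquoted unlike every other expansion in the hunk, and the `mv`/`cp` at 282–283 would be safer with `--` before the paths.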
# install sigul
sudo yum install -y -q sigul
fi;
-# configure /etc/hosts with the sigul bridge hostname
-# This is needed as build minions can't always get DNS resolution
-# on the bridge
-BRIDGE_HOST=$(grep bridge-hostname "$SIGUL_CONFIG" | awk '{print $2}')
-
-# SIGUL_BRIDGE_IP must be defined as a Jenkins env variable
-cp /etc/hosts hosts
-echo -e "$SIGUL_BRIDGE_IP\t$BRIDGE_HOST" >> hosts
-sudo cp hosts /etc/hosts
-rm hosts
# Ensure we fail the job if any steps fail.
set -e -o pipefail
-lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+OS=$(facter operatingsystem | tr '[:upper:]' '[:lower:]')
+OS_RELEASE=$(facter lsbdistrelease | tr '[:upper:]' '[:lower:]')
+if [[ "$OS_RELEASE" == "8" && "$OS" == 'centos' ]]; then
+ # Get Dockerfile and the enterpoint to build the docker image.
+ wget -O "${WORKSPACE}/sigul-sign.sh" "https://raw.githubusercontent.com/"\
+"lfit/releng-global-jjb/master/shell/sigul-sign.sh"
+ wget -O "${WORKSPACE}/Dockerfile" "https://raw.githubusercontent.com/"\
+"lfit/releng-global-jjb/master/docker/Dockerfile"
+
+ # Setup the docker environment for jenkins user
+ docker build -f ${WORKSPACE}/Dockerfile \
+ --build-arg SIGN_DIR=${SIGN_DIR} \
+ -t sigul-sign .
+
+ docker volume create --driver local \
+ --opt type=none \
+ --opt device=/w/workspace \
+ --opt o=bind \
+ wrkspc_vol
+
+ docker volume inspect wrkspc_vol
+
+ docker run -e SIGUL_KEY="${SIGUL_KEY}" \
+ -e SIGUL_PASSWORD="${SIGUL_PASSWORD}" \
+ -e SIGUL_CONFIG=${SIGUL_CONFIG} \
+ -e SIGN_DIR=${SIGN_DIR} \
+ -e WORKSPACE=${WORKSPACE} \
+ --name sigul-sign \
+ --security-opt label:disable \
+ --mount type=bind,source="/w/workspace",target="/w/workspace" \
+ --mount type=bind,source="/home/jenkins",target="/home/jenkins" \
+ -u root:root -w $(pwd) sigul-sign
+
+ # change the .asc files owner permissions back to jenkins
+ sudo chown -R jenkins:jenkins "${SIGN_DIR}"
+else
+ lftools sign sigul -m "${SIGN_MODE}" "${SIGN_DIR}"
+fi
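Review bot: Lines 307–310 fetch the Dockerfile and the container entrypoint from the `master` branch of the global-jjb repository on every run, so the code that then executes as root with the signing key name and password-file location passed in is an unpinned, mutable dependency rather than the version this job was released with; reference a tag or commit, e.g. `https://raw.githubusercontent.com/lfit/releng-global-jjb/<RELEASE_TAG>/docker/Dockerfile` (placeholder), or ship the two files with the job instead of downloading them. The `docker run` at lines 325–334 has no `--rm`, so a second run on the same node fails on the fixed `--name sigul-sign`, and the exited container keeps its `SIGUL_*` environment readable via `docker inspect`; `docker run --rm …` avoids both. The `wrkspc_vol` volume created at lines 317–321 is never referenced by the run (it uses `--mount type=bind` instead) and can be dropped together with the `inspect` at line 323. `${WORKSPACE}`, `${SIGN_DIR}`, `${SIGUL_CONFIG}` and `$(pwd)` are unquoted in the `docker build`/`run` arguments while the `wget` lines quote theirs.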
--- /dev/null
+#!/bin/bash
+# SPDX-License-Identifier: EPL-1.0
+##############################################################################
+# Copyright (c) 2022 The Linux Foundation and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Eclipse Public License v1.0
+# which accompanies this distribution, and is available at
+# http://www.eclipse.org/legal/epl-v10.html
+##############################################################################
+# Script to run the sigul signing from within a CentOS7 docker container
+
+echo "Sign files in: $SIGN_DIR"
+
+set -e # Fail immediately if any if signing fails
+find "${SIGN_DIR}" -type f ! -name "*.asc" \
+ ! -name "*.md5" \
+ ! -name "*.sha1" \
+ ! -name "_maven.repositories" \
+ ! -name "_remote.repositories" \
+ ! -name "*.lastUpdated" \
+ ! -name "maven-metadata-local.xml" \
+ ! -name "maven-metadata.xml" > ${WORKSPACE}/sign.lst
+
+if [ -s ${WORKSPACE}/sign.lst ]; then
+ echo "Sign list is not empty"
+fi
+
+files_to_sign=()
+while IFS= read -rd $'\n' line; do
+ files_to_sign+=("$line")
+ sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
+done < ${WORKSPACE}/sign.lst
+
+if [ "${#files_to_sign[@]}" -eq 0 ]; then
+ echo "ERROR: No files to sign. Quitting..."
+ exit 1
+fi
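Review bot: The file list written at lines 357–364 is newline-delimited and consumed with `read -rd $'\n'` at line 371, so an artifact path containing a newline is split into fragments that are either skipped or passed to sigul as a different name; `find … -print0` with `read -rd ''` makes the loop exact. The empty-list check at lines 376–379 runs only after the loop, so the `files_to_sign` array exists purely to count; testing `-s` on the list before signing gives the same exit behaviour without the array and replaces the informational-only `if` at 366–368. The unquoted `${WORKSPACE}/sign.lst` at lines 364, 366 and 374 should be quoted like the other expansions in the file. The comment on `set -e` reads `Fail immediately if any if signing fails`; `# Fail immediately if any signing step fails` is what is meant.
```bash
# … unchanged: find "${SIGN_DIR}" -type f with the same ! -name filters, ending in …
    ! -name "maven-metadata.xml" -print0 > "${WORKSPACE}/sign.lst"

if [ ! -s "${WORKSPACE}/sign.lst" ]; then
    echo "ERROR: No files to sign. Quitting..."
    exit 1
fi

while IFS= read -rd '' line; do
    sigul --batch -c "${SIGUL_CONFIG}" sign-data -a -o "${line}.asc" "${SIGUL_KEY}" "${line}" < "${SIGUL_PASSWORD}"
done < "${WORKSPACE}/sign.lst"
```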