From 00b85b9d93eecfa12c08790d8e5a69154540fed7 Mon Sep 17 00:00:00 2001 From: Michele Santoro Date: Fri, 10 May 2024 10:26:06 +0200 Subject: [PATCH 1/3] Add certification into release process
---
 .github/workflows/release-workflow.yml | 58 ++++++++++--- .jenkins/Jenkinsfile | 116 +++++++++++++++++++++++++ 2 files changed, 161 insertions(+), 13 deletions(-) create mode 100644 .jenkins/Jenkinsfile
diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml
index 0151f20f4..63b3664b6 100644
--- a/.github/workflows/release-workflow.yml
+++ b/.github/workflows/release-workflow.yml
@@ -244,14 +244,48 @@ jobs: name: linux-artifacts - name: Fetch Windows Artifacts - uses: actions/download-artifact@v4 - with: - name: windows-artifacts + # Sign SAML-CLI Windows executable + - name: Get Artifact ID (Windows) + if: matrix.os == 'windows-latest' + shell: bash + run: | + # Get the list of artifacts for the specified workflow run + response=$(curl -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository_owner }}/$(echo '${{ github.repository }}' | cut -d'/' -f2)/actions/runs/${{ github.run_id }}/artifacts") + + # Filter out the ID of the artifact with a name that contains "windows" + artifact_id=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("windows-artifacts")) | .id') - - name: Prepare release + # Save the artifact ID in an environment variable + echo "ARTIFACT_ID=$artifact_id" >> $GITHUB_ENV + env: + TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows) + if: matrix.os == 'windows-latest' + shell: bash + run: | + ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-sdk/actions/artifacts/$ARTIFACT_ID/zip" + BRANCH_NAME="pre_release_configuration" + + echo "artifact_url_win=$ARTIFACT_URL_WIN" > parameters.txt + echo "version=${{ github.event.inputs.release_version }}" >> parameters.txt + + git config --global user.email "github-actions@github.com" + git config --global user.name "github-actions" + git checkout -b $BRANCH_NAME + git add parameters.txt + git commit -m "Add parameters.txt with artifact_url_win and version" + git push origin $BRANCH_NAME + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Trigger Jenkins Job, for signing executable + if: matrix.os == 'windows-latest' + shell: bash run: | - # Create Windows CLI zip - zip -9 -r samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip samm.exe *.dll + DATA='{"repository": {"url": 
"https://github.com/eclipse-esmf/esmf-sdk", "html_url": "https://github.com/eclipse-esmf/esmf-sdk", "owner": { "name": "ESMF"}}, "pusher": { "name": "GitHub Action", "email": "esmf-dev@eclipse.org"}}' + SHA1="$(echo -n "${DATA}" | openssl dgst -sha1 -hmac "${WEBHOOK_SECRET}" | sed 's/SHA1(stdin)= //')" + curl -X POST https://ci.eclipse.org/esmf/github-webhook/ -H "Content-Type: application/json" -H "X-GitHub-Event: push" -H "X-Hub-Signature: sha1=${SHA1}" -d "${DATA}" # Full release: Maven Central # The (apparently) only way to retrieve the staging profile id @@ -293,11 +327,11 @@ jobs: - name: Commit version changes and push to upstream repository uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5 with: - branch: ${{ env.release_branch_name }} - commit_user_name: github-actions - commit_user_email: github-actions@github.com - commit_author: Author - file_pattern: 'documentation/developer-guide/antora.yml pom.xml */pom.xml */*/pom.xml' + branch: ${{ env.release_branch_name }} + commit_user_name: github-actions + commit_user_email: github-actions@github.com + commit_author: Author + file_pattern: 'documentation/developer-guide/antora.yml pom.xml */pom.xml */*/pom.xml' # Full release: Github - name: "Create Github release (full)" @@ -310,7 +344,6 @@ jobs: draft: false prerelease: false files: | - samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip samm-cli-${{ github.event.inputs.release_version }}-linux-x86_64.tar.gz samm-cli-*.jar env: @@ -374,7 +407,6 @@ jobs: draft: false prerelease: true files: | - samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip samm-cli-${{ github.event.inputs.release_version }}-linux-x86_64.tar.gz samm-cli-*.jar env: diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile new file mode 100644 index 000000000..fec1e0fb3 --- /dev/null +++ b/.jenkins/Jenkinsfile 
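Review bot: The `Trigger Jenkins Job, for signing executable` step computes its HMAC with `${WEBHOOK_SECRET}`, but unlike the two steps before it carries no `env:` block that sets that variable, so unless it is defined at job or workflow level outside this hunk the signature is computed over an empty key and the Jenkins webhook will reject the request; add `env:` with `WEBHOOK_SECRET: ${{ secrets.<jenkins-webhook-secret-name> }}` (placeholder name) to that step. `ARTIFACT_URL_WIN` in the commit step hardcodes `eclipse-esmf/esmf-sdk` while the lookup step derives the repository from `github.repository`, so on a fork Jenkins would be pointed at an artifact ID that belongs to a different repository. The `jq` filter `select(.name | contains("windows-artifacts"))` emits one ID per matching artifact, so a second match produces a multi-line `ARTIFACT_ID` and a malformed URL; use an exact match `select(.name == "windows-artifacts")` and take only the first result. `git checkout -b $BRANCH_NAME` followed by `git push origin $BRANCH_NAME` is rejected as non-fast-forward when `pre_release_configuration` is still present from an earlier run (the Jenkinsfile removes it only at the end of a successful job), so for this throwaway branch the push should be `git push --force origin $BRANCH_NAME`.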
@@ -0,0 +1,116 @@ +pipeline { + agent any + + environment { + GITHUB_BOT_TOKEN = credentials('github-bot-token') + } + + stages { + stage('Read parameters file') { + steps { + script { + if (fileExists('parameters.txt')) { + // Read the file + def fileContent = readFile('parameters.txt').trim() + + // Split the file content into lines + def lines = fileContent.split("\n") + + // Iterate over the lines and set the environment variables + lines.each { line -> + def parts = line.split('=') + if (parts.size() == 2) { + env[parts[0]] = parts[1] + } + } + + echo "Artifact URL: ${env.artifact_url_win}" + echo "Version: ${env.version}" + } else { + echo "Error: parameters.txt does not exist." + } + } + } + } + + stage('Download and unpack artifact') { + steps { + script { + sh "curl -L -H 'Accept: application/vnd.github.v3+json' \ + -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \ + '${env.artifact_url_win}' \ + --output 'samm-cli-${env.version}-windows-x86_64.zip'" + sh "mkdir -p unpack_dir" + sh "unzip -o samm-cli-${env.version}-windows-x86_64.zip -d unpack_dir" + sh "ls -a unpack_dir" + } + } + } + + stage('Sign Applications') { + steps { + script { + sh "mkdir -p signed_dir" + sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;" + sh "curl -o signed_dir/samm.exe -F file=@unpack_dir/samm.exe https://cbi.eclipse.org/authenticode/sign" + sh "cd signed_dir" + sh "zip -r ../samm-cli-${env.version}-windows-x86_64-signed.zip *" + } + } + } + + stage('Release signed WINDOWS artifact to GitHub Releases') { + steps { + script { + def repo = "eclipse-esmf/esmf-sdk" + def tagName = "v${env.version}" + def fileName = "samm-cli-${env.version}-windows-x86_64-signed.zip" + def releaseId = "" + + def tagExists = sh(script: """ + curl -s -L \\ + -H "Accept: application/vnd.github+json" \\ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\ + https://api.github.com/repos/${repo}/git/refs/tags/${tagName} | jq -r '.ref' + """, returnStdout: true).trim() + + if (tagExists == "null") 
{ + // Tag does not exist, create a new one + releaseId = sh(script: """ + curl -s -L \\ + -H "Accept: application/vnd.github+json" \\ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\ + -X POST \\ + -d '{ "tag_name": "${tagName}", "name": "${tagName}", "body": "Release ${tagName}" }' \\ + https://api.github.com/repos/${repo}/releases | jq -r '.id' + """, returnStdout: true).trim() + } else { + // Tag exists, use the existing one + releaseId = sh(script: """ + curl -s -L \\ + -H "Accept: application/vnd.github+json" \\ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\ + https://api.github.com/repos/${repo}/releases/tags/${tagName} | jq -r '.id' + """, returnStdout: true).trim() + } + + sh """ + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \\ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @${fileName} \ + "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileName}" + """ + + sh """ + curl -X DELETE \ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \ + "https://api.github.com/repos/eclipse-esmf/esmf-sdk/git/refs/heads/pre_release_configuration" + """ + } + } + } + } +} From 363475969e6dab77586dc80a72e3b787f0f331c1 Mon Sep 17 00:00:00 2001 From: Michele Santoro Date: Fri, 10 May 2024 10:27:03 +0200 Subject: [PATCH 2/3] Remove fetch windows artifact --- .github/workflows/release-workflow.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release-workflow.yml b/.github/workflows/release-workflow.yml index 63b3664b6..dac51542c 100644 --- a/.github/workflows/release-workflow.yml +++ b/.github/workflows/release-workflow.yml @@ -243,7 +243,6 @@ jobs: with: name: linux-artifacts - - name: Fetch Windows Artifacts # Sign SAML-CLI Windows executable - name: Get Artifact ID (Windows) if: matrix.os == 'windows-latest' From ff635e153a627fce8aa6ab8af56bf2701e044d3f Mon Sep 17 00:00:00 2001 
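Review bot: The `Download and unpack artifact` stage interpolates the credential with Groovy (`-H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}'`), so the token is expanded into the command string before the shell runs and can surface in the build log and process listing; the later stages already do this correctly with `\$GITHUB_BOT_TOKEN`, so change that line to `-H \"Authorization: Bearer \$GITHUB_BOT_TOKEN\" \`. That same curl sends the token to whatever `env.artifact_url_win` contains, which is read from `parameters.txt` on a branch the job checks out, so anything able to write that branch could redirect the bot token to an arbitrary host; check the value before the download, e.g. `if (!env.artifact_url_win?.startsWith('https://api.github.com/repos/eclipse-esmf/esmf-sdk/actions/artifacts/')) { error("unexpected artifact URL: ${env.artifact_url_win}") }`. In `Sign Applications`, `sh "cd signed_dir"` is its own step, so the following `zip -r ../samm-cli-…-signed.zip *` runs in the workspace root, packs `unpack_dir` and the unsigned download as well, and writes the archive outside the workspace; combine them as `sh "cd signed_dir && zip -r ../samm-cli-${env.version}-windows-x86_64-signed.zip *"`. Neither curl passes `--fail`, so an HTTP error body from the signing service would be written to `signed_dir/samm.exe` and shipped as if it were the signed binary; use `curl --fail -o signed_dir/samm.exe …` and `curl --fail -L …` for the download. The `Read parameters file` stage only echoes on a missing `parameters.txt` and lets the later stages run with empty values, so it should call `error('parameters.txt does not exist')` instead.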
From: Michele Santoro Date: Fri, 10 May 2024 11:51:01 +0200 Subject: [PATCH 3/3] Remove signed from zip name --- .jenkins/Jenkinsfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile index fec1e0fb3..708d0a48e 100644 --- a/.jenkins/Jenkinsfile +++ b/.jenkins/Jenkinsfile @@ -54,7 +54,7 @@ pipeline { sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;" sh "curl -o signed_dir/samm.exe -F file=@unpack_dir/samm.exe https://cbi.eclipse.org/authenticode/sign" sh "cd signed_dir" - sh "zip -r ../samm-cli-${env.version}-windows-x86_64-signed.zip *" + sh "zip -r ../samm-cli-${env.version}-windows-x86_64.zip *" } } } @@ -64,7 +64,7 @@ pipeline { script { def repo = "eclipse-esmf/esmf-sdk" def tagName = "v${env.version}" - def fileName = "samm-cli-${env.version}-windows-x86_64-signed.zip" + def fileName = "samm-cli-${env.version}-windows-x86_64.zip" def releaseId = "" def tagExists = sh(script: """
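Review bot: Dropping the `-signed` suffix makes the archive name identical to the unsigned download produced by the `Download and unpack artifact` stage, and because `sh "cd signed_dir"` (context line above the change) is a separate step, the `zip -r ../…` on the changed line runs in the workspace root and writes its output outside the workspace; the `--data-binary @${fileName}` upload in the release stage then picks up the unsigned zip still sitting in the workspace and publishes it under the new name. Either keep the distinct name, or run the archive step inside the signed directory so the signed zip overwrites the download before upload: `sh "cd signed_dir && zip -r ../samm-cli-${env.version}-windows-x86_64.zip *"`. The enclosing `Sign Applications` and release stages extend beyond both hunks.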