
Add certification for samm cli win #572


Merged
merged 3 commits into from
May 14, 2024
59 changes: 45 additions & 14 deletions .github/workflows/release-workflow.yml
Expand Up @@ -243,15 +243,48 @@ jobs:
with:
name: linux-artifacts

- name: Fetch Windows Artifacts
uses: actions/download-artifact@v4
with:
name: windows-artifacts
# Sign SAML-CLI Windows executable
- name: Get Artifact ID (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
# Get the list of artifacts for the specified workflow run
response=$(curl -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository_owner }}/$(echo '${{ github.repository }}' | cut -d'/' -f2)/actions/runs/${{ github.run_id }}/artifacts")

# Filter out the ID of the artifact with a name that contains "windows"
artifact_id=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("windows-artifacts")) | .id')

- name: Prepare release
# Save the artifact ID in an environment variable
echo "ARTIFACT_ID=$artifact_id" >> $GITHUB_ENV
env:
TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-sdk/actions/artifacts/$ARTIFACT_ID/zip"
BRANCH_NAME="pre_release_configuration"

echo "artifact_url_win=$ARTIFACT_URL_WIN" > parameters.txt
echo "version=${{ github.event.inputs.release_version }}" >> parameters.txt

git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions"
git checkout -b $BRANCH_NAME
git add parameters.txt
git commit -m "Add parameters.txt with artifact_url_win and version"
git push origin $BRANCH_NAME
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Trigger Jenkins Job, for signing executable
if: matrix.os == 'windows-latest'
shell: bash
run: |
# Create Windows CLI zip
zip -9 -r samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip samm.exe *.dll
DATA='{"repository": {"url": "https://github.com/eclipse-esmf/esmf-sdk", "html_url": "https://github.com/eclipse-esmf/esmf-sdk", "owner": { "name": "ESMF"}}, "pusher": { "name": "GitHub Action", "email": "esmf-dev@eclipse.org"}}'
SHA1="$(echo -n "${DATA}" | openssl dgst -sha1 -hmac "${WEBHOOK_SECRET}" | sed 's/SHA1(stdin)= //')"
curl -X POST https://ci.eclipse.org/esmf/github-webhook/ -H "Content-Type: application/json" -H "X-GitHub-Event: push" -H "X-Hub-Signature: sha1=${SHA1}" -d "${DATA}"

# Full release: Maven Central
# The (apparently) only way to retrieve the staging profile id
Expand Down Expand Up @@ -293,11 +326,11 @@ jobs:
- name: Commit version changes and push to upstream repository
uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5
with:
branch: ${{ env.release_branch_name }}
commit_user_name: github-actions
commit_user_email: github-actions@github.com
commit_author: Author <actions@github.com>
file_pattern: 'documentation/developer-guide/antora.yml pom.xml */pom.xml */*/pom.xml'
branch: ${{ env.release_branch_name }}
commit_user_name: github-actions
commit_user_email: github-actions@github.com
commit_author: Author <actions@github.com>
file_pattern: 'documentation/developer-guide/antora.yml pom.xml */pom.xml */*/pom.xml'

# Full release: Github
- name: "Create Github release (full)"
Expand All @@ -310,7 +343,6 @@ jobs:
draft: false
prerelease: false
files: |
samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip
samm-cli-${{ github.event.inputs.release_version }}-linux-x86_64.tar.gz
samm-cli-*.jar
env:
Expand Down Expand Up @@ -374,7 +406,6 @@ jobs:
draft: false
prerelease: true
files: |
samm-cli-${{ github.event.inputs.release_version }}-windows-x86_64.zip
samm-cli-${{ github.event.inputs.release_version }}-linux-x86_64.tar.gz
samm-cli-*.jar
env:
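Review bot: The step "Trigger Jenkins Job, for signing executable" in the first hunk computes the webhook HMAC from `${WEBHOOK_SECRET}`, but the step has no `env:` block, so unless that variable is set at job or workflow level outside the hunk the signature is computed with an empty key; add `env:` with `WEBHOOK_SECRET: ${{ secrets.<WEBHOOK_SECRET_NAME> }}` (placeholder name) to the step. The `sed 's/SHA1(stdin)= //'` cleanup depends on the exact prefix that `openssl dgst` prints, which may differ between OpenSSL versions, so taking the last field with `awk '{print $NF}'` is more robust. In the same hunk `${{ github.event.inputs.release_version }}` is expanded directly inside the `run:` scripts (the `parameters.txt` write and the `zip` command); passing it through `env:` and referencing `"$RELEASE_VERSION"` keeps the input out of the shell source. A format check on the version at that point would also protect the Jenkins job that later reads `parameters.txt`.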
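--- a/.jenkins/Jenkinsfile
+++ b/.jenkins/Jenkinsfile
@@ -0,0 +1,116 @@
+pipeline {
+agent any
+
+environment {
+GITHUB_BOT_TOKEN = credentials('github-bot-token')
+}
+
+stages {
+stage('Read parameters file') {
+steps {
+script {
+if (fileExists('parameters.txt')) {
+// Read the file
+def fileContent = readFile('parameters.txt').trim()
+
+// Split the file content into lines
+def lines = fileContent.split("\n")
+
+// Iterate over the lines and set the environment variables
+lines.each { line ->
+def parts = line.split('=')
+if (parts.size() == 2) {
+env[parts[0]] = parts[1]
+}
+}
+
+echo "Artifact URL: ${env.artifact_url_win}"
+echo "Version: ${env.version}"
+} else {
+echo "Error: parameters.txt does not exist."
+}
+}
+}
+}
+
+stage('Download and unpack artifact') {
+steps {
+script {
+sh "curl -L -H 'Accept: application/vnd.github.v3+json' \
+-H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \
+'${env.artifact_url_win}' \
+--output 'samm-cli-${env.version}-windows-x86_64.zip'"
+sh "mkdir -p unpack_dir"
+sh "unzip -o samm-cli-${env.version}-windows-x86_64.zip -d unpack_dir"
+sh "ls -a unpack_dir"
+}
+}
+}
+
+stage('Sign Applications') {
+steps {
+script {
+sh "mkdir -p signed_dir"
+sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;"
+sh "curl -o signed_dir/samm.exe -F file=@unpack_dir/samm.exe https://cbi.eclipse.org/authenticode/sign"
+sh "cd signed_dir"
+sh "zip -r ../samm-cli-${env.version}-windows-x86_64.zip *"
+}
+}
+}
+
+stage('Release signed WINDOWS artifact to GitHub Releases') {
+steps {
+script {
+def repo = "eclipse-esmf/esmf-sdk"
+def tagName = "v${env.version}"
+def fileName = "samm-cli-${env.version}-windows-x86_64.zip"
+def releaseId = ""
+
+def tagExists = sh(script: """
+curl -s -L \\
+-H "Accept: application/vnd.github+json" \\
+-H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\
+https://api.github.com/repos/${repo}/git/refs/tags/${tagName} | jq -r '.ref'
+""", returnStdout: true).trim()
+
+if (tagExists == "null") {
+// Tag does not exist, create a new one
+releaseId = sh(script: """
+curl -s -L \\
+-H "Accept: application/vnd.github+json" \\
+-H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\
+-X POST \\
+-d '{ "tag_name": "${tagName}", "name": "${tagName}", "body": "Release ${tagName}" }' \\
+https://api.github.com/repos/${repo}/releases | jq -r '.id'
+""", returnStdout: true).trim()
+} else {
+// Tag exists, use the existing one
+releaseId = sh(script: """
+curl -s -L \\
+-H "Accept: application/vnd.github+json" \\
+-H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \\
+https://api.github.com/repos/${repo}/releases/tags/${tagName} | jq -r '.id'
+""", returnStdout: true).trim()
+}
+
+sh """
+curl -L \
+-X POST \
+-H "Accept: application/vnd.github+json" \\
+-H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
+-H "Content-Type: application/octet-stream" \
+--data-binary @${fileName} \
+"https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileName}"
+"""
+
+sh """
+curl -X DELETE \
+-H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \
+"https://api.github.com/repos/eclipse-esmf/esmf-sdk/git/refs/heads/pre_release_configuration"
+"""
+}
+}
+}
+}
+}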
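Review bot: The 'Sign Applications' stage does not appear to get the signed files into the archive that is later published. `sh "cd signed_dir"` runs in its own shell, so the following `zip -r ../samm-cli-...zip *` executes in the workspace root and writes one directory above it, while the release stage uploads `@${fileName}` from the workspace, which is still the unsigned download. Running both commands in a single `sh` step (`cd signed_dir && zip -r ... .`) after removing the downloaded zip would fix this, and `--fail` on the signing `curl` would keep an error response from being packaged as `samm.exe`. Separately, 'Download and unpack artifact' interpolates `${GITHUB_BOT_TOKEN}` through Groovy, together with `env.artifact_url_win` and `env.version`, which are read from `parameters.txt`; whoever can push that file therefore decides where the bot token is sent and what text reaches the shell. Use `\$GITHUB_BOT_TOKEN` as the later stages do, accept only the expected keys in 'Read parameters file' rather than assigning `env[parts[0]]` for any name, and check the URL prefix and version format before either value is used.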