From 603b27a1e51fa5d9b11f66091dde1536c11cccbe Mon Sep 17 00:00:00 2001 From: dblock Date: Thu, 28 Jul 2022 13:53:01 -0300 Subject: [PATCH] Release to maven. Signed-off-by: dblock --- java-client/build.gradle.kts | 6 +- jenkins/publish-snapshot.jenkinsfile | 2 +- jenkins/stage-maven-release.jenkinsfile | 110 +++++++++++++++++++ jenkins/stage-maven-release/JenkinsFile | 138 ------------------------ 4 files changed, 114 insertions(+), 142 deletions(-) create mode 100644 jenkins/stage-maven-release.jenkinsfile delete mode 100644 jenkins/stage-maven-release/JenkinsFile diff --git a/java-client/build.gradle.kts b/java-client/build.gradle.kts index 1b242f23c6..98837acd5e 100644 --- a/java-client/build.gradle.kts +++ b/java-client/build.gradle.kts @@ -250,12 +250,12 @@ publishing { repositories{ if (version.toString().endsWith("SNAPSHOT")) { maven("https://aws.oss.sonatype.org/content/repositories/snapshots/") { - name = "snapshots" + name = "snapshotRepo" credentials(PasswordCredentials::class) } } else { - maven { - uri("${rootProject.buildDir}/repository") + maven("${rootProject.buildDir}/repository") { + name = "localRepo" } } } diff --git a/jenkins/publish-snapshot.jenkinsfile b/jenkins/publish-snapshot.jenkinsfile index 306bea88a4..c9a562d0cd 100644 --- a/jenkins/publish-snapshot.jenkinsfile +++ b/jenkins/publish-snapshot.jenkinsfile @@ -15,7 +15,7 @@ pipeline { sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotsRepository' } } - post() { + post { always { cleanWs disableDeferredWipeout: true, deleteDirs: true } diff --git a/jenkins/stage-maven-release.jenkinsfile b/jenkins/stage-maven-release.jenkinsfile new file mode 100644 index 0000000000..b369ec011e --- /dev/null +++ b/jenkins/stage-maven-release.jenkinsfile @@ -0,0 +1,110 @@ +pipeline { + agent { + docker { + label 'Jenkins-Agent-AL2-X64-C54xlarge-Docker-Host' + image 'opensearchstaging/ci-runner:ci-runner-centos7-opensearch-build-v2' + args '-e JAVA_HOME=/opt/java/openjdk-11' + alwaysPull true + } + } + environment { + VERSION = "${params.VERSION}" + ARTIFACT_PATH = "$WORKSPACE/build/repository/org/opensearch/client/opensearch-java/${VERSION}" + } + stages { + stage('parameters') { + steps { + script { + properties([ + parameters([ + string( + name: 'REF', + trim: true + ), + string( + name: 'VERSION', + trim: true + ) + ]) + ]) + if (params.REF.isEmpty() || params.VERSION.isEmpty()) { + currentBuild.result = 'ABORTED' + error('Missing REF and/or VERSION.') + } + } + } + } + stage('Publish to Maven Local') { + steps { + // checkout the commit + git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' + sh('git checkout ${REF}') + + // publish maven artifacts + sh('./gradlew --no-daemon publishPublishMavenPublicationToLocalRepoRepository') + } + } + stage('Sign') { + environment { + // these ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client + // This client is invoked internally by the sign script. + ROLE = "${SIGNER_CLIENT_ROLE}" + EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}" + UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}" + SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}" + } + steps { + // fetch opensearch public key and add to keyring + sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp') + sh('gpg --import $WORKSPACE/opensearch.pgp') + + // sign artifacts + git credentialsId: 'jenkins-staging-github-bot-token', + url: 'https://github.com/opensearch-project/opensearch-signer-client.git', + branch: 'main' + + dir('src') { + sh ('./bootstrap') + sh('rm config.cfg') + sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'') + + // transform the binary signature to an ascii armored file + sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done") + + // verify they are ANSI with PGP SIGNATURE + sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'') + + // verify the signatures + sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'') + + // remove sig files + sh('rm -f ${ARTIFACT_PATH}/*.sig') + } + } + } + stage('Stage Maven Artifacts') { + tools { + maven 'maven-3.8.2' + } + environment { + REPO_URL = 'https://aws.oss.sonatype.org/' + STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}" + BUILD_ID = "${BUILD_NUMBER}" + } + steps { + // checkout the build repo + git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' + + // stage artifacts for release with Sonatype + withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { + sh('$WORKSPACE/publish/stage-maven-release.sh $ARTIFACT_PATH') + } + } + } + } + post { + always { + cleanWs disableDeferredWipeout: true, deleteDirs: true + } + } +} diff --git a/jenkins/stage-maven-release/JenkinsFile b/jenkins/stage-maven-release/JenkinsFile deleted file mode 100644 index faab94e53c..0000000000 --- a/jenkins/stage-maven-release/JenkinsFile +++ /dev/null @@ -1,138 +0,0 @@ -pipeline { - agent { - docker { - label 'Jenkins-Agent-al2-x64-c54xlarge-Docker-Host' - image 'opensearchstaging/ci-runner:al2-x64-arm64-jdkmulti-node10.24.1-cypress6.9.1-20211019' - // Unlike freestyle docker, pipeline docker does not login to the container and run commands - // It use executes which does not source the docker container internal ENV VAR - args '-e JAVA_HOME=/usr/lib/jvm/adoptopenjdk-14-hotspot' - alwaysPull true - } - } - environment { - ARTIFACT_PATH = "/usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/${VERSION}" - OUTPUT_DIR = "$WORKSPACE/maven-signed" - VERSION = "${params.VERSION}" - } - stages { - stage('parameters') { - steps { - script { - properties([ - parameters([ - string( - defaultValue: '', - name: 'REF', - trim: true - ), - string( - name: 'VERSION', - trim: true - ) - ]) - ]) - if (params.REF.isEmpty() || params.VERSION.isEmpty()) { - currentBuild.result = 'ABORTED' - error('One or both of the parameters is empty') - } - } - } - } - stage('Publish to Maven Local') { - steps { - // checkout the commit - git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' - sh('git checkout ${REF}') - - //publish to maven local - sh('./gradlew publishtoMavenLocal') - - //Rename maven-metadata-local.xml to maven-metadata.xml - sh('mv /usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/maven-metadata-local.xml /usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/maven-metadata.xml') - } - } - stage('Sign') { - environment { - // These ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client - // This client is invoked internally by the sign script. - ROLE = "${SIGNER_CLIENT_ROLE}" - EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}" - UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}" - SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}" - } - steps { - // Fetch opensearch public key and add to keyring. - sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp') - sh('gpg --import $WORKSPACE/opensearch.pgp') - - // Sign artifacts - git credentialsId: 'jenkins-staging-github-bot-token', - url: 'https://github.com/opensearch-project/opensearch-signer-client.git', branch: 'main' - dir("src"){ - sh ('./bootstrap') - sh('rm config.cfg') - sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'') - - // Transform the binary signature to an ascii armored file - sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done") - - // Verify they are ANSI with PGP SIGNATURE - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'') - - // Verify the signatures - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'') - - // Remove sig files - sh('rm -f ${ARTIFACT_PATH}/*.sig') - } - } - } - stage('Generate checksums') { - steps { - dir("$OUTPUT_DIR/org"){ - // copy only required artifacts to other folder so that not everything from .m2 gets staged - sh('cp -r /usr/share/opensearch/.m2/repository/org/opensearch $OUTPUT_DIR/org/') - sh('bash -O extglob -c "rm -rf $OUTPUT_DIR/org/opensearch/!(client)"') - sh ''' - for file in $(find \$OUTPUT_DIR/org/opensearch/client/opensearch-java/ -type f) - do - if [ \${file##*.} != "asc" ] - then - echo "Creating checksum for \$file" - (md5sum \$file | cut -d \' \' -f 1) > \$file.md5 - (sha1sum \$file | cut -d \' \' -f 1) > \$file.sha1 - (sha256sum \$file | cut -d \' \' -f 1) > \$file.sha256 - (sha512sum \$file | cut -d \' \' -f 1) > \$file.sha512 - fi - done - ''' - } - sh('ls -l \$OUTPUT_DIR/org/opensearch/client/opensearch-java/\${VERSION}') - } - } - stage('Stage maven artifacts') { - tools { - maven "maven-3.8.2" - } - environment { - REPO_URL = "https://aws.oss.sonatype.org/" - STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}" - BUILD_ID = "${BUILD_NUMBER}" - } - steps { - // checkout the build repo - git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' - - // stage artifacts for release with Sonatype - withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { - sh('$WORKSPACE/publish/stage-maven-release.sh $OUTPUT_DIR') - } - } - post() { - always { - cleanWs disableDeferredWipeout: true, deleteDirs: true - } - } - } - } -} \ No newline at end of file