

Updated credentials and signing.
Signed-off-by: dblock <dblock@amazon.com>
dblock committed Jul 28, 2022
1 parent 144b722 commit d6e7d94
Showing 2 changed files with 13 additions and 38 deletions.
2 changes: 1 addition & 1 deletion jenkins/publish-snapshot.jenkinsfile
Expand Up @@ -11,7 +11,7 @@ pipeline {
stage('Publish to Maven Staging') {
steps {
git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main'
withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) {
withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) {
sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotRepoRepository'
}
}
49 changes: 12 additions & 37 deletions jenkins/stage-maven-release.jenkinsfile
@@ -1,3 +1,8 @@
lib = library(identifier: 'jenkins@main', retriever: modernSCM([
$class: 'GitSCMSource',
remote: 'https://github.com/opensearch-project/opensearch-build.git',
]))

pipeline {
agent {
docker {
Expand Down Expand Up @@ -45,47 +50,17 @@ pipeline {
}
}
stage('Sign') {
environment {
// these ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client
// this client is invoked internally by the sign script
ROLE = "${SIGNER_CLIENT_ROLE}"
EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}"
UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}"
SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}"
}
steps {
// fetch opensearch public key and add to keyring
sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp')
sh('gpg --import $WORKSPACE/opensearch.pgp')

// sign artifacts
git credentialsId: 'jenkins-staging-github-bot-token',
url: 'https://github.com/opensearch-project/opensearch-signer-client.git',
branch: 'main'

dir('src') {
sh ('./bootstrap')
sh('rm config.cfg')
sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'')

// transform the binary signature to an ascii armored file
sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done")

// verify they are ANSI with PGP SIGNATURE
sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'')

// verify the signatures
sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'')

// remove sig files
sh('rm -f ${ARTIFACT_PATH}/*.sig')
script {
signArtifacts(
artifactPath: "${ARTIFACT_PATH}",
type: 'maven',
platform: 'linux'
)
}
}
}
stage('Stage Maven Artifacts') {
tools {
maven 'maven-3.8.2'
}
environment {
REPO_URL = 'https://aws.oss.sonatype.org/'
STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}"
Expand All @@ -96,7 +71,7 @@ pipeline {
git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main'

// stage artifacts for release with Sonatype
withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) {
withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) {
sh('$WORKSPACE/publish/stage-maven-release.sh $ARTIFACT_PATH')
}
}
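Review bot: The release-signing step now runs code resolved from a moving branch — the first hunk loads the shared library with `identifier: 'jenkins@main'` from opensearch-build, so the `signArtifacts(...)` implementation used by the `Sign` stage in the second hunk can change underneath this pipeline without any change here; pin it to a tag or commit, e.g. `lib = library(identifier: 'jenkins@<pinned-tag-or-commit>', retriever: modernSCM([`, and bump it deliberately. The removed steps included an explicit `gpg --verify` of every `.asc` and a check that each output is ASCII-armored, and nothing in the new `script {}` block shows those checks being performed, so that should be confirmed in the library or a verification step re-added after the `signArtifacts` call. The `environment {}` block that supplied ROLE, EXTERNAL_ID and the bucket names to the signer client was dropped as well; presumably the library provides them, but a short comment above `script {` stating where the signer configuration now comes from would save the next reader from guessing. The enclosing `pipeline {}` and the `Sign` stage's closing braces extend outside the visible hunk lines.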

