cicd/pipelines/tasks/task_release_cut.jenkins

#!/usr/bin/env groovy

String getLatestSnapshot(repository_stem) {
    def script = """
        aptly snapshot list --sort=time --raw \
            | grep -E '^${repository_stem}-' \
            | tail -n1
    """

    return sh(returnStdout: true, script: script).trim()
}

def installGpgKeyring() {
    sh """
       install -d -m 700 -o root -g root /var/lib/aptly/.gnupg
       tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz
       chown -R root:root /var/lib/aptly/.gnupg
       find /var/lib/aptly/.gnupg -type d -exec chmod 700 '{}' ';'
       find /var/lib/aptly/.gnupg -type f -exec chmod 600 '{}' ';'
       """
}

def workspacePath = "/home/jenkins/workspace"
def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
def sourcePath = "${workspacePath}/src"

// FIXME(jtgans): Get rid of privileged! This is a security risk!
def jnlpContainer = containerTemplate(name: 'jnlp',
                                      image: 'jenkins/jnlp-slave:alpine')
def debianContainer = containerTemplate(name: 'debian',
                                        image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
                                        command: 'cat',
                                        args: '',
                                        ttyEnabled: true,
                                        privileged: true,
                                        alwaysPullImage: true)
def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')

podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
    node(buildLabel) {
        dir(sourcePath) {
            container('debian') {
                def date = new Date()
                String stamp = date.format("yyyyMMdd-HHmmss")
                def releaseName = params.release
                def boards = params.boards.split(' ')

                if (boards.size() == 0) {
                    error 'No boards to create releases for!'
                }

                sh "cp /etc/aptly.conf ~/.aptly.conf"

                withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
                    installGpgKeyring()

                    def unstableCoreSnapshotName = getLatestSnapshot('core-full-unstable')
                    def releasedCoreSnapshotName = "core-full-${releaseName}-${stamp}"

                    sh """
                       aptly snapshot merge ${releasedCoreSnapshotName} ${unstableCoreSnapshotName}
                       aptly publish snapshot --batch --force-overwrite --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --architectures=source,amd64,arm64,armhf --distribution=${releaseName} ${releasedCoreSnapshotName} filesystem:public:${releaseName}
                       """

                    for (board in boards) {
                        def unstableBspSnapshotName = getLatestSnapshot('unstable-bsp-${board}')
                        def releasedBspSnapshotName = "${releaseName}-bsp-${board}-${stamp}"

                        sh """
                           aptly snapshot merge ${releasedBspSnapshotName} ${unstableBspSnapshotName}
                           aptly publish snapshot --batch --force-overwrite --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --architectures=source,amd64,arm64,armhf --distribution=${releaseName} ${releasedBspSnapshotName} filesystem:public:${releaseName}-bsp-${board}
                           """
                    }
                }
            }
        }
    }
}