cicd/pipelines/tasks/task_update_unstable.jenkins - gke-jenkins - Git at Google

 #!/usr/bin/env groovy

 String getLatestSnapshot(repository_stem) {
     def script = """
         aptly snapshot list --sort=time --raw \
             | grep -E '^${repository_stem}-' \
             | head -n1
     """

     return sh(returnStdout: true, script: script).trim()
 }

 def installGpgKeyring() {
     sh """
        install -d -m 700 -o root -g root /var/lib/aptly/.gnupg
        tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz
        chown -R root:root /var/lib/aptly/.gnupg
        find /var/lib/aptly/.gnupg -type d -exec chmod 700 '{}' ';'
        find /var/lib/aptly/.gnupg -type f -exec chmod 600 '{}' ';'
        """
 }

 def workspacePath = "/home/jenkins/workspace"
 def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
 def sourcePath = "${workspacePath}/src"

 // FIXME(jtgans): Get rid of privileged! This is a security risk!
 def jnlpContainer = containerTemplate(name: 'jnlp',
                                       image: 'jenkins/jnlp-slave:alpine')
 def debianContainer = containerTemplate(name: 'debian',
                                         image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
                                         command: 'cat',
                                         args: '',
                                         ttyEnabled: true,
                                         privileged: true,
                                         alwaysPullImage: true)
 def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
 def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')

 podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
     node(buildLabel) {
         dir(sourcePath) {
             container('debian') {
                 sh "cp /etc/aptly.conf ~/.aptly.conf"
                 withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
                     def debianMirrorSnapshotName = getLatestSnapshot('debian-buster')
                     def coreSnapshotName = getLatestSnapshot('core-unstable')
                     def bspSnapshotName  = getLatestSnapshot('unstable-bsp-enterprise')
                     def date = new Date()
                     String stamp = date.format("yyyyMMdd-HHmmss")

                     installGpgKeyring()

                     sh """
                        aptly snapshot merge core-full-unstable-${stamp} ${debianMirrorSnapshotName} ${coreSnapshotName}
                        aptly publish switch --batch --passphrase-file=/var/lib/aptly/keyring/passphrase.txt unstable filesystem:public:unstable core-full-unstable-${stamp}
                        aptly publish switch --batch --passphrase-file=/var/lib/aptly/keyring/passphrase.txt unstable-bsp-enterprise filesystem:public:unstable-bsp-enterprise ${bspSnapshotName}
                        """
                 }
             }
         }
     }
 }
	#!/usr/bin/env groovy

	String getLatestSnapshot(repository_stem) {
	def script = """
	aptly snapshot list --sort=time --raw \
	\| grep -E '^${repository_stem}-' \
	\| head -n1
	"""

	return sh(returnStdout: true, script: script).trim()
	}

	def installGpgKeyring() {
	sh """
	install -d -m 700 -o root -g root /var/lib/aptly/.gnupg
	tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz
	chown -R root:root /var/lib/aptly/.gnupg
	find /var/lib/aptly/.gnupg -type d -exec chmod 700 '{}' ';'
	find /var/lib/aptly/.gnupg -type f -exec chmod 600 '{}' ';'
	"""
	}

	def workspacePath = "/home/jenkins/workspace"
	def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
	def sourcePath = "${workspacePath}/src"

	// FIXME(jtgans): Get rid of privileged! This is a security risk!
	def jnlpContainer = containerTemplate(name: 'jnlp',
	image: 'jenkins/jnlp-slave:alpine')
	def debianContainer = containerTemplate(name: 'debian',
	image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
	command: 'cat',
	args: '',
	ttyEnabled: true,
	privileged: true,
	alwaysPullImage: true)
	def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
	def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')

	podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
	node(buildLabel) {
	dir(sourcePath) {
	container('debian') {
	sh "cp /etc/aptly.conf ~/.aptly.conf"
	withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
	def debianMirrorSnapshotName = getLatestSnapshot('debian-buster')
	def coreSnapshotName = getLatestSnapshot('core-unstable')
	def bspSnapshotName = getLatestSnapshot('unstable-bsp-enterprise')
	def date = new Date()
	String stamp = date.format("yyyyMMdd-HHmmss")

	installGpgKeyring()

	sh """
	aptly snapshot merge core-full-unstable-${stamp} ${debianMirrorSnapshotName} ${coreSnapshotName}
	aptly publish switch --batch --passphrase-file=/var/lib/aptly/keyring/passphrase.txt unstable filesystem:public:unstable core-full-unstable-${stamp}
	aptly publish switch --batch --passphrase-file=/var/lib/aptly/keyring/passphrase.txt unstable-bsp-enterprise filesystem:public:unstable-bsp-enterprise ${bspSnapshotName}
	"""
	}
	}
	}
	}
	}