cicd/pipelines/tasks/task_publish_unstable.jenkins - gke-jenkins - Git at Google

 #!/usr/bin/env groovy

 String getLatestSnapshot(repository_stem) {
     def script = """
         aptly snapshot list --sort=time --raw \
             | grep -E '^${repository_stem}-' \
             | head -n1
     """

     return sh(returnStdout: true, script: script)
 }

 String getFileContents(filename) {
     return sh(returnStdout: true, script: "cat ${filename}").trim()
 }

 String getKeygripId() {
     def script = """
         gpg --no-default-keyring \
             --keyring=release-keyring.gpg \
             --with-colons \
             --list-secret-keys \
         | awk -F: '$1 == "grp" { print $10 }' \
         | head -n1
     """

     return sh(returnStdout: true, script: script).trim()
 }

 def workspacePath = "/home/jenkins/workspace"
 def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
 def sourcePath = "${workspacePath}/src"

 // FIXME(jtgans): Get rid of privileged! This is a security risk!
 def jnlpContainer = containerTemplate(name: 'jnlp',
                                       image: 'jenkins/jnlp-slave:alpine')
 def debianContainer = containerTemplate(name: 'debian',
                                         image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
                                         command: 'cat',
                                         args: '',
                                         ttyEnabled: true,
                                         privileged: true,
                                         alwaysPullImage: true)
 def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
 def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')

 podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
     node(buildLabel) {
         dir(sourcePath) {
             container('debian') {
                 sh "cp /etc/aptly.conf ~/.aptly.conf"
                 withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
                     def debianMirrorSnapshotName = getLatestSnapshot('debian-buster')
                     def coreSnapshotName = getLatestSnapshot('core-unstable')
                     def bspSnapshotName  = getLatestSnapshot('enterprise-bsp-unstable')
                     def keygripId = getKeygripId()

                     def date = new Date()
                     String stamp = date.format("yyyyMMdd-HHmmss")

                     sh """
                        install -d -m 700 -u root -g root /var/lib/aptly/.gnupg
                        tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz

                        mkdir -p /var/lib/aptly/publishes/unstable
                        aptly snapshot merge core-full-unstable-${stamp} ${debianMirrorSnapshotName} ${coreSnapshotName}
                        aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable core-full-unstable-${stamp} filesystem:unstable:unstable
                        aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable ${bspSnapshotName} filesystem:unstable:unstable
                        """
                 }
             }
         }
     }
 }
	#!/usr/bin/env groovy

	String getLatestSnapshot(repository_stem) {
	def script = """
	aptly snapshot list --sort=time --raw \
	\| grep -E '^${repository_stem}-' \
	\| head -n1
	"""

	return sh(returnStdout: true, script: script)
	}

	String getFileContents(filename) {
	return sh(returnStdout: true, script: "cat ${filename}").trim()
	}

	String getKeygripId() {
	def script = """
	gpg --no-default-keyring \
	--keyring=release-keyring.gpg \
	--with-colons \
	--list-secret-keys \
	\| awk -F: '$1 == "grp" { print $10 }' \
	\| head -n1
	"""

	return sh(returnStdout: true, script: script).trim()
	}

	def workspacePath = "/home/jenkins/workspace"
	def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
	def sourcePath = "${workspacePath}/src"

	// FIXME(jtgans): Get rid of privileged! This is a security risk!
	def jnlpContainer = containerTemplate(name: 'jnlp',
	image: 'jenkins/jnlp-slave:alpine')
	def debianContainer = containerTemplate(name: 'debian',
	image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
	command: 'cat',
	args: '',
	ttyEnabled: true,
	privileged: true,
	alwaysPullImage: true)
	def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
	def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')

	podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
	node(buildLabel) {
	dir(sourcePath) {
	container('debian') {
	sh "cp /etc/aptly.conf ~/.aptly.conf"
	withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
	def debianMirrorSnapshotName = getLatestSnapshot('debian-buster')
	def coreSnapshotName = getLatestSnapshot('core-unstable')
	def bspSnapshotName = getLatestSnapshot('enterprise-bsp-unstable')
	def keygripId = getKeygripId()

	def date = new Date()
	String stamp = date.format("yyyyMMdd-HHmmss")

	sh """
	install -d -m 700 -u root -g root /var/lib/aptly/.gnupg
	tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz

	mkdir -p /var/lib/aptly/publishes/unstable
	aptly snapshot merge core-full-unstable-${stamp} ${debianMirrorSnapshotName} ${coreSnapshotName}
	aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable core-full-unstable-${stamp} filesystem:unstable:unstable
	aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable ${bspSnapshotName} filesystem:unstable:unstable
	"""
	}
	}
	}
	}
	}