blob: d9549f169325b98459ea6066247e1477aae8e144 [file] [log] [blame]
#!/usr/bin/env groovy
String getLatestSnapshot(repository_stem) {
def script = """
aptly snapshot list --sort=time --raw \
| grep -E '^${repository_stem}-' \
| head -n1
"""
return sh(returnStdout: true, script: script)
}
String getFileContents(filename) {
return sh(returnStdout: true, script: "cat ${filename}").trim()
}
String getKeygripId() {
def script = '''
gpg --no-default-keyring --keyring=release-keyring.gpg --with-colons --list-secret-keys \
| awk -F: '\$1 == "grp" { print \$10 }' \
| head -n1
'''
sh(script: script)
return sh(returnStdout: true, script: script).trim()
}
def workspacePath = "/home/jenkins/workspace"
def buildLabel = "task.publish.unstable-${UUID.randomUUID().toString()}"
def sourcePath = "${workspacePath}/src"
// FIXME(jtgans): Get rid of privileged! This is a security risk!
def jnlpContainer = containerTemplate(name: 'jnlp',
image: 'jenkins/jnlp-slave:alpine')
def debianContainer = containerTemplate(name: 'debian',
image: 'gcr.io/mendel-linux-cloud-infra/mendel-builder:latest',
command: 'cat',
args: '',
ttyEnabled: true,
privileged: true,
alwaysPullImage: true)
def aptlyVolume = persistentVolumeClaim(claimName: 'aptly-state', mountPath: '/var/lib/aptly')
def gpgVolume = secretVolume(secretName: 'mendel-release-credentials', mountPath: '/var/lib/aptly/keyring')
podTemplate(label: buildLabel, containers: [jnlpContainer, debianContainer], volumes: [aptlyVolume, gpgVolume], envVars: []) {
node(buildLabel) {
dir(sourcePath) {
container('debian') {
sh "cp /etc/aptly.conf ~/.aptly.conf"
withEnv(['GNUPGHOME=/var/lib/aptly/.gnupg']) {
def debianMirrorSnapshotName = getLatestSnapshot('debian-buster')
def coreSnapshotName = getLatestSnapshot('core-unstable')
def bspSnapshotName = getLatestSnapshot('enterprise-bsp-unstable')
def keygripId = getKeygripId()
def date = new Date()
String stamp = date.format("yyyyMMdd-HHmmss")
sh """
install -d -m 700 -o root -g root /var/lib/aptly/.gnupg
tar -C /var/lib/aptly/.gnupg -zxf /var/lib/aptly/keyring/release-keyring.tar.gz
chown -R root:root /var/lib/aptly/.gnupg
find /var/lib/aptly/.gnupg -type d -exec chmod 700 '{}' ';'
find /var/lib/aptly/.gnupg -type f -exec chmod 600 '{}' ';'
mkdir -p /var/lib/aptly/publishes/unstable
aptly snapshot merge core-full-unstable-${stamp} ${debianMirrorSnapshotName} ${coreSnapshotName}
aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable core-full-unstable-${stamp} filesystem:unstable:unstable
aptly publish snapshot --passphrase-file=/var/lib/aptly/keyring/passphrase.txt --gpg-key=${keygripId} --distribution=unstable ${bspSnapshotName} filesystem:unstable:unstable
"""
}
}
}
}
}