From d6e7d94e4a4be6732b673d8cb71adc3811324c6d Mon Sep 17 00:00:00 2001
From: dblock
Date: Thu, 28 Jul 2022 15:54:12 -0300
Subject: [PATCH] Updated credentials and signing.

Signed-off-by: dblock
---
 jenkins/publish-snapshot.jenkinsfile | 2 +-
 jenkins/stage-maven-release.jenkinsfile | 49 ++++++-------------------
 2 files changed, 13 insertions(+), 38 deletions(-)

diff --git a/jenkins/publish-snapshot.jenkinsfile b/jenkins/publish-snapshot.jenkinsfile
index e7e88f6933..1c31e6fea0 100644
--- a/jenkins/publish-snapshot.jenkinsfile
+++ b/jenkins/publish-snapshot.jenkinsfile
@@ -11,7 +11,7 @@ pipeline {
 stage('Publish to Maven Staging') {
 steps {
 git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main'
- withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) {
+ withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) {
 sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotRepoRepository'
 }
 }
diff --git a/jenkins/stage-maven-release.jenkinsfile b/jenkins/stage-maven-release.jenkinsfile
index ca87578527..76874d8bb8 100644
--- a/jenkins/stage-maven-release.jenkinsfile
+++ b/jenkins/stage-maven-release.jenkinsfile
@@ -1,3 +1,8 @@
+lib = library(identifier: 'jenkins@main', retriever: modernSCM([
+ $class: 'GitSCMSource',
+ remote: 'https://github.com/opensearch-project/opensearch-build.git',
+]))
+
 pipeline {
 agent {
 docker {
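Review bot: The new `library(identifier: 'jenkins@main', ...)` call at the top of stage-maven-release.jenkinsfile loads the shared library from a moving branch, so whatever is on `main` of opensearch-build when the job runs executes inside the pipeline that signs and stages release artifacts. Pinning the identifier to a reviewed tag or commit, e.g. `identifier: 'jenkins@<tag-or-commit-sha>'` (placeholder), would make a release run reproducible and keep an unreviewed or compromised push from reaching the signing step. The `git ... branch: 'main'` checkout of the same repository, kept as context in the last hunk, has the same property. `lib` is also assigned without `def` and is not referenced in the visible lines; if nothing uses it, calling `library(...)` without the assignment is cleaner.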
@@ -45,47 +50,17 @@ pipeline {
 }
 }
 stage('Sign') {
- environment {
- // these ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client
- // this client is invoked internally by the sign script
- ROLE = "${SIGNER_CLIENT_ROLE}"
- EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}"
- UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}"
- SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}"
- }
 steps {
- // fetch opensearch public key and add to keyring
- sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp')
- sh('gpg --import $WORKSPACE/opensearch.pgp')
-
- // sign artifacts
- git credentialsId: 'jenkins-staging-github-bot-token',
- url: 'https://github.com/opensearch-project/opensearch-signer-client.git',
- branch: 'main'
-
- dir('src') {
- sh ('./bootstrap')
- sh('rm config.cfg')
- sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'')
-
- // transform the binary signature to an ascii armored file
- sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done")
-
- // verify they are ANSI with PGP SIGNATURE
- sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'')
-
- // verify the signatures
- sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'')
-
- // remove sig files
- sh('rm -f ${ARTIFACT_PATH}/*.sig')
+ script {
+ signArtifacts(
+ artifactPath: "${ARTIFACT_PATH}",
+ type: 'maven',
+ platform: 'linux'
+ )
 }
 }
 }
 stage('Stage Maven Artifacts') {
- tools {
- maven 'maven-3.8.2'
- }
 environment {
 REPO_URL = 'https://aws.oss.sonatype.org/'
 STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}"
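Review bot: After this change the Sign stage has no visible check that signing succeeded: the removed block imported the public key and ran `gpg --verify` on every `.asc`, while the new `signArtifacts(...)` call is the only step left, and whether it verifies its own output cannot be seen in this diff. If the library step does verify, record that above the call, e.g. `// signArtifacts (opensearch-build jenkins library) verifies every signature it produces`; if it does not, keep a verification step after it so an unsigned or badly signed artifact fails the build before 'Stage Maven Artifacts'. The removed `environment` block also carried the signer role and bucket settings, so it is worth confirming where the library step now obtains them. The enclosing `pipeline` block starts and ends outside the hunk.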
@@ -96,7 +71,7 @@ pipeline { git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' // stage artifacts for release with Sonatype - withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { + withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { sh('$WORKSPACE/publish/stage-maven-release.sh $ARTIFACT_PATH') } }