From a42e97bc2d7db96dfccc7bc05517e1188ab7f57a Mon Sep 17 00:00:00 2001 From: dblock Date: Thu, 28 Jul 2022 10:50:27 -0300 Subject: [PATCH 1/3] Publish snapshot to maven. Signed-off-by: dblock --- java-client/build.gradle.kts | 11 +++++++++-- jenkins/publish-snapshot.jenkinsfile | 25 +++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 2 deletions(-) create mode 100644 jenkins/publish-snapshot.jenkinsfile diff --git a/java-client/build.gradle.kts b/java-client/build.gradle.kts index 8b89af51cd..1b242f23c6 100644 --- a/java-client/build.gradle.kts +++ b/java-client/build.gradle.kts @@ -248,8 +248,15 @@ tasks.withType { publishing { repositories{ - maven { - url = uri("${rootProject.buildDir}/repository") + if (version.toString().endsWith("SNAPSHOT")) { + maven("https://aws.oss.sonatype.org/content/repositories/snapshots/") { + name = "snapshots" + credentials(PasswordCredentials::class) + } + } else { + maven { + uri("${rootProject.buildDir}/repository") + } } } publications { diff --git a/jenkins/publish-snapshot.jenkinsfile b/jenkins/publish-snapshot.jenkinsfile new file mode 100644 index 0000000000..306bea88a4 --- /dev/null +++ b/jenkins/publish-snapshot.jenkinsfile @@ -0,0 +1,25 @@ +pipeline { + agent { + docker { + label 'Jenkins-Agent-AL2-X64-C54xlarge-Docker-Host' + image 'opensearchstaging/ci-runner:ci-runner-centos7-opensearch-build-v2' + args '-e JAVA_HOME=/opt/java/openjdk-11' + alwaysPull true + } + } + stages { + stage('Publish to Maven Staging') { + steps { + git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' + withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) { + sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotsRepository' + } + } + post() { + always { + cleanWs disableDeferredWipeout: true, deleteDirs: true + } + } + } + } +} 
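Review bot: In the new `else` branch, `uri("${rootProject.buildDir}/repository")` is a bare expression, so its result is discarded and the local repository is declared without a URL; the removed line assigned it. Keep the assignment: `url = uri("${rootProject.buildDir}/repository")`. The suffix test `version.toString().endsWith("SNAPSHOT")` is the only thing that selects the credentialed remote repository, so a one-line comment would help, for example `// SNAPSHOT versions publish to Sonatype snapshots; every other version publishes to a directory under the root build dir`. The `publishing` block starts and ends outside this hunk.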
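Review bot: The agent image `opensearchstaging/ci-runner:ci-runner-centos7-opensearch-build-v2` is referenced by a mutable tag, and `alwaysPull true` re-resolves that tag on every run. The container that receives the Sonatype credentials inside `withCredentials` is therefore whatever the tag points to at build time. Pinning by digest keeps the publishing environment reviewable, e.g. `image 'opensearchstaging/ci-runner@sha256:DIGEST_PLACEHOLDER'` (placeholder, to be replaced with the vetted digest). A short comment above `withCredentials` would also help: the `ORG_GRADLE_PROJECT_` variable names must match the Gradle repository name, because `credentials(PasswordCredentials::class)` derives its property names from it.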
From 144b7226b9460d787cdd63ea6ac6c824b1f38aff Mon Sep 17 00:00:00 2001 From: dblock Date: Thu, 28 Jul 2022 13:53:01 -0300 Subject: [PATCH 2/3] Release to maven. Signed-off-by: dblock --- java-client/build.gradle.kts | 6 +- jenkins/publish-snapshot.jenkinsfile | 4 +- jenkins/stage-maven-release.jenkinsfile | 110 +++++++++++++++++++ jenkins/stage-maven-release/JenkinsFile | 138 ------------------------ 4 files changed, 115 insertions(+), 143 deletions(-) create mode 100644 jenkins/stage-maven-release.jenkinsfile delete mode 100644 jenkins/stage-maven-release/JenkinsFile diff --git a/java-client/build.gradle.kts b/java-client/build.gradle.kts index 1b242f23c6..98837acd5e 100644 --- a/java-client/build.gradle.kts +++ b/java-client/build.gradle.kts @@ -250,12 +250,12 @@ publishing { repositories{ if (version.toString().endsWith("SNAPSHOT")) { maven("https://aws.oss.sonatype.org/content/repositories/snapshots/") { - name = "snapshots" + name = "snapshotRepo" credentials(PasswordCredentials::class) } } else { - maven { - uri("${rootProject.buildDir}/repository") + maven("${rootProject.buildDir}/repository") { + name = "localRepo" } } } diff --git a/jenkins/publish-snapshot.jenkinsfile b/jenkins/publish-snapshot.jenkinsfile index 306bea88a4..e7e88f6933 100644 --- a/jenkins/publish-snapshot.jenkinsfile +++ b/jenkins/publish-snapshot.jenkinsfile @@ -12,10 +12,10 @@ pipeline { steps { git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) { - sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotsRepository' + sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotRepoRepository' } } - post() { + post { always { cleanWs disableDeferredWipeout: true, deleteDirs: true } 
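Review bot: The credential variable names in publish-snapshot.jenkinsfile no longer match the repository name after build.gradle.kts renames it to `snapshotRepo`. With `credentials(PasswordCredentials::class)` Gradle looks up the properties `snapshotRepoUsername` and `snapshotRepoPassword`, but the unchanged `withCredentials` context line still exports `ORG_GRADLE_PROJECT_snapshotsUsername` and `ORG_GRADLE_PROJECT_snapshotsPassword`. The task name was updated to `...ToSnapshotRepoRepository` and the variables were not, so the snapshot publish is likely to fail for missing credentials. Change them to `usernameVariable: 'ORG_GRADLE_PROJECT_snapshotRepoUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotRepoPassword'`. The publish-snapshot.jenkinsfile hunk of patch 3/3 carries the same old names forward when it changes `credentialsId`.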
diff --git a/jenkins/stage-maven-release.jenkinsfile b/jenkins/stage-maven-release.jenkinsfile
new file mode 100644
index 0000000000..ca87578527
--- /dev/null
+++ b/jenkins/stage-maven-release.jenkinsfile
@@ -0,0 +1,110 @@
+pipeline {
+ agent {
+ docker {
+ label 'Jenkins-Agent-AL2-X64-C54xlarge-Docker-Host'
+ image 'opensearchstaging/ci-runner:ci-runner-centos7-opensearch-build-v2'
+ args '-e JAVA_HOME=/opt/java/openjdk-11'
+ alwaysPull true
+ }
+ }
+ environment {
+ VERSION = "${params.VERSION}"
+ ARTIFACT_PATH = "$WORKSPACE/build/repository/org/opensearch/client/opensearch-java/${VERSION}"
+ }
+ stages {
+ stage('parameters') {
+ steps {
+ script {
+ properties([
+ parameters([
+ string(
+ name: 'REF',
+ trim: true
+ ),
+ string(
+ name: 'VERSION',
+ trim: true
+ )
+ ])
+ ])
+ if (params.REF.isEmpty() || params.VERSION.isEmpty()) {
+ currentBuild.result = 'ABORTED'
+ error('Missing REF and/or VERSION.')
+ }
+ }
+ }
+ }
+ stage('Publish to Maven Local') {
+ steps {
+ // checkout the commit
+ git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main'
+ sh('git checkout ${REF}')
+
+ // publish maven artifacts
+ sh('./gradlew --no-daemon publishPublishMavenPublicationToLocalRepoRepository')
+ }
+ }
+ stage('Sign') {
+ environment {
+ // these ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client
+ // this client is invoked internally by the sign script
+ ROLE = "${SIGNER_CLIENT_ROLE}"
+ EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}"
+ UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}"
+ SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}"
+ }
+ steps {
+ // fetch opensearch public key and add to keyring
+ sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp')
+ sh('gpg --import $WORKSPACE/opensearch.pgp')
+
+ // sign artifacts
+ git credentialsId: 'jenkins-staging-github-bot-token',
+ url: 'https://github.com/opensearch-project/opensearch-signer-client.git',
+ branch: 'main'
+
+ dir('src') {
+ sh ('./bootstrap')
+ sh('rm config.cfg')
+ sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'')
+
+ // transform the binary signature to an ascii armored file
+ sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done")
+
+ // verify they are ANSI with PGP SIGNATURE
+ sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'')
+
+ // verify the signatures
+ sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'')
+
+ // remove sig files
+ sh('rm -f ${ARTIFACT_PATH}/*.sig')
+ }
+ }
+ }
+ stage('Stage Maven Artifacts') {
+ tools {
+ maven 'maven-3.8.2'
+ }
+ environment {
+ REPO_URL = 'https://aws.oss.sonatype.org/'
+ STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}"
+ BUILD_ID = "${BUILD_NUMBER}"
+ }
+ steps {
+ // checkout the build repo
+ git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main'
+
+ // stage artifacts for release with Sonatype
+ withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) {
+ sh('$WORKSPACE/publish/stage-maven-release.sh $ARTIFACT_PATH')
+ }
+ }
+ }
+ }
+ post {
+ always {
+ cleanWs disableDeferredWipeout: true, deleteDirs: true
+ }
+ }
+}
diff --git a/jenkins/stage-maven-release/JenkinsFile b/jenkins/stage-maven-release/JenkinsFile
deleted file mode 100644
index faab94e53c..0000000000
--- a/jenkins/stage-maven-release/JenkinsFile
+++ /dev/null
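Review bot: The `parameters` stage rejects only empty values, but both parameters later reach shell commands. `REF` is expanded unquoted in `sh('git checkout ${REF}')`, and `VERSION` flows through `ARTIFACT_PATH` into the double-quoted `sh("for i in ...")` step, where Groovy interpolates it into the script text before the shell runs. The values supplied when the job is started can therefore change the commands run by a pipeline that signs and stages release artifacts. Validate both next to the emptiness check, e.g. `if (!(params.VERSION ==~ /[0-9A-Za-z][0-9A-Za-z.-]*/) || !(params.REF ==~ /[0-9A-Za-z][0-9A-Za-z._\/-]*/)) error('Invalid REF or VERSION.')`, and quote the expansion with `sh('git checkout "${REF}"')`. Using single-quoted Groovy strings for every `sh` step that references `ARTIFACT_PATH` leaves expansion to the shell.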
@@ -1,138 +0,0 @@ -pipeline { - agent { - docker { - label 'Jenkins-Agent-al2-x64-c54xlarge-Docker-Host' - image 'opensearchstaging/ci-runner:al2-x64-arm64-jdkmulti-node10.24.1-cypress6.9.1-20211019' - // Unlike freestyle docker, pipeline docker does not login to the container and run commands - // It use executes which does not source the docker container internal ENV VAR - args '-e JAVA_HOME=/usr/lib/jvm/adoptopenjdk-14-hotspot' - alwaysPull true - } - } - environment { - ARTIFACT_PATH = "/usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/${VERSION}" - OUTPUT_DIR = "$WORKSPACE/maven-signed" - VERSION = "${params.VERSION}" - } - stages { - stage('parameters') { - steps { - script { - properties([ - parameters([ - string( - defaultValue: '', - name: 'REF', - trim: true - ), - string( - name: 'VERSION', - trim: true - ) - ]) - ]) - if (params.REF.isEmpty() || params.VERSION.isEmpty()) { - currentBuild.result = 'ABORTED' - error('One or both of the parameters is empty') - } - } - } - } - stage('Publish to Maven Local') { - steps { - // checkout the commit - git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' - sh('git checkout ${REF}') - - //publish to maven local - sh('./gradlew publishtoMavenLocal') - - //Rename maven-metadata-local.xml to maven-metadata.xml - sh('mv /usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/maven-metadata-local.xml /usr/share/opensearch/.m2/repository/org/opensearch/client/opensearch-java/maven-metadata.xml') - } - } - stage('Sign') { - environment { - // These ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client - // This client is invoked internally by the sign script. - ROLE = "${SIGNER_CLIENT_ROLE}" - EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}" - UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}" - SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}" - } - steps { - // Fetch opensearch public key and add to keyring. 
- sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp') - sh('gpg --import $WORKSPACE/opensearch.pgp') - - // Sign artifacts - git credentialsId: 'jenkins-staging-github-bot-token', - url: 'https://github.com/opensearch-project/opensearch-signer-client.git', branch: 'main' - dir("src"){ - sh ('./bootstrap') - sh('rm config.cfg') - sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'') - - // Transform the binary signature to an ascii armored file - sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done") - - // Verify they are ANSI with PGP SIGNATURE - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'') - - // Verify the signatures - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'') - - // Remove sig files - sh('rm -f ${ARTIFACT_PATH}/*.sig') - } - } - } - stage('Generate checksums') { - steps { - dir("$OUTPUT_DIR/org"){ - // copy only required artifacts to other folder so that not everything from .m2 gets staged - sh('cp -r /usr/share/opensearch/.m2/repository/org/opensearch $OUTPUT_DIR/org/') - sh('bash -O extglob -c "rm -rf $OUTPUT_DIR/org/opensearch/!(client)"') - sh ''' - for file in $(find \$OUTPUT_DIR/org/opensearch/client/opensearch-java/ -type f) - do - if [ \${file##*.} != "asc" ] - then - echo "Creating checksum for \$file" - (md5sum \$file | cut -d \' \' -f 1) > \$file.md5 - (sha1sum \$file | cut -d \' \' -f 1) > \$file.sha1 - (sha256sum \$file | cut -d \' \' -f 1) > \$file.sha256 - (sha512sum \$file | cut -d \' \' -f 1) > \$file.sha512 - fi - done - ''' - } - sh('ls -l \$OUTPUT_DIR/org/opensearch/client/opensearch-java/\${VERSION}') - } - } - stage('Stage maven artifacts') { - tools { - maven "maven-3.8.2" - } - environment { - REPO_URL = "https://aws.oss.sonatype.org/" - STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}" - 
BUILD_ID = "${BUILD_NUMBER}" - } - steps { - // checkout the build repo - git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' - - // stage artifacts for release with Sonatype - withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { - sh('$WORKSPACE/publish/stage-maven-release.sh $OUTPUT_DIR') - } - } - post() { - always { - cleanWs disableDeferredWipeout: true, deleteDirs: true - } - } - } - } -} \ No newline at end of file From 4d9e13c00b4ec5ae91d10fa0c54cd8a7298778d8 Mon Sep 17 00:00:00 2001 From: dblock Date: Thu, 28 Jul 2022 15:54:12 -0300 Subject: [PATCH 3/3] Updated credentials and signing. Signed-off-by: dblock --- jenkins/publish-snapshot.jenkinsfile | 4 +- jenkins/stage-maven-release.jenkinsfile | 49 ++++++------------------- 2 files changed, 14 insertions(+), 39 deletions(-) diff --git a/jenkins/publish-snapshot.jenkinsfile b/jenkins/publish-snapshot.jenkinsfile index e7e88f6933..4af5ac0c50 100644 --- a/jenkins/publish-snapshot.jenkinsfile +++ b/jenkins/publish-snapshot.jenkinsfile @@ -8,10 +8,10 @@ pipeline { } } stages { - stage('Publish to Maven Staging') { + stage('Publish to Sonatype Snapshots Repo') { steps { git url: 'https://github.com/opensearch-project/opensearch-java.git', branch: 'main' - withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) { + withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'ORG_GRADLE_PROJECT_snapshotsUsername', passwordVariable: 'ORG_GRADLE_PROJECT_snapshotsPassword')]) { sh './gradlew --no-daemon publishPublishMavenPublicationToSnapshotRepoRepository' } } diff --git a/jenkins/stage-maven-release.jenkinsfile b/jenkins/stage-maven-release.jenkinsfile index ca87578527..76874d8bb8 100644 --- a/jenkins/stage-maven-release.jenkinsfile 
+++ b/jenkins/stage-maven-release.jenkinsfile @@ -1,3 +1,8 @@ +lib = library(identifier: 'jenkins@main', retriever: modernSCM([ + $class: 'GitSCMSource', + remote: 'https://github.com/opensearch-project/opensearch-build.git', +])) + pipeline { agent { docker { 
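Review bot: `library(identifier: 'jenkins@main', ...)` loads the shared library from the moving `main` branch of opensearch-build, so the signing code in this release pipeline can change without any change to this file. Pin the identifier to a reviewed tag or commit, `identifier: 'jenkins@PINNED_TAG_OR_COMMIT'` (placeholder), and bump it deliberately. The same applies to the `git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main'` checkout shown as context in the last hunk of this file, whose `stage-maven-release.sh` runs with the Sonatype credentials in its environment. `lib` is assigned but not referenced in the visible hunks; a comment naming the steps taken from the library (`signArtifacts`) would make the dependency explicit.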
@@ -45,47 +50,17 @@ pipeline { } } stage('Sign') { - environment { - // these ENV variables are required by https://github.com/opensearch-project/opensearch-signer-client - // this client is invoked internally by the sign script - ROLE = "${SIGNER_CLIENT_ROLE}" - EXTERNAL_ID = "${SIGNER_CLIENT_EXTERNAL_ID}" - UNSIGNED_BUCKET = "${SIGNER_CLIENT_UNSIGNED_BUCKET}" - SIGNED_BUCKET = "${SIGNER_CLIENT_SIGNED_BUCKET}" - } steps { - // fetch opensearch public key and add to keyring - sh('curl https://artifacts.opensearch.org/publickeys/opensearch.pgp -o $WORKSPACE/opensearch.pgp') - sh('gpg --import $WORKSPACE/opensearch.pgp') - - // sign artifacts - git credentialsId: 'jenkins-staging-github-bot-token', - url: 'https://github.com/opensearch-project/opensearch-signer-client.git', - branch: 'main' - - dir('src') { - sh ('./bootstrap') - sh('rm config.cfg') - sh('ls -d ${ARTIFACT_PATH}/* | xargs -I {} sh -c \'./opensearch-signer-client -i {} -o {}.sig -p pgp\'') - - // transform the binary signature to an ascii armored file - sh("for i in `ls -d ${ARTIFACT_PATH}/*.sig`; do (cat \$i | gpg --enarmor | sed 's/ARMORED FILE/SIGNATURE/g') > \${i%%.sig}.asc; done") - - // verify they are ANSI with PGP SIGNATURE - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'cat {} | grep PGP\'') - - // verify the signatures - sh('ls -d ${ARTIFACT_PATH}/*.asc | xargs -I {} sh -c \'gpg --verify {} \'') - - // remove sig files - sh('rm -f ${ARTIFACT_PATH}/*.sig') + script { + signArtifacts( + artifactPath: "${ARTIFACT_PATH}", + type: 'maven', + platform: 'linux' + ) } } } stage('Stage Maven Artifacts') { - tools { - maven 'maven-3.8.2' - } environment { REPO_URL = 'https://aws.oss.sonatype.org/' STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}" 
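Review bot: The new `signArtifacts(...)` call has no visible equivalent of the removed `gpg --verify` over every `.asc` file, and this patch does not show whether the library step verifies its own output. If it does not, 'Stage Maven Artifacts' would upload the contents of `ARTIFACT_PATH` without any signature check in this pipeline. Either keep a verification step after the call or record the expectation on it, for example `// signArtifacts comes from the opensearch-build shared library; confirm that it verifies the signatures it writes under ARTIFACT_PATH`. `artifactPath: "${ARTIFACT_PATH}"` is a Groovy-interpolated string that contains the `VERSION` build parameter, so it depends on that parameter being validated in the `parameters` stage.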
@@ -96,7 +71,7 @@ pipeline { git url: 'https://github.com/opensearch-project/opensearch-build.git', branch: 'main' // stage artifacts for release with Sonatype - withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { + withCredentials([usernamePassword(credentialsId: 'jenkins-sonatype-creds', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) { sh('$WORKSPACE/publish/stage-maven-release.sh $ARTIFACT_PATH') } }