Migrating Maven sign and release jenkins jobs (opensearch-project#1520)

* Migrate the maven sign release script to build repo Signed-off-by: Zelin Hao <[email protected]>
naveenpajjuri · Feb 10, 2022 · de56d0f · de56d0f
1 parent 33d2840
commit de56d0f
Show file tree

Hide file tree

Showing 23 changed files with 369 additions and 40 deletions.
diff --git a/jenkins/data-prepper/distribution-artifacts.jenkinsfile b/jenkins/data-prepper/distribution-artifacts.jenkinsfile
@@ -30,8 +30,8 @@ pipeline {
                     signatureType = '.sig'
                     signArtifacts(
                             artifactPath: "${artifactsPath}",
-                            signatureType: signatureType,
-                            distributionPlatform: 'linux'
+                            sigtype: signatureType,
+                            platform: 'linux'
                     )
                     filenamesForUrls = []
                     for(artifactFilename in artifactFilenames){

diff --git a/jenkins/opensearch-maven-release/maven-sign-release.jenkinsfile b/jenkins/opensearch-maven-release/maven-sign-release.jenkinsfile
@@ -0,0 +1,72 @@
+lib = library(identifier: 'jenkins@20211123', retriever: legacySCM(scm))
+
+pipeline {
+    agent {
+        docker {
+            label 'Jenkins-Agent-al2-x64-c54xlarge-Docker-Host'
+            image 'opensearchstaging/ci-runner:centos7-x64-arm64-jdkmulti-node10.24.1-cypress6.9.1-20211130'
+            alwaysPull true
+        }
+    }
+    parameters {
+        string(
+            name: 'BUILD_ID',
+            description: 'Build ID of the OpenSearch distribution artifacts to be staged.',
+            trim: true
+        )
+        string(
+            name: 'VERSION',
+            description: 'Version of the OpenSearch distribution artifacts to be staged.',
+            trim: true
+        )
+    }
+    environment {
+        ARTIFACT_PATH = "distribution-build-opensearch/${VERSION}/${BUILD_ID}/linux/x64/builds"
+    }
+    stages {
+        stage('sign') {
+            steps {
+                script {
+                    echo "Downloading from S3."
+                    downloadFromS3(
+                        destPath: "$WORKSPACE/artifacts",
+                        bucket: "${ARTIFACT_BUCKET_NAME}",
+                        path: "${ARTIFACT_PATH}/",
+                        force: true
+                    )
+                    echo "Signing Maven artifacts."
+                    signArtifacts(
+                        artifactPath: "$WORKSPACE/artifacts/$ARTIFACT_PATH/opensearch/manifest.yml",
+                        type: 'maven',
+                        platform: 'linux'
+                    )
+                }
+            }
+        }
+        stage('stage maven artifacts') {
+            tools {
+                maven "maven-3.8.2"
+            }
+            environment {
+                REPO_URL = "https://aws.oss.sonatype.org/"
+                STAGING_PROFILE_ID = "${SONATYPE_STAGING_PROFILE_ID}"
+                BUILD_ID = "${BUILD_ID}"
+            }
+            steps {
+                script {
+                    // stage artifacts for release with Sonatype
+                    withCredentials([usernamePassword(credentialsId: 'Sonatype', usernameVariable: 'SONATYPE_USERNAME', passwordVariable: 'SONATYPE_PASSWORD')]) {
+                        sh('$WORKSPACE/publish/stage-maven-release.sh $WORKSPACE/artifacts/$ARTIFACT_PATH/maven-signed')
+                    }
+                }
+            }
+        }
+    }
+    post() {
+        always {
+            script {
+                postCleanup()
+            }
+        }
+    }
+}
diff --git a/jenkins/sign-artifacts/sign-standalone-artifacts.jenkinsfile b/jenkins/sign-artifacts/sign-standalone-artifacts.jenkinsfile
@@ -43,8 +43,8 @@ pipeline {
                     downloadedFiles = downloadArtifactsFromUrls()
                     signArtifacts(
                             artifactPath: "$WORKSPACE/artifacts",
-                            signatureType: SIGNATURE_TYPE,
-                            distributionPlatform: DISTRIBUTION_PLATFORM
+                            sigtype: SIGNATURE_TYPE,
+                            platform: DISTRIBUTION_PLATFORM
                     )
 
                     filenamesForUrls = []

diff --git a/src/run_sign.py b/src/run_sign.py
@@ -24,6 +24,7 @@ def main():
     parser.add_argument("--component", nargs="?", help="Component name")
     parser.add_argument("--type", nargs="?", help="Artifact type")
     parser.add_argument("--sigtype", choices=ACCEPTED_SIGNATURE_FILE_TYPES, help="Type of Signature file", default=".asc")
+    parser.add_argument("--platform", nargs="?", help="The distribution platform", default="linux")
     parser.add_argument(
         "-v",
         "--verbose",

diff --git a/tests/jenkins/TestDataPrepperDistributionArtifacts.groovy b/tests/jenkins/TestDataPrepperDistributionArtifacts.groovy
@@ -22,7 +22,7 @@ class TestDataPrepperDistributionArtifacts extends BuildPipelineTest {
 
         def bucketName = 'job-s3-bucket-name'
 
-        this.registerLibTester(new SignArtifactsLibTester( '.sig', 'linux',  artifactsPath))
+        this.registerLibTester(new SignArtifactsLibTester( '.sig', 'linux',  artifactsPath, null, null))
 
         this.registerLibTester(new UploadToS3LibTester( artifactsPath, bucketName, 'data-prepper-distribution-artifacts/0.22.1/51/builds/signed'))
 

diff --git a/tests/jenkins/TestDownloadFromS3.groovy b/tests/jenkins/TestDownloadFromS3.groovy
@@ -0,0 +1,28 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+import jenkins.tests.BuildPipelineTest
+import org.junit.Before
+import org.junit.Test
+
+
+class TestDownloadFromS3 extends BuildPipelineTest {
+
+    @Before
+    void setUp() {
+
+        this.registerLibTester(new DownloadFromS3LibTester('/tmp/src/path' , 'dummy_bucket', '/download/path', true))
+
+        super.setUp()
+    }
+
+    @Test
+    public void testDownloadFromS3() {
+        super.testPipeline("tests/jenkins/jobs/DownloadFromS3_Jenkinsfile")
+    }
+}
diff --git a/tests/jenkins/TestMavenSignReleaseJob.groovy b/tests/jenkins/TestMavenSignReleaseJob.groovy
@@ -0,0 +1,46 @@
+/*
+ * Copyright OpenSearch Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+import jenkins.tests.BuildPipelineTest
+import org.junit.Before
+import org.junit.Test
+
+class TestMavenSignReleaseJob extends BuildPipelineTest {
+
+    @Before
+    void setUp() {
+
+        def destPath = "${this.workspace}/artifacts"
+
+        def manifestPath = "${this.workspace}/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml"
+
+        def artifactsPath = 'distribution-build-opensearch/1.0.0/123/linux/x64/builds/'
+
+        def bucketName = 'job-s3-bucket-name'
+
+        this.registerLibTester(new DownloadFromS3LibTester(destPath, bucketName, artifactsPath, true))
+
+        this.registerLibTester(new SignArtifactsLibTester( '.sig', 'linux',  manifestPath, 'maven', null))
+
+        super.setUp()
+
+        // Variables for Maven Sign Release job
+        binding.setVariable('VERSION', '1.0.0')
+        binding.setVariable('BUILD_ID', '123')
+        binding.setVariable('ARTIFACT_PATH', 'distribution-build-opensearch/1.0.0/123/linux/x64/builds')
+        binding.setVariable('ARTIFACT_BUCKET_NAME', bucketName)
+        binding.setVariable('SONATYPE_STAGING_PROFILE_ID', 'dummy_id')
+
+        helper.registerAllowedMethod('checkout', [Map], {})
+
+    }
+
+    @Test
+    void MavenSignRelease_test() {
+        super.testPipeline('jenkins/opensearch-maven-release/maven-sign-release.jenkinsfile',
+                'tests/jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile')
+    }
+}
diff --git a/tests/jenkins/TestSignArtifacts.groovy b/tests/jenkins/TestSignArtifacts.groovy
@@ -16,8 +16,8 @@ class TestSignArtifacts extends BuildPipelineTest {
     @Before
     void setUp() {
 
-        this.registerLibTester(new SignArtifactsLibTester( '.sig', 'linux', "${this.workspace}/artifacts" ))
-
+        this.registerLibTester(new SignArtifactsLibTester('.sig', 'linux', "${this.workspace}/artifacts", null, null))
+        this.registerLibTester(new SignArtifactsLibTester(null, 'linux', "${this.workspace}/file.yml", 'maven', null))
         super.setUp()
     }
 

diff --git a/tests/jenkins/TestSignStandaloneArtifactsJob.groovy b/tests/jenkins/TestSignStandaloneArtifactsJob.groovy
@@ -10,11 +10,11 @@ class TestSignStandaloneArtifactsJob extends BuildPipelineTest {
         def filenamesForUrls = ['dummy_1_artifact.tar.gz', 'dummy_1_artifact.tar.gz.sig',
                                 'dummy_2_artifact.tar.gz', 'dummy_2_artifact.tar.gz.sig']
 
-        def signatureType = '.sig'
-        def distributionPlatform = 'linux'
+        def sigtype = '.sig'
+        def platform = 'linux'
         def artifactPath = "${this.workspace}/artifacts"
 
-        this.registerLibTester(new SignArtifactsLibTester(signatureType, distributionPlatform, artifactPath))
+        this.registerLibTester(new SignArtifactsLibTester(sigtype, platform, artifactPath, null, null))
 
         this.registerLibTester(new PrintArtifactDownloadUrlsForStagingLibTester(filenamesForUrls, 'sign_artifacts_job/dummy/upload/path/20/dist/signed'))
 
@@ -26,8 +26,8 @@ class TestSignStandaloneArtifactsJob extends BuildPipelineTest {
         binding.setVariable('URLs', 'https://www.dummy.com/dummy_1_artifact.tar.gz,' +
                 ' https://www.dummy.com/dummy_2_artifact.tar.gz')
         binding.setVariable('S3_FILE_UPLOAD_PATH', '/dummy/upload/path/')
-        binding.setVariable('DISTRIBUTION_PLATFORM', distributionPlatform)
-        binding.setVariable('SIGNATURE_TYPE', signatureType)
+        binding.setVariable('DISTRIBUTION_PLATFORM', platform)
+        binding.setVariable('SIGNATURE_TYPE', sigtype)
     }
 
     @Test

diff --git a/...s/jenkins/jenkinsjob-regression-files/data-prepper/distribution-artifacts.jenkinsfile.txt b/...s/jenkins/jenkinsjob-regression-files/data-prepper/distribution-artifacts.jenkinsfile.txt
@@ -10,7 +10,7 @@
                distribution-artifacts.sh({script=find /tmp/workspace/release/archives/linux/build/distributions | sed -n "s|^/tmp/workspace/release/archives/linux/build/distributions/||p", returnStdout=true})
          distribution-artifacts.stage(Sign Artifacts, groovy.lang.Closure)
             distribution-artifacts.script(groovy.lang.Closure)
-               distribution-artifacts.signArtifacts({artifactPath=/tmp/workspace/release/archives/linux/build/distributions, signatureType=.sig, distributionPlatform=linux})
+               distribution-artifacts.signArtifacts({artifactPath=/tmp/workspace/release/archives/linux/build/distributions, sigtype=.sig, platform=linux})
                   signArtifacts.fileExists(/tmp/workspace/sign.sh)
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
@@ -24,7 +24,7 @@
             export UNSIGNED_BUCKET=signer_client_unsigned_bucket
             export SIGNED_BUCKET=signer_client_signed_bucket
 
-            /tmp/workspace/sign.sh /tmp/workspace/release/archives/linux/build/distributions --sigtype=.sig --component=null --type=null
+            /tmp/workspace/sign.sh /tmp/workspace/release/archives/linux/build/distributions --sigtype=.sig --platform=linux
         )
          distribution-artifacts.stage(Upload Artifacts to Staging Distribution Bucket, groovy.lang.Closure)
             distribution-artifacts.script(groovy.lang.Closure)

diff --git a/...jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt b/...jenkins/jenkinsjob-regression-files/maven-sign-release/maven-sign-release.jenkinsfile.txt
@@ -0,0 +1,36 @@
+   maven-sign-release.run()
+      maven-sign-release.legacySCM(groovy.lang.Closure)
+      maven-sign-release.library({identifier=jenkins@20211123, retriever=null})
+      maven-sign-release.pipeline(groovy.lang.Closure)
+         maven-sign-release.echo(Executing on agent [docker:[image:opensearchstaging/ci-runner:centos7-x64-arm64-jdkmulti-node10.24.1-cypress6.9.1-20211130, reuseNode:false, stages:[:], args:, alwaysPull:true, containerPerStageRoot:false, label:Jenkins-Agent-al2-x64-c54xlarge-Docker-Host]])
+         maven-sign-release.stage(sign, groovy.lang.Closure)
+            maven-sign-release.script(groovy.lang.Closure)
+               maven-sign-release.echo(Downloading from S3.)
+               maven-sign-release.downloadFromS3({destPath=/tmp/workspace/artifacts, bucket=job-s3-bucket-name, path=distribution-build-opensearch/1.0.0/123/linux/x64/builds/, force=true})
+                  downloadFromS3.withAWS({role=Dummy_Download_Role, roleAccount=dummy_account, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
+                     downloadFromS3.s3Download({file=/tmp/workspace/artifacts, bucket=job-s3-bucket-name, path=distribution-build-opensearch/1.0.0/123/linux/x64/builds/, force=true})
+               maven-sign-release.echo(Signing Maven artifacts.)
+               maven-sign-release.signArtifacts({artifactPath=/tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml, type=maven, platform=linux})
+                  signArtifacts.fileExists(/tmp/workspace/sign.sh)
+                  signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
+                  signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
+                  signArtifacts.usernamePassword({credentialsId=github_bot_token_name, usernameVariable=GITHUB_USER, passwordVariable=GITHUB_TOKEN})
+                  signArtifacts.withCredentials([[GITHUB_USER, GITHUB_TOKEN]], groovy.lang.Closure)
+                     signArtifacts.sh(
+            #!/bin/bash
+            set +x
+            export ROLE=dummy_signer_client_role
+            export EXTERNAL_ID=signer_client_external_id
+            export UNSIGNED_BUCKET=signer_client_unsigned_bucket
+            export SIGNED_BUCKET=signer_client_signed_bucket
+
+            /tmp/workspace/sign.sh /tmp/workspace/artifacts/distribution-build-opensearch/1.0.0/123/linux/x64/builds/opensearch/manifest.yml --type=maven --platform=linux
+        )
+         maven-sign-release.stage(stage maven artifacts, groovy.lang.Closure)
+            maven-sign-release.script(groovy.lang.Closure)
+               maven-sign-release.usernamePassword({credentialsId=Sonatype, usernameVariable=SONATYPE_USERNAME, passwordVariable=SONATYPE_PASSWORD})
+               maven-sign-release.withCredentials([[SONATYPE_USERNAME, SONATYPE_PASSWORD]], groovy.lang.Closure)
+                  maven-sign-release.sh($WORKSPACE/publish/stage-maven-release.sh $WORKSPACE/artifacts/$ARTIFACT_PATH/maven-signed)
+         maven-sign-release.script(groovy.lang.Closure)
+            maven-sign-release.postCleanup()
+               postCleanup.cleanWs({disableDeferredWipeout=true, deleteDirs=true})
diff --git a/...sjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt b/...sjob-regression-files/sign-standalone-artifacts/sign-standalone-artifacts.jenkinsfile.txt
@@ -8,7 +8,7 @@
                sign-standalone-artifacts.sh(mkdir /tmp/workspace/artifacts)
                sign-standalone-artifacts.sh(curl -SL https://www.dummy.com/dummy_1_artifact.tar.gz -o /tmp/workspace/artifacts/dummy_1_artifact.tar.gz)
                sign-standalone-artifacts.sh(curl -SL https://www.dummy.com/dummy_2_artifact.tar.gz -o /tmp/workspace/artifacts/dummy_2_artifact.tar.gz)
-               sign-standalone-artifacts.signArtifacts({artifactPath=/tmp/workspace/artifacts, signatureType=.sig, distributionPlatform=linux})
+               sign-standalone-artifacts.signArtifacts({artifactPath=/tmp/workspace/artifacts, sigtype=.sig, platform=linux})
                   signArtifacts.fileExists(/tmp/workspace/sign.sh)
                   signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                   signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
@@ -22,7 +22,7 @@
             export UNSIGNED_BUCKET=signer_client_unsigned_bucket
             export SIGNED_BUCKET=signer_client_signed_bucket
 
-            /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --component=null --type=null
+            /tmp/workspace/sign.sh /tmp/workspace/artifacts --sigtype=.sig --platform=linux
         )
                sign-standalone-artifacts.uploadToS3({sourcePath=/tmp/workspace/artifacts, bucket=dummy_bucket_name, path=sign_artifacts_job/dummy/upload/path/20/dist/signed})
                   uploadToS3.withAWS({role=Dummy_Upload_Role, roleAccount=dummy_account, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)

diff --git a/tests/jenkins/jobs/DownloadFromS3_Jenkinsfile b/tests/jenkins/jobs/DownloadFromS3_Jenkinsfile
@@ -0,0 +1,25 @@
+/*
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * The OpenSearch Contributors require contributions made to
+ * this file be licensed under the Apache-2.0 license or a
+ * compatible open source license.
+ */
+
+pipeline {
+    agent none
+    stages {
+        stage('download') {
+            steps {
+                script {
+                    downloadFromS3(
+                        destPath: '/tmp/src/path',
+                        bucket: 'dummy_bucket',
+                        path: '/download/path',
+                        force: true
+                    )
+                }
+            }
+        }
+    }
+}
diff --git a/tests/jenkins/jobs/DownloadFromS3_Jenkinsfile.txt b/tests/jenkins/jobs/DownloadFromS3_Jenkinsfile.txt
@@ -0,0 +1,8 @@
+   DownloadFromS3_Jenkinsfile.run()
+      DownloadFromS3_Jenkinsfile.pipeline(groovy.lang.Closure)
+         DownloadFromS3_Jenkinsfile.echo(Executing on agent [label:none])
+         DownloadFromS3_Jenkinsfile.stage(download, groovy.lang.Closure)
+            DownloadFromS3_Jenkinsfile.script(groovy.lang.Closure)
+               DownloadFromS3_Jenkinsfile.downloadFromS3({destPath=/tmp/src/path, bucket=dummy_bucket, path=/download/path, force=true})
+                  downloadFromS3.withAWS({role=Dummy_Download_Role, roleAccount=dummy_account, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
+                     downloadFromS3.s3Download({file=/tmp/src/path, bucket=dummy_bucket, path=/download/path, force=true})
diff --git a/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt b/tests/jenkins/jobs/PromoteArtifacts_actions_Jenkinsfile.txt
@@ -26,7 +26,7 @@
                   createSha512Checksums.sh({script=basename workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins/zip_dummy_artifact_1.1.0.zip, returnStdout=true})
                   createSha512Checksums.writeFile({file=zip_dummy_artifact_1.1.0.zip.sha512, text=shaHashDummy_zip_dummy_artifact_1.1.0.zip  zip_dummy_artifact_1.1.0.zip})
                   createSha512Checksums.echo(Not generating sha for dummy_artifact_1.1.0.dummy in workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins, doesn't match allowed types [.tar.gz, .zip])
-                  createSignatureFiles.signArtifacts({signatureType=.sig, artifactPath=workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins})
+                  createSignatureFiles.signArtifacts({sigtype=.sig, artifactPath=workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins})
                      signArtifacts.fileExists(workspace/sign.sh)
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
@@ -40,7 +40,7 @@
             export UNSIGNED_BUCKET=signer_client_unsigned_bucket
             export SIGNED_BUCKET=signer_client_signed_bucket
 
-            workspace/sign.sh workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins --sigtype=.sig --component=null --type=null
+            workspace/sign.sh workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins --sigtype=.sig
         )
                   promoteArtifacts.findFiles({glob=**/opensearch-min-1.3.0*.tar.gz,**/opensearch-1.3.0*.tar.gz})
                   promoteArtifacts.getPath()
@@ -49,7 +49,7 @@
                   createSha512Checksums.echo(Not generating sha for ccc in workspace/workspace/file/found.zip, doesn't match allowed types [.tar.gz, .zip])
                   promoteArtifacts.findFiles({glob=**/opensearch-min-1.3.0*.tar.gz,**/opensearch-1.3.0*.tar.gz})
                   promoteArtifacts.getPath()
-                  createSignatureFiles.signArtifacts({signatureType=.sig, artifactPath=workspace/workspace/file/found.zip})
+                  createSignatureFiles.signArtifacts({sigtype=.sig, artifactPath=workspace/workspace/file/found.zip})
                      signArtifacts.fileExists(workspace/sign.sh)
                      signArtifacts.git({url=https://github.com/opensearch-project/opensearch-build.git, branch=main})
                      signArtifacts.sh(curl -sSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --import -)
@@ -63,7 +63,7 @@
             export UNSIGNED_BUCKET=signer_client_unsigned_bucket
             export SIGNED_BUCKET=signer_client_signed_bucket
 
-            workspace/sign.sh workspace/workspace/file/found.zip --sigtype=.sig --component=null --type=null
+            workspace/sign.sh workspace/workspace/file/found.zip --sigtype=.sig
         )
                   promoteArtifacts.withAWS({role=artifactPromotionRole, roleAccount=artifactsAccount, duration=900, roleSessionName=jenkins-session}, groovy.lang.Closure)
                      promoteArtifacts.s3Upload({bucket=prod-bucket-name, path=releases/plugins/discovery-ec2-1.1.0.zip/1.3.0/, workingDir=workspace/artifacts/vars-build/1.3.0/33/linux/x64/builds/opensearch/core-plugins/, includePathPattern=**/discovery-ec2-1.1.0.zip*})