Merge pull request #1 from Conjur-Enterprise/CNJR-3040-auto-update
CNJR-3040 Self Updating Summon Formula
Showing
17 changed files
with
1,529 additions
and
202 deletions.
@@ -0,0 +1,2 @@ | ||
cyberark_root.crt | ||
.DS_Store |
@@ -0,0 +1,12 @@ | ||
# Changelog | ||
All notable changes to this project will be documented in this file. | ||
|
||
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) | ||
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). | ||
|
||
|
||
## [0.0.1] - 2023-11-09 | ||
|
||
### Added | ||
- Pipeline | ||
- Self Updating formula for Summon. |
@@ -0,0 +1,130 @@ | ||
#!/usr/bin/env groovy | ||
|
||
// Automated release, promotion and dependencies | ||
properties([ | ||
// Include the automated release parameters for the build | ||
release.addParams(), | ||
// Dependencies of the project that should trigger builds | ||
dependencies([ | ||
// Because of auto updating formulae, we don't actually need | ||
// to release this repo everytime one of the projects releases. | ||
// "conjur-enterprise/summon", | ||
// "conjur-enterprise/summon-conjur", | ||
// "conjur-enterprise/summon-aws-secrets", | ||
// "conjur-enterprise/terraform-provider-conjur", | ||
// "conjur-enterprise/secretless-broker" | ||
]) | ||
]) | ||
|
||
// Performs release promotion. No other stages will be run | ||
if (params.MODE == "PROMOTE") { | ||
release.promote(params.VERSION_TO_PROMOTE) { infrapool, sourceVersion, targetVersion, assetDirectory -> | ||
// Any assets from sourceVersion Github release are available in assetDirectory | ||
// Any version number updates from sourceVersion to targetVersion occur here | ||
// Any publishing of targetVersion artifacts occur here | ||
// Anything added to assetDirectory will be attached to the Github Release | ||
|
||
//Note: assetDirectory is on the infrapool agent, not the local Jenkins agent. | ||
} | ||
// Ths is the only part of promote relevant to homebrew-tools... here we copy | ||
// the release from github enterprise to github.com | ||
release.copyEnterpriseRelease(params.VERSION_TO_PROMOTE) | ||
return | ||
} | ||
|
||
pipeline { | ||
agent { label 'conjur-enterprise-common-agent' } | ||
|
||
options { | ||
timestamps() | ||
buildDiscarder(logRotator(numToKeepStr: '30')) | ||
} | ||
|
||
triggers { | ||
cron(getDailyCronString()) | ||
} | ||
|
||
environment { | ||
// Sets the MODE to the specified or autocalculated value as appropriate | ||
MODE = release.canonicalizeMode() | ||
} | ||
|
||
stages { | ||
// Aborts any builds triggered by another project that wouldn't include any changes | ||
stage ("Skip build if triggering job didn't create a release") { | ||
when { | ||
expression { | ||
MODE == "SKIP" | ||
} | ||
} | ||
steps { | ||
script { | ||
currentBuild.result = 'ABORTED' | ||
error("Aborting build because this build was triggered from upstream, but no release was built") | ||
} | ||
} | ||
} | ||
|
||
stage('Get InfraPool ExecutorV2 Agent(s)') { | ||
steps{ | ||
script { | ||
// Request ExecutorV2 agents for 1 hour | ||
infrapool = getInfraPoolAgent.connected(type: "ExecutorV2", quantity: 1, duration: 1)[0] | ||
} | ||
} | ||
} | ||
|
||
// Generates a VERSION file based on the current build number and latest version in CHANGELOG.md | ||
stage('Validate Changelog and set version') { | ||
steps { | ||
script { | ||
updateVersion(infrapool, "CHANGELOG.md", "${BUILD_NUMBER}") | ||
} | ||
} | ||
} | ||
stage('Test Installs') { | ||
steps { | ||
script { | ||
// Summon used to supply a github PAT to avoid | ||
// hitting the github unauthenticated rate limit in CI. | ||
// End users do not need to supply a token to install | ||
// the formulae. | ||
infrapool.agentSh 'tests/run-tests-in-docker.sh' | ||
} | ||
} | ||
} | ||
|
||
stage('Release') { | ||
when { | ||
expression { | ||
MODE == "RELEASE" | ||
} | ||
} | ||
|
||
steps { | ||
script { | ||
release(infrapool, { billOfMaterialsDirectory, assetDirectory -> | ||
/* Publish release artifacts to all the appropriate locations | ||
Copy any artifacts to assetDirectory on the infrapool node | ||
to attach them to the Github release. | ||
If your assets are on the infrapool node in the target | ||
directory, use a copy like this: | ||
infrapool.agentSh "cp target/* ${assetDirectory}" | ||
Note That this will fail if there are no assets, add :|| | ||
if you want the release to succeed with no assets. | ||
If your assets are in target on the main Jenkins agent, use: | ||
infrapool.agentPut(from: 'target/', to: assetDirectory) | ||
*/ | ||
}) | ||
} | ||
} | ||
} | ||
} | ||
post { | ||
always { | ||
releaseInfraPoolAgent() | ||
} | ||
} | ||
} |
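Review bot: The comment above `infrapool.agentSh 'tests/run-tests-in-docker.sh'` in the 'Test Installs' stage is stale or at least ambiguous: it says a GitHub PAT "used to" be supplied, but nothing in this stage passes one, and the new formula helper in this commit reads `HOMEBREW_GITHUB_PACKAGE_TOKEN` (not `GITHUB_TOKEN`) and raises on a rate-limit response. With the daily `cron` trigger and several formulae each making at least two api.github.com calls per install, a shared CI egress IP can plausibly hit the low unauthenticated per-IP limit and fail the build with a misleading error. I would rewrite the comment to state the actual situation, e.g. `// Installs run unauthenticated; if CI starts failing with "rate limit" errors, inject HOMEBREW_GITHUB_PACKAGE_TOKEN from a Jenkins credential (the formula helper reads that variable).`, and if the script does pass a token, say so there instead. Whether `tests/run-tests-in-docker.sh` itself sets the variable is not visible in this hunk.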
@@ -0,0 +1,115 @@ | ||
require 'net/http' | ||
require 'uri' | ||
require 'json' | ||
|
||
# Get release info from github | ||
# Extracted into a class so it can be shared by multiple formulae. | ||
|
||
class GithubUpdate | ||
# net::http doesn't handle redirects, so we have to handle them | ||
# here. It also doesnt have raise_for_status (like python requests) | ||
# so we check the http response code and raise if its not a redirect | ||
# or a 200. | ||
def self.get_with_redirect(uri) | ||
for _ in 1..20 | ||
# Ruby <3 includes net/http <0.1.1 where get_response doesn't take | ||
# headers. Macos includes ruby 2.6.0, and to avoid users having to | ||
# update ruby in order to brew install this package, we must make | ||
# sure the library calls used are compatible with net/http v0.1.0 | ||
request = Net::HTTP::Get.new(uri) | ||
using_token = false | ||
# Homebrew seems to santize its environment variables, so we have to | ||
# use a hombrew recognised environment variable. | ||
if ENV.include? 'HOMEBREW_GITHUB_PACKAGE_TOKEN' and not(ENV['HOMEBREW_GITHUB_PACKAGE_TOKEN'].empty?) | ||
using_token = true | ||
# While github allows unauthenticated requests, the rate limit is low | ||
# and easily hit in CI systems. To avoid this, we allow a GITHUB_TOKEN | ||
# to be specified. | ||
request["Authorization"] = "token #{ENV['HOMEBREW_GITHUB_PACKAGE_TOKEN']}" | ||
end | ||
response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| | ||
http.request(request) | ||
} | ||
redirect = response.header['location'] | ||
if redirect != nil | ||
uri = URI.parse(response.header['location']) | ||
elsif response.code == 200.to_s | ||
return response | ||
else | ||
body = response.body | ||
if body.include? "rate limit" | ||
if using_token | ||
raise "Github rate limit exceeded :( "\ | ||
"A token was provided, check its valid and has quota." | ||
else | ||
raise "Github rate limit exceeded :( "\ | ||
"Rate limits are higher for authenticated users so try with a "\ | ||
"Github Personal Access Token eg: " \ | ||
"HOMEBREW_GITHUB_PACKAGE_TOKEN=YOUR_PAT_HERE brew install ... " | ||
end | ||
else | ||
raise "Failed to fetch #{response.uri} Code: #{response.code} Response: #{response.body}." | ||
end | ||
end | ||
end | ||
raise "Too many redirects fetching #{uri}" | ||
end | ||
|
||
def self.getLatestRelease(repo) | ||
|
||
# Can't use graphql unauthenticated, so have to use v3/REST API. | ||
|
||
# Find the latest release | ||
releases_uri = URI.parse("https://api.github.com/repos/#{repo}/releases") | ||
releases_response = self.get_with_redirect(releases_uri) | ||
releases = JSON.parse(releases_response.body) | ||
raise "No GitHub releases found for repo #{repo}" if releases.empty? | ||
latest = releases[0] | ||
|
||
ver = latest["tag_name"].delete_prefix("v") | ||
|
||
# Get list of artifacts from release | ||
artifacts_uri = URI.parse(latest["assets_url"]) | ||
artifacts_response = self.get_with_redirect(artifacts_uri) | ||
artifacts_json = JSON.parse(artifacts_response.body) | ||
|
||
# Find hashes file generated by goreleaser in list of release assets | ||
hashes_artifact_matches = artifacts_json.filter do |a| | ||
a['name'].include? "SHA256SUMS" | ||
end | ||
if hashes_artifact_matches.empty? | ||
raise "SHA256SUMS asset not found attached to github release #{releases_uri}" | ||
end | ||
hashes_artifact = hashes_artifact_matches[0] | ||
|
||
# Download Hashes file | ||
hashes_uri = URI.parse(hashes_artifact['browser_download_url']) | ||
hashes_response = self.get_with_redirect(hashes_uri) | ||
hashes_txt = hashes_response.body | ||
|
||
# Parse hashes file into { filename => {'hash' => hash}} | ||
artifacts = {} | ||
for line in hashes_txt.split("\n") do | ||
hash, file = line.split() | ||
artifacts[file] = {"hash" => hash} | ||
end | ||
|
||
# Add download url to each artifact | ||
# After this loop we have { filename => {'hash' => hash, 'url' => url}} | ||
for artifact in artifacts_json do | ||
name = artifact['name'] | ||
if artifacts.key? name | ||
artifacts[name]['url'] = artifact['browser_download_url'] | ||
end | ||
end | ||
return ver, artifacts | ||
end | ||
|
||
# Map homebrew to goreleaser arch types | ||
def self.arch(type) | ||
return { | ||
"intel" => "amd64", | ||
"arm" => "arm64" | ||
}[String(type)] | ||
end | ||
end |
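Review bot: In `get_with_redirect` the `HOMEBREW_GITHUB_PACKAGE_TOKEN` is attached to every hop, not just the first request, because the loop rebuilds the `Net::HTTP::Get` with the `Authorization` header after `uri` has been replaced by whatever host the `Location` header named, so a redirect (which asset downloads via `browser_download_url` normally involve) sends the user's PAT to a third-party host. Restrict the token to the API host, e.g. `if ENV.include?('HOMEBREW_GITHUB_PACKAGE_TOKEN') && !ENV['HOMEBREW_GITHUB_PACKAGE_TOKEN'].empty? && uri.host == 'api.github.com'`, and since `use_ssl: true` is hard-coded regardless of the redirect target's scheme, reject anything that is not HTTPS explicitly with `raise "Refusing non-HTTPS redirect to #{redirect}" unless uri.scheme == 'https'`. Separately, `releases[0]` in `getLatestRelease` is simply the newest entry of the list endpoint, which includes pre-releases, whereas `/repos/#{repo}/releases/latest` returns only the latest published non-pre-release, so a tagged pre-release would be installed as the current version. Finally, the SHA256SUMS file comes from the same release as the binaries, so the hash check only protects transport integrity against a tampered download, not a compromised release or account; a comment above the download stating that limitation, and verifying a checksum signature if goreleaser publishes one for these repos, would make the trust model explicit.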