[JEP-229] Generate temporary Artifactory tokens and submit them to GitHub repos for CD #1747
Conversation
```groovy
env.JAVA_HOME = tool 'jdk11'
sh "${mvnHome}/bin/mvn -U clean verify"
```

Suggested change (replacing the two lines above):

```groovy
withEnv(["JAVA_HOME=${tool 'jdk11'}", "PATH+MVN=$mvnHome"]) {
    sh 'mvn -U clean verify'
}
```
see also jenkinsci/workflow-cps-plugin#370 and JENKINS-28718 (automatic in Declarative)
```groovy
@Override
@NonNull String toGeneratedGroupName(String baseName) {
    // Add 'cd' to indicate this group is for CD only
```
Note that the token can be used for non-continuous (on-demand) delivery as well; it is more about automated publishing. Maybe too fine a distinction.
Good point, but the idea here is to help people in a few years better understand what these groups are for through a name that hints at the use. That the "CD" infra can be used to deploy in non-CD ways, granted.
(Also `cd` is the name of the YAML element that enables the group creation. If you have better suggestions, please tell me.)
Also minor HTTP error handling fix
For my reference, the GitHub secret names changed as of f7899b8 to not mention Artifactory specifically.

Is there a plan to make this live?

IMO we can squash-merge this at any time :) It's backward compatible with existing stuff and we can carefully onboard new repos.

Looks like nobody else cared, so I merged this. Slight trouble on trusted.ci as there was no tool I checked the results and they look good, so I will proceed with removing the now obsolete

So, this is live and ready to use now, and I can proceed with JEP-229 testing?

Yes

Sort of, the pipeline is broken, it does not grant access to a GH token. I asked @olblak on IRC what the scopes of credentials in trusted.ci are, to amend the pipeline, but no answer so far. Once we fix that, we can add

OK, just let me know when you believe it is actually working.
Does this handle multi-module repos?
I doubt it. Something for a future enhancement I think.
See JEP-229.

This adds a new optional element to YAML files,

If set and enabled, 1) a group will be generated in Artifactory, 2) the group is added to the permissions target for the artifact, and 3) a token for the group is generated. This required quite a bit of rework, since so far we managed upload permissions entirely without groups. Now we also need to generate those, because anonymous Artifactory tokens require groups to get permissions. To limit the amount of generated data and make permissions easier to trouble-shoot, the groups created here will always be empty, and only groups for CD-enabled artifacts will be created. Once all of the above is done, the generated token is uploaded to the GitHub repository as a secret.

To not interfere with the previous iteration of the tool, a new prefix `generatedv2` is used for Artifactory permission targets and groups. While in development, this also does not assign real release permissions; instead it operates on the `snapshots` repository.

WIP checklist:

"Maybe" list:

Stuff that's not being fixed:

`name` and `paths` that leads to errors

FYI @jglick