# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved. # SPDX-License-Identifier: Apache-2.0 # Azure Pipelines file, see https://aka.ms/yaml # Do not run on PRs pr: none # Do not run on merge to main trigger: none # Do run on a schedule (hourly) # # This is currently (2019-08-15) broken on Azure for GitHub-hosted repos. It # does, however, work as expected for Azure-hosted repos. As a workaround, we # have created a repo inside Azure that contains an `azure-pipelines.yml` file # that just triggers this job. # # When the situation is resolved, delete that repo in Azure and uncomment the # following. In the meantime, this should stay commented so we avoid running # jobs twice when Azure fixes this issue. #schedules: #- cron: "0 * * * *" # displayName: hourly cron # branches: # include: # - main # always: true jobs: - job: docs timeoutInMinutes: 120 pool: name: 'ubuntu_20_04' demands: assignment -equals default steps: - checkout: self - bash: ci/dev-env-install.sh displayName: 'Build/Install the Developer Environment' - bash: | set -euo pipefail eval "$(dev-env/bin/dade assist)" bazel build //ci/cron:cron ./bazel-bin/ci/cron/cron docs env: AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY) - template: ci/tell-slack-failed.yml - job: docker_image timeoutInMinutes: 60 pool: name: 'ubuntu_20_04' demands: assignment -equals default steps: - checkout: self - bash: | set -euo pipefail eval "$(dev-env/bin/dade-assist)" HEAD=$(git rev-parse HEAD) while ! nix-build -A tools.sed -A tools.jq -A tools.curl -A tools.base64 nix; do :; done trap 'rm -rf ~/.docker' EXIT echo $DOCKER_PASSWORD | docker login --username $DOCKER_LOGIN --password-stdin echo $DOCKER_CONTENT_TRUST_KEY | base64 -d > ~/.docker/da_automation.key chmod 600 ~/.docker/da_automation.key docker trust key load ~/.docker/da_automation.key --name $DOCKER_CONTENT_TRUST_USERNAME RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -sSfL | jq -r '.[] | .tag_name') DIR=$(pwd) VERSIONS=$(curl 'https://hub.docker.com/v2/repositories/digitalasset/daml-sdk/tags/?page_size=10000' -sSfL) # Our docker tags should be stable. Therefore, we only build the image if it has not already # been built before and we checkout the Dockerfile for the release tag. # We do not update docker images for older releases so only docker images for SDK releases # >= 0.13.43 are built this way. for version in $(echo $RELEASES | sed -e 's/ /\n/g'); do LAST_UPDATE=$(echo $VERSIONS | jq -r '.results[] | select(.name == "'${version#v}'") | .last_updated') if [[ -n "$LAST_UPDATE" ]]; then echo "${version#v} already exists, skipping." else echo "Building version ${version#v}..." git checkout "$version" cd ci/docker/daml-sdk docker build -t digitalasset/daml-sdk:${version#v} --build-arg VERSION=${version#v} . # Despite the name not suggesting it at all, this actually signs # _and pushes_ the image; see # https://docs.docker.com/engine/security/trust/#signing-images-with-docker-content-trust docker trust sign digitalasset/daml-sdk:${version#v} cd "$DIR" git checkout $HEAD echo "Done." fi done env: DOCKER_LOGIN: $(DOCKER_LOGIN) DOCKER_PASSWORD: $(DOCKER_PASSWORD) DOCKER_CONTENT_TRUST_KEY: $(DOCKER_CONTENT_TRUST_KEY) DOCKER_CONTENT_TRUST_USERNAME: $(DOCKER_CONTENT_TRUST_USERNAME) # Does not appear explicitly in the script, but is used by # docker trust key load DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: $(DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE) - template: ci/tell-slack-failed.yml - job: vscode_marketplace timeoutInMinutes: 10 pool: name: 'ubuntu_20_04' demands: assignment -equals default steps: - checkout: self - bash: | set -euo pipefail eval "$(dev-env/bin/dade-assist)" AUTH=$(echo -n "OAuth:${MARKETPLACE_TOKEN}" | base64 -w0) MARKET=$(curl -H "Authorization: Basic $AUTH" \ -H "Accept: application/json;api-version=5.0-preview.2" \ -sSfL \ "https://marketplace.visualstudio.com/_apis/gallery/publishers/DigitalAssetHoldingsLLC/extensions/daml?flags=1" \ | jq -r '.versions[0].version') # This jq expression should ensure that we always upload the # highest-number version. Here is how this works: # # 1. The GitHub API documentation does not specify the order for the # "list releases" endpoint, but does specify that the "latest" # endpoint returns the release that points to the most recent commit. # Assuming the same sort order is applied for the list endpoint # (which empirically seems to hold so far), this means that they may # be out-of-order wrt version numbers, e.g. 1.1.0 may appear after # 1.0.2. # 2. The `.tag_name | .[1:] | split (".") | map(tonumber)` part will # turn "v1.0.2" into an array [1, 0, 2]. # 3. jq documents its sort method to sort numbers in numeric order # and arrays in lexical order (ascending in both cases). # # This is required because, while the VSCode Marketplace does show # _a_ version number, it doesn't handle versions at all: we can only # have one version on the marketplace at any given time, and any # upload replaces the existing version. GITHUB=$(curl https://api.github.com/repos/digital-asset/daml/releases -sSfL \ | jq -r '. | map(select(.prerelease == false) | .tag_name | .[1:] | split (".") | map(tonumber)) | sort | reverse | .[0] | map(tostring) | join(".")') if [[ "$GITHUB" != "$MARKET" ]] && git merge-base --is-ancestor 798e96c9b9034eac85ace786b9e1955cf380285c v$GITHUB; then echo "Publishing $GITHUB to VSCode Marketplace" git checkout v$GITHUB cd compiler/daml-extension # This produces out/src/extension.js bazel run @nodejs//:yarn bazel run @nodejs//:yarn compile bazel run --run_under="cd $PWD && " @daml_extension_deps//vsce/bin:vsce -- publish --yarn $GITHUB -p $MARKETPLACE_TOKEN else if [[ "$GITHUB" == "$MARKET" ]]; then echo "Version on marketplace is already the latest ($GITHUB)." else echo "Latest version is not ready for marketplace publication." fi fi env: MARKETPLACE_TOKEN: $(VSCODE_MARKETPLACE_TOKEN) - template: ci/tell-slack-failed.yml - job: download_stats timeoutInMinutes: 10 pool: name: "ubuntu_20_04" demands: assignment -equals default steps: - checkout: self - bash: | set -euo pipefail eval "$(dev-env/bin/dade-assist)" STATS=$(mktemp) curl https://api.github.com/repos/digital-asset/daml/releases -sSfL | gzip -9 > $STATS GCS_KEY=$(mktemp) cleanup () { rm -f $GCS_KEY } trap cleanup EXIT echo "$GOOGLE_APPLICATION_CREDENTIALS_CONTENT" > $GCS_KEY gcloud auth activate-service-account --key-file=$GCS_KEY BOTO_CONFIG=/dev/null gsutil cp $STATS gs://daml-data/downloads/$(date -u +%Y%m%d_%H%M%SZ).json.gz env: GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT) - template: ci/tell-slack-failed.yml