daml/azure-pipelines.yml

# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

# Azure Pipelines file, see https://aka.ms/yaml

# Enable builds on all branches
trigger:
  # Build every commit as our release process relies on
  # the release process being built alone.
  batch: false
  branches:
    include:
      - main
      - release/*

# Enable PR triggers that target the main branch
pr: none

jobs:
- template: ci/build.yml

- job: release
  dependsOn: [ "check_for_release", "Linux", "macOS", "Windows" ]
  condition: and(succeeded(),
                 eq(dependencies.check_for_release.outputs['out.is_release'], 'true'),
                 eq(variables['Build.SourceBranchName'], 'main'))
  pool:
    name: 'ubuntu_20_04'
    demands: assignment -equals default
  variables:
    release_sha: $[ dependencies.check_for_release.outputs['out.release_sha'] ]
    release_tag: $[ dependencies.check_for_release.outputs['out.release_tag'] ]
    trigger_sha: $[ dependencies.check_for_release.outputs['out.trigger_sha'] ]
  steps:
    - template: ci/report-start.yml
    - checkout: self
      persistCredentials: true
    - bash: |
        set -euo pipefail
        git checkout $(release_sha)        
      name: checkout_release
    - template: ci/bash-lib.yml
      parameters:
        var_name: bash-lib
    - bash: |
        set -euo pipefail
        source $(bash-lib)
        if git tag v$(release_tag) $(release_sha); then
          git push origin v$(release_tag)
          mkdir $(Build.StagingDirectory)/release-artifacts
        else
          setvar skip-github TRUE
        fi        
    - task: DownloadPipelineArtifact@0
      inputs:
        artifactName: linux-release
        targetPath: $(Build.StagingDirectory)/release-artifacts
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - task: DownloadPipelineArtifact@0
      inputs:
        artifactName: macos-release
        targetPath: $(Build.StagingDirectory)/release-artifacts
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - task: DownloadPipelineArtifact@0
      inputs:
        artifactName: windows-release
        targetPath: $(Build.StagingDirectory)/release-artifacts
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - bash: |
        set -euo pipefail
        KEY_FILE=$(mktemp)
        GPG_DIR=$(mktemp -d)
        cleanup() {
            rm -rf $KEY_FILE $GPG_DIR
        }
        trap cleanup EXIT
        echo "$GPG_KEY" | base64 -d > $KEY_FILE
        gpg --homedir $GPG_DIR --no-tty --quiet --import $KEY_FILE
        cd $(Build.StagingDirectory)/release-artifacts/github
        sha256sum $(find . -type f | sort) > sha256sums
        # Note: relies on our release artifacts not having spaces in their
        # names. Creates a ${f}.asc with the signature for each $f.
        for f in *; do
            gpg --homedir $GPG_DIR -ab $f
        done
        cd ../artifactory
        for f in *; do
            gpg --homedir $GPG_DIR -ab $f
        done        
      env:
        GPG_KEY: $(gpg-code-signing)
    - task: GitHubRelease@0
      inputs:
        gitHubConnection: 'garyverhaegen-da'
        repositoryName: '$(Build.Repository.Name)'
        action: 'create'
        target: '$(release_sha)'
        tagSource: 'manual'
        tag: 'v$(release_tag)'
        assets: $(Build.StagingDirectory)/release-artifacts/github/*
        assetUploadMode: 'replace'
        title: '$(release_tag)'
        addChangeLog: false
        isPrerelease: true
        releaseNotesSource: 'input'
        releaseNotes: "This is a pre-release. Use at your own risk."
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - bash: |
        set -euo pipefail
        ./ci/publish-artifactory.sh $(Build.StagingDirectory) $(release_tag)        
      env:
        AUTH: $(ARTIFACTORY_USERNAME):$(ARTIFACTORY_PASSWORD)
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - bash: |
        set -euo pipefail

        source $(bash-lib)

        cd $(Build.StagingDirectory)/release-artifacts/github
        for f in *; do
            gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/github/$f"
        done

        cd $(Build.StagingDirectory)/release-artifacts/artifactory
        for f in *; do
            gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/artifactory/$f"
        done        
      name: backup_to_gcs
      env:
        GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
      condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
    - bash: |
        set -euo pipefail
        msg=$(git log -n1 --format=%b HEAD | head -1)
        # Keep this line in sync with RELEASE_PR_NOTIF in ci/cron/wednesday.yml
        if [ "$msg" = "This PR has been created by a script, which is not very smart" ]; then
            pr_handler="<@$(head -1 release/rotation | awk '{print $1}')>"
        else
            pr_handler=""
        fi
        curl -XPOST \
             -i \
             -H 'Content-Type: application/json' \
             --data "{\"text\":\"${pr_handler} Release \`$(release_tag)\` is ready for testing. See <https://github.com/digital-asset/daml/blob/main/release/RELEASE.md|release instructions>. (<https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|build>, <https://github.com/digital-asset/daml/commit/$(trigger_sha)|trigger commit>, <https://github.com/digital-asset/daml/commit/$(release_sha)|target commit>)\"}" \
             $(Slack.team-daml)        
    - template: ci/tell-slack-failed.yml
      parameters:
        trigger_sha: '$(trigger_sha)'
    - template: ci/report-end.yml

- job: compat_versions_pr
  dependsOn:
  - git_sha
  - release
  - check_for_release
  pool:
    name: ubuntu_20_04
    demands: assignment -equals default
  variables:
    release_tag: $[ dependencies.check_for_release.outputs['out.release_tag'] ]
    branch_sha: $[ dependencies.git_sha.outputs['out.branch'] ]
  steps:
  - checkout: self
    persistCredentials: true
  - bash: ci/dev-env-install.sh
  - template: ci/bash-lib.yml
    parameters:
      var_name: bash_lib
  - bash: |
      set -euo pipefail
      eval "$(./dev-env/bin/dade-assist)"

      ## refresh tags, in case someone deleted one
      git fetch --prune --prune-tags

      source $(bash_lib)

      DELAY=1
      while ! curl --fail -I https://repo1.maven.org/maven2/com/daml/ledger-api-test-tool/$(release_tag)/ledger-api-test-tool-$(release_tag).jar; do
          sleep $DELAY
          DELAY=$(( DELAY * 2 ))
          if (( $DELAY > 2000 )); then
              echo "Too many attempts waiting for Maven."
              exit 1
          fi
      done

      trap "git checkout $(branch_sha)" EXIT
      git checkout origin/main
      cp .bazelrc compatibility/
      compatibility/update-versions.sh
      git add compatibility/versions.bzl compatibility/maven_install.json

      BRANCH=update-compat-versions-for-$(release_tag)-$(Build.BuildId)
      TITLE="update compat versions for $(release_tag)"
      open_pr "$BRANCH" "$TITLE"

      setvar "branch" "$BRANCH"      
    name: out

  - template: ci/tell-slack-failed.yml
    parameters:
      trigger_sha: '$(trigger_sha)'

- job: compat_versions_pr_trigger_daily
  dependsOn: compat_versions_pr
  pool:
    vmImage: "ubuntu-18.04"
  variables:
    branch: $[ dependencies.compat_versions_pr.outputs['out.branch'] ]
  steps:
  - checkout: none
  - bash: |
      set -euo pipefail
      az extension add --name azure-devops
      echo "$(System.AccessToken)" | az devops login --org "https://dev.azure.com/digitalasset"
      az pipelines build queue --branch $(branch) --definition-name "digital-asset.daml-daily-compat" --org "https://dev.azure.com/digitalasset" --project daml
      az pipelines build queue --branch $(branch) --definition-name "PRs" --org "https://dev.azure.com/digitalasset" --project daml