mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-20 09:17:43 +03:00
ca976fe3d7
Because there's no reason not to. The only obstacle to automating the normal release process is that we need an explicit manual validation step for our audit log when creating a release, but split-releases are created in the Assemblty repo, so we can have the audit log over there. The diff is going to be very messy because there's a lot of stuff moving around. The only thing that is not just moving a job to a separate file is the `ci/daily-snapshot.yml` file, which is 100% new and is meant as a new Azure Pipelines entrypoint (which I will create after this gets approved). I have made a reasonable effort to create individual commits that simplify reviewing, but I expect it's still going to be kind of a mess. I'm open to opening separate PRs to ~bump my stats~ move one job at a time if that makes reviewing (and testing) easier. CHANGELOG_BEGIN CHANGELOG_END
240 lines
8.4 KiB
YAML
240 lines
8.4 KiB
YAML
# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# Azure Pipelines file, see https://aka.ms/yaml
|
|
|
|
# Enable builds on all branches
|
|
trigger:
|
|
# Build every commit as our release process relies on
|
|
# the release process being built alone.
|
|
batch: false
|
|
branches:
|
|
include:
|
|
- main
|
|
- release/*
|
|
|
|
# Enable PR triggers that target the main branch
|
|
pr: none
|
|
|
|
jobs:
|
|
- template: ci/build.yml
|
|
- template: ci/check-for-release-job.yml
|
|
|
|
- job: release
|
|
dependsOn: [ "check_for_release", "Linux", "macOS", "Windows" ]
|
|
condition: and(succeeded(),
|
|
eq(dependencies.check_for_release.outputs['out.is_release'], 'true'),
|
|
eq(dependencies.check_for_release.outputs['out.split_release_process'], 'false'),
|
|
eq(variables['Build.SourceBranchName'], 'main'))
|
|
pool:
|
|
name: 'ubuntu_20_04'
|
|
demands: assignment -equals default
|
|
variables:
|
|
release_sha: $[ dependencies.check_for_release.outputs['out.release_sha'] ]
|
|
release_tag: $[ dependencies.check_for_release.outputs['out.release_tag'] ]
|
|
trigger_sha: $[ dependencies.check_for_release.outputs['out.trigger_sha'] ]
|
|
steps:
|
|
- template: ci/report-start.yml
|
|
- checkout: self
|
|
persistCredentials: true
|
|
- bash: |
|
|
set -euo pipefail
|
|
git checkout $(release_sha)
|
|
name: checkout_release
|
|
- template: ci/bash-lib.yml
|
|
parameters:
|
|
var_name: bash-lib
|
|
- bash: |
|
|
set -euo pipefail
|
|
source $(bash-lib)
|
|
if git tag v$(release_tag) $(release_sha); then
|
|
git push origin v$(release_tag)
|
|
mkdir $(Build.StagingDirectory)/release-artifacts
|
|
else
|
|
setvar skip-github TRUE
|
|
fi
|
|
- task: DownloadPipelineArtifact@0
|
|
inputs:
|
|
artifactName: linux-release
|
|
targetPath: $(Build.StagingDirectory)/release-artifacts
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- task: DownloadPipelineArtifact@0
|
|
inputs:
|
|
artifactName: macos-release
|
|
targetPath: $(Build.StagingDirectory)/release-artifacts
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- task: DownloadPipelineArtifact@0
|
|
inputs:
|
|
artifactName: windows-release
|
|
targetPath: $(Build.StagingDirectory)/release-artifacts
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- bash: |
|
|
set -euo pipefail
|
|
# Note: this gets dev-env from the release commit, not the trigger commit
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
KEY_FILE=$(mktemp)
|
|
GPG_DIR=$(mktemp -d)
|
|
cleanup() {
|
|
rm -rf $KEY_FILE $GPG_DIR
|
|
}
|
|
trap cleanup EXIT
|
|
echo "$GPG_KEY" | base64 -d > $KEY_FILE
|
|
gpg --homedir $GPG_DIR --no-tty --quiet --import $KEY_FILE
|
|
cd $(Build.StagingDirectory)/release-artifacts/github
|
|
sha256sum $(find . -type f | sort) > sha256sums
|
|
# Note: relies on our release artifacts not having spaces in their
|
|
# names. Creates a ${f}.asc with the signature for each $f.
|
|
for f in *; do
|
|
gpg --homedir $GPG_DIR -ab $f
|
|
done
|
|
cd ../artifactory
|
|
for f in *; do
|
|
gpg --homedir $GPG_DIR -ab $f
|
|
done
|
|
env:
|
|
GPG_KEY: $(gpg-code-signing)
|
|
- task: GitHubRelease@0
|
|
inputs:
|
|
gitHubConnection: 'garyverhaegen-da'
|
|
repositoryName: '$(Build.Repository.Name)'
|
|
action: 'create'
|
|
target: '$(release_sha)'
|
|
tagSource: 'manual'
|
|
tag: 'v$(release_tag)'
|
|
assets: $(Build.StagingDirectory)/release-artifacts/github/*
|
|
assetUploadMode: 'replace'
|
|
title: '$(release_tag)'
|
|
addChangeLog: false
|
|
isPrerelease: true
|
|
releaseNotesSource: 'input'
|
|
releaseNotes: "This is a pre-release. Use at your own risk."
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- bash: |
|
|
set -euo pipefail
|
|
# Note: this gets dev-env from the release commit, not the trigger commit
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
./ci/publish-artifactory.sh $(Build.StagingDirectory) $(release_tag)
|
|
env:
|
|
AUTH: $(ARTIFACTORY_USERNAME):$(ARTIFACTORY_PASSWORD)
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- bash: |
|
|
set -euo pipefail
|
|
|
|
# Note: this gets dev-env from the release commit, not the trigger commit
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
source $(bash-lib)
|
|
|
|
cd $(Build.StagingDirectory)/release-artifacts/github
|
|
for f in *; do
|
|
gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/github/$f"
|
|
done
|
|
|
|
cd $(Build.StagingDirectory)/release-artifacts/artifactory
|
|
for f in *; do
|
|
gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/artifactory/$f"
|
|
done
|
|
name: backup_to_gcs
|
|
env:
|
|
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
|
|
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
|
|
- bash: |
|
|
set -euo pipefail
|
|
source $(bash-lib)
|
|
# Note: this gets dev-env from the release commit, not the trigger commit
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
msg=$(git log -n1 --format=%b HEAD | head -1)
|
|
# Keep this line in sync with RELEASE_PR_NOTIF in ci/cron/wednesday.yml
|
|
if [ "$msg" = "This PR has been created by a script, which is not very smart" ]; then
|
|
pr_handler="<@$(next_in_rotation_slack)>"
|
|
else
|
|
pr_handler=""
|
|
fi
|
|
curl -XPOST \
|
|
-i \
|
|
-H 'Content-Type: application/json' \
|
|
--data "{\"text\":\"${pr_handler} Release \`$(release_tag)\` is ready for testing. See <https://github.com/digital-asset/daml/blob/main/release/RELEASE.md|release instructions>. (<https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|build>, <https://github.com/digital-asset/daml/commit/$(trigger_sha)|trigger commit>, <https://github.com/digital-asset/daml/commit/$(release_sha)|target commit>)\"}" \
|
|
$(Slack.team-daml)
|
|
- template: ci/tell-slack-failed.yml
|
|
parameters:
|
|
trigger_sha: '$(trigger_sha)'
|
|
- template: ci/report-end.yml
|
|
|
|
- template: ci/split-release-job.yml
|
|
|
|
- job: compat_versions_pr
|
|
dependsOn:
|
|
- git_sha
|
|
- release
|
|
- check_for_release
|
|
pool:
|
|
name: ubuntu_20_04
|
|
demands: assignment -equals default
|
|
variables:
|
|
release_tag: $[ dependencies.check_for_release.outputs['out.release_tag'] ]
|
|
branch_sha: $[ dependencies.git_sha.outputs['out.branch'] ]
|
|
steps:
|
|
- checkout: self
|
|
persistCredentials: true
|
|
- bash: ci/dev-env-install.sh
|
|
- template: ci/bash-lib.yml
|
|
parameters:
|
|
var_name: bash_lib
|
|
- bash: |
|
|
set -euo pipefail
|
|
eval "$(./dev-env/bin/dade-assist)"
|
|
|
|
## refresh tags, in case someone deleted one
|
|
git fetch --prune --prune-tags
|
|
|
|
source $(bash_lib)
|
|
|
|
DELAY=1
|
|
while ! curl --fail -I https://repo1.maven.org/maven2/com/daml/ledger-api-test-tool/$(release_tag)/ledger-api-test-tool-$(release_tag).jar; do
|
|
sleep $DELAY
|
|
DELAY=$(( DELAY * 2 ))
|
|
if (( $DELAY > 2000 )); then
|
|
echo "Too many attempts waiting for Maven."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
cp .bazelrc compatibility/
|
|
compatibility/update-versions.sh
|
|
git add compatibility/versions.bzl compatibility/maven_install.json
|
|
|
|
|
|
if ! git diff --cached --quiet; then
|
|
BRANCH=update-compat-versions-for-$(release_tag)-$(Build.BuildId)
|
|
TITLE="update compat versions for $(release_tag)"
|
|
open_pr "$BRANCH" "$TITLE"
|
|
setvar "branch" "$BRANCH"
|
|
else
|
|
echo "No changes"
|
|
setvar "branch" ""
|
|
fi
|
|
|
|
|
|
name: out
|
|
|
|
- template: ci/tell-slack-failed.yml
|
|
parameters:
|
|
trigger_sha: '$(trigger_sha)'
|
|
|
|
- job: compat_versions_pr_trigger_daily
|
|
dependsOn: compat_versions_pr
|
|
pool:
|
|
vmImage: "ubuntu-18.04"
|
|
variables:
|
|
branch: $[ dependencies.compat_versions_pr.outputs['out.branch'] ]
|
|
steps:
|
|
- checkout: none
|
|
- template: ci/bash-lib.yml
|
|
parameters:
|
|
var_name: bash-lib
|
|
- bash: |
|
|
set -euo pipefail
|
|
source $(bash-lib)
|
|
trigger_azure $(System.AccessToken) PRs --branch $(branch)
|
|
trigger_azure $(System.AccessToken) digital-asset.daml-daily-compat --branch $(branch)
|
|
condition: and(succeeded(), not(eq(variables['branch'], '')))
|