mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-11 04:45:57 +03:00
89f0dad016
I _believe_ this is what has been tripping up the check-releses job for the past few days: while updating the signing key, I did not update the key fingerprint to match, and therefore trying to check any signature fails. The failure mode of the existing script is still pretty bad, regadless: looping on the same release until the hard drive is full is definitely not expected. Our retry policies are supposed to have time bounds, and failure should result in cleaning up the workdir. run-full-compat: true
256 lines
11 KiB
YAML
256 lines
11 KiB
YAML
# Copyright (c) 2023 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
parameters:
|
|
var_name: ""
|
|
|
|
steps:
|
|
- bash: |
|
|
set -euo pipefail
|
|
TMP=$(mktemp)
|
|
cat > "$TMP" <<'END'
|
|
PROJ_DIR="$PWD"
|
|
escape_slack() {
|
|
local r
|
|
r="$1"
|
|
r="${r//&/&}"
|
|
r="${r//>/>}"
|
|
r="${r//</<}"
|
|
echo "$r"
|
|
}
|
|
get_gh_auth_header() {
|
|
# Credentials are persisted in a different way on GCP and Azure nodes.
|
|
if header=$(git config 'http.https://github.com/digital-asset/daml.extraheader'); then
|
|
# On Azure nodes, the auth header is stored directly in the git
|
|
# config.
|
|
echo $header
|
|
else
|
|
# On GCP nodes, the credentials are stored as part of the remote
|
|
# url instead of as a separate header. The format is
|
|
# https://username:password@github.com/:user/:repo.git
|
|
echo "Authorization: basic $(git config remote.origin.url | grep -o '://.*:.*@' | cut -c4- | rev | cut -c2- | rev | tr -d '\n' | base64 -w0)"
|
|
fi
|
|
}
|
|
open_pr() {
|
|
local branch title body pr_number header output
|
|
branch="$1"
|
|
title="$2"
|
|
body="${3:-}"
|
|
pr_number="${4:-}"
|
|
header=$(mktemp)
|
|
output=$(mktemp)
|
|
|
|
git branch -D $branch || true
|
|
git checkout -b $branch
|
|
git -c user.name="Azure Pipelines Daml Build" \
|
|
-c user.email="support@digitalasset.com" \
|
|
commit \
|
|
-m "$(printf "$title\n\n$body\n\nCHANGELOG_BEGIN\nCHANGELOG_END\n")"
|
|
git push origin $branch:$branch
|
|
jq -n --arg title "$title" \
|
|
--arg branch "$branch" \
|
|
--arg body "$(printf "$body")" \
|
|
'{"title": $title, "head": $branch, "base": "main", "body": $body}' \
|
|
| curl -H "Content-Type: application/json" \
|
|
-H "$(get_gh_auth_header)" \
|
|
--fail \
|
|
--silent \
|
|
--location \
|
|
--dump-header "$header" \
|
|
--output "$output" \
|
|
-d @- \
|
|
https://api.github.com/repos/digital-asset/daml/pulls
|
|
cat "$header" "$output"
|
|
if [ -n "$pr_number" ]; then
|
|
jq '.number' "$output" > "$pr_number"
|
|
fi
|
|
}
|
|
request_pr_review() {
|
|
local pr_number reviewer
|
|
pr_number="$1"
|
|
reviewer="$2"
|
|
|
|
jq -n --arg reviewer "$reviewer" \
|
|
'{"reviewers": [$reviewer]}' \
|
|
| curl -H "Content-Type: application/json" \
|
|
-H "$(get_gh_auth_header)" \
|
|
--fail \
|
|
--silent \
|
|
--location \
|
|
-d @- \
|
|
"https://api.github.com/repos/digital-asset/daml/pulls/$pr_number/requested_reviewers"
|
|
}
|
|
user_slack_handle() {
|
|
local email sha
|
|
sha=$1
|
|
email=$(git log -n 1 --format=%ae $sha)
|
|
if cat ci/slack_user_ids | grep $email >/dev/null 2>&1; then
|
|
echo $(cat ci/slack_user_ids | grep $email | awk '{print $2}')
|
|
else
|
|
echo ""
|
|
fi
|
|
}
|
|
tell_slack() {
|
|
local message channel
|
|
message="$1"
|
|
channel=${2:-$(Slack.team-daml)}
|
|
jq -n --arg message "$message" '{"text": $message}' \
|
|
| curl -XPOST -i -H 'Content-Type: application/json' -d @- $channel
|
|
}
|
|
wrap_gcloud() (
|
|
cred="$1"
|
|
cmd="$2"
|
|
key=$(mktemp)
|
|
config_dir=$(mktemp -d)
|
|
trap "rm -rf $key $config_dir" EXIT
|
|
echo "$cred" > $key
|
|
export CLOUDSDK_CONFIG="$config_dir"
|
|
export BOTO_CONFIG=/dev/null
|
|
gcloud auth activate-service-account --key-file=$key
|
|
eval "$cmd"
|
|
)
|
|
gcs() (
|
|
cred="$1"
|
|
cmd="${@:2}"
|
|
|
|
wrap_gcloud "$cred" "gsutil $cmd"
|
|
)
|
|
gpg_verify() {
|
|
local key gpg_dir signature_file res
|
|
signature_file=$1
|
|
key=$(mktemp)
|
|
cat > $key <<PUB_KEY
|
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
|
|
mQINBGO9khIBEAC/D5WTgMJQGQso1JfN5RTq6YiCBwJ+L84YfKCPUo1yW7/RQHNZ
|
|
+5rYUQpGf1K5KCIhHtJeQyANzPy9KWnhDX6lIaoau6Dg9JK3SwNv20jDyCzZOjNW
|
|
Gfajy7xVTWXmYM/us8/A5kJN4pwEGIUL73n2uOtOzhpJ6TGLujNKB5EfGUO1L2Jr
|
|
v9BGx2ghv+dbdR3kPX6SYuj7U+tDvoaqJB8729kL14grpBqYy2YhF5eoLyvBaE9x
|
|
brDydUCu5t2Xpr7yI7xGOhUSn2ygoP3e9YSjOhowj5U5oFtTGxvqSf7xd9gkFaZY
|
|
uA58X3su0nxZ/9nbvb2RJPKtlUeOJS8pggXVSSGrHfWw3Bnu2G1pQNO+MYCS0Cu/
|
|
gMxQTnJ4itUNoFb3c9dSnB/VXWxsvlK3F+EdFg9HLNiStJVxPhPwgTo138ohTI1H
|
|
4eGdXpRPZSKNXGRRtWdbEseYBSDBzR0ulAn5TDXFDFjjJ5u7KJfdN7p9YaXWkXpB
|
|
+hvsiWJuvUDxTGlQE02PQjyN5vzj1NaU7CRRLvOYSstsOyTmuYg/xxvqA9XbPdti
|
|
g9AtaeYSjRzq7OBq79FhcmKDOfh7Zc07RRXHy2xTdvw+Iy5HEjk0fYFz+1Gtp78U
|
|
0iTv8tdqyh8dPvmuF7UbGWMJEMMD5d2goEw2ZnkqmLPFK5jq8qAshaQw9wARAQAB
|
|
tDdEaWdpdGFsIEFzc2V0IEhvbGRpbmdzLCBMTEMgPHNlY3VyaXR5QGRpZ2l0YWxh
|
|
c3NldC5jb20+iQJOBBMBCAA4FiEE8m2KCq32ZsyyjyqxZQ7DJTtqj/UFAmO9khIC
|
|
GwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQZQ7DJTtqj/WMbg/+K0Mte9y+
|
|
fCaWxFctfUbtd/JZBzpSCVMLN7PjZYZ50SwN/CqILUTFzzVLIx7uj/CyH/e1IV2O
|
|
RR7mWFTSADmkdrM45RBCvDs2UEIl3Rpsg/4iRpCZo01YQL9Y1XyUid8F3cQYmwPk
|
|
4YMY+tqqEhObAq0ngrGWiEWMUixbbRVqlPvRZDMeUNGdvmSOCs9LZLEnE9m4g2Kn
|
|
lNKddfLZ+sHaq2bfOiB+mZECX6wTusjqQWeJPRdflVWwMxZ7IkG9YoQHGlg8fTMd
|
|
3NqPE9OHOQiZhN4MbY6QZ70WexUNab8Pzf1Co4sSGhywVI3JibcqCNIbHW21+1py
|
|
OItJvdMxeSscOde2Fm5Dqmhf8UE+xgvPXa5xA5Yf40AqwuKt7boGsMf09Lf7zitX
|
|
5Zzl81saIPVC4OcM51t+sNDP6uJIynP5Dp1fxaIlb8gcQDqyWB/REr0vY1pRf/61
|
|
M8+jfUP3RJMbX/tUiCxEG+1uDSGTqj2Ac4TqiXfFKpg+TdEzNFj9VtrzTJT/tIgj
|
|
QlrKM9P9iB/JrNtqgeYrhaBZSpVKx4J7LNeIGdVJvRVzlW3tvCsTIT/lp/iJ1YjI
|
|
FCdb76leR/PgQNdk4wyU4JLXOYueEPAbyiBqQwgmOoT8GpY1PP4dsFfu7MoV0Cq7
|
|
//q+uwegRr5lLV6LwSBuFd1hqQ9ZdjAmmRi5Ag0EY72SEgEQAKP+D3bVJPC6sxSj
|
|
q/3UH9hixNhcmG61w6X1uW0x5jMMYN72ilnDLbgsgA3qEyZ8G/i34nUU4K/WZkWg
|
|
nJ59lOPIVf05yzEnesS6hbHXUzd6ayeWhPUzwxLBPy3yJUw7IRkFF9P9AMBaraAp
|
|
27ZuWy40Ta8bVKc9DgEeWuesyFAqs74W7cRfGm0SCAp8R3I+Syoj66+jpXYJ7sFt
|
|
eW4ITqrQcj64jBtGB8kQOe8JvC4COudXJ1BpKjExxIQlSK729tz0vsi+hzQfac/1
|
|
m3j082sH89ZU8y4GQpjWo6YyEzIxKBgoEogD0CvYOeJ9nK1Uv3pVFKyC1KdysQ+h
|
|
v+9V3zQoOaGF6115cIwQU1ewISUkiCOHzMYkrEXsbBOJlCmomuLnjMhsXht5tV4e
|
|
c8axn6QM7qRfSR/3R0RZwdAca0oZBN4ZOokUuZnR7/FxyiOhKilGW5iX+0m1VvKH
|
|
BImFM/VmCXw4hzcWZUZa5K6Ebpeg7zWN3a1kXZ+Kb2glqWYT5Pq3d1m+RtJOiuyn
|
|
uyr1BnX6OvjTNWTmKPqO8x223dZpNGdK6sfUUeZ67OokI/l2dALOuZRcuCLK32LB
|
|
uJmk/dLt4Bjem9ITFt2ECb1+RTa1aWOm8uS7BKUiDGedW6239h3HebdVenip1voY
|
|
3EdwpiQxgsCD3g2Sbzj9M5UGOsWzABEBAAGJAjwEGAEIACYCGwwWIQTybYoKrfZm
|
|
zLKPKrFlDsMlO2qP9QUCY72SxAUJA8JnsgAKCRBlDsMlO2qP9dfyD/9O76RZYI6w
|
|
8xIEOoK/cw//4IA0bbN/vC2tn5l1zUba6TrXhCYKr96//YJS9Fd239Gf4kC7AEbS
|
|
yf4ARLbezjtOVG33GlfrEFHfghMKhpjMQgb68NFw5U2eLMFc7BB/Fu4vSHqCMZ3I
|
|
ajM/465kq+jLxTNiuI14MFs1OLGD5WbAo9VEzBUbi3mK/CB4xv2UEd2y6ZAZuCXO
|
|
P2+Pr2P7W94ECu/N0dhnitkAirgXrS3nZSduLpjK/SkUzvdY642GHwy0i3M20Ztr
|
|
p7o1Uu7ztlD9yDUbksMyhskG7I+k2NGLAwz/CG91GRrYdUpoWsPlU5XLyxjHCmSC
|
|
q97qiRSKlGO3LbIiTRatrv+4fcdntN0EM/nJefdtKS8+qZqkPMGqURlDJcPnIpHk
|
|
jGccrEJz4aGB0/4Kr9UDBnWDPsH92E6lRa5QlzDOolEqgFHyyRP1JYJH3RGKVlYK
|
|
rcLlluADiRYXCadwtXvnkJGxfg2DGICn5bEInPtM+bEhO3IfqrjipvT/Qx3/N6T+
|
|
hiHyl2Yyi0loUhbWsTuuSz+D07wj/4X1evuaaAc56RSwv0x6rLSjkYj1I7V3nMvc
|
|
e2fwNFiJvLdGfMcIYyxrOwO24cFwzYMYoTDFmf8MkN/H/khKZiksdnIxfcBFfyWu
|
|
PA8s5O3Zs90Ack3IvK7uAhRDz1PpR6Y+1bkCDQRjvZKEARAAuTgK6INJWBEzfrDM
|
|
vM157ZGAM/7pyevj0WCDhqiCFdpH3MVt7+wq0tmR8Oo5Lt4AXqVtzn1bw1sMAkWK
|
|
U6yxLtS7cMiXOAPOtemTzWQkvk9o1FFygRQ8oyp4RUP4wj+W4lYaDhY+tJRDr/sR
|
|
6grYt/lZbfvEPuxL4jGW/dLSKHTLs8kh367Xm1qxqaG1C1tSLusTPb/8uNpOCANh
|
|
A2HAJRCGMox7f295+mEWXujif8yIfYtSQldqh+2bA6vaV3WKtHTPdLa1zzB20rf9
|
|
Mguz4ff3XDJCHPWOKeBOfqVS9CL67TZeOx0nJ6u2JnNDlwlzX7R63v1D/tSTYzPL
|
|
mJeosIjpRQg4ELyyLSkj0lANvY/AwlKeTPkvoc76UwsQRFgxx6ZZjKObjAok6TQK
|
|
HjszRNkeBWbbi8J+zvfS6U3+1qYtvf9Enpp1v1CWfEKZmC68MgspNCzLSOpkoAfe
|
|
k2iQ/XsjKXSsaUXY5A1DljQTVbSs9G3OkQA0Eyv4JPj2KEXPoF/0sIt2QRrayyqk
|
|
1lqN4k9a3zEZ2WpkQLIRK5DgCE/ORHXkperEWrDiAfSvuVl999jxr+Jqi8qvlPrm
|
|
aQd0X5Wc5gpb7X72FMsb2UHaWsUEs6nwoAWnXgA3PGd0r9LihZMJXfMc+LSF/dRK
|
|
fx+PizkTXQbfML8fi7Il9JA1p4UAEQEAAYkEcgQYAQgAJhYhBPJtigqt9mbMso8q
|
|
sWUOwyU7ao/1BQJjvZKEAhsCBQkDwmcAAkAJEGUOwyU7ao/1wXQgBBkBCAAdFiEE
|
|
ytw9HjtcTF+Upl14p79lqq27xJQFAmO9koQACgkQp79lqq27xJQG2hAAp4813NAu
|
|
AOg4C/Yvq8aqnDRDHw/ISs5XsQTfVwbIssSiSTqdJb4jX0rbKW1qzM6l15EmEsPV
|
|
5MCGfN8xfP5+UeeVIJaXLq3BMYJf1An8sun9f8Bp2Wdw6IDlr9VwFZ170JQ2xYvq
|
|
VJ+s/rxbCJ8K9neDPelzN/KXMyUV/uA5D1G92IlItinw4ZqD9e/CjPfIBwfNEMnZ
|
|
nYaku4VGJfzaMHezaUTB8UVyFVN6Zv2PGYEUBCwISM61IdnGKnJza0NMnEvGstXN
|
|
vtnWk7H/12Q4/rDpApy68Qbuo8gbZIifjNY00u2iyx4BEvji418NfTdF5HuPHR4m
|
|
g10cz+FcWxo13PGTXHKprNC9Y4M5nMAZW8z05/2geD8jzmY9Yz3m0GSVF/0cD3pB
|
|
rQ/LXirxgJ2prCuE7Ax8XTTBg7+cjgqk0InKh2pF0sK+2UCbnN4hR+SQvR256hWI
|
|
F+TP/rDryaqdubqCOh7kytPnPqZtL8VqK7yDRhfmgxv3+bpvm+B2qm1okUCkH3bb
|
|
AkvowTBOcyTqLw7hYsREHkYVROYg57GGhMStkzaD+lep9kEUgcaXZF41W02WJeS3
|
|
VYXwooxFBKMhzm+cluLV+ujC+FnRslh7q/u90+3N2VljEjxA4Oj3RNAARzpOs0V2
|
|
BtuUsiPCTvhRLBmdG3RH25jm2hUPexP2+pMyEw//V211M6+MT5a8kCybK5e93I3+
|
|
eT2bfAfd1k0kcQcfbocymxW5DJUqHgBj+G9ZC5PIAeFk+Jfld0y3M186NAvP8I4+
|
|
ZNsJExdQyp1CN53mSWtxAadgHNNhDKX0KwyCarCk04xbf0qjlsrWNbsUI04sM1zt
|
|
C46N/0JsCuG4uAztAfU9hjbLmSxpjf04Qqpc5NDlGLgZ2xQTVmXPlFg1DgrF6fIq
|
|
WZwPa7z1eihkrEERPjnisjuwMd4uO5BIkqh8F7HdOnARYXpftg9LReV973z7i8n9
|
|
4rhpBedAHwVRqWo8owM8DOVTaHAQzMnnzB+6nCoOcZc7PzhWtKKhZupW2DYaLdIh
|
|
nlVCrmMSozkFn3shtOJ76XF2DMDpk0353w6i6rKghWC7TdpXPnWkHkExw4Pjnlse
|
|
1NP2vdz183NKqEKros463i+hOszQj7jb5DiFxxOnKUfxBNEMJXTqYzXdEzw7Sncw
|
|
NwTv4pFxnk3XFJD3IIXMdaCDYmHIJYK5Fwgc0Cop3dRAMJIB+0Q1/p+urDXqZphq
|
|
AGroZ22Z1DXzv7rm1x2drZyOBohc+dqn3zjEx+lwZ6CY8XPiQgbWEzSzY8YT4oUA
|
|
xRcs9cJ+0SK/HhW/EG51YNbr5IMDb3HvycHEreszEvwq2HdnsMIYdM8GC7fl7Zpp
|
|
0r+S1089BYMqKmhepps=
|
|
=srz3
|
|
-----END PGP PUBLIC KEY BLOCK-----
|
|
PUB_KEY
|
|
gpg_dir=$(mktemp -d)
|
|
GNUPGHOME=$gpg_dir gpg --no-tty --quiet --import $key
|
|
GNUPGHOME=$gpg_dir gpg --no-tty --quiet --command-fd 0 --edit-key F26D8A0AADF666CCB28F2AB1650EC3253B6A8FF5 << CMD
|
|
trust
|
|
4
|
|
quit
|
|
CMD
|
|
GNUPGHOME=$gpg_dir gpg --verify $signature_file
|
|
res=$?
|
|
rm -rf $gpg_dir $key
|
|
return $res
|
|
}
|
|
setvar() {
|
|
echo "Setting '$1' to '$2'"
|
|
echo "##vso[task.setvariable variable=$1;isOutput=true]$2"
|
|
}
|
|
next_in_rotation() {
|
|
awk '/^[^#]/ {print $0}' "$PROJ_DIR/release/rotation" | head -n 1
|
|
}
|
|
next_in_rotation_slack() {
|
|
next_in_rotation | awk '{print $1}'
|
|
}
|
|
next_in_rotation_github() {
|
|
next_in_rotation | awk '{print $2}'
|
|
}
|
|
trigger_azure() (
|
|
token=$1
|
|
shift
|
|
build=$1
|
|
shift
|
|
az extension add --name azure-devops
|
|
trap 'az devops logout' EXIT
|
|
echo $token \
|
|
| az devops login --org "https://dev.azure.com/digitalasset"
|
|
az pipelines build queue \
|
|
--definition-name $build \
|
|
--org "https://dev.azure.com/digitalasset" \
|
|
--project daml \
|
|
$@
|
|
)
|
|
|
|
END
|
|
echo "##vso[task.setvariable variable=${{parameters.var_name}}]$TMP"
|
|
displayName: install Bash lib
|
|
condition: always()
|