daml/azure-cron.yml
Moritz Kiefer bf39f4890c
Upgrade vsce and markdown-it (#12431)
This upgrades vsce to the latest version and also markdown-it which is
unfortunately still pinned to an older version with a vulnerability.

There are some minor changes required to our invocations of vsce. I
tried to test this locally up to the point where it fails due to me
not having a token. We’ll only fully see it working after the next
stable release unfortunately.

changelog_begin
changelog_end
2022-01-17 13:40:42 +00:00

202 lines
8.5 KiB
YAML

# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# Azure Pipelines file, see https://aka.ms/yaml
# Do not run on PRs
pr: none
# Do not run on merge to main
trigger: none
# Do run on a schedule (hourly)
#
# This is currently (2019-08-15) broken on Azure for GitHub-hosted repos. It
# does, however, work as expected for Azure-hosted repos. As a workaround, we
# have created a repo inside Azure that contains an `azure-pipelines.yml` file
# that just triggers this job.
#
# When the situation is resolved, delete that repo in Azure and uncomment the
# following. In the meantime, this should stay commented so we avoid running
# jobs twice when Azure fixes this issue.
#schedules:
#- cron: "0 * * * *"
# displayName: hourly cron
# branches:
# include:
# - main
# always: true
jobs:
- job: docs
timeoutInMinutes: 120
pool:
name: 'ubuntu_20_04'
demands: assignment -equals default
steps:
- checkout: self
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade assist)"
bazel build //ci/cron:cron
./bazel-bin/ci/cron/cron docs
env:
AWS_ACCESS_KEY_ID: $(AWS_ACCESS_KEY_ID)
AWS_SECRET_ACCESS_KEY: $(AWS_SECRET_ACCESS_KEY)
- template: ci/tell-slack-failed.yml
- job: docker_image
timeoutInMinutes: 60
pool:
name: 'ubuntu_20_04'
demands: assignment -equals default
steps:
- checkout: self
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade-assist)"
HEAD=$(git rev-parse HEAD)
while ! nix-build --no-out-link -A tools.sed -A tools.jq -A tools.curl -A tools.base64 nix; do :; done
trap 'rm -rf ~/.docker' EXIT
echo $DOCKER_PASSWORD | docker login --username $DOCKER_LOGIN --password-stdin
echo $DOCKER_CONTENT_TRUST_KEY | base64 -d > ~/.docker/da_automation.key
chmod 600 ~/.docker/da_automation.key
docker trust key load ~/.docker/da_automation.key --name $DOCKER_CONTENT_TRUST_USERNAME
RELEASES=$(curl https://api.github.com/repos/digital-asset/daml/releases -sSfL | jq -r '.[] | .tag_name')
DIR=$(pwd)
VERSIONS=$(curl 'https://hub.docker.com/v2/repositories/digitalasset/daml-sdk/tags/?page_size=10000' -sSfL)
# Our docker tags should be stable. Therefore, we only build the image if it has not already
# been built before and we checkout the Dockerfile for the release tag.
# We do not update docker images for older releases so only docker images for SDK releases
# >= 0.13.43 are built this way.
for version in $(echo $RELEASES | sed -e 's/ /\n/g'); do
LAST_UPDATE=$(echo $VERSIONS | jq -r '.results[] | select(.name == "'${version#v}'") | .last_updated')
if [[ -n "$LAST_UPDATE" ]]; then
echo "${version#v} already exists, skipping."
else
echo "Building version ${version#v}..."
git checkout "$version"
cd ci/docker/daml-sdk
docker build -t digitalasset/daml-sdk:${version#v} --build-arg VERSION=${version#v} .
# Despite the name not suggesting it at all, this actually signs
# _and pushes_ the image; see
# https://docs.docker.com/engine/security/trust/#signing-images-with-docker-content-trust
docker trust sign digitalasset/daml-sdk:${version#v}
cd "$DIR"
git checkout $HEAD
echo "Done."
fi
done
env:
DOCKER_LOGIN: $(DOCKER_LOGIN)
DOCKER_PASSWORD: $(DOCKER_PASSWORD)
DOCKER_CONTENT_TRUST_KEY: $(DOCKER_CONTENT_TRUST_KEY)
DOCKER_CONTENT_TRUST_USERNAME: $(DOCKER_CONTENT_TRUST_USERNAME)
# Does not appear explicitly in the script, but is used by
# docker trust key load
DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE: $(DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE)
- template: ci/tell-slack-failed.yml
- job: vscode_marketplace
timeoutInMinutes: 10
pool:
name: 'ubuntu_20_04'
demands: assignment -equals default
steps:
- checkout: self
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade-assist)"
AUTH=$(echo -n "OAuth:${MARKETPLACE_TOKEN}" | base64 -w0)
MARKET=$(curl -H "Authorization: Basic $AUTH" \
-H "Accept: application/json;api-version=5.0-preview.2" \
-sSfL \
"https://marketplace.visualstudio.com/_apis/gallery/publishers/DigitalAssetHoldingsLLC/extensions/daml?flags=1" \
| jq -r '.versions[0].version')
# This jq expression should ensure that we always upload the
# highest-number version. Here is how this works:
#
# 1. The GitHub API documentation does not specify the order for the
# "list releases" endpoint, but does specify that the "latest"
# endpoint returns the release that points to the most recent commit.
# Assuming the same sort order is applied for the list endpoint
# (which empirically seems to hold so far), this means that they may
# be out-of-order wrt version numbers, e.g. 1.1.0 may appear after
# 1.0.2.
# 2. The `.tag_name | .[1:] | split (".") | map(tonumber)` part will
# turn "v1.0.2" into an array [1, 0, 2].
# 3. jq documents its sort method to sort numbers in numeric order
# and arrays in lexical order (ascending in both cases).
#
# This is required because, while the VSCode Marketplace does show
# _a_ version number, it doesn't handle versions at all: we can only
# have one version on the marketplace at any given time, and any
# upload replaces the existing version.
GITHUB=$(curl https://api.github.com/repos/digital-asset/daml/releases -sSfL \
| jq -r '. | map(select(.prerelease == false)
| .tag_name
| .[1:]
| split (".")
| map(tonumber))
| sort
| reverse
| .[0]
| map(tostring)
| join(".")')
if [[ "$GITHUB" != "$MARKET" ]] && git merge-base --is-ancestor 798e96c9b9034eac85ace786b9e1955cf380285c v$GITHUB; then
echo "Publishing $GITHUB to VSCode Marketplace"
git checkout v$GITHUB
cp LICENSE compiler/daml-extension
trap "rm -rf $PWD/compiler/daml-extension/LICENSE" EXIT
cd compiler/daml-extension
sed -i "s/__VERSION__/$GITHUB/" package.json
# This produces out/src/extension.js
bazel run --run_under="cd $PWD &&" @nodejs//:yarn install
bazel run --run_under="cd $PWD &&" @nodejs//:yarn compile
bazel run --run_under="cd $PWD && " @daml_extension_deps//vsce/bin:vsce -- publish --yarn $GITHUB -p $MARKETPLACE_TOKEN
else
if [[ "$GITHUB" == "$MARKET" ]]; then
echo "Version on marketplace is already the latest ($GITHUB)."
else
echo "Latest version is not ready for marketplace publication."
fi
fi
env:
MARKETPLACE_TOKEN: $(VSCODE_MARKETPLACE_TOKEN)
- template: ci/tell-slack-failed.yml
- job: download_stats
timeoutInMinutes: 10
pool:
name: "ubuntu_20_04"
demands: assignment -equals default
steps:
- checkout: self
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade-assist)"
STATS=$(mktemp)
curl https://api.github.com/repos/digital-asset/daml/releases -sSfL | gzip -9 > $STATS
GCS_KEY=$(mktemp)
cleanup () {
rm -f $GCS_KEY
}
trap cleanup EXIT
echo "$GOOGLE_APPLICATION_CREDENTIALS_CONTENT" > $GCS_KEY
gcloud auth activate-service-account --key-file=$GCS_KEY
BOTO_CONFIG=/dev/null gsutil cp $STATS gs://daml-data/downloads/$(date -u +%Y%m%d_%H%M%SZ).json.gz
env:
GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
- template: ci/tell-slack-failed.yml