Commit 919d8a4a authored by Alexander Wellbrock's avatar Alexander Wellbrock

Merge branch 'develop' into 'main'

Add automated GPG signatures

See merge request !5
parents 5c703fa3 9b73b97d
......@@ -4,3 +4,4 @@
.cache/
.tmp/
grub.cfg
.COMMIT_FILE
......@@ -7,13 +7,21 @@ include:
stages:
- lint
- build
- ostree-test
- ostree-test:build-1
- ostree-test:build-2
- ostree-test:sign
- ostree-test:image
- ostree-test:delta
- tag
- release
variables:
CI_REGISTRY_IMAGE_VERSION: "0.3.9"
CI_REGISTRY_IMAGE_VERSION: "0.4.0"
CI_REGISTRY_IMAGE: "quay.io/os-forge/rpm-ostree-engine"
CI_OSTREE_REF_NAME: OSTreeBeard
CI_OSTREE_FILES: ./ostree-files
CI_OSTREE_SPEC: ostree.json
CI_OSTREE_TREECOMPOSE: treecompose-post.sh
shellcheck:
image: docker.io/library/fedora:33
......@@ -33,32 +41,152 @@ container-build-aarch64:
tags:
- aarch64
ostree-test:
stage: ostree-test
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-x86_64"
ostree-test:build-1:
extends: .build-ostree
inherit:
variables:
- CI_OSTREE_REF_NAME
- CI_OSTREE_FILES
- CI_OSTREE_SPEC
- CI_OSTREE_TREECOMPOSE
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
- CI_REGISTRY_IMAGE
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-aarch64"
stage: ostree-test:build-1
before_script:
- export OSTREE_REF="$(rpm-ostree-engine-ci-ref --name="OSTreeBeard")"
- export IMAGE_NAME="${OSTREE_REF//\//-}-$(date +%Y%m%d).raw"
# Prepare loop devices for image build
- for i in `seq 0 7`; do mknod /dev/loop$i b 7 $i || :; done
script:
# Test if ref is set correctly
- if [[ ! "$OSTREE_REF" =~ "OSTreeBeard/" ]] || [[ ! "$OSTREE_REF" =~ "/x86_64" ]]; then exit 1; fi
- mkdir -p /remote-storage/repo
- ostree --repo=/remote-storage/repo init --mode=archive
# Prepare test repo (shipped with container)
- mkdir -p ./test-repo
- cp -rv /resources/test/test-repo/* ./test-repo
- cd ./test-repo
- ln -s /resources/grub.cfg ./grub.cfg
- rpm-ostree-engine-build --ref="$OSTREE_REF" --ostree-files=ostree-files --spec="ostree.json"
- rpm-ostree-engine-image --ref="$OSTREE_REF" --output="$IMAGE_NAME" --mirror=./.deploy-repo
# Compress the Image
- xz -0 -T0 ./"$IMAGE_NAME"
- ls -lh
- cp -rv /resources/test/test-repo/* ./
after_script:
- rm ./.deploy-repo
- mv /remote-storage/repo ./.deploy-repo
cache:
key: "$CI_COMMIT_REF_SLUG"
policy: push
paths:
- ./.deploy-repo/
tags:
- aarch64
- selinux
- cache:openalchemist
ostree-test:build-2:
extends: .build-ostree
inherit:
variables:
- CI_OSTREE_REF_NAME
- CI_OSTREE_FILES
- CI_OSTREE_SPEC
- CI_OSTREE_TREECOMPOSE
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
- CI_REGISTRY_IMAGE
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-aarch64"
stage: ostree-test:build-2
before_script:
- mkdir /remote-storage
- mv ./.deploy-repo /remote-storage/repo
# Prepare test repo (shipped with container)
- cp -rv /resources/test/test-repo/* ./
after_script:
- rm ./.deploy-repo
- mv /remote-storage/repo ./.deploy-repo
cache:
key: "$CI_COMMIT_REF_SLUG"
policy: pull-push
paths:
- ./.deploy-repo/
tags:
- aarch64
- selinux
- cache:openalchemist
rules:
- if: $CI_COMMIT_REF_PROTECTED == "true"
ostree-test:sign:
extends: .sign-ostree
inherit:
variables:
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
- CI_REGISTRY_IMAGE
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-aarch64"
stage: ostree-test:sign
before_script:
- mkdir /remote-storage
- mv ./.deploy-repo /remote-storage/repo
after_script:
- rm ./.deploy-repo
- mv /remote-storage/repo ./.deploy-repo
cache:
key: "$CI_COMMIT_REF_SLUG"
policy: pull-push
paths:
- ./.deploy-repo/
tags:
- aarch64
- selinux
- cache:openalchemist
ostree-test:image:
extends: .build-image
inherit:
variables:
- CI_OSTREE_REF_NAME
- CI_REGISTRY_IMAGE
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-aarch64"
stage: ostree-test:image
before_script:
- mkdir /remote-storage
- mv ./.deploy-repo /remote-storage/repo
after_script:
# Test if compressed image exists
- if [ ! -e ./"$IMAGE_NAME".xz ]; then exit 1; fi
cache:
key: "$CI_COMMIT_REF_SLUG"
policy: pull
paths:
- ./.deploy-repo/
artifacts:
paths:
- ./*.raw.xz
expire_in: 1 day
tags:
- aarch64
- selinux
- cache:openalchemist
ostree-test:delta-aarch64:
extends: .build-deltas
inherit:
variables:
- CI_OSTREE_REF_NAME
- CI_REGISTRY_IMAGE
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
image: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-x86_64"
stage: ostree-test:delta
variables:
CI_OSTREE_REF_ARCH: aarch64
before_script:
- mkdir /remote-storage
- mv ./.deploy-repo /remote-storage/repo
cache:
key: "$CI_COMMIT_REF_SLUG"
policy: pull
paths:
- ./.deploy-repo/
tags:
- x86_64
- cache:openalchemist
rules:
- if: $CI_COMMIT_REF_PROTECTED == "true"
container-manifest:
stage: tag
......
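Review bot: The new `ostree-test:sign` job inherits `CI_GPG_KEY`, `CI_GPG_KEY_PASSPHRASE` and `CI_GPG_KEY_ID` but, unlike `ostree-test:build-2` and `ostree-test:delta-aarch64`, has no `rules:` entry limiting it to protected refs, so the signing job is scheduled for every branch pipeline. If those variables are not configured as protected in GitLab, any pipeline started from an unprotected branch receives the private signing key and its passphrase; if they are protected, the job runs with empty values and `ostree ... gpg-sign` fails on every non-protected ref instead of being skipped. Add the same guard the sibling jobs carry: `rules:` / `- if: $CI_COMMIT_REF_PROTECTED == "true"`. The same consideration applies to `ostree-test:build-1`, which also inherits the key variables without a rule; independently of the rules, the key-bearing variables should be marked protected and masked so they neither reach unprotected pipelines nor appear in job logs.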
......@@ -77,7 +77,7 @@ An example `.gitlab-ci.yml`:
```yaml
include:
- project: 'os-forge/rpm-ostree-engine'
ref: 'v0.3.9'
ref: 'v0.4.0'
file: 'gitlab-ci-template.yml'
variables:
......
stages:
- lint
- build
- sign
- image
- deltas
......@@ -24,18 +25,53 @@ stages:
- CI_SSHFS_PATH
- CI_SSHFS_PRIVATE_KEY
- CI_OSTREE_REF_NAME
- CI_OSTREE_FILES
- CI_OSTREE_SPEC
- CI_OSTREE_TREECOMPOSE
image: quay.io/os-forge/rpm-ostree-engine:0.3.9
- CI_OSTREE_BUILD_OPTIONS
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
image: quay.io/os-forge/rpm-ostree-engine:0.4.0
before_script:
- rpm-ostree-engine-mount sshfs --sshfs-target="$CI_SSHFS_TARGET" --sshfs-auth="$CI_SSHFS_AUTH" --sshfs-path="$CI_SSHFS_PATH" --sshfs-key="$(echo "$CI_SSHFS_PRIVATE_KEY" | tr -d '\r')"
script:
# Symlink CI mount points
- ln -s /remote-storage/repo ./.deploy-repo
- ln -s /cache ./.cache
# Setup GPG
- if [ "$CI_GPG_KEY" != "" ]; then cat "$CI_GPG_KEY" | gpg --batch --import; fi
# Build OSTree commit and image
- rpm-ostree-engine-build --ref="$(rpm-ostree-engine-ci-ref --name="$CI_OSTREE_REF_NAME")" --ostree-files="$CI_OSTREE_FILES" --spec="$CI_OSTREE_SPEC" --treecompose="$CI_OSTREE_TREECOMPOSE"
- rpm-ostree-engine-build --ref="$(rpm-ostree-engine-ci-ref --name="$CI_OSTREE_REF_NAME")" --gpg-key-id="$CI_GPG_KEY_ID" --gpg-key-passphrase="$CI_GPG_KEY_PASSPHRASE" "$CI_OSTREE_BUILD_OPTIONS"
after_script:
- sync
artifacts:
paths:
- ./.COMMIT_FILE
.sign-ostree:
stage: sign
inherit:
default: false
variables:
- CI_SSHFS_TARGET
- CI_SSHFS_AUTH
- CI_SSHFS_PATH
- CI_SSHFS_PRIVATE_KEY
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
image: quay.io/os-forge/rpm-ostree-engine:0.4.0
before_script:
# Mount remote repo storage
- rpm-ostree-engine-mount sshfs --sshfs-target="$CI_SSHFS_TARGET" --sshfs-auth="$CI_SSHFS_AUTH" --sshfs-path="$CI_SSHFS_PATH" --sshfs-key="$(echo "$CI_SSHFS_PRIVATE_KEY" | tr -d '\r')"
script:
# Symlink CI mount points
- ln -s /remote-storage/repo ./.deploy-repo
- ln -s /cache ./.cache
# Setup GPG
- if [ "$CI_GPG_KEY" != "" ]; then cat "$CI_GPG_KEY" | gpg --batch --import; fi
# Unlock the gpg key so it can be used in ostree later on
- if [ "$CI_GPG_KEY_PASSPHRASE" != "" ]; then echo "$CI_GPG_KEY_PASSPHRASE" | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s "$(mktemp)"; fi
# Build OSTree commit and image
- ostree --repo=./.deploy-repo gpg-sign "$(cat ./.COMMIT_FILE)" "$CI_GPG_KEY_ID"
after_script:
- sync
......@@ -50,7 +86,7 @@ stages:
- CI_SSHFS_PRIVATE_KEY
- CI_OSTREE_REF_NAME
- CI_OSTREE_REMOTE
image: quay.io/os-forge/rpm-ostree-engine:0.3.9
image: quay.io/os-forge/rpm-ostree-engine:0.4.0
before_script:
- rpm-ostree-engine-mount sshfs --sshfs-target="$CI_SSHFS_TARGET" --sshfs-auth="$CI_SSHFS_AUTH" --sshfs-path="$CI_SSHFS_PATH" --sshfs-key="$(echo "$CI_SSHFS_PRIVATE_KEY" | tr -d '\r')"
script:
......@@ -85,15 +121,21 @@ stages:
- CI_SSHFS_PATH
- CI_SSHFS_PRIVATE_KEY
- CI_OSTREE_REF_NAME
- CI_OSTREE_REF_BRANCH
- CI_OSTREE_REF_ARCH
image: quay.io/os-forge/rpm-ostree-engine:0.3.9
- CI_GPG_KEY
- CI_GPG_KEY_PASSPHRASE
- CI_GPG_KEY_ID
image: quay.io/os-forge/rpm-ostree-engine:0.4.0
before_script:
- rpm-ostree-engine-mount sshfs --sshfs-target="$CI_SSHFS_TARGET" --sshfs-auth="$CI_SSHFS_AUTH" --sshfs-path="$CI_SSHFS_PATH" --sshfs-key="$(echo "$CI_SSHFS_PRIVATE_KEY" | tr -d '\r')"
script:
- ostree --repo=./.deploy-repo static-delta generate "$CI_OSTREE_REF_NAME/stable/${CI_OSTREE_REF_ARCH:-$(rpm --eval %{_arch})}"
- ostree --repo=./.deploy-repo static-delta generate --from=$CI_OSTREE_REF_NAME/stable/${CI_OSTREE_REF_ARCH:-$(rpm --eval %{_arch})}^^ --to=$CI_OSTREE_REF_NAME/stable/${CI_OSTREE_REF_ARCH:-$(rpm --eval %{_arch})}
- ostree --repo=./.deploy-repo summary -u
# Symlink CI mount points
- ln -s /remote-storage/repo ./.deploy-repo
- ln -s /cache ./.cache
# Setup GPG
- if [ "$CI_GPG_KEY" != "" ]; then cat "$CI_GPG_KEY" | gpg --batch --import; fi
# Build deltas
- rpm-ostree-engine-delta --ref="$(rpm-ostree-engine-ci-ref --name="$CI_OSTREE_REF_NAME" --branch="$CI_OSTREE_REF_BRANCH" --arch="$CI_OSTREE_REF_ARCH")" --gpg-key-id="$CI_GPG_KEY_ID" --gpg-key-passphrase="$CI_GPG_KEY_PASSPHRASE"
after_script:
- sync
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
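Review bot: In `.build-ostree` the signing passphrase is now handed over as a command-line argument (`--gpg-key-passphrase="$CI_GPG_KEY_PASSPHRASE"`), and `.build-deltas` does the same in its `rpm-ostree-engine-delta` line; a secret on argv is readable by every process in the job container through the process list, and because `rpm-ostree-engine-build` enables `set -x` in this same commit before echoing the passphrase into `gpg`, the expanded value is also traced into the job log unless the variable happens to be configured as masked. Prefer passing the secret through the environment (the tools can fall back to a `GPG_PASSPHRASE` environment variable, keeping the flag for local use) and keep the shell trace off around the unlock. Separately, `"$CI_OSTREE_BUILD_OPTIONS"` is quoted as one word, so a value holding several options arrives as a single argv entry that falls into the script's `*)` branch and is silently ignored, while an empty value still passes an empty argument; either split it deliberately or keep passing the previous explicit `--ostree-files`/`--spec`/`--treecompose` flags, whose variables are still inherited at the top of the job but no longer used.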
#!/bin/sh
set -e
set -x
printUsage() {
echo "
rpm-ostree-engine build tool
Usage of $0:
$0 [--clean] [--gpg-key-id=KEYID]
Examples:
$0
$0 --clean --gpg-key-id=ABCDEF1234
$0 --ostree-files=ostree-files --spec=ostree.json --treecompose=treecomose-post.sh --name=nameIt --branch=develop
"
echo "rpm-ostree-engine build tool
Usage of $0:
$0 [--clean] [--ref=REF]
Options:
--clean Removes all temporary (hidden) directories.
--gpg-key-id=KEYID ID of GPG key to sign the commit.
--gpg-key-passphrase=PASSPHRASE Passphrase used to by-pass pinentry prompt.
--ref=REF OSTree ref. E.g. name/branch/arch
--treecompose=POSTPROCESS File path to script run in post-processing.
--spec=TREEFILE RPM-OSTree treefile.
--ostree-files=DIR Root configuration directory.
--source-branch=BRANCH Git branch of the source repository to use.
--source-url=URL A remote git repository URL to fedora IoT.
--help Show this message.
Examples:
$0
$0 --ref=OSTreeBeard/develop/x86_64
$0 --gpg-key-id=ABCDEF1234
$0 --gpg-key-id=ABCDEF1234 --gpg-key-passphrase=super-secret
$0 --ostree-files=ostree-files --spec=ostree.json --treecompose=treecomose-post.sh --ref=OSTreeBeard/develop/x86_64"
exit 1
}
......@@ -30,37 +39,49 @@ OSTREE_REF="OSTreeBeard/develop/$(rpm --eval "%{_arch}")"
for i in "$@"
do
case $i in
-c|--clean)
CLEAN="yes"
shift
;;
--gpg-key-id=*)
GPG_KEYID="${i#*=}"
shift
;;
--ostree-files=*)
OSTREE_FILES_DIR="${i#*=}"
shift
;;
--treecompose=*)
OSTREE_FILES_TREECOMPOSE="${i#*=}"
shift
;;
--spec=*)
OSTREE_FILE="${i#*=}"
shift
;;
--ref=*)
OSTREE_REF="${i#*=}"
shift
;;
-h|--help)
printUsage
shift
;;
*)
# further/unknown options
;;
-c|--clean)
CLEAN="yes"
shift
;;
--gpg-key-id=*)
GPG_KEYID="${i#*=}"
shift
;;
--gpg-key-passphrase=*)
GPG_PASSPHRASE="${i#*=}"
shift
;;
--ostree-files=*)
OSTREE_FILES_DIR="${i#*=}"
shift
;;
--treecompose=*)
OSTREE_FILES_TREECOMPOSE="${i#*=}"
shift
;;
--spec=*)
OSTREE_FILE="${i#*=}"
shift
;;
--ref=*)
OSTREE_REF="${i#*=}"
shift
;;
--source-branch=*)
SOURCE_BRANCH="${i#*=}"
shift
;;
--source-url=*)
SOURCE_URL="${i#*=}"
shift
;;
-h|--help)
printUsage
shift
;;
*)
# further/unknown options
;;
esac
done
......@@ -69,6 +90,9 @@ if [ "$(id -u)" != "0" ]; then
exit
fi
set -e
set -x
CACHE_DIR="$BASE_DIR/.cache"
BUILD_REPO="$BASE_DIR/.build-repo"
SOURCE_REPO="$BASE_DIR/.source-repo"
......@@ -125,9 +149,12 @@ fi
rpm-ostree compose tree --unified-core --cachedir="$CACHE_DIR" --repo="$BUILD_REPO" --write-commitid-to="$COMMIT_FILE" "$WK_DIR/$OSTREE_FILE"
if [ "$GPG_KEYID" != "" ]; then
ostree --repo="$BUILD_REPO" commit --gpg-sign="$GPG_KEYID" -b "$OSTREE_REF" -s "$COMMIT_SUBJECT" --tree=ref="$(cat "$COMMIT_FILE")"
if [ "$GPG_PASSPHRASE" != "" ]; then
echo "$GPG_PASSPHRASE" | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s "$(mktemp)"
fi
ostree --repo="$BUILD_REPO" commit --gpg-sign="$GPG_KEYID" -b "$OSTREE_REF" -s "$COMMIT_SUBJECT" --tree=ref="$(cat "$COMMIT_FILE")" > "./.COMMIT_FILE"
else
ostree --repo="$BUILD_REPO" commit -b "$OSTREE_REF" -s "$COMMIT_SUBJECT" --tree=ref="$(cat "$COMMIT_FILE")"
ostree --repo="$BUILD_REPO" commit -b "$OSTREE_REF" -s "$COMMIT_SUBJECT" --tree=ref="$(cat "$COMMIT_FILE")" > "./.COMMIT_FILE"
fi
ostree --repo="$DEPLOY_REPO" pull-local "$BUILD_REPO" "$OSTREE_REF"
......
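Review bot: With `set -x` enabled a few lines earlier (right after the root check), the unlock step `echo "$GPG_PASSPHRASE" | gpg --batch ... --passphrase-fd 0 ...` prints the expanded passphrase to stderr, which in CI ends up in the job log; the passphrase is also exposed in the process list for the script's lifetime because it arrives as `--gpg-key-passphrase=`. Disable tracing around the unlock, e.g. `set +x` / `printf '%s\n' "$GPG_PASSPHRASE" | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s "$(mktemp)"` / `set -x` (printf also avoids `echo` mangling a passphrase that begins with `-n` or `-e`), and consider reading the passphrase from the environment or a file instead of an argument. The new redirections write the commit id to `./.COMMIT_FILE` relative to the current directory while the rest of the script anchors paths on `$BASE_DIR`; if the script changes directory before this point (not visible in the hunk), the artifact path `./.COMMIT_FILE` collected by the CI template may not match, so `"$BASE_DIR/.COMMIT_FILE"` would be the safer target.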
......@@ -3,31 +3,35 @@
set -e
printUsage() {
echo "
rpm-ostree-engine CI ref helper
echo "rpm-ostree-engine CI ref helper
Set's branch to 'stable' if invoked in main-branch pipeline,
'develop' otherwise. Uses build machines arch for last part.
The resulting OSTree ref is <name>/<branch>/<arch>.
Set's branch to 'stable' if invoked in main-branch pipeline,
'develop' otherwise. Uses build machines arch for last part.
The resulting OSTree ref is <name>/<branch>/<arch>.
Usage of $0:
$0 [--name=*] [--branch=*]
Usage of $0:
$0 --name=* [--branch=*] [--arch=*]
Examples:
$0
$0 [--name=OStreeBeard] [--branch=develop]
$0 [--name=OStreeBeard]
Options:
--name ref name (mandatory)
--branch one of 'develop' or 'stable' if left unspecified
--arch host architecture if unspecified
Output:
OSTreeBeard/develop/x86_64
OSTreeBeard/your-ci-branch/aarch64
"
Examples:
$0
$0 [--name=OStreeBeard]
$0 [--name=OStreeBeard] [--branch=develop]
$0 [--name=OStreeBeard] [--branch=develop] [--arch=aarch64]
Output:
OSTreeBeard/develop/x86_64
OSTreeBeard/your-ci-branch/aarch64"
exit 1
}
OSTREE_REF_NAME="OStreeBeard"
OSTREE_REF_BRANCH="develop"
OSTREE_REF_ARCH="$(rpm --eval "%{_arch}")"
OSTREE_REF_NAME=""
OSTREE_REF_BRANCH=""
OSTREE_REF_ARCH=""
for i in "$@"
do
......@@ -40,6 +44,10 @@ case $i in
OSTREE_REF_BRANCH="${i#*=}"
shift
;;
--arch=*)
OSTREE_REF_ARCH="${i#*=}"
shift
;;
-h|--help)
printUsage
shift
......@@ -50,11 +58,24 @@ case $i in
esac
done
# Set proper reference
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ] && [ "$CI_COMMIT_BRANCH" != "" ]; then
OSTREE_REF_BRANCH=stable
elif [ "$CI_COMMIT_BRANCH" != "" ]; then
OSTREE_REF_BRANCH="$CI_COMMIT_REF_SLUG"
if [ "$OSTREE_REF_NAME" = "" ]; then
echo "Error: please specify a name for your ostree ref"
printUsage
fi
# Set proper branch
if [ "$OSTREE_REF_BRANCH" = "" ]; then
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ] && [ "$CI_COMMIT_BRANCH" != "" ]; then
OSTREE_REF_BRANCH=stable
elif [ "$CI_COMMIT_BRANCH" != "" ]; then
OSTREE_REF_BRANCH="$CI_COMMIT_REF_SLUG"
else
OSTREE_REF_BRANCH="develop"
fi
fi
if [ "$OSTREE_REF_ARCH" = "" ]; then
OSTREE_REF_ARCH="$(rpm --eval "%{_arch}")"
fi
echo "$OSTREE_REF_NAME/$OSTREE_REF_BRANCH/$OSTREE_REF_ARCH"
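Review bot: The new mandatory-name check writes `Error: please specify a name for your ostree ref` and the usage text to stdout, but this helper is invoked by the CI template only through command substitution (`--ref="$(rpm-ostree-engine-ci-ref --name=...)"`), so with an empty `CI_OSTREE_REF_NAME` the whole error and usage block becomes the value of `--ref` and the caller carries on; under `set -e` the non-zero status of a substitution used as an argument does not stop the surrounding command. Send diagnostics to stderr so stdout stays a clean ref string: `echo "Error: please specify a name for your ostree ref" >&2`, and in `printUsage` redirect the usage `echo` with `>&2` as well (exit status unchanged). Since `printUsage` is also reached from `-h|--help`, this keeps help output out of any captured ref too.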
#!/bin/bash
printUsage() {
echo "rpm-ostree-engine delta tool
Usage of $0:
$0 [--gpg-key-id=KEYID] [--gpg-key-passphrase=PASSPHRASE] [--ref=REF] [--repo=PATH]
Options:
--gpg-key-id=KEYID ID of GPG key to sign the commit.
--gpg-key-passphrase=PASSPHRASE Passphrase used to by-pass pinentry prompt.
--ref=REF OSTree ref. E.g. name/branch/arch
--repo=PATH Path to the rpm-ostree repository
--help Show this message.
Examples:
$0
$0 --ref=OSTreeBeard/develop/x86_64
$0 --ref=OSTreeBeard/develop/x86_64 --gpg-key-id=ABCDEF1234
$0 --ref=OSTreeBeard/develop/x86_64 --gpg-key-id=ABCDEF1234 --gpg-key-passphrase=super-secret
$0 --ref=OSTreeBeard/develop/x86_64 --repo=/path/to/repo"
exit 1
}
BASE_DIR=$(pwd)
REPO="$BASE_DIR/.deploy-repo"
EXTRA_OPTIONS=()
OSTREE_REF="OSTreeBeard/develop/$(rpm --eval "%{_arch}")"
for i in "$@"
do
case $i in
--gpg-key-id=*)
GPG_KEYID="${i#*=}"
shift
;;
--gpg-key-passphrase=*)
GPG_PASSPHRASE="${i#*=}"
shift
;;
--ref=*)
OSTREE_REF="${i#*=}"
shift
;;
--repo=*)
REPO="${i#*=}"
shift
;;
-h|--help)
printUsage
shift
;;
*)
# further/unknown options
;;
esac
done
if [ "$(id -u)" != "0" ]; then
echo "Please run build with sudo"
exit
fi
set -e
set -x
if [ "$GPG_KEYID" != "" ]; then
EXTRA_OPTIONS+=("--gpg-sign=$GPG_KEYID")
if [ "$GPG_PASSPHRASE" != "" ]; then
echo "$GPG_PASSPHRASE" | gpg --batch --always-trust --yes --passphrase-fd 0 --pinentry-mode=loopback -s "$(mktemp)"
fi
fi
if ostree --repo="$REPO" show "$OSTREE_REF" | grep "Parent"; then
ostree --repo="$REPO" static-delta generate "$OSTREE_REF"
else
echo "Main ref has no parent. No deltas generated."
fi
if ostree --repo="$REPO" show "$OSTREE_REF"^^ | grep "Parent"; then