From c1075d63b94006165d96e344817a0cd8774772fe Mon Sep 17 00:00:00 2001
From: Daniel Fox
Date: Wed, 27 Mar 2024 09:21:50 -0700
Subject: [PATCH] Clean up release promotions [cp #8657]
---
 .semaphore/release/release.yml | 95 ++++++++++++++++++++++++----------
 1 file changed, 67 insertions(+), 28 deletions(-)
diff --git a/.semaphore/release/release.yml b/.semaphore/release/release.yml
index 4b6430b8aeb..f70d94fb29b 100644
--- a/.semaphore/release/release.yml
+++ b/.semaphore/release/release.yml
@@ -2,32 +2,44 @@ version: v1.0
 name: Publish official release
 agent:
 machine:
- type: f1-standard-2
+ type: f1-standard-4
 os_image: ubuntu2004
 execution_time_limit:
- minutes: 600
+ minutes: 800
 blocks:
 - name: "Publish official release"
+ dependencies: []
 skip:
 # Only run on branches, not PRs.
 when: "branch !~ '.+'"
 task:
 secrets:
- - name: quay-robot-calico+semaphoreci
- - name: docker
- - name: oss-release-secrets
- - name: google-service-account-for-gce
- - name: openstack-signing-publishing
+ - name: quay-robot-calico+semaphoreci
+ - name: docker
+ - name: oss-release-secrets
+ - name: google-service-account-for-gce
+ - name: openstack-signing-publishing
 prologue:
 commands:
 # Load the github access secrets. First fix the permissions.
 - chmod 0600 /home/semaphore/.keys/git_ssh_rsa
 - ssh-add /home/semaphore/.keys/git_ssh_rsa
+ # For some reason, /mnt is 100 GB and has a qemu-nbd image file.
+ # Let's delete it and use it for our own purposes (building calico
+ # without running out of space)
+ - sudo killall qemu-nbd || true
+ - sudo rm -f /mnt/docker.qcow2
+ - sudo chown $(id -u):$(id -g) /mnt/
+ - mkdir calico
+ - sudo mount --bind /mnt calico
 # Checkout the code and unshallow it.
+ # (this is going to throw an error because it can't remove
+ # the `calico` directory, which is a mount, but it will
+ # continue anyway)
 - checkout
- - retry git fetch --unshallow
+ - retry git fetch --quiet --unshallow
 # Semaphore mounts a copy-on-write FS as /var/lib/docker in order to provide a pre-loaded cache of
 # some images. However, the cache is not useful to us and the copy-on-write FS is a big problem given
 # how much we churn docker containers during the build. Disable it.
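Review bot: The `secrets` list of the "Publish official release" block, re-indented in this hunk, still mounts `openstack-signing-publishing` although OpenStack packaging now runs in its own block with its own copy of all five secrets (second hunk), so the package-signing key is exposed to a job that presumably no longer uses it. If `make release` / `release-publish` do not sign packages, drop that entry here, and likewise check whether the new OpenStack block needs the `docker` and quay registry credentials it also mounts. Separately, the new `mkdir calico` / `sudo mount --bind /mnt calico` steps depend on `checkout` erroring partway and continuing, as the added comment says; if Semaphore's `checkout` does not abort the job on that error, other checkout failures are masked too, so it is worth confirming that `retry git fetch --quiet --unshallow` fails loudly in that case rather than on a stale tree.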
@@ -39,35 +51,62 @@ blocks:
 # Log in to container registries needed for release.
 - echo $DOCKER_TOKEN | docker login --username "$DOCKER_USER" --password-stdin
 - echo $QUAY_TOKEN | docker login --username "$QUAY_USER" --password-stdin quay.io
- # Credentials for accessing gcloud, needed to create a GCP VM.
- - export GOOGLE_APPLICATION_CREDENTIALS=$HOME/secrets/secret.google-service-account-key.json
+ # Credentials for accessing gcloud, needed to push images to gcr
+ - export GOOGLE_APPLICATION_CREDENTIALS=$HOME/secrets/gcr-credentials.json
 - gcloud auth activate-service-account --key-file=${GOOGLE_APPLICATION_CREDENTIALS}
+ # Manually log in to GCR until we can test the gcr credentials helper
+ - cat ${GOOGLE_APPLICATION_CREDENTIALS} | docker login -u _json_key --password-stdin https://gcr.io
+ - cat ${GOOGLE_APPLICATION_CREDENTIALS} | docker login -u _json_key --password-stdin https://eu.gcr.io
+ - cat ${GOOGLE_APPLICATION_CREDENTIALS} | docker login -u _json_key --password-stdin https://asia.gcr.io
+ - cat ${GOOGLE_APPLICATION_CREDENTIALS} | docker login -u _json_key --password-stdin https://us.gcr.io
 jobs:
- - name: "Release on GCP VM"
+ - name: "Release on Semaphore VM"
 execution_time_limit:
- minutes: 180
+ minutes: 360
 env_vars:
 - name: VAR_FILE
 value: /home/semaphore/secrets/release.tfvars
 commands:
- - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make GIT_BRANCH=${SEMAPHORE_GIT_BRANCH} -C hack/release apply; fi
- - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make GIT_BRANCH=${SEMAPHORE_GIT_BRANCH} -C hack/release release; fi
- - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make GIT_BRANCH=${SEMAPHORE_GIT_BRANCH} -C hack/release release-publish; fi
- - name: "Build Openstack Packages"
- execution_time_limit:
- minutes: 60
- env_vars:
- - name: SECRET_KEY
- value: /home/semaphore/secrets/launchpad-gpg-key-dfox.key
- - name: GCLOUD_ARGS
- value: --zone us-east1-c --project tigera-wp-tcp-redirect
- - name: HOST
- value: ubuntu@binaries-projectcalico-org
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make GIT_BRANCH=${SEMAPHORE_GIT_BRANCH} release; fi
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make GIT_BRANCH=${SEMAPHORE_GIT_BRANCH} release-publish; fi
+ - name: "Build Openstack Packages"
+ dependencies: ["Publish official release"]
+ skip:
+ when: "branch !~ '.+'"
+ task:
+ secrets:
+ - name: quay-robot-calico+semaphoreci
+ - name: docker
+ - name: oss-release-secrets
+ - name: google-service-account-for-gce
+ - name: openstack-signing-publishing
+ prologue:
 commands:
+ # Load the github access secrets. First fix the permissions.
+ - chmod 0600 /home/semaphore/.keys/git_ssh_rsa
+ - ssh-add /home/semaphore/.keys/git_ssh_rsa
+ # Checkout the code and unshallow it.
+ - checkout
+ # Free up space on the build machine.
+ - sudo rm -rf ~/.kiex ~/.phpbrew ~/.rbenv ~/.nvm ~/.kerl ~/.sbt ~/.npm /usr/lib/jvm /opt/firefox* /opt/apache-maven* /opt/scala /usr/local/golang
+ # Install more tools
 - sudo apt update
- - sudo apt install -y moreutils
- - make publish-openstack
+ - sudo apt install -y moreutils patchelf
+ jobs:
+ - name: "Build Openstack Packages"
+ execution_time_limit:
+ minutes: 60
+ env_vars:
+ - name: SECRET_KEY
+ value: /home/semaphore/secrets/launchpad-gpg-key-dfox.key
+ - name: GCLOUD_ARGS
+ value: --zone us-east1-c --project tigera-wp-tcp-redirect
+ - name: HOST
+ value: ubuntu@binaries-projectcalico-org
+ commands:
+ - if [ -z "${SEMAPHORE_GIT_PR_NUMBER}" ]; then make publish-openstack; fi
 epilogue:
 always:
 commands:
- - make VAR_FILE=/home/semaphore/secrets/release.tfvars -C hack/release destroy
+ - test -d hack/release/packaging/output && mv -v hack/release/packaging/output hack/release/packaging/openstack
+ - artifact push workflow hack/release/packaging/openstack
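Review bot: In the new `epilogue.always` commands at the end of the hunk, `test -d hack/release/packaging/output && mv -v …` exits non-zero whenever the output directory is absent (for instance when `make publish-openstack` failed early), and the following `artifact push workflow hack/release/packaging/openstack` then runs against a path that does not exist, so the epilogue itself fails on top of the original error. Guard both steps so the epilogue is a no-op when there is nothing to collect: `- if [ -d hack/release/packaging/output ]; then mv -v hack/release/packaging/output hack/release/packaging/openstack; fi` and `- if [ -d hack/release/packaging/openstack ]; then artifact push workflow hack/release/packaging/openstack; fi`. Separately, `GOOGLE_APPLICATION_CREDENTIALS` now points at `$HOME/secrets/gcr-credentials.json` while the block's secrets list is unchanged; which mounted secret provides that file is not visible here, so confirm it exists before the four `docker login … gcr.io` steps depend on it.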