feat: implement remote artifact signing (#13066)

2023-04-10 16:14:10 -04:00 · 2023-04-10 16:14:10 -04:00 · c4fcaa7f35
parent 82e25a6071
commit c4fcaa7f35
1 changed files with 73 additions and 1 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -379,6 +379,21 @@ jobs:
              --include "*.rpm" \
              --include "*.zip" \
              --acl public-read
+  release:
+    executor: telegraf-ci
+    steps:
+      - attach_workspace:
+          at: '/build'
+      - run:
+          command: |
+            aws s3 sync /build/dist s3://dl.influxdata.com/telegraf/releases/ \
+              --exclude "*" \
+              --include "*.deb" \
+              --include "*.rpm" \
+              --include "*.tar.gz" \
+              --include "*.zip" \
+              --include "*.asc" \
+              --acl public-read
  docker-nightly:
    machine:
      image: ubuntu-2004:current
@ -481,6 +496,38 @@ jobs:
            PR=${CIRCLE_PULL_REQUEST##*/}
            printf -v payload '{ "pullRequestNumber": "%s" }' "$PR"
            curl -X POST "https://182c7jdgog.execute-api.us-east-1.amazonaws.com/prod/shareArtifacts" --data "$payload"
+  package-sign-linux:
+    circleci_ip_ranges: true
+    docker:
+      - image: quay.io/influxdb/rsign:latest
+        auth:
+          username: $QUAY_RSIGN_USERNAME
+          password: $QUAY_RSIGN_PASSWORD
+    steps:
+      - add_ssh_keys:
+          fingerpints:
+            - 3b:c0:fe:a0:8a:93:33:69:de:22:ac:20:a6:ed:6b:e5
+      - attach_workspace:
+          at: .
+      - run: |
+          for target in ./dist/*
+          do
+            case "${target}"
+            in
+              # rsign is shipped on Alpine Linux which uses "busybox ash" instead
+              # of bash. ash is somewhat more posix compliant and is missing some
+              # extensions and niceties from bash.
+              *.deb|*.rpm|*.tar.gz|*.zip)
+                rsign "${target}"
+              ;;
+            esac
+          done
+      - persist_to_workspace:
+          root: ./
+          paths:
+            - dist
+      - store_artifacts:
+          path: ./dist

 workflows:
  version: 2
@ -656,6 +703,23 @@ workflows:
                only: /.*/
              branches:
                ignore: /.*/
+      - 'package-sign-linux':
+          requires:
+            - 'i386-package'
+            - 'ppc64le-package'
+            - 'riscv64-package'
+            - 's390x-package'
+            - 'armel-package'
+            - 'amd64-package'
+            - 'mipsel-package'
+            - 'mips-package'
+            - 'arm64-package'
+            - 'armhf-package'
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
      - 'package-consolidate':
           requires:
            - 'i386-package'
@ -670,12 +734,20 @@ workflows:
            - 'riscv64-package'
            - 'package-sign-mac'
            - 'package-sign-windows'
+            - 'package-sign-linux'
           filters:
            tags:
              only: /.*/
            branches:
              ignore: /.*/
-
+      - 'release':
+          requires:
+            - 'package-consolidate'
+          filters:
+            tags:
+              only: /.*/
+            branches:
+              ignore: /.*/
  nightly:
    when:
      equal: [ scheduled_pipeline, << pipeline.trigger_source >> ]