CL-Softwares
/
telegraf
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: implement remote artifact signing (#13066)

This commit is contained in:
Brandon Pfeifer 2023-04-10 16:14:10 -04:00 committed by GitHub
parent 82e25a6071
commit c4fcaa7f35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 73 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
.circleci/config.yml
View File

@ -379,6 +379,21 @@ jobs:
--include "*.rpm" \ --include "*.rpm" \
--include "*.zip" \ --include "*.zip" \
--acl public-read --acl public-read
release:
executor: telegraf-ci
steps:
- attach_workspace:
at: '/build'
- run:
command: |
aws s3 sync /build/dist s3://dl.influxdata.com/telegraf/releases/ \
--exclude "*" \
--include "*.deb" \
--include "*.rpm" \
--include "*.tar.gz" \
--include "*.zip" \
--include "*.asc" \
--acl public-read
docker-nightly: docker-nightly:
machine: machine:
image: ubuntu-2004:current image: ubuntu-2004:current
@ -481,6 +496,38 @@ jobs:
PR=${CIRCLE_PULL_REQUEST##*/} PR=${CIRCLE_PULL_REQUEST##*/}
printf -v payload '{ "pullRequestNumber": "%s" }' "$PR" printf -v payload '{ "pullRequestNumber": "%s" }' "$PR"
curl -X POST "https://182c7jdgog.execute-api.us-east-1.amazonaws.com/prod/shareArtifacts" --data "$payload" curl -X POST "https://182c7jdgog.execute-api.us-east-1.amazonaws.com/prod/shareArtifacts" --data "$payload"
package-sign-linux:
circleci_ip_ranges: true
docker:
- image: quay.io/influxdb/rsign:latest
auth:
username: $QUAY_RSIGN_USERNAME
password: $QUAY_RSIGN_PASSWORD
steps:
- add_ssh_keys:
fingerpints:
- 3b:c0:fe:a0:8a:93:33:69:de:22:ac:20:a6:ed:6b:e5
- attach_workspace:
at: .
- run: |
for target in ./dist/*
do
case "${target}"
in
# rsign is shipped on Alpine Linux which uses "busybox ash" instead
# of bash. ash is somewhat more posix compliant and is missing some
# extensions and niceties from bash.
*.deb|*.rpm|*.tar.gz|*.zip)
rsign "${target}"
;;
esac
done
- persist_to_workspace:
root: ./
paths:
- dist
- store_artifacts:
path: ./dist
workflows: workflows:
version: 2 version: 2
@ -656,6 +703,23 @@ workflows:
only: /.*/ only: /.*/
branches: branches:
ignore: /.*/ ignore: /.*/
- 'package-sign-linux':
requires:
- 'i386-package'
- 'ppc64le-package'
- 'riscv64-package'
- 's390x-package'
- 'armel-package'
- 'amd64-package'
- 'mipsel-package'
- 'mips-package'
- 'arm64-package'
- 'armhf-package'
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- 'package-consolidate': - 'package-consolidate':
requires: requires:
- 'i386-package' - 'i386-package'
@ -670,12 +734,20 @@ workflows:
- 'riscv64-package' - 'riscv64-package'
- 'package-sign-mac' - 'package-sign-mac'
- 'package-sign-windows' - 'package-sign-windows'
- 'package-sign-linux'
filters:
tags:
only: /.*/
branches:
ignore: /.*/
- 'release':
requires:
- 'package-consolidate'
filters: filters:
tags: tags:
only: /.*/ only: /.*/
branches: branches:
ignore: /.*/ ignore: /.*/
nightly: nightly:
when: when:
equal: [ scheduled_pipeline, << pipeline.trigger_source >> ] equal: [ scheduled_pipeline, << pipeline.trigger_source >> ]