diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml index c6fcd8a29e762..367e6d3b6a7e5 100644 --- a/.azure-pipelines/pipelines.yml +++ b/.azure-pipelines/pipelines.yml @@ -16,11 +16,13 @@ variables: value: true - name: isMain value: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')] -- name: isRelease +- name: isReleaseBranch value: $[startsWith(variables['Build.SourceBranch'], 'refs/heads/release/v')] +- name: isTaggedRelease + value: $[startsWith(variables['Build.SourceBranch'], 'refs/tags/v')] - name: isStableBranch # A release branch can be either `main` or a `release/v1.x` stable branch - value: $[or(eq(variables['isMain'], 'true'), eq(variables['isRelease'], 'true'))] + value: $[or(eq(variables['isMain'], 'true'), eq(variables['isReleaseBranch'], 'true'))] stages: - stage: precheck 
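Review bot: `isTaggedRelease` needs a comment like the one on `isStableBranch`, because it is a prefix match and is the only condition on the `assets` job, which is handed the maintainer signing key in the next hunk. Suggested line between its `name:` and `value:`: `# True for any ref under refs/tags/v (prefix match, not a version check); gates signing and upload of release assets`. The rename of `isRelease` is applied to `isStableBranch` here; any other reference outside the visible hunks would need the same change, since the old name is no longer defined.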
@@ -502,6 +504,67 @@ stages: env: GITHUB_TOKEN: $(GitHubPublicRepoOnlyAccessToken) + - job: assets + dependsOn: [] + condition: eq(variables['isTaggedRelease'], 'true') + pool: + vmImage: "ubuntu-20.04" + steps: + - task: DownloadBuildArtifacts@0 + inputs: + buildType: current + artifactName: "bazel.release" + itemPattern: "bazel.release/envoy_binary.tar.gz" + downloadType: single + targetPath: $(Build.StagingDirectory) + - task: DownloadBuildArtifacts@0 + inputs: + buildType: current + artifactName: "bazel.release" + itemPattern: "bazel.release/envoy-contrib_binary.tar.gz" + downloadType: single + targetPath: $(Build.StagingDirectory) + - task: DownloadBuildArtifacts@0 + inputs: + buildType: current + artifactName: "bazel.release.arm64" + itemPattern: "bazel.release.arm64/envoy_binary.tar.gz" + downloadType: single + targetPath: $(Build.StagingDirectory) + - task: DownloadBuildArtifacts@0 + inputs: + buildType: current + artifactName: "bazel.release.arm64" + itemPattern: "bazel.release.arm64/envoy-contrib_binary.tar.gz" + downloadType: single + targetPath: $(Build.StagingDirectory) + - bash: | + set -e + + VERSION="$(cat VERSION.txt)" + + mkdir -p linux/amd64 linux/arm64 publish + + # linux/amd64 + tar zxf $(Build.StagingDirectory)/bazel.release/envoy_binary.tar.gz -C ./linux/amd64 + tar zxf $(Build.StagingDirectory)/bazel.release/envoy-contrib_binary.tar.gz -C ./linux/amd64 + cp -a linux/amd64/build_envoy_release_stripped/envoy "publish/envoy-${VERSION}-linux-x86_64" + cp -a linux/amd64/build_envoy-contrib_release_stripped/envoy "publish/envoy-contrib-${VERSION}-linux-x86_64" + + # linux/arm64 + tar zxf $(Build.StagingDirectory)/bazel.release.arm64/envoy_binary.tar.gz -C ./linux/arm64 + tar zxf $(Build.StagingDirectory)/bazel.release.arm64/envoy-contrib_binary.tar.gz -C ./linux/arm64 + cp -a linux/arm64/build_envoy_release_stripped/envoy "publish/envoy-${VERSION}-linux-aarch_64" + cp -a linux/arm64/build_envoy-contrib_release_stripped/envoy 
"publish/envoy-contrib-${VERSION}-linux-aarch_64" + + echo "$MAINTAINER_GPG_KEY" | base64 -d | gpg --import - + + ci/publish_github_assets.sh "v${VERSION}" "${PWD}/publish" + workingDirectory: $(Build.SourcesDirectory) + env: + GITHUB_TOKEN: $(GitHubPublicRepoOnlyAccessToken) + MAINTAINER_GPG_KEY: $(MaintainerGPGKey) + - stage: verify dependsOn: ["docker"] jobs: diff --git a/ci/publish_github_assets.sh b/ci/publish_github_assets.sh new file mode 100755 index 0000000000000..22c4b62208e14 --- /dev/null +++ b/ci/publish_github_assets.sh 
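Review bot: Nothing ties the signed assets to the tag that triggered the build. The `bash` step takes the release name from `VERSION.txt` and passes `v${VERSION}` to `ci/publish_github_assets.sh`, while the job condition only requires a ref starting with `refs/tags/v`. If the two differ, binaries signed with the maintainer key are attached to a release other than the one that was tagged, or the lookup fails late. A guard before the `gpg --import` line would close this, e.g. `[[ "${BUILD_SOURCEBRANCH}" == "refs/tags/v${VERSION}" ]] || { echo "tag does not match VERSION.txt" >&2; exit 1; }`. It would also be worth exporting `GNUPGHOME` as a fresh `mktemp -d` directory before the import, so the private key stays out of the agent's default keyring and can be removed when the step ends.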
@@ -0,0 +1,82 @@
+#!/bin/bash -e
+
+RELEASE_VERSION="$1"
+PUBLISH_DIR="$2"
+
+REPO_OWNER="${REPO_OWNER:-envoyproxy}"
+REPO_NAME="${REPO_NAME:-envoy}"
+RELEASE_API_URL="https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/releases"
+
+
+sign_assets () {
+ local asset
+
+ rm -f checksums.txt
+
+ for asset in ./*; do
+ asset="$(echo "${asset}" | cut -d/ -f2)"
+ if [[ "$asset" =~ ^checksums.txt ]]; then
+ continue
+ fi
+ sha256sum "$asset" >> "checksums.txt"
+ done
+
+ gpg --clearsign checksums.txt
+ rm checksums.txt
+ cat checksums.txt.asc
+}
+
+get_release_id () {
+ local url="${RELEASE_API_URL}/tags/${1}"
+ curl \
+ -s \
+ -X GET \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${url}" \
+ | jq '.id'
+}
+
+get_upload_url () {
+ local url="${RELEASE_API_URL}/${1}"
+ curl \
+ -s \
+ -X GET \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ "${url}" \
+ | jq -r '.upload_url'
+}
+
+upload_to_github () {
+ local upload_url="$1" \
+ binary="$2"
+ upload_url="$(echo "$upload_url" | cut -d\{ -f1)"
+ echo -n "Uploading ${binary} ... "
+ curl \
+ -s \
+ -X POST \
+ -H "Content-Type: application/octet-stream" \
+ -H "Accept: application/vnd.github+json" \
+ -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+ --data-binary "@${binary}" \
+ "${upload_url}?name=${binary}" \
+ | jq -r '.state'
+}
+
+upload_assets () {
+ local release_id upload_url
+ release_id="$(get_release_id "${1}")"
+ upload_url="$(get_upload_url "$release_id")"
+
+ echo "Upload assets (${PUBLISH_DIR}) -> ${upload_url}"
+
+ for asset in ./*; do
+ asset="$(echo "${asset}" | cut -d/ -f2)"
+ upload_to_github "${upload_url}" "$asset"
+ done
+}
+
+cd "$PUBLISH_DIR" || exit 1
+sign_assets
+upload_assets "${RELEASE_VERSION}"
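Review bot: None of the three `curl` calls checks for failure, so the script can exit 0 without having uploaded anything. `curl` runs with `-s` but without `--fail`, and each call is piped into `jq` with only `-e` set on the shebang, so an HTTP 401/404 or a network error leaves `release_id` or `upload_url` as `null` or empty and the loop in `upload_assets` carries on. For a job that publishes signed release binaries this should be fatal: add `set -o pipefail` under the shebang, pass `--fail` to each `curl`, and stop before the loop with `[[ -n "$release_id" && "$release_id" != "null" ]] || exit 1`. `upload_to_github` should likewise compare the returned `.state` with `uploaded` instead of only printing it. An empty `$2` is also worth rejecting before `cd "$PUBLISH_DIR"`, since the script would otherwise checksum, sign and upload whatever is in the current directory.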