envoyproxy · phlax · Oct 16, 2022 · Oct 14, 2022
diff --git a/.azure-pipelines/pipelines.yml b/.azure-pipelines/pipelines.yml
@@ -16,11 +16,13 @@ variables:
   value: true
 - name: isMain
   value: $[eq(variables['Build.SourceBranch'], 'refs/heads/main')]
-- name: isRelease
+- name: isReleaseBranch
   value: $[startsWith(variables['Build.SourceBranch'], 'refs/heads/release/v')]
+- name: isTaggedRelease
+  value: $[startsWith(variables['Build.SourceBranch'], 'refs/tags/v')]
 - name: isStableBranch
   # A release branch can be either `main` or a `release/v1.x` stable branch
-  value: $[or(eq(variables['isMain'], 'true'), eq(variables['isRelease'], 'true'))]
+  value: $[or(eq(variables['isMain'], 'true'), eq(variables['isReleaseBranch'], 'true'))]
 
 stages:
 - stage: precheck
@@ -502,6 +504,67 @@ stages:
       env:
         GITHUB_TOKEN: $(GitHubPublicRepoOnlyAccessToken)
 
+  - job: assets
+    dependsOn: []
+    condition: eq(variables['isTaggedRelease'], 'true')
+    pool:
+      vmImage: "ubuntu-20.04"
+    steps:
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.release"
+        itemPattern: "bazel.release/envoy_binary.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.release"
+        itemPattern: "bazel.release/envoy-contrib_binary.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.release.arm64"
+        itemPattern: "bazel.release.arm64/envoy_binary.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        buildType: current
+        artifactName: "bazel.release.arm64"
+        itemPattern: "bazel.release.arm64/envoy-contrib_binary.tar.gz"
+        downloadType: single
+        targetPath: $(Build.StagingDirectory)
+    - bash: |
+        set -e
+
+        VERSION="$(cat VERSION.txt)"
+
+        mkdir -p linux/amd64 linux/arm64 publish
+
+        # linux/amd64
+        tar zxf $(Build.StagingDirectory)/bazel.release/envoy_binary.tar.gz -C ./linux/amd64
+        tar zxf $(Build.StagingDirectory)/bazel.release/envoy-contrib_binary.tar.gz -C ./linux/amd64
+        cp -a linux/amd64/build_envoy_release_stripped/envoy "publish/envoy-${VERSION}-linux-x86_64"
+        cp -a linux/amd64/build_envoy-contrib_release_stripped/envoy "publish/envoy-contrib-${VERSION}-linux-x86_64"
+
+        # linux/arm64
+        tar zxf $(Build.StagingDirectory)/bazel.release.arm64/envoy_binary.tar.gz -C ./linux/arm64
+        tar zxf $(Build.StagingDirectory)/bazel.release.arm64/envoy-contrib_binary.tar.gz -C ./linux/arm64
+        cp -a linux/arm64/build_envoy_release_stripped/envoy "publish/envoy-${VERSION}-linux-aarch_64"
+        cp -a linux/arm64/build_envoy-contrib_release_stripped/envoy "publish/envoy-contrib-${VERSION}-linux-aarch_64"
+
+        echo "$MAINTAINER_GPG_KEY" | base64 -d | gpg --import -
+
+        ci/publish_github_assets.sh "v${VERSION}" "${PWD}/publish"
+      workingDirectory: $(Build.SourcesDirectory)
+      env:
+        GITHUB_TOKEN: $(GitHubPublicRepoOnlyAccessToken)
+        MAINTAINER_GPG_KEY: $(MaintainerGPGKey)
+
 - stage: verify
   dependsOn: ["docker"]
   jobs:

diff --git a/ci/publish_github_assets.sh b/ci/publish_github_assets.sh
@@ -0,0 +1,82 @@
+#!/bin/bash -e
+
+RELEASE_VERSION="$1"
+PUBLISH_DIR="$2"
+
+REPO_OWNER="${REPO_OWNER:-envoyproxy}"
+REPO_NAME="${REPO_NAME:-envoy}"
+RELEASE_API_URL="https://api.github.com/repos/${REPO_OWNER}/${REPO_NAME}/releases"
+
+
+sign_assets () {
+    local asset
+
+    rm -f checksums.txt
+
+    for asset in ./*; do
+        asset="$(echo "${asset}" | cut -d/ -f2)"
+        if [[ "$asset" =~ ^checksums.txt ]]; then
+            continue
+        fi
+        sha256sum "$asset" >> "checksums.txt"
+    done
+
+    gpg --clearsign checksums.txt
+    rm checksums.txt
+    cat checksums.txt.asc
+}
+
+get_release_id () {
+    local url="${RELEASE_API_URL}/tags/${1}"
+    curl \
+        -s \
+        -X GET \
+        -H "Accept: application/vnd.github+json" \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        "${url}" \
+        | jq '.id'
+}
+
+get_upload_url () {
+    local url="${RELEASE_API_URL}/${1}"
+    curl \
+        -s \
+        -X GET \
+        -H "Accept: application/vnd.github+json" \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        "${url}" \
+        | jq -r '.upload_url'
+}
+
+upload_to_github () {
+    local upload_url="$1" \
+          binary="$2"
+    upload_url="$(echo "$upload_url" | cut -d\{ -f1)"
+    echo -n "Uploading ${binary} ... "
+    curl \
+        -s \
+        -X POST \
+        -H "Content-Type: application/octet-stream" \
+        -H "Accept: application/vnd.github+json" \
+        -H "Authorization: Bearer ${GITHUB_TOKEN}" \
+        --data-binary "@${binary}" \
+        "${upload_url}?name=${binary}" \
+            | jq -r '.state'
+}
+
+upload_assets () {
+    local release_id upload_url
+    release_id="$(get_release_id "${1}")"
+    upload_url="$(get_upload_url "$release_id")"
+
+    echo "Upload assets (${PUBLISH_DIR}) -> ${upload_url}"
+
+    for asset in ./*; do
+        asset="$(echo "${asset}" | cut -d/ -f2)"
+        upload_to_github "${upload_url}" "$asset"
+    done
+}
+
+cd "$PUBLISH_DIR" || exit 1
+sign_assets
+upload_assets "${RELEASE_VERSION}"