-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable CD #117
Comments
Just to ensure we are on the same page, will the workflow be:
|
Not quite—https://github.com/jenkins-infra/github-reusable-workflows/blob/f771babb1fd571cb03e36d875eb61184c796aa4b/.github/workflows/maven-cd.yml#L19-L24 first verifies that the Jenkins CI build was passing, using https://github.com/jenkins-infra/verify-ci-status-action, and this is why we first asked you to get the Jenkins build up and running. Then, if various other conditions are met, like the pull request being something other than a routine dependency update (tested via https://github.com/jenkins-infra/github-reusable-workflows/blob/f771babb1fd571cb03e36d875eb61184c796aa4b/.github/workflows/maven-cd.yml#L35-L41) we proceed to do the CD release. All of the above should work out of the box for you, but where we run into differences for this component is in the CD release itself. https://github.com/jenkins-infra/github-reusable-workflows/blob/f771babb1fd571cb03e36d875eb61184c796aa4b/.github/workflows/maven-cd.yml#L43 certainly won't work here, as this needs to run on Windows 2019 rather than Ideally we would find a way to improve or enhance https://github.com/jenkins-infra/jenkins-maven-cd-action to accomodate this workflow rather than copying and pasting the code into this repository. |
One thing I just thought of that might help you is that when deploying the CD release with Maven https://github.com/jenkins-infra/jenkins-maven-cd-action/blob/5f5529707ac2bef1ff86da2553ce465ed669aa65/run.sh#L8 you will need to have the certificate and password defined as environment variables (stored as secrets in GitHub), so you can key off the presence of those environment variables in the Maven build to do the signing. Something like e.g. <profiles>
<profile>
<id>sign-native</id>
<activation>
<os>
<family>Windows</family>
</os>
<property>
<name>env.CERTIFICATE</name>
</property>
</activation>
<build>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<executions>
<execution>
<id>sign-native</id>
<goals>
<goal>exec</goal>
</goals>
<phase>process-resources</phase>
<configuration>
<executable>sign.cmd</executable>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles> although note that I haven't tried to run this code. |
To be honest, it seems very complicated and will involve again new discussions with other teams. On the other way, you seem to know exactly what it needs and seems like a few hours of work. So my polite request, could you help on this and do this change? |
I can't commit to doing this task. Parameterizing the CD workflow to allow for a non-Ubuntu VM seems like the easiest task, so I would start there. I have no experience with Windows key signing and didn't sign the currently shipping binaries, so I have no idea what that actually looks like beyond the hints Oleg left in this repository's |
I'll take a look onto that thus. |
After taking a look at this on my side, I opened a jenkins-infra issue (jenkins-infra/helpdesk#4076) to see if we can have an official action supporting this on Windows. |
The expectation is that you would write or modify any GitHub Actions based CD workflows, reaching out to the infrastructure team only if a certificate is needed.
Then I will give you directions, step-by-step. At a high-level, the first task will be for you to get the entire CD workflow working using copy and pasted code in this repository, and the second task will be to figure out how to generalize this back into the reusable workflows. The rest of this comment will focus on the first high-level task, since the second is too far off to envision clearly. Start by reverse engineering the signing process and coming up with a design for how this should be signed. Research the common ways of code signing Windows binaries, and list them. Then reverse engineer how the existing shipping binaries were signed. Determine if we should sign these binaries the same way or a different way. Report your conclusions, and then when consensus has been reached, we can reach out to the infrastructure team for help with a certificate (if a certificate is needed). Codewise, create a pull request in
|
Allow me to make it easier to justify, then. The justification is as follows: the existing shipping binaries were signed manually by a maintainer who is not currently active. To ship changes to these binaries without causing a regression, we need to ensure that the new release is at feature parity with the old one (i.e., if the old release was signed, the new release must be signed as well). And to sign in a way that is sustainable (i.e., one that doesn't cause the same maintenance challenges in the future when a maintainer moves on), the signing process should be automated. |
Now that #116 has landed, the next step is to enable JEP-229 CD for this repository, using GitHub Actions (as is standard for CD in the Jenkins project). The CD work should largely follow https://www.jenkins.io/doc/developer/publishing/releasing-cd/ but may be slightly more involved in that it needs to run on a Windows 2019 system in GitHub Actions rather than a Linux system in GitHub Actions (as the instructions currently describe).
The standard process used in Jenkins is to run CD after CI has passed, skipping the tests in CD. Since this CD build is more complicated, and since the test suite runs in milliseconds, it may be desirable to also run the tests again during CD.
One complication is that CD needs to sign the binaries after building them but before putting them in the JAR. The signing should take place as described here with some commands like:
It may be necessary to engage with the Jenkins infrastructure team for access to a certificate. The password for the certificate can be stored by a GitHub administrator as a secret in the "Actions secrets and variables" configuration for this repository, where it may be consumed by the CD (but not CI!) build.
The text was updated successfully, but these errors were encountered: