From 7d5bd20c905c3e798d626a1d2b9434c927649ac0 Mon Sep 17 00:00:00 2001 From: Alexander Turenko Date: Tue, 23 Jun 2020 02:38:59 +0300 Subject: [PATCH] travis-ci: deploy RPM / Deb packages Now php-tarantool packages are deployed into two kinds of repositories: packagecloud.io and to S3 based ones. The download.tarantool.org now points to the latter, but we keep packagecloud.io for a while to don't break users, which use it directly (we don't recommend it though). See [1] for more info about deprecation of our packagecloud.io repositories. The deployment scripts allows to provide two configurations: production and staging. The former is for deployment from the master branch and from a git tag. The latter is for deployments from a developer branch. It is useful when something should be verified in a specific environment using a built package or when the deployment process itself was modified and should be tested. The difference between production and staging deployment process is how duplicate package versions are handled. It give an error for production deployment, but does not for staging. The new package is discarded in the case for packagecloud.io, but it replaces the old package in S3 repositories. Read comments in the deployment scripts for more details. [1]: https://github.com/tarantool/tarantool/issues/4947 Fixes #117 --- .gitignore | 3 + .travis.yml | 43 +++++ .travis/deploy_packagecloud.sh | 120 +++++++++++++ ...ploy_production_s3_gpg_private_key.asc.enc | Bin 0 -> 5520 bytes .travis/deploy_s3.sh | 160 ++++++++++++++++++ .travis/deploy_s3_dependencies.sh | 10 ++ .../deploy_staging_s3_gpg_private_key.asc.enc | Bin 0 -> 5520 bytes .../update-repo-sh-use-right-gpg-key.patch | 29 ++++ 8 files changed, 365 insertions(+) create mode 100755 .travis/deploy_packagecloud.sh create mode 100644 .travis/deploy_production_s3_gpg_private_key.asc.enc create mode 100755 .travis/deploy_s3.sh create mode 100755 .travis/deploy_s3_dependencies.sh create mode 100644 .travis/deploy_staging_s3_gpg_private_key.asc.enc create mode 100644 .travis/update-repo-sh-use-right-gpg-key.patch diff --git a/.gitignore b/.gitignore index 6b9751b..6f52a5c 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,6 @@ debian/php5-tarantool.substvars debian/php5-tarantool/ build .*.sw[a-z] + +# Unencrypted private GPG keys for deployment. +.travis/*.asc diff --git a/.travis.yml b/.travis.yml index 53d9736..3c9794d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -136,3 +136,46 @@ script: else exit 1 fi + +deploy: + skip_cleanup: true + provider: script + # Don't skip tagged commits. + # + # The script below will skip deployment when appropriate. + # See the link below for better description why it is necessary. + # + # https://github.com/tarantool/tarantool/issues/3745 + on: + all_branches: true + script: + - | + # Skip deployment when it is not expected. + if [ -z "${OS}" ] || [ -z "${DIST}" ]; then + echo "Skip deployment: it is pure testing job w/o any RPM / Deb artefacts" + exit 0 + fi + if [ "${TRAVIS_REPO_SLUG}" != "tarantool/tarantool-php" ]; then + echo "Skip deployment: it is a fork, not the base repository" + exit 0 + fi + if [ "${TRAVIS_EVENT_TYPE}" = "push" ]; then + echo "Skip deployment: event is not 'push': ${TRAVIS_EVENT_TYPE}" + exit 0 + fi + + # Choose destination to push packages. + if [ "${TRAVIS_BRANCH}" == "master" ] || [ -n "${TRAVIS_TAG}" ]; then + echo "Set production deployment parameters" + configuration=production + else + echo "Set staging deployment parameters" + configuration=staging + fi + + # Deploy to packagecloud repositories. + ./.travis/deploy_packagecloud.sh ${configuration} + + # Deploy to S3 based repositories. + ./.travis/deploy_s3_dependencies.sh + ./.travis/deploy_s3.sh ${configuration} diff --git a/.travis/deploy_packagecloud.sh b/.travis/deploy_packagecloud.sh new file mode 100755 index 0000000..c7da44e --- /dev/null +++ b/.travis/deploy_packagecloud.sh @@ -0,0 +1,120 @@ +#!/bin/sh + +# Deploy to packagecloud repositories +# ----------------------------------- +# +# `deploy_packagecloud.sh` is equivalent to +# `deploy_packagecloud.sh staging`. +# +# `deploy_packagecloud.sh staging` requires the following +# environment variables: +# +# - OS +# - DIST +# - DEPLOY_STAGING_PACKAGECLOUD_USER +# - DEPLOY_STAGING_PACKAGECLOUD_TOKEN +# +# `deploy_packagecloud.sh production` requires the following +# environment variables: +# +# - OS +# - DIST +# - DEPLOY_PRODUCTION_PACKAGECLOUD_USER +# - DEPLOY_PRODUCTION_PACKAGECLOUD_TOKEN +# +# If one of those variables is not set or empty, then deployment +# will be skipped. + +# Make shell strictier. +# +# - Exit with a failure on a first failed command. +# - Exit with a failure on an attempt to use an unset variable. +# - Print each executed commmand. +# +# Note: The script expects that Travis-CI will filter sensitive +# information (such as a token): 'Display value in build log' +# toogle should be OFF for to keep a value secure. +set -eux + +configuration=${1:-staging} + +# Choose credentials. +if [ ${configuration} = staging ]; then + DEPLOY_PACKAGECLOUD_USER="${DEPLOY_STAGING_PACKAGECLOUD_USER:-}" + DEPLOY_PACKAGECLOUD_TOKEN="${DEPLOY_STAGING_PACKAGECLOUD_TOKEN:-}" +elif [ ${configuration} = production ]; then + DEPLOY_PACKAGECLOUD_USER="${DEPLOY_PRODUCTION_PACKAGECLOUD_USER:-}" + DEPLOY_PACKAGECLOUD_TOKEN="${DEPLOY_PRODUCTION_PACKAGECLOUD_TOKEN:-}" +else + echo "Unknown configuration: ${configuration}" + exit 1 +fi + +# Skip deployment if some variables are not set or empty. +if [ -z "${OS:-}" ] || [ -z "${DIST:-}" ] || \ + [ -z "${DEPLOY_PACKAGECLOUD_USER}" ] || \ + [ -z "${DEPLOY_PACKAGECLOUD_TOKEN}" ]; then + echo "Skip deployment: some of necessary environment" + echo "variables are not set or empty" + exit 0 +fi + +# Verify that packpack is cloned into the current directory. +packagecloud_tool=./packpack/tools/packagecloud +if [ ! -f "${packagecloud_tool}" ]; then + echo "Could not find ${packagecloud_tool}" + exit 1 +fi + +# Staging repository: keep older packages in case of a +# version clash. +# +# It would be better to replace old ones, but there is no +# such option in the packagecloud tool we use. It may be +# important if we'll have some manual or automatic testing +# upward a staging repository. But at least CI will not fail +# because a package is already exists. +push_args="" +if [ "${configuration}" = staging ]; then + push_args="${push_args} --ignore-duplicates" +fi + +# Setup environment variables for the packagecloud tool. +export PACKAGECLOUD_TOKEN="${DEPLOY_PACKAGECLOUD_TOKEN}" + +# We have tarantool repositories on packagecloud.io up to +# 2_4. The next ones present only in the S3 based storage. +for repo in 1_6 1_7 1_9 1_10 2x 2_2 2_3 2_4; do + # FIXME: Enable *.ddeb when packagecloud.io will support it. + for file in build/*.{rpm,deb,dsc}; do + extension=${file##*.} + + # Skip non-matched globs: say, build/*.rpm on Debian. + basename="$(basename "${file}" ".${extension}")" + [ "${basename}" = "*" ] && continue + + # Push all source files listed in .dsc file together with + # the file. + # + # FIXME: It seems logical to move this logic to the + # packagecloud tool we use. + files="${file}" + if [ "${extension}" = "dsc" ]; then + parse_dsc_file='{ + if ($0 == "Files:") { + FILES_SECTION = 1; + } else if (FILES_SECTION != 0) { + print "build/"$3; + } + }' + files="${files} $(awk "${parse_dsc_file}" "${file}")" + fi + + # FIXME: The tool fetches distributions.json each time. + # It can cache the data somewhere and reuse during some + # time period until expiration. + user=${DEPLOY_PACKAGECLOUD_USER} + ${packagecloud_tool} push ${push_args} ${user}/${repo} ${extension} \ + ${OS} ${DIST} ${files} + done +done diff --git a/.travis/deploy_production_s3_gpg_private_key.asc.enc b/.travis/deploy_production_s3_gpg_private_key.asc.enc new file mode 100644 index 0000000000000000000000000000000000000000..d5af471b09f490d1e4f90d91caae627be764ac70 GIT binary patch literal 5520 zcmV;B6>sW+BR-%0s(mli1>XKebIs$Bvi@X8AxEGEu0cTvQ6}vI+8lo1W^SRy5K+T<)pp;Y-%^thrWYy9cfAC?NgG)}~2U@&GyGGI7v6 zrGXm>E(^*fxzFQMkpA<&pf~%qq8S^&+zuM)zpmCLzb0BAJW--uMIomRbJWi$a9`^0 zKtokyIw`^l0pa8fyU8!+=|kT31h5`!^|@9uRHUBd2HOXTJ}#4!|4)_WCU{JE>UOBj zk&j!$e`0u1qS;AUWWEGN>yF&W`v0l-{&Q|~&$0|)8vm!t96>+(mXdOT>Qc5(o=7#0 z5`%82pEm`^o^4jxF}4Pxbz12NAA*8S0O-*=X2ktMDQ4A2uy$m&sKcD}ZVpPl->M_h zB1Ep-x$#83oVUs!$&UNAEroQ_KK8$QDKM59ZJ7fXtTLwx{tI9)SI3^`T@e|LbaqAl zp4Y@4pv!EXmW9Uc7pKDUU`pFe**ts0M5DNN%*$!IKWn~54H~j_ccRUJ~ferA6 zToe9U^wgYQ)84cH+D~qmc%qwI_U@UKF$_y{k>04~6Iy+y=zWlMs)^^(U=e$FgH#St z{i?{*<>pafdV)7EFHqm@E5>_bFsDQkg2gF{RKkhQ4LTNVP+JB;ksBN|A)0q)(TMg< zj^Fw7uu#Ru;CUuA`FMk$fYB^}U2T&PEbC{awlpGyGHU}R5w9lu5fAnJibvx&6H#vlVh3=QCCP}DZYBFtOAoZ9G#vJ ztD?TTtHy3T!&dHo#UT*WCTw znO^zqvhAMA?WVI&&bu>8r?8^%Sdid0U(&zk=Bo6%oO`)=zJ>!GF=Vv8jZHEsDp22w zd3HV&Ck2ZfZ64|_5X*JX#senSqsx#6t_Uk=x_QL(|ETg*dJ}E~aZd)gKC1|aewawS zuu~-SH0^)V&J=-F2W}UVmhwz^Ywy@&_zW*{%jz*+wLS`tj}ynNSV;v{4O&$A_`tBE zG&P?L_ZXoQABa55!Y4k13Ply)0R*}|7mX%%Gdw=g%E)FZ6_6^xvlq^-bN9* zJcw;TJb6z!*79s0bycZ&3i|4Jo>Z+H z3Q*j?(LnFqgdxw}bBLTDmF&4fZr(5ard6-8>oE_9>f!Hm{rLJSX_@R?HE-&Y({$;A zeUoUk0PJYR1v0FAJQnR>{1xzKPv$bY2m^iRQaE!KBuN~~Fd0^oX1K`Rp8T;=_AFg- z$`(5V#QVRC>xRcaQ6nzo`x272)3gC80}7z!7-EDcuafmzXzs%q@u{&}qk$X#2@wtt z?an*f@i9ggNs?UgGP!8vrG}p-sdUsx^RXmtuMH2IA6=0n5mpJ+H*_0uuYwBU-MbI| z`LpykvHEBX?tXvqQ3$qzt$U1MBcAD?DPh%O-d#Fm50SoKcmLBYoILlk@L7M7M@6N` zP*+0d9XnG9nUq47lyMN;14Nv0f*2gsw`vTz*Dlcy_&w9Vb%<2^|7nMoU%$J($c^pZ zKkrqkZTKlK%Tb^33Z#n)^fTix?Y8UUMLGm96iyMp*3#~A613-YI+?N0i?|aFzKx6u z*d=hQuw8WcPl=!!=_+riqr6qrWkxkC&CO4S)ihcPr?kM26TLy3ZE};td2H zcR6k1ogQ(awGoQ@;1gL;zh<4due8LA%;4C0{zKyIC~~4R{S)adyR#UANLa(wTV)RU z=z&M24hHCai+SgIJH?V$py$seVC`PmDsjf3;BgjMe?op_?vZgQc7$*1#m#W*81>TB zpWYF5X!2UPGLSD)-3zY%xY~`_eAMTN}HfYPVr_CCC?%E7O{dVi>#<%)Y-M8 z8p2>_C<>hq>l#5v7B)wk(sMu~Er2~5-P>1Jvupi^M_fJ-YrYjwN^`zCdZ-G)kMi{~ zLsHG&-CRZw_QrlCRoHDA%9Umomg8M%h0?~{sqAot1%8YjFVW@K+xwzf+AJf%&Xj-x z3%<2#<@^lU6>m#7J7Ob}stV>2z}$91(}o$N`U^jPQUzPe_N*0Ow67n8J9>W%3O)2v z5W_v+{X*kDm^hL@TORa=Y2xA(M0+)NlR=k%o7L+W|7V7aK_hi9#xd{z7}`+xDk!e7 z&OYrBOgig6WS8W@o3_HW^zGSo=mVvb^Mv5;s%loRt%yb25S~meOEgIGAOt)BIP1Jf z_+T+;5_jMp`!PWJpzv}hbfU>cS3yl$>2afFwP@!VL(}AO)l&I26EJ<_yyjf}wOQ*1 zSA}0(g;9U=P7uj?3e$+ZuqU0ai^5RY<*YM^e}F40J(7ZyOz zTdkra=@iyYjDNY7m?fHHz(_{#pc^X`NOyNw-$7Pom_oyGF!VpE20d-kjsk?GxYln8 zaS?M8ws$zzc_Lp#9huaxPK88())c+%@4|D@TYw7g40joW{*KnMV5YlubF(Z*VQGH$)+-)zGs|`n$fc1k`=WMiDO9t=^tIOe)(Rkb1ge zIv!$KxzF>IJOkoQ5#5&C{xg2fWjD$+3YF>is0P`~%gLt59^O4rM9;=kXZq9b%>oe2 zKzb_$uT`jlp%(1CznbdO#gV)pUmCERaCulW_U%9TsNE7OryQdz^G&c|f~CgAGT0sj z&6pi6k}sp!Eptat78KgmDhVGet{#MmH~ew$hQ3NY?DJahARBS58#EAs>4O4h_&!2Y zHh8}%5T`A*-1IE}EVFsQAfN2tnq`Q->eeHYg=50?ay@Xcb9o>AY_r>VsV@lC>W;8| zFnn^kOqUO@D3G|sK|DK*a8BJlrg`EIKKY3D=(FJGa8Kq~b_B_;t5eLU`8jsk02pcq z#rVZc=wm=7AiP7o!IB6f9UihzIJC>J)1%Bi>Hd_5%UN8hGb{gGL`670%nP-^U#AT~ zUIB$meo>oAVU&uqZK>7r-&9Q#iL)pD<6dADKEF z>VUcoR%xcq66DjUh*0>Lb77xwO&q3`tbvh6_VDFvv`o*d_UhZ8v==VqI+Ywc|53++ zJWb3kmZL6V*v!X`lioir*O=SMutxlI4D3Bj8aM%kUT-2+{{of2V}S#;Dq;jX$OKCg z)wPg>uCeAIM0@0dM@hI|8mwdyFpQ%+ub>3#(dj!6kEZPHMhUC*TyH!2ZGCYMgNYuh zEe$JbHIKmWEaiG2aB_?Y}h2S2V! z4wr&5ywBgA7mEk*#2q&5B&iscVgApq$HJ5yhe-~Tm5o7ECkD2(C ze(5;3$NUgNQ22Tr2)W- z+QB0o?YDDv6kA)65i9+lwl#D)r=CKlB+$l6gIduAN8d3a0mWa!;jdkf7!@G~!wFKi zY$RFtNrEUet|x19sO)xbg2`H#$_m}Qpz|X$3-wa=(q`n;hs`>;HX_b3E5AM|a9wZ( zi*Tta(`M*|7`mQ5oIx%ad0F6d-|(iZV*n0etO~wCSaFiP-p^MrkZeUz9ZZ&lO*~o( zbr-;2!Fu&eitL890(gvz~>qmMzn^r^}+ z%rK0F;VDB(EeGAG<{_L8KNmP3QTK$Wo=XcSua!q{wN^hfB?(bw*yOSBBY8TlA-(`0u=vkMg z$oozt@j%A}u0Xqg&y4lN11yl|yK&^C2L9ZMN$6Si?SPGI)J=VVxOeZ!=4En9EH1UH zGye35@SDx?;ddNP7jG}RQUZR(zk)M_)xfTL;m*`)K(}i8;b0TQ)aB@v;DvE+goar2A;s}cL%i!q#BuqOkUAIos)#2p~j{fY8DEo<=v4P1yrK_+D)rfL}<_Bg{ejY8I`WNEZC7crQQ6+=Q#!2=lO5WiYFB;6fzx z*ApwYz;Ks!T?+tcYz@Z_+L7&V^LT;cVo2eY#>Nqh(Cb{&ROs%~DyzKm#}WMEf1Oof z4z!9Ob%5R&IRYeG3Xklvzaj$ZDr!r>zsQ|e3+(!q^3%4bWr}b z^yiGw$`2bs4QjP^$FOf<%fV|d0O(TLJN%hL?e?uKjdcSRy^0c^kc4`CR=9P@oZ^Q9ZYz zR{L8-sz3jKa{OKqNVcB!kK=-; zlm0~TSWQf7m!~hPit5HAWw`LUDL0A`Lmtt=LmJxM3$w#cnp*6x zj1-mSwTqU>WPT+4eA;;K=0krrp{sizh9 z+Hp}1{iKWL{&nrz^ZR>JzLUpgzNV#r@a&Q1=Dmnm0;ZX%CXRDxGQ%C665zN$1Hn=J z+;nRb=rgy2cai+JAp%WT7Z%f_)~QD8B_?k+r$$Ref^lWt4lS54G%tGBKv0$9tCK1b zW1Dd{)KtDy#E19^d6LjwWp~o*JiXihCR2KR{>)#9-PDfx1FR(Aj2CS^dX6^LlRJOd zYaye4BvH8@e?dooW*}A_h`W#(!^4~HwZ)pvQYd`=IXQ7tQ~LZNF#78=c+eiH)?NIg z5v{LHN1up*Yq?-O+#s~Z<~zM{P5ua+e1XFO2hp`?H|P#&C~?FEIc!$!b>Sl%mX58g Sb}we6(R=XVP_q6JPtpz-62}k# literal 0 HcmV?d00001 diff --git a/.travis/deploy_s3.sh b/.travis/deploy_s3.sh new file mode 100755 index 0000000..324cf69 --- /dev/null +++ b/.travis/deploy_s3.sh @@ -0,0 +1,160 @@ +#!/bin/sh + +# Deploy to S3 based repositories +# ------------------------------- +# +# `deploy_s3.sh` is equivalent to `deploy_s3.sh staging`. +# +# `deploy_s3.sh staging` requires the following environment +# variables: +# +# - OS +# - DIST +# - DEPLOY_STAGING_S3_ENDPOINT_URL="https://..." +# - DEPLOY_STAGING_S3_LIVE_DIR="s3://my_bucket/foo/bar/live" +# - DEPLOY_STAGING_S3_RELEASE_DIR="s3://my_bucket/foo/bar/release" +# - DEPLOY_STAGING_S3_ACCESS_KEY_ID +# - DEPLOY_STAGING_S3_SECRET_ACCESS_KEY +# - DEPLOY_STAGING_S3_GPG_KEY_FILE_KEY (32 bytes in hex) +# - DEPLOY_STAGING_S3_GPG_KEY_FILE_IV (16 bytes in hex) +# +# `deploy_s3.sh production` requires the following environment +# variables: +# +# - OS +# - DIST +# - DEPLOY_PRODUCTION_S3_ENDPOINT_URL="https://..." +# - DEPLOY_PRODUCTION_S3_LIVE_DIR="s3://my_bucket/foo/bar/live" +# - DEPLOY_PRODUCTION_S3_RELEASE_DIR="s3://my_bucket/foo/bar/release" +# - DEPLOY_PRODUCTION_S3_ACCESS_KEY_ID +# - DEPLOY_PRODUCTION_S3_SECRET_ACCESS_KEY +# - DEPLOY_PRODUCTION_S3_GPG_KEY_FILE_KEY (32 bytes in hex) +# - DEPLOY_PRODUCTION_S3_GPG_KEY_FILE_IV (16 bytes in hex) +# +# If one of those variables is not set or empty, then deployment +# will be skipped. + +# Make shell strictier. +# +# - Exit with a failure on a first failed command. +# - Exit with a failure on an attempt to use an unset variable. +# - Print each executed commmand. +# +# Note: The script expects that Travis-CI will filter sensitive +# information (such as a token): 'Display value in build log' +# toogle should be OFF for to keep a value secure. +set -eux + +configuration=${1:-staging} + +# Choose URLs, directories, keys and so. +if [ ${configuration} = staging ]; then + DEPLOY_S3_ENDPOINT_URL="${DEPLOY_STAGING_S3_ENDPOINT_URL:-}" + DEPLOY_S3_LIVE_DIR="${DEPLOY_STAGING_S3_LIVE_DIR:-}" + DEPLOY_S3_RELEASE_DIR="${DEPLOY_STAGING_S3_RELEASE_DIR:-}" + DEPLOY_S3_ACCESS_KEY_ID="${DEPLOY_STAGING_S3_ACCESS_KEY_ID:-}" + DEPLOY_S3_SECRET_ACCESS_KEY="${DEPLOY_STAGING_S3_SECRET_ACCESS_KEY:-}" + DEPLOY_S3_GPG_KEY_FILE_KEY="${DEPLOY_STAGING_S3_GPG_KEY_FILE_KEY:-}" + DEPLOY_S3_GPG_KEY_FILE_IV="${DEPLOY_STAGING_S3_GPG_KEY_FILE_IV:-}" +elif [ ${configuration} = production ]; then + DEPLOY_S3_ENDPOINT_URL="${DEPLOY_PRODUCTION_S3_ENDPOINT_URL:-}" + DEPLOY_S3_LIVE_DIR="${DEPLOY_PRODUCTION_S3_LIVE_DIR:-}" + DEPLOY_S3_RELEASE_DIR="${DEPLOY_PRODUCTION_S3_RELEASE_DIR:-}" + DEPLOY_S3_ACCESS_KEY_ID="${DEPLOY_PRODUCTION_S3_ACCESS_KEY_ID:-}" + DEPLOY_S3_SECRET_ACCESS_KEY="${DEPLOY_PRODUCTION_S3_SECRET_ACCESS_KEY:-}" + DEPLOY_S3_GPG_KEY_FILE_KEY="${DEPLOY_PRODUCTION_S3_GPG_KEY_FILE_KEY:-}" + DEPLOY_S3_GPG_KEY_FILE_IV="${DEPLOY_PRODUCTION_S3_GPG_KEY_FILE_IV:-}" +else + echo "Unknown configuration: ${configuration}" + exit 1 +fi + +# Skip deployment if some variables are not set or empty. +if [ -z "${OS:-}" ] || [ -z "${DIST:-}" ] || \ + [ -z "${DEPLOY_S3_ENDPOINT_URL}" ] || \ + [ -z "${DEPLOY_S3_LIVE_DIR}" ] || \ + [ -z "${DEPLOY_S3_RELEASE_DIR}" ] || \ + [ -z "${DEPLOY_S3_ACCESS_KEY_ID}" ] || \ + [ -z "${DEPLOY_S3_SECRET_ACCESS_KEY}" ] || \ + [ -z "${DEPLOY_S3_GPG_KEY_FILE_KEY}" ] || \ + [ -z "${DEPLOY_S3_GPG_KEY_FILE_IV}" ]; then + echo "Skip deployment: some of necessary environment" + echo "variables are not set or empty" + exit 0 +fi + +# Download the tool to deploy to an S3 based repository. +ref=f84cb1aae3144f5677feacf6be31bd4f15e91c2d +base_url="https://raw.githubusercontent.com/tarantool/tarantool/${ref}" +curl -Ssfo update_repo.sh "${base_url}/tools/update_repo.sh" +chmod a+x update_repo.sh + +# FIXME: Upstream the patch. +patch -p1 -i .travis/update-repo-sh-use-right-gpg-key.patch + +# Decrypt a GPG key. +gpg_key_file=".travis/deploy_${configuration}_s3_gpg_private_key.asc" +openssl aes-256-cbc -K "${DEPLOY_S3_GPG_KEY_FILE_KEY}" \ + -iv "${DEPLOY_S3_GPG_KEY_FILE_IV}" -in "${gpg_key_file}.enc" \ + -out "${gpg_key_file}" -d + +# Import GPG key for signing repository files. +gpg --import --batch "${gpg_key_file}" + +# Extract GPG key id for signing repository files. +export GPG_SIGN_KEY="$(gpg --with-colons --import-options show-only \ + --import "${gpg_key_file}" | grep ^sec: | cut -d: -f5)" + +# Setup environment variables for the update_repo.sh tool. +export AWS_S3_ENDPOINT_URL="${DEPLOY_S3_ENDPOINT_URL}" +export AWS_ACCESS_KEY_ID="${DEPLOY_S3_ACCESS_KEY_ID}" +export AWS_SECRET_ACCESS_KEY="${DEPLOY_S3_SECRET_ACCESS_KEY}" + +# ${product} value may affect location of *.deb, *.rpm and related +# files relative to a base repository URL. We can provide it or +# miss: the script will generate correct repository metainfo +# anyway. +# +# However providing meaningful value for this option enables +# grouping of related set of packages into a subdirectory named as +# ${product} (only for Deb repositories at moment of writing +# this). +# +# It is enabled here for consistency with locations of other Deb +# packages in our repositories, but in fact it is the internal +# detail, which does not lead to any change in the user +# experience. +product=php-tarantool + +# Setup arguments that are common for all repositories +# (1.10, 2.1, ...). +update_repo_args="--os=${OS} --distribution=${DIST} --product=${product}" + +# Staging repository: rewrite a package if there is a previous one +# of the same version. +# +# Note: It differs from a logic in deploy_packagecloud.sh. +if [ "${configuration}" = staging ]; then + update_repo_args="${update_repo_args} --force" +fi + +# Deploy to S3 based repositories. +for repo in 1.10 2.1 2.2 2.3 2.4 2.5; do + # Note: The update_repo.sh tool automatically find + # *.{rpm,deb,dsc} within a passed directory, so we just + # pass the directory name: 'build'. + + # FIXME: Machine-local locking that is used in the + # update_repo.sh tool is insufficient when we deploy from a + # just created virtual machine. + + # Deploy to live repository (per-push). + bucket="${DEPLOY_S3_LIVE_DIR}/${repo}" + ./update_repo.sh ${update_repo_args} --bucket="${bucket}" build + + # Deploy to release repository (tagged commits). + if [ -n "${TRAVIS_TAG:-}" ]; then + bucket="${DEPLOY_S3_RELEASE_DIR}/${repo}" + ./update_repo.sh ${update_repo_args} --bucket="${bucket}" build + fi +done diff --git a/.travis/deploy_s3_dependencies.sh b/.travis/deploy_s3_dependencies.sh new file mode 100755 index 0000000..de4246e --- /dev/null +++ b/.travis/deploy_s3_dependencies.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +# Prevent procmail package from asking configuration parameters +# interactively. +# See https://github.com/packpack/packpack/issues/7 +export DEBIAN_FRONTEND=noninteractive + +apt-get install -y procmail # for lockfile tool +apt-get install -y awscli +apt-get install -y reprepro diff --git a/.travis/deploy_staging_s3_gpg_private_key.asc.enc b/.travis/deploy_staging_s3_gpg_private_key.asc.enc new file mode 100644 index 0000000000000000000000000000000000000000..bf4225ebed661cd607407f1aedf9fdde5b8d771b GIT binary patch literal 5520 zcmV;B6>sXD9vwbOUzYROjX@o+6a@^p;Op@4%Z3gz%ft$YZnNMPg?rX#p#K>>ahC)1 z)+_o*5y|wTB&Fwa(yS&Mc}_$4A<_LLR^scI(5-GS6sb=`UOCCjpiT7CzK840v#({< z+z)De39(BD%-06LwvO{(Q{2r_-1uh&#uNC%EdM>kMU_hlweY$ z=K9LS$3Ct@_gFQ~85g<(hiOqkNW0{zH2hwJ+E+zqme5^u6<02a z;4#ttawKl8+WHfC&j&anIGKC3d+sLqiF{`tDRN>N8zv^-&hLfjj;;#)0w1`?MtmWm z)4+s`SHsd^MVW`DGmH#rk)PDdv4TszEL4-W%`r3CN?=@Oi%hO5PX;n7Dq`pvp(jNn zi4o(yBK*Osj9uT2yq>4m#=>u`XTz)P8aMqalB~J## zIZ-?xxESp6N$qhV1OL5{?tR;;*&AbirV4?&UAR~hw(ak>+lpsMVvS)+z z#1IK4Hfb3=Dn@g1y}P3ECdusVUsn5W@A*6V&lldSK|XCptg3hv8#A+%`d(Dh;Z$kn z74DYr>Vj8Wc=>QLm-TDp7*5YWKDr2YpOtmzie zeg$w)N}esejV&iYl1e}D^#4KXTDq(er{;R9>^7cJiLWiICTB`JlzqjeLm{~a8;oBY zZkA}7&YF9T2C8_HB#*c@h?oE+*Yb^Z!5oXBw@d`;@z9=r6dfLO&8(qz3lPWzNSTSY ze*a@?uZSxXn|n>ZrC_DNSNDFmE`f;YEth@~69ZWBAM5kJJ%88UT5Ge@9v5Ed4Rk`~ zx7~2mQ^#j58=wdJOeDu3uE*jC=WO|Ok^%>M^;8g~3O2Q-d-C>)f6>*3?y>6OlX7tq zn4d9vuyPY&G+IsyqmXA{6WNap@hBwXAPj#C-n~fk+Q=vYfd?eS>!ifHpkMj+pzm|}pC}4vk-TxL$OKXUh85u=` za`Lx|tdapdxkcpr*WekFt{A^7yh8l{(bLovUjV>Tzy;Y?X|? zrJ_v5r%y18t33#~o{@*DTAzbpsK4!;2o&iYIV2`5>a~63X`>Sv)UM55I!&gPWK<$t zwiaVHxQZDLMhq&sT@1!72D8Xodi6#GI0#KFe)t+6!$l5ecOiE8J+3F6^VagsVfk~T zi^4qbUxQ?HZzMUsV1##NT>K^$^`N~*1S^{Lhs#+mrTYP0>7gG394~2IrctU}Rq{b> zlSvKgOsl$F5btFUg9#H*{wj!{N0zfJwz}EJSw)QAfc`HainN#FqKj{)Y-I%8HnM3z z)rLDaD{(6v?4DA;5_k$!a?2$8PR(FO02yv~Yc6xaG_GP+rY<2yc=#Ij0$GYlIyTRu1upstB`qdQvJTa0`OievB5<#LEW=#JbMP`7h#FlVyp{-ZvUo@U_rUB?`n--u`#I9oD9p(BI_@ z>e@BWU6|@wHS!9(H&@!JqUHPceEPU7?UQl$Y>o4q-=aPu)YExu{n!qze;HS+UeJ_f zN+$4Qq9I%$h|ewPOYOyIy_>kd(!g2^r8Xf8q6EacB)SJsnFN9R?vOlaO-WRmg;J@8 zz3yZbYSpq{&kOEQ2(JaU%v`iKLz|9^2m|X9yz_qwEKGv)R*^?F4#h2&)j?Tw01;l{ zP;1X^R_Q)A{5@if4!C}g?(por!QP3*@vNr4zU1)oioS3F1!$j78p)_Ae?!&UC(Gpj z+8F%~#hxXc%&zE8q5))m#hiG+5(hfz%{#i{k<34h9lNcvh~4X8T)-y1i3JrOo;yxe>s10C9vM2+);Y;8~nFL5J4GY)cN&1v_i% z!8E)=g;LP?=K&h+tBmir?nOiuLCz`OT3VNW*xH5&0rm54D%{%ryjXIypc6R>YuDeG zEOqirN#bK85pWBdWDVP@1E%*?yEDb)J>X0g9GSnx4tYTsQ@!VJLWav$sesMOSS*#U8!|f(dhD_l~Gj zs)sn(l(zt7EKXbC3N+IZ7__#M9po%s@C zR{OU-G0Y9uAhK>E*59~Y5d=X5nc-I_Y=!2#tw1}?(l(#ss~WJatpeNTh}CyoxJx60#IZzdgMEHuTU_xG!~AE)&y|f6Vs?Bzr((O&cOhdO_lS22$CKBC>_L3; zTp9a=rThYAKRAHR!qin;=|5_}uPl2P<;mr41V7K$}&u{%7aYes4`;f*yr~fPW z9woR=nnM@JbHzgXrvDM+-W9GT7KthnD?_e(VoDTt7r)v!G_o-BV<$TN%L=VzbHy4u z?QFI^O#;mtIu!4e12>U)#$hBAAp1=TZ#B?~_L_1DBh49Ieq%6Z{zbc-4k@idFD7jg zIvOb%Hp`j5GXQTPq_wmisN9AK$`n6xK!9I@4;VVS{XPDA`tZr<<67=ef==dHmz*Wn zmu&wd6pjfj?Z;68=qmG{&kMW9Rc>9@6pWBDbS|IjSH>k1PCwS(O{$7(=k#^Y`wLHf zV*~s{=jugkXj&s|Z-7b?3Jbp7$dEo!ma)1PKyUpExW&)(r09n`al-aT^D=G~4-ur$ z2qLv8ARp-{3)Fxjs6bIR_0b`c5ciqsmKBBYDt^snQQ1iesuUA9tNzv?@BrwX@Ox>5 zVvjk{Y7dY8t+XH~n4PS}cxxv9U@ab5XQ~@VjCgV*Mb44`_BF<5EA7 z>wMm#_#ORK>*UD%;MLmjd+Z*!o`NDrsB z`TUEGhab3n=BW@v67vv+rQi}4GNkMlXVl(pR*ZlZO za*he?;c)@Y4#KoVp`#>M9S2exs$#lNcqunAuNcTRyo^gff$P4iYgJr<-a4VyftUm0B!A>$9n7Fu~5pXH}Hc<^_A2*iqPZSTH*{vh41{7IQ zpTROnU2f?FVZ&<-3^Xo4%Fw9AT3sTa}h>f<53x5=oG*x=qn1OP>IvU$PFHkAVu^9g40bMVf4 zY3?I|SvH?+k_?_MwP9{Sn&WZB6Nljpx|%x22RWr{tT(GU_c{9nRg^R4&^`HR0L!iKem}9~%)ue*;RT^WR08yV{u$DXN z*-XY}=_-97m!cNpmjvJGzpf`j5cYe<&2C?5Ba9(p2o?Bwc~c3C;?w?u#kT*2aVY1n z0Rber0<%-#?BeTqdfX|+$AMte5=;MS$?^4SaPdD+li3Yd{EVLR8N}QyoBDn~Sltva ziP1+{>J3bR#O|yaCbME^@mYv`uX_xQwS*4qdKYplTas8%Nnbqm1onQp!ArK56{A(| z!8&==q;PC_T~(_yd_wmox-gkhO48>40CMDjl&d9EpAVdM*+t~~b$XG)l|8WuY%Qt0Vx4o}iW@$|e zxW(DF-kgci5Yu!2o^X1cNAS5Jar6cAhcq?%yaS2CB*|4{?F*`OzNLM{cj`zE zLd_AFW`I^(Idd%4Cfbmiau!iNIeC#>cYYr&x5cO2#pj4X>E+Y~?W^+p2gN-Yk1`xN zhX+ajhKucwsM+}lR)*$e$uRJLlQAMEjOM%zJZh9sR;CMGnJdcFvPUvMm2a2&O4fZJ$q5AT?F z5!#rCRXiY8ikra#EH9K|f|iNn`Jzv1)Fe4)r&j^mt-5LrP-SXW2$R`Sb&zB0(?Y{% zdm6rcD!otzPfH@U>`}^s=g1$Vm_0wH&aMzSLW73Q_z>Hg4NpMuk~-K{i^11Jo}yO` zLMJ8^V?R^wGvH>W51U~9k>~P;heMYlMlkEjp|ObSq=l+*Ji>K|c$1Qy@YiMlB?JG_ zvyh8+Ow4nq8&Sm!|4BL3?maKXx48w#vP;l3(EOq>zv~R5jtVN^r!m=)NRb=1m^2JxP`? zQ}~~q)KoJJ5A3~S1Jb3+t%=8ZsD_;!sD~R=2ML>X*BTv*Ebl|AGyVUTYln%&F3Dcf zqcC(c%&N?Z4Ud67dU|L$b+cXwQGt-32jEz77FSiQ0n2nUEg_Z!~m! zdPb52iObKmxJ+y7uh`gQE!W}*R7{EcYjtl6pp9)u`|E2U+S!-4q+R76lJ%F=`$DWX zcAl7r&1;lA;EX}?HJ-DG34fjQS8+C{tbHNZx8IJvcZtj4xvMe zvvU~Y!ScixpJ))8=V2_EGk0KXH}QqE9}IZuv67_Zvkm1Rj_ zq#6cRfCpxe$*2s?wSonzpAU_tIRo6j$u8}_YD}R?n%5bp0SQ?~8*#ov;U(~vnR_F| SUvgLmEa>~s!x9|lXt{1@uf&A_ literal 0 HcmV?d00001 diff --git a/.travis/update-repo-sh-use-right-gpg-key.patch b/.travis/update-repo-sh-use-right-gpg-key.patch new file mode 100644 index 0000000..59afdc0 --- /dev/null +++ b/.travis/update-repo-sh-use-right-gpg-key.patch @@ -0,0 +1,29 @@ +--- a/update_repo.sh 2020-06-09 17:35:03.332961335 +0300 ++++ b/update_repo.sh 2020-06-23 02:26:55.532653673 +0300 +@@ -415,7 +415,7 @@ + done + # resign the selfsigned InRelease file + $rm_file InRelease +- gpg --clearsign -o InRelease Release ++ gpg -u $GPG_SIGN_KEY --clearsign -o InRelease Release + # resign the Release file + $rm_file Release.gpg + gpg -u $GPG_SIGN_KEY -abs -o Release.gpg Release +@@ -784,7 +784,7 @@ + EOF + done + tail -n 1 repodata.adding/repomd.xml >>repodata/repomd.xml +- gpg --detach-sign --armor repodata/repomd.xml ++ gpg -u $GPG_SIGN_KEY --detach-sign --armor repodata/repomd.xml + + # copy the packages to S3 + for file in $pack_rpms ; do +@@ -901,7 +901,7 @@ + tail -n 1 repomd_saved.xml >>repomd.xml + rm -f repomd_saved.xml repomd.xml.asc + popd +- gpg --detach-sign --armor repodata/repomd.xml ++ gpg -u $GPG_SIGN_KEY --detach-sign --armor repodata/repomd.xml + + # update the metadata at the S3 + $aws_sync_public repodata "$bucket_path/$repopath/repodata"