Skip to content

[Promotion] allow to promote debian to a signed repository #16636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 4, 2025
+141 −26
Merged

[Promotion] allow to promote debian to a signed repository #16636

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
113 changes: 96 additions & 17 deletions buildkite/scripts/release/manager.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,6 +188,9 @@ function storage_list() {
local path=$2

case $backend in
local)
ls "$path"
;;
gs)
gsutil list "$path"
;;
Expand All @@ -207,6 +210,9 @@ function storage_md5() {
local path=$2

case $backend in
local)
md5sum "$path" | awk '{print $1}'
;;
gs)
gsutil hash -h -m "$path" | grep "Hash (md5)" | awk '{print $3}'
;;
Expand All @@ -226,6 +232,9 @@ function storage_download() {
local local_path=$3

case $backend in
local)
cp "$remote_path" "$local_path"
;;
gs)
gsutil cp "$remote_path" "$local_path"
;;
Expand Down Expand Up @@ -288,11 +297,21 @@ function publish_debian() {
local __verify=$7
local __dry_run=$8
local __backend=$9
local __debian_repo=${10}
local __debian_sign_key=${11}

get_cached_debian_or_download $__backend $__artifact $__codename "$__network"
local __artifact_full_name=$(get_artifact_with_suffix $__artifact $__network)
local __deb=$DEBIAN_CACHE_FOLDER/$__codename/"${__artifact_full_name}"

if [[ $__debian_sign_key != "" ]]; then
local __sign_arg=("--sign" "$__debian_sign_key")
local __signed_arg="--signed"
else
local __sign_arg=()
local __signed_arg=""
fi

if [[ $__source_version != "$__target_version" ]]; then
echo " 🗃️ Rebuilding $__artifact debian from $__source_version to $__target_version"
prefix_cmd "$SUBCOMMAND_TAB" reversion --deb ${__deb} \
Expand All @@ -309,11 +328,14 @@ function publish_debian() {
echo " 🍥 Publishing $__artifact debian to $__channel channel with $__target_version version"
echo " 📦 Target debian version: $(calculate_debian_version $__artifact $__target_version $__codename "$__network" )"
if [[ $__dry_run == 0 ]]; then
# shellcheck disable=SC2068
prefix_cmd "$SUBCOMMAND_TAB" source $SCRIPTPATH/../../../scripts/debian/publish.sh \
--names "$DEBIAN_CACHE_FOLDER/$__codename/${__artifact_full_name}_${__target_version}.deb" \
--version $__target_version \
--bucket $__debian_repo \
-c $__codename \
-r $__channel
-r $__channel \
${__sign_arg[@]}

if [[ $__verify == 1 ]]; then

Expand All @@ -323,7 +345,8 @@ function publish_debian() {
-p $__artifact_full_name \
--version $__target_version \
-m $__codename \
-c $__channel
-r $__debian_repo \
-c $__channel ${__signed_arg}
fi
fi
}
Expand Down Expand Up @@ -392,6 +415,16 @@ function promote_debian() {
local __network=$7
local __verify=$8
local __dry_run=$9
local __debian_repo=${10}
local __debian_sign_key=${11}

if [[ $__debian_sign_key != "" ]]; then
local __sign_arg=("--sign" "$__debian_sign_key")
local __signed_arg="--signed"
else
local __sign_arg=()
local __signed_arg=""
fi

echo " 🍥 Promoting $__artifact debian from $__source_channel to $__target_channel, from $__source_version to $__target_version"
echo " 📦 Target debian version: $(calculate_debian_version $__artifact $__target_version $__codename "$__network")"
Expand All @@ -407,11 +440,11 @@ function promote_debian() {
--release ${__source_channel} \
--new-version ${__target_version} \
--suite ${__source_channel} \
--repo ${DEBIAN_REPO} \
--repo ${__debian_repo} \
--new-suite ${__target_channel} \
--new-name ${__artifact_full_name} \
--new-release ${__target_channel} \
--codename ${__codename} \
--codename ${__codename}

if [[ $__verify == 1 ]]; then
echo " 📋 Verifying: $__artifact debian to $__target_channel channel with $__target_version version"
Expand All @@ -420,7 +453,8 @@ function promote_debian() {
-p $__artifact_full_name \
--version $__target_version \
-m $__codename \
-c $__target_channel
-r $__debian_repo \
-c $__target_channel ${__signed_arg}
fi
fi
}
Expand Down Expand Up @@ -451,6 +485,8 @@ function publish_help(){
printf " %-25s %s\n" "--verify" "[bool] verify packages are published correctly. WARINING: it requires docker engine to be installed";
printf " %-25s %s\n" "--dry-run" "[bool] doesn't publish anything. Just print what would be published";
printf " %-25s %s\n" "--backend" "[string] backend to use for storage. e.g gs,hetzner. default: gs";
printf " %-25s %s\n" "--debian-repo" "[string] debian repository to publish to. default: $DEBIAN_REPO";
printf " %-25s %s\n" "--debian-sign-key" "[string] debian signing key to use. default: lack of presence = no signing";
echo ""
echo "Example:"
echo ""
Expand Down Expand Up @@ -479,6 +515,8 @@ function publish(){
local __verify=0
local __dry_run=0
local __backend="gs"
local __debian_repo=$DEBIAN_REPO
local __debian_sign_key=""

while [ ${#} -gt 0 ]; do
error_message="❌ Error: a value is needed for '$1'";
Expand Down Expand Up @@ -538,6 +576,14 @@ function publish(){
__backend=${2:?$error_message}
shift 2;
;;
--debian-repo )
__debian_repo=${2:?$error_message}
shift 2;
;;
--debian-sign-key )
__debian_sign_key=${2:?$error_message}
shift 2;
;;
* )
echo -e "❌ ${RED} !! Unknown option: $1${CLEAR}\n";
echo "";
Expand Down Expand Up @@ -580,6 +626,9 @@ function publish(){
echo " - Only debians: $__only_debians"
echo " - Verify: $__verify"
echo " - Dry run: $__dry_run"
echo " - Backend: $__backend"
echo " - Debian repo: $__debian_repo"
echo " - Debian sign key: $__debian_sign_key"
echo ""

if [[ $__backend != "gs" && $__backend != "hetzner" ]]; then
Expand Down Expand Up @@ -617,7 +666,9 @@ function publish(){
"" \
$__verify \
$__dry_run \
$__backend
$__backend \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand All @@ -635,7 +686,9 @@ function publish(){
"" \
$__verify \
$__dry_run \
$__backend
$__backend \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand All @@ -653,7 +706,9 @@ function publish(){
$network \
$__verify \
$__dry_run \
$__backend
$__backend \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand All @@ -672,8 +727,9 @@ function publish(){
$network \
$__verify \
$__dry_run \
$__backend

$__backend \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand Down Expand Up @@ -717,6 +773,8 @@ function promote_help(){
printf " %-25s %s\n" "--only-debians" "[bool] publish only debian packages";
printf " %-25s %s\n" "--verify" "[bool] verify packages are published correctly. WARINING: it requires docker engine to be installed";
printf " %-25s %s\n" "--dry-run" "[bool] doesn't publish anything. Just print what would be published";
printf " %-25s %s\n" "--debian-repo" "[string] debian repository to publish to. default: $DEBIAN_REPO";
printf " %-25s %s\n" "--debian-sign-key" "[string] debian signing key to use. default: lack of presence = no signing";
echo ""
echo "Example:"
echo ""
Expand Down Expand Up @@ -744,6 +802,8 @@ function promote(){
local __only_debians=0
local __verify=0
local __dry_run=0
local __debian_repo=$DEBIAN_REPO
local __debian_sign_key=""


while [ ${#} -gt 0 ]; do
Expand Down Expand Up @@ -800,7 +860,15 @@ function promote(){
__dry_run=1
shift 1;
;;
* )
--debian-repo )
__debian_repo=${2:?$error_message}
shift 2;
;;
--debian-sign-key )
__debian_sign_key=${2:?$error_message}
shift 2;
;;
* )
echo -e "${RED} !! Unknown option: $1${CLEAR}\n";
echo "";
promote_help; exit 1;
Expand All @@ -813,7 +881,7 @@ function promote(){
promote_help; exit 1;
fi

if [[ -z ${__source_version+x} ]]; then
if [[ -z ${__source_version+x} ]]; then
echo -e "❌ ${RED} !! Source version (--source-version) is required${CLEAR}\n";
promote_help; exit 1;
fi
Expand Down Expand Up @@ -884,7 +952,9 @@ function promote(){
$__target_channel \
"" \
$__verify \
$__dry_run
$__dry_run \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand All @@ -903,7 +973,9 @@ function promote(){
$__target_channel \
"" \
$__verify \
$__dry_run
$__dry_run \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand All @@ -921,7 +993,9 @@ function promote(){
$__target_channel \
$network \
$__verify \
$__dry_run
$__dry_run \
$__debian_repo \
$__debian_sign_key

fi

Expand All @@ -941,8 +1015,9 @@ function promote(){
$__target_channel \
$network \
$__verify \
$__dry_run

$__dry_run \
$__debian_repo \
$__debian_sign_key
fi

if [[ $__only_debians == 0 ]]; then
Expand Down Expand Up @@ -1087,6 +1162,7 @@ function verify(){
-p $artifact \
--version $__version \
-m $__codename \
-r $__debian_repo \
-c $__channel
fi

Expand All @@ -1104,6 +1180,7 @@ function verify(){
-p $artifact \
--version $__version \
-m $__codename \
-r $__debian_repo \
-c $__channel

echo ""
Expand Down Expand Up @@ -1135,6 +1212,7 @@ function verify(){
-p $__artifact_full_name \
--version $__version \
-m $__codename \
-r $__debian_repo \
-c $__channel

echo ""
Expand Down Expand Up @@ -1166,6 +1244,7 @@ function verify(){
-p $__artifact_full_name \
--version $__version \
-m $__codename \
-r $__debian_repo \
-c $__channel
echo ""
fi
Expand Down
Loading