forked from digital-asset/daml
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-pipelines.yml
162 lines (153 loc) · 6.27 KB
/
azure-pipelines.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
# Copyright (c) 2023 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# Azure Pipelines file, see https://aka.ms/yaml
# Enable builds on all branches
trigger:
# Build every commit as our release process relies on
# the release process being built alone.
batch: false
branches:
include:
- main
- release/*
# Enable PR triggers that target the main branch
pr: none
jobs:
- template: ci/build.yml
- template: ci/check-for-release-job.yml
- job: release
dependsOn: [ "check_for_release", "Linux", "macOS", "Windows" ]
condition: and(succeeded(),
eq(dependencies.check_for_release.outputs['out.is_release'], 'true'),
eq(dependencies.check_for_release.outputs['out.split_release_process'], 'false'),
eq(variables['Build.SourceBranchName'], 'main'))
pool:
name: 'ubuntu_20_04'
demands: assignment -equals default
variables:
release_sha: $[ dependencies.check_for_release.outputs['out.release_sha'] ]
release_tag: $[ dependencies.check_for_release.outputs['out.release_tag'] ]
trigger_sha: $[ dependencies.check_for_release.outputs['out.trigger_sha'] ]
steps:
- template: ci/report-start.yml
- checkout: self
persistCredentials: true
- bash: |
set -euo pipefail
git checkout $(release_sha)
name: checkout_release
- template: ci/bash-lib.yml
parameters:
var_name: bash-lib
- bash: |
set -euo pipefail
source $(bash-lib)
if git tag v$(release_tag) $(release_sha); then
git push origin v$(release_tag)
mkdir $(Build.StagingDirectory)/release-artifacts
else
setvar skip-github TRUE
fi
- task: DownloadPipelineArtifact@0
inputs:
artifactName: linux-release
targetPath: $(Build.StagingDirectory)/release-artifacts
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- task: DownloadPipelineArtifact@0
inputs:
artifactName: macos-release
targetPath: $(Build.StagingDirectory)/release-artifacts
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- task: DownloadPipelineArtifact@0
inputs:
artifactName: windows-release
targetPath: $(Build.StagingDirectory)/release-artifacts
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- bash: |
set -euo pipefail
# Note: this gets dev-env from the release commit, not the trigger commit
eval "$(./dev-env/bin/dade-assist)"
KEY_FILE=$(mktemp)
GPG_DIR=$(mktemp -d)
cleanup() {
rm -rf $KEY_FILE $GPG_DIR
}
trap cleanup EXIT
echo "$GPG_KEY" | base64 -d > $KEY_FILE
gpg --homedir $GPG_DIR --no-tty --quiet --import $KEY_FILE
cd $(Build.StagingDirectory)/release-artifacts/github
sha256sum $(find . -type f | sort) > sha256sums
# Note: relies on our release artifacts not having spaces in their
# names. Creates a ${f}.asc with the signature for each $f.
for f in *; do
gpg --homedir $GPG_DIR -ab $f
done
cd ../artifactory
for f in *; do
gpg --homedir $GPG_DIR -ab $f
done
env:
GPG_KEY: $(gpg-code-signing)
- task: GitHubRelease@0
inputs:
gitHubConnection: 'garyverhaegen-da'
repositoryName: '$(Build.Repository.Name)'
action: 'create'
target: '$(release_sha)'
tagSource: 'manual'
tag: 'v$(release_tag)'
assets: $(Build.StagingDirectory)/release-artifacts/github/*
assetUploadMode: 'replace'
title: '$(release_tag)'
addChangeLog: false
isPrerelease: true
releaseNotesSource: 'input'
releaseNotes: "This is a pre-release. Use at your own risk."
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- bash: |
set -euo pipefail
# Note: this gets dev-env from the release commit, not the trigger commit
eval "$(./dev-env/bin/dade-assist)"
./ci/publish-artifactory.sh $(Build.StagingDirectory) $(release_tag)
env:
AUTH: $(ARTIFACTORY_USERNAME):$(ARTIFACTORY_PASSWORD)
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- bash: |
set -euo pipefail
# Note: this gets dev-env from the release commit, not the trigger commit
eval "$(./dev-env/bin/dade-assist)"
source $(bash-lib)
cd $(Build.StagingDirectory)/release-artifacts/github
for f in *; do
gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/github/$f"
done
cd $(Build.StagingDirectory)/release-artifacts/artifactory
for f in *; do
gcs "$GCRED" cp "$f" "gs://daml-data/releases/$(release_tag)/artifactory/$f"
done
name: backup_to_gcs
env:
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
condition: and(succeeded(), not(eq(variables['skip-github'], 'TRUE')))
- bash: |
set -euo pipefail
source $(bash-lib)
# Note: this gets dev-env from the release commit, not the trigger commit
eval "$(./dev-env/bin/dade-assist)"
msg=$(git log -n1 --format=%b HEAD | head -1)
# Keep this line in sync with RELEASE_PR_NOTIF in ci/cron/wednesday.yml
if [ "$msg" = "This PR has been created by a script, which is not very smart" ]; then
pr_handler="<@$(next_in_rotation_slack)>"
else
pr_handler=""
fi
curl -XPOST \
-i \
-H 'Content-Type: application/json' \
--data "{\"text\":\"${pr_handler} Release \`$(release_tag)\` is ready for testing. See <https://github.com/digital-asset/daml/blob/main/release/RELEASE.md|release instructions>. (<https://dev.azure.com/digitalasset/daml/_build/results?buildId=$(Build.BuildId)|build>, <https://github.com/digital-asset/daml/commit/$(trigger_sha)|trigger commit>, <https://github.com/digital-asset/daml/commit/$(release_sha)|target commit>)\"}" \
$(Slack.team-daml)
- template: ci/tell-slack-failed.yml
parameters:
trigger_sha: '$(trigger_sha)'
- template: ci/report-end.yml
- template: ci/split-release-job.yml