1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
|
#!/bin/bash
# Copyright 2015 The Bazel Authors. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
set -eu
# Main deploy functions for the continous build system
# Just source this file and use the various method:
# bazel_build build bazel and run all its test
# bazel_release use the artifact generated by bazel_build and push
# them to github for a release and to GCS for a release candidate.
# Also prepare an email for announcing the release.
# Load common.sh
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$(dirname ${SCRIPT_DIR})/release/common.sh"
if ! command -v gsutil &>/dev/null; then
echo "Required tool 'gsutil' not found. Please install it:"
echo "See https://cloud.google.com/sdk/downloads for instructions."
exit 1
fi
if ! command -v github-release &>/dev/null; then
echo "Required tool 'github-release' not found. Download it from here:"
echo "https://github.com/c4milo/github-release/releases"
echo "Just extract the archive and put the binary on your PATH."
exit 1
fi
if ! command -v debsign &>/dev/null; then
echo "Required tool 'debsign' not found. Please install it via apt-get:"
echo "apt-get install devscripts"
exit 1
fi
if ! command -v reprepro &>/dev/null; then
echo "Required tool 'reprepro' not found. Please install it via apt-get:"
echo "apt-get install reprepro"
exit 1
fi
if ! command -v gpg &>/dev/null; then
echo "Required tool 'gpg' not found. Please install it via apt-get:"
echo "apt-get install gnupg"
exit 1
fi
if ! command -v pandoc &>/dev/null; then
echo "Required tool 'pandoc' not found. Please install it via apt-get:"
echo "apt-get install pandoc"
exit 1
fi
# if ! command -v ssmtp &>/dev/null; then
# echo "Required tool 'ssmtp' not found. Please install it via apt-get:"
# echo "apt-get install ssmtp"
# exit 1
# fi
export APT_GPG_KEY_ID=$(gsutil cat gs://bazel-encrypted-secrets/release-key.gpg.id)
# Generate a string from a template and a list of substitutions.
# The first parameter is the template name and each subsequent parameter
# is taken as a couple: first is the string the substitute and the second
# is the result of the substitution.
function generate_from_template() {
local value="$1"
shift
while (( $# >= 2 )); do
value="${value//$1/$2}"
shift 2
done
echo "${value}"
}
# Generate the email for the release.
# The first line of the output will be the recipient, the second line
# the mail subjects and the subsequent lines the mail, its content.
# If no planed release, then this function output will be empty.
function generate_email() {
RELEASE_CANDIDATE_URL="https://releases.bazel.build/%release_name%/rc%rc%/index.html"
RELEASE_URL="https://github.com/bazelbuild/bazel/releases/tag/%release_name%"
local release_name=$(get_release_name)
local rc=$(get_release_candidate)
local args=(
"%release_name%" "${release_name}"
"%rc%" "${rc}"
"%relnotes%" "# $(get_full_release_notes)"
)
if [ -n "${rc}" ]; then
args+=(
"%url%" "$(generate_from_template "${RELEASE_CANDIDATE_URL}" "${args[@]}")"
)
generate_from_template \
"$(cat "${SCRIPT_DIR}/rc_email.txt")" \
"${args[@]}"
elif [ -n "${release_name}" ]; then
args+=(
"%url%" "$(generate_from_template "${RELEASE_URL}" "${args[@]}")"
)
generate_from_template \
"$(cat "${SCRIPT_DIR}/release_email.txt")" "${args[@]}"
fi
}
function get_release_page() {
echo "# $(get_full_release_notes)"'
_Notice_: Bazel installers contain binaries licensed under the GPLv2 with
Classpath exception. Those installers should always be redistributed along with
the source code.
Some versions of Bazel contain a bundled version of OpenJDK. The license of the
bundled OpenJDK and other open-source components can be displayed by running
the command `bazel license`. The vendor and version information of the bundled
OpenJDK can be displayed by running the command `bazel info java-runtime`.
The binaries and source-code of the bundled OpenJDK can be
[downloaded from our mirror server](https://mirror.bazel.build/openjdk/index.html).
_Security_: All our binaries are signed with our
[public key](https://bazel.build/bazel-release.pub.gpg) 48457EE0.
'
}
# Deploy a github release using a third party tool:
# https://github.com/c4milo/github-release
# This methods expects the following arguments:
# $1..$n files generated by package_build (should not contains the README file)
# Please set GITHUB_TOKEN to talk to the Github API.
function release_to_github() {
local artifact_dir="$1"
local release_name=$(get_release_name)
local rc=$(get_release_candidate)
if [ -n "${release_name}" ] && [ -z "${rc}" ]; then
local github_token="$(gsutil cat gs://bazel-encrypted-secrets/github-token.enc | \
gcloud kms decrypt --location global --keyring buildkite --key github-token --ciphertext-file - --plaintext-file -)"
GITHUB_TOKEN=${github_token} github-release "bazelbuild/bazel" "${release_name}" "" "$(get_release_page)" "${artifact_dir}/*"
fi
}
# Creates an index of the files contained in folder $1 in Markdown format.
function create_index_md() {
# First, add the release notes
get_release_page
# Then, add the list of files
echo
echo "## Index of files"
echo
for f in $1/*.sha256; do # just list the sha256 ones
local filename=$(basename $f .sha256);
echo " - [${filename}](${filename}) [[SHA-256](${filename}.sha256)] [[SIG](${filename}.sig)]"
done
}
# Creates an index of the files contained in folder $1 in HTML format.
function create_index_html() {
create_index_md "${@}" | pandoc -f markdown -t html
}
# Deploy a release candidate to Google Cloud Storage.
# It requires to have gsutil installed. You can force the path to gsutil
# by setting the GSUTIL environment variable.
# This methods expects the following arguments:
# $1..$n files generated by package_build
function release_to_gcs() {
local artifact_dir="$1"
local release_name="$(get_release_name)"
local rc="$(get_release_candidate)"
if [ -n "${release_name}" ]; then
local release_path="${release_name}/release"
if [ -n "${rc}" ]; then
release_path="${release_name}/rc${rc}"
fi
create_index_html "${artifact_dir}" > "${artifact_dir}/index.html"
gsutil -m cp -a public-read "${artifact_dir}/**" "gs://bazel/${release_path}"
fi
}
function ensure_gpg_secret_key_imported() {
if ! gpg --list-secret-keys | grep "${APT_GPG_KEY_ID}" > /dev/null; then
keyfile=$(mktemp --tmpdir)
chmod 0600 "${keyfile}"
gsutil cat "gs://bazel-encrypted-secrets/release-key.gpg.enc" | \
gcloud kms decrypt --location "global" --keyring "buildkite" --key "bazel-release-key" --plaintext-file "-" --ciphertext-file "${keyfile}"
gpg --allow-secret-key-import --import "${keyfile}"
rm -f "${keyfile}"
fi
# Make sure we use stronger digest algorithm。
# We use reprepro to generate the debian repository,
# but there's no way to pass flags to gpg using reprepro, so writting it into
# ~/.gnupg/gpg.conf
if ! grep "digest-algo sha256" ~/.gnupg/gpg.conf > /dev/null; then
echo "digest-algo sha256" >> ~/.gnupg/gpg.conf
fi
}
function create_apt_repository() {
mkdir conf
cat > conf/distributions <<EOF
Origin: Bazel Authors
Label: Bazel
Codename: stable
Architectures: amd64 source
Components: jdk1.8
Description: Bazel APT Repository
DebOverride: override.stable
DscOverride: override.stable
SignWith: ${APT_GPG_KEY_ID}
Origin: Bazel Authors
Label: Bazel
Codename: testing
Architectures: amd64 source
Components: jdk1.8
Description: Bazel APT Repository
DebOverride: override.testing
DscOverride: override.testing
SignWith: ${APT_GPG_KEY_ID}
EOF
cat > conf/options <<EOF
verbose
ask-passphrase
basedir .
EOF
# TODO(#2264): this is a quick workaround #2256, figure out a correct fix.
cat > conf/override.stable <<EOF
bazel Section contrib/devel
bazel Priority optional
EOF
cat > conf/override.testing <<EOF
bazel Section contrib/devel
bazel Priority optional
EOF
ensure_gpg_secret_key_imported
local distribution="$1"
local deb_pkg_name="$2"
local deb_dsc_name="$3"
debsign -k "${APT_GPG_KEY_ID}" "${deb_dsc_name}"
reprepro -C jdk1.8 includedeb "${distribution}" "${deb_pkg_name}"
reprepro -C jdk1.8 includedsc "${distribution}" "${deb_dsc_name}"
gsutil -m cp -a public-read -r dists pool "gs://bazel-apt"
}
function release_to_apt() {
local artifact_dir="$1"
local release_name="$(get_release_name)"
local rc="$(get_release_candidate)"
if [ -n "${release_name}" ]; then
local release_label="$(get_full_release_name)"
local deb_pkg_name="${release_name}/bazel_${release_label}-linux-x86_64.deb"
local deb_dsc_name="${release_name}/bazel_${release_label}.dsc"
local deb_tar_name="${release_name}/bazel_${release_label}.tar.gz"
pushd "${artifact_dir}"
if [ -n "${rc}" ]; then
create_apt_repository testing "${deb_pkg_name}" "${deb_dsc_name}"
else
create_apt_repository stable "${deb_pkg_name}" "${deb_dsc_name}"
fi
popd
fi
}
# A wrapper around the release deployment methods.
function deploy_release() {
local release_label="$(get_full_release_name)"
local release_name="$(get_release_name)"
if [[ ! -d $1 ]]; then
echo "Usage: deploy_release ARTIFACT_DIR"
exit 1
fi
artifact_dir="$1"
if [[ -z $release_name ]]; then
echo "Could not get the release name - are you in a release branch directory?"
exit 1
fi
ensure_gpg_secret_key_imported
rm -f "${artifact_dir}"/*.{sha256,sig}
for file in "${artifact_dir}"/*; do
(cd "${artifact_dir}" && sha256sum "$(basename "${file}")" > "${file}.sha256")
gpg --no-tty --detach-sign -u "${APT_GPG_KEY_ID}" "${file}"
done
apt_working_dir="$(mktemp -d --tmpdir)"
echo "apt_working_dir = ${apt_working_dir}"
mkdir "${apt_working_dir}/${release_name}"
cp "${artifact_dir}/bazel_${release_label}-linux-x86_64.deb" "${apt_working_dir}/${release_name}"
cp "${artifact_dir}/bazel_${release_label}.dsc" "${apt_working_dir}/${release_name}"
cp "${artifact_dir}/bazel_${release_label}.tar.gz" "${apt_working_dir}/${release_name}"
release_to_apt "${apt_working_dir}"
gcs_working_dir="$(mktemp -d --tmpdir)"
echo "gcs_working_dir = ${gcs_working_dir}"
cp "${artifact_dir}"/* "${gcs_working_dir}"
release_to_gcs "${gcs_working_dir}"
github_working_dir="$(mktemp -d --tmpdir)"
echo "github_working_dir = ${github_working_dir}"
cp "${artifact_dir}"/* "${github_working_dir}"
rm -f "${github_working_dir}/bazel_${release_label}"*.{deb,dsc,tar.gz}
release_to_github "${github_working_dir}"
}
|
