Implement secure deployment concept

.gitlab-ci.yml

@@ -25,10 +25,9 @@ shfmt:
   before_script:
     - pacman -Syu --needed --noconfirm qemu-headless libisoburn
   script:
-    - echo "BUILD_DATE=$(date -I)" > build.env
-    - . build.env
-    - ./build-in-qemu.sh
-    - mv build.env output/
+    - echo "BUILD_VERSION=$(date +%Y.%m.%d)" > build.env
+    - export $(< build.env)
+    - ./build-host.sh
   after_script:
     - echo "image_size_megabytes{image=\"qcow2\"} $(du -m output/*cloudimg*qcow2)" > metrics.txt
     - echo "image_size_megabytes{image=\"libvirt\"} $(du -m output/*libvirt*box)" >> metrics.txt
@@ -36,38 +35,56 @@ shfmt:
   artifacts:
     reports:
       metrics: metrics.txt
+      dotenv: build.env
 
 build:
   extends: .build
   except:
     - master
 
-build:release:
+build:secure:
   extends: .build
   tags:
     - secure
   only:
     - master
+    - schedules
+    - tags
   artifacts:
     name: "output"
     paths:
       - "output/*"
     expire_in: 2d
 
+tag_release:
+  stage: publish
+  tags:
+    - secure
+  only:
+    refs:
+      - schedules
+    variables:
+      - $SCHEDULED_PUBLISH == "TRUE"
+  before_script:
+    - pacman -Syu --needed --noconfirm httpie
+  script:
+    - http --ignore-stdin "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
+        "JOB-TOKEN:$CI_JOB_TOKEN"
+        "name=v$BUILD_VERSION"
+        "tag_name=v$BUILD_VERSION"
+        "ref=$CI_COMMIT_SHA"
+
 publish:
   stage: publish
   tags:
     - secure
+  only:
+    - tags
   before_script:
     - pacman -Syu --needed --noconfirm vagrant
   script:
-    - . output/build.env
     - vagrant cloud auth login --token "${VAGRANT_API_TOKEN}"
     - vagrant cloud auth login --check
     - vagrant cloud box show archlinux/archlinux
-    - vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
-    - vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
-  only:
-    variables:
-      - $SCHEDULED_PUBLISH == "TRUE"
-  resource_group: vm-build
+    - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
+    - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f

README.md

@@ -2,11 +2,11 @@
 [![CI Status](https://gitlab.archlinux.org/archlinux/arch-boxes/badges/master/pipeline.svg)](https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipelines)
 
 - [Vagrant Cloud](https://app.vagrantup.com/archlinux/boxes/archlinux)
-- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:cloud-qemu)
+- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:secure)
 
-Arch-boxes provides automated builds of the Arch Linux releases for
-different providers and post-processors. Check the providers or post-processor sections if you want to know
-which are currently supported.
+Arch-boxes provides automated builds of the Arch Linux releases for different providers and
+post-processors. Check the providers or post-processor sections if you want to know which are
+currently supported.
 
 ## Dependencies
 You'll need the following dependencies:

build-in-qemu.sh → build-host.sh

 #!/bin/bash
-# build-in qemu.sh runs build.sh in a qemu VM running the latest Arch installer iso
+# build-host.sh runs build-inside-vm.sh in a qemu VM running the latest Arch installer iso
 #
 # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
 # errexit: "Exit immediately if [...] command exits with a non-zero status."
@@ -117,7 +117,7 @@ function main() {
   expect "# "
   send "mkfs.ext4 /dev/vda && mkdir /mnt/scratch-disk/ && mount /dev/vda /mnt/scratch-disk && cd /mnt/scratch-disk\n"
   expect "# "
-  send "cp -a /mnt/arch-boxes/{box.ovf,build.sh,http} .\n"
+  send "cp -a /mnt/arch-boxes/{box.ovf,build-inside-vm.sh,http} .\n"
   expect "# "
   send "mkdir pkg && mount --bind pkg /var/cache/pacman/pkg\n"
   expect "# "
@@ -131,7 +131,7 @@ function main() {
   expect "# "
 
   ## Start build and copy output to local disk
-  send "bash -x ./build.sh\n"
+  send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"
   expect "# " 240 # qemu-img convert can take a long time
   send "cp -r --preserve=mode,timestamps output /mnt/arch-boxes/tmp/$(basename "${TMPDIR}")/\n"
   expect "# " 60

build.sh → build-inside-vm.sh

 #!/bin/bash
-# build.sh builds the images (cloud image, vagrant boxes)
+# build-inside-vm.sh builds the images (cloud image, vagrant boxes)
 
 # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
 # errexit: "Exit immediately if [...] command exits with a non-zero status."
@@ -209,6 +209,7 @@ EOF
   rm Vagrantfile metadata.json packer-virtualbox.vmdk box.ovf
 }
 
+# ${1} - Optional build version. If not set, will generate a default based on date.
 function main() {
   if [ "$(id -u)" -ne 0 ]; then
     echo "root is required"
@@ -223,11 +224,16 @@ function main() {
   arch-chroot "${MOUNT}" grub-install --target=i386-pc "${LOOPDEV}"
   unmount_image
 
-  if [ -z "${BUILD_DATE:-}" ]; then
-    BUILD_DATE="$(date -I)"
+  local build_version
+  if [ -z "${1:-}" ]; then
+    build_version="$(date +%Y.%m.%d)"
+    echo "WARNING: BUILD_VERSION wasn't set!"
+    echo "Falling back to $build_version"
+  else
+    build_version="${1}"
   fi
-  create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${BUILD_DATE}.qcow2" cloud_image cloud_image_post
-  create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${BUILD_DATE}.box" vagrant_qemu vagrant_qemu_post
-  create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${BUILD_DATE}.box" vagrant_qemu vagrant_virtualbox_post
+  create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${build_version}.qcow2" cloud_image cloud_image_post
+  create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${build_version}.box" vagrant_qemu vagrant_qemu_post
+  create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${build_version}.box" vagrant_qemu vagrant_virtualbox_post
 }
-main
+main "$@"