Implement secure deployment concept

0ecdad06 · Sven-Hendrik Haase · 4da01263 · 0ecdad06 · 0ecdad06 · 0ecdad06
Verified Commit 0ecdad06 authored Sep 26, 2020 by Sven-Hendrik Haase
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -25,10 +25,9 @@ shfmt:
  before_script:
    - pacman -Syu --needed --noconfirm qemu-headless libisoburn
  script:
-    - echo "BUILD_DATE=$(date -I)" > build.env
-    - . build.env
-    - ./build-in-qemu.sh
-    - mv build.env output/
+    - echo "BUILD_VERSION=$(date +%Y.%m.%d)" > build.env
+    - export $(< build.env)
+    - ./build-host.sh
  after_script:
    - echo "image_size_megabytes{image=\"qcow2\"} $(du -m output/*cloudimg*qcow2)" > metrics.txt
    - echo "image_size_megabytes{image=\"libvirt\"} $(du -m output/*libvirt*box)" >> metrics.txt
@@ -36,38 +35,56 @@ shfmt:
  artifacts:
    reports:
      metrics: metrics.txt
+      dotenv: build.env

 build:
  extends: .build
  except:
    - master

-build:release:
+build:secure:
  extends: .build
  tags:
    - secure
  only:
    - master
+    - schedules
+    - tags
  artifacts:
    name: "output"
    paths:
      - "output/*"
    expire_in: 2d

+tag_release:
+  stage: publish
+  tags:
+    - secure
+  only:
+    refs:
+      - schedules
+    variables:
+      - $SCHEDULED_PUBLISH == "TRUE"
+  before_script:
+    - pacman -Syu --needed --noconfirm httpie
+  script:
+    - http --ignore-stdin "$CI_API_V4_URL/projects/$CI_PROJECT_ID/releases"
+        "JOB-TOKEN:$CI_JOB_TOKEN"
+        "name=v$BUILD_VERSION"
+        "tag_name=v$BUILD_VERSION"
+        "ref=$CI_COMMIT_SHA"
+
 publish:
  stage: publish
  tags:
    - secure
+  only:
+    - tags
  before_script:
    - pacman -Syu --needed --noconfirm vagrant
  script:
-    - . output/build.env
    - vagrant cloud auth login --token "${VAGRANT_API_TOKEN}"
    - vagrant cloud auth login --check
    - vagrant cloud box show archlinux/archlinux
-    - vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
-    - vagrant cloud publish archlinux/archlinux "v${BUILD_DATE}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
-  only:
-    variables:
-      - $SCHEDULED_PUBLISH == "TRUE"
-  resource_group: vm-build
+    - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" libvirt output/Arch-Linux-x86_64-libvirt-*.box --release -f
+    - vagrant cloud publish archlinux/archlinux "v${BUILD_VERSION}" virtualbox output/Arch-Linux-x86_64-virtualbox-*.box --release -f
--- a/README.md
+++ b/README.md
@@ -2,11 +2,11 @@
 [![CI Status](https://gitlab.archlinux.org/archlinux/arch-boxes/badges/master/pipeline.svg)](https://gitlab.archlinux.org/archlinux/arch-boxes/-/pipelines)

 - [Vagrant Cloud](https://app.vagrantup.com/archlinux/boxes/archlinux)
- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:cloud-qemu)
+- [Download latest qcow2 image](https://gitlab.archlinux.org/archlinux/arch-boxes/-/jobs/artifacts/master/download?job=build:secure)

-Arch-boxes provides automated builds of the Arch Linux releases for
-different providers and post-processors. Check the providers or post-processor sections if you want to know
-which are currently supported.
+Arch-boxes provides automated builds of the Arch Linux releases for different providers and
+post-processors. Check the providers or post-processor sections if you want to know which are
+currently supported.

 ## Dependencies
 You'll need the following dependencies:

--- a/build-in-qemu.sh
+++ b/build-in-qemu.sh
 #!/bin/bash
-# build-in qemu.sh runs build.sh in a qemu VM running the latest Arch installer iso
+# build-host.sh runs build-inside-vm.sh in a qemu VM running the latest Arch installer iso
 #
 # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
 # errexit: "Exit immediately if [...] command exits with a non-zero status."
@@ -117,7 +117,7 @@ function main() {
  expect "# "
  send "mkfs.ext4 /dev/vda && mkdir /mnt/scratch-disk/ && mount /dev/vda /mnt/scratch-disk && cd /mnt/scratch-disk\n"
  expect "# "
-  send "cp -a /mnt/arch-boxes/{box.ovf,build.sh,http} .\n"
+  send "cp -a /mnt/arch-boxes/{box.ovf,build-inside-vm.sh,http} .\n"
  expect "# "
  send "mkdir pkg && mount --bind pkg /var/cache/pacman/pkg\n"
  expect "# "
@@ -131,7 +131,7 @@ function main() {
  expect "# "

  ## Start build and copy output to local disk
-  send "bash -x ./build.sh\n"
+  send "bash -x ./build-inside-vm.sh ${BUILD_VERSION}\n"
  expect "# " 240 # qemu-img convert can take a long time
  send "cp -r --preserve=mode,timestamps output /mnt/arch-boxes/tmp/$(basename "${TMPDIR}")/\n"
  expect "# " 60

--- a/build.sh
+++ b/build.sh
 #!/bin/bash
-# build.sh builds the images (cloud image, vagrant boxes)
+# build-inside-vm.sh builds the images (cloud image, vagrant boxes)

 # nounset: "Treat unset variables and parameters [...] as an error when performing parameter expansion."
 # errexit: "Exit immediately if [...] command exits with a non-zero status."
@@ -209,6 +209,7 @@ EOF
  rm Vagrantfile metadata.json packer-virtualbox.vmdk box.ovf
 }

+# ${1} - Optional build version. If not set, will generate a default based on date.
 function main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "root is required"
@@ -223,11 +224,16 @@ function main() {
  arch-chroot "${MOUNT}" grub-install --target=i386-pc "${LOOPDEV}"
  unmount_image

-  if [ -z "${BUILD_DATE:-}" ]; then
-    BUILD_DATE="$(date -I)"
+  local build_version
+  if [ -z "${1:-}" ]; then
+    build_version="$(date +%Y.%m.%d)"
+    echo "WARNING: BUILD_VERSION wasn't set!"
+    echo "Falling back to $build_version"
+  else
+    build_version="${1}"
  fi
-  create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${BUILD_DATE}.qcow2" cloud_image cloud_image_post
-  create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${BUILD_DATE}.box" vagrant_qemu vagrant_qemu_post
-  create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${BUILD_DATE}.box" vagrant_qemu vagrant_virtualbox_post
+  create_image "cloud-img.img" "Arch-Linux-x86_64-cloudimg-${build_version}.qcow2" cloud_image cloud_image_post
+  create_image "vagrant-qemu.img" "Arch-Linux-x86_64-libvirt-${build_version}.box" vagrant_qemu vagrant_qemu_post
+  create_image "vagrant-virtualbox.img" "Arch-Linux-x86_64-virtualbox-${build_version}.box" vagrant_qemu vagrant_virtualbox_post
 }
-main
+main "$@"