Commit 2c964100 authored by Kristian Klausen's avatar Kristian Klausen 🎉
Browse files

Commit the releases to a separate disconneted branch

We do a release every day so we end up with a lot of "release commits"
(noise) in the master branch, which we don't want.
parent 4cade873
......@@ -122,8 +122,8 @@ image:publish:secure:
script:
- /kaniko/executor
--whitelist-var-run="false"
--context $CI_PROJECT_DIR/ci/$GROUP
--dockerfile $CI_PROJECT_DIR/ci/$GROUP/Dockerfile
--context $CI_PROJECT_DIR
--dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
--destination archlinux/archlinux:$GROUP-$BUILD_VERSION
.test:
......@@ -177,6 +177,7 @@ release:
curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
echo "Uploading ${group}.tar.xz.SHA256"
curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
mkdir ci/${group}
sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > ci/${group}/Dockerfile
package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" ci/${group}/Dockerfile
......@@ -185,13 +186,13 @@ release:
- >
curl -sSf --request POST
--header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
--form "branch=master"
--form "branch=releases"
--form "commit_message=Release ${BUILD_VERSION}"
--form "actions[][action]=update"
--form "actions[][file_path]=ci/base/Dockerfile"
--form "actions[][file_path]=Dockerfile.base"
--form "actions[][content]=<ci/base/Dockerfile"
--form "actions[][action]=update"
--form "actions[][file_path]=ci/base-devel/Dockerfile"
--form "actions[][file_path]=Dockerfile.base-devel"
--form "actions[][content]=<ci/base-devel/Dockerfile"
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
- |
......@@ -208,7 +209,7 @@ release:
# But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
echo "Creating release"
release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
--tag-name v${BUILD_VERSION} --ref "master" \
--tag-name v${BUILD_VERSION} --ref "releases" \
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
--assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
......
# We're using a multistage Docker build here in order to allow us to release a self-verifying
# Docker image when built on the official Docker infrastructure.
# They require us to verify the source integrity in some way while making sure that this is a
# reproducible build.
# See https://github.com/docker-library/official-images#image-build
# In order to achieve this, we externally host the rootfs archives and their checksums and then
# just download and verify it in the first stage of this Dockerfile.
# The second stage is for actually configuring the system a little bit.
# Some templating is done in order to allow us to easily build different configurations and to
# allow us to automate the releaes process.
FROM archlinux:latest AS verify
SHELL ["/bin/bash", "-c"]
RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" https://gitlab.archlinux.org/archlinux/archlinux-docker/-/package_files/57/download)" && \
sha256sum -c <<< "623ec2fe997137b2f54e01bcb44216232c92699404ed7e20b332f830b9dffd0e base-devel-20201025.0.7257.tar.xz" && \
mkdir /rootfs && \
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
FROM scratch AS root
COPY --from=verify /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
# update /etc/os-release
RUN ln -s /usr/lib/os-release /etc/os-release
# initialize the archlinux keyring, but discard any private key that may be shipped.
RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]
# We're using a multistage Docker build here in order to allow us to release a self-verifying
# Docker image when built on the official Docker infrastructure.
# They require us to verify the source integrity in some way while making sure that this is a
# reproducible build.
# See https://github.com/docker-library/official-images#image-build
# In order to achieve this, we externally host the rootfs archives and their checksums and then
# just download and verify it in the first stage of this Dockerfile.
# The second stage is for actually configuring the system a little bit.
# Some templating is done in order to allow us to easily build different configurations and to
# allow us to automate the releaes process.
FROM archlinux:latest AS verify
SHELL ["/bin/bash", "-c"]
RUN ROOTFS="$(curl -OJL --continue-at - -w "%{filename_effective}" https://gitlab.archlinux.org/archlinux/archlinux-docker/-/package_files/55/download)" && \
sha256sum -c <<< "3b2e52d6bd701fb24e4a8128e015e9574ccfd196762e4dee63bc6f6edaa4c6d1 base-20201025.0.7257.tar.xz" && \
mkdir /rootfs && \
tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
FROM scratch AS root
COPY --from=verify /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
# update /etc/os-release
RUN ln -s /usr/lib/os-release /etc/os-release
# initialize the archlinux keyring, but discard any private key that may be shipped.
RUN pacman-key --init && pacman-key --populate archlinux && bash -c "rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*"
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment