mirrors/nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus synced 2026-01-06 21:47:31 +00:00
Code Issues Releases Wiki Activity
Files
648fb0e46db7a91950b5d8f0cc2ed80601cb6eba
nomulus/release/cloudbuild-release.yaml
jianglai 648fb0e46d Update proxy deployment pipeline 
The pipeline is broken into two. The first one is to be triggered when the public repo is tagged. It then tags the private repo, builds and upload the builder and base images, and push a new commit to the release (merged repo). This pipeline also does text manipulation on several files in the release repo to ensure that the images uploaded in this pipeline is always used to reproducibly build the release repo at the same commit.

The second pipeline is then triggered by commit into the release repo, which builds, signs and uploads the proxy image.

Also updated the dependency lock files to use the latest plugins dependencies, which are uploaded to the GCS repo.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=244666211
2019-04-22 13:02:39 -04:00

93 lines
3.7 KiB
YAML
Raw Blame History

# To run the build locally, install cloud-build-local first.
# You will need access to a private registry, so be sure to install the docker
# credential helper.
# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
# Then run:
# cloud-build-local --config=cloudbuild-release.yaml --dryrun=false \
# --substitutions TAG_NAME=[TAG] ..
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config cloudbuild-proxy.yaml --substitutions TAG_NAME=[TAG] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
#
# This pipeline prepares a release. The pipeline should be run against the Nomulus public repo on
# GitHub. It builds the builder and base images, and hard codes the sha256 hashes of the resulting
# images in the merged code base (internal + public) , which is tagged and pushed into the release
# repo. Actual release artifacts are built from the release repo, ensuring reproducibility.
steps:
# Check the out internal repo.
- name: 'gcr.io/cloud-builders/gcloud'
args: ['source', 'repos', 'clone', 'nomulus-internal']
# Tag and push the internal repo.
- name: 'gcr.io/cloud-builders/git'
entrypoint: /bin/bash
args:
- -c
- |
git tag ${TAG_NAME} && git push origin ${TAG_NAME}
dir: 'nomulus-internal'
# Merge the repos.
- name: 'gcr.io/cloud-builders/git'
entrypoint: /bin/bash
args:
- -c
- |
shopt -s dotglob
rm -rf .git && rm -rf nomulus-internal/.git
cp -rf nomulus-internal/* .
rm -rf nomulus-internal
# Build the builder image and tag the proxy base image, to be uploaded later.
- name: 'gcr.io/cloud-builders/docker'
entrypoint: /bin/bash
args:
- -c
- |
docker build -t gcr.io/${PROJECT_ID}/builder:${TAG_NAME} .
docker tag gcr.io/${PROJECT_ID}/builder:${TAG_NAME} gcr.io/${PROJECT_ID}/builder:latest
docker pull gcr.io/distroless/java
docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:${TAG_NAME}
docker tag gcr.io/distroless/java gcr.io/${PROJECT_ID}/base:latest
docker push gcr.io/${PROJECT_ID}/base:latest
docker push gcr.io/${PROJECT_ID}/base:${TAG_NAME}
docker push gcr.io/${PROJECT_ID}/builder:latest
docker push gcr.io/${PROJECT_ID}/builder:${TAG_NAME}
dir: 'release/builder/'
# Do text replacement in the merged repo, hardcoding image hashes.
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: /bin/bash
args:
- -c
- |
builder_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/builder \
--format='get(digest)' --filter='tags = ${TAG_NAME}')
base_digest=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/base \
--format='get(digest)' --filter='tags = ${TAG_NAME}')
sed -i s%distroless/java%${PROJECT_ID}/base@$base_digest% gradle/proxy/Dockerfile
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-proxy.yaml
sed -i s/builder:latest/builder@$builder_digest/g release/cloudbuild-nomulus.yaml
sed -i s/GCP_PROJECT/${PROJECT_ID}/ java/google/registry/proxy/kubernetes/proxy-*.yaml
# Check out the release repo.
- name: 'gcr.io/cloud-builders/gcloud'
args: ['source', 'repos', 'clone', 'nomulus-release']
# Tag and check in the release repo.
- name: 'gcr.io/cloud-builders/git'
entrypoint: /bin/bash
args:
- -c
- |
cp -rf nomulus-release/.git .
rm -rf nomulus-release
git config --global user.name "Cloud Build"
git config --global user.email \
$(gcloud auth list --format='get(account)' --filter=active)
git add .
git commit -m "Release commit for tag ${TAG_NAME}"
git push origin master
git tag ${TAG_NAME}
git push origin ${TAG_NAME}
timeout: 3600s
options:
machineType: 'N1_HIGHCPU_8'
Reference in New Issue View Git Blame Copy Permalink