Merge "Add a job to sign tarballs and wheels"

2016-07-21 20:21:31 +00:00 · 2016-07-21 20:21:31 +00:00 · 733478b6b4
commit 733478b6b4
parent 1cfb3f3f1a 63b56462bc
5 changed files with 88 additions and 2 deletions
--- a/jenkins/jobs/projects.yaml
+++ b/jenkins/jobs/projects.yaml
@ -2560,6 +2560,7 @@
          suffix: '-nv'
      - pypi-jobs
      - infra-publish-jobs
+      - '{name}-tarball-signing'

 - project:
    name: git-upstream
--- a/jenkins/jobs/signing-jobs.yaml
+++ b/jenkins/jobs/signing-jobs.yaml
@ -0,0 +1,21 @@
+- job-template:
+    name: '{name}-tarball-signing'
+    node: signing
+
+    builders:
+      - print-template-name:
+          template-name: "{template-name}"
+      - revoke-sudo
+      - gerrit-git-prep
+      - shell: |
+          /usr/local/jenkins/slave_scripts/tarball-signing.sh {name} \
+              {tarball-site}
+
+    publishers:
+      - scp:
+          site: '{tarball-site}'
+          files:
+            - target: 'tarballs/{name}/'
+              source: '*.asc'
+      - console-log
+
--- a/jenkins/scripts/tarball-signing.sh
+++ b/jenkins/scripts/tarball-signing.sh
@ -0,0 +1,46 @@
+#!/bin/bash -xe
+#
+# Copyright 2012 Hewlett-Packard Development Company, L.P.
+# Copyright 2013, 2016 OpenStack Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Retrieve python tarballs/wheels and make detached OpenPGP signatures.
+
+PROJECT=$1
+TARBALL_SITE=$2
+TAG=$(echo $ZUUL_REF | sed 's/^refs.tags.//')
+
+# Look in the setup.cfg to determine if a package name is specified, but
+# fall back on the project name if necessary. Also look in the setup.cfg
+# to see if this is a universal wheel or not
+DISTNAME=$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py --wheel \
+    || echo $PROJECT)
+TARBALL="$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py
+    --tarball || echo $PROJECT)-${TAG}.tar.gz"
+WHEEL="$(/usr/local/jenkins/slave_scripts/pypi-extract-name.py
+    --wheel || echo $PROJECT)-${TAG}-$(
+    /usr/local/jenkins/slave_scripts/pypi-extract-universal.py ||
+    true)-none-any.whl"
+
+rm -rf *.asc *.tar.gz *.whl
+
+curl --fail -o $TARBALL https://${TARBALL_SITE}/${PROJECT}/${TARBALL}
+file -b $TARBALL | grep gzip # Make sure we actually got a tarball
+gpg --armor --detach-sign $TARBALL
+
+# Wheels are not mandatory, so only sign if we have one
+if curl --fail -o $WHEEL https://${TARBALL_SITE}/${PROJECT}/${WHEEL}; then
+    file -b $WHEEL | grep -i zip # Make sure we actually got a wheel
+    gpg --armor --detach-sign $WHEEL
+fi
--- a/zuul/layout.yaml
+++ b/zuul/layout.yaml
@ -3365,11 +3365,29 @@ projects:
      - name: python-jobs
      - name: python34-jobs
      - name: python35-jobs-nv
-      - name: publish-to-pypi
    check:
      - gate-git-review-python34
+    pre-release:
+      - git-review-tarball:
+          - git-review-pypi-both-upload
    release:
      - git-review-infra-docs-tags-only
+      - git-review-tarball:
+        - git-review-tarball-signing
+        - git-review-pypi-both-upload:
+            - wheel-build-ubuntu-trusty-amd64-python2:
+              - wheel-release-trustyx64
+            - wheel-build-ubuntu-trusty-amd64-python3:
+              - wheel-release-trustyx64
+            - wheel-build-ubuntu-xenial-amd64-python2:
+              - wheel-release-xenialx64
+            - wheel-build-ubuntu-xenial-amd64-python3:
+              - wheel-release-xenialx64
+            - wheel-build-centos-7-amd64-python2:
+              - wheel-release-cent7x64
+            - wheel-build-centos-7-amd64-python3:
+              - wheel-release-cent7x64
+            - git-review-announce-release

  - name: openstack-infra/gitdm
    template:
--- a/zuul/openstack_functions.py
+++ b/zuul/openstack_functions.py
@ -52,7 +52,7 @@ def set_node_options(item, job, params):
    hook_re = r'^hook-(.*?)-(rtfd)$'
    wheel_re = r'^wheel-(build|release)-.*$'
    reprepro_re = r'^reprepro-(import|release)-.*$'
-    signing_re = r'^tag-releases$'
+    signing_re = r'^(.*-tarball-signing|tag-releases)$'
    # jobs run on the persistent proposal, release, signing, and wheel
    # build workers
    if (re.match(proposal_re, job.name) or