From d719449ed1400362c6de2f1da5fc5db616495a8e Mon Sep 17 00:00:00 2001
From: Andreas Jaeger <aj@suse.com>
Date: Fri, 16 Feb 2018 09:06:32 +0100
Subject: [PATCH] Rework base-publish-static jobs using protected

The new protected attribute means that only jobs in the same repo can
inherit from it. Use that on base-publish-static and move the secrets
from the inherited job to it now, it's now safe to have them here.

Since the secrets need to be available to the post-job and are not
available to post-jobs of inheried jobs, use a common post job for all
of these. Move static-special.yaml to static.yaml and set the location
for the publish location for the single previous user of static.yaml.

Change-Id: I3d749adf242eb87895ad10b6f9c4d12859882ac9
---
 playbooks/publish/static-special.yaml | 20 ----------------
 playbooks/publish/static.yaml         |  2 +-
 zuul.d/jobs.yaml                      | 33 ++++++++-------------------
 3 files changed, 10 insertions(+), 45 deletions(-)
 delete mode 100644 playbooks/publish/static-special.yaml

diff --git a/playbooks/publish/static-special.yaml b/playbooks/publish/static-special.yaml
deleted file mode 100644
index 2b1bbad8b8..0000000000
--- a/playbooks/publish/static-special.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-- hosts: all
-  roles:
-    - fetch-tox-output
-    - role: fetch-sphinx-output
-      sphinx_output_src: "src/{{ zuul.project.canonical_name }}/doc/build/html/"
-      zuul_executor_dest: "{{ zuul.executor.work_root }}/artifacts"
-      when: zuul_success | bool
-
-- hosts: localhost
-  roles:
-    - add-fileserver
-
-- hosts: "{{ fileserver.fqdn }}"
-  gather_facts: False
-  tasks:
-    - name: Upload docs to static site
-      synchronize:
-        src: "{{ zuul.executor.work_root }}/artifacts/"
-        dest: "{{ fileserver.path }}/{{ static_target }}/"
-      when: zuul_success | bool
diff --git a/playbooks/publish/static.yaml b/playbooks/publish/static.yaml
index 328e53dacd..2b1bbad8b8 100644
--- a/playbooks/publish/static.yaml
+++ b/playbooks/publish/static.yaml
@@ -16,5 +16,5 @@
     - name: Upload docs to static site
       synchronize:
         src: "{{ zuul.executor.work_root }}/artifacts/"
-        dest: "{{ fileserver.path }}/{{ zuul.project.short_name }}/"
+        dest: "{{ fileserver.path }}/{{ static_target }}/"
       when: zuul_success | bool
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 721a165f93..3f4ae0625a 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -589,10 +589,18 @@
 - job:
     name: base-publish-static
     abstract: true
+    protected: true
     description: |
       Base job for jobs that publish content to static.openstack.org.
+
+      Jobs need to set the variable ``static_target`` for site to
+      publish to.
     pre-run: playbooks/sphinx/pre.yaml
     run: playbooks/sphinx/run.yaml
+    post-run: playbooks/publish/static.yaml
+    secrets:
+      - name: fileserver
+        secret: static_ssh_key
 
 - job:
     name: publish-static
@@ -601,12 +609,9 @@
       Publish content to static.openstack.org to
       /srv/static/{{ zuul.project.short_name }}
     final: true
-    post-run: playbooks/publish/static.yaml
     vars:
+      static_target: "{{ zuul.project.short_name }}"
       sphinx_python: python3
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-governance-sigs
@@ -614,14 +619,10 @@
     description: |
       Publish content to static.openstack.org to /srv/static/sigs
     final: true
-    post-run: playbooks/publish/static-special.yaml
     allowed-projects:
       - openstack/governance-sigs
     vars:
       static_target: sigs
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-governance-tc
@@ -629,15 +630,11 @@
     description: |
       Publish content to static.openstack.org to /srv/static/tc
     final: true
-    post-run: playbooks/publish/static-special.yaml
     allowed-projects:
       - openstack/governance
     vars:
       static_target: tc
       sphinx_python: python3
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-governance-uc
@@ -645,14 +642,10 @@
     description: |
       Publish content to static.openstack.org to /srv/static/uc
     final: true
-    post-run: playbooks/publish/static-special.yaml
     allowed-projects:
       - openstack/governance-uc
     vars:
       static_target: uc
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-governance-website
@@ -660,14 +653,10 @@
     description: |
       Publish content to static.openstack.org to /srv/static/governance
     final: true
-    post-run: playbooks/publish/static-special.yaml
     allowed-projects:
       - openstack/governance-website
     vars:
       static_target: governance
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-security
@@ -675,14 +664,10 @@
     description: |
       Publish content to static.openstack.org to /srv/static/security
     final: true
-    post-run: playbooks/publish/static-special.yaml
     allowed-projects:
       - openstack/ossa
     vars:
       static_target: security
-    secrets:
-      - name: fileserver
-        secret: static_ssh_key
 
 - job:
     name: publish-openstack-manuals-base