ci: deploy snapshots using GitHub actions in conjunction with Buildki…

…te (#3067)
elastic · Mar 23, 2023 · f75ffdd · f75ffdd
1 parent c9019e6
commit f75ffdd
Show file tree

Hide file tree

Showing 7 changed files with 196 additions and 1 deletion.
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+##  This script prepares the Vault context and required tooling
+##  for the release and snapshot pipelines.
+##
+##  NOTE: *_SECRET or *_TOKEN env variables are masked, hence if you'd like to avoid any
+##        surprises please use the suffix _SECRET or _TOKEN for those values that contain
+##        any sensitive data. Buildkite can mask those values automatically
+
+set -eo pipefail
+
+echo "--- Prepare vault context :vault:"
+VAULT_ROLE_ID_SECRET=$(vault read -field=role-id secret/ci/elastic-apm-agent-java/internal-ci-approle)
+export VAULT_ROLE_ID_SECRET
+
+VAULT_SECRET_ID_SECRET=$(vault read -field=secret-id secret/ci/elastic-apm-agent-java/internal-ci-approle)
+export VAULT_SECRET_ID_SECRET
+
+VAULT_ADDR=$(vault read -field=vault-url secret/ci/elastic-apm-agent-java/internal-ci-approle)
+export VAULT_ADDR
+
+# Delete the vault specific accessing the ci vault
+PREVIOUS_VAULT_TOKEN=$VAULT_TOKEN
+export PREVIOUS_VAULT_TOKEN
+unset VAULT_TOKEN
+
+echo "--- Prepare a secure temp :closed_lock_with_key:"
+# Prepare a secure temp folder not shared between other jobs to store the key ring
+export TMP_WORKSPACE=/tmp/secured
+export KEY_FILE=$TMP_WORKSPACE"/private.key"
+
+# Secure home for our keyring
+export GNUPGHOME=$TMP_WORKSPACE"/keyring"
+mkdir -p $GNUPGHOME
+chmod -R 700 $TMP_WORKSPACE
+
+echo "--- Prepare keys context :key:"
+VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_ROLE_ID_SECRET" secret_id="$VAULT_SECRET_ID_SECRET")
+export VAULT_TOKEN
+
+# Nexus credentials
+SERVER_USERNAME=$(vault read -field username secret/release/nexus)
+export SERVER_USERNAME
+SERVER_PASSWORD=$(vault read -field password secret/release/nexus)
+export SERVER_PASSWORD
+
+# Signing keys
+vault read -field=key secret/release/signing >$KEY_FILE
+KEYPASS_SECRET=$(vault read -field=passphrase secret/release/signing)
+export KEYPASS_SECRET
+export KEY_ID_SECRET=D88E42B4
+
+# Import the key into the keyring
+echo "$KEYPASS_SECRET" | gpg --batch --import "$KEY_FILE"
+
+echo "--- Configure git context :git:"
+# Configure the committer since the maven release requires to push changes to GitHub
+# This will help with the SLSA requirements.
+git config --global user.email "[email protected]"
+git config --global user.name "apmmachine"
+
+echo "--- Install JDK17 :java:"
+# JDK version is defined in two different locations, here and .github/workflows/maven-goal/action.yml
+JAVA_URL=https://jvm-catalog.elastic.co/jdk
+JAVA_HOME=$(pwd)/.openjdk17
+JAVA_PKG="$JAVA_URL/latest_openjdk_17_linux.tar.gz"
+curl -L --output /tmp/jdk.tar.gz "$JAVA_PKG"
+mkdir -p "$JAVA_HOME"
+tar --extract --file /tmp/jdk.tar.gz --directory "$JAVA_HOME" --strip-components 1
+
+export JAVA_HOME
+PATH=$JAVA_HOME/bin:$PATH
+export PATH
+
+java -version || true
diff --git a/.buildkite/snapshot.yml b/.buildkite/snapshot.yml
@@ -0,0 +1,14 @@
+agents:
+  provider: "gcp"
+
+steps:
+  - label: "Run the snapshot"
+    key: "release"
+    commands: .ci/snapshot.sh
+    artifact_paths:
+      - "snapshot.txt"
+      - "**/target/*"
+
+notify:
+  - slack: "#apm-agent-java"
+    if: 'build.state != "passed"'
diff --git a/.ci/snapshot-settings.xml b/.ci/snapshot-settings.xml
@@ -0,0 +1,30 @@
+<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
+    <pluginGroups>
+        <pluginGroup>org.apache.maven.plugins</pluginGroup>
+        <pluginGroup>org.codehaus.mojo</pluginGroup>
+    </pluginGroups>
+    <servers>
+        <server>
+            <id>sonatype-nexus-snapshots</id>
+            <username>${env.SERVER_USERNAME}</username>
+            <password>${env.SERVER_PASSWORD}</password>
+        </server>
+        <server>
+            <id>sonatype-nexus-staging</id>
+            <username>${env.SERVER_USERNAME}</username>
+            <password>${env.SERVER_PASSWORD}</password>
+        </server>
+    </servers>
+    <profiles>
+        <profile>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <properties>
+                <!-- this env variable is defined in .buildkite/hooks/pre-command -->
+                <gpg.passphrase>${env.KEYPASS_SECRET}</gpg.passphrase>
+            </properties>
+        </profile>
+    </profiles>
+</settings>
diff --git a/.ci/snapshot.sh b/.ci/snapshot.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+##  This script runs the snapshot given the different environment variables
+##    dry_run
+##
+##  It relies on the .buildkite/hooks/pre-command so the Vault and other tooling
+##  are prepared automatically by buildkite.
+##
+
+set -eo pipefail
+
+# Make sure we delete this folder before leaving even in case of failure
+clean_up () {
+  ARG=$?
+  export VAULT_TOKEN=$PREVIOUS_VAULT_TOKEN
+  echo "--- Deleting tmp workspace"
+  rm -rf $TMP_WORKSPACE
+  exit $ARG
+}
+trap clean_up EXIT
+
+echo "--- Debug JDK installation :coffee:"
+echo $JAVA_HOME
+echo $PATH
+java -version
+
+set +x
+echo "--- Deploy the snapshot :package:"
+if [[ "$dry_run" == "true" ]] ; then
+  echo './mvnw -V -s .ci/snapshot-settings.xml -Pgpg clean deploy -DskipTests --batch-mode'
+else
+  ./mvnw -V -s .ci/snapshot-settings.xml -Pgpg clean deploy -DskipTests --batch-mode | tee snapshot.txt
+fi
diff --git a/.github/workflows/maven-goal/action.yml b/.github/workflows/maven-goal/action.yml
@@ -7,7 +7,7 @@ inputs:
   java-version:
     description: 'Java version'
     required: true
-    default: '17'
+    default: '17'  # NOTE: This version is also defined in .buildkite/hooks/pre-command
   distribution:
     description: 'Java distribution'
     required: true

diff --git a/.github/workflows/opentelemetry.yml b/.github/workflows/opentelemetry.yml
@@ -6,6 +6,8 @@ on:
     workflows:
       - main
       - test-reporter
+      - snapshot
+      - Snapshoty
       - updatecli
     types: [completed]
 

diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
@@ -0,0 +1,43 @@
+---
+name: snapshot
+
+on:
+  push:
+    branches:
+      - "main"
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: If set, run a dry-run snapshot
+        default: false
+        type: boolean
+
+jobs:
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+
+    steps:
+      - id: buildkite
+        name: Run Deploy
+        uses: elastic/apm-pipeline-library/.github/actions/buildkite@current
+        with:
+          vaultUrl: ${{ secrets.VAULT_ADDR }}
+          vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
+          vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
+          pipeline: apm-agent-java-snapshot
+          waitFor: false
+          printBuildLogs: false
+          buildEnvVars: |
+            dry_run=${{ inputs.dry_run || 'false' }}
+
+      - if: ${{ failure() }}
+        uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
+        with:
+          url: ${{ secrets.VAULT_ADDR }}
+          roleId: ${{ secrets.VAULT_ROLE_ID }}
+          secretId: ${{ secrets.VAULT_SECRET_ID }}
+          channel: "#apm-agent-java"
+          message: |
+            :ghost: [${{ github.repository }}] Snapshot *${{ github.ref_name }}* didn't get triggered in Buildkite.
+            Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)