From 455039b388cc4f91e7e1c11c858113ae9e7b725a Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Fri, 1 May 2020 10:31:17 -0400 Subject: [PATCH] jobs: add bump-lockfile This job will implement lockfile bumping for testing-devel and next-devel: https://github.com/coreos/fedora-coreos-tracker/issues/293. The original plan for this functionality was to have it in config-bot: https://github.com/coreos/fedora-coreos-releng-automation/pull/48 But in the end, I think it's more natural to have it as a Jenkins job given that it does a lot of the same things as the pipeline/upstream CI jobs. So that way it looks and feels just like another job that runs cosa, and we get kola artifacts, we can re-use the shared library, it's easily inspectable, we can hook it to Slack, etc... --- jenkins/config/github-coreosbot.yaml | 15 +++++++ jobs/bump-lockfile.Jenkinsfile | 63 ++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 jenkins/config/github-coreosbot.yaml create mode 100644 jobs/bump-lockfile.Jenkinsfile diff --git a/jenkins/config/github-coreosbot.yaml b/jenkins/config/github-coreosbot.yaml new file mode 100644 index 000000000..7f55f4bd3 --- /dev/null +++ b/jenkins/config/github-coreosbot.yaml @@ -0,0 +1,15 @@ +credentials: + system: + domainCredentials: + - credentials: + - usernamePassword: + scope: GLOBAL + id: github-coreosbot-token + username: coreosbot + password: ${github-coreosbot-token/token} + description: GitHub coreosbot token + - string: + scope: GLOBAL + id: github-coreosbot-token-string + secret: ${github-coreosbot-token/token} + description: GitHub coreosbot token as a string diff --git a/jobs/bump-lockfile.Jenkinsfile b/jobs/bump-lockfile.Jenkinsfile new file mode 100644 index 000000000..ada5f9bdd --- /dev/null +++ b/jobs/bump-lockfile.Jenkinsfile @@ -0,0 +1,63 @@ +@Library('github.com/coreos/coreos-ci-lib@master') _ + +repo = "coreos/fedora-coreos-config" +branches = [ + "testing-devel", + "next-devel" +] +botCreds = "github-coreosbot-token" + +properties([ + pipelineTriggers([ + // we don't need to bump lockfiles any more often than daily + cron("H H * * *") + ]) +]) + +cosaPod { + parallel branches.collectEntries { branch -> [branch, { + shwrap("mkdir ${branch}") + dir(branch) { + stage("Fetch") { + shwrap("cosa init --branch ${branch} https://github.com/${repo}") + shwrap("cosa fetch --update-lockfile") + } + + if (shwrapRc("git -C src/config diff --exit-code") == 0) { + println("No changes") + return + } + + // sanity-check only base lockfiles were changed + shwrap(""" + # do this separately so set -e kicks in if it fails + files=\$(git -C src/config ls-files --modified --deleted) + for f in \${files}; do + if ! [[ \${f} =~ ^manifest-lock\\.[0-9a-z_]+\\.json ]]; then + echo "Unexpected modified file \${f}" + exit 1 + fi + done + """) + + stage("Build") { + shwrap("cosa build --strict") + } + + fcosKola(cosaDir: ".") + + // OK, it passed kola: just push to the branch. In the future, we might be + // fancier here; e.g. if tests fail, just open a PR, or if tests passed but a + // package was added or removed. + stage("Push") { + shwrap("git -C src/config commit -am 'lockfiles: bump to latest'") + withCredentials([usernamePassword(credentialsId: botCreds, + usernameVariable: 'GHUSER', + passwordVariable: 'GHTOKEN')]) { + // should gracefully handle race conditions here + sh("git -C src/config push https://${GHUSER}:${GHTOKEN}@github.com/${repo} ${branch}") + } + } + } + }] } +}