}
stage("builder container") {
environment {
- CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
+ // Use quay-int.front cred if cve-pipeline, otherwise default to quay.ceph.io cred
+ CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
DOCKER_HUB_CREDS = credentials('dgalloway-docker-hub')
}
when {
expression { env.CI_CONTAINER == 'true' && container_distros.contains(env.DIST) }
}
environment {
- CONTAINER_REPO_CREDS = credentials('quay-ceph-io-ceph-ci')
+ CONTAINER_REPO_CREDS = credentials("${env.JOB_NAME == 'cve-pipeline' ? 'quay-int-login' : 'quay-ceph-io-ceph-ci'}")
}
steps {
script { doContainerStage() }
--- /dev/null
+- job:
+ name: cve-pipeline
+ properties:
+ - authorization:
+ inheritance-strategy: none
+ GROUP:ceph*security:
+ - job-read
+ - job-discover
+ - job-build
+ - job-cancel
+ - job-configure
+ - job-workspace
+ - run-replay
+ - run-update
+ - run-delete
+ - scm-tag
+ description: |
+ This Jenkins pipeline is only used to develop CVE fixes. Its differences are:
+ - The job itself is not public-facing. It does not inherit the RBAC under https://jenkins.ceph.com/manage/configureSecurity/
+ - ceph-dev-pipeline pushes to the internal/private pulp instance instead of a public chacra instance
+ project-type: pipeline
+ quiet-period: 1
+ concurrent: true
+ pipeline-scm:
+ scm:
+ - git:
+ url: https://github.com/ceph/ceph-build
+ branches:
+ - ${{CEPH_BUILD_BRANCH}}
+ shallow-clone: true
+ submodule:
+ disable: true
+ wipe-workspace: true
+ script-path: ceph-dev-pipeline/build/Jenkinsfile
+ lightweight-checkout: true
+ do-not-fetch-tags: true
+
+ parameters:
+ - string:
+ name: BRANCH
+ description: "The branch from ceph-private.git to build"
+ default: main
+
+ - choice:
+ name: SHA1
+ description: "Intentionally blank. ceph-dev-pipeline requires this"
+ choices:
+ - ''
+
+ - choice:
+ name: CEPH_REPO
+ choices:
+ - git@github.com:ceph/ceph-private.git
+
+ - string:
+ name: DISTROS
+ description: "A list of distros to build for. Available options are: centos9, noble, jammy, bookworm, trixie"
+ default: "noble centos9 bookworm trixie"
+
+ - string:
+ name: ARCHS
+ description: "A list of architectures to build for. Available options are: x86_64, and arm64"
+ default: "x86_64 arm64"
+
+ - bool:
+ name: CI_COMPILE
+ description: "Whether to compile and build packages"
+ default: true
+
+ - bool:
+ name: THROWAWAY
+ description: "DO NOT UNCHECK. This will push to a chacra node publicly!"
+ default: true
+
+ - bool:
+ name: PULP_UPLOAD
+ description: "If you want packages, this must be true. We do not push to chacra for CVE builds."
+ default: true
+
+ - choice:
+ name: FLAVORS
+ choices:
+ - default
+
+ - bool:
+ name: CI_CONTAINER
+ description: "Whether to build and push container images"
+ default: true
+
+ - string:
+ name: CONTAINER_REPO_HOSTNAME
+ description: "FQDN of container repo server (e.g. 'quay.io')"
+ default: "quay-int.front.sepia.ceph.com"
+
+ - string:
+ name: CONTAINER_REPO_ORGANIZATION
+ description: "Name of container repo organization (e.g. 'ceph-ci')"
+ default: "ceph-ci"
+
+ - bool:
+ name: DWZ
+ description: "Use dwz to make debuginfo packages smaller"
+ default: false
+
+ - bool:
+ name: SCCACHE
+ description: "Use sccache to speed up compilation"
+ default: true
+
+ - string:
+ name: SETUP_BUILD_ID
+ description: "Reuse the source distribution from this cve-source-dist build instead of creating a new one"
+ default: ""
+
+ - choice:
+ name: SETUP_JOB
+ choices:
+ - cve-source-dist
+
+ - string:
+ name: CEPH_BUILD_BRANCH
+ description: "Use the Jenkinsfile from this ceph-build branch"
+ default: main
+
+ wrappers:
+ - build-name:
+ name: "#${{BUILD_NUMBER}} ${{BRANCH}}, ${{VERSION}}"
+
--- /dev/null
+- job:
+ name: cve-source-dist
+ description: This job is only called from https://jenkins.ceph.com/job/cve-pipeline. The entire job and its artifacts are only visible to the ceph/security Github Team.
+ project-type: pipeline
+ concurrent: true
+ pipeline-scm:
+ scm:
+ - git:
+ url: https://github.com/ceph/ceph-build
+ branches:
+ - ${{CEPH_BUILD_BRANCH}}
+ shallow-clone: true
+ submodule:
+ disable: true
+ wipe-workspace: true
+ script-path: ceph-source-dist/build/Jenkinsfile
+ lightweight-checkout: true
+ do-not-fetch-tags: true
+ properties:
+ - build-discarder:
+ days-to-keep: -1
+ num-to-keep: 100
+ artifact-days-to-keep: -1
+ artifact-num-to-keep: 50
+ - copyartifact:
+ projects: cve-pipeline
+ - authorization:
+ inheritance-strategy: none
+ GROUP:ceph*security:
+ - job-read
+ - job-discover
+ - job-build
+ - job-cancel
+ - job-configure
+ - job-workspace
+ - run-replay
+ - run-update
+ - run-delete
+ - scm-tag
+
+ parameters:
+ - choice:
+ name: CEPH_REPO
+ choices:
+ - git@github.com:ceph/ceph-private.git
+
+ - string:
+ name: BRANCH
+ description: "The Ceph branch to build"
+
+ - string:
+ name: SHA1
+ description: "The specific commit to build"
+
+ - string:
+ name: CEPH_BUILD_BRANCH
+ description: "Use the Jenkinsfile from this ceph-build branch"
+ default: main
+
+ scm:
+ - git:
+ url: ${{CEPH_REPO}}
+ # Use the SSH key attached to the ceph-jenkins GitHub account.
+ credentials-id: "jenkins-build"
+ branches:
+ - $BRANCH
+ timeout: 20
+ skip-tag: true
+ wipe-workspace: true
+
+ wrappers:
+ - inject-passwords:
+ global: true
+ mask-password-params: true
+ - credentials-binding:
+ - text:
+ credential-id: shaman-api-key
+ variable: SHAMAN_API_KEY