From: David Galloway Date: Wed, 20 Aug 2025 21:45:14 +0000 (-0400) Subject: ceph-source-dist: Support for ceph-release-pipeline X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=6f3b6d5d87a2be6ba7721d458a37a9382fca1b4f;p=ceph-build.git ceph-source-dist: Support for ceph-release-pipeline Again, the changes needed here are: - For a Release Build, we are building a tarball based off a version commit that has been created by the ceph-tag job then pushed to ceph-releases.git. So instead of taking the BRANCH from an upstream Jenkins job, we're reading the version commit SHA1 from the sha1.txt file that ceph-tag wrote then checking /that/ out and building the tarball from it. So some var writing and reading was shuffled around. - We do not want this job to support checking out from ceph-private.git or ceph-releases.git directly. Instead, if ceph-release-pipeline passed RELEASE_BUILD=true, only then can you clone from those private repos. So we override CEPH_REPO and set chacra_url to the chacra instance that doesn't automatically prune repos (chacra.ceph.com). Signed-off-by: David Galloway --- diff --git a/ceph-source-dist/build/Jenkinsfile b/ceph-source-dist/build/Jenkinsfile index 6928918db..d31a33e0d 100644 --- a/ceph-source-dist/build/Jenkinsfile +++ b/ceph-source-dist/build/Jenkinsfile @@ -14,25 +14,35 @@ pipeline { } else { checkout_ref = env.BRANCH } - } - checkout scmGit( - branches: [[name: checkout_ref]], - userRemoteConfigs: [[ - url: env.CEPH_REPO, - credentialsId: 'jenkins-build' - ]], - extensions: [ - [$class: 'CleanBeforeCheckout'], - [ - $class: 'CloneOption', - shallow: true, - depth: 100, - timeout: 90 - ], - ], - ) - script { - sh 'git fetch --tags https://github.com/ceph/ceph.git' + + // Rewrite repo + ref if RELEASE_BUILD=true. + // RELEASE_BUILD is intentionally undefinable as a ceph-source-dist parameter but instead + // defined by ceph-release-pipeline so that only that job may clone from ceph-releases.git. + def repoUrl = params.RELEASE_BUILD ? 'git@github.com:ceph/ceph-releases.git' : env.CEPH_REPO + env.checkout_ref = params.RELEASE_BUILD ? "v${params.VERSION}" : env.BRANCH + env.CEPH_REPO = repoUrl + + checkout scmGit( + branches: [[name: checkout_ref]], + userRemoteConfigs: [[ + url: env.CEPH_REPO, + credentialsId: 'jenkins-build' + ]], + extensions: [ + [$class: 'CleanBeforeCheckout'], + [ + $class: 'CloneOption', + shallow: true, + depth: 100, + timeout: 90 + ] + ] + ) + + // No need to fetch tags if this is a release build + if (!params.RELEASE_BUILD?.toBoolean()) { + sh 'git fetch --tags https://github.com/ceph/ceph.git' + } } } } @@ -69,7 +79,24 @@ pipeline { ln ceph-$ceph_version_tarball.$extension dist/ echo "SHA1=$(git rev-parse HEAD)" > dist/sha1 - echo "BRANCH=${BRANCH}" > dist/branch + + if [ "${RELEASE_BUILD:-}" = "true" ]; then + # For security, the following vars are written to dist/other_envvars to be passed + # to ceph-dev-pipeline instead of via parameters. + # ceph-dev-pipeline does not offer ceph-releases.git as an option for CEPH_REPO, + # and we don't want RELEASE_BUILD to be settable by the user to avoid being able + # clone from ceph-releases.git. + if [ "${RELEASE_TYPE}" = "PRIVATE" ]; then + echo "CEPH_REPO=https://github.com/ceph/ceph-private" > dist/other_envvars + else + echo "CEPH_REPO=https://github.com/ceph/ceph-releases" > dist/other_envvars + fi + echo "RELEASE_BUILD=true" >> dist/other_envvars + echo "chacra_url=https://chacra.ceph.com/" >> dist/other_envvars + echo "BRANCH=${BRANCH}-release" > dist/branch + else + echo "BRANCH=${BRANCH}" > dist/branch + fi mv dist .. '''