path: root/.buildkite/hooks/pre-command
#!/bin/bash

# Stop at the first failing command (errexit) and treat a reference to an
# unset variable as an error (nounset).
set -o errexit -o nounset

# Pipeline gate: the rest of this hook is meant for pipelines whose name ends
# in one of the alternatives below. When the name does not match, `[[` returns
# non-zero and errexit ends the hook at this line.
# NOTE(review): that exit status is non-zero; confirm the agent should treat a
# non-matching pipeline as a failure rather than a clean skip.
[[ "$BUILDKITE_PIPELINE_NAME" =~ (verify|validate/(release|adhoc|canary)|habitat/build|habitat/test|docker/build|macos_universal_package)$ ]]

# Best-effort listing of running containers for the build log; a host without
# a working docker must not fail the hook.
docker ps || :

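# Read the pinned Chef Foundation and Omnibus Toolchain versions from
# .buildkite-platform.json and export them for the rest of the job.
#
# jq opens the file itself instead of reading from `cat`: in a `cat | jq`
# pipeline only jq's status counts, so a missing or unreadable file would be
# exported as an empty version. Here that case fails the assignment and stops
# the hook under `set -e`.
# A key that is absent from the file still yields the literal string "null".
CHEF_FOUNDATION_VERSION=$(jq -r '.chef_foundation' .buildkite-platform.json)
export CHEF_FOUNDATION_VERSION
echo "Chef Foundation Version: $CHEF_FOUNDATION_VERSION"

OMNIBUS_TOOLCHAIN_VERSION=$(jq -r '.omnibus_toolchain' .buildkite-platform.json)
export OMNIBUS_TOOLCHAIN_VERSION
echo "Omnibus Toolchain Version: $OMNIBUS_TOOLCHAIN_VERSION"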

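# On the "build-windows-2019" step, for organizations whose slug ends in
# "chef" or "chef-canary", fetch the instance role's temporary credentials
# from the EC2 instance metadata service (IMDSv2) and export them as the
# standard AWS_* variables.
# NOTE(review): the slug regex is anchored only at the end, so any slug that
# merely ends in "chef" also matches; confirm whether `^chef(-canary)?$` is
# what is intended.
if [[ "$BUILDKITE_STEP_KEY" == "build-windows-2019" ]] && [[ "$BUILDKITE_ORGANIZATION_SLUG" =~ chef(-canary)?$ ]]
then
  # -f: an HTTP error fails the call, so an error body is never parsed as
  #     credentials; -S keeps the error message visible despite -s.
  # No -v: verbose mode prints the request headers, including the
  #     X-aws-ec2-metadata-token value, into the build log.
  TOKEN=$(curl -fsS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
  ROLE=$(curl -fsS -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/iam/security-credentials/")
  RESPONSE=$(curl -fsS -H "X-aws-ec2-metadata-token: $TOKEN" "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE")

  # The response is quoted so it is passed on unchanged (no word splitting or
  # globbing). `jq -e` fails on a missing field, which stops the hook under
  # `set -e` instead of exporting the string "null" as a credential.
  AWS_ACCESS_KEY_ID=$(printf '%s' "$RESPONSE" | jq -er '.AccessKeyId')
  export AWS_ACCESS_KEY_ID
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$RESPONSE" | jq -er '.SecretAccessKey')
  export AWS_SECRET_ACCESS_KEY
  AWS_SESSION_TOKEN=$(printf '%s' "$RESPONSE" | jq -er '.Token')
  export AWS_SESSION_TOKEN
fi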

# origin/main on the build hosts has been observed to go stale, which makes
# the build rebuild components it did not need to. Refreshing it here is
# intended to prevent that.
printf '%s\n' "Fetching origin/main"
git fetch origin main

# DEBUGGING FOR RELENG
# Also refresh the tags, to see whether that fixes the odd smart-build
# behavior for Habitat. --force lets a fetched tag replace a local tag of the
# same name.
git fetch --tags --force

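# Rebase onto current main to ensure this PR is closer to what happens when it's merged.
# Only do this if it's actually a branch (i.e. a PR or a manually created build), not a
# post-merge CI run of main.
# The outcome is reported as a build annotation; a failed rebase is aborted
# and the build continues on the original PR HEAD.
if [[ "$BUILDKITE_BRANCH" != "main" ]]; then
  git config user.email "you@example.com" # these are needed for the rebase attempt
  git config user.name "Your Name"
  main=$(git show-ref -s --abbrev origin/main)
  # Resolve the checked-out commit with rev-parse: `git show-ref HEAD` matches
  # refs whose name ends in /HEAD (such as refs/remotes/origin/HEAD), not the
  # current HEAD, and exits non-zero when no such ref exists. Taken before the
  # rebase so it still names the PR commit in the failure annotation.
  pr_head=$(git rev-parse --short HEAD)
  github="https://github.com/chef/chef/commit/"
  # Only stdout of the rebase is discarded; its error output stays in the log.
  if git rebase origin/main >/dev/null; then
    buildkite-agent annotate --style success --context "rebase-pr-branch-${main}" \
      "Rebased onto main ([${main}](${github}${main}))."
  else
    git rebase --abort
    buildkite-agent annotate --style warning --context "rebase-pr-branch-${main}" \
      "Couldn't rebase onto main ([${main}](${github}${main})), building PR HEAD ([${pr_head}](${github}${pr_head}))."
  fi
fi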

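# Fetch build secrets (Vault token, Artifactory credentials, RPM signing key)
# for non-test steps in every organization except "chef-oss".
# NOTE(review): this gate is a deny-list, so any slug other than "chef-oss"
# passes; confirm that only the chef and chef-canary orgs can reach it.
#
# Each secret is assigned first and exported on a separate line.
# `export VAR=$(cmd)` returns the status of `export`, so a failed Vault or SSM
# call would export an empty secret and the job would carry on; with the split
# form the failure stops the hook under `set -e`.
# These values are exported, so every later process in the job inherits them;
# keep shell tracing (`set -x`) off around this section.
if [[ ! "$BUILDKITE_STEP_KEY" =~ ^test.* ]] && [[ "$BUILDKITE_ORGANIZATION_SLUG" != "chef-oss" ]]; then

  export VAULT_ADDR="https://vault.ps.chef.co"
  VAULT_TOKEN=$(vault login -method=aws -path=aws/private-cd -token-only header_value=vault.ps.chef.co role=ci)
  export VAULT_TOKEN

  if [[ ! "$BUILDKITE_LABEL" =~ macOS|mac_os_x ]]; then
    lita_password=$(aws ssm get-parameter --name "artifactory-lita-password" --with-decryption --query Parameter.Value --output text)
    # printf writes the value verbatim; `tr` removes the line breaks base64
    # may insert when wrapping long output, keeping the key on one line.
    ARTIFACTORY_API_KEY=$(printf '%s' "lita:${lita_password}" | base64 | tr -d '\n')
    export ARTIFACTORY_API_KEY
  fi
  ARTIFACTORY_PASSWORD=$(vault kv get -field password account/static/artifactory/buildkite)
  export ARTIFACTORY_PASSWORD

  # Only if on RPM-based Linux distros
  if [[ "$BUILDKITE_LABEL" =~ rhel|sles|centos ]]; then
    RPM_SIGNING_KEY=$(vault kv get -field packages_at_chef_io account/static/packages/signing_certs)
    export RPM_SIGNING_KEY
  fi
fi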