From 6fb53ae676c9c1966df85ffa59654b98ab4cce80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=90=D0=BB=D0=B5=D0=BA=D1=81=D0=B0=D0=BD=D0=B4=D1=8A?= =?UTF-8?q?=D1=80=20=D0=9A=D1=83=D1=80=D1=82=D0=B0=D0=BA=D0=BE=D0=B2?=
Date: Mon, 27 May 2024 11:32:04 +0300
Subject: [PATCH] Enable pgp signing in Jenkinsfile
---
 Jenkinsfile | 38 +++++++++++++++++++++++++++++++-------
 repository/pom.xml | 26 ++++++++++++++++++++++++++
 2 files changed, 57 insertions(+), 7 deletions(-)
diff --git a/Jenkinsfile b/Jenkinsfile
index 9404c99b2a..c353aa5091 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -28,12 +28,26 @@ spec:
 - name: jnlp
 image: 'eclipsecbi/jenkins-jnlp-agent'
 volumeMounts:
- - mountPath: /home/jenkins/.ssh
- name: volume-known-hosts
+ - name: volume-known-hosts
+ mountPath: /home/jenkins/.ssh
+ - name: settings-xml
+ mountPath: /home/jenkins/.m2/settings.xml
+ subPath: settings.xml
+ readOnly: true
+ - name: m2-repo
+ mountPath: /home/jenkins/.m2/repository
 volumes:
- - configMap:
+ - name: volume-known-hosts
+ configMap:
 name: known-hosts
- name: volume-known-hosts
+ - name: settings-xml
+ secret:
+ secretName: m2-secret-dir
+ items:
+ - key: settings.xml
+ path: settings.xml
+ - name: m2-repo
+ emptyDir: {}
 """
 }
 }
@@ -43,6 +57,14 @@ spec:
 GITHUB_API_CREDENTIALS_ID = 'github-bot-token'
 }
 stages {
+ stage('initialize PGP') {
+ steps {
+ withCredentials([file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')]) {
+ sh 'gpg --batch --import "${KEYRING}"'
+ sh 'for fpr in $(gpg --list-keys --with-colons | awk -F: \'/fpr:/ {print $10}\' | sort -u); do echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; done'
+ }
+ }
+ }
 stage('Prepare-environment') {
 steps {
 container('container') {
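Review bot: In the pod-template hunk (`@@ -28,12 +28,26 @@`) the `settings-xml` secret and the `m2-repo` emptyDir are mounted only under the `jnlp` container's `volumeMounts`, while the Build stage runs Maven inside `container('container')`. That container's definition lies above the hunk, so this cannot be confirmed from here, but if it lacks the same mounts, Maven will not see `/home/jenkins/.m2/settings.xml` and the secret is exposed to a container that has no use for it. The `m2-repo` mount also looks unused, since the build passes `-Dmaven.repo.local=$WORKSPACE/.m2/repository`. I would mount the secret only where Maven runs and add a comment such as `# settings.xml comes from secret m2-secret-dir; read-only, needed by the Maven container only`.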
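Review bot: In the `initialize PGP` stage (`@@ -43,6 +57,14 @@`) the trust loop assigns ultimate ownertrust to every fingerprint that `gpg --list-keys` returns rather than to the one signing key, and it depends on `echo -e`, which `sh` does not interpret the same way on every image. Restricting the step to the expected fingerprint and using the non-interactive form, e.g. `printf '%s:6:\n' "$SIGNING_FPR" | gpg --batch --import-ownertrust` (with `SIGNING_FPR` a placeholder for the project's key fingerprint), would avoid both. The stage also has no `container('container')` wrapper, unlike Build, so the key is presumably imported into a different container's keyring than the one Maven signs from; it is worth confirming that the two share a GnuPG home.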
@@ -57,9 +79,11 @@ spec:
 stage('Build') {
 steps {
 container('container') {
- withCredentials([string(credentialsId: "${GITHUB_API_CREDENTIALS_ID}", variable: 'GITHUB_API_TOKEN')]) {
- wrap([$class: 'Xvnc', useXauthority: true]) {
- sh """mvn clean verify -B -fae -Dtycho.disableP2Mirrors=true -Ddownload.cache.skip=true -Dmaven.test.error.ignore=true -Dmaven.test.failure.ignore=true -Psign -Dmaven.repo.local=$WORKSPACE/.m2/repository -Dgithub.api.token="${GITHUB_API_TOKEN}" """
+ withCredentials([string(credentialsId: 'gpg-passphrase', variable: 'KEYRING_PASSPHRASE')]) {
+ withCredentials([string(credentialsId: "${GITHUB_API_CREDENTIALS_ID}", variable: 'GITHUB_API_TOKEN')]) {
+ wrap([$class: 'Xvnc', useXauthority: true]) {
+ sh """mvn clean verify -B -fae -Ddownload.cache.skip=true -Dmaven.test.error.ignore=true -Dmaven.test.failure.ignore=true -Psign -Dmaven.repo.local=$WORKSPACE/.m2/repository -Dgithub.api.token="${GITHUB_API_TOKEN}" -Dgpg.passphrase="${KEYRING_PASSPHRASE}" """
+ }
 }
 }
 }
diff --git a/repository/pom.xml b/repository/pom.xml
index 4851fcd16a..c0c52c912e 100644
--- a/repository/pom.xml
+++ b/repository/pom.xml
@@ -41,4 +41,30 @@ + + + sign + + + + org.eclipse.tycho + tycho-gpg-plugin + ${tycho-version} + + + pgpsigner + + sign-p2-artifacts + + + 9BC06FC97ED4ED26 + true + + + + + + + +
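Review bot: The new `-Dgpg.passphrase="${KEYRING_PASSPHRASE}"` in the Build hunk (`@@ -57,9 +79,11 @@`) sits in a Groovy `"""` string, so the passphrase is interpolated by Groovy before the shell runs and ends up as a literal in the generated script and in the `mvn` process arguments, where other processes in the container can read it. The existing token argument follows the same pattern, but the signing passphrase is the more sensitive of the two. Switching the step to a single-quoted string, `sh '''mvn … -Dgpg.passphrase="${KEYRING_PASSPHRASE}" '''`, lets the shell expand the variables from the environment that `withCredentials` sets (`$WORKSPACE` is an environment variable as well), which at least removes the Groovy interpolation. Keeping the passphrase off the command line altogether, for example in the `settings.xml` that this commit already mounts from a secret, would be better still if the plugin version supports reading it from there.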
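Review bot: The signing key is pinned in the new `sign` profile of `repository/pom.xml` as the bare value `9BC06FC97ED4ED26`; the surrounding element names did not survive on this page, so I am assuming it is the plugin's key name. A 64-bit key ID hard-coded in the POM ties every `-Psign` build to one key and gives a reader no hint of whose key it is or what must change when it is rotated. I would add a comment next to it, e.g. `<!-- long key ID of the project's release-signing key; rotate together with the secret-subkeys.asc credential -->`, and prefer the full fingerprint over the long key ID if the plugin accepts one.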