diff --git a/Makefile b/Makefile index 3bb721fc0c9..6501e375871 100644 --- a/Makefile +++ b/Makefile @@ -23,6 +23,7 @@ VERBOSE.MACRO = $${VERBOSE:-0} CHANNEL = development CLIENT_DIR = client COMMIT = $$( git rev-parse --short HEAD ) +DEPLOY_SCRIPT_PATH = not/a/real/path DIST_DIR = dist GOAMD64 = v1 GOPROXY = https://proxy.golang.org|direct @@ -37,6 +38,7 @@ NPM_INSTALL_FLAGS = $(NPM_FLAGS) --quiet --no-progress --ignore-engines\ --ignore-optional --ignore-platform --ignore-scripts RACE = 0 SIGN = 1 +SIGNER_API_KEY = not-a-real-key VERSION = v0.0.0 YARN = yarn @@ -60,6 +62,7 @@ BUILD_RELEASE_DEPS_1 = go-deps ENV = env\ CHANNEL='$(CHANNEL)'\ COMMIT='$(COMMIT)'\ + DEPLOY_SCRIPT_PATH='$(DEPLOY_SCRIPT_PATH)' \ DIST_DIR='$(DIST_DIR)'\ GO="$(GO.MACRO)"\ GOAMD64='$(GOAMD64)'\ @@ -72,6 +75,7 @@ ENV = env\ PATH="$${PWD}/bin:$$( "$(GO.MACRO)" env GOPATH )/bin:$${PATH}"\ RACE='$(RACE)'\ SIGN='$(SIGN)'\ + SIGNER_API_KEY='$(SIGNER_API_KEY)' \ NEXTAPI='$(NEXTAPI)'\ VERBOSE="$(VERBOSE.MACRO)"\ VERSION="$(VERSION)"\ diff --git a/bamboo-specs/release.yaml b/bamboo-specs/release.yaml index d6432c274c1..5ace236589a 100644 --- a/bamboo-specs/release.yaml +++ b/bamboo-specs/release.yaml @@ -91,6 +91,11 @@ 'tasks': - 'checkout': 'force-clean-build': true + - 'checkout': + 'repository': 'bamboo-deploy-publisher' + # The paths are always relative to the working directory. + 'path': 'bamboo-deploy-publisher' + 'force-clean-build': true - 'script': 'interpreter': 'SHELL' 'scripts': @@ -99,6 +104,9 @@ set -e -f -u -x + # Explicitly checkout the revision that we need. + git checkout "${bamboo.repository.revision.number}" + # Run the build with the specified channel. echo "${bamboo.gpgSecretKeyPart1}${bamboo.gpgSecretKeyPart2}"\ | awk '{ gsub(/\\n/, "\n"); print; }'\ @@ -107,6 +115,8 @@ make\ CHANNEL=${bamboo.channel}\ GPG_KEY_PASSPHRASE=${bamboo.gpgPassword}\ + DEPLOY_SCRIPT_PATH="./bamboo-deploy-publisher/deploy.sh"\ + SIGNER_API_KEY="${bamboo.adguardHomeWinSignerSecretApiKey}"\ FRONTEND_PREBUILT=1\ PARALLELISM=1\ VERBOSE=2\ diff --git a/bamboo-specs/test.yaml b/bamboo-specs/test.yaml index 26e0c5d3c07..29a8bae55f3 100644 --- a/bamboo-specs/test.yaml +++ b/bamboo-specs/test.yaml @@ -143,12 +143,6 @@ 'other': 'clean-working-dir': true 'tasks': - # TODO(e.burkov): Remove after test. - - 'checkout': - 'repository': 'bamboo-deploy-publisher' - # The paths are always relative to the working directory. - 'path': 'bamboo-deploy-publisher' - 'force-clean-build': true - 'checkout': 'force-clean-build': true - 'script': diff --git a/scripts/make/build-release.sh b/scripts/make/build-release.sh index dfa29e1c399..5f9494d31f7 100644 --- a/scripts/make/build-release.sh +++ b/scripts/make/build-release.sh @@ -83,11 +83,15 @@ if [ "$sign" -eq '1' ] then gpg_key_passphrase="${GPG_KEY_PASSPHRASE:?please set GPG_KEY_PASSPHRASE or unset SIGN}" gpg_key="${GPG_KEY:?please set GPG_KEY or unset SIGN}" + signer_api_key="${SIGNER_API_KEY:?please set SIGNER_API_KEY or unset SIGN}" + deploy_script_path="${DEPLOY_SCRIPT_PATH:?please set DEPLOY_SCRIPT_PATH or unset SIGN}" else gpg_key_passphrase='' gpg_key='' + signer_api_key='' + deploy_script_path='' fi -readonly gpg_key_passphrase gpg_key +readonly gpg_key_passphrase gpg_key signer_api_key deploy_script_path # The default distribution files directory is dist. dist="${DIST_DIR:-dist}" @@ -149,6 +153,50 @@ windows amd64 - - windows arm64 - -" readonly platforms +# Function sign signs the specified build as intended by the target operating +# system. +sign() { + # Only sign if needed. + if [ "$sign" -ne '1' ] + then + return + fi + + # Get the arguments. Here and below, use the "sign_" prefix for all + # variables local to function sign. + sign_os="$1" + sign_bin_path="$2" + + if [ "$sign_os" != 'windows' ] + then + gpg\ + --default-key "$gpg_key"\ + --detach-sig\ + --passphrase "$gpg_key_passphrase"\ + --pinentry-mode loopback\ + -q\ + "$sign_bin_path"\ + ; + + return + # TODO(e.burkov): Enable for all releases. + elif [ "$channel" != 'beta' ] + then + return + fi + + signed_bin_path="${sign_bin_path}.signed" + + env\ + INPUT_FILE="$sign_bin_path"\ + OUTPUT_FILE="$signed_bin_path"\ + SIGNER_API_KEY="$signer_api_key"\ + "$deploy_script_path" sign-executable\ + ; + + mv "$signed_bin_path" "$sign_bin_path" +} + # Function build builds the release for one platform. It builds a binary and an # archive. build() { @@ -189,17 +237,7 @@ build() { log "$build_output" - if [ "$sign" -eq '1' ] - then - gpg\ - --default-key "$gpg_key"\ - --detach-sig\ - --passphrase "$gpg_key_passphrase"\ - --pinentry-mode loopback\ - -q\ - "$build_output"\ - ; - fi + sign "$os" "$build_output" # Prepare the build directory for archiving. cp ./CHANGELOG.md ./LICENSE.txt ./README.md "$build_dir"