Change auth method in releasepy: remove shared token and use Jenkins …

…API tokens (#1201)

Commit changes:

* Remove the existing token 
* Change the authentication model to use per-user Jekins API tokens: 41d75d8
* Implement --auth for release.py
* Use --auth from releasepy in nightly/releasepy jobs
* Add osrfbuild permission to call -debbuilder and brew_release
* Include basic python metadata files

* Corresponding developers documentation update: gazebosim/docs#538

Signed-off-by: Jose Luis Rivero <[email protected]>

check_releasepy.bash

@@ -1,6 +1,7 @@
 #!/bin/bash -e
 
 export _RELEASEPY_DEBUG=1
+
 test_dir=$(mktemp -d)
 export _RELEASEPY_TEST_RELEASE_REPO="${test_dir}/test-release"
 mkdir -p ${_RELEASEPY_TEST_RELEASE_REPO}/{focal,jammy,ubuntu}/debian
@@ -25,7 +26,8 @@ exec_releasepy_test()
     ./release.py \
       --dry-run \
       --no-sanity-checks \
-    gz-foo 1.2.3 token ${test_params}
+      --auth user:fake \
+    gz-foo 1.2.3 ${test_params}
 }
 
 exec_ignition_releasepy_test()
@@ -35,7 +37,8 @@ exec_ignition_releasepy_test()
     ./release.py \
       --dry-run \
       --no-sanity-checks \
-    ign-foo 1.2.3 token ${test_params}
+      --auth user:fake \
+    ign-foo 1.2.3 ${test_params}
 }
 
 exec_ignition_gazebo_releasepy_test()
@@ -45,7 +48,8 @@ exec_ignition_gazebo_releasepy_test()
     ./release.py \
       --dry-run \
       --no-sanity-checks \
-    ign-gazebo 1.2.3 token ${test_params}
+      --auth user:fake \
+    ign-gazebo 1.2.3 ${test_params}
 }
 
 exec_releasepy_with_real_gz()
@@ -54,9 +58,10 @@ exec_releasepy_with_real_gz()
     ./release.py \
       --dry-run \
       --no-sanity-checks \
+      --auth user:fake \
       --source-repo-uri http://github.com/gazebosim/gz-common \
       --source-repo-existing-ref http://github.com/gazebosim/gz-common/foo-tag \
-    "${gz_pkg}" "${major_version}.x.y" token
+    "${gz_pkg}" "${major_version}.x.y"
 }
 
 expect_job_run()

jenkins-scripts/dsl/_configs_/OSRFCredentials.groovy

@@ -13,8 +13,8 @@ class OSRFCredentials
         credentialsBinding {
           crendentials_list.each { credential_keyword ->
             if (credential_keyword == 'OSRFBUILD_GITHUB_TOKEN') {
-                usernamePassword('OSRFBUILD_USER',
-                                 'OSRFBUILD_TOKEN',
+                usernamePassword('OSRFBUILD_GITHUB_USER',
+                                 'OSRFBUILD_GITHUB_TOKEN',
                                  'github-osrfbuild-apitoken')
             } else if (credential_keyword == 'OSRFBUILD_JENKINS_TOKEN') {
                 usernamePassword('OSRFBUILD_JENKINS_USER',

jenkins-scripts/dsl/_configs_/OSRFLinuxBackportPkg.groovy

@@ -4,7 +4,6 @@ import javaposse.jobdsl.dsl.Job
 
 /*
   -> OSRFLinuxBase
-  -> GenericRemoteToken
 
   Implements:
     - priorioty 300
@@ -24,7 +23,6 @@ class OSRFLinuxBackportPkg
   static void create(Job job)
   {
     OSRFLinuxBase.create(job)
-    GenericRemoteToken.create(job)
 
     job.with
     {

jenkins-scripts/dsl/_configs_/OSRFLinuxBuildPkg.groovy

@@ -2,10 +2,10 @@ package _configs_
 
 import javaposse.jobdsl.dsl.Job
 import _configs_.Globals
+import _configs_.OSRFCredentials
 
 /*
   -> OSRFLinuxBuildPkgBase
-  -> GenericRemoteToken
 
   Implements:
     - priority 100
@@ -28,7 +28,7 @@ class OSRFLinuxBuildPkg
   static void create(Job job, Map default_params = [:])
   {
     OSRFLinuxBuildPkgBase.create(job)
-    GenericRemoteToken.create(job)
+    OSRFCredentials.allowOsrfbuildToRunTheBuild(job)
 
     job.with
     {

jenkins-scripts/dsl/_configs_/OSRFReleasepy.groovy

@@ -9,6 +9,7 @@ class OSRFReleasepy
   {
     // Base class for the job
     OSRFUNIXBase.create(job)
+    OSRFCredentials.setOSRFCrendentials(job, ['OSRFBUILD_JENKINS_TOKEN'])
 
     job.with
     {
@@ -58,8 +59,6 @@ class OSRFReleasepy
 
         shell("""\
             #!/bin/bash -xe
-            set +x # keep password secret
-            PASS=\$(cat \$HOME/build_pass)
 
             dry_run_str=""
             if \$DRY_RUN; then
@@ -72,10 +71,11 @@ class OSRFReleasepy
             fi
 
             echo "releasing \${n} (from branch \${src_branch})"
-              python3 ./scripts/release.py \${dry_run_str} "\${PACKAGE}" "\${VERSION}" "\${PASS}" \${extra_osrf_repo} \
+              python3 ./scripts/release.py \${dry_run_str} "\${PACKAGE}" "\${VERSION}" \${extra_osrf_repo} \
+                      --auth "\${OSRFBUILD_JENKINS_USER}:\${OSRFBUILD_JENKINS_TOKEN}" \
                       --source-tarball-uri \${SOURCE_TARBALL_URI} \
                       --release-repo-branch \${RELEASE_REPO_BRANCH} \
-                      --upload-to-repo \${UPLOAD_TO_REPO} > log
+                      --upload-to-repo \${UPLOAD_TO_REPO}
             echo " - done"
             """.stripIndent())
       }

jenkins-scripts/dsl/_configs_/OSRFSourceCreation.groovy

@@ -57,7 +57,6 @@ class OSRFSourceCreation
   static void create(Job job, Map default_params = [:], Map default_hidden_params = [:])
   {
     OSRFLinuxBuildPkgBase.create(job)
-    GenericRemoteToken.create(job)
     OSRFSourceCreation.addParameters(job, default_params)
 
     def pkg_sources_dir="pkgs"

jenkins-scripts/dsl/brew_release.dsl

@@ -51,7 +51,7 @@ void include_common_params(Job job)
 // 1. BREW pull request SHA updater
 def release_job = job("generic-release-homebrew_pull_request_updater")
 OSRFUNIXBase.create(release_job)
-GenericRemoteToken.create(release_job)
+OSRFCredentials.allowOsrfbuildToRunTheBuild(release_job)
 
 include_common_params(release_job)
 release_job.with
@@ -131,8 +131,6 @@ OSRFBrewCompilationAnyGitHub.create(bottle_job_builder,
                                     DISABLE_TESTS,
                                     NO_SUPPORTED_BRANCHES,
                                     DISABLE_GITHUB_INTEGRATION)
-GenericRemoteToken.create(bottle_job_builder)
-
 bottle_job_builder.with
 {
    wrappers {
@@ -247,7 +245,6 @@ bottle_job_builder.with
 // 4. BREW bottle hash update
 def bottle_job_hash_updater = job(bottle_hash_updater_job_name)
 OSRFUNIXBase.create(bottle_job_hash_updater)
-GenericRemoteToken.create(bottle_job_hash_updater)
 
 include_common_params(bottle_job_hash_updater)
 bottle_job_hash_updater.with

jenkins-scripts/dsl/gazebo_ros_pkgs.dsl

@@ -260,7 +260,6 @@ bloom_debbuild_jobs.each { bloom_pkg ->
 
   // Use the linux install as base
   OSRFLinuxBuildPkgBase.create(build_pkg_job)
-  GenericRemoteToken.create(build_pkg_job)
 
   build_pkg_job.with
   {

jenkins-scripts/dsl/ignition_collection.dsl

@@ -148,6 +148,7 @@ nightly_collection = gz_collections_yaml.collections
 
 def nightly_scheduler_job = job("ignition-${gz_nightly}-nightly-scheduler")
 OSRFUNIXBase.create(nightly_scheduler_job)
+OSRFCredentials.setOSRFCrendentials(nightly_scheduler_job, ['OSRFBUILD_JENKINS_TOKEN'])
 
 nightly_scheduler_job.with
 {
@@ -190,8 +191,6 @@ nightly_scheduler_job.with
   steps {
     shell("""\
           #!/bin/bash -xe
-          set +x # keep password secret
-          PASS=\$(cat \$HOME/build_pass)
 
           dry_run_str=""
           if \$DRY_RUN; then
@@ -240,7 +239,11 @@ nightly_scheduler_job.with
               fi
 
               echo "releasing \${n} (from branch \${src_branch})"
-              python3 ./scripts/release.py \${dry_run_str} "\${n}" nightly "\${PASS}" --release-repo-branch main --nightly-src-branch \${src_branch} --upload-to-repo nightly > log || echo "MARK_AS_UNSTABLE"
+              python3 ./scripts/release.py \${dry_run_str} "\${n}" nightly \
+                      --auth "\${OSRFBUILD_JENKINS_USER}:\${OSRFBUILD_JENKINS_TOKEN}" \
+                      --release-repo-branch main \
+                      --nightly-src-branch \${src_branch} \
+                      --upload-to-repo nightly
               echo " - done"
           done
 

jenkins-scripts/dsl/ros_gz_bridge.dsl

@@ -28,7 +28,6 @@ bridge_packages.each { pkg ->
 
   // Use the linux install as base
   OSRFLinuxBuildPkgBase.create(build_pkg_job)
-  GenericRemoteToken.create(build_pkg_job)
 
   build_pkg_job.with
   {

jenkins-scripts/dsl/test.dsl

@@ -153,12 +153,12 @@ test_credentials_token_job.with
           echo " + Testing OSRFBUILD_GITHUB_TOKEN ability to push into the fork osrfbuild/homebrew-simulation"
           echo "   (out of the test is the ability to create pull requests into osrf/homebrew-simulation)"
           rm -fr homebrew-simulation
-          git clone https://github.com/\${OSRFBUILD_USER}/homebrew-simulation.git
+          git clone https://github.com/\${OSRFBUILD_GITHUB_USER}/homebrew-simulation.git
           cd homebrew-simulation
-          git config user.name \${OSRFBUILD_USER} --replace-all
-          git config user.email "\${OSRFBUILD_USER}@openrobotics.org" --replace-all
+          git config user.name \${OSRFBUILD_GITHUB_USER} --replace-all
+          git config user.email "\${OSRFBUILD_GITHUB_USER}@openrobotics.org" --replace-all
           set +x
-          git config url."https://osrfbuild:\${OSRFBUILD_TOKEN}@github.com/osrfbuild/homebrew-simulation.git".InsteadOf https://github.com/osrfbuild/homebrew-simulation.git
+          git config url."https://osrfbuild:\${OSRFBUILD_GITHUB_TOKEN}@github.com/osrfbuild/homebrew-simulation.git".InsteadOf https://github.com/osrfbuild/homebrew-simulation.git
           set -x
           GIT_TERMINAL_PROMPT=0 git push -u origin master --dry-run
           """.stripIndent())

pyproject.toml

@@ -0,0 +1,5 @@
+[build-system]
+build-backend = 'setuptools.build_meta'
+requires = [
+    'setuptools',
+]