Add travis pipeline publishing to maven central via oss.sonatype.org

cronicc · cronicc · commit 43e7eb86a53b · 2020-06-07T06:45:03.000Z
* Add docker container with all build and gpg sign prerequisites * Update pom.xml with metadata (groupId, artifactId, name, description, licenses, developers, scm, issueManagement sections) * Add sonatype repository information * Add build-extras profile generating sources.jar and javadoc.jar * Add sign profile signing bundle components with infrastructure@zensystem.io gpg maven subkey * Any tag signed by a release engineer in format $SEMVER-SNAPSHOT will be deployed to https://oss.sonatype.org/content/repositories/snapshots * Any tag signed by a release engineer in format $SEMVER will be deployed to https://oss.sonatype.org/service/local/staging/deploy/maven2 and pushed to https://repo1.maven.org/maven2/io/horizen/zendoo-sc-cryptolib * Git tag and pom.xml project.version have to match for deployment to work
diff --git a/.travis.settings.xml b/.travis.settings.xml
diff --git a/.travis.yml b/.travis.yml
@@ -1,15 +1,22 @@
 os: linux
-dist: xenial
-language: java
+dist: bionic
+language: generic
 addons:
   apt:
     packages:
-      - ant
       - libxml-xpath-perl
 services:
   - docker
 
+env:
+  global:
+    - CONTAINER_JAVA_VER="openjdk-8-jdk=8u252-b09-1~16.04"
+    - CONTAINER_RUST_VER="1.41.0"
+
 script: >-
-  source ci/check_tag.sh &&
-  docker build -t zencash/zendoo-sc-cryptolib-builder ./ci &&
-  docker run --rm -v "$(pwd):/build" -e LOCAL_USER_ID="$(id -u)" -e LOCAL_GRP_ID="$(id -g)" -e PUBLISH -e PACKAGECLOUD_TOKEN zencash/zendoo-sc-cryptolib-builder /build/ci/start_ci.sh
+  source ci/setup_env.sh &&
+  docker build --pull --no-cache -t zencash/zendoo-sc-cryptolib-builder ./ci &&
+  bash -c "docker run --rm -v $(pwd):/build -v ${HOME}/key.asc:/key.asc --tmpfs /tmp:uid=$(id -u),gid=$(id -g),exec,mode=1777 \
+    --tmpfs /run:uid=$(id -u),gid=$(id -g),exec,mode=1777 -e LOCAL_USER_ID=$(id -u) -e LOCAL_GRP_ID=$(id -g) \
+    $(env | grep -E '^CONTAINER_' | sed -n '/^[^\t]/s/=.*//p' | sed '/^$/d' | sed 's/^/-e /g' | tr '\n' ' ') \
+    zencash/zendoo-sc-cryptolib-builder /build/ci/start_ci.sh"
diff --git a/ci/.dockerignore b/ci/.dockerignore
@@ -1,2 +1,2 @@
 *
-!entrypoint.sh
+!entrypoint*
diff --git a/ci/Dockerfile b/ci/Dockerfile
@@ -2,14 +2,53 @@ FROM ubuntu:16.04
 
 MAINTAINER infrastructure@zensystem.io
 
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+SHELL ["/bin/bash", "-c"]
+
+COPY entrypoint.sh entrypoint_setup_gpg.sh /usr/local/bin/
 
 # Get Ubuntu packages
-RUN export DEBIAN_FRONTEND=noninteractive \
+RUN set -eux && export GOSU_VERSION=1.12 && export DEBIAN_FRONTEND=noninteractive \
     && apt-get update \
-    && apt-get install -y --no-install-recommends build-essential curl \
-       gcc-mingw-w64-x86-64 gosu maven openjdk-8-jdk=8u252-b09-1~16.04 \
-    && chmod +x /usr/local/bin/entrypoint.sh \
+    && apt-get install -y --no-install-recommends build-essential ca-certificates curl dirmngr \
+       gcc-mingw-w64-x86-64 gnupg2 gnupg-curl wget; \
+# save list of currently installed packages for later so we can clean up
+    savedAptMark="$(apt-mark showmanual)"; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends ca-certificates wget; \
+    if ! command -v gpg; then \
+      apt-get install -y --no-install-recommends gnupg2 dirmngr; \
+    elif gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
+# "This package provides support for HKPS keyservers." (GnuPG 1.x only)
+      apt-get install -y --no-install-recommends gnupg-curl; \
+    fi; \
+    rm -rf /var/lib/apt/lists/*; \
+    \
+    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+    wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+    wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+    \
+# verify the signature
+    export GNUPGHOME="$(mktemp -d)"; \
+    gpg2 --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 || \
+    gpg2 --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 || \
+    gpg2 --batch --keyserver hkp://ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 || \
+    gpg2 --batch --keyserver pgp.mit.edu --recv-key B42F6819007F00F88E364FD4036A9C25BF357DD4 || \
+    gpg2 --batch --keyserver keyserver.pgp.com --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 || \
+    gpg2 --batch --keyserver pgp.key-server.io --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg2 --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+    command -v gpgconf && gpgconf --kill all || :; \
+    rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+    \
+# clean up fetch dependencies
+    apt-mark auto '.*' > /dev/null; \
+    [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    \
+    chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+    gosu --version; \
+    gosu nobody true \
+    && chmod +x /usr/local/bin/{entrypoint.sh,entrypoint_setup_gpg.sh} \
     && apt-get -y clean \
     && apt-get -y autoclean \
     && rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*.deb
diff --git a/ci/build_jar.sh b/ci/build_jar.sh
@@ -1,23 +1,25 @@
 #!/bin/bash
 
-set -eo pipefail
+set -euo pipefail
 
 cargo clean
 
 cargo build -j$(($(nproc)+1)) --release --target=x86_64-pc-windows-gnu
 cargo build -j$(($(nproc)+1)) --release --target=x86_64-unknown-linux-gnu
 
-
 mkdir -p jni/src/main/resources/native/linux64
 cp target/x86_64-unknown-linux-gnu/release/libzendoo_sc.so jni/src/main/resources/native/linux64/libzendoo_sc.so
 
 mkdir -p jni/src/main/resources/native/windows64
 cp target/x86_64-pc-windows-gnu/release/zendoo_sc.dll jni/src/main/resources/native/windows64/zendoo_sc.dll
 
 cd jni
-mvn clean package
-
-if [ "$PUBLISH" = "true" ]; then
-  echo "Deploying package to maven repository."
-  mvn deploy
+echo "Building jar"
+mvn clean package -P !build-extras -DskipTests=true -Dmaven.javadoc.skip=true -B
+echo "Testing jar"
+mvn test -P !build-extras -B
+
+if [ "$CONTAINER_PUBLISH" = "true" ]; then
+  echo "Deploying bundle to maven repository"
+  mvn deploy -P sign,build-extras --settings ../ci/mvn_settings.xml -B
 fi
diff --git a/ci/check_tag.sh b/ci/check_tag.sh
diff --git a/ci/devtools/lint_pom.xml.sh b/ci/devtools/lint_pom.xml.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+CONTENT="$(xmllint --format --encode UTF-8 jni/pom.xml)"
+echo "${CONTENT}" > jni/pom.xml
+
+SETTINGS_CONTENT="$(xmllint --format --encode UTF-8 ci/mvn_settings.xml)"
+echo "${SETTINGS_CONTENT}" > ci/mvn_settings.xml
diff --git a/ci/entrypoint.sh b/ci/entrypoint.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
-set -e
+set -euo pipefail
+
+# check required vars are set
+if [ -z "${CONTAINER_JAVA_VER+x}" ] && [ -z "${CONTAINER_RUST_VER+x}" ]; then
+  echo "CONTAINER_JAVA_VER and CONTAINER_RUST_VER environment variables need to be set!"
+  exit 1
+fi
 
 # Add local zenbuilder user
 # Either use LOCAL_USER_ID:LOCAL_GRP_ID if set via environment
@@ -22,20 +28,33 @@ echo "Starting with UID/GID: $LOCAL_UID:$LOCAL_GID"
 
 export HOME=/home/zenbuilder
 
-# Fix ownership recursively
-chown -RH zenbuilder:zenbuilder /build
+# Get Java $CONTAINER_JAVA_VER
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y "$CONTAINER_JAVA_VER" maven
+apt-get -y clean
+apt-get -y autoclean
+rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*.deb
 
-# Get Rust
-curl https://sh.rustup.rs -sSf | gosu zenbuilder bash -s -- -y
+# Get Rust $CONTAINER_RUST_VER
+curl https://sh.rustup.rs -sSf | gosu zenbuilder bash -s -- --default-toolchain none -y
 gosu zenbuilder echo 'source $HOME/.cargo/env' >> $HOME/.bashrc
 export PATH="/home/zenbuilder/.cargo/bin:${PATH}"
+gosu zenbuilder rustup toolchain install "$CONTAINER_RUST_VER"
+gosu zenbuilder rustup target add --toolchain "$CONTAINER_RUST_VER" x86_64-pc-windows-gnu
+# fix "error: could not compile `api`." "/usr/bin/ld: unrecognized option '--nxcompat'"
+# https://github.com/rust-lang/rust/issues/32859#issuecomment-284308455
+# appears to be fixed in rust 1.42.0
+gosu zenbuilder cat << EOF > $HOME/.cargo/config
+[target.x86_64-pc-windows-gnu]
+linker = "$(which x86_64-w64-mingw32-gcc)"
+EOF
+
+# Print version information
+gosu zenbuilder java -version
+gosu zenbuilder rustc --version
 
+# Fix ownership recursively
+chown -RH zenbuilder:zenbuilder /build
 
-# Set Rust
-gosu zenbuilder /home/zenbuilder/.cargo/bin/rustup target add x86_64-pc-windows-gnu
-
-#Add maven settings
-gosu zenbuilder bash -c "mkdir -p $HOME/.m2 && cp /build/.travis.settings.xml $HOME/.m2/settings.xml"
-
-exec gosu zenbuilder "$@"
+exec gosu zenbuilder /usr/local/bin//entrypoint_setup_gpg.sh "$@"
 
diff --git a/ci/entrypoint_setup_gpg.sh b/ci/entrypoint_setup_gpg.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [ "${CONTAINER_PUBLISH}" = "true" ]; then
+  export GNUPGHOME="$(mktemp -d 2>/dev/null || mktemp -d -t 'GNUPGHOME')"
+  # gpg: setting pinentry mode 'loopback' failed: Not supported https://www.fluidkeys.com/tweak-gpg-2.1.11/
+  echo "allow-loopback-pinentry" > "${GNUPGHOME}"/gpg-agent.conf
+  gpg2 --batch --fast-import /key.asc
+fi
+
+exec "$@"
diff --git a/ci/mvn_settings.xml b/ci/mvn_settings.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings>
+  <servers>
+    <server>
+      <id>ossrh</id>
+      <username>${env.CONTAINER_OSSRH_JIRA_USERNAME}</username>
+      <password>${env.CONTAINER_OSSRH_JIRA_PASSWORD}</password>
+    </server>
+  </servers>
+  <profiles>
+    <profile>
+      <id>ossrh</id>
+      <activation>
+        <activeByDefault>true</activeByDefault>
+      </activation>
+      <properties>
+        <gpg.executable>gpg2</gpg.executable>
+        <gpg.keyname>${env.CONTAINER_GPG_KEY_NAME}</gpg.keyname>
+        <gpg.passphrase>${env.CONTAINER_GPG_PASSPHRASE}</gpg.passphrase>
+      </properties>
+    </profile>
+  </profiles>
+</settings>
diff --git a/ci/setup_env.sh b/ci/setup_env.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+set -eo pipefail
+
+pom_version="$(xpath -q -e '/project/version/text()' jni/pom.xml)"
+
+echo "TRAVIS_TAG: $TRAVIS_TAG"
+echo "jni/pom.xml version: $pom_version"
+
+export CONTAINER_PUBLISH="false"
+# empty key.asc file in case we're not signing
+touch "${HOME}/key.asc"
+
+if [ ! -z "${TRAVIS_TAG}" ]; then
+  export GNUPGHOME="$(mktemp -d 2>/dev/null || mktemp -d -t 'GNUPGHOME')"
+  echo "Tagged build, fetching maintainer keys."
+    gpg -v --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys $MAINTAINER_KEYS ||
+    gpg -v --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys $MAINTAINER_KEYS ||
+    gpg -v --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys $MAINTAINER_KEYS
+  if git verify-tag -v "${TRAVIS_TAG}"; then
+    echo "Valid signed tag"
+    if [ "${TRAVIS_TAG}" != "${pom_version}" ]; then
+       echo "Aborting, tag differs from the pom file."
+       exit 1
+    else
+      export CONTAINER_PUBLISH="true"
+      echo "Fetching gpg signing keys."
+      curl -sLH "Authorization: token $GITHUB_TOKEN" -H "Accept: application/vnd.github.v3.raw" "$MAVEN_KEY_ARCHIVE_URL" |
+        openssl enc -d -aes-256-cbc -md sha256 -pass pass:$MAVEN_KEY_ARCHIVE_PASSWORD |
+        tar -xzf- -C "${HOME}"
+    fi
+  fi
+fi
+
+# unset credentials if not publishing
+if [ "${CONTAINER_PUBLISH}" = "false" ]; then
+  export CONTAINER_OSSRH_JIRA_USERNAME=""
+  export CONTAINER_OSSRH_JIRA_PASSWORD=""
+  export CONTAINER_GPG_KEY_NAME=""
+  export CONTAINER_GPG_PASSPHRASE=""
+  unset CONTAINER_OSSRH_JIRA_USERNAME
+  unset CONTAINER_OSSRH_JIRA_PASSWORD
+  unset CONTAINER_GPG_KEY_NAME
+  unset CONTAINER_GPG_PASSPHRASE
+fi
+
+# unset credentials after use
+export GITHUB_TOKEN=""
+export MAVEN_KEY_ARCHIVE_URL=""
+export MAVEN_KEY_ARCHIVE_PASSWORD=""
+unset GITHUB_TOKEN
+unset MAVEN_KEY_ARCHIVE_URL
+unset MAVEN_KEY_ARCHIVE_PASSWORD
+
+set +eo pipefail
diff --git a/jni/pom.xml b/jni/pom.xml
diff --git a/sample.pom.xml b/sample.pom.xml

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`*`
`2`		`-!entrypoint.sh`
	`2`	`+!entrypoint*`