conjur-debify 3.0.3.pre.216 → 3.0.3.pre.1914

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a67cda7bff727c277d5265ce52db2bff433d1037f00127c89f0d3741cb4fd301
-  data.tar.gz: 44fcf54fc677d908deed4a07bad5d4c2a7275a3e0e659db5538c0dce42f9de5d
+  metadata.gz: b361743dc7723ab21f23aa6b3192161d8a4ef64f175654db610f3a0c30390486
+  data.tar.gz: 70d7d42091e3a99882af0a649e36188eda5f1da138c149ae718978675b119bff
 SHA512:
-  metadata.gz: 9675f380f690a261d7c9f1cd76045600745f92dc4ad1388b9f462ebb3c5ed36a1d11ad3c5be937a40ee3afbc9f595557d6f74ed91e0cb0c044f2153b0543df9e
-  data.tar.gz: 05767c19f4e97a04c71da31c2a8d0e7079a2b979b19a48779ce625e8351b6c8a44066362ee939b579c03058177f21a6eda0ad59379728e56b33cf9000a13d6b9
+  metadata.gz: 5156842479768b6005995b228589e61834bab51a19f553c1e602b59c0ef31d57419959622bad33754a76899d0bb6bb1f5323735447fcba73792ec8ced473defe
+  data.tar.gz: 1841a0b4ec0b5507593b7d8f38cdccc512e9f0b9b3a40fc8e94bba35bd5ef73024918a257a96d50ed0d09e4b7c98f6c021de7a53785e728748917a7930780c78

data/CHANGELOG.md

@@ -1,11 +1,4 @@
 ## [3.0.3]
-### Added
-- Build arm64 image on separate agent with dedicated architecture
-- Upload artifacts for all packaged architectures to artifactory
-
-### Fixed
-- Fixed regressions introduced by incorrect linting fixes. Most significantly,
-  preventing the `VERSION` file from being included in release packages.
 
 ## [3.0.2]
 ### Changed
@@ -44,11 +37,11 @@
 
 - Refine bundler related steps in `debify package` flow: only `package.sh` file configures
   and invokes bundler. `Dockerfile.fpm` only copies files and adjusts folder structure.
-- Remove bundler 1.* support
+- Remove bundler 1.* support 
 
 # 2.0.0
 ### Changed
-- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this
+- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this 
   flag is not given, the default value is `deb`.
   [conjurinc/debify#56](https://github.com/conjurinc/debify/issues/56)
 

data/Dockerfile

@@ -10,7 +10,7 @@ RUN apt-get update -qq && \
     rm -rf /var/lib/apt/lists/*
 
 # Install Docker client tools
-ENV DOCKERVERSION=27.0.3
+ENV DOCKERVERSION=24.0.2
 RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
   && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
                  -C /usr/local/bin docker/docker \

data/Jenkinsfile

@@ -1,66 +1,24 @@
 #!/usr/bin/env groovy
 
-@Library("product-pipelines-shared-library") _
-
-def productName = 'Debify'
-def productTypeName = 'Conjur Internal'
-
 // Automated release, promotion and dependencies
 properties([
-  // Include the automated release parameters for the build
   release.addParams(),
-  // Dependencies of the project that should trigger builds
-  dependencies([])
+  dependencies(['cyberark/conjur-base-image'])
 ])
 
-// Performs release promotion.  No other stages will be run
 if (params.MODE == "PROMOTE") {
-  release.promote(params.VERSION_TO_PROMOTE) { infrapool, sourceVersion, targetVersion, assetDirectory ->
-    // Any assets from sourceVersion Github release are available in assetDirectory
-    // Any version number updates from sourceVersion to targetVersion occur here
-    // Any publishing of targetVersion artifacts occur here
-    // Anything added to assetDirectory will be attached to the Github Release
-
-    env.INFRAPOOL_PRODUCT_NAME = "${productName}"
-    env.INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
-
-    def scans = [:]
-
-    scans["AMD64"] = {
-      stage("Scan Docker image (AMD64 based)") {
-        runSecurityScans(infrapool,
-          image: "registry.tld/conjurinc/debify:${sourceVersion}-amd64",
-          buildMode: params.MODE,
-          branch: env.BRANCH_NAME,
-          architecure: 'linux/amd64')
-      }
-    }
-
-    scans["ARM64"] = {
-      stage("Scan Docker image (ARM64 based)") {
-        runSecurityScans(infrapool,
-          image: "registry.tld/conjurinc/debify:${sourceVersion}-arm64",
-          buildMode: params.MODE,
-          branch: env.BRANCH_NAME,
-          architecure: 'linux/arm64')
-      }
-    }
-
-    parallel(scans)
-
-    //Note: assetDirectory is on the infrapool agent, not the local Jenkins agent.
-    infrapool.agentSh './publish-rubygem.sh'
+  release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
+    sh './publish-rubygem.sh'
   }
-  release.copyEnterpriseRelease(params.VERSION_TO_PROMOTE)
   return
 }
 
 pipeline {
-  agent { label 'conjur-enterprise-common-agent' }
+  agent { label 'executor-v2' }
 
   options {
     timestamps()
-    buildDiscarder(logRotator(numToKeepStr: '30'))
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
   }
 
   triggers {
@@ -68,16 +26,10 @@ pipeline {
   }
 
   environment {
-    // Sets the MODE to the specified or autocalculated value as appropriate
     MODE = release.canonicalizeMode()
-
-    // Values to direct scan results to the right place in DefectDojo
-    INFRAPOOL_PRODUCT_NAME = "${productName}"
-    INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
   }
 
   stages {
-    // Aborts any builds triggered by another project that wouldn't include any changes
     stage ("Skip build if triggering job didn't create a release") {
       when {
         expression {
@@ -91,109 +43,34 @@ pipeline {
         }
       }
     }
-
-    stage('Get InfraPool ExecutorV2 Agent(s)') {
-      steps {
-        script {
-          // Request ExecutorV2 agents for 1 hour(s)
-          INFRAPOOL_EXECUTORV2_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2", quantity: 1, duration: 1)[0]
-          INFRAPOOL_EXECUTORV2ARM_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2ARM", quantity: 1, duration: 1)[0]
-        }
-      }
-    }
-
     stage('Prepare') {
-      parallel {
-        stage('Prepare AMD64') {
-          steps {
-            // Initialize VERSION file
-            updateVersion(INFRAPOOL_EXECUTORV2_AGENT_0, "CHANGELOG.md", "${BUILD_NUMBER}")
-          }
-        }
-
-        stage('Prepare ARM64') {
-          steps {
-            // Initialize VERSION file
-            updateVersion(INFRAPOOL_EXECUTORV2ARM_AGENT_0, "CHANGELOG.md", "${BUILD_NUMBER}")
-          }
-        }
-      }
-    }
-
-    stage('Build Docker image') {
-      parallel {
-        stage('Build AMD64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './build.sh'
-            }
-          }
-        }
-
-        stage('Build ARM64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './build.sh'
-            }
-          }
-        }
-      }
-    }
-    stage('Push Docker image') {
-      parallel {
-        stage('Push AMD64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-image.sh amd64'
-            }
-          }
-        }
-
-        stage('Push ARM64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './push-image.sh arm64'
-            }
-          }
-        }
+      steps {
+        // Initialize VERSION file
+        updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
       }
     }
-
-    stage('Push Docker manifest with multi-arch') {
+    stage('Build docker image') {
       steps {
-        script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-manifest.sh'
-        }
+        sh './build.sh'
       }
     }
+
     stage('Scan Docker image') {
       parallel {
-        stage('Scan Docker image (AMD64 based)') {
+        stage('Scan Docker image for fixable issues') {
           steps{
             script {
-              // Take the first value of the image-tags output
-              VERSION = INFRAPOOL_EXECUTORV2_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
             }
-            runSecurityScans(INFRAPOOL_EXECUTORV2_AGENT_0,
-              image: "registry.tld/conjurinc/debify:${VERSION}",
-              buildMode: MODE,
-              branch: env.BRANCH_NAME,
-              arch: "linux/amd64"
-            )
+            scanAndReport("debify:${VERSION}", "HIGH", false)
           }
         }
-        stage('Scan Docker image (ARM64 based)') {
+        stage('Scan Docker image for all issues') {
           steps{
             script {
-              // Take the first value of the image-tags output
-              VERSION = INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
             }
-            runSecurityScans(INFRAPOOL_EXECUTORV2ARM_AGENT_0,
-              image: "registry.tld/conjurinc/debify:${VERSION}",
-              buildMode: MODE,
-              branch: env.BRANCH_NAME,
-              arch: "linux/arm64"
-            )
+            scanAndReport("debify:${VERSION}", "NONE", true)
           }
         }
       }
@@ -201,18 +78,21 @@ pipeline {
 
     stage('Run feature tests') {
       steps {
-        script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './test.sh'
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'test-results', includes: 'features/reports/*.xml'
-        }
+        sh './test.sh'
       }
       post { always {
-        unstash 'test-results'
         junit 'features/reports/*.xml'
       }}
     }
 
-    stage('Release') {
+    stage('Push Docker image') {
+      steps {
+        sh './tag-image.sh'
+        sh './push-image.sh'
+      }
+    }
+
+    stage('Publish to RubyGems') {
       when {
         expression {
           MODE == "RELEASE"
@@ -220,31 +100,17 @@ pipeline {
       }
 
       steps {
-        script {
-          release(INFRAPOOL_EXECUTORV2_AGENT_0) { billOfMaterialsDirectory, assetDirectory ->
-            /* Publish release artifacts to all the appropriate locations
-               Copy any artifacts to assetDirectory on the infrapool node
-               to attach them to the Github release.
-
-               If your assets are on the infrapool node in the target
-               directory, use a copy like this:
-                  infrapool.agentSh "cp target/* ${assetDirectory}"
-               Note That this will fail if there are no assets, add :||
-               if you want the release to succeed with no assets.
-
-               If your assets are in target on the main Jenkins agent, use:
-                 infrapool.agentPut(from: 'target/', to: assetDirectory)
-            */
-            INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './publish-rubygem.sh'
-            INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "cp conjur-debify-*.gem release-assets/."
-          }
+        release {
+          sh './publish-rubygem.sh'
+          sh "cp conjur-debify-*.gem release-assets/."
         }
       }
     }
   }
+
   post {
     always {
-      releaseInfraPoolAgent()
+      cleanupAndNotify(currentBuild.currentResult)
     }
   }
 }

data/README.md

@@ -116,7 +116,7 @@ COMMAND OPTIONS
     --additional-files=arg - Specify files to add to the FPM image that are not included from the git repo (default: none)
     -d, --dir=arg          - Set the current working directory (default: none)
     --dockerfile=arg       - Specify a custom Dockerfile.fpm (default: none)
-    -i, --image=arg        - Image name (default: cyberark/ubuntu-ruby-builder)
+    -i, --image=arg        - Image name (default: cyberark/phusion-ruby-fips)
     -o, --output=arg       - Set the output file type of the fpm command (e.g rpm) (default: none)
     -t, --image-tag=arg    - Image tag, e.g. 4.5-stable, 4.6-stable (default: latest)
     -v, --version=arg      - Specify the deb version; by default, it's read from the VERSION file (default: none)

data/VERSION

@@ -1 +1 @@
-3.0.3-216
+3.0.3-1914

data/features/package.feature

@@ -8,16 +8,16 @@ Feature: Packaging
     And I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example --output rpm  -v 0.0.1-suffix example  -- --post-install /distrib/postinstall.sh`
 
   Scenario: 'example' project can be packaged successfully
-    Then the output should match /conjur-example_0\.0\.1-suffix_(amd64|arm64)\.deb/
-    And the output should match /conjur-example-dev_0\.0\.1-suffix_(amd64|arm64)\.deb/
-    And the output should match /conjur-example-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/
-    And the output should match /conjur-example-dev-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/
+    Then the stdout should contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-dev_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+    And the stdout should contain "conjur-example-dev-0.0.1_suffix-1.x86_64.rpm"
 
   Scenario: 'clean' command will delete non-Git-managed files
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify clean -d ../../example --force`
-    And I cd to "../../example"
-    Then a file matching %r</conjur-example_0\.0\.1-suffix_(amd64|arm64)\.deb/> should not exist
-    And a file matching %r</conjur-example-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/> should not exist
+    And I successfully run `find ../../example`
+    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout from "find ../../example" should not contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
 
   Scenario: 'example' project can be published
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 5.0 example`

data/image-tags

@@ -9,12 +9,9 @@ show_master_tags() {
 }
 
 show_branch_tags() {
-  VERSION=$(< VERSION)
-  docker run --rm debify:$VERSION config script > docker-debify
-  chmod +x docker-debify
   # tail and tr, to remove the grottiness from the detect-version
   # output
-  local version="$(DEBIFY_IMAGE=debify:$VERSION ./docker-debify detect-version | tail -1 | tr -d '\r')"
+  local version="$(DEBIFY_IMAGE=debify:$(<VERSION) ./docker-debify detect-version | tail -1 | tr -d '\r')"
   
   echo "$BRANCH_NAME $version"
 }

data/lib/conjur/debify/action/publish.rb

@@ -1,9 +1,10 @@
 module Conjur::Debify
   module Action
     class Publish
+
       def detect_component
         branch = ENV['GIT_BRANCH'] || ENV['BRANCH_NAME'] || `git rev-parse --abbrev-ref HEAD`.strip
-        if %w[master origin/master].include?(branch)
+        if %w(master origin/master).include?(branch)
           'stable'
         else
           branch.gsub('/', '.')
@@ -11,7 +12,6 @@ module Conjur::Debify
       end
 
       attr_reader :distribution, :project_name, :cmd_options
-
       def initialize(distribution, project_name, cmd_options)
         @distribution = distribution
         @project_name = project_name
@@ -34,59 +34,44 @@ module Conjur::Debify
 
           art_user = ENV['ARTIFACTORY_USER']
           art_password = ENV['ARTIFACTORY_PASSWORD']
-          art_user, art_password = fetch_art_creds unless art_user && art_password
+          unless art_user && art_password
+            art_user, art_password = fetch_art_creds
+          end
 
-          # Publish AMD64 deb package
+          # Publish deb package
           component = cmd_options[:component] || detect_component
           deb_info = "#{distribution}/#{component}/amd64"
           package_name = "conjur-#{project_name}_#{version}_amd64.deb"
           publish_package(
-            publish_image:,
-            art_url:,
-            art_user:,
-            art_password:,
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
             art_repo: deb_art_repo,
-            package_name:,
-            dir:,
-            deb_info:
+            package_name: package_name,
+            dir: dir,
+            deb_info: deb_info
           )
 
-          # (Optional) Publish ARM64 deb package
-          unless Dir.glob('*_arm64.deb').empty?
-            deb_info = "#{distribution}/#{component}/arm64"
-            package_name = "conjur-#{project_name}_#{version}_arm64.deb"
-            publish_package(
-              publish_image:,
-              art_url:,
-              art_user:,
-              art_password:,
-              art_repo: deb_art_repo,
-              package_name:,
-              dir:,
-              deb_info:
-            )
-          end
-
           # Publish RPM package
           # The rpm builder replaces dashes with underscores in the version
           rpm_version = version.tr('-', '_')
-          package_name = "conjur-#{project_name}-#{rpm_version}-1.*.rpm"
+          package_name = "conjur-#{project_name}-#{rpm_version}-1.x86_64.rpm"
           rpm_art_repo = cmd_options['rpm-repo']
           publish_package(
-            publish_image:,
-            art_url:,
-            art_user:,
-            art_password:,
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
             art_repo: rpm_art_repo,
-            package_name:,
-            dir:
+            package_name: package_name,
+            dir: dir
           )
         end
       end
 
       def create_image
-        Docker::Image.build_from_dir File.expand_path('../../publish', File.dirname(__FILE__)), tag: 'debify-publish',
-                                     &DebugMixin::DOCKER
+        Docker::Image.build_from_dir File.expand_path('../../publish', File.dirname(__FILE__)), tag: "debify-publish", &DebugMixin::DOCKER
       end
 
       def fetch_art_creds
@@ -97,8 +82,8 @@ module Conjur::Debify
         conjur = Conjur::Authn.connect nil, noask: true
 
         account = Conjur.configuration.account
-        username_var = [account, 'variable', 'ci/artifactory/users/jenkins/username'].join(':')
-        password_var = [account, 'variable', 'ci/artifactory/users/jenkins/password'].join(':')
+        username_var = [account, "variable", "ci/artifactory/users/jenkins/username"].join(':')
+        password_var = [account, "variable", 'ci/artifactory/users/jenkins/password'].join(':')
         [conjur.resource(username_var).value, conjur.resource(password_var).value]
       end
 
@@ -114,24 +99,21 @@ module Conjur::Debify
       )
 
         cmd_args = [
-          'jfrog', 'rt', 'upload',
-          '--url', art_url,
-          '--user', art_user,
-          '--password', art_password
+          "jfrog", "rt", "upload",
+          "--url", art_url,
+          "--user", art_user,
+          "--password", art_password,
         ]
 
-        cmd_args += ['--deb', deb_info] if deb_info
+        cmd_args += ["--deb", deb_info] if deb_info
         cmd_args += [package_name, "#{art_repo}/"]
 
         options = {
           'Image' => publish_image.id,
           'Cmd' => cmd_args,
-          'HostConfig' => {
-            'Binds' => [
-              [dir, '/src'].join(':')
-            ]
-          },
-          'WorkingDir' => '/src'
+          'Binds' => [
+            [ dir, "/src" ].join(':')
+          ]
         }
         options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
 
@@ -141,15 +123,14 @@ module Conjur::Debify
       def publish(options)
         container = Docker::Container.create(options)
         begin
-          container.tap(&:start!).streaming_logs(follow: true, stdout: true, stderr: true) do |_stream, chunk|
-            puts "#{chunk}"
-          end
+          container.tap(&:start!).streaming_logs(follow: true, stdout: true, stderr: true) { |stream, chunk| puts "#{chunk}" }
           status = container.wait
-          raise 'Failed to publish package' unless status['StatusCode'] == 0
+          raise "Failed to publish package" unless status['StatusCode'] == 0
         ensure
           container.delete(force: true)
         end
       end
+
     end
   end
 end