RubyGems - conjur-debify - Versions diffs - 3.0.3.pre.248 → 3.0.3.pre.1914 - Mend

conjur-debify 3.0.3.pre.248 → 3.0.3.pre.1914

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +2 -9
data/Dockerfile +2 -2
data/Jenkinsfile +31 -165
data/README.md +1 -1
data/VERSION +1 -1
data/distrib/secrets.yml +0 -2
data/features/package.feature +7 -7
data/image-tags +1 -4
data/lib/conjur/debify/action/publish.rb +34 -53
data/lib/conjur/debify.rb +315 -328
data/push-image.sh +2 -8
data/tag-image.sh +6 -0
metadata +4 -5
data/kics.config +0 -10
data/push-manifest.sh +0 -14

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dee5ebc68d4c02c548b5f419b373ade1fbfcaf0270333df348ba8ca3df15b1ea
-  data.tar.gz: cf726fa0b7bc1d818f8fac867fbdbdf0f23820f8c812065f283ab84a4f5ca9fe
+  metadata.gz: b361743dc7723ab21f23aa6b3192161d8a4ef64f175654db610f3a0c30390486
+  data.tar.gz: 70d7d42091e3a99882af0a649e36188eda5f1da138c149ae718978675b119bff
 SHA512:
-  metadata.gz: c942a9241ea475dc79bc7d89e3b66f0ab9d8d7f21a4d610b142869852328dadfe6bf008ff11666ca9a2d9a38961c1de77a1ed0326523ad06e08569d96b93ae65
-  data.tar.gz: 589b532b54bd9a5639d85f88da084e39e24affd765b6dfe9fe02907364c836d4f4a90cf1f513b5fdb048680af83ddac212e40ad2ac819039bfd40d866a0c7801
+  metadata.gz: 5156842479768b6005995b228589e61834bab51a19f553c1e602b59c0ef31d57419959622bad33754a76899d0bb6bb1f5323735447fcba73792ec8ced473defe
+  data.tar.gz: 1841a0b4ec0b5507593b7d8f38cdccc512e9f0b9b3a40fc8e94bba35bd5ef73024918a257a96d50ed0d09e4b7c98f6c021de7a53785e728748917a7930780c78

data/CHANGELOG.md CHANGED Viewed

@@ -1,11 +1,4 @@
 ## [3.0.3]
-### Added
-- Build arm64 image on separate agent with dedicated architecture
-- Upload artifacts for all packaged architectures to artifactory
-### Fixed
-- Fixed regressions introduced by incorrect linting fixes. Most significantly,
-  preventing the `VERSION` file from being included in release packages.
 ## [3.0.2]
 ### Changed
@@ -44,11 +37,11 @@
 - Refine bundler related steps in `debify package` flow: only `package.sh` file configures
   and invokes bundler. `Dockerfile.fpm` only copies files and adjusts folder structure.
-- Remove bundler 1.* support
+- Remove bundler 1.* support
 # 2.0.0
 ### Changed
-- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this
+- Debify now receives the flag `--output` as input to indicate the file type that it should package (e.g `rpm`). If this
   flag is not given, the default value is `deb`.
   [conjurinc/debify#56](https://github.com/conjurinc/debify/issues/56)

data/Dockerfile CHANGED Viewed

@@ -2,7 +2,7 @@ FROM ruby:3.2
 RUN apt-get update -qq && \
     apt-get upgrade -qqy && \
-    apt-get install --no-install-recommends -qqy \
+    apt-get install -qqy \
     apt-transport-https \
     ca-certificates \
     curl && \
@@ -10,7 +10,7 @@ RUN apt-get update -qq && \
     rm -rf /var/lib/apt/lists/*
 # Install Docker client tools
-ENV DOCKERVERSION=27.2.1
+ENV DOCKERVERSION=24.0.2
 RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKERVERSION}.tgz \
   && tar xzvf docker-${DOCKERVERSION}.tgz --strip 1 \
                  -C /usr/local/bin docker/docker \

data/Jenkinsfile CHANGED Viewed

@@ -1,66 +1,24 @@
 #!/usr/bin/env groovy
-@Library("product-pipelines-shared-library") _
-def productName = 'Debify'
-def productTypeName = 'Conjur Internal'
 // Automated release, promotion and dependencies
 properties([
-  // Include the automated release parameters for the build
   release.addParams(),
-  // Dependencies of the project that should trigger builds
-  dependencies([])
+  dependencies(['cyberark/conjur-base-image'])
 ])
-// Performs release promotion.  No other stages will be run
 if (params.MODE == "PROMOTE") {
-  release.promote(params.VERSION_TO_PROMOTE) { infrapool, sourceVersion, targetVersion, assetDirectory ->
-    // Any assets from sourceVersion Github release are available in assetDirectory
-    // Any version number updates from sourceVersion to targetVersion occur here
-    // Any publishing of targetVersion artifacts occur here
-    // Anything added to assetDirectory will be attached to the Github Release
-    env.INFRAPOOL_PRODUCT_NAME = "${productName}"
-    env.INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
-    def scans = [:]
-    scans["AMD64"] = {
-      stage("Scan Docker image (AMD64 based)") {
-        runSecurityScans(infrapool,
-          image: "registry.tld/conjurinc/debify:${sourceVersion}-amd64",
-          buildMode: params.MODE,
-          branch: env.BRANCH_NAME,
-          architecure: 'linux/amd64')
-      }
-    }
-    scans["ARM64"] = {
-      stage("Scan Docker image (ARM64 based)") {
-        runSecurityScans(infrapool,
-          image: "registry.tld/conjurinc/debify:${sourceVersion}-arm64",
-          buildMode: params.MODE,
-          branch: env.BRANCH_NAME,
-          architecure: 'linux/arm64')
-      }
-    }
-    parallel(scans)
-    //Note: assetDirectory is on the infrapool agent, not the local Jenkins agent.
-    infrapool.agentSh './publish-rubygem.sh'
+  release.promote(params.VERSION_TO_PROMOTE) { sourceVersion, targetVersion, assetDirectory ->
+    sh './publish-rubygem.sh'
   }
-  release.copyEnterpriseRelease(params.VERSION_TO_PROMOTE)
   return
 }
 pipeline {
-  agent { label 'conjur-enterprise-common-agent' }
+  agent { label 'executor-v2' }
   options {
     timestamps()
-    buildDiscarder(logRotator(numToKeepStr: '30'))
+    buildDiscarder(logRotator(daysToKeepStr: '30'))
   }
   triggers {
@@ -68,16 +26,10 @@ pipeline {
   }
   environment {
-    // Sets the MODE to the specified or autocalculated value as appropriate
     MODE = release.canonicalizeMode()
-    // Values to direct scan results to the right place in DefectDojo
-    INFRAPOOL_PRODUCT_NAME = "${productName}"
-    INFRAPOOL_DD_PRODUCT_TYPE_NAME = "${productTypeName}"
   }
   stages {
-    // Aborts any builds triggered by another project that wouldn't include any changes
     stage ("Skip build if triggering job didn't create a release") {
       when {
         expression {
@@ -91,109 +43,34 @@ pipeline {
         }
       }
     }
-    stage('Get InfraPool ExecutorV2 Agent(s)') {
-      steps {
-        script {
-          // Request ExecutorV2 agents for 1 hour(s)
-          INFRAPOOL_EXECUTORV2_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2", quantity: 1, duration: 1)[0]
-          INFRAPOOL_EXECUTORV2ARM_AGENT_0 = getInfraPoolAgent.connected(type: "ExecutorV2ARM", quantity: 1, duration: 1)[0]
-        }
-      }
-    }
     stage('Prepare') {
-      parallel {
-        stage('Prepare AMD64') {
-          steps {
-            // Initialize VERSION file
-            updateVersion(INFRAPOOL_EXECUTORV2_AGENT_0, "CHANGELOG.md", "${BUILD_NUMBER}")
-          }
-        }
-        stage('Prepare ARM64') {
-          steps {
-            // Initialize VERSION file
-            updateVersion(INFRAPOOL_EXECUTORV2ARM_AGENT_0, "CHANGELOG.md", "${BUILD_NUMBER}")
-          }
-        }
-      }
-    }
-    stage('Build Docker image') {
-      parallel {
-        stage('Build AMD64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './build.sh'
-            }
-          }
-        }
-        stage('Build ARM64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './build.sh'
-            }
-          }
-        }
-      }
-    }
-    stage('Push Docker image') {
-      parallel {
-        stage('Push AMD64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-image.sh amd64'
-            }
-          }
-        }
-        stage('Push ARM64 image') {
-          steps {
-            script {
-              INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh './push-image.sh arm64'
-            }
-          }
-        }
+      steps {
+        // Initialize VERSION file
+        updateVersion("CHANGELOG.md", "${BUILD_NUMBER}")
       }
     }
-    stage('Push Docker manifest with multi-arch') {
+    stage('Build docker image') {
       steps {
-        script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './push-manifest.sh'
-        }
+        sh './build.sh'
       }
     }
     stage('Scan Docker image') {
       parallel {
-        stage('Scan Docker image (AMD64 based)') {
+        stage('Scan Docker image for fixable issues') {
           steps{
             script {
-              // Take the first value of the image-tags output
-              VERSION = INFRAPOOL_EXECUTORV2_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
             }
-            runSecurityScans(INFRAPOOL_EXECUTORV2_AGENT_0,
-              image: "registry.tld/conjurinc/debify:${VERSION}",
-              buildMode: MODE,
-              branch: env.BRANCH_NAME,
-              arch: "linux/amd64"
-            )
+            scanAndReport("debify:${VERSION}", "HIGH", false)
           }
         }
-        stage('Scan Docker image (ARM64 based)') {
+        stage('Scan Docker image for all issues') {
           steps{
             script {
-              // Take the first value of the image-tags output
-              VERSION = INFRAPOOL_EXECUTORV2ARM_AGENT_0.agentSh(returnStdout: true, script: './image-tags | cut -d" " -f1')
+              VERSION = sh(returnStdout: true, script: 'cat VERSION')
             }
-            runSecurityScans(INFRAPOOL_EXECUTORV2ARM_AGENT_0,
-              image: "registry.tld/conjurinc/debify:${VERSION}",
-              buildMode: MODE,
-              branch: env.BRANCH_NAME,
-              arch: "linux/arm64"
-            )
+            scanAndReport("debify:${VERSION}", "NONE", true)
           }
         }
       }
@@ -201,18 +78,21 @@ pipeline {
     stage('Run feature tests') {
       steps {
-        script {
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './test.sh'
-          INFRAPOOL_EXECUTORV2_AGENT_0.agentStash name: 'test-results', includes: 'features/reports/*.xml'
-        }
+        sh './test.sh'
       }
       post { always {
-        unstash 'test-results'
         junit 'features/reports/*.xml'
       }}
     }
-    stage('Release') {
+    stage('Push Docker image') {
+      steps {
+        sh './tag-image.sh'
+        sh './push-image.sh'
+      }
+    }
+    stage('Publish to RubyGems') {
       when {
         expression {
           MODE == "RELEASE"
@@ -220,31 +100,17 @@ pipeline {
       }
       steps {
-        script {
-          release(INFRAPOOL_EXECUTORV2_AGENT_0) { billOfMaterialsDirectory, assetDirectory ->
-            /* Publish release artifacts to all the appropriate locations
-               Copy any artifacts to assetDirectory on the infrapool node
-               to attach them to the Github release.
-               If your assets are on the infrapool node in the target
-               directory, use a copy like this:
-                  infrapool.agentSh "cp target/* ${assetDirectory}"
-               Note That this will fail if there are no assets, add :||
-               if you want the release to succeed with no assets.
-               If your assets are in target on the main Jenkins agent, use:
-                 infrapool.agentPut(from: 'target/', to: assetDirectory)
-            */
-            INFRAPOOL_EXECUTORV2_AGENT_0.agentSh './publish-rubygem.sh'
-            INFRAPOOL_EXECUTORV2_AGENT_0.agentSh "cp conjur-debify-*.gem release-assets/."
-          }
+        release {
+          sh './publish-rubygem.sh'
+          sh "cp conjur-debify-*.gem release-assets/."
         }
       }
     }
   }
   post {
     always {
-      releaseInfraPoolAgent()
+      cleanupAndNotify(currentBuild.currentResult)
     }
   }
 }

data/README.md CHANGED Viewed

@@ -116,7 +116,7 @@ COMMAND OPTIONS
     --additional-files=arg - Specify files to add to the FPM image that are not included from the git repo (default: none)
     -d, --dir=arg          - Set the current working directory (default: none)
     --dockerfile=arg       - Specify a custom Dockerfile.fpm (default: none)
-    -i, --image=arg        - Image name (default: cyberark/ubuntu-ruby-builder)
+    -i, --image=arg        - Image name (default: cyberark/phusion-ruby-fips)
     -o, --output=arg       - Set the output file type of the fpm command (e.g rpm) (default: none)
     -t, --image-tag=arg    - Image tag, e.g. 4.5-stable, 4.6-stable (default: latest)
     -v, --version=arg      - Specify the deb version; by default, it's read from the VERSION file (default: none)

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 3.0.3-~~248~~
1	+ 3.0.3-1914

data/distrib/secrets.yml CHANGED Viewed

@@ -1,4 +1,2 @@
-# This are used by summon, these are not hardcoded credentials
-#kics-scan disable=487f4be7-3fd9-4506-a07a-eae252180c08
 ARTIFACTORY_USER: !var ci/artifactory/users/jenkins/username
 ARTIFACTORY_PASSWORD: !var ci/artifactory/users/jenkins/password

data/features/package.feature CHANGED Viewed

@@ -8,16 +8,16 @@ Feature: Packaging
     And I successfully run `env DEBUG=true GLI_DEBUG=true debify package -d ../../example --output rpm  -v 0.0.1-suffix example  -- --post-install /distrib/postinstall.sh`
   Scenario: 'example' project can be packaged successfully
-    Then the output should match /conjur-example_0\.0\.1-suffix_(amd64|arm64)\.deb/
-    And the output should match /conjur-example-dev_0\.0\.1-suffix_(amd64|arm64)\.deb/
-    And the output should match /conjur-example-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/
-    And the output should match /conjur-example-dev-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/
+    Then the stdout should contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-dev_0.0.1-suffix_amd64.deb"
+    And the stdout should contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
+    And the stdout should contain "conjur-example-dev-0.0.1_suffix-1.x86_64.rpm"
   Scenario: 'clean' command will delete non-Git-managed files
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify clean -d ../../example --force`
-    And I cd to "../../example"
-    Then a file matching %r</conjur-example_0\.0\.1-suffix_(amd64|arm64)\.deb/> should not exist
-    And a file matching %r</conjur-example-0\.0\.1_suffix-1\.(x86_64|aarch64)\.rpm/> should not exist
+    And I successfully run `find ../../example`
+    Then the stdout from "find ../../example" should not contain "conjur-example_0.0.1-suffix_amd64.deb"
+    And the stdout from "find ../../example" should not contain "conjur-example-0.0.1_suffix-1.x86_64.rpm"
   Scenario: 'example' project can be published
     When I successfully run `env DEBUG=true GLI_DEBUG=true debify publish -v 0.0.1-suffix -d ../../example 5.0 example`

data/image-tags CHANGED Viewed

@@ -9,12 +9,9 @@ show_master_tags() {
 }
 show_branch_tags() {
-  VERSION=$(< VERSION)
-  docker run --rm debify:$VERSION config script > docker-debify
-  chmod +x docker-debify
   # tail and tr, to remove the grottiness from the detect-version
   # output
-  local version="$(DEBIFY_IMAGE=debify:$VERSION ./docker-debify detect-version | tail -1 | tr -d '\r')"
+  local version="$(DEBIFY_IMAGE=debify:$(<VERSION) ./docker-debify detect-version | tail -1 | tr -d '\r')"
   echo "$BRANCH_NAME $version"
 }

data/lib/conjur/debify/action/publish.rb CHANGED Viewed

@@ -1,9 +1,10 @@
 module Conjur::Debify
   module Action
     class Publish
       def detect_component
         branch = ENV['GIT_BRANCH'] || ENV['BRANCH_NAME'] || `git rev-parse --abbrev-ref HEAD`.strip
-        if %w[master origin/master].include?(branch)
+        if %w(master origin/master).include?(branch)
           'stable'
         else
           branch.gsub('/', '.')
@@ -11,7 +12,6 @@ module Conjur::Debify
       end
       attr_reader :distribution, :project_name, :cmd_options
       def initialize(distribution, project_name, cmd_options)
         @distribution = distribution
         @project_name = project_name
@@ -34,59 +34,44 @@ module Conjur::Debify
           art_user = ENV['ARTIFACTORY_USER']
           art_password = ENV['ARTIFACTORY_PASSWORD']
-          art_user, art_password = fetch_art_creds unless art_user && art_password
+          unless art_user && art_password
+            art_user, art_password = fetch_art_creds
+          end
-          # Publish AMD64 deb package
+          # Publish deb package
           component = cmd_options[:component] || detect_component
           deb_info = "#{distribution}/#{component}/amd64"
           package_name = "conjur-#{project_name}_#{version}_amd64.deb"
           publish_package(
-            publish_image:,
-            art_url:,
-            art_user:,
-            art_password:,
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
             art_repo: deb_art_repo,
-            package_name:,
-            dir:,
-            deb_info:
+            package_name: package_name,
+            dir: dir,
+            deb_info: deb_info
           )
-          # (Optional) Publish ARM64 deb package
-          unless Dir.glob('*_arm64.deb').empty?
-            deb_info = "#{distribution}/#{component}/arm64"
-            package_name = "conjur-#{project_name}_#{version}_arm64.deb"
-            publish_package(
-              publish_image:,
-              art_url:,
-              art_user:,
-              art_password:,
-              art_repo: deb_art_repo,
-              package_name:,
-              dir:,
-              deb_info:
-            )
-          end
           # Publish RPM package
           # The rpm builder replaces dashes with underscores in the version
           rpm_version = version.tr('-', '_')
-          package_name = "conjur-#{project_name}-#{rpm_version}-1.*.rpm"
+          package_name = "conjur-#{project_name}-#{rpm_version}-1.x86_64.rpm"
           rpm_art_repo = cmd_options['rpm-repo']
           publish_package(
-            publish_image:,
-            art_url:,
-            art_user:,
-            art_password:,
+            publish_image: publish_image,
+            art_url: art_url,
+            art_user: art_user,
+            art_password: art_password,
             art_repo: rpm_art_repo,
-            package_name:,
-            dir:
+            package_name: package_name,
+            dir: dir
           )
         end
       end
       def create_image
-        Docker::Image.build_from_dir File.expand_path('../../publish', File.dirname(__FILE__)), tag: 'debify-publish',
-                                     &DebugMixin::DOCKER
+        Docker::Image.build_from_dir File.expand_path('../../publish', File.dirname(__FILE__)), tag: "debify-publish", &DebugMixin::DOCKER
       end
       def fetch_art_creds
@@ -97,8 +82,8 @@ module Conjur::Debify
         conjur = Conjur::Authn.connect nil, noask: true
         account = Conjur.configuration.account
-        username_var = [account, 'variable', 'ci/artifactory/users/jenkins/username'].join(':')
-        password_var = [account, 'variable', 'ci/artifactory/users/jenkins/password'].join(':')
+        username_var = [account, "variable", "ci/artifactory/users/jenkins/username"].join(':')
+        password_var = [account, "variable", 'ci/artifactory/users/jenkins/password'].join(':')
         [conjur.resource(username_var).value, conjur.resource(password_var).value]
       end
@@ -114,24 +99,21 @@ module Conjur::Debify
       )
         cmd_args = [
-          'jfrog', 'rt', 'upload',
-          '--url', art_url,
-          '--user', art_user,
-          '--password', art_password
+          "jfrog", "rt", "upload",
+          "--url", art_url,
+          "--user", art_user,
+          "--password", art_password,
         ]
-        cmd_args += ['--deb', deb_info] if deb_info
+        cmd_args += ["--deb", deb_info] if deb_info
         cmd_args += [package_name, "#{art_repo}/"]
         options = {
           'Image' => publish_image.id,
           'Cmd' => cmd_args,
-          'HostConfig' => {
-            'Binds' => [
-              [dir, '/src'].join(':')
-            ]
-          },
-          'WorkingDir' => '/src'
+          'Binds' => [
+            [ dir, "/src" ].join(':')
+          ]
         }
         options['Privileged'] = true if Docker.version['Version'] >= '1.10.0'
@@ -141,15 +123,14 @@ module Conjur::Debify
       def publish(options)
         container = Docker::Container.create(options)
         begin
-          container.tap(&:start!).streaming_logs(follow: true, stdout: true, stderr: true) do |_stream, chunk|
-            puts "#{chunk}"
-          end
+          container.tap(&:start!).streaming_logs(follow: true, stdout: true, stderr: true) { |stream, chunk| puts "#{chunk}" }
           status = container.wait
-          raise 'Failed to publish package' unless status['StatusCode'] == 0
+          raise "Failed to publish package" unless status['StatusCode'] == 0
         ensure
           container.delete(force: true)
         end
       end
     end
   end
 end