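# --- Reusable Setup Logic ---
# Shared setup steps, spliced into job templates through the *setup_env alias.
# Runs inside the job container with a docker:dind service attached; the job that
# includes this anchor supplies DOCKER_HOST / TLS variables.
.setup_env: &setup_env
  # Bounded wait for the dind service. The unbounded `until` loop it replaces
  # hung until the job timeout whenever the daemon never came up.
  - echo "Waiting for Docker daemon..."
  - |
    tries=0
    until docker info > /dev/null 2>&1; do
      tries=$((tries + 1))
      if [ "$tries" -ge 120 ]; then
        echo "Docker daemon not ready after ${tries}s" >&2
        exit 1
      fi
      sleep 1
    done
  # Fetch GitLab "secure files" (this is where the cosign signing key comes from).
  # Supply-chain caveat: this runs a script pulled from the `main` branch of the
  # installer project, so its content can change between pipeline runs. Download
  # it to a file first so a failed fetch (-f) aborts the job instead of piping an
  # error page into bash.
  # TODO(review): pin the URL to a commit SHA (or vendor the installer) and verify
  # a checksum before executing it.
  - curl -fsSL -o /tmp/download-secure-files-installer "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer"
  - bash /tmp/download-secure-files-installer
  # The cosign private key is exported into the job environment and is therefore
  # inherited by every later command in the job. Keep `set -x` and env dumps out
  # of jobs that use this anchor, and prefer loading it only on protected refs.
  - export COSIGN_PRIVATE_KEY=$(cat .secure_files/cosign.key)
  - echo "Logging in to $CI_REGISTRY..."
  # --password-stdin keeps the registry password out of the process list / logs.
  - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin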
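# --- Reusable crane install steps ---
# Installs google/go-containerregistry's `crane` into /usr/local/bin.
# Optional hardening knobs (both unset keeps the previous behaviour):
#   CRANE_VERSION - a release tag to download instead of GitHub's `latest`
#   CRANE_SHA256  - expected sha256 of the tarball; the job fails on mismatch
# An unpinned, unverified `latest` download means whatever GitHub serves at
# build time is executed in the job, so set both for release pipelines.
.install-crane:
  script:
    - |
      if [ "${CRANE_VERSION:-latest}" = "latest" ]; then
        CRANE_URL="https://github.com/google/go-containerregistry/releases/latest/download/go-containerregistry_Linux_x86_64.tar.gz"
      else
        CRANE_URL="https://github.com/google/go-containerregistry/releases/download/${CRANE_VERSION}/go-containerregistry_Linux_x86_64.tar.gz"
      fi
      curl -fsSL -o /tmp/crane.tgz "$CRANE_URL"
      # `sha256sum -c` exits non-zero on mismatch, failing the job before install.
      if [ -n "${CRANE_SHA256:-}" ]; then
        echo "${CRANE_SHA256}  /tmp/crane.tgz" | sha256sum -c -
      fi
    # Extract only the `crane` binary from the archive and install it executable.
    - tar -xzf /tmp/crane.tgz -C /tmp crane
    - install -m 0755 /tmp/crane /usr/local/bin/crane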
# --- Shared job template for bluebuild jobs ---
# Provides the runner tag, the builder image, a docker:dind service reached over
# TLS, and the shared setup steps. Jobs `extends:` this and add their own script.
.bluebuild-job-template:
  interruptible: true
  tags:
    - saas-linux-2xlarge-amd64
  image:
    # NOTE(review): no tag, so this resolves to `latest`; pin a tag (ideally a
    # digest) so the build toolchain cannot change underneath a release build.
    name: ghcr.io/blue-build/cli
    entrypoint: [""]
  services:
    # NOTE(review): same pinning concern for the dind service image.
    - docker:dind
  variables:
    # Talk to the dind service over TLS on 2376 rather than the plain-text 2375
    # endpoint; the client certs are expected under $DOCKER_TLS_CERTDIR/client.
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: /certs
    DOCKER_TLS_VERIFY: 1
    DOCKER_CERT_PATH: $DOCKER_TLS_CERTDIR/client
    S3_ENDPOINT_URL: "https://eu-1.cdn77-storage.com"
  before_script:
    # Runs the secure-files fetch (cosign key) and registry login for every job
    # built on this template, on every ref that triggers such a job.
    - *setup_env
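# --- Reusable ISO build/upload job (Tag/Release Only) ---
# Builds a versioned installer ISO for $IMAGE_NAME, uploads ISO + sha256 to the
# origami-linux bucket and purges the CDN paths. Expects ISO_NAME and IMAGE_NAME,
# plus S3_ACCESS_KEY / S3_SECRET_KEY / CDN_ID / CDN77_API_KEY as CI variables.
.iso-job-template:
  extends: .bluebuild-job-template
  stage: iso
  rules:
    # This ensures the ISO is ONLY built when you push a Git tag (e.g., v2026.03)
    # NOTE(review): consider also requiring `$CI_COMMIT_REF_PROTECTED == "true"`
    # so the S3 and CDN credentials are only exposed to protected-tag pipelines.
    - if: $CI_COMMIT_TAG
  # Defining before_script here replaces the template's, so pull it back in
  # explicitly before adding the AWS CLI install.
  before_script:
    - !reference [.bluebuild-job-template, before_script]
    - echo "Installing AWS CLI..."
    - dnf install -y awscli2
  script:
    # 1. Parse the Version from the Git Tag
    - echo "Pipeline triggered by Git tag $CI_COMMIT_TAG"
    - export RELEASE_VERSION="${CI_COMMIT_TAG#v}"
    # The tag is interpolated into a filename, an S3 object key and a hand-built
    # JSON body below. Refuse anything outside a conservative character set
    # (no `/`, quotes, whitespace or `..`) rather than publish to an unexpected
    # path or break the purge request.
    - |
      case "$RELEASE_VERSION" in
        ""|*[!A-Za-z0-9._-]*|*..*)
          echo "Refusing unexpected tag format: $CI_COMMIT_TAG" >&2
          exit 1
          ;;
      esac
    - export RELEASE_ISO="${ISO_NAME%.iso}-${RELEASE_VERSION}.iso"
    - echo "Building release ISO $RELEASE_ISO..."
    # 2. Build ISO directly with the versioned name
    # The MOK enrollment password appears to be intentionally public (it is what
    # the user types during enrollment), not a secret. MOK.der is fetched from
    # `main`, so the cert embedded in the ISO is whatever main holds at build time.
    - bluebuild generate-iso --secure-boot-url https://gitlab.com/origami-linux/images/-/raw/main/MOK.der --enrollment-password origami --iso-name "$RELEASE_ISO" image "$IMAGE_NAME"
    # 3. Generate SHA256
    # A checksum stored next to the ISO in the same bucket only detects corruption:
    # whoever can replace the ISO can replace the .sha256 as well. Tamper-evidence
    # needs a detached signature (the setup steps already load a cosign key).
    - sha256sum "$RELEASE_ISO" | tee "$RELEASE_ISO.sha256"
    # 4. Upload the versioned ISO + checksum directly to S3
    - export AWS_ACCESS_KEY_ID=$S3_ACCESS_KEY
    - export AWS_SECRET_ACCESS_KEY=$S3_SECRET_KEY
    - aws s3 cp "$RELEASE_ISO" "s3://origami-linux/$RELEASE_ISO" --endpoint-url "$S3_ENDPOINT_URL"
    - aws s3 cp "$RELEASE_ISO.sha256" "s3://origami-linux/$RELEASE_ISO.sha256" --endpoint-url "$S3_ENDPOINT_URL"
    # 5. Purge CDN for the new versioned file
    # (Useful if you ever need to re-run the pipeline to hotfix the same version tag)
    # --fail turns an HTTP error status into a non-zero exit; without it curl
    # returns 0 on a rejected purge and the job passes while the CDN keeps
    # serving the stale ISO.
    - |
      curl --fail --silent --show-error -X POST "https://api.cdn77.com/v3/cdn/$CDN_ID/job/purge/paths" \
        -H "Authorization: Bearer $CDN77_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{\"paths\": [\"/$RELEASE_ISO\", \"/$RELEASE_ISO.sha256\"]}"
  artifacts:
    name: "origami-iso-$CI_COMMIT_TAG-checksums"
    when: always
    expire_in: 2 years
    paths:
      - "*.sha256"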