Add publish snapshot script #41
Conversation
Signed-off-by: Marc Handalian <[email protected]>
Mostly minor stuff. The "invalid signature" logic needs a fix, but feel free to do the easy fix there.
scripts/publish-snapshot.sh (outdated)
###### Information ############################################################################
# Name: publish-snapshot.sh
# Language: Shell
#
# About: Deploy opensearch artifacts to a sonatype snapshot repository.
# The given directory is intended to be the root directory of a maven repository containing ./org/opensearch artifacts.
# This script will search POM files under ./org/opensearch.
# If found, pom, jar, and signature files will be deployed to the org/opensearch namespace.
#
# Prerequisites: The given directory must be the parent directory of org/opensearch artifacts.
# Environment variables must be set:
# SONATYPE_ID/SONATYPE_PASSWORD - repository credentials
# SNAPSHOT_HOST - repository host
#
#
# Usage: ./publish-snapshot.sh <directory>
#
###############################################################################################
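Review bot: the About block documents the upload but not the verification gate that precedes it: it should state that each pom and jar's detached signature is checked before anything is deployed, which keyring or key the check is made against, and that a failed check aborts the run rather than skipping the artifact. The Prerequisites list is also the place to say that the directory holds a single project's artifacts, since the thread agrees CI invokes the script once per repository, and a reader of the header alone would assume it can sweep several projects at once.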
Do we need to add the license header?
oops, will add it.
scripts/publish-snapshot.sh (outdated)
[ -z "${1:-}" ] && {
echo "Usage: ($basename $0) dir"
exit 1
}

[ -z "${SONATYPE_ID}" ] && {
echo "SONATYPE_ID is required"
exit 1
}

[ -z "${SONATYPE_PASSWORD}" ] && {
echo "SONATYPE_PASSWORD is required"
exit 1
}

[ -z "${SNAPSHOT_HOST}" ] && {
echo "SNAPSHOT_HOST is required"
exit 1
}
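Review bot: `echo "Usage: ($basename $0) dir"` expands an unset `$basename` variable and prints the literal parentheses; it should read `echo "Usage: $(basename "$0") dir"`. In the same block, the positional check uses `${1:-}`, the form needed under `set -u`, but the three environment checks expand `${SONATYPE_ID}`, `${SONATYPE_PASSWORD}` and `${SNAPSHOT_HOST}` bare, so if the script runs with `set -u` an unset variable aborts with the shell's unbound-variable error before the "is required" message is ever printed; write them as `"${SONATYPE_ID:-}"` and so on, and send the diagnostics to stderr so they are not mixed into captured output.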
I recommend adding a usage function that prints out all the usage information, including the meanings of positional parameters, required environment variables, etc. Implementing a -h or --help flag is often useful, too.
scripts/publish-snapshot.sh (outdated)
gpg --verify-files "${pomsig}" "${jarsig}"

if [ $? -ne 0 ]; then
echo "Invalid signature on artifacts, skipping ${pom}"
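Review bot: the non-zero branch only prints a message, so execution falls through to the upload of the very artifacts whose signatures just failed; it needs at least a `continue`, or an `exit 1` given the decision below to fail the whole run on any bad signature. Separately, `gpg --verify-files` exits 0 for a signature made by any key present in the runner's keyring, so a valid signature from the wrong key passes this check; pin the expected signing key as well, for example by reading `--status-fd` output and matching the fingerprint on the `VALIDSIG` line, instead of relying on the exit status alone.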
You need a continue here.
Actually, it might be better to fail the whole script if any signature checks fail...otherwise it's hard to automatically verify that everything got uploaded correctly. I think I want a zero exit code to mean "everything was uploaded", not "everything that wasn't invalidated was uploaded".
Ok. Will update this to validate the signature on all artifacts before any are pushed so that we don't end up with partial uploads.
If that is the case let's make sure we are executing this script one project at a time (that may have n artifacts to push) vs one execution to push multiple projects under org/opensearch.
Meaning CI execute this separately for each repo built.
Agreed.
Can we add that in the About section of the script? This can be easily missed.
updated the About section
Description
Add a simple publish script to push pre-built/signed artifacts to a sonatype nexus repository.
This is intended to be used with https://aws.oss.sonatype.org/content/repositories/snapshots.
The script takes in a directory that should contain org/opensearch projects to publish. It intentionally searches only for poms in this namespace and pushes only to a snapshot repository.
Tested with a local instance of nexus running at localhost:8081 and prebuilt/signed dummy artifacts.
Note: this uses curl instead of the maven-deploy plugin to deploy. The maven-deploy plugin auto-generates a timestamp for each artifact, but it does not deploy signature files. So that signatures match the artifact/pom names, any timestamp/build id should be appended during packaging.
Issues Resolved
Partial - #20
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
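The flow the description and the review thread converge on (find the poms under org/opensearch, verify every signature before the first upload, push pom, jar and signatures with curl, one project per run, with a usage function and a -h flag), written out as an added example. It is not the opensearch-build project's script and not the code from this PR. It assumes detached signatures named <file>.asc beside each pom and jar, the expected signing key's fingerprint in a hypothetical RELEASE_KEY_FPR variable, and a Nexus-style repository on SNAPSHOT_HOST that accepts one HTTP PUT per file under /content/repositories/snapshots/; the upload path and the key-pinning check are choices made here, not something the PR shows.

```sh
#!/usr/bin/env sh
# Added example, not the opensearch-build project's script: verify every
# signature for every org/opensearch POM under <directory> before the first
# upload, so a bad signature never leaves a partial snapshot behind.
# Assumed (not from the PR): detached signatures named <file>.asc, the expected
# signing key's fingerprint in RELEASE_KEY_FPR, and a Nexus-style repository
# accepting one HTTP PUT per file under /content/repositories/snapshots/.
set -eu

usage() {
  cat <<EOF
Usage: $(basename "$0") <directory>
Deploy one project's org/opensearch artifacts (pom, jar, .asc) to a snapshot
repository; run once per project. <directory> is the root of a local Maven
repository layout containing org/opensearch/...
Required environment: SONATYPE_ID, SONATYPE_PASSWORD (credentials),
  SNAPSHOT_HOST (base URL, e.g. https://aws.oss.sonatype.org),
  RELEASE_KEY_FPR (fingerprint of the key that must have signed every file)
EOF
}

# require_env NAME VALUE: VALUE is passed as "${NAME:-}" so set -u cannot abort
# before the friendly message is printed.
require_env() {
  [ -n "$2" ] || { echo "$1 is required" >&2; usage >&2; return 1; }
}

# The four files belonging to one POM, one per line (Maven layout:
# .../<artifactId>/<version>/<artifactId>-<version>.pom).
artifact_files() {
  base=${1%.pom}
  printf '%s\n%s\n%s\n%s\n' "$1" "$base.jar" "$1.asc" "$base.jar.asc"
}

# Every POM under <dir>/org/opensearch; only that namespace is published.
find_poms() {
  find "$1/org/opensearch" -type f -name '*.pom' | sort
}

# Return 1 if any pom, jar or signature is missing. Maven paths contain no
# whitespace, so word-splitting the lists is safe here.
check_files_present() {
  missing=0
  for pomfile in $(find_poms "$1"); do
    for f in $(artifact_files "$pomfile"); do
      [ -f "$f" ] || { echo "missing: $f" >&2; missing=1; }
    done
  done
  return $missing
}

# gpg --verify exits 0 for a signature from any key in the local keyring, so
# also pin the key: VALIDSIG carries the signing (sub)key fingerprint in field 3
# and the primary key fingerprint in the last field.
verify_signature() {
  gpg --batch --status-fd 1 --verify "$1" "${1%.asc}" 2>/dev/null \
    | awk -v fpr="$RELEASE_KEY_FPR" \
        '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Verify all signatures for all POMs; nothing is uploaded unless this passes.
verify_all() {
  failed=0
  for pomfile in $(find_poms "$1"); do
    for sigfile in "$pomfile.asc" "${pomfile%.pom}.jar.asc"; do
      verify_signature "$sigfile" || { echo "BAD: ${sigfile#"$1"/}" >&2; failed=1; }
    done
  done
  return $failed
}

# upload_file ROOT FILE: PUT one file, keeping its org/opensearch path. Credentials
# reach curl via --config on stdin, not --user, so they never show in `ps`
# (a password containing " or \ would need escaping in curl's config syntax).
upload_file() {
  printf 'user = "%s:%s"\n' "$SONATYPE_ID" "$SONATYPE_PASSWORD" \
    | curl --config - --fail --silent --show-error --upload-file "$2" \
        "${SNAPSHOT_HOST}/content/repositories/snapshots/${2#"$1"/}"
}

main() {
  case "${1:-}" in
    -h|--help) usage; exit 0 ;;
    "") usage >&2; exit 1 ;;
  esac
  root=${1%/}
  require_env SONATYPE_ID "${SONATYPE_ID:-}"
  require_env SONATYPE_PASSWORD "${SONATYPE_PASSWORD:-}"
  require_env SNAPSHOT_HOST "${SNAPSHOT_HOST:-}"
  require_env RELEASE_KEY_FPR "${RELEASE_KEY_FPR:-}"
  # Fail closed before the first PUT, so exit 0 means "everything was uploaded".
  check_files_present "$root"
  verify_all "$root"
  for pomfile in $(find_poms "$root"); do
    for f in $(artifact_files "$pomfile"); do
      upload_file "$root" "$f"
      echo "uploaded: ${f#"$root"/}"
    done
  done
}
# Run main only when invoked as the script, not when sourced by a test.
case "$0" in */publish-snapshot.sh|publish-snapshot.sh) main "$@" ;; esac
```

`main` runs only when the file is invoked under its own name, so the functions can be sourced and exercised against a scratch directory without credentials or network. The upload step is deliberately written as its own statement rather than `upload_file ... && echo ...`, because `set -e` ignores a failure on the left side of `&&`, which would let a rejected PUT go unnoticed.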