From 63b10d9d22b94c038d4685cd68287f99037904e5 Mon Sep 17 00:00:00 2001
From: Jan Stastny <ststnjn@gmail.com>
Date: Mon, 27 May 2024 11:37:36 +0200
Subject: [PATCH] kie-issues#1250: prepare for release branch,gpg,svn (#1770)

* kie-issues#1250: prepare for release branch,gpg,svn

* change docker save command

Co-authored-by: Rodrigo Antunes <contato@rodrigoantunes.com.br>

* Update .ci/jenkins/Jenkinsfile.build-image

Co-authored-by: Rodrigo Antunes <contato@rodrigoantunes.com.br>

* fix DSL

---------

Co-authored-by: jstastny-cz <jan.stastny@ibm.com>
Co-authored-by: Rodrigo Antunes <contato@rodrigoantunes.com.br>
---
 .ci/jenkins/Jenkinsfile.build-image | 44 +++++++++++++++++++++++++++++
 .ci/jenkins/Jenkinsfile.deploy      |  6 +++-
 .ci/jenkins/dsl/jobs.groovy         |  8 ++++++
 3 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/.ci/jenkins/Jenkinsfile.build-image b/.ci/jenkins/Jenkinsfile.build-image
index 4a425f3cc..2d5845416 100644
--- a/.ci/jenkins/Jenkinsfile.build-image
+++ b/.ci/jenkins/Jenkinsfile.build-image
@@ -222,6 +222,31 @@ pipeline {
                 }
             }
         }
+        stage('Export, Sign and Archive Image and signature') {
+            when {
+                expression { return shouldExportAndGpgSign() }
+            }
+            steps {
+                script {
+                    def resultingFileName = "${getFinalImageName()}.tar.gz"
+                    def signatureFileName = "${resultingFileName}.asc"
+                    sh """
+                        docker pull ${getBuiltImageTag()}
+                        docker save ${getBuiltImageTag()} | gzip > ${resultingFileName}
+                    """
+                    release.gpgImportKeyFromFileWithPassword(getReleaseGpgSignKeyCredsId(), getReleaseGpgSignPassphraseCredsId())
+                    release.gpgSignFileDetachedSignatureWithPassword(resultingFileName, signatureFileName, getReleaseGpgSignPassphraseCredsId())
+                    release.svnUploadFileToRepository(getReleaseSvnRepository(), getReleaseSvnCredsId(), getReleaseVersion(), resultingFileName, signatureFileName)
+                }
+            }
+            post {
+                always {
+                    script {
+                        archiveArtifacts(artifacts: '**/*.tar.gz,**/*.tar.gz.asc', fingerprint: false, allowEmptyArchive: true)
+                    }
+                }
+            }
+        }
     }
     post {
         always {
@@ -372,6 +397,10 @@ boolean shouldDeployImage() {
     return params.DEPLOY_IMAGE
 }
 
+boolean shouldExportAndGpgSign() {
+    return params.EXPORT_AND_GPG_SIGN_IMAGE
+}
+
 String getBuildKogitoAppsRef() {
     return params.BUILD_KOGITO_APPS_REF
 }
@@ -427,3 +456,18 @@ String getTriggeringProjectName() {
     }
     return ""
 }
+String getReleaseGpgSignKeyCredsId() {
+    return env.RELEASE_GPG_SIGN_KEY_CREDS_ID
+}
+
+String getReleaseGpgSignPassphraseCredsId() {
+    return env.RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID
+}
+
+String getReleaseSvnRepository() {
+    return env.RELEASE_SVN_REPOSITORY
+}
+
+String getReleaseSvnCredsId() {
+    return env.RELEASE_SVN_CREDS_ID
+}
diff --git a/.ci/jenkins/Jenkinsfile.deploy b/.ci/jenkins/Jenkinsfile.deploy
index 2391a1ae8..8ee24f812 100644
--- a/.ci/jenkins/Jenkinsfile.deploy
+++ b/.ci/jenkins/Jenkinsfile.deploy
@@ -300,7 +300,7 @@ void createBuildAndTestStageClosure(String image) {
             buildParams.add(string(name: 'TESTS_KOGITO_EXAMPLES_URI', value: params.EXAMPLES_URI))
             buildParams.add(string(name: 'TESTS_KOGITO_EXAMPLES_REF', value: params.EXAMPLES_REF))
 
-            buildParams.add(booleanParam(name: 'DEPLOY_IMAGE', value: true))
+            buildParams.add(booleanParam(name: 'DEPLOY_IMAGE', value: isDeployImage()))
             buildParams.add(booleanParam(name: 'DEPLOY_IMAGE_USE_OPENSHIFT_REGISTRY', value: isDeployImageInOpenshiftRegistry()))
             buildParams.add(string(name: 'DEPLOY_IMAGE_REGISTRY_CREDENTIALS', value: getDeployImageRegistryCredentials()))
             buildParams.add(string(name: 'DEPLOY_IMAGE_REGISTRY', value: getDeployImageRegistry()))
@@ -354,6 +354,10 @@ List getTestFailedImages() {
 // Deploy image information
 ////////////////////////////////////////////////////////////////////////
 
+boolean isDeployImage() {
+    return !env.DISABLE_IMAGES_DEPLOY
+}
+
 boolean isDeployImageInOpenshiftRegistry() {
     return params.IMAGE_USE_OPENSHIFT_REGISTRY
 }
diff --git a/.ci/jenkins/dsl/jobs.groovy b/.ci/jenkins/dsl/jobs.groovy
index eb7535ff9..9f997b07e 100644
--- a/.ci/jenkins/dsl/jobs.groovy
+++ b/.ci/jenkins/dsl/jobs.groovy
@@ -115,6 +115,8 @@ void setupDeployJob(JobType jobType) {
         DEFAULT_STAGING_REPOSITORY: "${MAVEN_NEXUS_STAGING_PROFILE_URL}",
 
         QUARKUS_PLATFORM_NEXUS_URL: Utils.getMavenQuarkusPlatformRepositoryUrl(this),
+
+        DISABLE_IMAGES_DEPLOY: (jobType==JobType.NIGHTLY) ? true : Utils.isImagesDeployDisabled(this)
     ])
     if (Utils.hasBindingValue(this, 'CLOUD_IMAGES')) {
         jobParams.env.put('IMAGES_LIST', Utils.getBindingValue(this, 'CLOUD_IMAGES'))
@@ -167,6 +169,11 @@ void setupBuildImageJob(JobType jobType) {
 
         GIT_AUTHOR_CREDS_ID: "${GIT_AUTHOR_CREDENTIALS_ID}",
         GIT_AUTHOR_TOKEN_CREDS_ID: "${GIT_AUTHOR_TOKEN_CREDENTIALS_ID}",
+
+        RELEASE_GPG_SIGN_KEY_CREDS_ID: Utils.getReleaseGpgSignKeyCredentialsId(this),
+        RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID: Utils.getReleaseGpgSignPassphraseCredentialsId(this),
+        RELEASE_SVN_REPOSITORY: Utils.getReleaseSvnCredentialsId(this),
+        RELEASE_SVN_CREDS_ID: Utils.getReleaseSvnStagingRepository(this)
     ])
     KogitoJobTemplate.createPipelineJob(this, jobParams)?.with {
         logRotator {
@@ -202,6 +209,7 @@ void setupBuildImageJob(JobType jobType) {
             stringParam('DEPLOY_IMAGE_NAME_SUFFIX', '', 'Image name suffix to use to deploy images. In case you need to change the final image name, you can add a suffix to it.')
             stringParam('DEPLOY_IMAGE_TAG', '', 'Image tag to use to deploy images')
             booleanParam('DEPLOY_WITH_LATEST_TAG', false, 'Set to true if you want the deployed images to also be with the `latest` tag')
+            booleanParam('EXPORT_AND_GPG_SIGN_IMAGE', jobType == JobType.RELEASE, 'Set to true if should images be exported and signed.')
         }
     }
 }