From b30654ef227ef67b2b8aa836280341448f6edd0b Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Thu, 1 Sep 2022 16:08:55 +0200
Subject: [PATCH] ci-automation: Prepare release job
The old pipeline had a release job where mantle's plume release tool was invoked to publish the cloud images. Implement a release job in the new pipeline with the same goals and eventually even more automation.
---
 ci-automation/release.sh | 107 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 ci-automation/release.sh
diff --git a/ci-automation/release.sh b/ci-automation/release.sh
new file mode 100644
index 0000000000..0ed3b6739c
--- /dev/null
+++ b/ci-automation/release.sh
@@ -0,0 +1,107 @@
+#!/bin/bash
+
+# Copyright (c) 2022 The Flatcar Maintainers.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# >>> This file is supposed to be SOURCED from the repository ROOT. <<<
+#
+# release_build() is currently called with no positional INPUT parameters but uses the signing env vars.
+
+# Release build automation stub.
+# This script will release the image build from bincache to the cloud offers.
+#
+# PREREQUISITES:
+#
+# 1. SDK version and OS image version are recorded in sdk_container/.repo/manifests/version.txt
+# 2. Scripts repo version tag of OS image version to be built is available and checked out.
+# 3. Mantle container docker image reference is stored in sdk_container/.repo/manifests/mantle-container.
+# 4. Vendor image and torcx docker tarball + manifest to run tests for are available on buildcache
+# ( images/[ARCH]/[FLATCAR_VERSION]/ )
+# 5. SDK container is either
+# - available via ghcr.io/flatcar-linux/flatcar-sdk-[ARCH]:[VERSION] (official SDK release)
+# OR
+# - available via build cache server "/containers/[VERSION]/flatcar-sdk-[ARCH]-[VERSION].tar.gz"
+# (dev SDK)
+#
+# INPUT:
+#
+# (none)
+#
+# OPTIONAL INPUT:
+#
+# 1. SIGNER. Environment variable. Name of the owner of the artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNING_KEY environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# 2. SIGNING_KEY. Environment variable. The artifact signing key.
+# Defaults to nothing if not set - in such case, artifacts will not be signed.
+# If provided, SIGNER environment variable should also be provided, otherwise this environment variable will be ignored.
+#
+# OUTPUT:
+#
+# 1. The cloud images are published with mantle's plume and ore tools
+# 2. The AWS AMI text files are pushed to buildcache ( images/[ARCH]/[FLATCAR_VERSION]/ )
+# 3. "./ci-cleanup.sh" with commands to clean up temporary build resources,
+# to be run after this step finishes / when this step is aborted.
+# 4. If signer key was passed, signatures of artifacts from point 1, pushed along to buildcache.
+# 5. DIGESTS of the artifacts from point 1, pushed to buildcache. If signer key was passed, armored ASCII files of the generated DIGESTS files too, pushed to buildcache.
+
+function release_build() {
+ # Run a subshell, so the traps, environment changes and global
+ # variables are not spilled into the caller.
+ (
+ set -euo pipefail
+
+ _release_build_impl "${@}"
+ )
+}
+
+function _inside_mantle() {
+ # Run a subshell for the same reasons as above
+ (
+ set -euo pipefail
+
+ source ci-automation/ci_automation_common.sh
+ source sdk_container/.repo/manifests/version.txt
+
+ # TODO: set up credentials
+ # TODO: run mantle pre-release and release for all platforms
+ # (needs changes in mantle to consume from buildcache via https)
+ # TODO: run ore for AWS marketplace upload
+ )
+}
+
+function _release_build_impl() {
+ source ci-automation/ci_automation_common.sh
+ source ci-automation/gpg_setup.sh
+ init_submodules
+
+ source sdk_container/.repo/manifests/version.txt
+ local sdk_version="${FLATCAR_SDK_VERSION}"
+ local docker_sdk_vernum="$(vernum_to_docker_image_version "${sdk_version}")"
+ local vernum="${FLATCAR_VERSION}"
+ local docker_vernum="$(vernum_to_docker_image_version "${vernum}")"
+
+ local container_name="flatcar-publish-${docker_vernum}"
+ local mantle_ref
+ mantle_ref=$(cat sdk_container/.repo/manifests/mantle-container)
+ # A job on each worker prunes old mantle images (docker image prune), no need to do it here
+ echo "docker rm -f '${container_name}'" >> ./ci-cleanup.sh
+
+ touch sdk_container/.env # This file should already contain the required credentials as env vars
+ docker run --pull always --rm --name="${container_name}" --net host \
+ -w /work -v "$PWD":/work "${mantle_ref}" bash -c "source ci-automation/release.sh; _inside_mantle"
+ # TODO: sign and copy resulting AMI text file to buildcache
+ # TODO: run CF template update
+ # TODO: publish SDK container image if not published yet (i.e., on new majors)
+ echo "===="
+ echo "Done, now you can copy the images to Origin"
+ echo "===="
+ # Future: trigger copy to Origin in a secure way
+ # Future: trigger update payload signing
+ # Future: trigger website update
+ # Future: trigger release email sending
+ # Future: trigger push to nebraska
+ # Future: trigger Origin symlink switch
+}
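Review bot: The `docker run` in `_release_build_impl` hands the whole checkout, read-write and with `--net host`, to an image that `--pull always` re-resolves on every run from whatever string is in `sdk_container/.repo/manifests/mantle-container`, and that checkout includes `sdk_container/.env`, which the comment on the `touch` line says holds the release credentials. If that manifest can carry a mutable tag, the code that sees those credentials is decided at pull time rather than by the checked-out commit; I would require a digest-pinned reference (`name@sha256:<digest>`) and fail early when it is not one. `touch sdk_container/.env` also creates the file under the default umask when it is missing; `( umask 077; touch sdk_container/.env )` keeps it private. Separately, `local docker_vernum="$(vernum_to_docker_image_version "${vernum}")"` masks a failing helper from `set -e`, so declare and assign on separate lines as is already done for `mantle_ref` (same for `docker_sdk_vernum`).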