SONAR-23970 Add conditions to CI

Author: davividal

.cirrus.star

@@ -1,5 +1,8 @@
 load("github.com/SonarSource/cirrus-modules@v3", "load_features")
 load("cirrus", "env", "fs", "yaml")
+load(".cirrus/tasks.star", "build_tasks")
+
 
 def main(ctx):
-    return yaml.dumps(load_features(ctx)) + fs.read(".cirrus/tasks.yml")
+    tasks = build_tasks(ctx)
+    return yaml.dumps(load_features(ctx)) + tasks

.cirrus/package.sh

@@ -6,17 +6,33 @@ set -xeuo pipefail
 : "${BUILD_NUMBER:?}"
 : "${CIRRUS_BASE_BRANCH:=}"
 
-[[ -n "${CIRRUS_BASE_BRANCH}" ]] && TARGET_BRANCH="${CIRRUS_BASE_BRANCH}" || TARGET_BRANCH="${CIRRUS_BRANCH}"
+if [[ -n "${CIRRUS_BASE_BRANCH}" ]]; then
+    TARGET_BRANCH="${CIRRUS_BASE_BRANCH}"
+else
+    TARGET_BRANCH="${CIRRUS_BRANCH}"
+fi
 
 PREVIOUS_RELEASE=$(gh api "/repos/{owner}/{repo}/releases" --jq "[.[] | select(.target_commitish==\"${TARGET_BRANCH}\")][1].tag_name")
 
-[[ -z "${PREVIOUS_RELEASE}" ]] && CHARTS=("charts/sonarqube-dce" "charts/sonarqube") || CHARTS=$(ct list-changed --since "${PREVIOUS_RELEASE}" --target-branch "${TARGET_BRANCH}")
+if [[ -z "${PREVIOUS_RELEASE}" ]]; then
+    CHARTS=("charts/sonarqube-dce" "charts/sonarqube")
+else
+    # shellcheck disable=SC2178  # This will output a string, we will use it only in the for-loop, which will split it
+    CHARTS=$(ct list-changed --since "${PREVIOUS_RELEASE}" --target-branch "${TARGET_BRANCH}")
+fi
+
+# If there is a $1 argument, and it is contained in the CHARTS array, then we will only package that chart
+ARG_CHART_NAME=${1:+charts/$1}
+if [[ -n "${ARG_CHART_NAME}" ]] && [[ "${CHARTS[*]}" =~ ${ARG_CHART_NAME} ]]; then
+    CHARTS=("${ARG_CHART_NAME}")
+fi
 
 BUILD_METADATA="-${BUILD_NUMBER}"
 [[ ${CIRRUS_RELEASE:-} != "" ]] && BUILD_METADATA=""
 
 echo "${CHARTS[@]}"
 
+# shellcheck disable=SC2068  # Because ct list-changed will return a string, we want the potential split here
 for chart in ${CHARTS[@]}; do
     _original_version=$(yq '.version' "${chart}"/Chart.yaml)
     _new_version="${_original_version}${BUILD_METADATA}"

.cirrus/sign_chart.sh

@@ -1,13 +1,38 @@
-#!/bin/sh
+#!/bin/bash
 
 set -euo pipefail
 
-echo $SONARSOURCE_SIGN_KEY_PASSPHRASE | gpg --batch --yes --passphrase-fd 0 --import /tmp/key
+: "${SONARSOURCE_SIGN_KEY:?}"
+: "${SONARSOURCE_SIGN_KEY_ID:?}"
+: "${SONARSOURCE_SIGN_KEY_PASSPHRASE:?}"
+: "${CIRRUS_WORKING_DIR:?}"
 
-CURRENT_DIR=$(pwd)
+# If there is a $1 argument, treat it as the chart to sign by looking for $1*.tgz* files
+# Otherwise, look for all *.tgz* files in the working directory
+CHART_TO_SIGN=${1:-}
+NAME_GLOB="*.tgz*"
+if [[ -n "${CHART_TO_SIGN}" ]]; then
+    NAME_GLOB="${CHART_TO_SIGN}-[0-9]*.tgz*"
+fi
 
-for chart in $(find $CIRRUS_WORKING_DIR -maxdepth 1 -name "*.tgz*" -type f -exec basename "{}" ";"); do
-    cd $CIRRUS_WORKING_DIR
-    echo $SONARSOURCE_SIGN_KEY_PASSPHRASE | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --output $chart.asc --detach-sig $chart
-    cd $CURRENT_DIR
-done
+find_charts=$(find "${CIRRUS_WORKING_DIR}" -maxdepth 1 -name "${NAME_GLOB}" -type f -exec basename "{}" ";" || exit 1)
+
+CHART_TO_SIGN=()
+while IFS= read -r chart; do
+    CHART_TO_SIGN+=("${chart}")
+done <<< "${find_charts}"
+
+if [[ ${#CHART_TO_SIGN[@]} -eq 0 ]]; then
+    echo "No charts found to sign."
+    exit 1
+fi
+
+# Debugging: Print the charts to be signed
+echo "Charts to sign: ${CHART_TO_SIGN[*]}"
+
+echo "${SONARSOURCE_SIGN_KEY_PASSPHRASE}" | gpg --batch --yes --passphrase-fd 0 --import /tmp/key
+
+for chart in "${CHART_TO_SIGN[@]}"; do
+    echo "Signing ${chart}"
+    echo "${SONARSOURCE_SIGN_KEY_PASSPHRASE}" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --output "${chart}.asc" --detach-sig "${chart}"
+done

.cirrus/tasks.star

@@ -0,0 +1,10 @@
+load("cirrus", "fs")
+
+
+def build_tasks(ctx):
+    tasks_env = fs.read(".cirrus/tasks_env.yml")
+    tasks_templates = fs.read(".cirrus/tasks_templates.yml")
+    tasks = fs.read(".cirrus/tasks.yml")
+    tasks += fs.read(".cirrus/tasks_sonarqube.yml")
+    tasks += fs.read(".cirrus/tasks_sonarqube_dce.yml")
+    return tasks_env + tasks_templates + tasks

.cirrus/tasks.yml

@@ -1,144 +1,6 @@
-env:
-### Shared variables
-  NIGHTLY_CRON: 'nightly-cron'
-  DOCKER_USERNAME: VAULT[development/kv/data/docker/sonardockerrw data.username]
-  DOCKER_PASSWORD: VAULT[development/kv/data/docker/sonardockerrw data.access_token_rwd]
-  KUBE_VERSION: 1.32.0
-  DOCKER_GCLOUD_SA_KEY: VAULT[development/team/sonarqube/kv/data/gcp-marketplace-registry-staging data.key]
-  GCLOUD_REGISTRY: gcr.io/sonarqube-marketplace-provider # This is the staging registry
-  GCLOUD_PRODUCT_NAME: sonarqube-dce-staging # This is the staging product name
-  GCLOUD_TAG: 10.8.1
-  ROSA_OPENSHIFT_URL: VAULT[development/team/sonarqube/kv/data/rosa-openshift data.url]
-  ROSA_OPENSHIFT_USER: VAULT[development/team/sonarqube/kv/data/rosa-dev data.username]
-  ROSA_OPENSHIFT_PASSWORD: VAULT[development/team/sonarqube/kv/data/rosa-dev data.password]
-
-
-
-except_nightly_cron: &EXCEPT_ON_NIGHTLY_CRON
-  only_if: $CIRRUS_CRON != $NIGHTLY_CRON
-
-except_external_pr_or_cron: &EXCEPT_ON_PR_OR_CRON
-  only_if: $CIRRUS_PRERELEASE != "true" && $CIRRUS_PR == "" && $CIRRUS_CRON != $NIGHTLY_CRON
-
-only_on_non_release_draft_template: &ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
-  only_if: $CIRRUS_PRERELEASE != "true"
-
-docker_build_container_template: &CONTAINER_TEMPLATE
-  dockerfile: .cirrus/Dockerfile
-  docker_arguments:
-      CIRRUS_AWS_ACCOUNT: ${CIRRUS_AWS_ACCOUNT}
-  cluster_name: ${CIRRUS_CLUSTER_NAME}
-  builder_role: cirrus-builder
-  builder_image: docker-builder-v*
-  builder_instance_type: t2.small
-  region: eu-central-1
-  namespace: default
-  cpu: 1
-  memory: 1Gb
-
-container_template: &STD_CONTAINER_TEMPLATE
-  image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j11-latest
-  cluster_name: ${CIRRUS_CLUSTER_NAME}
-  region: eu-central-1
-  namespace: default
-  cpu: 1
-  memory: 1Gb
-
-vm_instance_template: &VM_TEMPLATE
-  image: docker-builder-v*
-  type: t2.xlarge
-  region: eu-central-1
-  cpu: 4
-  memory: 16Gb
-
-clone_script_template: &CLONE_SCRIPT_TEMPLATE
-  clone_script: |
-    if [ -z "$CIRRUS_PR" ]; then
-      git clone --recursive --branch=$CIRRUS_BRANCH https://github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
-      git reset --hard $CIRRUS_CHANGE_IN_REPO
-    else
-      git clone --recursive https://github.com/${CIRRUS_REPO_FULL_NAME}.git $CIRRUS_WORKING_DIR
-      git fetch origin pull/$CIRRUS_PR/head:pull/$CIRRUS_PR
-      git reset --hard $CIRRUS_CHANGE_IN_REPO
-    fi
-
-build_gcp_app_template: &BUILD_GCP_APP_TEMPLATE
-  ec2_instance:
-    <<: *VM_TEMPLATE
-  login_to_gcr_script:
-    - export DOCKER_GCLOUD_PASSWORD=$(echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d)
-    - docker login -u _json_key -p "$DOCKER_GCLOUD_PASSWORD" https://${GCLOUD_REGISTRY}
-  install_helm_script:
-    - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
-    - chmod 700 get_helm.sh
-    - ./get_helm.sh
-  helm_dependency_build_script:
-    - ./.cirrus/build_chart_dependencies.sh charts/sonarqube-dce
-  tag_and_promote_script:
-    - export CURRENT_MINOR_VERSION=$(echo ${GCLOUD_TAG} | cut -d '.' -f 1,2)
-    - docker build -f google-cloud-marketplace-k8s-app/Dockerfile --build-arg REGISTRY=${GCLOUD_REGISTRY} --build-arg TAG=${GCLOUD_TAG} --tag ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION} .
-    - docker tag ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION} ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${GCLOUD_TAG}
-    - docker push ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${GCLOUD_TAG}
-    - docker push ${GCLOUD_REGISTRY}/${GCLOUD_PRODUCT_NAME}/deployer:${CURRENT_MINOR_VERSION}
-
-build_gcp_staging_app_task:
-  <<: *BUILD_GCP_APP_TEMPLATE
-  only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $TRIGGER == "PUSH_PROD_DEPLOYER" || $BRANCH == "master"
-  env:
-    GCLOUD_PRODUCT_NAME: sonarqube-dce-staging
-
-verify_gcp_app_template: &VERIFY_GCP_APP_TEMPLATE
-  only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $BRANCH == "master"
-  env:
-    BASE_FOLDER: "/root/.gcp/cache"
-    PATH: "${BASE_FOLDER}:${BASE_FOLDER}/google-cloud-sdk/bin:${PATH}"
-    KUBE_CONFIG: "/tmp/kubeconfig"
-    KUBECONFIG: "${KUBE_CONFIG}"
-    HOME: "/tmp"
-    GCLOUD_CLI_VERSION: 495.0.0
-    MPDEV_VERSION: 0.12.4
-  gcp_cache:
-    folder: ${BASE_FOLDER}
-    fingerprint_script: echo "${GCLOUD_CLI_VERSION}+${MPDEV_VERSION}"
-    populate_script: 
-      - ./.cirrus/setup.sh
-  ec2_instance:
-    <<: *VM_TEMPLATE
-  login_script:
-    - echo ${DOCKER_GCLOUD_SA_KEY} | base64 -d > /tmp/key.json
-    - gcloud auth activate-service-account cirrusciservice@sonarqube-marketplace-provider.iam.gserviceaccount.com --key-file /tmp/key.json --project=sonarqube-marketplace-provider
-    - gcloud auth configure-docker gcr.io --quiet
-    - gcloud container clusters get-credentials sonarqube-marketplace-staging-standard --zone=europe-west1-b --project=sonarqube-marketplace-provider
-  verify_script:
-    - kubectl get pods
-    - mpdev verify --deployer=$GCLOUD_REGISTRY/$GCLOUD_PRODUCT_NAME/deployer:$GCLOUD_TAG --wait_timeout=1200 --parameters='{"name":"${GCLOUD_PRODUCT_NAME}-cirrus-test", "namespace":"test-cirrus","ApplicationNodes.jwtSecret":"dZ0EB0KxnF++nr5+4vfTCaun/eWbv6gOoXodiAMqcFo=", "postgresql.enabled":true, "jdbcOverwrite.enabled":false }'
-  depends_on:
-    - build_gcp_staging_app
-
-verify_gcp_staging_app_task:
-  <<: *VERIFY_GCP_APP_TEMPLATE
-  only_if: $TRIGGER == "PUSH_STAGING_DEPLOYER" || $TRIGGER == "PUSH_PROD_DEPLOYER" || $BRANCH == "master"
-  env:
-    GCLOUD_PRODUCT_NAME: sonarqube-dce-staging
-  depends_on:
-    - build_gcp_staging_app
-
-chart_static_compatibility_test_task:
-  <<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
-  timeout_in: 30m
-  eks_container:
-    <<: *CONTAINER_TEMPLATE
-    cpu: 1
-    memory: 1Gb
-  <<: *CLONE_SCRIPT_TEMPLATE
-  script:
-    - ./.cirrus/build_chart_dependencies.sh charts/sonarqube
-    - ./.cirrus/unit_helm_compatibility_test.sh sonarqube
-    - ./.cirrus/build_chart_dependencies.sh charts/sonarqube-dce
-    - ./.cirrus/unit_helm_compatibility_test.sh sonarqube-dce
-
 chart_fixture_test_task:
   <<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
+  skip: "!changesInclude('charts/**/*', '.cirrus/*')"
   timeout_in: 30m
   eks_container:
     <<: *CONTAINER_TEMPLATE
@@ -153,6 +15,7 @@ chart_fixture_test_task:
 
 chart_testing_on_kind_task:
   <<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
+  skip: "!changesInclude('charts/**/*', '.cirrus/*')"
   timeout_in: 1h
   ec2_instance:
     <<: *VM_TEMPLATE
@@ -162,7 +25,7 @@ chart_testing_on_kind_task:
     - kind create cluster
     - kubectl cluster-info --context kind-kind
     - kubectl get nodes
-    - kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f - 
+    - kubectl create namespace test --dry-run=client -o yaml | kubectl apply -f -
     - kubectl create secret docker-registry pullsecret --namespace test --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f -
   script:
     - ct lint --config test.yaml --all
@@ -173,124 +36,3 @@ chart_testing_on_kind_task:
     - ah lint
   depends_on:
     - chart_static_compatibility_test
-
-chart_testing_on_openshift_task:
-  <<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
-  timeout_in: 1h
-  eks_container:
-    <<: *CONTAINER_TEMPLATE
-    cpu: 2
-    memory: 4Gb
-  authenticate_to_openshift_script:
-    - ./.cirrus/openshift_auth.sh
-  matrix:
-    - name: chart_testing_on_openshift_sonarqube
-      env:
-        - VERIFYING_CHART: sonarqube
-    - name: chart_testing_on_openshift_sonarqube_dce
-      env:
-        - VERIFYING_CHART: sonarqube-dce
-  setup_script:
-    - oc new-project "${VERIFYING_CHART}" --display-name="Test Project" --description="This is a test project for testing ${VERIFYING_CHART} from Cirrus" || oc project "${VERIFYING_CHART}"
-    - kubectl create secret docker-registry pullsecret --namespace "${VERIFYING_CHART}" --docker-username=${DOCKER_USERNAME} --docker-password=${DOCKER_PASSWORD} --dry-run=client -o yaml | kubectl apply -f -
-    - ./.cirrus/build_chart_dependencies.sh charts/"${VERIFYING_CHART}"
-    - chart-verifier version
-  script:
-    - mkdir -p "$(pwd)/report-${VERIFYING_CHART}"
-    - chart-verifier verify charts/"${VERIFYING_CHART}" --helm-install-timeout 20m -F charts/"${VERIFYING_CHART}"/openshift-verifier/values.yaml -n "${VERIFYING_CHART}" --openshift-version 4.16 > "$(pwd)/report-${VERIFYING_CHART}/report.yaml"
-  verifier_report_artifacts:
-    path: "report-*/*.yaml"
-  check_violations_script:
-    - cat "report-${VERIFYING_CHART}/report.yaml" | ./.cirrus/verify_openshift.sh
-  always:
-    cleanup_script:
-      - oc delete project "${VERIFYING_CHART}"
-  depends_on:
-    - chart_static_compatibility_test
-
-chart_packaging_task:
-  <<: *ONLY_ON_NON_RELEASE_DRAFT_TEMPLATE
-  timeout_in: 15m
-  eks_container:
-    <<: *CONTAINER_TEMPLATE
-    cpu: 2
-    memory: 1Gb
-  <<: *CLONE_SCRIPT_TEMPLATE
-  environment_cache:
-    folder: ${CIRRUS_WORKING_DIR}/*.tgz*
-    fingerprint_script: echo $CIRRUS_BUILD_ID
-  env:
-    GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-releases token]
-    SONARSOURCE_SIGN_KEY: VAULT[development/kv/data/sign data.key]
-    SONARSOURCE_SIGN_KEY_ID: VAULT[development/kv/data/sign data.key_id]
-    SONARSOURCE_SIGN_KEY_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
-  key_file:
-    path: /tmp/key
-    variable_name: SONARSOURCE_SIGN_KEY
-  script:
-    - source cirrus-env BUILD
-    - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-    - helm repo add bitnami-pre2022 https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
-    - helm repo update
-    - ./.cirrus/package.sh
-    - ./.cirrus/sign_chart.sh
-  depends_on:
-    - chart_testing_on_kind
-    - chart_testing_on_openshift_sonarqube
-    - chart_testing_on_openshift_sonarqube_dce
-
-push_to_repox_task:
-  <<: *EXCEPT_ON_PR_OR_CRON
-  timeout_in: 15m
-  eks_container:
-    <<: *STD_CONTAINER_TEMPLATE
-    cpu: 1
-    memory: 1Gb
-  <<: *CLONE_SCRIPT_TEMPLATE
-  environment_cache:
-    folder: ${CIRRUS_WORKING_DIR}/*.tgz*
-    fingerprint_script: echo $CIRRUS_BUILD_ID
-  env:
-    ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
-    ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
-  script:
-    - source cirrus-env ""
-    - ./.cirrus/upload_chart.sh
-  depends_on:
-    - chart_packaging
-
-trigger_release_task:
-  timeout_in: 15m
-  eks_container:
-    <<: *STD_CONTAINER_TEMPLATE
-    cpu: 1
-    memory: 1Gb
-  only_if: $CIRRUS_PRERELEASE != "true" && $CIRRUS_RELEASE != ""
-  <<: *CLONE_SCRIPT_TEMPLATE
-  stateful: 'true'
-  environment_cache:
-    folder: ${CIRRUS_WORKING_DIR}/*.tgz*
-    fingerprint_script: echo $CIRRUS_BUILD_ID
-  env:
-    GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-releases token]
-    SLACK_TOKEN: VAULT[development/kv/data/slack data.token]
-  gh_action_script: |
-    source cirrus-env RELEASE
-    CHARTS=$(find $CIRRUS_WORKING_DIR -maxdepth 1 -name "*.tgz*" -type f -exec basename "{}" ";")
-    [[ "x$CHARTS" == "x" ]] && exit 0
-    gh workflow run release.yml -f version=$CIRRUS_TAG -f buildNumber=$BUILD_NUMBER
-  depends_on:
-    - chart_packaging
-    - push_to_repox
-  on_failure:
-    slack_notification_script:
-      - ./.cirrus/slack-notification.sh
-
-release_gcp_prod_app_task:
-  <<: *BUILD_GCP_APP_TEMPLATE
-  only_if: $TRIGGER == "PUSH_PROD_DEPLOYER"
-  env:
-    GCLOUD_REGISTRY: gcr.io/sonarsource-public
-    GCLOUD_PRODUCT_NAME: official-sonarqube-data-center-edition
-  depends_on:
-    - verify_gcp_staging_app