Backport from master (Weekly) in stable-2.541 for LTS 2.541.1

.github/ISSUE_TEMPLATE/1-lts-release-checklist.md

@@ -25,14 +25,13 @@ This role should rotate between LTS releases
     If the last release of the preceding LTS line is a security release, consider making the matching weekly release the [new LTS baseline](https://groups.google.com/g/jenkinsci-dev/c/ca7Lp0x6Kqs/m/QwHj66hZAgAJ).
     For example, 2.462.3 LTS and 2.479 were security releases and it is simpler to use 2.479 as baseline than 2.477.
 
-- [ ] Create or update release branch in [jenkinsci/jenkins](https://github.com/jenkinsci/jenkins), e.g. `stable-2.387`, use the [init-lts-line](https://github.com/jenkins-infra/release/blob/master/tools/init-lts-line) script or carry out the equivalent steps therein.
+- [ ] Create or update the release branches in all the repositories below, e.g. `stable-2.387` with the [init-lts-line](https://github.com/jenkins-infra/release/blob/master/tools/init-lts-line) script or carry out the equivalent steps therein. For more info, refer to [stable](https://github.com/jenkins-infra/release#stable).
+  - [ ] [jenkinsci/jenkins](https://github.com/jenkinsci/jenkins)
+  - [ ] [jenkinsci/packaging](https://github.com/jenkinsci/packaging)
+  - [ ] [jenkins-infra/release](https://github.com/jenkins-infra/release)
 
-- [ ] Create or update release branch in [jenkins-infra/release](https://github.com/jenkins-infra/release), e.g. `stable-2.387`. Strike out for initial release.
-  - [ ] Modify the `RELEASE_GIT_BRANCH` and `JENKINS_VERSION` values in the environment file (`profile.d/stable`) to match the release.
-  - [ ] Modify the `PACKAGING_GIT_BRANCH` value in the packaging script (`Jenkinsfile.d/core/package`) to match the release.
-  - For more info, refer to [stable](https://github.com/jenkins-infra/release#stable).
-
-- [ ] Create or update release branch in [jenkinsci/packaging](https://github.com/jenkinsci/packaging), e.g. `stable-2.387`. Strike out for new point release.
+- [ ] Check with the Jenkins Infrastructure team for backports on both repositories [jenkinsci/packaging](https://github.com/jenkinsci/packaging) and [jenkins-infra/release](https://github.com/jenkins-infra/release) as per https://github.com/jenkins-infra/release/blob/master/docs/releases.md#open-a-backporting-pr.
+  - A message in the Matrix channel `#jenkins-infra` mentioning this issue and this item is enough: they will own the backports
 
 - [ ] Create a pull request to update [bom](https://github.com/jenkinsci/bom) to the weekly version that will be the base of the release line (and strike this out for new point release).
       Assure that the [bom-weekly version number](https://github.com/jenkinsci/bom/blob/master/sample-plugin/pom.xml#L17) is already testing the base of the release line or a version newer than the base of the release line.

Jenkinsfile.d/core/package

@@ -62,11 +62,6 @@ pipeline {
       description: 'Enable Windows Packaging',
       name: 'WINDOWS_PACKAGING_ENABLED'
     )
-    booleanParam(
-      defaultValue: false,
-      description: 'Force bootstrap (cleanup + initialization from production) of the packages staging environment if data from previous staged build is present.',
-      name: 'FORCE_STAGING_BOOTSTRAP_PARAM'
-    )
     booleanParam(
       defaultValue: false,
       description: 'Select this checkbox if you want to disable promotion to production (e.g. only publish to staging).',
@@ -96,8 +91,9 @@ pipeline {
     AZURE_VAULT_CLIENT_SECRET = credentials('azure-vault-client-secret')
     AZURE_VAULT_TENANT_ID     = credentials('azure-vault-tenant-id')
     GPG_FILE                  = 'jenkins-release.gpg'
-    GPG_PASSPHRASE            = credentials('release-gpg-passphrase-2023')
-    PACKAGING_GIT_REPOSITORY  = 'git@github.com:jenkinsci/packaging.git'
+    GPG_PASSPHRASE            = credentials('release-gpg-passphrase-2026')
+    // Using HTTPS with no credentials - https://github.com/jenkins-infra/helpdesk/issues/4909 - need a GH app if rate limited or need to write things to git
+    PACKAGING_GIT_REPOSITORY  = 'https://github.com/jenkinsci/packaging.git'
     PACKAGING_GIT_BRANCH      = 'stable-2.541'
     SIGN_KEYSTORE_FILENAME    = 'jenkins.pfx'
     SIGN_STOREPASS            = credentials('signing-cert-pass-2023')
@@ -114,7 +110,6 @@ pipeline {
     BASE_BIN_DIR              = "${env.GET_JENKINS_IO_STAGING}/${env.BRANCH_NAME.replaceAll('\\.', '_').replaceAll('\\/', '_').replaceAll('\\:', '_')}"
     // Sanitize URL to avoid nested subdomains and other URL bad surprises: "feat/foo-stable:2.539" => "feat_foo-stable_2_539"
     BASE_PKG_DIR              = "${env.PKG_JENKINS_IO_STAGING}/${env.BRANCH_NAME.replaceAll('\\.', '_').replaceAll('\\/', '_').replaceAll('\\:', '_')}"
-    FORCE_STAGING_BOOTSTRAP   = "${params.containsKey("FORCE_STAGING_BOOTSTRAP_PARAM") ? params.FORCE_STAGING_BOOTSTRAP_PARAM : false}"
     ONLY_STAGING              = "${params.containsKey("ONLY_STAGING_PARAM") ? params.ONLY_STAGING_PARAM : false}"
     ONLY_PROMOTION            = "${params.containsKey("ONLY_PROMOTION_PARAM") ? params.ONLY_PROMOTION_PARAM : false}"
   }
@@ -149,7 +144,7 @@ pipeline {
           steps {
             checkout scm
             dir (WORKING_DIRECTORY) {
-              git branch: PACKAGING_GIT_BRANCH, credentialsId: 'release-key', url: PACKAGING_GIT_REPOSITORY
+              git branch: PACKAGING_GIT_BRANCH, url: PACKAGING_GIT_REPOSITORY
             }
 
             sh '''
@@ -176,20 +171,7 @@ pipeline {
         stage('Prepare package staging environment') {
           steps {
             sh '''
-              # Bootstrap (e.g. reset to production) all stagings for this branch if requested by the user or if missing a directory
-              if [ "${FORCE_STAGING_BOOTSTRAP}" = "true" ] || [ ! -d "${BASE_BIN_DIR}" ] || [ ! -d "${BASE_PKG_DIR}" ]
-              then
-                echo "Bootstrap (reset to production) of the staging environment for ${BASE_BIN_DIR} and ${BASE_PKG_DIR} directories..."
-                rm -rf "${BASE_BIN_DIR}" "${BASE_PKG_DIR}"
-                mkdir -p "${BASE_BIN_DIR}" "${BASE_PKG_DIR}"
-
-                # TODO: Initialize from production with symlinks?
-                # Initialize from production only for RPMs to get the history when rebuilding index (debian don't care)
-                rsync -avtz --chown=1000:1000 "${GET_JENKINS_IO_PRODUCTION}/rpm" "${BASE_BIN_DIR}/"
-
-                # Initialize from production as we need an initial package state. We don't sync old package index which are kept in production.
-                rsync -avtz --chown=1000:1000 --exclude="*-legacy/*" "${PKG_JENKINS_IO_PRODUCTION}/" "${BASE_PKG_DIR}/"
-              fi
+              ./utils/release.bash --prepareStaging
             '''
           }
         }
@@ -277,7 +259,7 @@ pipeline {
                     container('dotnet') {
                       checkout scm
                       dir (WORKING_DIRECTORY) {
-                        git branch: PACKAGING_GIT_BRANCH, credentialsId: 'release-key', url: PACKAGING_GIT_REPOSITORY
+                        git branch: PACKAGING_GIT_BRANCH, url: PACKAGING_GIT_REPOSITORY
 
                         unstash 'GPG'
                         unstash 'WAR'
@@ -343,24 +325,22 @@ pipeline {
       }
       environment {
         SSH_HOSTKEY_ARCHIVES_JENKINS_IO   = credentials('ssh-hostkey-archives.jenkins.io')
-        SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO = credentials('ssh-hostkey-pkg.origin.jenkins.io')
       }
       steps {
         sshagent(credentials: [
-          'pkgserver',
           'archives.jenkins.io',
         ]) {
           sh '''
               mkdir -m 700 -p "${HOME}/.ssh"
-          cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" "${SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
+          cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
           '''
           sh '''
             ./utils/release.bash --promotePackages
           '''
         }
       }
     }
-    stage('Invalidate Fastly Cache') {
+    stage('Invalidate Fastly Cache for pkg.jenkins.io') {
       when {
         environment name: 'ONLY_STAGING', value: 'false'
       }

Jenkinsfile.d/core/release

@@ -54,7 +54,7 @@ pipeline {
     AZURE_VAULT_CLIENT_ID         = credentials('azure-vault-client-id')
     AZURE_VAULT_CLIENT_SECRET     = credentials('azure-vault-client-secret')
     AZURE_VAULT_TENANT_ID         = credentials('azure-vault-tenant-id')
-    GPG_PASSPHRASE                = credentials('release-gpg-passphrase-2023')
+    GPG_PASSPHRASE                = credentials('release-gpg-passphrase-2026')
     GPG_FILE                      = 'jenkins-release.gpg'
     MAVEN_REPOSITORY_USERNAME     = credentials('maven-repository-username')
     MAVEN_REPOSITORY_PASSWORD     = credentials('maven-repository-password')

Jenkinsfile.d/infra-agents-health

@@ -15,6 +15,10 @@ pipeline {
     AZURE_VAULT_CLIENT_ID     = credentials('azure-vault-client-id')
     AZURE_VAULT_CLIENT_SECRET = credentials('azure-vault-client-secret')
     AZURE_VAULT_TENANT_ID     = credentials('azure-vault-tenant-id')
+    // Using HTTPS with no credentials - https://github.com/jenkins-infra/helpdesk/issues/4909 - need a GH app if rate limited or need to write things to git
+    PACKAGING_GIT_REPOSITORY  = 'https://github.com/jenkinsci/packaging.git'
+    PACKAGING_GIT_BRANCH      = 'master'
+    WORKING_DIRECTORY         = "release"
   }
 
   stages {
@@ -28,13 +32,15 @@ pipeline {
           }
           environment {
             SSH_HOSTKEY_ARCHIVES_JENKINS_IO = credentials('ssh-hostkey-archives.jenkins.io')
-            SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO = credentials('ssh-hostkey-pkg.origin.jenkins.io')
           }
           steps {
+            checkout scm
+
             // Ensure we can get the secondary git repository used for packaging
-            dir ('./release'){
-              git branch: 'master', credentialsId: 'release-key', url: 'git@github.com:jenkinsci/packaging.git'
+            dir (WORKING_DIRECTORY) {
+              git branch: PACKAGING_GIT_BRANCH, url: PACKAGING_GIT_REPOSITORY
             }
+
             // Ensure we can retrieve the Code Signing Certificate'
             sh '''
             utils/release.bash --downloadAzureKeyvaultSecret
@@ -56,9 +62,8 @@ pipeline {
             ]) {
               sh '''
               mkdir -m 700 -p "${HOME}/.ssh"
-              cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" "${SSH_HOSTKEY_PKG_ORIGIN_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
+              cat "${SSH_HOSTKEY_ARCHIVES_JENKINS_IO}" >> "${HOME}/.ssh/known_hosts"
               ssh -v mirrorsync@archives.jenkins.io whoami
-              ssh -v mirrorbrain@pkg.origin.jenkins.io whoami
               '''
             }
           }
@@ -95,6 +100,14 @@ pipeline {
             container('dotnet') {
                 powershell 'msbuild -version'
             }
+
+            container('dotnet') {
+              checkout scm
+              // Ensure we can get the secondary git repository used for packaging
+              dir (WORKING_DIRECTORY) {
+                git branch: PACKAGING_GIT_BRANCH, url: PACKAGING_GIT_REPOSITORY
+              }
+            }
           }
         }
       }

PodTemplates.d/package-windows.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   serviceAccountName: release-ci-jenkins-io-agents
   containers:
-  - image: jenkins/inbound-agent:3355.v388858a_47b_33-3-jdk21-nanoserver-1809
+  - image: jenkins/inbound-agent:3355.v388858a_47b_33-3-jdk21-nanoserver-ltsc2022
     imagePullPolicy: "IfNotPresent"
     name: "jnlp"
     env:
@@ -31,7 +31,7 @@ spec:
       - Start-Sleep -s 2147483 # We must be sure that the process used by the container doesn't stop before the Jenkins job and second is not greater than 2147483
     command:
       - "powershell.exe"
-    image: "mcr.microsoft.com/dotnet/framework/sdk:3.5"
+    image: "mcr.microsoft.com/dotnet/framework/sdk:3.5-windowsservercore-ltsc2022"
     imagePullPolicy: "IfNotPresent"
     name: "dotnet"
     resources:
@@ -45,13 +45,17 @@ spec:
       privileged: false
     tty: false
   nodeSelector:
-    kubernetes.azure.com/agentpool: w2019
+    kubernetes.azure.com/agentpool: w2022
     kubernetes.io/os: windows
   tolerations:
     - key: "os"
       operator: "Equal"
       value: "windows"
       effect: "NoSchedule"
+    - key: "version"
+      operator: "Equal"
+      value: "windows2022"
+      effect: "NoSchedule"
     - key: "jenkins"
       operator: "Equal"
       value: "release.ci.jenkins.io"

README.adoc

@@ -365,6 +365,8 @@ All steps need to be done twice: Once for weekly, once for LTS.
 
 ==== Staging (before release day)
 
+===== Maven Artifacts
+
 To stage the Maven artifacts, trigger the generic Release link:https://release.ci.jenkins.io/job/core/job/release/[job] from the appropriate branch like `security-stable-2.303.2`.
 
 To do that, follow these steps:
@@ -377,16 +379,35 @@ To do that, follow these steps:
 ... `MAVEN_REPOSITORY_NAME` set to `unused` as we already define it in the release profile file, which overrides the job parameter
 ... `VALIDATION_ENABLED` set to true if the validation stage should run
 
-==== Publishing (on release day)
+===== Packages
 
-. To create and publish packages, trigger the generic Packaging job link:https://release.ci.jenkins.io/job/core/job/package/[job] from the appropriate branch like `security-stable-2.303.2` with correct parameters
+. To create and stage packages (except Docker images), trigger the generic Packaging job link:https://release.ci.jenkins.io/job/core/job/package/[job] from the appropriate branch like `security-stable-2.303.2` with correct parameters
 .. `RELEASE_PROFILE` set to `security`
+.. `JENKINS_VERSION` set to `unused` same reason as before
 .. `RELEASE_GIT_BRANCH`  set to `unused` same reason as before
 .. `MAVEN_REPOSITORY_NAME` set to `unused` same reason as before
-.. `MAVEN_REPOSITORY_PRODUCTION_NAME` set to `unused`
+.. `MAVEN_REPOSITORY_PRODUCTION_NAME` set to `unused` same reason as before
+.. `MAVEN_STAGING_REPOSITORY_PROMOTION_ENABLED` set to false (manually done by publishing-tool in a parallel process)
+.. `GIT_STAGING_REPOSITORY_PROMOTION_ENABLED` set to false (manually merged by security team)
+.. `VALIDATION_ENABLED` set to true (we want a summary of what need to be done at the beginning)
+.. `WINDOWS_PACKAGING_ENABLED` set to true (we want to generate and stage Windows package along with other packages)
+.. `ONLY_STAGING_PARAM` set to true (we only want to stage, not publish)
+.. `ONLY_PROMOTION_PARAM` set to false (we only want to stage, not publish)
+
+==== Publishing (on release day)
+
+. To publish packages from staging, trigger the generic Packaging job link:https://release.ci.jenkins.io/job/core/job/package/[job] from the appropriate branch like `security-stable-2.303.2` with correct parameters
+.. `RELEASE_PROFILE` set to `security`
+.. `JENKINS_VERSION` set to `unused` same reason as before
+.. `RELEASE_GIT_BRANCH` set to `unused` same reason as before
+.. `MAVEN_REPOSITORY_NAME` set to `unused` same reason as before
+.. `MAVEN_REPOSITORY_PRODUCTION_NAME` set to `unused` same reason as before
 .. `MAVEN_STAGING_REPOSITORY_PROMOTION_ENABLED` set to false (manually done by publishing-tool in a parallel process)
 .. `GIT_STAGING_REPOSITORY_PROMOTION_ENABLED` set to false (manually merged by security team)
-.. `VALIDATION_ENABLED` set to true
+.. `VALIDATION_ENABLED` set to true (we want a summary of what need to be done at the beginning)
+.. `WINDOWS_PACKAGING_ENABLED` set to **false** (no package generation)
+.. `ONLY_STAGING_PARAM` set to **false** (we don't want to stage anything)
+.. `ONLY_PROMOTION_PARAM` set to **true** (we only want to publish)
 
 == Certificate
 

env/package.mk

@@ -1,6 +1,7 @@
 #
 # Environment definition for the packaging process
 #
+# Note: avoid double quotes in this file (make interpret them as literal characters)
 
 # where to put binary files
 export WARDIR=${BASE_BIN_DIR}/war${RELEASELINE}
@@ -17,3 +18,6 @@ export DEB_WEBDIR=${BASE_PKG_DIR}/debian${RELEASELINE}
 WEBSERVER=https://pkg.jenkins.io
 export RPM_URL=${WEBSERVER}/rpm${RELEASELINE}
 export DEB_URL=${WEBSERVER}/debian${RELEASELINE}
+
+# Exposed GPG public key
+export GPG_PUBLIC_KEY_FILENAME=jenkins.io-2026.key

profile.d/experimental

@@ -3,8 +3,8 @@ RELEASE_GIT_REPOSITORY=git@github.com:olblak/jenkins.git
 JENKINS_VERSION=latest
 GIT_EMAIL=66998184+jenkins-release-bot@users.noreply.github.com
 GIT_NAME="Jenkins Release Bot"
-GPG_KEYNAME="63667EE74BBA1F0A08A698725BA31D57EF5975CA"
-GPG_VAULT_NAME="jenkins-release-pgp-2023"
+GPG_KEYNAME="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"
+GPG_VAULT_NAME="jenkins-release-pgp-2026"
 MAVEN_REPOSITORY_URL='https://repo.jenkins-ci.org'
 MAVEN_REPOSITORY_NAME=olblak-sandbox
 MAVEN_PUBLIC_JENKINS_REPOSITORY_MIRROR_URL='https://repo.jenkins-ci.org/public/'

profile.d/security

@@ -9,8 +9,8 @@ RELEASE_GIT_REPOSITORY=git@github.com:jenkinsci-cert/jenkins.git
 #
 GIT_EMAIL=66998184+jenkins-release-bot@users.noreply.github.com
 GIT_NAME="Jenkins Release Bot"
-GPG_KEYNAME="63667EE74BBA1F0A08A698725BA31D57EF5975CA"
-GPG_VAULT_NAME="jenkins-release-pgp-2023"
+GPG_KEYNAME="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"
+GPG_VAULT_NAME="jenkins-release-pgp-2026"
 MAVEN_REPOSITORY_URL=https://repo.jenkins-ci.org
 MAVEN_PUBLIC_JENKINS_REPOSITORY_MIRROR_URL='https://repo.jenkins-ci.org/public/'
 SIGN_ALIAS=jenkins

profile.d/stable

@@ -6,8 +6,8 @@ RELEASE_GIT_BRANCH=stable-2.541
 RELEASE_GIT_REPOSITORY=git@github.com:jenkinsci/jenkins.git
 GIT_EMAIL=66998184+jenkins-release-bot@users.noreply.github.com
 GIT_NAME="Jenkins Release Bot"
-GPG_KEYNAME="63667EE74BBA1F0A08A698725BA31D57EF5975CA"
-GPG_VAULT_NAME="jenkins-release-pgp-2023"
+GPG_KEYNAME="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"
+GPG_VAULT_NAME="jenkins-release-pgp-2026"
 MAVEN_REPOSITORY_URL='https://repo.jenkins-ci.org'
 MAVEN_REPOSITORY_NAME=releases
 MAVEN_PUBLIC_JENKINS_REPOSITORY_MIRROR_URL='https://repo.jenkins-ci.org/public/'

profile.d/stable-rc

@@ -6,8 +6,8 @@ RELEASE_GIT_BRANCH=master
 RELEASE_GIT_REPOSITORY=git@github.com:jenkinsci/jenkins.git
 GIT_EMAIL=66998184+jenkins-release-bot@users.noreply.github.com
 GIT_NAME="Jenkins Release Bot"
-GPG_KEYNAME="63667EE74BBA1F0A08A698725BA31D57EF5975CA"
-GPG_VAULT_NAME="jenkins-release-pgp-2023"
+GPG_KEYNAME="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"
+GPG_VAULT_NAME="jenkins-release-pgp-2026"
 MAVEN_REPOSITORY_URL='https://repo.jenkins-ci.org'
 MAVEN_REPOSITORY_NAME=snapshots
 SIGN_ALIAS=jenkins
@@ -16,7 +16,7 @@ SIGN_ALIAS=jenkins
 # but instead looking at the value for metadata.versioning.latest from the maven-metadata.xml
 # this approach doesn't allow to use the same maven-repository than weekly releases.
 #
-JENKINS_VERSION=latest 
+JENKINS_VERSION=latest
 
 # Used by jenkinsci/packaging
 RELEASELINE=-stable-rc

profile.d/weekly

@@ -6,8 +6,8 @@ RELEASE_GIT_BRANCH=master
 RELEASE_GIT_REPOSITORY=git@github.com:jenkinsci/jenkins.git
 GIT_EMAIL=66998184+jenkins-release-bot@users.noreply.github.com
 GIT_NAME="Jenkins Release Bot"
-GPG_KEYNAME="63667EE74BBA1F0A08A698725BA31D57EF5975CA"
-GPG_VAULT_NAME="jenkins-release-pgp-2023"
+GPG_KEYNAME="5E386EADB55F01504CAE8BCF7198F4B714ABFC68"
+GPG_VAULT_NAME="jenkins-release-pgp-2026"
 MAVEN_REPOSITORY_URL='https://repo.jenkins-ci.org'
 MAVEN_REPOSITORY_NAME=releases
 MAVEN_PUBLIC_JENKINS_REPOSITORY_MIRROR_URL='https://repo.jenkins-ci.org/public/'