diff --git a/.ci/jenkins/Jenkinsfile.deploy b/.ci/jenkins/Jenkinsfile.deploy
index 694df3e6d29..20b20701bb1 100644
--- a/.ci/jenkins/Jenkinsfile.deploy
+++ b/.ci/jenkins/Jenkinsfile.deploy
@@ -127,29 +127,22 @@ pipeline {
 .withProperty('maven.test.failure.ignore', true)
 .skipTests(params.SKIP_TESTS)
- if (isRelease()) {
- withCredentials([file(credentialsId: 'asf-release-gpg-signing-key', variable: 'SIGNING_KEY')]) {
- withCredentials([file(credentialsId: 'asf-release-gpg-signing-key-password', variable: 'SIGNING_KEY_PASSWORD')]) {
- // copy the key to singkey.gpg file in *plain text* so we can import it
- sh ("cat \"${SIGNING_KEY}\" > \"${WORKSPACE}\"/signkey.gpg")
- // Please do not remove list keys command. When gpg is run for the first time, it may initialize some internals.
- sh ('gpg --list-keys')
- sh ("gpg --batch --pinentry-mode=loopback --passphrase \"${SIGNING_KEY_PASSWORD}\" --import \"${WORKSPACE}\"/signkey.gpg")
- sh ("rm \"${WORKSPACE}\"/signkey.gpg")
+ def Closure mavenRunClosure = {
+ configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
+ mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
+ }
+ }
+ if (isRelease()) {
+ release.gpgImportKeyFromFileWithPassword(getReleaseGpgSignKeyCredsId(), getReleaseGpgSignPassphraseCredsId())
+ withCredentials([string(credentialsId: getReleaseGpgSignPassphraseCredsId(), variable: 'SIGNING_KEY_PASSWORD')]) {
 mavenCommand.withProperty('gpg.passphrase', SIGNING_KEY_PASSWORD)
 .withProfiles(['apache-release'])
- // If there are passwords, this needs to be duplicated within the withCredentials block.
- configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
- mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
- }
+ mavenRunClosure()
 }
- }
 } else {
- configFileProvider([configFile(fileId: env.MAVEN_SETTINGS_CONFIG_FILE_ID, variable: 'MAVEN_SETTINGS_FILE')]) {
- mavenCommand.withSettingsXmlFile(MAVEN_SETTINGS_FILE).run("clean $installOrDeploy")
- }
+ mavenRunClosure()
 }
 }
 }
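Review bot: The release branch still hands the signing passphrase to Maven through `mavenCommand.withProperty('gpg.passphrase', SIGNING_KEY_PASSWORD)`; if `withProperty` renders as a `-D` argument (MavenCommand is defined outside this diff, so that is an assumption), the secret ends up in the Maven process arguments on the agent, where Jenkins log masking does not apply. maven-gpg-plugin 3.2.0 and later read the passphrase from the `MAVEN_GPG_PASSPHRASE` environment variable, so binding the credential with `variable: 'MAVEN_GPG_PASSPHRASE'` and dropping the `gpg.passphrase` property would keep it off the command line, provided the build uses such a plugin version. Separately, nothing visible here removes the imported private key from the agent's keyring once the build ends; unless `release.gpgImportKeyFromFileWithPassword` or the agent lifecycle already takes care of that, a cleanup step under `post { always { ... } }` is worth adding. The enclosing stage starts and ends outside the hunk.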
@@ -302,4 +295,12 @@ MavenCommand getMavenCommand(String directory = '') {
 boolean isMainStream() {
 return env.DROOLS_STREAM == 'main'
-}
\ No newline at end of file
+}
+
+String getReleaseGpgSignKeyCredsId() {
+ return env.RELEASE_GPG_SIGN_KEY_CREDS_ID
+}
+
+String getReleaseGpgSignPassphraseCredsId() {
+ return env.RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID
+}
diff --git a/.ci/jenkins/config/branch.yaml b/.ci/jenkins/config/branch.yaml
index c8c52dde9a3..9d0a8fd67fd 100644
--- a/.ci/jenkins/config/branch.yaml
+++ b/.ci/jenkins/config/branch.yaml
@@ -94,6 +94,11 @@ cloud:
 registry: quay.io
 namespace: tradisso
 latest_git_branch: main
+release:
+ gpg:
+ sign:
+ key-credentials-id: 'asf-release-gpg-signing-key'
+ passphrase-credentials-id: 'asf-release-gpg-signing-key-passphrase'
 jenkins:
 email_creds_id: DROOLS_CI_NOTIFICATION_EMAILS
 agent:
diff --git a/.ci/jenkins/dsl/jobs.groovy b/.ci/jenkins/dsl/jobs.groovy
index 9de7fa8698f..5e92426421d 100644
--- a/.ci/jenkins/dsl/jobs.groovy
+++ b/.ci/jenkins/dsl/jobs.groovy
@@ -322,6 +322,9 @@ void setupDeployJob(JobType jobType) {
 MAVEN_REPO_CREDS_ID: "${MAVEN_ARTIFACTS_UPLOAD_REPOSITORY_CREDS_ID}",
 DROOLS_STREAM: Utils.getStream(this),
+
+ RELEASE_GPG_SIGN_KEY_CREDS_ID: Utils.getReleaseGpgSignKeyCredentialsId(this),
+ RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID: Utils.getReleaseGpgSignPassphraseCredentialsId(this)
 ])
 KogitoJobTemplate.createPipelineJob(this, jobParams)?.with {
 parameters {
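Review bot: Both getters added at the end of Jenkinsfile.deploy return the raw environment value, so a deploy job that has not been regenerated from the updated DSL gets `null` and the release path would fail only later, inside the credentials lookup. A guard such as `return env.RELEASE_GPG_SIGN_KEY_CREDS_ID ?: error('RELEASE_GPG_SIGN_KEY_CREDS_ID is not set')` in `getReleaseGpgSignKeyCredsId()`, and the same pattern in `getReleaseGpgSignPassphraseCredsId()`, stops a misconfigured release job before any signing step and names the missing setting. A one-line comment above each getter saying that the value is injected by `setupDeployJob` in `.ci/jenkins/dsl/jobs.groovy` would also help the next reader trace where it comes from.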
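Review bot: In branch.yaml the passphrase credential id becomes `asf-release-gpg-signing-key-passphrase`, while the Jenkinsfile code removed by this commit used `asf-release-gpg-signing-key-password` bound with `file(...)`; the new Jenkinsfile binds the id with `string(...)`. That works only if a Secret text credential with the new id already exists in the Jenkins credentials store, which the diff cannot show, so it should be confirmed before the next release run. A comment above `release:` stating the expected credential kinds, for example `# passphrase-credentials-id must be a Secret text credential`, would record that requirement next to the ids.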