From f8feaedc7ce75ad5524fab105d0b6d7dc178f9fc Mon Sep 17 00:00:00 2001
From: Fatih Degirmenci <fatih.degirmenci@est.tech>
Date: Sat, 11 Jul 2020 12:55:52 +0000
Subject: [PATCH] Keep tarball and release properties for release

The installer file created by the package role can not be scanned by
JFrog XRAY due to it being an incompatible artifact type. In order for
the artifact to be scanned, it needs to be in one of the supported
formats.

This change updates package role to keep the tarball if the packaging
is run by release job in order to make scanning of artifacts possible.

In addition to keeping the tarball around, release job records release
metadata in release.properties file. This file is needed to be included
in tarball and installer file in order to make the traceability better.

Please note that both of these operations take effect if the release
metadata file /tmp/release.properties exists. This file is only created
by release job on Jenkins and does not exist for manual builds so there
is not change for manual packaging.

Change-Id: I3189806fc7a45b63328dc7236c94119f2ee9e295
---
 playbooks/roles/package/files/build.sh        | 10 +++-
 playbooks/roles/package/tasks/main.yaml       | 12 ++++
 .../roles/package/tasks/record-shas.yaml      | 60 +++++++++++++++++++
 3 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 playbooks/roles/package/tasks/record-shas.yaml

diff --git a/playbooks/roles/package/files/build.sh b/playbooks/roles/package/files/build.sh
index c28264d..fa801b8 100755
--- a/playbooks/roles/package/files/build.sh
+++ b/playbooks/roles/package/files/build.sh
@@ -48,7 +48,13 @@ rm -rf "$OFFLINE_PKG_FOLDER"
 cat /tmp/decompress.sh "$OFFLINE_PKG_FILE" > "$OFFLINE_INSTALLER_FILE"
 chmod +x "$OFFLINE_INSTALLER_FILE"
 
-# remove intermediate offline pkg file
-rm -rf "$OFFLINE_PKG_FILE"
+# NOTE (fdegir): if the packaging is run by release job, that job stored release
+# metadata in release.properties file. If this file exists, we need to keep tarball
+# as that must be uploaded for further delivery. The reason for this is that the
+# installer can not be scanned by XRAY
+if [[ ! -f "/tmp/release.properties" ]]; then
+  # remove intermediate offline pkg file
+  rm -rf "$OFFLINE_PKG_FILE"
+fi
 
 # vim: set ts=2 sw=2 expandtab:
diff --git a/playbooks/roles/package/tasks/main.yaml b/playbooks/roles/package/tasks/main.yaml
index a1296b1..8b025b1 100644
--- a/playbooks/roles/package/tasks/main.yaml
+++ b/playbooks/roles/package/tasks/main.yaml
@@ -75,6 +75,18 @@
     - {src: "install.sh", dest: "{{ offline_pkg_folder }}/install.sh"}
     - {src: "decompress.sh", dest: "/tmp/decompress.sh"}
 
+# check if the packaging is run by release job by looking at /tmp/release.properties
+- name: Check if /tmp/release.properties file exists
+  stat:
+    path: /tmp/release.properties
+  register: release_properties
+
+# record repo shas in release.properties file if it exists and
+# copy release.properties to tarball
+- name: Record engine repo SHAs in release.properties
+  include_tasks: record-shas.yaml
+  when: release_properties.stat.exists
+
 # create tarball
 - name: Create engine installer file
   script: build.sh
diff --git a/playbooks/roles/package/tasks/record-shas.yaml b/playbooks/roles/package/tasks/record-shas.yaml
new file mode 100644
index 0000000..36501bd
--- /dev/null
+++ b/playbooks/roles/package/tasks/record-shas.yaml
@@ -0,0 +1,60 @@
+---
+# ============LICENSE_START=======================================================
+#  Copyright (C) 2019 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+# NOTE (fdegir): ansible-lint complains due to using command module for
+# getting git sha and it is suppressed since it is not possible to get
+# sha using ansible git module
+- name: Fetch commit shas of repos
+  command: git rev-parse HEAD  # noqa 303
+  register: commit_shas
+  with_items:
+    - engine-kubernetes
+    - engine-kubespray
+    - engine-heat
+    - engine-bifrost
+    - engine
+  args:
+    chdir: "/tmp/autorelease/git/{{ item }}"
+  changed_when: false
+
+- name: Populate dictionary to map repos to shas
+  set_fact:
+    repos_shas: "{{ repos_shas|default({}) | combine( {item.item | upper | replace('-', '_') + '_SHA': item.stdout} ) }}"
+  with_items: "{{ commit_shas.results }}"
+
+- name: Log repos and shas to console
+  debug:
+    msg: "{{ item.key }}={{ item.value }}"
+  with_dict: "{{ repos_shas }}"
+
+- name: Record git SHAs to /tmp/release.properties file
+  lineinfile:
+    path: /tmp/release.properties
+    state: present
+    create: true
+    line: "{{ item.key }}={{ item.value }}"
+  with_dict: "{{ repos_shas }}"
+
+- name: Copy /tmp/release.properties into offline package
+  copy:
+    src: /tmp/release.properties
+    dest: "{{ offline_pkg_folder }}/release.properties"
+    force: true
+
+# vim: set ts=2 sw=2 expandtab:
-- 
2.25.1