This repository was archived by the owner on Sep 30, 2024. It is now read-only.
Publish images from patch release branches#63379
Merged
willdollman
commented
Jun 20, 2024
Strum355
reviewed
Jun 20, 2024
| push_prod=true | ||
| elif [[ "$BUILDKITE_BRANCH" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | ||
| # Patch release builds only need to be pushed to internal registries. | ||
| push_prod=false |
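Review bot: the new elif hard-codes the three-number branch scheme (`^[0-9]+\.[0-9]+\.[0-9]+$`, i.e. branches like 5.4.5099), and the follow-up PRs referenced further down this page had to change it once the format moved to 5.5.x under RFC 795; consider stating the expected branch format in the comment above `push_prod=false`, and noting there that these builds are still published (to `us.gcr.io/sourcegraph-dev` with the `<branch>-insiders` tag) rather than skipped, since `push_prod=false` on its own reads as if nothing is pushed.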
Contributor
Would this situation have been previously handled by the elif case right below where push_prod=true is set?
Contributor
Author
"$BUILDKITE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(\-rc\.[0-9]+)?$
That matches against tag rather than branch. I haven't looked to see how that's set (presumably git tag?), but in my test buildkite run BUILDKITE_TAG="".
Strum355
approved these changes
Jun 20, 2024
willdollman
referenced
this pull request
Jul 22, 2024
In order to run nightly vulnerability scans of Sourcegraph releases, we need to publish a new set of images whenever the release branch is pushed to. Previously, this was implemented in https://github.com/sourcegraph/sourcegraph/pull/63379 but with RFC 795 the release branch format changed from 5.5.1234 to 5.5.x. This PR updates the regex to catch this new format. The end result of this is that whenever Buildkite runs on a branch matching `\d.\d.x`, it will push images to the `us.gcr.io/sourcegraph-dev/gitserver` registry with the tag `$branch-insiders`. I've also tagged this PR for backport as we want it on the current patch release branch 5.5.x :)

## Test plan

- Test buildkite run on branch `will-0.0.x` (with modified regex to match that branch) https://buildkite.com/sourcegraph/sourcegraph/builds/283608

## Changelog
sourcegraph-release-bot
referenced
this pull request
Jul 22, 2024
In order to run nightly vulnerability scans of Sourcegraph releases, we need to publish a new set of images whenever the release branch is pushed to. Previously, this was implemented in https://github.com/sourcegraph/sourcegraph/pull/63379 but with RFC 795 the release branch format changed from 5.5.1234 to 5.5.x. This PR updates the regex to catch this new format. The end result of this is that whenever Buildkite runs on a branch matching `\d.\d.x`, it will push images to the `us.gcr.io/sourcegraph-dev/gitserver` registry with the tag `$branch-insiders`. I've also tagged this PR for backport as we want it on the current patch release branch 5.5.x :)

## Test plan

- Test buildkite run on branch `will-0.0.x` (with modified regex to match that branch) https://buildkite.com/sourcegraph/sourcegraph/builds/283608

## Changelog

(cherry picked from commit b7242d2)
jdpleiness
referenced
this pull request
Jul 22, 2024
…63987)

In order to run nightly vulnerability scans of Sourcegraph releases, we need to publish a new set of images whenever the release branch is pushed to. Previously, this was implemented in https://github.com/sourcegraph/sourcegraph/pull/63379 but with RFC 795 the release branch format changed from 5.5.1234 to 5.5.x. This PR updates the regex to catch this new format. The end result of this is that whenever Buildkite runs on a branch matching `\d.\d.x`, it will push images to the `us.gcr.io/sourcegraph-dev/gitserver` registry with the tag `$branch-insiders`. I've also tagged this PR for backport as we want it on the current patch release branch 5.5.x :)

## Test plan

- Test buildkite run on branch `will-0.0.x` (with modified regex to match that branch) https://buildkite.com/sourcegraph/sourcegraph/builds/283608

## Changelog

Backport b7242d2 from #63985

Co-authored-by: Will Dollman <will.dollman@sourcegraph.com>
We currently don't publish images from the new-style patch release branches like `5.4.5099`, as this is all performed using the new release tooling.

In order to improve the release process, we (Security) would like to run a daily scan of the current set of images built from the patch release branch. Currently we only scan images built from `main`, but these slowly diverge from the patch release branch in the 2 week window between a monthly release and the patch release.

To give a specific example, we currently have no easy/automated way to scan images from the `5.4.5099` branch that a release will be cut from this afternoon until the release team run the internal release process.

This PR updates the pipeline so that whenever a new commit is pushed to the patch release branch, it will publish a new set of images and include the tag `<branch>-insiders`. Currently just pushing to us.gcr.io, but equally could push to dockerhub.

Example of the jobfile for a matching branch after this PR:

```
bazel --bazelrc=/tmp/aspect-generated.bazelrc --bazelrc=.aspect/bazelrc/ci.sourcegraph.bazelrc run //cmd/batcheshelper:candidate_push --stamp --workspace_status_command=./dev/bazel_stamp_vars.sh -- --tag dc438648b0cc --tag dc438648b0cc_2024-06-20 --tag dc438648b0cc_279230 --tag will/5.4.9999-insiders --repository us.gcr.io/sourcegraph-dev/batcheshelper && echo -e '<tr><td>batcheshelper</td><td><code>us.gcr.io/sourcegraph-dev</code></td><td><code>dc438648b0cc</code>, <code>dc438648b0cc_2024-06-20</code>, <code>dc438648b0cc_279230</code>, <code>will/5.4.9999-insiders</code></td></tr>' >>./annotations/pushed_images.md
```

Example buildkite run where the pattern was updated to match this branch, and pushing non-candidate images was disabled.

This resolves one part of SEC-1734

Test plan

Changelog
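The branch and tag matching this PR adds, as an added example and not the pipeline's own code: a POSIX shell classifier that applies the two patterns quoted on this page in the order the review discusses (patch release branch first, then release tag), extended here to also accept the 5.5.x branch form from the follow-up PRs. The function names `matches`, `classify_build` and `insiders_tag` are assumptions.

```shell
# Added example, not the sourcegraph pipeline script. Decides where a
# Buildkite build's images go, using the patterns quoted in this PR:
#   internal - patch release branch (X.Y.Z as in this PR, or X.Y.x as the
#              follow-up PR changed it): push to the internal registry only,
#              tagged <branch>-insiders (push_prod=false)
#   prod     - release tag vX.Y.Z or vX.Y.Z-rc.N on BUILDKITE_TAG
#              (push_prod=true); note this checks the tag, not the branch,
#              which is why a patch branch with an empty tag never hits it
#   none     - anything else
# Arguments: branch name, tag (may be empty, as BUILDKITE_TAG was in the
# author's test run). Uses grep -E so it runs under sh as well as bash.
matches() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

classify_build() {
  branch=$1
  tag=$2
  # Anchored on both ends, so feature/5.4.5099 or 5.4.5099-foo do not
  # qualify as patch release branches and get no published images.
  if matches "$branch" '^[0-9]+\.[0-9]+\.([0-9]+|x)$'; then
    echo internal
  elif matches "$tag" '^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$'; then
    echo prod
  else
    echo none
  fi
}

# Tag the internal images get for a patch release branch.
insiders_tag() {
  printf '%s-insiders\n' "$1"
}
```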