#!/bin/bash
#------------------------------------------------------------------------
# A script to clone the Credentials repository and check that the required
# secrets are present and working.
#
#------------------------------------------------------------------------
# Utility methods
#
# Report an unrecoverable error and stop the script.
# Arguments: $1 - message text
# Outputs:   "ci-credentials.sh: fatal: <message>" on stderr
# Exits:     always, with status 1
fatal() {
  printf '%s\n' "ci-credentials.sh: fatal: $1" >&2
  exit 1
}
# Emit a progress message on stderr; stdout is left untouched.
# Arguments: $1 - message text
# Outputs:   "ci-credentials.sh: info: <message>" on stderr
info() {
  printf '%s\n' "ci-credentials.sh: info: $1" >&2
}
#------------------------------------------------------------------------
# Check environment
#
# Each variable listed below must be set and non-empty. They are tested in
# the order given and the script stops at the first one that is missing.
# Only the variable's name is written to the log, never its value.
#
for required_var in \
  MAVEN_CENTRAL_USERNAME \
  MAVEN_CENTRAL_PASSWORD \
  MAVEN_CENTRAL_STAGING_PROFILE_ID \
  MAVEN_CENTRAL_SIGNING_KEY_ID \
  IRRADIA_GITHUB_ACCESS_TOKEN
do
  # ${!required_var} is bash indirect expansion: it yields the value of the
  # variable whose name is held in required_var.
  if [ -z "${!required_var}" ]; then
    fatal "${required_var} is not defined"
  fi
done
# Drop the loop variable so no extra name is left behind in the script.
unset required_var
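#------------------------------------------------------------------------
# Clone credentials repos
#
# The access token is handed to git inside the clone URL, so it is part of
# the git process's argument list for as long as the clone runs. git also
# records the clone URL verbatim as remote.origin.url, which would leave the
# token in clear text in .ci/credentials/.git/config; the remote URL is
# therefore reset to a token-free form as soon as the clone has finished.
#
# NOTE(review): after the reset, anything that later fetches from
# .ci/credentials must supply credentials itself. Nothing in this script
# does so; confirm no other CI step relies on the stored URL.
# NOTE(review): git may include the URL in its error output; confirm that
# the CI log masking covers IRRADIA_GITHUB_ACCESS_TOKEN.
# The checkout contains key material (irradia.asc is imported below), so
# .ci/credentials should stay out of caches and published artifacts.
#
info "Cloning credentials"

git clone \
  --depth 1 \
  "https://${IRRADIA_GITHUB_ACCESS_TOKEN}@github.com/irradia/credentials" \
  ".ci/credentials" || fatal "Could not clone credentials"

# Strip the token from the persisted remote configuration.
git -C ".ci/credentials" remote set-url origin \
  "https://github.com/irradia/credentials" \
  || fatal "Could not remove access token from credentials remote URL"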
#------------------------------------------------------------------------
# Import the PGP key used for signing Central releases, then produce a
# throwaway signature as a check that the key hasn't expired.
#
# NOTE(review): gpg is given no --local-user here, so the test signature is
# made with gpg's default secret key; MAVEN_CENTRAL_SIGNING_KEY_ID is not
# consulted. Confirm the default key is the one used for releases.
# hello.txt and the signature gpg writes for it are left in the working
# directory; nothing in this script removes them.
#
info "Importing GPG key"
if ! gpg --import ".ci/credentials/irradia.asc"; then
  fatal "Could not import GPG key"
fi

info "Signing test file"
if ! printf '%s\n' "Test" > hello.txt; then
  fatal "Could not create test file"
fi
# --armor is the long form of -a: ASCII-armored output.
if ! gpg --sign --armor hello.txt; then
  fatal "Could not produce test signature"
fi
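#------------------------------------------------------------------------
# Download Brooklime and verify it against a pinned SHA-256 digest.
#
# The jar is always fetched, under a temporary name, and is renamed to
# brooklime.jar only after its digest matches the pinned value. An
# unverified download is therefore never left behind under the final name;
# on a mismatch the temporary file is deleted before the script aborts.
#
BROOKLIME_URL="https://repo1.maven.org/maven2/com/io7m/brooklime/com.io7m.brooklime.cmdline/1.1.0/com.io7m.brooklime.cmdline-1.1.0-main.jar"
BROOKLIME_SHA256_EXPECTED="631bdfe895637e64a89aa25906b5b785f89337a805ce1d4118546298f99c0b39"

wget -O "brooklime.jar.tmp" "${BROOKLIME_URL}" || fatal "Could not download brooklime"

# The digest is the last field of openssl's output. pipefail is not set, so
# the status tested here is awk's; if openssl itself fails the digest comes
# back empty and is rejected by the comparison below.
BROOKLIME_SHA256_RECEIVED=$(openssl sha256 "brooklime.jar.tmp" | awk '{print $NF}') || fatal "Could not checksum brooklime.jar"

if [ "${BROOKLIME_SHA256_EXPECTED}" != "${BROOKLIME_SHA256_RECEIVED}" ]
then
  # Do not keep a file that failed verification.
  rm -f -- "brooklime.jar.tmp"
  fatal "brooklime.jar checksum does not match.
Expected: ${BROOKLIME_SHA256_EXPECTED}
Received: ${BROOKLIME_SHA256_RECEIVED}"
fi

# Verified: promote the download to its final name.
mv "brooklime.jar.tmp" "brooklime.jar" || fatal "Could not rename brooklime"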
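#------------------------------------------------------------------------
# Download changelog and verify it against a pinned SHA-256 digest.
#
# The jar is always fetched, under a temporary name, and is renamed to
# changelog.jar only after its digest matches the pinned value. An
# unverified download is therefore never left behind under the final name;
# on a mismatch the temporary file is deleted before the script aborts.
#
CHANGELOG_URL="https://repo1.maven.org/maven2/com/io7m/changelog/com.io7m.changelog.cmdline/4.1.0/com.io7m.changelog.cmdline-4.1.0-main.jar"
CHANGELOG_SHA256_EXPECTED="2a38beaea7c63349c1243dbee52d97a1d048578d1132dd1b509e2d8d37445033"

wget -O "changelog.jar.tmp" "${CHANGELOG_URL}" || fatal "Could not download changelog"

# The digest is the last field of openssl's output. pipefail is not set, so
# the status tested here is awk's; if openssl itself fails the digest comes
# back empty and is rejected by the comparison below.
CHANGELOG_SHA256_RECEIVED=$(openssl sha256 "changelog.jar.tmp" | awk '{print $NF}') || fatal "Could not checksum changelog.jar"

if [ "${CHANGELOG_SHA256_EXPECTED}" != "${CHANGELOG_SHA256_RECEIVED}" ]
then
  # Do not keep a file that failed verification.
  rm -f -- "changelog.jar.tmp"
  fatal "changelog.jar checksum does not match.
Expected: ${CHANGELOG_SHA256_EXPECTED}
Received: ${CHANGELOG_SHA256_RECEIVED}"
fi

# Verified: promote the download to its final name.
mv "changelog.jar.tmp" "changelog.jar" || fatal "Could not rename changelog"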
#------------------------------------------------------------------------
# Run the optional local credentials hook.
#
# Nothing happens unless .ci-local/credentials.sh exists as a regular file.
# When it does, it is executed directly and a non-zero exit status aborts
# this script.
#
# NOTE(review): the hook runs as a child process, so it presumably sees the
# exported credential variables checked at the top of this script. Treat
# .ci-local/credentials.sh as trusted code and review changes to it.
#
if test -f .ci-local/credentials.sh; then
  if ! .ci-local/credentials.sh; then
    fatal "local credentials hook failed"
  fi
fi