RUBY-2269 use docker for release builds

This commit works with the bundler rake tasks that output built gem to pkg subdir.
mongodb · Jun 15, 2020 · 992b027 · 992b027
1 parent c9c34ea
commit 992b027
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 0 deletions.
diff --git a/release.sh b/release.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+set -e
+
+NAME=mongo
+RELEASE_NAME=mongo-ruby-driver-release
+VERSION_REQUIRE=mongo/version
+VERSION_CONSTANT_NAME=Mongo::VERSION
+
+if ! test -f gem-private_key.pem; then
+  echo "gem-private_key.pem missing - cannot release" 1>&2
+  exit 1
+fi
+
+VERSION=`ruby -Ilib -r$VERSION_REQUIRE -e "puts $VERSION_CONSTANT_NAME"`
+
+echo "Releasing $NAME $VERSION"
+echo
+
+for variant in mri; do
+  docker build -f release/$variant/Dockerfile -t $RELEASE_NAME-$variant .
+
+  docker kill $RELEASE_NAME-$variant || true
+  docker container rm $RELEASE_NAME-$variant || true
+
+  docker run -d --name $RELEASE_NAME-$variant -it $RELEASE_NAME-$variant
+
+  docker exec $RELEASE_NAME-$variant /app/release/$variant/build.sh
+
+  if test $variant = jruby; then
+    docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION-java.gem .
+  else
+    docker cp $RELEASE_NAME-$variant:/app/pkg/$NAME-$VERSION.gem .
+  fi
+
+  docker kill $RELEASE_NAME-$variant
+done
+
+echo
+echo Built: $NAME-$VERSION.gem
+#echo Built: $NAME-$VERSION-java.gem
+echo
+
+git tag -a v$VERSION -m "Tagging release: $VERSION"
+git push origin v$VERSION
+
+gem push $NAME-$VERSION.gem
+#gem push $NAME-$VERSION-java.gem
diff --git a/release/mri/Dockerfile b/release/mri/Dockerfile
@@ -0,0 +1,10 @@
+FROM debian:10
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+  apt-get -y install git ruby-bundler make gcc ruby-dev
+
+WORKDIR /app
+
+COPY . .
diff --git a/release/mri/build.sh b/release/mri/build.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -e
+
+rm -f *.lock
+rm -f *.gem pkg/*.gem
+bundle install --without=test
+# Uses bundler gem tasks, outputs the built gem file to pkg subdir.
+rake build
+/app/release/verify-signature.sh pkg/*.gem
diff --git a/release/verify-signature.sh b/release/verify-signature.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -ex
+
+gem="$1"
+if test -z "$gem"; then
+  echo "Usage: `basename $0` /path/to/built.gem" 1>&2
+  exit 1
+fi
+
+gem cert --add gem-public_cert.pem
+gem install -P HighSecurity $gem
+
+exit
+
+# The verification below does not work.
+# https://github.com/rubygems/rubygems/issues/3680
+
+# https://docs.ruby-lang.org/en/2.7.0/Gem/Security.html
+
+tar xf $gem
+
+# Grab the public key from the gemspec
+
+gem spec $gem cert_chain | \
+  ruby -ryaml -e 'puts YAML.load(STDIN)' > actual_public_key.crt
+
+for file in data.tar.gz metadata.tar.gz; do
+  # Generate a SHA1 hash of the data.tar.gz
+
+  openssl dgst -sha1 < $file > actual.hash
+
+  # Verify the signature
+
+  openssl rsautl -verify -inkey actual_public_key.crt -certin \
+    -in $file.sig > signed.hash
+
+  # Compare your hash to the verified hash
+
+  diff -s actual.hash signed.hash
+done