blob: fe5659ca1fb90baaf81771431e64fefa1151f76a [file] [log] [blame]
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package relui
import (
"archive/tar"
"bytes"
"compress/gzip"
"context"
"crypto/sha256"
"fmt"
"io"
"io/fs"
"math/rand"
"net/http"
"path"
"strings"
"sync"
"time"
"cloud.google.com/go/storage"
"github.com/google/go-cmp/cmp"
"golang.org/x/build/buildlet"
"golang.org/x/build/dashboard"
"golang.org/x/build/internal/gcsfs"
"golang.org/x/build/internal/releasetargets"
"golang.org/x/build/internal/relui/db"
"golang.org/x/build/internal/task"
"golang.org/x/build/internal/workflow"
wf "golang.org/x/build/internal/workflow"
"golang.org/x/net/context/ctxhttp"
)
// DefinitionHolder holds workflow definitions.
type DefinitionHolder struct {
mu sync.Mutex
definitions map[string]*wf.Definition
}
// NewDefinitionHolder creates a new DefinitionHolder,
// initialized with a sample "echo" wf.
func NewDefinitionHolder() *DefinitionHolder {
return &DefinitionHolder{definitions: map[string]*wf.Definition{
"echo": newEchoWorkflow(),
}}
}
// Definition returns the initialized wf.Definition registered
// for a given name.
func (h *DefinitionHolder) Definition(name string) *wf.Definition {
h.mu.Lock()
defer h.mu.Unlock()
return h.definitions[name]
}
// RegisterDefinition registers a definition with a name.
// If a definition with the same name already exists, RegisterDefinition panics.
func (h *DefinitionHolder) RegisterDefinition(name string, d *wf.Definition) {
h.mu.Lock()
defer h.mu.Unlock()
if _, exist := h.definitions[name]; exist {
panic("relui: multiple registrations for " + name)
}
h.definitions[name] = d
}
// Definitions returns the names of all registered definitions.
func (h *DefinitionHolder) Definitions() map[string]*wf.Definition {
h.mu.Lock()
defer h.mu.Unlock()
defs := make(map[string]*wf.Definition)
for k, v := range h.definitions {
defs[k] = v
}
return defs
}
// RegisterCommunicationDefinitions registers workflow definitions
// involving mailing announcements and posting tweets onto h.
//
// This is superseded by RegisterReleaseWorkflows and will be removed
// after some time, when we confirm there's no need for separate workflows.
func RegisterCommunicationDefinitions(h *DefinitionHolder, tasks task.CommunicationTasks) {
{
wd := wf.New()
v1 := wf.Param(wd, wf.ParamDef[string]{
Name: "Version",
Doc: `Version is the Go version that has been released.
The version string must use the same format as Go tags.`,
Example: "go1.18.2",
})
v2 := wf.Param(wd, wf.ParamDef[string]{
Name: "Secondary Version",
Doc: `Secondary Version is an older Go version that was also released.`,
Example: "go1.17.10",
})
securitySummary := wf.Param(wd, securitySummaryParameter)
securityFixes := wf.Param(wd, securityFixesParameter)
coordinators := wf.Param(wd, releaseCoordinators)
sentMail := wf.Task3(wd, "mail-announcement", tasks.AnnounceRelease, wf.Slice(v1, v2), securityFixes, coordinators)
announcementURL := wf.Task1(wd, "await-announcement", tasks.AwaitAnnounceMail, sentMail)
tweetURL := wf.Task3(wd, "post-tweet", tasks.TweetRelease, wf.Slice(v1, v2), securitySummary, announcementURL)
wf.Output(wd, "AnnouncementURL", announcementURL)
wf.Output(wd, "TweetURL", tweetURL)
h.RegisterDefinition("announce-and-tweet-double-minor", wd)
}
{
wd := wf.New()
v := wf.Param(wd, wf.ParamDef[string]{
Name: "Version",
Doc: `Version is the Go version that has been released.
The version string must use the same format as Go tags.`,
Example: "go1.19beta1",
})
coordinators := wf.Param(wd, releaseCoordinators)
sentMail := wf.Task3(wd, "mail-announcement", tasks.AnnounceRelease, wf.Slice(v), wf.Slice[string](), coordinators)
announcementURL := wf.Task1(wd, "await-announcement", tasks.AwaitAnnounceMail, sentMail)
tweetURL := wf.Task3(wd, "post-tweet", tasks.TweetRelease, wf.Slice(v), wf.Const(""), announcementURL)
wf.Output(wd, "AnnouncementURL", announcementURL)
wf.Output(wd, "TweetURL", tweetURL)
h.RegisterDefinition("announce-and-tweet-single", wd)
}
}
// Release parameter definitions.
var (
targetDateParam = wf.ParamDef[task.Date]{
Name: "Target Release Date",
ParamType: wf.ParamType[task.Date]{
HTMLElement: "input",
HTMLInputType: "date",
},
Doc: `Target Release Date is the date on which the release is scheduled.
It must be three to seven days after the pre-announcement as documented in the security policy.`,
}
securityPreAnnParam = wf.ParamDef[string]{
Name: "Security Content",
ParamType: workflow.ParamType[string]{
HTMLElement: "select",
HTMLSelectOptions: []string{
"the standard library",
"the toolchain",
"the standard library and the toolchain",
},
},
Doc: `Security Content is the security content to be included in the release pre-announcement.
It must not reveal details beyond what's allowed by the security policy.`,
}
securitySummaryParameter = wf.ParamDef[string]{
Name: "Security Summary (optional)",
Doc: `Security Summary is an optional sentence describing security fixes included in this release.
It shows up in the release tweet.
The empty string means there are no security fixes to highlight.
Past examples:
• "Includes a security fix for crypto/tls (CVE-2021-34558)."
• "Includes a security fix for the Wasm port (CVE-2021-38297)."
• "Includes security fixes for encoding/pem (CVE-2022-24675), crypto/elliptic (CVE-2022-28327), crypto/x509 (CVE-2022-27536)."`,
}
securityFixesParameter = wf.ParamDef[[]string]{
Name: "Security Fixes (optional)",
ParamType: wf.SliceLong,
Doc: `Security Fixes is a list of descriptions, one for each distinct security fix included in this release, in Markdown format.
It shows up in the announcement mail.
The empty list means there are no security fixes included.
Past examples:
• "encoding/pem: fix stack overflow in Decode
A large (more than 5 MB) PEM input can cause a stack overflow in Decode,
leading the program to crash.
Thanks to Juho Nurminen of Mattermost who reported the error.
This is CVE-2022-24675 and Go issue https://go.dev/issue/51853."
• "crypto/elliptic: tolerate all oversized scalars in generic P-256
A crafted scalar input longer than 32 bytes can cause P256().ScalarMult
or P256().ScalarBaseMult to panic. Indirect uses through crypto/ecdsa and
crypto/tls are unaffected. amd64, arm64, ppc64le, and s390x are unaffected.
This was discovered thanks to a Project Wycheproof test vector.
This is CVE-2022-28327 and Go issue https://go.dev/issue/52075."`,
Example: `encoding/pem: fix stack overflow in Decode
A large (more than 5 MB) PEM input can cause a stack overflow in Decode,
leading the program to crash.
Thanks to Juho Nurminen of Mattermost who reported the error.
This is CVE-2022-24675 and Go issue https://go.dev/issue/51853.`,
}
releaseCoordinators = wf.ParamDef[[]string]{
Name: "Release Coordinator Usernames (optional)",
ParamType: wf.SliceShort,
Doc: `Release Coordinator Usernames is an optional list of the coordinators of the release.
Their first names will be included at the end of the release announcement, and CLs will be mailed to them.`,
Example: "heschi",
}
)
// newEchoWorkflow returns a runnable wf.Definition for
// development.
func newEchoWorkflow() *wf.Definition {
wd := wf.New()
wf.Output(wd, "greeting", wf.Task1(wd, "greeting", echo, wf.Param(wd, wf.ParamDef[string]{Name: "greeting"})))
wf.Output(wd, "farewell", wf.Task1(wd, "farewell", echo, wf.Param(wd, wf.ParamDef[string]{Name: "farewell"})))
return wd
}
func echo(ctx *wf.TaskContext, arg string) (string, error) {
ctx.Printf("echo(%v, %q)", ctx, arg)
return arg, nil
}
func checkTaskApproved(ctx *wf.TaskContext, p db.PGDBTX) (bool, error) {
q := db.New(p)
t, err := q.Task(ctx, db.TaskParams{
Name: ctx.TaskName,
WorkflowID: ctx.WorkflowID,
})
if !t.ReadyForApproval {
_, err := q.UpdateTaskReadyForApproval(ctx, db.UpdateTaskReadyForApprovalParams{
ReadyForApproval: true,
Name: ctx.TaskName,
WorkflowID: ctx.WorkflowID,
})
if err != nil {
return false, err
}
}
return t.ApprovedAt.Valid, err
}
// ApproveActionDep returns a function for defining approval Actions.
//
// ApproveActionDep takes a single *pgxpool.Pool argument, which is
// used to query the database to determine if a task has been marked
// approved.
//
// ApproveActionDep marks the task as requiring approval in the
// database once the task is started. This can be used to show an
// "approve" control in the UI.
//
// waitAction := wf.ActionN(wd, "Wait for Approval", ApproveActionDep(db), wf.After(someDependency))
func ApproveActionDep(p db.PGDBTX) func(*wf.TaskContext) error {
return func(ctx *wf.TaskContext) error {
_, err := task.AwaitCondition(ctx, 5*time.Second, func() (int, bool, error) {
done, err := checkTaskApproved(ctx, p)
return 0, done, err
})
return err
}
}
// RegisterReleaseWorkflows registers workflows for issuing Go releases.
func RegisterReleaseWorkflows(ctx context.Context, h *DefinitionHolder, build *BuildReleaseTasks, milestone *task.MilestoneTasks, version *task.VersionTasks, comm task.CommunicationTasks) error {
// Register prod release workflows both with, and without comm tasks at the end.
// TODO(go.dev/issue/53537): Simplify after more experience.
if err := registerProdReleaseWorkflows(ctx, h, build, milestone, version, comm, true, ""); err != nil {
return err
}
if err := registerProdReleaseWorkflows(ctx, h, build, milestone, version, comm, false, "[without comms] "); err != nil {
return err
}
// Register pre-announcement workflows.
currentMajor, err := version.GetCurrentMajor(ctx)
if err != nil {
return err
}
releases := []struct {
kinds []task.ReleaseKind
name string
}{
{[]task.ReleaseKind{task.KindCurrentMinor, task.KindPrevMinor}, fmt.Sprintf("next minor release for Go 1.%d and 1.%d", currentMajor, currentMajor-1)},
{[]task.ReleaseKind{task.KindCurrentMinor}, fmt.Sprintf("next minor release for Go 1.%d", currentMajor)},
{[]task.ReleaseKind{task.KindPrevMinor}, fmt.Sprintf("next minor release for Go 1.%d", currentMajor-1)},
}
for _, r := range releases {
wd := wf.New()
versions := wf.Task1(wd, "Get next versions", version.GetNextVersions, wf.Const(r.kinds))
targetDate := wf.Param(wd, targetDateParam)
securityContent := wf.Param(wd, securityPreAnnParam)
coordinators := wf.Param(wd, releaseCoordinators)
sentMail := wf.Task4(wd, "mail-pre-announcement", comm.PreAnnounceRelease, versions, targetDate, securityContent, coordinators)
wf.Output(wd, "Pre-announcement URL", wf.Task1(wd, "await-pre-announcement", comm.AwaitAnnounceMail, sentMail))
h.RegisterDefinition("pre-announce "+r.name, wd)
}
// Register dry-run release workflows.
wd := wf.New()
if err := addBuildAndTestOnlyWorkflow(wd, version, build, currentMajor+1, task.KindBeta); err != nil {
return err
}
h.RegisterDefinition(fmt.Sprintf("dry-run (test and build only): Go 1.%d next beta", currentMajor+1), wd)
return nil
}
func registerProdReleaseWorkflows(ctx context.Context, h *DefinitionHolder, build *BuildReleaseTasks, milestone *task.MilestoneTasks, version *task.VersionTasks, comm task.CommunicationTasks, mergeCommTasks bool, definitionPrefix string) error {
currentMajor, err := version.GetCurrentMajor(ctx)
if err != nil {
return err
}
releases := []struct {
kind task.ReleaseKind
major int
suffix string
}{
{task.KindMajor, currentMajor + 1, "final"},
{task.KindRC, currentMajor + 1, "next RC"},
{task.KindBeta, currentMajor + 1, "next beta"},
{task.KindCurrentMinor, currentMajor, "next minor"},
{task.KindPrevMinor, currentMajor - 1, "next minor"},
}
for _, r := range releases {
wd := wf.New()
coordinators := wf.Param(wd, releaseCoordinators)
versionPublished := addSingleReleaseWorkflow(build, milestone, version, wd, r.major, r.kind, coordinators)
if mergeCommTasks {
securitySummary := wf.Const("")
securityFixes := wf.Slice[string]()
if r.kind == task.KindCurrentMinor || r.kind == task.KindPrevMinor {
securitySummary = wf.Param(wd, securitySummaryParameter)
securityFixes = wf.Param(wd, securityFixesParameter)
}
addCommTasks(wd, build, comm, wf.Slice(versionPublished), securitySummary, securityFixes, coordinators)
}
h.RegisterDefinition(definitionPrefix+fmt.Sprintf("Go 1.%d %s", r.major, r.suffix), wd)
}
wd, err := createMinorReleaseWorkflow(build, milestone, version, comm, mergeCommTasks, currentMajor-1, currentMajor)
if err != nil {
return err
}
h.RegisterDefinition(definitionPrefix+fmt.Sprintf("Minor releases for Go 1.%d and 1.%d", currentMajor-1, currentMajor), wd)
return nil
}
func addBuildAndTestOnlyWorkflow(wd *wf.Definition, version *task.VersionTasks, build *BuildReleaseTasks, major int, kind task.ReleaseKind) error {
nextVersion := wf.Task1(wd, "Get next version", version.GetNextVersion, wf.Const(kind))
branch := fmt.Sprintf("release-branch.go1.%d", major)
if kind == task.KindBeta {
branch = "master"
}
branchVal := wf.Const(branch)
source := wf.Task3(wd, "Build source archive", build.buildSource, branchVal, wf.Const(""), nextVersion)
artifacts := build.addBuildTasks(wd, major, nextVersion, source, true)
wf.Output(wd, "Artifacts", artifacts)
return nil
}
func createMinorReleaseWorkflow(build *BuildReleaseTasks, milestone *task.MilestoneTasks, version *task.VersionTasks, comm task.CommunicationTasks, mergeCommTasks bool, prevMajor, currentMajor int) (*wf.Definition, error) {
wd := wf.New()
coordinators := wf.Param(wd, releaseCoordinators)
v1Published := addSingleReleaseWorkflow(build, milestone, version, wd.Sub(fmt.Sprintf("Go 1.%d", currentMajor)), currentMajor, task.KindCurrentMinor, coordinators)
v2Published := addSingleReleaseWorkflow(build, milestone, version, wd.Sub(fmt.Sprintf("Go 1.%d", prevMajor)), prevMajor, task.KindPrevMinor, coordinators)
if mergeCommTasks {
securitySummary := wf.Param(wd, securitySummaryParameter)
securityFixes := wf.Param(wd, securityFixesParameter)
addCommTasks(wd, build, comm, wf.Slice(v1Published, v2Published), securitySummary, securityFixes, coordinators)
}
return wd, nil
}
func addCommTasks(
wd *wf.Definition, build *BuildReleaseTasks, comm task.CommunicationTasks,
versions wf.Value[[]string], securitySummary wf.Value[string], securityFixes, coordinators wf.Value[[]string],
) {
okayToAnnounceAndTweet := wf.Action0(wd, "Wait to Announce", build.ApproveAction, wf.After(versions))
// Announce that a new Go release has been published.
sentMail := wf.Task3(wd, "mail-announcement", comm.AnnounceRelease, versions, securityFixes, coordinators, wf.After(okayToAnnounceAndTweet))
announcementURL := wf.Task1(wd, "await-announcement", comm.AwaitAnnounceMail, sentMail)
tweetURL := wf.Task3(wd, "post-tweet", comm.TweetRelease, versions, securitySummary, announcementURL, wf.After(okayToAnnounceAndTweet))
wf.Output(wd, "Announcement URL", announcementURL)
wf.Output(wd, "Tweet URL", tweetURL)
}
func addSingleReleaseWorkflow(
build *BuildReleaseTasks, milestone *task.MilestoneTasks, version *task.VersionTasks,
wd *wf.Definition, major int, kind task.ReleaseKind, coordinators wf.Value[[]string],
) (versionPublished wf.Value[string]) {
kindVal := wf.Const(kind)
branch := fmt.Sprintf("release-branch.go1.%d", major)
if kind == task.KindBeta {
branch = "master"
}
branchVal := wf.Const(branch)
startingHead := wf.Task1(wd, "Read starting branch head", version.ReadBranchHead, branchVal)
// Select version, check milestones.
nextVersion := wf.Task1(wd, "Get next version", version.GetNextVersion, kindVal)
milestones := wf.Task2(wd, "Pick milestones", milestone.FetchMilestones, nextVersion, kindVal)
checked := wf.Action3(wd, "Check blocking issues", milestone.CheckBlockers, milestones, nextVersion, kindVal)
startSigner := wf.Task1(wd, "Start signing command", build.startSigningCommand, nextVersion)
wf.Output(wd, "Signing command", startSigner)
securityRef := wf.Param(wd, wf.ParamDef[string]{Name: "Ref from the private repository to build from (optional)"})
source := wf.Task3(wd, "Build source archive", build.buildSource, startingHead, securityRef, nextVersion, wf.After(checked))
// Build, test, and sign release.
signedAndTestedArtifacts := build.addBuildTasks(wd, major, nextVersion, source, false)
okayToTagAndPublish := wf.Action0(wd, "Wait for Release Coordinator Approval", build.ApproveAction, wf.After(signedAndTestedArtifacts))
dlcl := wf.Task3(wd, "Mail DL CL", version.MailDLCL, wf.Slice(nextVersion), coordinators, wf.Const(false), wf.After(okayToTagAndPublish))
dlclCommit := wf.Task2(wd, "Wait for DL CL", version.AwaitCL, dlcl, wf.Const(""))
wf.Output(wd, "Download CL submitted", dlclCommit)
// Tag version and upload to CDN/website.
// If we're releasing a beta from master, tagging is easy; we just tag the
// commit we started from. Otherwise, we're going to submit a VERSION CL,
// and we need to make sure that that CL is submitted on top of the same
// state we built from. For security releases that state may not have
// been public when we started, but it should be now.
tagCommit := startingHead
if branch != "master" {
publishingHead := wf.Task3(wd, "Check branch state matches source archive", build.checkSourceMatch, branchVal, nextVersion, source, wf.After(okayToTagAndPublish))
versionCL := wf.Task3(wd, "Mail version CL", version.CreateAutoSubmitVersionCL, branchVal, coordinators, nextVersion, wf.After(publishingHead))
tagCommit = wf.Task2(wd, "Wait for version CL submission", version.AwaitCL, versionCL, publishingHead)
}
tagged := wf.Action2(wd, "Tag version", version.TagRelease, nextVersion, tagCommit, wf.After(okayToTagAndPublish))
uploaded := wf.Action1(wd, "Upload artifacts to CDN", build.uploadArtifacts, signedAndTestedArtifacts, wf.After(tagged))
pushed := wf.Action3(wd, "Push issues", milestone.PushIssues, milestones, nextVersion, kindVal, wf.After(tagged))
versionPublished = wf.Task2(wd, "Publish to website", build.publishArtifacts, nextVersion, signedAndTestedArtifacts, wf.After(uploaded, pushed))
wf.Output(wd, "Released version", versionPublished)
return versionPublished
}
// addBuildTasks registers tasks to build, test, and sign the release onto wd.
// It returns the output from the last task, a slice of signed and tested artifacts.
func (tasks *BuildReleaseTasks) addBuildTasks(wd *wf.Definition, major int, version wf.Value[string], source wf.Value[artifact], skipSigning bool) wf.Value[[]artifact] {
targets := releasetargets.TargetsForGo1Point(major)
skipTests := wf.Param(wd, wf.ParamDef[[]string]{Name: "Targets to skip testing (or 'all') (optional)", ParamType: wf.SliceShort})
// Artifact file paths.
artifacts := []wf.Value[artifact]{source}
var darwinTargets []*releasetargets.Target
var testsPassed []wf.Dependency
for _, target := range targets {
targetVal := wf.Const(target)
wd := wd.Sub(target.Name)
// Build release artifacts for the platform.
bin := wf.Task2(wd, "Build binary archive", tasks.buildBinary, targetVal, source)
switch target.GOOS {
case "windows":
zip := wf.Task2(wd, "Convert to .zip", tasks.convertToZip, targetVal, bin)
msi := wf.Task2(wd, "Build MSI", tasks.buildMSI, targetVal, bin)
artifacts = append(artifacts, msi, zip)
case "darwin":
artifacts = append(artifacts, bin)
darwinTargets = append(darwinTargets, target)
default:
artifacts = append(artifacts, bin)
}
if target.BuildOnly {
continue
}
short := wf.Action4(wd, "Run short tests", tasks.runTests, targetVal, wf.Const(dashboard.Builders[target.Builder]), skipTests, bin)
testsPassed = append(testsPassed, short)
if target.LongTestBuilder != "" {
long := wf.Action4(wd, "Run long tests", tasks.runTests, targetVal, wf.Const(dashboard.Builders[target.Builder]), skipTests, bin)
testsPassed = append(testsPassed, long)
}
}
var advisoryResults []wf.Value[tryBotResult]
for _, bc := range advisoryTryBots(major) {
result := wf.Task3(wd, "Run advisory TryBot "+bc.Name, tasks.runAdvisoryTryBot, wf.Const(bc), skipTests, source)
advisoryResults = append(advisoryResults, result)
}
tryBotsApproved := wf.Action1(wd, "Approve any TryBot failures", tasks.checkAdvisoryTrybots, wf.Slice(advisoryResults...))
if skipSigning {
builtAndTested := wf.Task1(wd, "Wait for artifacts and tests", func(ctx *wf.TaskContext, artifacts []artifact) ([]artifact, error) {
return artifacts, nil
}, wf.Slice(artifacts...), wf.After(tryBotsApproved), wf.After(testsPassed...))
return builtAndTested
}
stagedArtifacts := wf.Task2(wd, "Stage artifacts for signing", tasks.copyToStaging, version, wf.Slice(artifacts...))
signedArtifacts := wf.Task3(wd, "Wait for signed artifacts", tasks.awaitSigned, version, wf.Const(darwinTargets), stagedArtifacts)
signedAndTested := wf.Task1(wd, "Wait for signing and tests", func(ctx *wf.TaskContext, artifacts []artifact) ([]artifact, error) {
return artifacts, nil
}, signedArtifacts, wf.After(tryBotsApproved), wf.After(testsPassed...))
return signedAndTested
}
func advisoryTryBots(major int) []*dashboard.BuildConfig {
usedBuilders := map[string]bool{}
for _, t := range releasetargets.TargetsForGo1Point(major) {
usedBuilders[t.Builder] = true
usedBuilders[t.LongTestBuilder] = true
}
var extras []*dashboard.BuildConfig
for name, bc := range dashboard.Builders {
if usedBuilders[name] {
continue
}
if !bc.BuildsRepoPostSubmit("go", fmt.Sprintf("release-branch.go1.%d", major), "") {
continue
}
if !bc.IsVM() && !bc.IsContainer() {
continue
}
extras = append(extras, bc)
}
return extras
}
// BuildReleaseTasks serves as an adapter to the various build tasks in the task package.
type BuildReleaseTasks struct {
GerritClient task.GerritClient
GerritHTTPClient *http.Client
GerritURL string
PrivateGerritURL string
GCSClient *storage.Client
ScratchURL, ServingURL string
DownloadURL string
PublishFile func(*task.WebsiteFile) error
CreateBuildlet func(context.Context, string) (buildlet.RemoteClient, error)
ApproveAction func(*wf.TaskContext) error
}
func (b *BuildReleaseTasks) buildSource(ctx *wf.TaskContext, revision, securityRevision, version string) (artifact, error) {
return b.runBuildStep(ctx, nil, nil, artifact{}, "src.tar.gz", func(_ *task.BuildletStep, _ io.Reader, w io.Writer) error {
if securityRevision != "" {
return task.WriteSourceArchive(ctx, b.GerritHTTPClient, b.PrivateGerritURL, securityRevision, version, w)
}
return task.WriteSourceArchive(ctx, b.GerritHTTPClient, b.GerritURL, revision, version, w)
})
}
func (b *BuildReleaseTasks) checkSourceMatch(ctx *wf.TaskContext, branch, version string, source artifact) (head string, _ error) {
head, err := b.GerritClient.ReadBranchHead(ctx, "go", branch)
if err != nil {
return "", err
}
_, err = b.runBuildStep(ctx, nil, nil, source, "", func(_ *task.BuildletStep, r io.Reader, _ io.Writer) error {
branchArchive := &bytes.Buffer{}
if err := task.WriteSourceArchive(ctx, b.GerritHTTPClient, b.GerritURL, head, version, branchArchive); err != nil {
return err
}
branchHashes, err := tarballHashes(branchArchive)
if err != nil {
return fmt.Errorf("hashing branch tarball: %v", err)
}
archiveHashes, err := tarballHashes(r)
if err != nil {
return fmt.Errorf("hashing archive tarball: %v", err)
}
if diff := cmp.Diff(branchHashes, archiveHashes); diff != "" {
return fmt.Errorf("branch state doesn't match source archive (-branch, +archive):\n%v", diff)
}
return nil
})
return head, err
}
func tarballHashes(r io.Reader) (map[string]string, error) {
gzr, err := gzip.NewReader(r)
if err != nil {
return nil, err
}
defer gzr.Close()
tr := tar.NewReader(gzr)
hashes := map[string]string{}
for {
header, err := tr.Next()
if err == io.EOF {
break
} else if err != nil {
return nil, fmt.Errorf("reading tar header: %v", err)
}
h := sha256.New()
if _, err := io.CopyN(h, tr, header.Size); err != nil {
return nil, fmt.Errorf("reading file %q: %v", header.Name, err)
}
hashes[header.Name] = fmt.Sprintf("%X", h.Sum(nil))
}
return hashes, nil
}
func (b *BuildReleaseTasks) buildBinary(ctx *wf.TaskContext, target *releasetargets.Target, source artifact) (artifact, error) {
build := dashboard.Builders[target.Builder]
return b.runBuildStep(ctx, target, build, source, "tar.gz", func(bs *task.BuildletStep, r io.Reader, w io.Writer) error {
return bs.BuildBinary(ctx, r, w)
})
}
func (b *BuildReleaseTasks) buildMSI(ctx *wf.TaskContext, target *releasetargets.Target, binary artifact) (artifact, error) {
build := dashboard.Builders[target.Builder]
return b.runBuildStep(ctx, target, build, binary, "msi", func(bs *task.BuildletStep, r io.Reader, w io.Writer) error {
return bs.BuildMSI(ctx, r, w)
})
}
func (b *BuildReleaseTasks) convertToZip(ctx *wf.TaskContext, target *releasetargets.Target, binary artifact) (artifact, error) {
return b.runBuildStep(ctx, target, nil, binary, "zip", func(_ *task.BuildletStep, r io.Reader, w io.Writer) error {
return task.ConvertTGZToZIP(r, w)
})
}
func (b *BuildReleaseTasks) runTests(ctx *wf.TaskContext, target *releasetargets.Target, build *dashboard.BuildConfig, skipTests []string, binary artifact) error {
for _, skip := range skipTests {
if skip == "all" || target.Name == skip {
ctx.Printf("Skipping test")
return nil
}
}
_, err := b.runBuildStep(ctx, target, build, binary, "", func(bs *task.BuildletStep, r io.Reader, _ io.Writer) error {
return bs.TestTarget(ctx, r)
})
return err
}
type tryBotResult struct {
Name string
Passed bool
}
func (b *BuildReleaseTasks) runAdvisoryTryBot(ctx *wf.TaskContext, bc *dashboard.BuildConfig, skipTests []string, source artifact) (tryBotResult, error) {
for _, skip := range skipTests {
if skip == "all" || bc.Name == skip {
ctx.Printf("Skipping test")
return tryBotResult{bc.Name, true}, nil
}
}
passed := false
_, err := b.runBuildStep(ctx, nil, bc, source, "", func(bs *task.BuildletStep, r io.Reader, w io.Writer) error {
var err error
passed, err = bs.RunTryBot(ctx, r)
return err
})
return tryBotResult{bc.Name, passed}, err
}
func (b *BuildReleaseTasks) checkAdvisoryTrybots(ctx *wf.TaskContext, results []tryBotResult) error {
var fails []string
for _, r := range results {
if !r.Passed {
fails = append(fails, r.Name)
}
}
if len(fails) == 0 {
return nil
}
ctx.Printf("Some advisory TryBots failed. Check their logs and approve this task if it's okay:\n%v", strings.Join(fails, "\n"))
return b.ApproveAction(ctx)
}
// runBuildStep is a convenience function that manages resources a build step might need.
// If target and build config are specified, a BuildletStep will be passed to f.
// If inputName is specified, it will be opened and passed as a Reader to f.
// If outputSuffix is specified, a unique filename will be generated based off
// it (and the target name, if any), the file will be opened and passed as a
// Writer to f, and an artifact representing it will be returned as the result.
func (b *BuildReleaseTasks) runBuildStep(
ctx *wf.TaskContext,
target *releasetargets.Target,
build *dashboard.BuildConfig,
input artifact,
outputSuffix string,
f func(*task.BuildletStep, io.Reader, io.Writer) error,
) (artifact, error) {
var step *task.BuildletStep
if build != nil {
ctx.Printf("Creating buildlet %v.", build.Name)
client, err := b.CreateBuildlet(ctx, build.Name)
if err != nil {
return artifact{}, err
}
defer client.Close()
w := &task.LogWriter{Logger: ctx}
go w.Run(ctx)
step = &task.BuildletStep{
Target: target,
Buildlet: client,
BuildConfig: build,
LogWriter: w,
}
ctx.Printf("Buildlet ready.")
}
scratchFS, err := gcsfs.FromURL(ctx, b.GCSClient, b.ScratchURL)
if err != nil {
return artifact{}, err
}
var in io.ReadCloser
if input.ScratchPath != "" {
in, err = scratchFS.Open(input.ScratchPath)
if err != nil {
return artifact{}, err
}
defer in.Close()
}
var out io.WriteCloser
var scratchPath string
hash := sha256.New()
size := &sizeWriter{}
var multiOut io.Writer
if outputSuffix != "" {
scratchName := outputSuffix
if target != nil {
scratchName = target.Name + "." + outputSuffix
}
scratchPath = fmt.Sprintf("%v/%v-%v", ctx.WorkflowID.String(), scratchName, rand.Int63())
out, err = gcsfs.Create(scratchFS, scratchPath)
if err != nil {
return artifact{}, err
}
defer out.Close()
multiOut = io.MultiWriter(out, hash, size)
}
// Hide in's Close method from the task, which may assert it to Closer.
nopIn := io.NopCloser(in)
if err := f(step, nopIn, multiOut); err != nil {
return artifact{}, err
}
if step != nil {
if err := step.Buildlet.Close(); err != nil {
return artifact{}, err
}
}
if in != nil {
if err := in.Close(); err != nil {
return artifact{}, err
}
}
if out != nil {
if err := out.Close(); err != nil {
return artifact{}, err
}
}
return artifact{
Target: target,
ScratchPath: scratchPath,
Suffix: outputSuffix,
SHA256: fmt.Sprintf("%x", string(hash.Sum([]byte(nil)))),
Size: size.size,
}, nil
}
// An artifact represents a file as it moves through the release process. Most
// files will appear on go.dev/dl eventually.
type artifact struct {
// The target platform of this artifact, or nil for source.
Target *releasetargets.Target
// The scratch path of this artifact within the scratch directory.
// <workflow-id>/<filename>-<random-number>
ScratchPath string
// The path within the scratch directory the artifact was staged to for the
// signing process.
// <workflow-id>/signing/<go version>/<filename>
StagingPath string
// The path within the scratch directory the artifact can be found at
// after the signing process. For files not modified by the signing
// process, the staging path, or for those that are
// <workflow-id>/signing/<go version>/signed/<filename>
SignedPath string
// The contents of the GPG signature for this artifact (.asc file).
GPGSignature string
// The filename suffix of the artifact, e.g. "tar.gz" or "src.tar.gz",
// combined with the version and Target name to produce Filename.
Suffix string
// The final Filename of this artifact as it will be downloaded.
Filename string
SHA256 string
Size int
}
type sizeWriter struct {
size int
}
func (w *sizeWriter) Write(p []byte) (n int, err error) {
w.size += len(p)
return len(p), nil
}
func (tasks *BuildReleaseTasks) startSigningCommand(ctx *wf.TaskContext, version string) (string, error) {
args := fmt.Sprintf("--relui_staging=%q", tasks.ScratchURL+"/"+signingStagingDir(ctx, version))
ctx.Printf("run signer with " + args)
return args, nil
}
func (tasks *BuildReleaseTasks) copyToStaging(ctx *wf.TaskContext, version string, artifacts []artifact) ([]artifact, error) {
scratchFS, err := gcsfs.FromURL(ctx, tasks.GCSClient, tasks.ScratchURL)
if err != nil {
return nil, err
}
var stagedArtifacts []artifact
for _, a := range artifacts {
staged := a
if a.Target != nil {
staged.Filename = version + "." + a.Target.Name + "." + a.Suffix
} else {
staged.Filename = version + "." + a.Suffix
}
staged.StagingPath = path.Join(signingStagingDir(ctx, version), staged.Filename)
stagedArtifacts = append(stagedArtifacts, staged)
in, err := scratchFS.Open(a.ScratchPath)
if err != nil {
return nil, err
}
out, err := gcsfs.Create(scratchFS, staged.StagingPath)
if err != nil {
return nil, err
}
if _, err := io.Copy(out, in); err != nil {
return nil, err
}
if err := in.Close(); err != nil {
return nil, err
}
if err := out.Close(); err != nil {
return nil, err
}
}
if err := gcsfs.WriteFile(scratchFS, path.Join(signingStagingDir(ctx, version), "ready"), []byte("ready")); err != nil {
return nil, err
}
return stagedArtifacts, nil
}
func signingStagingDir(ctx *wf.TaskContext, version string) string {
return path.Join(ctx.WorkflowID.String(), "signing", version)
}
// awaitSigned waits for all of artifacts to be signed, plus the pkgs for
// darwinTargets.
func (tasks *BuildReleaseTasks) awaitSigned(ctx *wf.TaskContext, version string, darwinTargets []*releasetargets.Target, artifacts []artifact) ([]artifact, error) {
// .pkg artifacts are created by the signing process. Create placeholders,
// to be filled out once the files exist.
for _, t := range darwinTargets {
artifacts = append(artifacts, artifact{
Target: t,
Suffix: "pkg",
Filename: version + "." + t.Name + ".pkg",
Size: -1,
})
}
scratchFS, err := gcsfs.FromURL(ctx, tasks.GCSClient, tasks.ScratchURL)
if err != nil {
return nil, err
}
todo := map[artifact]bool{}
for _, a := range artifacts {
todo[a] = true
}
var signedArtifacts []artifact
check := func() ([]artifact, bool, error) {
for a := range todo {
signed, ok, err := readSignedArtifact(ctx, scratchFS, version, a)
if err != nil {
return nil, false, err
}
if !ok {
continue
}
signedArtifacts = append(signedArtifacts, signed)
delete(todo, a)
}
return signedArtifacts, len(todo) == 0, nil
}
return task.AwaitCondition(ctx, 30*time.Second, check)
}
func readSignedArtifact(ctx *wf.TaskContext, scratchFS fs.FS, version string, a artifact) (_ artifact, ok bool, _ error) {
// Our signing process has somewhat uneven behavior. In general, for things
// that contain their own signature, such as MSIs and .pkgs, we don't
// produce a GPG signature, just the new file. On macOS, tars can be signed
// too, but we GPG sign them anyway.
modifiedBySigning := false
hasGPG := false
suffix := func(suffix string) bool { return a.Suffix == suffix }
switch {
case suffix("src.tar.gz"):
hasGPG = true
case a.Target.GOOS == "darwin" && suffix("tar.gz"):
modifiedBySigning = true
hasGPG = true
case a.Target.GOOS == "darwin" && suffix("pkg"):
modifiedBySigning = true
case suffix("tar.gz"):
hasGPG = true
case suffix("msi"):
modifiedBySigning = true
case suffix("zip"):
// For reasons unclear, we don't sign zip files.
default:
return artifact{}, false, fmt.Errorf("unhandled file type %q", a.Suffix)
}
signed := artifact{
Target: a.Target,
Filename: a.Filename,
Suffix: a.Suffix,
}
stagingDir := signingStagingDir(ctx, version)
if modifiedBySigning {
signed.SignedPath = stagingDir + "/signed/" + a.Filename
} else {
signed.SignedPath = stagingDir + "/" + a.Filename
}
fi, err := fs.Stat(scratchFS, signed.SignedPath)
if err != nil {
return artifact{}, false, nil
}
if modifiedBySigning {
hash, err := fs.ReadFile(scratchFS, stagingDir+"/signed/"+a.Filename+".sha256")
if err != nil {
return artifact{}, false, nil
}
signed.Size = int(fi.Size())
signed.SHA256 = string(hash)
} else {
signed.SHA256 = a.SHA256
signed.Size = a.Size
}
if hasGPG {
sig, err := fs.ReadFile(scratchFS, stagingDir+"/signed/"+a.Filename+".asc")
if err != nil {
return artifact{}, false, nil
}
signed.GPGSignature = string(sig)
}
return signed, true, nil
}
func (tasks *BuildReleaseTasks) uploadArtifacts(ctx *wf.TaskContext, artifacts []artifact) error {
scratchFS, err := gcsfs.FromURL(ctx, tasks.GCSClient, tasks.ScratchURL)
if err != nil {
return err
}
servingFS, err := gcsfs.FromURL(ctx, tasks.GCSClient, tasks.ServingURL)
if err != nil {
return err
}
todo := map[artifact]bool{}
for _, a := range artifacts {
if err := uploadArtifact(scratchFS, servingFS, a); err != nil {
return err
}
todo[a] = true
}
check := func() (int, bool, error) {
for _, a := range artifacts {
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
defer cancel()
resp, err := ctxhttp.Head(ctx, http.DefaultClient, tasks.DownloadURL+"/"+a.Filename)
if err != nil && err != context.DeadlineExceeded {
return 0, false, err
}
resp.Body.Close()
cancel()
if resp.StatusCode == http.StatusOK {
delete(todo, a)
}
}
return 0, len(todo) == 0, nil
}
_, err = task.AwaitCondition(ctx, 30*time.Second, check)
return err
}
func uploadArtifact(scratchFS, servingFS fs.FS, a artifact) error {
in, err := scratchFS.Open(a.SignedPath)
if err != nil {
return err
}
defer in.Close()
out, err := gcsfs.Create(servingFS, a.Filename)
if err != nil {
return err
}
defer out.Close()
if _, err := io.Copy(out, in); err != nil {
return err
}
if err := out.Close(); err != nil {
return err
}
if err := gcsfs.WriteFile(servingFS, a.Filename+".sha256", []byte(a.SHA256)); err != nil {
return err
}
if a.GPGSignature != "" {
if err := gcsfs.WriteFile(servingFS, a.Filename+".asc", []byte(a.GPGSignature)); err != nil {
return err
}
}
return nil
}
// publishArtifacts publishes artifacts for version (typically so they appear at https://go.dev/dl/).
// It returns version, the Go version that has been successfully published.
//
// The version string uses the same format as Go tags. For example, "go1.19rc1".
func (tasks *BuildReleaseTasks) publishArtifacts(ctx *wf.TaskContext, version string, artifacts []artifact) (publishedVersion string, _ error) {
for _, a := range artifacts {
f := &task.WebsiteFile{
Filename: a.Filename,
Version: version,
ChecksumSHA256: a.SHA256,
Size: int64(a.Size),
}
if a.Target != nil {
f.OS = a.Target.GOOS
f.Arch = a.Target.GOARCH
if a.Target.GOARCH == "arm" {
f.Arch = "armv6l"
}
}
switch a.Suffix {
case "src.tar.gz":
f.Kind = "source"
case "tar.gz", "zip":
f.Kind = "archive"
case "msi", "pkg":
f.Kind = "installer"
}
if err := tasks.PublishFile(f); err != nil {
return "", err
}
}
ctx.Printf("Published %v artifacts for %v", len(artifacts), version)
return version, nil
}