diff --git a/.expeditor/build.habitat.yml b/.expeditor/build.habitat.yml
new file mode 100644
index 0000000..5c7e6ed
--- /dev/null
+++ b/.expeditor/build.habitat.yml
@@ -0,0 +1,12 @@
+---
+env:
+ HAB_REFRESH_CHANNEL: "LTS-2024"
+
+origin: chef
+
+expeditor:
+ defaults:
+ buildkite:
+ retry:
+ automatic:
+ limit: 1
diff --git a/.expeditor/buildkite/artifact.habitat.test.ps1 b/.expeditor/buildkite/artifact.habitat.test.ps1
new file mode 100644
index 0000000..b63683b
--- /dev/null
+++ b/.expeditor/buildkite/artifact.habitat.test.ps1
@@ -0,0 +1,84 @@
+#!/usr/bin/env powershell
+
+#Requires -Version 5
+# https://stackoverflow.com/questions/9948517
+# TODO: Set-StrictMode -Version Latest
+$PSDefaultParameterValues['*:ErrorAction']='Stop'
+$ErrorActionPreference = 'Stop'
+$env:HAB_ORIGIN = 'ci'
+$env:CHEF_LICENSE = 'accept-no-persist'
+$env:HAB_LICENSE = 'accept-no-persist'
+$Plan = 'chef-vault'
+
+Write-Host "--- system details"
+$Properties = 'Caption', 'CSName', 'Version', 'BuildType', 'OSArchitecture'
+Get-CimInstance Win32_OperatingSystem | Select-Object $Properties | Format-Table -AutoSize
+
+Write-Host "--- Installing the version of Habitat required"
+
+function Stop-HabProcess {
+ $habProcess = Get-Process hab -ErrorAction SilentlyContinue
+ if ($habProcess) {
+ Write-Host "Stopping hab process..."
+ Stop-Process -Name hab -Force
+ }
+}
+
+function Install-Habitat {
+ Write-Host "Downloading and installing Habitat..."
+ Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1'))
+}
+
+try {
+ hab --version
+}
+catch {
+ Set-ExecutionPolicy Bypass -Scope Process -Force
+
+ Stop-HabProcess
+
+ # Remove the existing hab.exe if it exists and if you have permissions
+ $habPath = "C:\ProgramData\Habitat\hab.exe"
+ if (Test-Path $habPath) {
+ Write-Host "Attempting to remove existing hab.exe..."
+ Remove-Item $habPath -Force -ErrorAction SilentlyContinue
+ if (Test-Path $habPath) {
+ Write-Host "Failed to remove hab.exe, re-running script with elevated permissions."
+ Start-Process powershell -Verb runAs -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
+ exit
+ }
+ }
+
+ Install-Habitat
+}
+finally {
+ Write-Host ":habicat: I think I have the version I need to build."
+}
+
+
+Write-Host "--- Generating fake origin key"
+hab origin key generate $env:HAB_ORIGIN
+
+Write-Host "--- Building $Plan"
+$project_root = "$(git rev-parse --show-toplevel)"
+Set-Location $project_root
+
+$env:DO_CHECK=$true; hab pkg build .
+
+. $project_root/results/last_build.ps1
+
+Write-Host "--- Installing $pkg_ident/$pkg_artifact"
+hab pkg install -b $project_root/results/$pkg_artifact
+
+Write-Host "+++ Testing $Plan"
+
+Push-Location $project_root
+
+try {
+ $scriptPath = Join-Path $project_root "habitat/tests/test.ps1"
+ & $scriptPath $pkg_ident
+}
+finally {
+ # Ensure we always return to the original directory
+ Pop-Location
+}
diff --git a/.expeditor/buildkite/artifact.habitat.test.sh b/.expeditor/buildkite/artifact.habitat.test.sh
new file mode 100755
index 0000000..2233bd8
--- /dev/null
+++ b/.expeditor/buildkite/artifact.habitat.test.sh
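Review bot: `Install-Habitat` downloads `install.ps1` from the mutable `main` branch and hands it straight to `Invoke-Expression`, so whatever that URL serves at build time runs on the agent with no integrity check; `artifact.habitat.test.sh` in this commit does the same with `curl … | bash`. Fetch the installer from a pinned tag or commit into a file, compare its SHA-256 (`Get-FileHash` here, `sha256sum -c` on Linux) with a value kept in this repository, and only then execute it; on the curl side also add `-f` so an HTTP error body is never piped into bash. Separately, the bare `exit` after `Start-Process powershell -Verb runAs` ends the step with status 0 before anything is built or tested, and none of the native `hab` calls is followed by a `$LASTEXITCODE` check, so the step can report success without having validated the package.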
@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+export HAB_ORIGIN='ci'
+export PLAN='chef-vault'
+export CHEF_LICENSE="accept-no-persist"
+export HAB_LICENSE="accept-no-persist"
+
+echo "--- checking if git is installed"
+if ! command -v git &> /dev/null; then
+ echo "Git is not installed. Installing Git..."
+ sudo yum install -y git
+else
+ echo "Git is already installed."
+ git --version
+fi
+
+echo "--- add an exception for this directory since detected dubious ownership in repository at /workdir"
+git config --global --add safe.directory /workdir
+
+echo "--- git status for this workdir"
+git status
+
+echo "--- ruby version"
+ruby -v
+
+export project_root="$(git rev-parse --show-toplevel)"
+echo "The value for project_root is: $project_root"
+
+export HAB_NONINTERACTIVE=true
+export HAB_NOCOLORING=true
+export HAB_STUDIO_SECRET_HAB_NONINTERACTIVE=true
+
+echo "--- system details"
+uname -a
+
+echo "--- Installing Habitat"
+id -a
+curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | bash
+
+echo "--- :key: Generating fake origin key"
+hab origin key generate "$HAB_ORIGIN"
+
+
+echo "--- Building $PLAN"
+cd "$project_root"
+DO_CHECK=true hab pkg build .
+
+echo "--- Sourcing 'results/last_build.sh'"
+if [ -f ./results/last_build.env ]; then
+ cat ./results/last_build.env
+ . ./results/last_build.env
+ export pkg_artifact
+fi
+
+echo "+++ Installing ${pkg_ident:?is undefined}"
+echo "++++"
+echo $project_root
+echo "+++"
+hab pkg install -b "${project_root:?is undefined}/results/${pkg_artifact:?is undefined}"
+
+echo "+++ Testing $PLAN"
+
+PATH="$(hab pkg path ci/chef-vault)/bin:$PATH"
+export PATH
+echo "PATH is $PATH"
+
+echo "--- :mag_right: Testing $PLAN"
+"${project_root}/habitat/tests/test.sh" "$pkg_ident"
diff --git a/.expeditor/config.yml b/.expeditor/config.yml
index e5b8b05..d3b6dad 100644
--- a/.expeditor/config.yml
+++ b/.expeditor/config.yml
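Review bot: The block that loads the build results is skipped silently when `./results/last_build.env` is missing, and its banner names `results/last_build.sh`, a different file; the failure only surfaces afterwards as `pkg_ident: is undefined`. Fail where the cause is, e.g. `[ -f ./results/last_build.env ] || { echo "results/last_build.env not found" >&2; exit 1; }`, and correct the banner text. `cat ./results/last_build.env` also copies the whole file into the build log, so it is worth confirming that file never carries anything sensitive. Further down, `hab pkg path ci/chef-vault` hard-codes values already held in `$HAB_ORIGIN` and `$PLAN`, and `echo $project_root` is unquoted.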
@@ -3,17 +3,15 @@ # Slack channel in Chef Software slack to send notifications about build failures, etc slack: - notify_channel: chef-infra-notify + notify_channel: chef-ws-notify # This publish is triggered by the `built_in:publish_rubygems` artifact_action. rubygems: - chef-vault -release_branches: - - workstation-LTS: - version_constraint: 4.* - - main: - version_constraint: 4.* +artifact_channels: + - unstable + - chef-dke-lts2024 github: # This deletes the GitHub PR branch after successfully merged into the release branch @@ -27,6 +25,10 @@ github: major_bump_labels: - "Expeditor: Bump Version Major" +release_branches: + - main: + version_constraint: 4.* + changelog: rollup_header: Changes not yet released to rubygems.org @@ -46,12 +48,35 @@ subscriptions: - "Expeditor: Skip All" - built_in:build_gem: only_if: built_in:bump_version + - trigger_pipeline:habitat/build: + only_if: built_in:bump_version + ignore_labels: + - "Expeditor: Skip Habitat" + - "Expeditor: Skip All" + - workload: project_promoted:{{agent_id}}:* actions: - built_in:rollover_changelog + + # Subscribe to the promotion of the unstable channel to stable(chef-dke-lts2024) + - workload: project_promoted:{{agent_id}}:unstable:* + actions: + - built_in:promote_habitat_packages - built_in:publish_rubygems pipelines: - verify: description: Pull Request validation tests - public: true + - habitat/build: + env: + - HAB_NONINTERACTIVE: "true" + - HAB_NOCOLORING: "true" + - HAB_STUDIO_SECRET_HAB_NONINTERACTIVE: "true" + - habitat/test: + description: Execute tests against the habitat artifact + definition: .expeditor/habitat-test.pipeline.yml + env: + - HAB_NONINTERACTIVE: "true" + - HAB_NOCOLORING: "true" + - HAB_STUDIO_SECRET_HAB_NONINTERACTIVE: "true" + trigger: pull_request \ No newline at end of file diff --git a/.expeditor/habitat-test.pipeline.yml b/.expeditor/habitat-test.pipeline.yml new file mode 100644 index 0000000..f85d2a3 --- /dev/null +++ b/.expeditor/habitat-test.pipeline.yml 
@@ -0,0 +1,36 @@
+---
+expeditor:
+ defaults:
+ buildkite:
+ timeout_in_minutes: 30
+ env:
+ HAB_REFRESH_CHANNEL: "LTS-2024"
+ retry:
+ automatic:
+ limit: 1
+
+steps:
+
+ - label: ":linux: Validate Habitat Builds of Chef-vault"
+ commands:
+ - .expeditor/buildkite/artifact.habitat.test.sh
+ expeditor:
+ executor:
+ docker:
+ image: ruby:3.1
+ privileged: true
+
+ - label: ":windows: Validate Habitat Builds of Chef-vault"
+ commands:
+ - .expeditor/buildkite/artifact.habitat.test.ps1
+ expeditor:
+ executor:
+ docker:
+ host_os: windows
+ shell: ["powershell", "-Command"]
+ image: rubydistros/windows-2019:3.1
+ user: 'NT AUTHORITY\SYSTEM'
+ environment:
+ - FORCE_FFI_YAJL=ext
+ - EXPIRE_CACHE=true
+ - CHEF_LICENSE=accept-no-persist
\ No newline at end of file
diff --git a/.expeditor/run_windows_tests.ps1 b/.expeditor/run_windows_tests.ps1
index 3cce207..2f80a4b 100644
--- a/.expeditor/run_windows_tests.ps1
+++ b/.expeditor/run_windows_tests.ps1
@@ -18,4 +18,4 @@ If ($lastexitcode -ne 0) { Exit $lastexitcode } Write-Output "--- Bundle Execute" bundle exec rake -If ($lastexitcode -ne 0) { Exit $lastexitcode } \ No newline at end of file +If ($lastexitcode -ne 0) { Exit $lastexitcode }
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47fb5f4..43484ac 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
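Review bot: The Linux step runs its Docker executor with `privileged: true` and the Windows step runs as `NT AUTHORITY\SYSTEM`, while `.expeditor/config.yml` in this same commit sets `trigger: pull_request` for `habitat/test`, so code proposed in a pull request presumably executes with those privileges. Nothing visible in `artifact.habitat.test.sh` states why a privileged container is needed; if the Habitat build does require it, record that next to the flag with a comment such as `# privileged: required by hab pkg build (studio) — confirm`, otherwise drop it. `image: ruby:3.1` and `rubydistros/windows-2019:3.1` are mutable tags, and pinning both by digest would keep the build inputs fixed between runs.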
@@ -1,16 +1,20 @@ # chef-vault Change Log - -## [v4.1.13](https://github.com/chef/chef-vault/tree/v4.1.13) (2024-09-25) + +## [v0.1.2](https://github.com/chef/chef-vault/tree/v0.1.2) (2025-01-06) #### Merged Pull Requests -- CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611)) +- Empty commit to test pipelines [#427](https://github.com/chef/chef-vault/pull/427) ([nikhil2611](https://github.com/nikhil2611)) ### Changes not yet released to rubygems.org #### Merged Pull Requests +- Empty commit to test pipelines [#427](https://github.com/chef/chef-vault/pull/427) ([nikhil2611](https://github.com/nikhil2611)) +- Adding pipelines to trigger pipeline automatically [#426](https://github.com/chef/chef-vault/pull/426) ([nikhil2611](https://github.com/nikhil2611)) +- Removed the manually created pipelines and added the channels [#425](https://github.com/chef/chef-vault/pull/425) ([nikhil2611](https://github.com/nikhil2611)) +- Test commit for pipeline testing [#424](https://github.com/chef/chef-vault/pull/424) ([ashiqueps](https://github.com/ashiqueps)) - CHEF-3710-chef-vault warning message includes sensitive info [#414](https://github.com/chef/chef-vault/pull/414) ([nikhil2611](https://github.com/nikhil2611)) - Integrating with sonarQube [#406](https://github.com/chef/chef-vault/pull/406) ([nikhil2611](https://github.com/nikhil2611)) diff --git a/Gemfile b/Gemfile index c8defbb..75b5b37 100644 --- a/Gemfile +++ b/Gemfile @@ -5,6 +5,7 @@ gemspec group :development do gem "chefstyle" gem "rake" + gem "appbundler" if Gem::Version.new(RUBY_VERSION) < Gem::Version.new("3.0.0") gem "contracts", "~> 0.16.1" # pin until we drop ruby < 2.7 gem "chef-zero" diff --git a/habitat/plan.ps1 b/habitat/plan.ps1 new file mode 100644 index 0000000..1c3a7fd --- /dev/null +++ b/habitat/plan.ps1 
@@ -0,0 +1,91 @@
+$ErrorActionPreference = "Stop"
+$PSDefaultParameterValues['*:ErrorAction']='Stop'
+
+$pkg_name="chef-vault"
+$pkg_origin="chef"
+$pkg_version=$(Get-Content "$PLAN_CONTEXT/../VERSION")
+$pkg_maintainer="The Chef Maintainers "
+
+$pkg_deps=@(
+ "chef/ruby31-plus-devkit"
+ "core/git"
+)
+$pkg_bin_dirs=@("bin"
+ "vendor/bin")
+$project_root= (Resolve-Path "$PLAN_CONTEXT/../").Path
+
+function pkg_version {
+ Get-Content "$SRC_PATH/VERSION"
+}
+
+function Invoke-Before {
+ Set-PkgVersion
+}
+function Invoke-SetupEnvironment {
+ Push-RuntimeEnv -IsPath GEM_PATH "$pkg_prefix/vendor"
+
+ Set-RuntimeEnv APPBUNDLER_ALLOW_RVM "true" # prevent appbundler from clearing out the carefully constructed runtime GEM_PATH
+ Set-RuntimeEnv FORCE_FFI_YAJL "ext"
+ Set-RuntimeEnv LANG "en_US.UTF-8"
+ Set-RuntimeEnv LC_CTYPE "en_US.UTF-8"
+}
+
+function Invoke-Build {
+ try {
+ $env:Path += ";c:\\Program Files\\Git\\bin"
+ Push-Location $project_root
+ $env:GEM_HOME = "$HAB_CACHE_SRC_PATH/$pkg_dirname/vendor"
+
+ Write-BuildLine " ** Configuring bundler for this build environment"
+ bundle config --local without integration deploy maintenance
+ bundle config --local jobs 4
+ bundle config --local retry 5
+ bundle config --local silence_root_warning 1
+ Write-BuildLine " ** Using bundler to retrieve the Ruby dependencies"
+ bundle install
+
+ gem build chef-vault.gemspec
+ Write-BuildLine " ** Using gem to install"
+ gem install chef-vault*.gem --no-document
+
+ If ($lastexitcode -ne 0) { Exit $lastexitcode }
+ } finally {
+ Pop-Location
+ }
+}
+
+function Invoke-Install {
+ Write-BuildLine "** Copy built & cached gems to install directory"
+ Copy-Item -Path "$HAB_CACHE_SRC_PATH/$pkg_dirname/*" -Destination $pkg_prefix -Recurse -Force -Exclude @("gem_make.out", "mkmf.log", "Makefile",
+ "*/latest", "latest",
+ "*/JSON-Schema-Test-Suite", "JSON-Schema-Test-Suite")
+
+ try {
+ Push-Location $pkg_prefix
+ bundle config --local gemfile $project_root/Gemfile
+ Write-BuildLine "** generating binstubs for chef-vault with precise version pins"
+ Write-BuildLine "** generating binstubs for chef-vault with precise version pins $project_root $pkg_prefix/bin "
+ Invoke-Expression -Command "appbundler.bat $project_root $pkg_prefix/bin chef-vault"
+ If ($lastexitcode -ne 0) { Exit $lastexitcode }
+ Write-BuildLine " ** Running the chef-vault project's 'rake install' to install the path-based gems so they look like any other installed gem."
+
+ If ($lastexitcode -ne 0) { Exit $lastexitcode }
+ } finally {
+ Pop-Location
+ }
+}
+
+function Invoke-After {
+ # We don't need the cache of downloaded .gem files ...
+ Remove-Item $pkg_prefix/vendor/cache -Recurse -Force
+ # We don't need the gem docs.
+ Remove-Item $pkg_prefix/vendor/doc -Recurse -Force
+ # We don't need to ship the test suites for every gem dependency,
+ # only inspec's for package verification.
+ Get-ChildItem $pkg_prefix/vendor/gems -Filter "spec" -Directory -Recurse -Depth 1 `
+ | Where-Object -FilterScript { $_.FullName -notlike "*chef-vault*" } `
+ | Remove-Item -Recurse -Force
+ # Remove the byproducts of compiling gems with extensions
+ Get-ChildItem $pkg_prefix/vendor/gems -Include @("gem_make.out", "mkmf.log", "Makefile") -File -Recurse `
+ | Remove-Item -Force
+}
\ No newline at end of file
diff --git a/habitat/plan.sh b/habitat/plan.sh
new file mode 100644
index 0000000..2d83e23
--- /dev/null
+++ b/habitat/plan.sh
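Review bot: In `Invoke-Install` the appbundler command is assembled as a string for `Invoke-Expression`, so `$project_root` and `$pkg_prefix` are parsed again as PowerShell and a path containing a space or a metacharacter changes the command that runs; invoke it directly with `& appbundler.bat $project_root "$pkg_prefix/bin" chef-vault`. In `Invoke-Build` only the final `gem install` is followed by a `$lastexitcode` check, so a failing `bundle install` or `gem build` does not stop the build at the step that failed. The second `If ($lastexitcode -ne 0)` in `Invoke-Install` follows a `Write-BuildLine` announcing a `rake install` that is never run, and the `Invoke-After` comment refers to inspec; both look carried over from another plan and should be removed or corrected.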
@@ -0,0 +1,93 @@
+ruby_pkg="core/ruby3_1"
+pkg_name="chef-vault"
+pkg_origin="chef"
+pkg_maintainer="The Chef Maintainers "
+pkg_description="Gem that allows you to encrypt a Chef Data Bag Item using the public keys of a list of chef nodes. This allows only those chef nodes to decrypt the encrypted values."
+pkg_license=('Apache-2.0')
+pkg_bin_dirs=(
+ bin
+)
+pkg_build_deps=(
+ core/make
+ core/bash
+ core/gcc
+ core/libarchive
+)
+pkg_deps=(${ruby_pkg} core/coreutils core/git)
+
+pkg_svc_user=root
+
+do_setup_environment() {
+ build_line 'Setting GEM_HOME="$pkg_prefix/vendor"'
+ export GEM_HOME="$pkg_prefix/vendor"
+
+ build_line "Setting GEM_PATH=$GEM_HOME"
+ export GEM_PATH="$GEM_HOME"
+}
+
+pkg_version() {
+ cat "$SRC_PATH/VERSION"
+}
+
+do_before() {
+ update_pkg_version
+}
+
+do_unpack() {
+ mkdir -pv "$HAB_CACHE_SRC_PATH/$pkg_dirname"
+ cp -RT "$PLAN_CONTEXT"/.. "$HAB_CACHE_SRC_PATH/$pkg_dirname/"
+}
+
+do_build() {
+
+ export GEM_HOME="$pkg_prefix/vendor"
+
+ build_line "Setting GEM_PATH=$GEM_HOME"
+ export GEM_PATH="$GEM_HOME"
+ bundle config --local without integration deploy maintenance
+ bundle config --local jobs 4
+ bundle config --local retry 5
+ bundle config --local silence_root_warning 1
+ bundle install
+ gem build chef-vault.gemspec
+}
+
+do_install() {
+ export GEM_HOME="$pkg_prefix/vendor"
+
+ build_line "Setting GEM_PATH=$GEM_HOME"
+ export GEM_PATH="$GEM_HOME"
+ gem install chef-vault-*.gem --no-document
+ wrap_ruby_chef_vault
+ set_runtime_env "GEM_PATH" "${pkg_prefix}/vendor"
+}
+
+wrap_ruby_chef_vault() {
+ local bin="$pkg_prefix/bin/chef-vault"
+ local real_bin="$GEM_HOME/gems/chef-vault-${pkg_version}/bin/chef-vault"
+ wrap_bin_with_ruby "$bin" "$real_bin"
+}
+
+wrap_bin_with_ruby() {
+ local bin="$1"
+ local real_bin="$2"
+ build_line "Adding wrapper $bin to $real_bin"
+ cat < "$bin"
+#!$(pkg_path_for core/bash)/bin/bash
+set -e
+
+# Set binary path that allows chef-vault to use non-Hab pkg binaries
+export PATH="/sbin:/usr/sbin:/usr/local/sbin:/usr/local/bin:/usr/bin:/bin:\$PATH"
+
+# Set Ruby paths defined from 'do_setup_environment()'
+export GEM_HOME="$pkg_prefix/vendor"
+export GEM_PATH="$GEM_PATH"
+
+exec $(pkg_path_for ${ruby_pkg})/bin/ruby $real_bin \$@
+EOF
+ chmod -v 755 "$bin"
+}
+
+do_strip() {
+ return 0
+}
diff --git a/habitat/tests/test.ps1 b/habitat/tests/test.ps1
new file mode 100644
index 0000000..07ecf03
--- /dev/null
+++ b/habitat/tests/test.ps1
@@ -0,0 +1,22 @@
+param (
+ [Parameter()]
+ [string]$PackageIdentifier = $(throw "Usage: test.ps1 [test_pkg_ident] e.g. test.ps1 ci/user-windows/1.0.0/20190812103929")
+)
+
+
+Write-Host "--- :fire: Smokish test"
+# Pester the Package
+$help_message=hab pkg exec "${pkg_ident}" -- chef-vault -h
+$original_message="Usage: chef-vault"
+
+Write-Host "Checking the help message of the package"
+Write-Host "Expected: $original_message"
+Write-Host "Actual: $help_message"
+if ($help_message -like "*$original_message*")
+{
+ Write "Chef-vault is working fine"
+}
+else {
+ Write-Error "chef-vault binary doesn't return the correct usage message "
+ throw "Chef-vault windows pipeline not working for hab pkg"
+}
diff --git a/habitat/tests/test.sh b/habitat/tests/test.sh
new file mode 100755
index 0000000..30c7348
--- /dev/null
+++ b/habitat/tests/test.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -euo pipefail
+
+project_root="$(git rev-parse --show-toplevel)"
+pkg_ident="$1"
+
+# print error message followed by usage and exit
+error () {
+ local message="$1"
+
+ echo -e "\nERROR: ${message}\n" >&2
+
+ exit 1
+}
+
+[[ -n "$pkg_ident" ]] || error 'no hab package identity provided'
+
+package_version=$(awk -F / '{print $3}' <<<"$pkg_ident")
+
+cd "${project_root}"
+
+echo "--- :mag_right: Testing ${pkg_ident} executables"
+help_message=$(hab pkg exec "${pkg_ident}" -- chef-vault -h)
+original_help="Usage: chef-vault"
+[[ $help_message =~ $original_help ]] || error "chef-vault help command is not as expected"
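Review bot: The wrapper written by `wrap_bin_with_ruby` ends with `exec … $real_bin \$@`, so at run time the unquoted `$@` is word-split and glob-expanded and any argument containing whitespace reaches chef-vault in pieces; write `"\$@"` in the wrapper template instead. `pkg_svc_user=root` is set although nothing in this plan defines a service; if chef-vault only ships as a CLI, drop the line rather than default to root. The wrapper also places `/sbin:/usr/sbin:…:/bin` ahead of the inherited `PATH`, so host binaries take precedence over Habitat-provided ones; the comment says this is intended, and it would help to name which host binaries chef-vault needs.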
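Review bot: `test.ps1` declares the parameter `$PackageIdentifier`, but the `hab pkg exec` line reads `${pkg_ident}`, which this script never assigns. It resolves only when the caller already has `$pkg_ident` in scope, as `artifact.habitat.test.ps1` does after dot-sourcing `last_build.ps1`, and it is empty when the script is run the way its own usage text describes. Use the parameter: `$help_message = hab pkg exec $PackageIdentifier -- chef-vault -h`. The exit status of `hab` is not checked either, so the result rests on the `-like` match alone.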
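Review bot: With `set -u` in effect, `pkg_ident="$1"` in `test.sh` aborts with bash's own unbound-variable message when no argument is passed, so the `[[ -n "$pkg_ident" ]] || error …` guard below it is never reached; use `pkg_ident="${1:-}"`. `package_version` is computed and never used, and the comment above `error` promises a usage message that the function does not print. The final check treats the expected text as a regular expression; a literal match, `[[ $help_message == *"$original_help"* ]]`, states the intent more directly.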