From ae7b9384fa47cf1314d2693346a6e3fff5b7700a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 1/5] Fix building EVN & -S Cloudsmith packages

Setting "artifacts: false" for the dependency on the "publish-private" job prevents the url-*.txt files produced by that job from being pulled from GitLab when the jobs that build EVN & -S Cloudsmith packages are run, effectively breaking the latter. Fix by making these jobs depend on the artifacts of the "publish-private" job.

(cherry picked from commit b36f17238b5a4e00828aeffa39b03a89cfd9a257)
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7270322afe..c80040bfaa 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2068,7 +2068,7 @@ publish:
   <<: *manual_release_job_qa
   needs:
     - job: publish-private
-      artifacts: false
+      artifacts: true
   script:
     - >
       "${CI_PROJECT_DIR}"/bind9-qa/releng/update_rpms.py build --service "${SERVICE}" --version "${CI_COMMIT_TAG}" --base-url "$(cat "url-${CI_COMMIT_TAG}.txt")"
From d99835fffbf082f63f6fd0c083a18d4b8151903b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 2/5] Extend artifact lifetime for Cloudsmith build jobs

The commit.txt file produced by each Cloudsmith build job is required to run the corresponding publication job. Therefore, the artifact lifetime for the former must be long enough to prevent the file from expiring before the publication job is run. Set the lifetime of the artifacts created by Cloudsmith build jobs to one month to ensure that the publication jobs can access them.

(cherry picked from commit ce09f8d0f8fc9053ac4806f2231ee9625a9ed473)
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index c80040bfaa..f59a1774a6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
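Review bot: The `--base-url` value on the script line comes from `$(cat "url-${CI_COMMIT_TAG}.txt")`, so if the artifact is absent or empty (expired, or the dependency not run) the command still executes with a blank base URL and only cat's stderr hints at the cause; switching `artifacts` to `true` fixes the case in the commit message but not that one. I would add a guard before the folded command, `- test -s "url-${CI_COMMIT_TAG}.txt"`, so the job stops with an obvious reason instead of handing update_rpms.py an empty URL. The enclosing job definition starts outside the hunk.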
@@ -2090,6 +2090,7 @@ rpms-cloudsmith-build:
   artifacts:
     paths:
       - commit.txt
+    expire_in: "1 month"
 
 rpms-cloudsmith-build-private:
   <<: *rpm_build_job_private
@@ -2100,6 +2101,7 @@ rpms-cloudsmith-build-private:
   artifacts:
     paths:
       - commit.txt
+    expire_in: "1 month"
 
 # Publish Cloudsmith packages
 
From 0f86eafac76ab57ecde60578caec6559c75654c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 3/5] Tighten dependencies for tag-related jobs

The "merge-tag" and "update-stable-tag" jobs currently use the "manual_release_job_qa" YAML anchor, which makes them depend on the "staging" job. Meanwhile, both of these jobs require the tag they were created for to be public for them to work. While this is harmless, as these jobs will simply fail if they are run too early, it still makes sense for them to depend on the "publish" job instead, if only to reduce confusion in the pipeline view. Adjust the "needs" key for the "merge-tag" and "update-stable-tag" jobs accordingly.

(cherry picked from commit 722290dce6d2caca8cf5615b5c3fa52ea500f1a1)
---
 .gitlab-ci.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f59a1774a6..cee1bbacec 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2241,6 +2241,10 @@ merge-tag:
   <<: *manual_release_job_qa
   variables:
     GIT_DEPTH: 100
+  needs:
+    # TODO: if necessary, update job name after pushing tags from within CI is implemented
+    - job: publish
+      artifacts: false
   script:
     - >
       "$CI_PROJECT_DIR"/bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
@@ -2255,6 +2259,10 @@ update-stable-tag:
   <<: *manual_release_job_qa
   variables:
     GIT_DEPTH: 1
+  needs:
+    # TODO: if necessary, update job name after pushing tags from within CI is implemented
+    - job: publish
+      artifacts: false
   script:
     - >
       "$CI_PROJECT_DIR"/bind9-qa/releng/update_stable_tag.py --tag "$CI_COMMIT_TAG"
From 9eea72e0d0537aebc41f673b31cad0777a2c6d2b Mon Sep 17 00:00:00 2001
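Review bot: `expire_in: "1 month"` is set for commit.txt in both rpms-cloudsmith-build hunks, but the url-*.txt artifacts of publish-private, which the build jobs pull since the previous patch in this series, presumably need a comparable lifetime, and the publish-private artifacts block is outside this hunk so I cannot confirm it already has one. Without it the build jobs can hit the same expiry race this commit fixes for the publication jobs. The reason for one month lives only in the commit message; a short comment on the value, `# must outlive the wait between build and the manual publication job`, keeps it from being shortened later.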
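Review bot: The explicit `needs` key added to merge-tag, and the identical one added to update-stable-tag in the next hunk, replaces the dependency on "staging" that the `manual_release_job_qa` anchor supplies (per the commit message), because an explicit key wins over `<<:`; nothing in the hunk says so, and the TODO comment covers only the job name. I would state it in the comment, `# overrides "needs" from manual_release_job_qa: this job requires the tag to be public, so wait for "publish"`, so a future change to the anchor's dependencies is not assumed to reach these two jobs. Both job definitions continue outside the hunks.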
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 4/5] Prevent unscheduled release publication

The "publish" job has no dependencies on other jobs, so nothing prevents it from being accidentally started before the scheduled publication date. Although publication still requires confirmation via an SSH connection to a dedicated, locked-down runner, performing that action prematurely may have drastic consequences. Therefore, it is worth implementing additional safeguards. Add an extra check to the "publish" job to ensure it can only be run on the scheduled publication day. In exceptional circumstances, this check can be overridden by setting the FORCE_PUBLICATION CI variable to any non-empty value.

(cherry picked from commit ce977f53b923072759a09f389d75de103e70c7e5)
---
 .gitlab-ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cee1bbacec..f491fbec06 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2027,6 +2027,10 @@ publish-private:
 
 publish:
   <<: *signer_ssh_job
+  before_script:
+    - TODAY="$(date +%Y-%m-%d)"
+    - SCHEDULED_PUBLICATION="$(curl -m 5 -s "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")"
+    - if [ -z "${FORCE_PUBLICATION}" ] && [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
From d23180e3257a3fe8ca539969e7bb94cbcc8f5f53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 5/5] Fix distros token deletion in CI

Clone the BIND 9 QA repository before invoking a script in it.

(cherry picked from commit 2ffae8e52a8dc6134a4364b374651e5abb9c908b)
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)

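Review bot: The new before_script compares `date +%Y-%m-%d` in the runner's local timezone with `.schedule.public`, whose timezone is not visible from this hunk, so near midnight the gate can open a day early or close a day late; `date -u +%Y-%m-%d` plus a comment naming the zone the metadata is written in removes that ambiguity. The fetch uses `curl -s` without `-f`, so an HTTP error body is fed to jq and a missing key yields the literal `null`; the check still fails closed, but the operator sees `publication is scheduled for null` (or an empty value) and cannot tell an outage from an unscheduled attempt. The `FORCE_PUBLICATION` override accepts any non-empty value and leaves nothing in the job log, which deserves an explicit message since the log is the audit trail for a deliberate early publication. I would restructure the three lines as below; the rest of the `publish` job continues outside the hunk.
```yaml
  before_script:
    # compare calendar dates in UTC; .schedule.public is assumed to be a UTC date — confirm against metadata.json
    - TODAY="$(date -u +%Y-%m-%d)"
    - SCHEDULED_PUBLICATION="$(curl -fsS -m 5 "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")"
    - if [ -z "${SCHEDULED_PUBLICATION}" ] || [ "${SCHEDULED_PUBLICATION}" = "null" ]; then echo "Could not determine the scheduled publication date; refusing to publish"; exit 1; fi
    - if [ -n "${FORCE_PUBLICATION}" ]; then echo "FORCE_PUBLICATION is set; bypassing the scheduled publication date check (${SCHEDULED_PUBLICATION})"; elif [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi
  # … unchanged: variables / SSH_SCRIPT_CLIENT …
```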
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f491fbec06..8da287009e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2035,6 +2035,7 @@ publish:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
   after_script:
+    - *git_clone_bind9-qa
     - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi
   artifacts:
     paths:
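Review bot: The clone added as the first after_script line and the token deletion after it both run in `after_script`, where, as far as I recall GitLab's semantics, a non-zero exit does not change the job status, so a failed clone or a failed `manage_distros_token.py delete` leaves the token alive while the job still reports success. Since removing that token is the cleanup that limits its exposure, the failure should at least be loud, e.g. `... manage_distros_token.py delete || echo "WARNING: distros token was NOT deleted"`, and ideally be verified by a separate job that fails when deletion fails. The clone also now runs on every outcome although only the success branch uses it; guarding it with the same `CI_JOB_STATUS` test avoids an unnecessary checkout on failed runs. The `publish` job starts before the hunk.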