upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 13:20:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Prevent unscheduled release publication

Browse source 
The "publish" job has no dependencies on other jobs, so nothing prevents
it from being accidentally started before the scheduled publication
date.  Although publication still requires confirmation via an SSH
connection to a dedicated, locked-down runner, performing that action
prematurely may have drastic consequences.  Therefore, it is worth
implementing additional safeguards.

Add an extra check to the "publish" job to ensure it can only be run on
the scheduled publication day.  In exceptional circumstances, this check
can be overridden by setting the FORCE_PUBLICATION CI variable to any
non-empty value.

(cherry picked from commit ce977f53b9)
This commit is contained in:
Michał Kępień 2026-03-25 18:09:02 +01:00
parent 3d2af75b98
commit 1b6527b2c8
No known key found for this signature in database
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.gitlab-ci.yml
View file

@ -1842,6 +1842,10 @@ publish-private:
publish:
<<: *signer_ssh_job
before_script:
- TODAY="$(date +%Y-%m-%d)"
- SCHEDULED_PUBLICATION="$(curl -m 5 -s "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")"
- if [ -z "${FORCE_PUBLICATION}" ] && [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi
variables:
SSH_SCRIPT_CLIENT: |-
ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"