From 5f6ca62c5f0a36c38bd7d447e42cc9fe782e3042 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 1/5] Fix building EVN & -S Cloudsmith packages
Setting "artifacts: false" for the dependency on the "publish-private" job prevents the url-*.txt files produced by that job from being pulled from GitLab when the jobs that build EVN & -S Cloudsmith packages are run, effectively breaking the latter. Fix by making these jobs depend on the artifacts of the "publish-private" job.
(cherry picked from commit b36f17238b5a4e00828aeffa39b03a89cfd9a257)
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 44beeab8dc..47563afaf4 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1883,7 +1883,7 @@ publish: <<: *manual_release_job_qa needs: - job: publish-private - artifacts: false + artifacts: true script: - > "${CI_PROJECT_DIR}"/bind9-qa/releng/update_rpms.py build --service "${SERVICE}" --version "${CI_COMMIT_TAG}" --base-url "$(cat "url-${CI_COMMIT_TAG}.txt")"
From 4398c74b7f5a278450c7d9df6477af185fde2f2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 2/5] Extend artifact lifetime for Cloudsmith build jobs
The commit.txt file produced by each Cloudsmith build job is required to run the corresponding publication job. Therefore, the artifact lifetime for the former must be long enough to prevent the file from expiring before the publication job is run. Set the lifetime of the artifacts created by Cloudsmith build jobs to one month to ensure that the publication jobs can access them.
(cherry picked from commit ce09f8d0f8fc9053ac4806f2231ee9625a9ed473)
---
 .gitlab-ci.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 47563afaf4..b80eb5e592 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1905,6 +1905,7 @@ rpms-cloudsmith-build: artifacts: paths: - commit.txt + expire_in: "1 month" rpms-cloudsmith-build-private: <<: *rpm_build_job_private
@@ -1915,6 +1916,7 @@ rpms-cloudsmith-build-private: artifacts: paths: - commit.txt + expire_in: "1 month" # Publish Cloudsmith packages
From 3d2af75b98426e3d9c0b5e51f590523953180bee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 3/5] Tighten dependencies for the "merge-tag" job
The "merge-tag" job currently uses the "manual_release_job_qa" YAML anchor, which makes it depend on the "staging" job. Meanwhile, this job requires the tag it was created for to be public for it to work. While this is harmless, as this job will simply fail if it is run too early, it still makes sense for it to depend on the "publish" job instead, if only to reduce confusion in the pipeline view. Adjust the "needs" key for the "merge-tag" job accordingly.
(cherry picked from commit 722290dce6d2caca8cf5615b5c3fa52ea500f1a1)
---
 .gitlab-ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b80eb5e592..d107606df7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2056,6 +2056,10 @@ merge-tag: <<: *manual_release_job_qa variables: GIT_DEPTH: 100 + needs: + # TODO: if necessary, update job name after pushing tags from within CI is implemented + - job: publish + artifacts: false script: - > "$CI_PROJECT_DIR"/bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
From 1b6527b2c8adc7b9581afa09402a90f664e5b2ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 4/5] Prevent unscheduled release publication
The "publish" job has no dependencies on other jobs, so nothing prevents it from being accidentally started before the scheduled publication date. Although publication still requires confirmation via an SSH connection to a dedicated, locked-down runner, performing that action prematurely may have drastic consequences. Therefore, it is worth implementing additional safeguards. Add an extra check to the "publish" job to ensure it can only be run on the scheduled publication day. In exceptional circumstances, this check can be overridden by setting the FORCE_PUBLICATION CI variable to any non-empty value.
(cherry picked from commit ce977f53b923072759a09f389d75de103e70c7e5)
---
 .gitlab-ci.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d107606df7..64303b050e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1842,6 +1842,10 @@ publish-private: publish: <<: *signer_ssh_job + before_script: + - TODAY="$(date +%Y-%m-%d)" + - SCHEDULED_PUBLICATION="$(curl -m 5 -s "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")" + - if [ -z "${FORCE_PUBLICATION}" ] && [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi variables: SSH_SCRIPT_CLIENT: |- ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
From a1402c60911f75bfd3adef2950a962120bbccedc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Wed, 25 Mar 2026 18:09:02 +0100
Subject: [PATCH 5/5] Fix distros token deletion in CI
Clone the BIND 9 QA repository before invoking a script in it.
(cherry picked from commit 2ffae8e52a8dc6134a4364b374651e5abb9c908b)
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)
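Review bot: The added `TODAY="$(date +%Y-%m-%d)"` takes the runner's local time zone, so when that zone differs from the one the date in `metadata.json` is written in, the check can deny or allow publication for several hours around midnight; pin it explicitly, e.g. `TODAY="$(date -u +%Y-%m-%d)"`, assuming the schedule is maintained in UTC (confirm against bind9-qa). The `curl -m 5 -s ... | jq` pipeline fails closed, since an empty or `null` value never equals today's date, but it produces no diagnostic when the fetch itself fails; `curl -fsS -m 5` keeps the quiet success path while surfacing HTTP and transport errors in the job log instead of feeding an error page to jq. Because `FORCE_PUBLICATION` is tested first, an override skips the date check silently, so logging it, e.g. `if [ -n "${FORCE_PUBLICATION}" ]; then echo "FORCE_PUBLICATION set; skipping scheduled-date check"; fi`, leaves an audit trail of who bypassed the safeguard and when. The remaining keys of the `publish` job lie outside this hunk.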
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 64303b050e..04876401df 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1850,6 +1850,7 @@ publish: SSH_SCRIPT_CLIENT: |- ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}" after_script: + - *git_clone_bind9-qa - if [ "${CI_JOB_STATUS}" = "success" ]; then "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py delete; fi artifacts: paths:
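Review bot: The new `- *git_clone_bind9-qa` step is the first command of `after_script`, and the following token-deletion line assumes it succeeded; as far as I know a failing `after_script` command does not change the job status in GitLab, so a failed clone would leave the distros token undeleted while the job still reports success. A visible guard after the new line, e.g. `- test -x "$CI_PROJECT_DIR"/bind9-qa/releng/manage_distros_token.py || echo "WARNING: bind9-qa clone failed; distros token was not deleted"`, would make that case stand out in the job log. The `git_clone_bind9-qa` anchor definition and the rest of the `publish` job are outside this hunk, so whether the clone step itself reports errors cannot be judged here.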