Add the "publish-private" job

Add a new SSH-confirmed GitLab CI job that publishes a previously staged
release to a destination that is not a well-known URL.  The details of
what specifically this entails are controlled by the staging
environment.

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d67e8da3c7853c6ba4e67392e15719c8d6cda316..2db0c47ab0580b584a50dc72fa64469198a3d49a 100644 (file)
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1714,6 +1714,26 @@ staging:
   rules:
     - if: '$CI_COMMIT_TAG != null'
 
+# Job copying a staged release to a secret location
+
+publish-private:
+  <<: *signer_ssh_job
+  variables:
+    SSH_SCRIPT_CLIENT: |-
+      ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish-private ${CI_COMMIT_TAG}"
+    SSH_SCRIPT_RUNNER_POST: |-
+      awk '/^Public Use URL:/ {print $$NF}' "/tmp/${CI_JOB_NAME}.log" > "url-${CI_COMMIT_TAG}.txt"
+  artifacts:
+    paths:
+      - publish-private-${CI_COMMIT_TAG}.log
+      - url-${CI_COMMIT_TAG}.txt
+    expire_in: "1 month"
+  needs:
+    - job: staging
+      artifacts: false
+  rules:
+    - if: '$CI_COMMIT_TAG != null && ($CI_COMMIT_TAG =~ /-S/ || $RELEASE_TYPE == "security")'
+
 # Job creating the release announcement MR in Printing Press
 
 prepare-release-announcement: