git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Prevent unscheduled release publication
author Michał Kępień <michal@isc.org>
Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)
committer Michał Kępień <michal@isc.org>
Wed, 25 Mar 2026 17:09:02 +0000 (18:09 +0100)
The "publish" job has no dependencies on other jobs, so nothing prevents
it from being accidentally started before the scheduled publication
date.  Although publication still requires confirmation via an SSH
connection to a dedicated, locked-down runner, performing that action
prematurely may have drastic consequences.  Therefore, it is worth
implementing additional safeguards.

Add an extra check to the "publish" job to ensure it can only be run on
the scheduled publication day.  In exceptional circumstances, this check
can be overridden by setting the FORCE_PUBLICATION CI variable to any
non-empty value.

.gitlab-ci.yml

index 3262946e4e3e5a4bf923ab6ac805f05d11f913e7..f2e6d52061add58f602cc89f073c989f52e6cddc 100644 (file)
@@ -1947,6 +1947,10 @@ publish-private:
 
 publish:
   <<: *signer_ssh_job
+  before_script:
+    - TODAY="$(date +%Y-%m-%d)"
+    - SCHEDULED_PUBLICATION="$(curl -m 5 -s "https://gitlab.isc.org/isc-projects/bind9-qa/-/raw/main/releng/metadata.json" | jq -r ".schedule.public")"
+    - if [ -z "${FORCE_PUBLICATION}" ] && [ "${TODAY}" != "${SCHEDULED_PUBLICATION}" ]; then echo "Unscheduled publication denied; publication is scheduled for ${SCHEDULED_PUBLICATION}"; exit 1; fi
   variables:
     SSH_SCRIPT_CLIENT: |-
       ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
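Review bot: the `SCHEDULED_PUBLICATION=` line in the new `before_script` cannot tell a failed metadata fetch apart from a genuine date mismatch: a `curl` timeout, an HTTP error page, or a `metadata.json` without a `.schedule.public` key leaves the variable empty or set to `null`, and the following `if` line then denies publication with the message `publication is scheduled for ` followed by nothing (or by `null`). The job fails closed, which is the right default, but the operator is pointed at the wrong cause and may reach for `FORCE_PUBLICATION` when the real problem is the signer runner's network access to gitlab.isc.org. Suggest passing `-f` to `curl` so HTTP errors are reported as such, and adding an explicit guard before the comparison, for example `- if [ -z "${SCHEDULED_PUBLICATION}" ] || [ "${SCHEDULED_PUBLICATION}" = "null" ]; then echo "Could not determine scheduled publication date"; exit 1; fi`. Two smaller points on the same lines: `TODAY="$(date +%Y-%m-%d)"` uses the runner's local timezone, so close to midnight the comparison against the calendar date in `metadata.json` may not match what the release team expects; `date -u` (or whichever zone the schedule is expressed in) makes it deterministic. And since `FORCE_PUBLICATION` bypasses the check with any non-empty value, echoing a line to the job log when the override is in effect would leave an audit trail for off-schedule publications.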