From: Michał Kępień Date: Wed, 22 Oct 2025 07:45:29 +0000 (+0200) Subject: Rework the "sign" job X-Git-Tag: v9.21.15~33^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=868887ac65657307644e19427a04f6f3560df9ea;p=thirdparty%2Fbind9.git Rework the "sign" job Adapt the "sign" job to use the YAML template for SSH-confirmed jobs. Make the signing process user-agnostic.
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 710b86cac5f..123b4d1f0bb 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1667,44 +1667,29 @@ release: # Job signing the source tarballs in the release directory sign: - stage: release - tags: - - signer - script: - - export RELEASE_DIRECTORY="bind-${CI_COMMIT_TAG}-release" - - pushd "${RELEASE_DIRECTORY}" - - | - echo - cat > /tmp/sign-bind9.sh <>> Signing \${FILE}..." - gpg2 --local-user "\${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "\${FILE}.asc" "\${FILE}" - done - } 2>&1 | tee "${CI_PROJECT_DIR}/signing.log" - EOF - chmod +x /tmp/sign-bind9.sh - echo -e "\e[31m*** Please sign the releases by following the instructions at:\e[0m" - echo -e "\e[31m*** \e[0m" - echo -e "\e[31m*** ${SIGNING_HELP_URL}\e[0m" - echo -e "\e[31m*** \e[0m" - echo -e "\e[31m*** Sleeping until files in ${PWD} are signed... ⌛\e[0m" - while [ "$(find . -name "*.asc" -size +0 | sed "s|\.asc$||" | sort)" != "$(find . -name "*.tar.xz" | sort)" ]; do sleep 10; done - - popd - - tar --create --file="${RELEASE_DIRECTORY}.tar.gz" --gzip "${RELEASE_DIRECTORY}" + <<: *signer_ssh_job + before_script: + - export SOURCE_TARBALL="bind-${CI_COMMIT_TAG#v}.tar.xz" + variables: + RELEASE_DIRECTORY: bind-${CI_COMMIT_TAG}-release + SSH_SCRIPT_RUNNER_PRE: |- + ( umask 111 && cat "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}" > "/tmp/${CI_COMMIT_TAG}.bin" ) + SSH_SCRIPT_CLIENT: |- + gpg2 --local-user "$${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "/tmp/${CI_COMMIT_TAG}.asc" "/tmp/${CI_COMMIT_TAG}.bin" + SSH_SCRIPT_RUNNER_POST: |- + cat "/tmp/${CI_COMMIT_TAG}.asc" > "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}.asc" + tar --create --file="${RELEASE_DIRECTORY}".tar.gz --gzip "${RELEASE_DIRECTORY}" + rm -f "/tmp/${CI_COMMIT_TAG}.bin" "/tmp/${CI_COMMIT_TAG}.asc" artifacts: paths: - - "*.tar.gz" - - signing.log + - bind-${CI_COMMIT_TAG}-release.tar.gz + - sign-${CI_COMMIT_TAG}.log expire_in: never needs: - job: release artifacts: true rules: - *rule_tag - when: manual - allow_failure: false # Job creating the release 
announcement MR in Printing Press
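Review bot: The staging file written by `SSH_SCRIPT_RUNNER_PRE` is created under `umask 111`, i.e. mode 0666, at the predictable path `/tmp/${CI_COMMIT_TAG}.bin`, so any local account on that host could rewrite its bytes before `gpg2 --detach-sign` in `SSH_SCRIPT_CLIENT` reads them, and the release key would then sign content that is not the tarball. If the signing account only needs to read the file, a less permissive mask such as `umask 022` should be enough; the `signer_ssh_job` template is outside this hunk, so which account runs each script is inferred from the variable names. Independently of the mode, `SSH_SCRIPT_RUNNER_POST` copies the `.asc` into the release directory without checking it. Adding `gpg2 --verify "/tmp/${CI_COMMIT_TAG}.asc" "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}"` before the `tar` line would fail the job when the signature does not cover the original tarball, assuming the public key is available on the runner.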