Rework the "sign" job
authorMichał Kępień <michal@isc.org>
Wed, 22 Oct 2025 07:45:29 +0000 (09:45 +0200)
committerAndoni Duarte Pintado <andoni@isc.org>
Mon, 27 Oct 2025 17:34:53 +0000 (18:34 +0100)
Adapt the "sign" job to use the YAML template for SSH-confirmed jobs.
Make the signing process user-agnostic.

(cherry picked from commit 868887ac65657307644e19427a04f6f3560df9ea)

.gitlab-ci.yml

index c680400c04bcadf5265d6b7494439e605ce35161..0645ce948d6bcd363b1511c4b1595c29bf3292cb 100644 (file)
@@ -1620,44 +1620,29 @@ release:
 # Job signing the source tarballs in the release directory
 
 sign:
-  stage: release
-  tags:
-    - signer
-  script:
-    - export RELEASE_DIRECTORY="bind-${CI_COMMIT_TAG}-release"
-    - pushd "${RELEASE_DIRECTORY}"
-    - |
-      echo
-      cat > /tmp/sign-bind9.sh <<EOF
-      #!/bin/sh
-      {
-          for FILE in \$(find "${PWD}" -name "*.tar.xz" | sort); do
-              echo ">>> Signing \${FILE}..."
-              gpg2 --local-user "\${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "\${FILE}.asc" "\${FILE}"
-          done
-      } 2>&1 | tee "${CI_PROJECT_DIR}/signing.log"
-      EOF
-      chmod +x /tmp/sign-bind9.sh
-      echo -e "\e[31m*** Please sign the releases by following the instructions at:\e[0m"
-      echo -e "\e[31m*** \e[0m"
-      echo -e "\e[31m*** ${SIGNING_HELP_URL}\e[0m"
-      echo -e "\e[31m*** \e[0m"
-      echo -e "\e[31m*** Sleeping until files in ${PWD} are signed... ⌛\e[0m"
-      while [ "$(find . -name "*.asc" -size +0 | sed "s|\.asc$||" | sort)" != "$(find . -name "*.tar.xz" | sort)" ]; do sleep 10; done
-    - popd
-    - tar --create --file="${RELEASE_DIRECTORY}.tar.gz" --gzip "${RELEASE_DIRECTORY}"
+  <<: *signer_ssh_job
+  before_script:
+    - export SOURCE_TARBALL="bind-${CI_COMMIT_TAG#v}.tar.xz"
+  variables:
+    RELEASE_DIRECTORY: bind-${CI_COMMIT_TAG}-release
+    SSH_SCRIPT_RUNNER_PRE: |-
+      ( umask 111 && cat "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}" > "/tmp/${CI_COMMIT_TAG}.bin" )
+    SSH_SCRIPT_CLIENT: |-
+      gpg2 --local-user "$${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "/tmp/${CI_COMMIT_TAG}.asc" "/tmp/${CI_COMMIT_TAG}.bin"
+    SSH_SCRIPT_RUNNER_POST: |-
+      cat "/tmp/${CI_COMMIT_TAG}.asc" > "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}.asc"
+      tar --create --file="${RELEASE_DIRECTORY}".tar.gz --gzip "${RELEASE_DIRECTORY}"
+      rm -f "/tmp/${CI_COMMIT_TAG}.bin" "/tmp/${CI_COMMIT_TAG}.asc"
   artifacts:
     paths:
-      - "*.tar.gz"
-      - signing.log
+      - bind-${CI_COMMIT_TAG}-release.tar.gz
+      - sign-${CI_COMMIT_TAG}.log
     expire_in: never
   needs:
     - job: release
       artifacts: true
   rules:
     - *rule_tag
-  when: manual
-  allow_failure: false
 
 # Job creating the release announcement MR in Printing Press
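Review bot: `SSH_SCRIPT_RUNNER_PRE` stages the tarball under `umask 111`, so `/tmp/${CI_COMMIT_TAG}.bin` is created world-writable (0666) at a predictable path, and `SSH_SCRIPT_RUNNER_POST` then copies `/tmp/${CI_COMMIT_TAG}.asc` into the release directory without checking it. If the runner and the signing user are separate accounts on a shared host, any other local account could alter either file between the steps, and the job would still package the result. If the signing user only needs to read the staged copy, `umask 022` is sufficient. POST could also confirm the signature against the original tarball before running `tar`, e.g. `gpg2 --verify "/tmp/${CI_COMMIT_TAG}.asc" "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}"`, assuming the public key is available to the runner account. The removed script waited for a non-empty `.asc`; the `signer_ssh_job` template is defined outside this hunk, so it is not visible here whether it keeps an equivalent check.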