📂 update Red Hat specific files

securesign · Aug 28, 2023 · f9d7fd7 · f9d7fd7
1 parent 126474c
commit f9d7fd7
Show file tree

Hide file tree

Showing 3 changed files with 124 additions and 0 deletions.
diff --git a/OWNERS b/OWNERS
@@ -0,0 +1,11 @@
+# The OWNERS file is used by prow to automatically merge approved PRs.
+
+approvers:
+- lance
+- cooktheryan
+- lkatalin
+- sallom
+
+reviewers:
+- JasonPowr
+- tommyd450
diff --git a/redhat/overlays/cosign/Dockerfile b/redhat/overlays/cosign/Dockerfile
@@ -0,0 +1,19 @@
+#Build stage
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env
+WORKDIR /cosign
+COPY . .
+RUN make cosign
+
+#Install Cosign 
+FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+COPY --from=build-env /cosign/cosign /usr/local/bin/cosign
+RUN chown root:0 /usr/local/bin/cosign && chmod g+wx /usr/local/bin/cosign
+
+#Configure home directory
+ENV HOME=/home
+RUN chgrp -R 0 /${HOME} && chmod -R g=u /${HOME}
+
+WORKDIR ${HOME}
+
+# Makes sure the container stays running
+CMD ["tail", "-f", "/dev/null"]
diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The local git repo must have a remote "upstream" pointing
+# to upstream sigstore/cosign, and a remote "origin"
+# pointing to securesign/cosign
+
+# Synchs the release-next branch to either the upstream `main` branch
+# or a provided git-ref (typically an upstream release tag) and then triggers CI.
+#
+# NOTE: This requires a corresponding midstream branch to exist in the securesign fork
+#       with the same name as the upstream branch/ref, but prefixed with "midstream-".
+#
+# Usage: update-to-head.sh [<git-ref>]
+
+if [ "$#" -ne 1 ]; then
+    upstream_ref="main"
+    midstream_ref="main"
+    redhat_ref="release-next"
+else
+    upstream_ref=$1
+    midstream_ref="midstream-${upstream_ref}" # The overlays and patches for the given version
+    redhat_ref="redhat-${upstream_ref}" # The midstream repo with overlays and patches applied
+fi
+
+echo "Synchronizing ${redhat_ref} to upstream/${upstream_ref}..."
+
+set -e
+REPO_NAME=$(basename $(git rev-parse --show-toplevel))
+
+# Custom files
+custom_files=$(cat <<EOT | tr '\n' ' '
+redhat
+OWNERS
+EOT
+)
+redhat_files_msg=":open_file_folder: update Red Hat specific files"
+robot_trigger_msg=":robot: triggering CI on branch '${redhat_ref}' after synching from upstream/${upstream_ref}"
+
+# Reset release-next to upstream main or <git-ref>.
+git fetch upstream $upstream_ref
+if [[ "$upstream_ref" == "main" ]]; then
+  git checkout upstream/main -B ${redhat_ref}
+else
+  git checkout $upstream_ref -B ${redhat_ref}
+fi
+
+# Update redhat's main and take all needed files from there.
+git fetch origin $midstream_ref
+git checkout origin/$midstream_ref $custom_files
+
+# Apply midstream patches
+if [[ -d redhat/patches ]]; then
+  git apply redhat/patches/*
+fi
+
+git add . # Adds applied patches
+git add $custom_files # Adds custom files
+git commit -m "${redhat_files_msg}"
+
+# Push the release-next branch
+git push -f origin "${redhat_ref}"
+
+# Trigger CI
+# TODO: Set up openshift or github CI to run on release-next-ci
+git checkout "${redhat_ref}" -B "${redhat_ref}"-ci
+date > ci
+git add ci
+git commit -m "${robot_trigger_msg}"
+git push -f origin "${redhat_ref}-ci"
+
+if hash hub 2>/dev/null; then
+   # Test if there is already a sync PR in
+   COUNT=$(hub api -H "Accept: application/vnd.github.v3+json" repos/securesign/${REPO_NAME}/pulls --flat \
+    | grep -c "${robot_trigger_msg}") || true
+   if [ "$COUNT" = "0" ]; then
+      hub pull-request --no-edit -l "kind/sync-fork-to-upstream" -b securesign/${REPO_NAME}:${redhat_ref} -h securesign/${REPO_NAME}:${redhat_ref}-ci -m "${robot_trigger_msg}"
+   fi
+else
+   echo "hub (https://github.com/github/hub) is not installed, so you'll need to create a PR manually."
+fi