ci: buildkite release pipeline

.buildkite/hooks/pre-command

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+##  This script prepares the secret context
+##
+##  NOTE: *_SECRET or *_TOKEN env variables are masked, hence if you'd like to avoid any
+##        surprises please use the suffix _SECRET or _TOKEN for those values that contain
+##        any sensitive data. Buildkite can mask those values automatically
+
+set -eo pipefail
+
+# To help with testing the GPG signing
+BUILDKITE_TOKEN_SECRET=$(vault kv get -field=buildkite_token kv/ci-shared/observability-ci/buildkite-read-build-access)
+export BUILDKITE_TOKEN_SECRET
+
+# If not Git tag release then DRY_RUN=true
+DRY_RUN=true
+if [ -n "${BUILDKITE_TAG}" ] ; then
+  DRY_RUN=false
+fi
+export DRY_RUN
+
+# Upload should only allow configuring the Buildkite Token ih the pre-command.
+if [[ "$BUILDKITE_COMMAND" =~ .*"upload".* ]]; then
+  echo "Skipped pre-command when running the Upload pipeline"
+  # NOTE: exit 0 with the pre-command does not work!
+else
+  echo "~~~ Configure ephemeral GitHub token"
+  GITHUB_TOKEN=$VAULT_GITHUB_TOKEN
+  GH_TOKEN=$VAULT_GITHUB_TOKEN
+  export GH_TOKEN GITHUB_TOKEN
+  set +x
+  set +e
+  echo "~~~ Install nvm"
+  touch ~/.zshrc  # See https://github.com/nvm-sh/nvm?tab=readme-ov-file#troubleshooting-on-macos
+  curl -o- https://github.com/raw/nvm-sh/nvm/v0.39.7/install.sh | bash
+fi

.buildkite/release.yml

@@ -2,40 +2,70 @@
 # $yaml-language-server: $schema=https://github.com/raw/buildkite/pipeline-schema/main/schema.json
 steps:
   - label: "Package :package:"
-    command: "true"
+    command: ".buildkite/scripts/package.sh"
     agents:
       provider: orka
       imagePrefix: generic-13-ventura-x64
 
   - wait: ~
 
-  - label: "Sign linux :linux:"
-    command: "true"
+  - label: GPG Sign artifacts
+    trigger: unified-release-gpg-signing
+    # NOTE: If you change 'key: gpg-sign-service' then change the bellow call for .buildkite/scripts/download-signed-artifacts.sh
+    key: gpg-sign-service
+    build:
+      env:
+        INPUT_PATH: buildkite://
 
-  - label: "Sign macos :mac:"
-    command: "true"
+  - label: MacOS Sign artifacts
+    trigger: unified-release-macos-signing
+    # NOTE: If you change 'key: macos-sign-service' then change the bellow call for .buildkite/scripts/download-signed-artifacts.sh
+    key: macos-sign-service
+    build:
+      env:
+        INPUT_PATH: buildkite://
 
-  - label: "Sign windows :windows:"
-    command: "true"
+  - label: Windows Sign artifacts
+    trigger: unified-release-windows-signing
+    # NOTE: If you change 'key: windows-sign-service' then change the bellow call for .buildkite/scripts/download-signed-artifacts.sh
+    key: windows-sign-service
+    build:
+      env:
+        DOWNLOAD_ARTIFACTS_FILTER: "*.exe"
+        INPUT_PATH: buildkite://
+
+  - wait: ~
+
+  - label: Download signed artifacts
+    commands:
+      - .buildkite/scripts/download-signed-artifacts.sh "gpg-sign-service" "gpg"
+      - .buildkite/scripts/download-signed-artifacts.sh "macos-sign-service" "macos"
+      - .buildkite/scripts/download-signed-artifacts.sh "windows-sign-service" "windows"
+      - .buildkite/scripts/download-signed-artifacts.sh "gpg-sign-service" "gpg" | buildkite-agent pipeline upload
+      - .buildkite/scripts/download-signed-artifacts.sh "macos-sign-service" "macos" | buildkite-agent pipeline upload
+      - .buildkite/scripts/download-signed-artifacts.sh "windows-sign-service" "windows" | buildkite-agent pipeline upload
 
   - wait: ~
 
   - label: "Publish S3 Artifacts :s3:"
-    command: "true"
+    trigger: unified-release-publish-s3-artifacts
+    key: publish-s3-service
+    build:
+      env:
+        DESTINATION_PATH: "s3://download.elasticsearch.org/synthetics-recorder/"
+        DRY_RUN: ${DRY_RUN}
 
   - wait: ~
 
   - label: "Publish GitHub Release :github:"
-    command: "true"
+    commands:
+      - .buildkite/scripts/create-github-release.sh
+    depends_on:
+      - "gpg"
+      - "macos"
+      - "windows"
 
+# Figure out how to notify releases (maybe subscribe the slack channel to the GitHub releases?)
 notify:
-  - slack: "#observablt-bots"
+  - slack: "#on-week-oblt-productivity"
     if: 'build.state != "passed"'
-
-# Review the message format for noting when it failed or not.
-notify:
-  - slack:
-      channels:
-        - "#on-week-oblt-productivity"
-      message: |
-        Release done.

.buildkite/scripts/create-github-release.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Download the signed artifacts and run the GitHub release using the GH cli
+#
+# Required environment variables:
+#  - BUILDKITE_TAG
+#
+set -eox pipefail
+
+DIST_LOCATION=artifacts-to-upload
+
+echo "--- Download signed artifacts"
+mkdir -p "$DIST_LOCATION"
+buildkite-agent artifact download --step gpg "*.*" "$DIST_LOCATION"/
+buildkite-agent artifact download --step macos "*.*" "$DIST_LOCATION"/
+buildkite-agent artifact download --step windows "*.*" "$DIST_LOCATION"/
+ls -l "$DIST_LOCATION"/
+
+echo "--- Install gh :github:"
+if ! gh --version &>/dev/null ; then
+  wget -q https://github.com/cli/cli/releases/download/v2.50.0/gh_2.50.0_linux_amd64.tar.gz -O gh.tar.gz
+  tar -xpf gh.tar.gz --strip-components=2
+  PATH="$(pwd):${PATH}"
+  export PATH
+  gh --version
+fi
+
+echo "--- Run GitHub release"
+if [ -n "${BUILDKITE_TAG}" ] ; then
+  gh release \
+    create \
+    "${BUILDKITE_TAG}" \
+    --draft \
+    --title "${BUILDKITE_TAG}" \
+    --repo elastic/synthetics-recorder \
+    "${DIST_LOCATION}/*.*"
+else
+  echo "gh release won't be triggered this is not a Git tag release"
+fi

.buildkite/scripts/download-signed-artifacts.sh

@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+#
+# Create a dynamic buildkite step with the artifacts to be downloaded
+#
+# Required environment variables:
+#  - BUILDKITE_TOKEN_SECRET
+#
+
+STEP=$1
+DOWNLOAD_STEP_NAME=$2
+
+## Support main pipeline and downstream pipelines
+if [ -n "$BUILDKITE_TRIGGERED_FROM_BUILD_PIPELINE_SLUG" ] ; then
+  BUILDKITE_PIPELINE_SLUG=$BUILDKITE_TRIGGERED_FROM_BUILD_PIPELINE_SLUG
+  BUILDKITE_BUILD_NUMBER=$BUILDKITE_TRIGGERED_FROM_BUILD_NUMBER
+fi
+
+## Fail if no token
+if [ -z "$BUILDKITE_TOKEN_SECRET" ] ; then
+  echo "Token could not be loaded from vault. Please review .buildkite/hooks/pre-command"
+  exit 1
+fi
+
+BUILDS_URL="https://api.buildkite.com/v2/organizations/elastic/pipelines/$BUILDKITE_PIPELINE_SLUG/builds"
+build_json=$(curl -sH "Authorization: Bearer $BUILDKITE_TOKEN_SECRET" "$BUILDS_URL/$BUILDKITE_BUILD_NUMBER")
+# sign-service is the pipeline step in .buildkite/release.yml
+SIGN_BUILD_ID=$(jq -r ".jobs[] | select(.step_key == \"$STEP\").triggered_build.id" <<< "$build_json")
+
+## Fail if no build id
+if [ -z "$SIGN_BUILD_ID" ] ; then
+  echo "Sign build id could not be found. Please review $BUILDS_URL/$BUILDKITE_BUILD_NUMBER and the below json output:"
+  echo "$build_json"
+  curl -sH "Authorization: Bearer $BUILDKITE_TOKEN_SECRET" "$BUILDS_URL"
+  exit 1
+fi
+
+cat << EOF
+  - label: ":pipeline: Download signed artifacts"
+    key: "$DOWNLOAD_STEP_NAME"
+    commands:
+      - mkdir -p signed-artifacts
+      - buildkite-agent artifact download --build "$SIGN_BUILD_ID" "*.*" signed-artifacts/
+      - cd signed-artifacts
+      - ls -ltra *.*
+      - buildkite-agent artifact upload "*.*"
+    agents:
+      image: docker.elastic.co/ci-agent-images/ubuntu-build-essential
+EOF

.buildkite/scripts/package.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -exo pipefail
+
+echo "~~~ Load nvm"
+if [ -n "$BUILDKITE" ] ; then
+  set +xe
+  # Need to figure out what's the reason NVM is not explictly loaded
+  source "$HOME/.zshrc"
+fi
+
+echo "--- Install node and gather dependencies"
+nvm install "$(cat .nvmrc)"
+npm ci
+
+echo "--- run release-ci"
+# Disable signing
+# see https://www.electron.build/code-signing#how-to-disable-code-signing-during-the-build-process-on-macos
+export CSC_IDENTITY_AUTO_DISCOVERY=false
+# Disable notarize, see scripts/notarize.js
+export SKIP_NOTARIZATION=true
+npm run release-ci
+
+# Store unsigned artifacts
+if [ -n "$BUILDKITE" ] ; then
+    echo "--- Upload artifacts"
+    mv dist artifacts-to-sign
+    # (only *nix)
+    buildkite-agent artifact upload "artifacts-to-sign/*.deb;artifacts-to-sign/*.dmg;artifacts-to-sign/*.zip"
+
+    # (only windows)
+    buildkite-agent artifact upload "artifacts-to-sign/*.exe"
+
+    # (only mac)
+    buildkite-agent artifact upload "artifacts-to-sign/*.dmg"
+fi

RELEASE.md

@@ -41,7 +41,7 @@ npm test
 ```
 
 This will start the release process. Wait for an email/slack to confirm the
-release is done. You can track the progress of the release job in [Jenkins](https://internal-ci.elastic.co/job/elastic+synthetics-recorder+release/view/tags/).
+release is done. You can track the progress of the release job in [Buildkite](https://buildkite.com/elastic/synthetics-recorder-release/).
 
 ### Criteria for publishing
 

catalog-info.yaml

@@ -26,7 +26,10 @@ spec:
       cancel_intermediate_builds: false
       skip_intermediate_builds: false
       provider_settings:
-        trigger_mode: none
+        build_branches: false
+        build_tags: true
+        filter_condition: 'build.tag =~ /^v[0-9.]+$/'
+        filter_enabled: true
       teams:
         observablt-robots:
           access_level: MANAGE_BUILD_AND_READ