author | Scott Wittenburg <scott.wittenburg@kitware.com> | 2022-05-26 08:31:22 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-05-26 08:31:22 -0600 |
commit | 85e13260cf2fc969daaf9bf6589b5a07255e074f (patch) | |
tree | 0895782445393065e0d77a6cd8c261da3193f3f9 /.gitattributes | |
parent | b5a519fa51cbdb38f5609c0c66ba7283d1888540 (diff) | |
ci: Support secure binary signing on protected pipelines (#30753)

This PR supports the creation of securely signed binaries built from spack
develop as well as release branches and tags. Specifically:
- remove internal pr mirror url generation logic in favor of buildcache destination
on command line
- with a single mirror url specified in the spack.yaml, this makes it clearer where
binaries from various pipelines are pushed
- designate some tags as reserved: ['public', 'protected', 'notary']
- these tags are stripped from all jobs by default and provisioned internally
based on pipeline type
- update gitlab ci yaml to include pipelines on more protected branches than just
develop (so include releases and tags)
- binaries from all protected pipelines are pushed into mirrors including the
branch name so releases, tags, and develop binaries are kept separate
- update rebuild jobs running on protected pipelines to run on special runners
provisioned with an intermediate signing key
- protected rebuild jobs no longer use "SPACK_SIGNING_KEY" env var to
obtain signing key (in fact, final signing key is nowhere available to rebuild jobs)
- these intermediate signatures are verified at the end of each pipeline by a new
signing job to ensure binaries were produced by a protected pipeline
- optionally schedule a signing/notary job at the end of the pipeline to sign all
packages in the mirror
- add signing-job-attributes to gitlab-ci section of spack environment to allow
configuration
- signing job runs on special runner (separate from protected rebuild runners)
provisioned with public intermediate key and secret signing key
Diffstat (limited to '.gitattributes')
0 files changed, 0 insertions, 0 deletions