summaryrefslogtreecommitdiff
path: root/.gitattributes
diff options
context:
space:
mode:
authorScott Wittenburg <scott.wittenburg@kitware.com>2022-05-26 08:31:22 -0600
committerGitHub <noreply@github.com>2022-05-26 08:31:22 -0600
commit85e13260cf2fc969daaf9bf6589b5a07255e074f (patch)
tree0895782445393065e0d77a6cd8c261da3193f3f9 /.gitattributes
parentb5a519fa51cbdb38f5609c0c66ba7283d1888540 (diff)
downloadspack-85e13260cf2fc969daaf9bf6589b5a07255e074f.tar.gz
spack-85e13260cf2fc969daaf9bf6589b5a07255e074f.tar.bz2
spack-85e13260cf2fc969daaf9bf6589b5a07255e074f.tar.xz
spack-85e13260cf2fc969daaf9bf6589b5a07255e074f.zip
ci: Support secure binary signing on protected pipelines (#30753)
This PR supports the creation of securely signed binaries built from spack develop as well as release branches and tags. Specifically: - remove internal pr mirror url generation logic in favor of buildcache destination on command line - with a single mirror url specified in the spack.yaml, this makes it clearer where binaries from various pipelines are pushed - designate some tags as reserved: ['public', 'protected', 'notary'] - these tags are stripped from all jobs by default and provisioned internally based on pipeline type - update gitlab ci yaml to include pipelines on more protected branches than just develop (so include releases and tags) - binaries from all protected pipelines are pushed into mirrors including the branch name so releases, tags, and develop binaries are kept separate - update rebuild jobs running on protected pipelines to run on special runners provisioned with an intermediate signing key - protected rebuild jobs no longer use "SPACK_SIGNING_KEY" env var to obtain signing key (in fact, final signing key is nowhere available to rebuild jobs) - these intermediate signatures are verified at the end of each pipeline by a new signing job to ensure binaries were produced by a protected pipeline - optionallly schedule a signing/notary job at the end of the pipeline to sign all packges in the mirror - add signing-job-attributes to gitlab-ci section of spack environment to allow configuration - signing job runs on special runner (separate from protected rebuild runners) provisioned with public intermediate key and secret signing key
Diffstat (limited to '.gitattributes')
0 files changed, 0 insertions, 0 deletions