From af17ba1f8e44c275557c3bcb123867bdb170bb5a Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 9 Oct 2024 07:53:29 +0200 Subject: [PATCH 01/10] feat: add slack hook and certificate handling --- Dockerfile | 14 ++++++++++---- README.md | 18 +++++++++++++----- docker-entrypoint.d/add_ca_certificate.sh | 23 +++++++++++++++++++++++ docker-entrypoint.sh | 11 +++++++++++ package.json | 1 + 5 files changed, 58 insertions(+), 9 deletions(-) create mode 100644 docker-entrypoint.d/add_ca_certificate.sh create mode 100644 docker-entrypoint.sh diff --git a/Dockerfile b/Dockerfile index af79e18..76f88f4 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,17 +18,23 @@ LABEL org.label-schema.maintainer="Voxpupuli Team " \ org.label-schema.schema-version="1.0" \ org.label-schema.dockerfile="/Dockerfile" -RUN apk update && apk upgrade \ - && apk add --no-cache --update git git-lfs openssh-client bash - COPY Dockerfile / +COPY docker-entrypoint.sh / +COPY docker-entrypoint.d /docker-entrypoint.d COPY --from=build /npm /npm +RUN apk update && apk upgrade \ + && apk add --no-cache --update git git-lfs openssh-client bash jq \ + && chmod +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh + # fix ENOGITREPO Not running from a git repository. RUN git config --global --add safe.directory '*' WORKDIR /data +ENV CERT_JSON="" ENV PATH="$PATH:/npm/node_modules/.bin" -ENTRYPOINT [ "semantic-release" ] +ENV NODE_OPTIONS="--use-openssl-ca" + +ENTRYPOINT [ "/docker-entrypoint.sh" ] CMD [ "--dry-run" ] diff --git a/README.md b/README.md index fb1c311..67c28f9 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,9 @@ plugins: assets: - 'CHANGELOG.md' + - path: '@intuit/semantic-release-slack' + fullReleaseNotes: true + verifyConditions: - '@semantic-release/changelog' - '@semantic-release/git' 
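Review bot: `apk update && apk upgrade` ahead of `apk add --no-cache --update` is redundant and non-reproducible: `--no-cache` already fetches a fresh index, so the standalone `apk update` only leaves index files in the layer, and `apk upgrade` ties the image content to the build date instead of the base-image tag; the added packages (`bash`, `git`, `git-lfs`, `jq`, `openssh-client`) are unpinned. Prefer bumping the base image and a single `RUN apk add --no-cache bash git git-lfs jq openssh-client`, pinning `pkg=version` where the Alpine repository keeps those versions available. The `chmod +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh` re-copies both files into this layer; with BuildKit, `COPY --chmod=755 docker-entrypoint.sh /` (and the same for the directory) does it at copy time. No `USER` instruction is visible in the hunk, so the entrypoint and every script under /docker-entrypoint.d run as root — add_ca_certificate.sh needs that for `update-ca-certificates`, which is worth stating in a comment above `ENTRYPOINT` so a later hardening pass does not silently break the certificate import.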
@@ -117,16 +120,21 @@ It requires, that you have: ```yaml --- release: - stage: release + stage: Release🚀 image: name: ghcr.io/voxpupuli/semantic-release:latest entrypoint: [""] # overwrite entrypoint - gitlab-ci quirk + pull_policy: + - always + - if-not-present + interruptible: true script: + - 'for f in /docker-entrypoint.d/*.sh; do echo "INFO: Running ${f}";"${f}";done' - semantic-release - only: - - master - - main - - production + rules: + - if: $CI_COMMIT_BRANCH == "master" + - if: $CI_COMMIT_BRANCH == "main" + - if: $CI_COMMIT_BRANCH == "production" ``` ### Running as local user diff --git a/docker-entrypoint.d/add_ca_certificate.sh b/docker-entrypoint.d/add_ca_certificate.sh new file mode 100644 index 0000000..b590d29 --- /dev/null +++ b/docker-entrypoint.d/add_ca_certificate.sh @@ -0,0 +1,23 @@ +#!/bin/bash + +set -e + +# +# @summary If you somehow need own certificates inside the container. +# +# @example +# you want to run the slack webhook on a target with an internal ca certificate. +# export the CERT_JSON on container run and it should be imported with this script. +# it is expected that the certificate is a json hash of PEM certificates. +# +# {"certificates":{"root_ca":"-----BEGIN CERTIFICATE-----\n...","signing_ca":"-----BEGIN CERTIFICATE-----\n..."}} +# +if [ -n "${CERT_JSON}" ]; then + for key in $(echo "${CERT_JSON}" | jq -r '.certificates | keys[]'); do + cert=$(echo "${CERT_JSON}" | jq -r ".certificates[\"$key\"]") + printf "%s" "${cert}" > /usr/local/share/ca-certificates/${HOSTNAME}-${key}.pem + echo "INFO: imported ${key}" + done + + update-ca-certificates +fi diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100644 index 0000000..9313290 --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# bash is required to pass ENV vars with dots as sh cannot do this + +set -e + +for f in /docker-entrypoint.d/*.sh; do + echo "INFO: Running $f" + "$f" +done + +exec /npm/node_modules/.bin/semantic-release "$@" 
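Review bot: The loop writes each certificate to `/usr/local/share/ca-certificates/${HOSTNAME}-${key}.pem` with the key taken straight from the JSON and the redirection target unquoted, so a key containing `/`, `..` or whitespace lands outside the intended directory or splits into several words; the `for key in $(… keys[])` form has the same word-splitting problem. Validate the key before using it as a file name, e.g. `case "${key}" in *[!A-Za-z0-9._-]*|'') echo "ERROR: invalid certificate key ${key}" >&2; exit 1;; esac`, and quote the target: `printf "%s" "${cert}" > "/usr/local/share/ca-certificates/${HOSTNAME}-${key}.pem"`. Two things I cannot confirm from the hunk: whether the image's (Alpine) `update-ca-certificates` picks up `.pem` files — Debian's only reads `*.crt` from that directory — and whether `/usr/local/share/ca-certificates` exists in the base image; a `mkdir -p` on the directory and writing `.crt` would remove both doubts. With `set -e` on, an empty-object or non-JSON `CERT_JSON` makes `jq` fail and aborts the entrypoint before semantic-release starts, which is reasonable for a misconfiguration but deserves a comment.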
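Review bot: `for f in /docker-entrypoint.d/*.sh` executes the literal string `/docker-entrypoint.d/*.sh` when the directory contains no matching file, and because `set -e` is active that failed execution aborts the entrypoint before `exec … semantic-release` — any image variant that trims the directory stops working. Add `shopt -s nullglob` before the loop or `[ -f "$f" ] || continue` as the first statement of the body. The README in this same patch tells GitLab users to run the identical loop from `script:` because they override the entrypoint; a comment here that the two must stay in sync would help the next editor.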
diff --git a/package.json b/package.json index 9b241a4..b26dfaa 100644 --- a/package.json +++ b/package.json @@ -16,6 +16,7 @@ "semantic-release-major-tag": "^0.3.2", "semantic-release-pypi": "^3.0.2", "semantic-release-replace-plugin": "^1.2.7", + "@intuit/semantic-release-slack": "1.0.11", "semantic-release": "^24.1.1" } } From 7351aec3665c65758ff9c9f3f889687d425a8c95 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Tue, 15 Oct 2024 15:58:55 +0200 Subject: [PATCH 02/10] feat: add rocketchat hook script --- Dockerfile | 9 +++++++- README.md | 39 ++++++++++++++++++++++++++++++++ package.json | 1 - scripts/notify-rocketchat.sh | 43 ++++++++++++++++++++++++++++++++++++ 4 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 scripts/notify-rocketchat.sh diff --git a/Dockerfile b/Dockerfile index 76f88f4..a7decee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,10 +21,11 @@ LABEL org.label-schema.maintainer="Voxpupuli Team " \ COPY Dockerfile / COPY docker-entrypoint.sh / COPY docker-entrypoint.d /docker-entrypoint.d +COPY scripts /scripts COPY --from=build /npm /npm RUN apk update && apk upgrade \ - && apk add --no-cache --update git git-lfs openssh-client bash jq \ + && apk add --no-cache --update git git-lfs openssh-client bash jq curl \ && chmod +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh # fix ENOGITREPO Not running from a git repository. @@ -36,5 +37,11 @@ ENV CERT_JSON="" ENV PATH="$PATH:/npm/node_modules/.bin" ENV NODE_OPTIONS="--use-openssl-ca" +# The CI_* are empty, because docker does not know about them on build time. +ENV ROCKETCHAT_EMOJI=":tada:" +ENV ROCKETCHAT_MESSAGE_TEXT="A new tag for the project ${CI_PROJECT_NAME} was created by ${CI_COMMIT_AUTHOR}." +ENV ROCKETCHAT_HOOK_URL="https://rocketchat.example.com/hooks/here_be_dragons" +ENV ROCKETCHAT_TAG_URL="${CI_PROJECT_URL}/-/tags" + ENTRYPOINT [ "/docker-entrypoint.sh" ] CMD [ "--dry-run" ] diff --git a/README.md b/README.md index 67c28f9..02d24d4 100644 --- a/README.md 
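Review bot: The baked-in default `ENV ROCKETCHAT_HOOK_URL="https://rocketchat.example.com/hooks/here_be_dragons"` in the second hunk defeats the `-n` guard in scripts/notify-rocketchat.sh: a job that does not override the variable still POSTs the release payload, to a host outside the operator's control. Make the default empty, `ENV ROCKETCHAT_HOOK_URL=""`, so the script only sends when a real webhook was configured. `${CI_PROJECT_NAME}`, `${CI_COMMIT_AUTHOR}` and `${CI_PROJECT_URL}` in the other two ENV lines expand at build time — to empty strings, as the comment above them says — so the stored defaults are literally `A new tag for the project  was created by .` and `/-/tags` rather than templates; either leave those empty as well or let the script compute its defaults at run time, where the CI_* variables exist. `curl` is added unpinned in the first hunk, same remark as for the earlier `apk add` line.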
+++ b/README.md @@ -153,3 +153,42 @@ docker run -it --rm \ -v $PWD:/data \ ghcr.io/voxpupuli/semantic-release:latest ``` + +### Notifing RocketChat + +There is a helper script in the container, which can send some data over curl to RocketChat. + +#### .releaserc.yaml + +```yaml +--- +# ... +plugins: +# ... + - path: '@semantic-release/exec' + publishCmd: "/scripts/notify-rocketchat.sh v${nextRelease.version} '--insecure' 'debug'" +# ... + +``` + + +#### .gitlab-ci.yml + +```yaml +--- +release: +# ... + variables: + ROCKETCHAT_NOTIFY_TOKEN: "Some hidden CI Variable to not expose the token" + ROCKETCHAT_EMOJI: ":tada:" + ROCKETCHAT_MESSAGE_TEXT: "A new tag for the project $CI_PROJECT_NAME was created by $GITLAB_USER_NAME" + ROCKETCHAT_HOOK_URL: "https://rocketchat.example.com/hooks/$ROCKETCHAT_NOTIFY_TOKEN" + ROCKETCHAT_TAG_URL: "${CI_PROJECT_URL}/-/tags" +# ... +``` + +``` +15:07 🤖 bot-account: +A new tag for the project dummy-module was created by Jon Doe. +Release v1.2.3 +``` diff --git a/package.json b/package.json index b26dfaa..9b241a4 100644 --- a/package.json +++ b/package.json @@ -16,7 +16,6 @@ "semantic-release-major-tag": "^0.3.2", "semantic-release-pypi": "^3.0.2", "semantic-release-replace-plugin": "^1.2.7", - "@intuit/semantic-release-slack": "1.0.11", "semantic-release": "^24.1.1" } } diff --git a/scripts/notify-rocketchat.sh b/scripts/notify-rocketchat.sh new file mode 100644 index 0000000..d164a6e --- /dev/null +++ b/scripts/notify-rocketchat.sh 
@@ -0,0 +1,43 @@ +#!/bin/bash + +while getopts V:od flag +do + case "${flag}" in + V) VERSION=${OPTARG};; + o) OPTIONS=${OPTARG};; + d) DEBUG=1;; + esac +done + + +if [ "${DEBUG}" == 1 ]; then +echo "Version is: ${VERSION}" +echo "Options are: ${OPTIONS}" +echo "Payload is:" +echo "{ + \"emoji\": \"${ROCKETCHAT_EMOJI}\", + \"text\": \"${ROCKETCHAT_MESSAGE_TEXT}\", + \"attachments\": [ + { + \"title\": \"Release ${VERSION}\", + \"title_link\": \"${ROCKETCHAT_TAG_URL}/${VERSION}\" + } + ] + }" +fi + +if [ -n ${ROCKETCHAT_HOOK_URL} ]; then + curl \ + -X POST \ + -H 'Content-Type: application/json' \ + --data "{ + \"emoji\": \"${ROCKETCHAT_EMOJI}\", + \"text\": \"${ROCKETCHAT_MESSAGE_TEXT}\", + \"attachments\": [ + { + \"title\": \"Release ${VERSION}\", + \"title_link\": \"${ROCKETCHAT_TAG_URL}/${VERSION}\" + } + ] + }" ${OPTIONS} ${ROCKETCHAT_HOOK_URL} +fi From 6a685ae9e103ce2c0d2a8995d1c0c0379496f8eb Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Tue, 15 Oct 2024 15:59:55 +0200 Subject: [PATCH 03/10] fix: fix wrong parameters in docu --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 02d24d4..66a07a2 100644 --- a/README.md +++ b/README.md @@ -166,7 +166,7 @@ There is a helper script in the container, which can send some data over curl to plugins: # ... - path: '@semantic-release/exec' - publishCmd: "/scripts/notify-rocketchat.sh v${nextRelease.version} '--insecure' 'debug'" + publishCmd: "/scripts/notify-rocketchat.sh -V v${nextRelease.version} -o '--insecure' -d" # ... ``` From 9f73688a4144e9541a57809ad9a186dde993367f Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 13:33:31 +0200 Subject: [PATCH 04/10] feat: propper name vairable --- Dockerfile | 2 +- scripts/notify-rocketchat.sh | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index a7decee..8e7ff3e 100644 --- a/Dockerfile +++ b/Dockerfile 
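Review bot: The request body is built by splicing `ROCKETCHAT_MESSAGE_TEXT`, `VERSION` and `ROCKETCHAT_TAG_URL` into a JSON string with no escaping, so a `"` or backslash in the message text — which the README feeds from `$GITLAB_USER_NAME` — yields invalid JSON or changes the document structure; the same interpolated string survives the `payload=` refactor in patch 09 and the quoting fix in patch 10, so this applies to those hunks too. `jq` is already installed by the Dockerfile in patch 01, so the payload can be generated with `jq -n --arg`, which also removes the duplicated debug copy of the document. The unquoted `[ -n ${ROCKETCHAT_HOOK_URL} ]` is fixed in patch 09 and is not re-raised here.
```bash
payload=$(jq -cn \
  --arg emoji "${ROCKETCHAT_EMOJI}" \
  --arg text "${ROCKETCHAT_MESSAGE_TEXT}" \
  --arg title "Release ${VERSION}" \
  --arg link "${ROCKETCHAT_TAG_URL}/${VERSION}" \
  '{emoji: $emoji, text: $text, attachments: [{title: $title, title_link: $link}]}')

if [ "${DEBUG}" == 1 ]; then
  echo "Version is: ${VERSION}"
  echo "Options are: ${OPTIONS}"
  echo "Payload is:"
  echo "${payload}"
fi

# … unchanged: curl call, now with --data "${payload}" …
```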
@@ -41,7 +41,7 @@ ENV NODE_OPTIONS="--use-openssl-ca" ENV ROCKETCHAT_EMOJI=":tada:" ENV ROCKETCHAT_MESSAGE_TEXT="A new tag for the project ${CI_PROJECT_NAME} was created by ${CI_COMMIT_AUTHOR}." ENV ROCKETCHAT_HOOK_URL="https://rocketchat.example.com/hooks/here_be_dragons" -ENV ROCKETCHAT_TAG_URL="${CI_PROJECT_URL}/-/tags" +ENV ROCKETCHAT_TAGS_URL="${CI_PROJECT_URL}/-/tags" ENTRYPOINT [ "/docker-entrypoint.sh" ] CMD [ "--dry-run" ] diff --git a/scripts/notify-rocketchat.sh b/scripts/notify-rocketchat.sh index d164a6e..1294143 100644 --- a/scripts/notify-rocketchat.sh +++ b/scripts/notify-rocketchat.sh @@ -1,6 +1,6 @@ #!/bin/bash -while getopts V:od flag +while getopts V:o:d flag do case "${flag}" in V) VERSION=${OPTARG};; @@ -20,7 +20,7 @@ echo "{ \"attachments\": [ { \"title\": \"Release ${VERSION}\", - \"title_link\": \"${ROCKETCHAT_TAG_URL}/${VERSION}\" + \"title_link\": \"${ROCKETCHAT_TAGS_URL}/${VERSION}\" } ] }" @@ -36,7 +36,7 @@ if [ -n ${ROCKETCHAT_HOOK_URL} ]; then \"attachments\": [ { \"title\": \"Release ${VERSION}\", - \"title_link\": \"${ROCKETCHAT_TAG_URL}/${VERSION}\" + \"title_link\": \"${ROCKETCHAT_TAGS_URL}/${VERSION}\" } ] }" ${OPTIONS} ${ROCKETCHAT_HOOK_URL} From cab969317deacc941ddb8d06c68bf213b0f53ca3 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 13:33:56 +0200 Subject: [PATCH 05/10] doc: add how to use rocketchat and add certificates --- README.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 66a07a2..5b87080 100644 --- a/README.md +++ b/README.md 
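Review bot: The corrected `getopts V:o:d` spec still has no default arm in the `case` below it, so an unknown option or a missing argument to `-V`/`-o` only produces getopts' own stderr message and the script carries on with an empty `VERSION`, posting `Release ` with a broken `title_link`. Add `*) echo "usage: $0 -V version [-o curl-options] [-d]" >&2; exit 1;;` before `esac`, and fail early when the version is missing: `[ -n "${VERSION}" ] || { echo "ERROR: -V is required" >&2; exit 1; }`. The `case` statement continues past the end of this hunk.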
@@ -10,6 +10,21 @@ This container can be used to create project releases. It encapsulates [semantic ## Usage +### Variables + +The container has the following pre-defined enironment variables: + +| Variable | Default | +|-------------------------|---------| +| CERT_JSON | no default | +| PATH | `$PATH:/npm/node_modules/.bin` | +| NODE_OPTIONS | `--use-openssl-ca` | +| ROCKETCHAT_EMOJI | `:tada:` | +| ROCKETCHAT_MESSAGE_TEXT | `A new tag for the project ${CI_PROJECT_NAME} was created by ${CI_COMMIT_AUTHOR}.` | +| ROCKETCHAT_HOOK_URL | `https://rocketchat.example.com/hooks/here_be_dragons` | +| ROCKETCHAT_TAGS_URL | `${CI_PROJECT_URL}/-/tags` | + + ### Example `.releaserc.yaml` for a Gitlab project ```yaml @@ -157,6 +172,21 @@ docker run -it --rm \ ### Notifing RocketChat There is a helper script in the container, which can send some data over curl to RocketChat. +You need a RocketChat Hook link. + +#### script + +The script has the parameters `-V`, `-o` and `-d`. +- `-V` specifies the version which should be announced. +- `-o` can specify optional extra curl parameters. Like for example `--insecure`. +- `-d` turn on debug output. + +The script accesses the environment Variables: + +- `ROCKETCHAT_EMOJI` +- `ROCKETCHAT_MESSAGE_TEXT` +- `ROCKETCHAT_TAGS_URL` +- `ROCKETCHAT_HOOK_URL` #### .releaserc.yaml @@ -181,9 +211,9 @@ release: variables: ROCKETCHAT_NOTIFY_TOKEN: "Some hidden CI Variable to not expose the token" ROCKETCHAT_EMOJI: ":tada:" - ROCKETCHAT_MESSAGE_TEXT: "A new tag for the project $CI_PROJECT_NAME was created by $GITLAB_USER_NAME" - ROCKETCHAT_HOOK_URL: "https://rocketchat.example.com/hooks/$ROCKETCHAT_NOTIFY_TOKEN" - ROCKETCHAT_TAG_URL: "${CI_PROJECT_URL}/-/tags" + ROCKETCHAT_MESSAGE_TEXT: "A new tag for the project ${CI_PROJECT_NAME} was created by ${GITLAB_USER_NAME}" + ROCKETCHAT_HOOK_URL: "https://rocketchat.example.com/hooks/${ROCKETCHAT_NOTIFY_TOKEN}" + ROCKETCHAT_TAGS_URL: "${CI_PROJECT_URL}/-/tags" # ... ``` 
@@ -192,3 +222,20 @@ release: A new tag for the project dummy-module was created by Jon Doe. Release v1.2.3 ``` + +### Adding addional certificates to the container + +If you somehow need own certificates inside the container, you can add them over the entrypoint script. + +For example: you want to run the a webhook on a target with your own ca certificates. +Export the `CERT_JSON` and the container will import it on runtime. +It is expected that the certificates are a json hash of PEM certificates. +It is prefferable that the json is uglyfied into a onliner. + +You may add this as a CI Variable for your runners on Github/Gitlab. + +```json +{"certificates":{"root_ca":"-----BEGIN CERTIFICATE-----\n...","signing_ca":"-----BEGIN CERTIFICATE-----\n..."}} +``` + +For more details have a look at [docker-entrypoint.sh](docker-entrypoint.sh) and [docker-entrypoint.d](docker-entrypoint.d/). From b0aa38b648197cf5970f2c3a948629081c66edc3 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 15:07:28 +0200 Subject: [PATCH 06/10] Update README.md Co-authored-by: Tim Meusel --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 5b87080..946f8de 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,6 @@ The container has the following pre-defined enironment variables: | ROCKETCHAT_HOOK_URL | `https://rocketchat.example.com/hooks/here_be_dragons` | | ROCKETCHAT_TAGS_URL | `${CI_PROJECT_URL}/-/tags` | - ### Example `.releaserc.yaml` for a Gitlab project ```yaml From 3bafd5e20bf0290a4f9dbb906b661f4921a79589 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 15:07:36 +0200 Subject: [PATCH 07/10] Update README.md Co-authored-by: Tim Meusel --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 946f8de..9f7ca36 100644 --- a/README.md +++ b/README.md @@ -199,8 +199,6 @@ plugins: # ... ``` - - #### .gitlab-ci.yml ```yaml 
From c2e2f359c31705f58be743b90ca6f3ee6f77695a Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 15:26:12 +0200 Subject: [PATCH 08/10] doc: fix spelling and style Signed-off-by: Robert Waffen --- README.md | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9f7ca36..7d48b8d 100644 --- a/README.md +++ b/README.md @@ -6,13 +6,15 @@ ## Introduction -This container can be used to create project releases. It encapsulates [semantic-release](https://semantic-release.gitbook.io/semantic-release) and all necessary plugins. See [package.json](package.json) for details. This is a npm application running in an alpine container. +This container can be used to create project releases. +It encapsulates [semantic-release](https://semantic-release.gitbook.io/semantic-release) and all necessary plugins. +See [package.json](package.json) for details. This is a npm application running in an alpine container. ## Usage ### Variables -The container has the following pre-defined enironment variables: +The container has the following pre-defined environment variables: | Variable | Default | |-------------------------|---------| @@ -176,6 +178,7 @@ You need a RocketChat Hook link. #### script The script has the parameters `-V`, `-o` and `-d`. + - `-V` specifies the version which should be announced. - `-o` can specify optional extra curl parameters. Like for example `--insecure`. - `-d` turn on debug output. @@ -199,6 +202,7 @@ plugins: # ... ``` + #### .gitlab-ci.yml ```yaml 
@@ -214,20 +218,20 @@ release: # ... ``` -``` +```text 15:07 🤖 bot-account: A new tag for the project dummy-module was created by Jon Doe. Release v1.2.3 ``` -### Adding addional certificates to the container +### Adding additional certificates to the container If you somehow need own certificates inside the container, you can add them over the entrypoint script. For example: you want to run the a webhook on a target with your own ca certificates. Export the `CERT_JSON` and the container will import it on runtime. It is expected that the certificates are a json hash of PEM certificates. -It is prefferable that the json is uglyfied into a onliner. +It is preferable that the json is uglified into a onliner. You may add this as a CI Variable for your runners on Github/Gitlab. From 520232322a6fff370a1635b0ed7323f42280880d Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 15:26:28 +0200 Subject: [PATCH 09/10] feat: only generate json once Signed-off-by: Robert Waffen --- scripts/notify-rocketchat.sh | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) mode change 100644 => 100755 scripts/notify-rocketchat.sh diff --git a/scripts/notify-rocketchat.sh b/scripts/notify-rocketchat.sh old mode 100644 new mode 100755 index 1294143..a921434 --- a/scripts/notify-rocketchat.sh +++ b/scripts/notify-rocketchat.sh @@ -9,12 +9,7 @@ do esac done - -if [ "${DEBUG}" == 1 ]; then -echo "Version is: ${VERSION}" -echo "Options are: ${OPTIONS}" -echo "Payload is:" -echo "{ +payload="{ \"emoji\": \"${ROCKETCHAT_EMOJI}\", \"text\": \"${ROCKETCHAT_MESSAGE_TEXT}\", \"attachments\": [ 
@@ -24,20 +19,18 @@ echo "{ } ] }" + +if [ "${DEBUG}" == 1 ]; then +echo "Version is: ${VERSION}" +echo "Options are: ${OPTIONS}" +echo "Payload is:" +echo "${payload}" fi -if [ -n ${ROCKETCHAT_HOOK_URL} ]; then +if [[ -n ${ROCKETCHAT_HOOK_URL} ]]; then curl \ -X POST \ -H 'Content-Type: application/json' \ - --data "{ - \"emoji\": \"${ROCKETCHAT_EMOJI}\", - \"text\": \"${ROCKETCHAT_MESSAGE_TEXT}\", - \"attachments\": [ - { - \"title\": \"Release ${VERSION}\", - \"title_link\": \"${ROCKETCHAT_TAGS_URL}/${VERSION}\" - } - ] - }" ${OPTIONS} ${ROCKETCHAT_HOOK_URL} + --data ${payload} \ + ${OPTIONS} ${ROCKETCHAT_HOOK_URL} fi From 642eda090168974ae5af50ec08da5339a291e794 Mon Sep 17 00:00:00 2001 From: Robert Waffen Date: Wed, 16 Oct 2024 16:13:39 +0200 Subject: [PATCH 10/10] Update scripts/notify-rocketchat.sh Co-authored-by: Tim Meusel --- scripts/notify-rocketchat.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/notify-rocketchat.sh b/scripts/notify-rocketchat.sh index a921434..c567bbb 100755 --- a/scripts/notify-rocketchat.sh +++ b/scripts/notify-rocketchat.sh @@ -31,6 +31,6 @@ if [[ -n ${ROCKETCHAT_HOOK_URL} ]]; then curl \ -X POST \ -H 'Content-Type: application/json' \ - --data ${payload} \ + --data "${payload}" \ ${OPTIONS} ${ROCKETCHAT_HOOK_URL} fi
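Review bot: The `curl` invocation still has no `--fail`, so a webhook rejection (invalid token, revoked hook, wrong URL) prints the 4xx body to stdout and curl exits 0; since the README wires this script in as the `@semantic-release/exec` publishCmd, the release is reported as successful while no notification went out. Use `curl --fail --silent --show-error -X POST …` and let the non-zero exit propagate so the publish step fails visibly. The `-o` pass-through exists so callers can add `--insecure`, as the README example does; that disables TLS verification for the hook host and should stay out of production pipelines — a comment at the `${OPTIONS}` line would make the trade-off explicit. Patch 10 on this same hunk fixes the quoting of `--data "${payload}"`, but the payload remains the interpolated string flagged at patch 02.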