google-nomulus/release/cloudbuild-proxy.yaml

# To run the build locally, install cloud-build-local first.
# You will need access to a private registry, so be sure to install the docker
# credential helper.
# See: https://cloud.google.com/cloud-build/docs/build-debug-locally
# Then run:
# cloud-build-local --config=cloudbuild-proxy.yaml --dryrun=false --substitutions TAG_NAME=[TAG] ..
# This will create a docker image named gcr.io/[PROJECT_ID]/proxy:[TAG] locally.
# The PROJECT_ID is the current project name that gcloud uses.
#
# To manually trigger a build on GCB, run:
# gcloud builds submit --config cloudbuild-proxy.yaml --substitutions TAG_NAME=[TAG] ..
#
# To trigger a build automatically, follow the instructions below and add a trigger:
# https://cloud.google.com/cloud-build/docs/running-builds/automate-builds
steps:
# Set permissions correctly. Not sure why it is necessary, but it is.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['chown', '-R', 'root:root', '.']
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['chmod', '-R', '777', '.']
# Build the deploy jar.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args:
  - './gradlew'
  - ':proxy:test'
  - ':proxy:deployJar'
  - '-x'
  - 'autoLintGradle'
  - '-PmavenUrl=gcs://domain-registry-maven-repository/maven'
  - '-PpluginsUrl=gcs://domain-registry-maven-repository/plugins'
  dir: 'gradle'
# Build the docker image.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['docker', 'build', '--tag', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}', '.']
  dir: 'gradle/proxy'
# Move config files to the working directory. This is necessary because of Spinnaker limitations.
# It will concantinate `location' and `path' in the artifact field to construct the artifact
# path, even though the artifact is always uploaded to the `location', and `path' can be a regular
# expression.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  entrypoint: /bin/bash
  args: ['-c', 'mv java/google/registry/proxy/kubernetes/* .']
# Push the image. We can't let Cloud Build's default processing do that for us
# because we need to push the image before we can sign it in the following
# step.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  args: ['docker', 'push', 'gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']
# Get the image hash and sign it.
- name: 'gcr.io/${PROJECT_ID}/builder:latest'
  entrypoint: /bin/bash
  args:
  - -c
  - >
    hash=$(gcloud container images list-tags gcr.io/${PROJECT_ID}/proxy \
      --format="get(digest)" --filter="tags = ${TAG_NAME}") && \
    gcloud --project=${PROJECT_ID} alpha container binauthz attestations \
      sign-and-create --artifact-url=gcr.io/${PROJECT_ID}/proxy@$hash \
      --attestor=build-attestor --attestor-project=${PROJECT_ID} \
      --keyversion-project=${PROJECT_ID} --keyversion-location=global \
      --keyversion-keyring=attestor-keys --keyversion-key=signing \
      --keyversion=1
# Images to upload to GCR. Even though the image has already been uploaded, we still include it
# here so that the GCB pubsub message contains it (for Spinnaker to consume).
images: ['gcr.io/${PROJECT_ID}/proxy:${TAG_NAME}']
# Config files to upload to GCS.
artifacts:
  objects:
    location: 'gs://${PROJECT_ID}-deploy/${TAG_NAME}'
    # This cannot be regexs because of how Spinnaker constructs artifact paths.
    paths:
    - 'proxy-deployment-alpha.yaml'
    - 'proxy-deployment-crash.yaml'
    - 'proxy-deployment-sandbox.yaml'
    - 'proxy-deployment-production.yaml'
    - 'proxy-deployment-crash-canary.yaml'
    - 'proxy-deployment-sandbox-canary.yaml'
    - 'proxy-deployment-production-canary.yaml'
    - 'proxy-service.yaml'
    - 'proxy-service-canary.yaml'
timeout: 3600s
options:
  machineType: 'N1_HIGHCPU_8'