github.phpd.cn/thought-machine/please@v12.2.0+incompatible/build_defs/signing.build_defs (about)

     1  """Build rules for signing releases using GPG."""
     2  subinclude('//build_defs:fpm')
     3  
     4  
def signed_fpm_deb(name, version, package_name=None, files=None, dirs=None, links=None,
                   post_cmds=None, visibility=None):
    """Builds a deb with FPM together with a detached GPG signature for it.

    Every argument is forwarded to fpm_deb; package_name falls back to name when it
    is not given.

    Two rules result: the deb itself under the given name, and a second rule with a
    _signed suffix whose output is the detached .asc file. The signature rule is
    labelled 'deb_asc' and 'manual' (detached_signature adds 'asc' as well).

    Returns whatever detached_signature returns, i.e. the signature rule and not the
    deb rule.
    """
    pkg = package_name or name
    deb_target = fpm_deb(
        name = name,
        version = version,
        package_name = pkg,
        files = files,
        dirs = dirs,
        links = links,
        post_cmds = post_cmds,
        visibility = visibility,
    )
    # The signature is named after the package, version and architecture.
    # NOTE(review): presumably this mirrors the file name fpm_deb gives the deb, so
    # the .asc sits next to the file it signs - confirm against fpm_deb.
    signature_file = '%s_%s_%s.deb.asc' % (pkg, version, CONFIG.ARCH)
    return detached_signature(
        name = name,
        src = deb_target,
        out = signature_file,
        labels = ['deb_asc', 'manual'],
        visibility = visibility,
    )
    32  
    33  
def signed_tarball(name, srcs, out, subdir, visibility=None):
    """Builds a tarball together with a detached GPG signature for it.

    Every argument is forwarded to tarball.

    Two rules result: the tarball itself under the given name, and a second rule with
    a _signed suffix whose output is the detached signature, written to out + '.asc'.
    The signature rule is labelled 'tar_asc' and 'manual' (detached_signature adds
    'asc' as well).

    Returns whatever detached_signature returns, i.e. the signature rule and not the
    tarball rule.
    """
    archive_target = tarball(
        name = name,
        srcs = srcs,
        out = out,
        subdir = subdir,
        visibility = visibility,
    )
    # Keep the signature file name tied to the archive name so a verifier can pair
    # the two files.
    signature_file = out + '.asc'
    return detached_signature(
        name = name,
        src = archive_target,
        out = signature_file,
        labels = ['tar_asc', 'manual'],
        visibility = visibility,
    )
    56  
    57  
def detached_signature(name, src, out, labels=None, deps=None, visibility=None):
    """Produces an ASCII-armored detached signature for a single file.

    The signing key is read from ~/.keys/plz.gpg.asc, which is given to the rule as a
    secret rather than as a source. The passphrase for that key must be supplied at
    build time. To keep it out of the build logs, pass it through the environment:
      PLZ_OVERRIDES=buildenv.gpg_password:54321 plz build //...
    (54321 is an example value), or have the CI system inject it when needed.

    NOTE(review): a passphrase typed inline as above can still be recorded in shell
    history and is readable from the process environment by the same user. Injecting
    it from the CI system's secret store avoids both.
    NOTE(review): the key path is fixed, so each signing machine needs the private key
    at that location; keep the file readable by the build user only.
    NOTE(review): presumably files listed under secrets do not feed the rule's hash -
    confirm before relying on cached signatures after a key rotation.

    Args:
      name (str): Name of the rule; the generated rule is called name + '_signed'.
      src (str): Input file or rule. If a rule, it must have only a single output.
      out (str): Name of output signature file.
      labels (list): Extra labels for this rule; 'asc' is always added in front.
      deps (list): Dependencies.
      visibility (list): Visibility of the rule.
    """
    signature_labels = ['asc'] + (labels or [])
    # The signer receives the input via -i and the key via -k. No output flag is
    # passed on this command line, so the tool presumably locates the declared
    # output itself - TODO confirm against //tools/release_signer.
    sign_cmd = '$TOOL -i $SRCS -k $SECRETS'
    return genrule(
        name = name + '_signed',
        srcs = [src],
        outs = [out],
        tools = ['//tools/release_signer'],
        secrets = ['~/.keys/plz.gpg.asc'],
        cmd = sign_cmd,
        labels = signature_labels,
        deps = deps,
        visibility = visibility,
    )