Add a "backport" pipeline for releasing older versions

I'd like to release an update to the 0.10 line but at the moment doing so would overwrite Tekton's latest release YAML with the older version. This PR updates the release pipeline and publish task specifically for releasing older versions of Pipelines without overwriting the latest release in our buckets. This PR adds a `releaseAsLatest` param to the pipeline and task which defaults to true. When overridden and set to "false" the pipeline will not tag any images as ":latest" or upload to the /latest directory of the releases bucket.
tektoncd · Mar 18, 2020 · c376874 · c376874
1 parent a10e779
commit c376874
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 14 deletions.
diff --git a/tekton/README.md b/tekton/README.md
@@ -121,6 +121,9 @@ To use [`tkn`](https://github.com/tektoncd/cli) to run the `publish-tekton-pipel
    # Double-check the git revision that is going to be used for the release:
    kubectl get pipelineresource/tekton-pipelines-git-vX-Y-Z -o=jsonpath="{'Target Revision: '}{.spec.params[?(@.name == 'revision')].value}{'\n'}"
 
+   # Execute the release pipeline.
+   # By default this will tag the release as Pipelines' latest. If you would like to prevent
+   # this from happening add --param=releaseAsLatest="false"
    tkn pipeline start \
 		--param=versionTag=${VERSION_TAG} \
 		--param=imageRegistry=${IMAGE_REGISTRY} \

diff --git a/tekton/publish.yaml b/tekton/publish.yaml
@@ -17,6 +17,9 @@ spec:
       description: TODO(#569) This is a hack to make it easy for folks to switch the registry being used by the many many image outputs
     - name: pathToProject
       description: The path to the folder in the go/src dir that contains the project, which is used by `ko` to name the resulting images
+    - name: releaseAsLatest
+      description: Whether to tag and publish this release as Pipelines' latest
+      default: "true"
   outputs:
     resources:
     - name: bucket
@@ -93,13 +96,12 @@ spec:
     - "/workspace/bucket"
     - "/workspace/output/"
 
-  - name: ensure-release-dirs-exist
+  - name: ensure-release-dir-exists
     image: busybox
     command: ["mkdir"]
     args:
     - "-p"
-    - "/workspace/output/bucket/latest/"
-    - "/workspace/output/bucket/previous/"
+    - "/workspace/output/bucket/previous/$(inputs.params.versionTag)/"
 
   - name: run-ko
     # FIXME(vdemeester) use a tagged version once 0.2 is released
@@ -145,26 +147,33 @@ spec:
       sed -i 's/devel/$(inputs.params.versionTag)/g' /workspace/go/src/github.com/tektoncd/pipeline/config/controller.yaml
       sed -i 's/devel/$(inputs.params.versionTag)/g' /workspace/go/src/github.com/tektoncd/pipeline/config/webhook.yaml
 
+      OUTPUT_BUCKET_RELEASE_DIR="/workspace/output/bucket/previous/$(inputs.params.versionTag)"
+
       # Publish images and create release.yaml
-      ko resolve --preserve-import-paths -t $(inputs.params.versionTag) -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > /workspace/output/bucket/latest/release.yaml
+      ko resolve --preserve-import-paths -t $(inputs.params.versionTag) -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > $OUTPUT_BUCKET_RELEASE_DIR/release.yaml
       # Publish images and create release.notags.yaml
       # This is useful if your container runtime doesn't support the `image-reference:tag@digest` notation
       # This is currently the case for `cri-o` (and most likely others)
-      ko resolve --preserve-import-paths -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > /workspace/output/bucket/latest/release.notags.yaml
+      ko resolve --preserve-import-paths -f /workspace/go/src/github.com/tektoncd/pipeline/config/ > $OUTPUT_BUCKET_RELEASE_DIR/release.notags.yaml
     volumeMounts:
       - name: gcp-secret
         mountPath: /secret
 
-  - name: copy-to-tagged-bucket
+  - name: copy-to-latest-bucket
     image: busybox
     workingDir: "/workspace/output/bucket"
     script: |
       #!/bin/sh
       set -ex
 
-      mkdir -p /workspace/output/bucket/previous/$(inputs.params.versionTag)/
-      cp /workspace/output/bucket/latest/release.yaml /workspace/output/bucket/previous/$(inputs.params.versionTag)/release.yaml
-      cp /workspace/output/bucket/latest/release.notags.yaml /workspace/output/bucket/previous/$(inputs.params.versionTag)/release.notags.yaml
+      if [[ "$(inputs.params.releaseAsLatest)" == "true" ]]
+      then
+        mkdir -p "/workspace/output/bucket/latest/"
+        OUTPUT_BUCKET_RELEASE_DIR="/workspace/output/bucket/previous/$(inputs.params.versionTag)"
+        OUTPUT_BUCKET_LATEST_DIR="/workspace/output/bucket/latest"
+        cp "$OUTPUT_BUCKET_RELEASE_DIR/release.yaml" "$OUTPUT_BUCKET_LATEST_DIR/release.yaml"
+        cp "$OUTPUT_BUCKET_RELEASE_DIR/release.notags.yaml" "$OUTPUT_BUCKET_LATEST_DIR/release.notags.yaml"
+      fi
 
   - name: tag-images
     image: google/cloud-sdk
@@ -185,7 +194,7 @@ spec:
         $(inputs.params.imageRegistry)/$(inputs.params.pathToProject)/$(outputs.resources.builtGcsFetcherImage.url):$(inputs.params.versionTag)
       )
       # Parse the built images from the release.yaml generated by ko
-      BUILT_IMAGES=( $(/workspace/go/src/github.com/tektoncd/pipeline/tekton/koparse/koparse.py --path /workspace/output/bucket/latest/release.yaml --base $(inputs.params.imageRegistry)/$(inputs.params.pathToProject) --images ${IMAGES[@]}) )
+      BUILT_IMAGES=( $(/workspace/go/src/github.com/tektoncd/pipeline/tekton/koparse/koparse.py --path /workspace/output/bucket/previous/$(inputs.params.versionTag)/release.yaml --base $(inputs.params.imageRegistry)/$(inputs.params.pathToProject) --images ${IMAGES[@]}) )
 
       # Auth with account credentials
       gcloud auth activate-service-account --key-file=/secret/release.json
@@ -196,13 +205,24 @@ spec:
         IMAGE_WITHOUT_SHA=${IMAGE%%@*}
         IMAGE_WITHOUT_SHA_AND_TAG=${IMAGE_WITHOUT_SHA%%:*}
         IMAGE_WITH_SHA=${IMAGE_WITHOUT_SHA_AND_TAG}@${IMAGE##*@}
-        gcloud -q container images add-tag ${IMAGE_WITH_SHA} ${IMAGE_WITHOUT_SHA_AND_TAG}:latest
+
+        if [[ "$(inputs.params.releaseAsLatest)" == "true" ]]
+        then
+          gcloud -q container images add-tag ${IMAGE_WITH_SHA} ${IMAGE_WITHOUT_SHA_AND_TAG}:latest
+        fi
+
         for REGION in "${REGIONS[@]}"
         do
-          for TAG in "latest" $(inputs.params.versionTag)
-          do
+          if [[ "$(inputs.params.releaseAsLatest)" == "true" ]]
+          then
+            for TAG in "latest" $(inputs.params.versionTag)
+            do
+              gcloud -q container images add-tag ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
+            done
+          else
+            TAG="$(inputs.params.versionTag)"
             gcloud -q container images add-tag ${IMAGE_WITH_SHA} ${REGION}.${IMAGE_WITHOUT_SHA_AND_TAG}:$TAG
-          done
+          fi
         done
       done
     volumeMounts:

diff --git a/tekton/release-pipeline.yaml b/tekton/release-pipeline.yaml
@@ -12,6 +12,9 @@ spec:
     default: gcr.io/tekton-releases
   - name: versionTag
     description: The X.Y.Z version that the artifacts should be tagged with
+  - name: releaseAsLatest
+    description: Whether to tag and publish this release as Pipelines' latest
+    default: "true"
   resources:
   - name: source-repo
     type: git
@@ -106,6 +109,8 @@ spec:
           value: $(params.versionTag)
         - name: imageRegistry
           value: $(params.imageRegistry)
+        - name: releaseAsLatest
+          value: $(params.releaseAsLatest)
       resources:
         inputs:
           - name: source