Publish images from patch release branches (#63379)

willdollman · web-flow · commit e24226a7640f · 2024-06-20T15:46:37.000+01:00
We currently don't publish images from the new-style patch release branches like `5.4.5099`, as this is all performed using the new release tooling. In order to improve the release process, we (Security) would like to run a daily scan of the current set of images built from the patch release branch. Currently we only scan images built from `main`, but these slowly diverge from the patch release branch in the 2 week window between a monthly release and the patch release. To give a specific example, we currently have no easy/automated way to scan images from the `5.4.5099` branch that a release will be cut from this afternoon until the release team run the internal release process. This PR updates the pipeline so that whenever a new commit is pushed to the patch release branch, it will publish a new set of images and include the tag `<branch>-insiders`. Currently just pushing to us.gcr.io, but equally could push to dockerhub. Example of the jobfile for a matching branch after this PR: `bazel --bazelrc=/tmp/aspect-generated.bazelrc --bazelrc=.aspect/bazelrc/ci.sourcegraph.bazelrc run //cmd/batcheshelper:candidate_push --stamp --workspace_status_command=./dev/bazel_stamp_vars.sh -- --tag dc43864 --tag dc438648b0cc_2024-06-20 --tag dc438648b0cc_279230 --tag will/5.4.9999-insiders --repository us.gcr.io/sourcegraph-dev/batcheshelper && echo -e '<tr><td>batcheshelper</td><td><code>us.gcr.io/sourcegraph-dev</code></td><td><code>dc438648b0cc</code>, <code>dc438648b0cc_2024-06-20</code>, <code>dc438648b0cc_279230</code>, <code>will/5.4.9999-insiders</code></td></tr>' >>./annotations/pushed_images.md` [Example buildkite run](https://buildkite.com/sourcegraph/sourcegraph/builds/279230#_) where the pattern was updated to match this branch, and pushing non-candidate images was disabled. This resolves one part of [SEC-1734](https://linear.app/sourcegraph/issue/SEC-1734/scan-images-from-patch-release-branches)  ## Test plan - Manual testing of buildkite pipeline  ## Changelog
diff --git a/dev/ci/push_all.sh b/dev/ci/push_all.sh
@@ -6,7 +6,7 @@ echo "~~~ :aspect: :stethoscope: Agent Health check"
 /etc/aspect/workflows/bin/agent_health_check
 
 aspectRC="/tmp/aspect-generated.bazelrc"
-rosetta bazelrc > "$aspectRC"
+rosetta bazelrc >"$aspectRC"
 bazelrc=(--bazelrc="$aspectRC" --bazelrc=.aspect/bazelrc/ci.sourcegraph.bazelrc)
 
 function preview_tags() {
@@ -77,7 +77,7 @@ prod_registries=(
 )
 
 if [ -n "${ADDITIONAL_PROD_REGISTRIES}" ]; then
-  IFS=' ' read -r -a registries <<< "$ADDITIONAL_PROD_REGISTRIES"
+  IFS=' ' read -r -a registries <<<"$ADDITIONAL_PROD_REGISTRIES"
   prod_registries+=("${registries[@]}")
 fi
 
@@ -104,7 +104,7 @@ elif [[ "$BUILDKITE_BRANCH" =~ ^main$ ]] || [[ "$BUILDKITE_BRANCH" =~ ^docker-im
   dev_tags+=("insiders")
   prod_tags+=("insiders")
   push_prod=true
-elif [[ "$BUILDKITE_BRANCH" =~ ^main-dry-run/.*  ]]; then
+elif [[ "$BUILDKITE_BRANCH" =~ ^main-dry-run/.* ]]; then
   # We only push on internal registries on a main-dry-run.
   dev_tags+=("insiders")
   prod_tags+=("insiders")
@@ -119,6 +119,10 @@ elif [[ "$BUILDKITE_BRANCH" =~ ^[0-9]+\.[0-9]+$ ]]; then
   # format introduced by https://github.com/sourcegraph/sourcegraph/pull/48050
   # by release branch deployments.
   push_prod=true
+elif [[ "$BUILDKITE_BRANCH" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  # Patch release builds only need to be pushed to internal registries.
+  push_prod=false
+  dev_tags+=("$BUILDKITE_BRANCH-insiders")
 elif [[ "$BUILDKITE_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(\-rc\.[0-9]+)?$ ]]; then
   # ok: v5.1.0
   # ok: v5.1.0-rc.5
@@ -141,11 +145,10 @@ if [ -n "$CANDIDATE_ONLY" ]; then
   push_prod=false
 fi
 
-
 # Posting the preamble for image pushes.
-echo -e "### ${BUILDKITE_LABEL}" > ./annotations/pushed_images.md
+echo -e "### ${BUILDKITE_LABEL}" >./annotations/pushed_images.md
 echo -e "<details><summary>Click to expand table</summary><table>\n" >>./annotations/pushed_images.md
-echo -e "<tr><th>Name</th><th>Registry</th><th>Tags</th></tr>\n" >> ./annotations/pushed_images.md
+echo -e "<tr><th>Name</th><th>Registry</th><th>Tags</th></tr>\n" >>./annotations/pushed_images.md
 
 preview_tags "${dev_registries[*]}" "${dev_tags[*]}"
 if $push_prod; then
diff --git a/dev/ci/runtype/runtype.go b/dev/ci/runtype/runtype.go
@@ -23,10 +23,11 @@ const (
 
 	// Release branches
 
-	TaggedRelease     // semver-tagged release
-	ReleaseBranch     // release branch build
-	BextReleaseBranch // browser extension release build
-	VsceReleaseBranch // vs code extension release build
+	TaggedRelease      // semver-tagged release
+	ReleaseBranch      // release branch build
+	PatchReleaseBranch // patch release branch build
+	BextReleaseBranch  // browser extension release build
+	VsceReleaseBranch  // vs code extension release build
 
 	InternalRelease // Internal release
 	PromoteRelease  // Public release
@@ -138,6 +139,11 @@ func (t RunType) Matcher() *RunTypeMatcher {
 			Branch:       `^[0-9]+\.[0-9]+$`,
 			BranchRegexp: true,
 		}
+	case PatchReleaseBranch:
+		return &RunTypeMatcher{
+			Branch:       `^[0-9]+\.[0-9]+\.[0-9]+$`,
+			BranchRegexp: true,
+		}
 	case BextReleaseBranch:
 		return &RunTypeMatcher{
 			Branch:      "bext/release",
