Add bootstrap secret flow to production Stdb builds

2026-05-08 22:52:11 +08:00
parent a1e5c2150c
commit cf9fb5ac40
5 changed files with 125 additions and 28 deletions


@@ -21,6 +21,7 @@ pipeline {
string(name: 'BUILD_VERSION', defaultValue: '', description: '发布版本号,留空则使用 Jenkins BUILD_NUMBER')
booleanParam(name: 'RUN_NPM_CI', defaultValue: true, description: 'Web 构建前是否执行 npm ci')
string(name: 'NOTIFICATION_EMAILS', defaultValue: '', description: '本次运行追加通知邮箱;会与 Jenkins Secret Text 凭据 genarrative-notification-emails 合并发送')
string(name: 'MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID', defaultValue: '', description: '可选,透传给 Stdb module 构建的迁移 bootstrap secret 凭据 ID留空则由 Stdb 构建自动生成')
string(name: 'WEB_BUILD_JOB_NAME', defaultValue: 'Genarrative-Web-Build', description: 'Web 构建流水线作业名')
string(name: 'API_BUILD_JOB_NAME', defaultValue: 'Genarrative-Api-Build', description: 'API 构建流水线作业名')
string(name: 'STDB_BUILD_JOB_NAME', defaultValue: 'Genarrative-Stdb-Module-Build', description: 'Stdb 构建流水线作业名')
@@ -120,6 +121,7 @@ pipeline {
string(name: 'COMMIT_HASH', value: env.SOURCE_COMMIT),
string(name: 'BUILD_VERSION', value: env.EFFECTIVE_BUILD_VERSION),
string(name: 'NOTIFICATION_EMAILS', value: params.NOTIFICATION_EMAILS ?: ''),
string(name: 'MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID', value: params.MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID ?: ''),
string(name: 'DATABASE', value: params.DATABASE),
]
env.STDB_BUILD_NUMBER = stdbRun.number.toString()
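Review bot: MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID is declared as a free-form `string` parameter and forwarded verbatim at the `string(name: 'MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID', value: params.MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID ?: '')` line, so anyone allowed to start this orchestrator can name any Secret Text credential ID resolvable by the Stdb build job and have it bound as the migration bootstrap secret; nothing in this hunk constrains which IDs are acceptable. Declaring it with the `credentials` parameter type, e.g. `credentials(name: 'MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID', credentialType: 'Secret text', defaultValue: '', required: false, description: '…')`, would let Jenkins restrict the choice to existing Secret Text entries the triggering user can see (the exact credentialType label should be confirmed against the installed Credentials plugin), and the downstream job could additionally check the ID against an expected naming prefix before calling withCredentials. The parameter description also states that leaving the field empty makes the Stdb build generate the secret itself, and the Stdb section visible further down archives that generated value as `migration-bootstrap-secret.txt` via archiveArtifacts, which exposes a plaintext secret to everyone with artifact read access; that hunk's end lies outside this view, so I am raising it here. It would be worth stating at this parameter that the empty default therefore produces a secret artifact and that operators should prefer supplying a pre-created credential ID.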


@@ -24,6 +24,7 @@ pipeline {
string(name: 'COMMIT_HASH', defaultValue: '', description: '可选,指定属于 SOURCE_BRANCH 的 Git commit')
string(name: 'BUILD_VERSION', defaultValue: '', description: '发布版本号,留空则使用 Jenkins BUILD_NUMBER')
string(name: 'NOTIFICATION_EMAILS', defaultValue: '', description: '本次运行追加通知邮箱;会与 Jenkins Secret Text 凭据 genarrative-notification-emails 合并发送')
string(name: 'MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID', defaultValue: '', description: '可选,复用既有迁移 bootstrap secret 的 Jenkins Secret Text 凭据 ID留空则本次构建自动生成')
booleanParam(name: 'PUBLISH_AFTER_BUILD', defaultValue: false, description: '构建成功后是否触发 Stdb module 发布')
string(name: 'DEPLOY_JOB_NAME', defaultValue: 'Genarrative-Stdb-Module-Publish', description: 'Stdb module 发布流水线作业名')
choice(name: 'DEPLOY_TARGET', choices: ['development', 'release'], description: 'PUBLISH_AFTER_BUILD=true 时的逻辑部署目标development 使用当前 Linux 开发/构建/开发部署 agent')
@@ -67,30 +68,32 @@ pipeline {
stage('Build Stdb Module') {
steps {
powershell '''
$ErrorActionPreference = 'Stop'
$workspaceTmp = if ($env:WORKSPACE_TMP) { $env:WORKSPACE_TMP } else { "$env:WORKSPACE@tmp" }
$env:CARGO_HOME = "$workspaceTmp/cargo-home"
$env:CARGO_TARGET_DIR = "$workspaceTmp/cargo-target/prod-release"
$env:SCCACHE_DIR = "$env:USERPROFILE/.cache/sccache-stdb-module"
$env:PATH = "$env:CARGO_HOME/bin;$env:PATH"
$gitBash = @(
$env:GENARRATIVE_BASH,
'C:/Program Files/Git/bin/bash.exe',
'C:/Program Files/Git/usr/bin/bash.exe',
'C:/msys64/usr/bin/bash.exe',
'bash'
) | Where-Object { $_ -and (($_ -eq 'bash') -or (Test-Path $_)) } | Select-Object -First 1
if (-not $gitBash) {
throw '[stdb-build] Windows 构建节点缺少 Git Bash无法执行仓库现有生产构建脚本。请先安装 Git for Windows并确保 bash 在 PATH 中。'
}
$env:GENARRATIVE_BASH = $gitBash
if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) {
throw '[stdb-build] 缺少 cargo。请先在 Windows 构建节点安装 Rust 工具链,并确保 cargo 在 PATH 中。'
}
# sccache 只是可选缓存PATH 中存在但不可执行时必须回退到 rustc。
script {
def buildStep = {
powershell '''
$ErrorActionPreference = 'Stop'
$workspaceTmp = if ($env:WORKSPACE_TMP) { $env:WORKSPACE_TMP } else { "$env:WORKSPACE@tmp" }
$env:CARGO_HOME = "$workspaceTmp/cargo-home"
$env:CARGO_TARGET_DIR = "$workspaceTmp/cargo-target/prod-release"
$env:SCCACHE_DIR = "$env:USERPROFILE/.cache/sccache-stdb-module"
$env:PATH = "$env:CARGO_HOME/bin;$env:PATH"
$gitBash = @(
$env:GENARRATIVE_BASH,
'C:/Program Files/Git/bin/bash.exe',
'C:/Program Files/Git/usr/bin/bash.exe',
'C:/msys64/usr/bin/bash.exe',
'bash'
) | Where-Object { $_ -and (($_ -eq 'bash') -or (Test-Path $_)) } | Select-Object -First 1
if (-not $gitBash) {
throw '[stdb-build] Windows 构建节点缺少 Git Bash无法执行仓库现有生产构建脚本。请先安装 Git for Windows并确保 bash 在 PATH 中。'
}
$env:GENARRATIVE_BASH = $gitBash
if (-not (Get-Command cargo -ErrorAction SilentlyContinue)) {
throw '[stdb-build] 缺少 cargo。请先在 Windows 构建节点安装 Rust 工具链,并确保 cargo 在 PATH 中。'
}
# sccache 只是可选缓存PATH 中存在但不可执行时必须回退到 rustc。
$sccacheCommand = Get-Command sccache -ErrorAction SilentlyContinue
$sccacheUsable = $false
$sccacheUsable = $false
if ($sccacheCommand) {
try {
& $sccacheCommand.Source --version | Out-Host
@@ -101,16 +104,28 @@ pipeline {
}
if (-not $sccacheUsable) {
Write-Host '[stdb-build] 未找到可用 sccache改用 rustc 直接构建。'
Remove-Item Env:RUSTC_WRAPPER -ErrorAction SilentlyContinue
Remove-Item Env:RUSTC_WRAPPER -ErrorAction SilentlyContinue
}
npm run build:production-release -- --component spacetime-module --name "$env:EFFECTIVE_BUILD_VERSION"
'''
}
npm run build:production-release -- --component spacetime-module --name "$env:EFFECTIVE_BUILD_VERSION"
'''
if (params.MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID?.trim()) {
withCredentials([
string(credentialsId: params.MIGRATION_BOOTSTRAP_SECRET_CREDENTIAL_ID.trim(), variable: 'GENARRATIVE_SPACETIME_MIGRATION_BOOTSTRAP_SECRET')
]) {
buildStep()
}
} else {
buildStep()
}
}
}
}
stage('Archive') {
steps {
archiveArtifacts artifacts: "build/${env.EFFECTIVE_BUILD_VERSION}/spacetime_module.wasm,build/${env.EFFECTIVE_BUILD_VERSION}/spacetime_module.wasm.sha256,build/${env.EFFECTIVE_BUILD_VERSION}/release-manifest.json", fingerprint: true
archiveArtifacts artifacts: "build/${env.EFFECTIVE_BUILD_VERSION}/migration-bootstrap-secret.txt", fingerprint: false
}
}