[MONGOCRYPT-838] Upload build artifacts to a restricted bucket on release branch builds #1126
This change replaces all references to the mciuploads bucket in the CI configuration file with a template expansion that conditionally refers to an alternate bucket in certain scenarios. This templating also sets the role_arn for S3 operations based on the same conditions.
Need to be addressed: Some scripts still download (via HTTP) from the
I also expect the "publish packages" function also needs to update the URL. Possibly with an addition:

```sh
# Pick the download prefix that matches the bucket the project uploads to.
if [ "${project}" = 'libmongocrypt-release' ]; then
    package_url_prefix="https://downloads.mongodb.org"
else
    package_url_prefix="https://mciuploads.s3.amazonaws.com"
fi
```

That runs on every mainline commit. So I expect that would need to be updated before cherry-picking to avoid failures in the publish-packages tasks.
kevinAlbs
left a comment
LGTM with a comment removal.
Quoting DEVPROD-20712:

> please write all artifacts to "s3://cdn-origin-libmongocrypt/libmongocrypt/"
kevinAlbs
left a comment
To test before merging, I temporarily set the libmongocrypt-release Evergreen project to test a branch (MONGOCRYPT-838) with that PR to test the upload to the restricted bucket. With the added commits, the new upload appears to work.
Let's try this again. Refer: MONGOCRYPT-838
Summary
This changeset does the following:
- `permissions: private` and `visibility: signed`.
- `libmongocrypt-release` or any build that is a patch, artifacts are transmitted in the `mciuploads` bucket using a less-restricted role for that bucket.
- `libmongocrypt-release` commit or tag builds, artifacts are transmitted and posted in the `cnd-origin-libmongocrypt` bucket using a restricted role.
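
The bucket selection described in this summary, as an added example that is not the project's CI code: one function decides the bucket, the role and the download prefix together, so upload and publish steps cannot disagree, and it refuses inputs it does not recognise. The function names, the `is_patch` convention ("true" for patch builds, empty otherwise) and the placeholder role ARNs are assumptions; the bucket name and URL prefixes are taken from the comments above.

```shell
#!/bin/sh
# Added example. Inputs (assumed, Evergreen-style):
#   $1 = project identifier
#   $2 = is_patch: "true" for patch builds, empty for commit or tag builds
# Role ARNs are placeholders; the page does not give the real ones.
RESTRICTED_ROLE='arn:aws:iam::000000000000:role/PLACEHOLDER-restricted'
DEFAULT_ROLE='arn:aws:iam::000000000000:role/PLACEHOLDER-less-restricted'

# Sets upload_bucket, upload_role and package_url_prefix from one decision.
select_upload_target() {
    project=$1
    is_patch=$2
    # Fail closed: an unexpected flag value must not silently pick a bucket.
    case "$is_patch" in
        true|'') ;;
        *) echo "unexpected is_patch value: $is_patch" >&2; return 2 ;;
    esac
    if [ "$project" = 'libmongocrypt-release' ] && [ -z "$is_patch" ]; then
        # Release project, commit or tag build: restricted bucket and role.
        upload_bucket='cdn-origin-libmongocrypt'
        upload_role=$RESTRICTED_ROLE
        package_url_prefix='https://downloads.mongodb.org'
    else
        # Any other project, or any patch build: less-restricted bucket.
        upload_bucket='mciuploads'
        upload_role=$DEFAULT_ROLE
        package_url_prefix='https://mciuploads.s3.amazonaws.com'
    fi
}

# Prints the decision on one line: bucket, role, download prefix.
describe_upload_target() {
    select_upload_target "$1" "$2" || return
    printf '%s %s %s\n' "$upload_bucket" "$upload_role" "$package_url_prefix"
}
```

A patch build of the release project resolves to `mciuploads` for both the upload and the download prefix, which a check on the project name alone would not give.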