Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upload Rustup build artifacts to new S3 bucket #3909

Merged
merged 2 commits into from
Jul 9, 2024

Conversation

jdno
Copy link
Member

@jdno jdno commented Jun 25, 2024

We are implementing a new release process for Rustup, which changes slightly how build artifacts are uploaded. Going forward, every commit merged into master will produce a full set of release artifacts that will be stored in a new S3 bucket. The new bucket allows us to remove access for CI to the release bucket, which improves our security posture. And uploading every commit to master will make it easier to test new releases.

jdno added 2 commits June 20, 2024 11:03
We are refactoring the release process for Rustup, which includes a new
S3 bucket for build artifacts. In the new release process, every commit
to the default branch builds and uploads artifacts. When a new release
is cut, these pre-built artifacts get copied into the current S3 bucket
for further testing and distribution.

The artifacts are currently uploaded to both the old and new bucket to
maintain backwards compatibility while implementing the new process.
The GitHub Actions workflows that upload build artifacts to S3 have been
refactored to make use of OIDC to avoid long-lived authentication
tokens.
@jdno jdno requested a review from Mark-Simulacrum June 25, 2024 11:37
@jdno
Copy link
Member Author

jdno commented Jun 25, 2024

The tracking issue for the new release process and its work can be found here: rust-lang/simpleinfra#420

Copy link
Member

@rami3l rami3l left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot!

Copy link
Contributor

@djc djc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

ci/actions-templates/linux-builds-template.yaml Outdated Show resolved Hide resolved
@jdno
Copy link
Member Author

jdno commented Jul 9, 2024

Can I merge this and then iterate on the configuration if there are any issues?

@djc
Copy link
Contributor

djc commented Jul 9, 2024

Can I merge this and then iterate on the configuration if there are any issues?

Sounds good to me!

@jdno jdno added this pull request to the merge queue Jul 9, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jul 9, 2024
@jdno
Copy link
Member Author

jdno commented Jul 9, 2024

Hm, the merge queue build failed trying to fetch a base image from rust-lang/rust. This looks like a fluke, so I'm just gonna try again and see what happens... 🤷‍♂️

@jdno jdno added this pull request to the merge queue Jul 9, 2024
Merged via the queue into rust-lang:master with commit 556f7ee Jul 9, 2024
27 checks passed
@jdno jdno deleted the rustup-builds-bucket branch July 9, 2024 11:13
jdno added a commit to jdno/rust-rustup that referenced this pull request Jul 9, 2024
In rust-lang#3909, new steps were added to the GitHub Actions workflows that
upload the build artifacts to a new S3 bucket. Authentication is done
using short-lived tokens that are provisioned using OIDC. This scheme
requires additional permissions[^1], which have been granted to the
workflows.

[^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
jdno added a commit to jdno/rust-rustup that referenced this pull request Jul 9, 2024
In rust-lang#3909, new steps were added to the GitHub Actions workflows that
upload the build artifacts to a new S3 bucket. Authentication is done
using short-lived tokens that are provisioned using OIDC. This scheme
requires additional permissions[^1], which have been granted to the
workflows.

[^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
github-merge-queue bot pushed a commit that referenced this pull request Jul 9, 2024
In #3909, new steps were added to the GitHub Actions workflows that
upload the build artifacts to a new S3 bucket. Authentication is done
using short-lived tokens that are provisioned using OIDC. This scheme
requires additional permissions[^1], which have been granted to the
workflows.

[^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
jdno added a commit to jdno/rust-rustup that referenced this pull request Jul 9, 2024
We added steps to the GitHub Actions workflows in rust-lang#3909 to upload the
build artifacts for the `master` branch as well as for the `stable`
branch. But the scripts that prepare the `deploy/` directory were not
set to run on `master`, causing the builds to fail.
jdno added a commit to jdno/rust-rustup that referenced this pull request Jul 9, 2024
We added steps to the GitHub Actions workflows in rust-lang#3909 to upload the
build artifacts for the `master` branch as well as for the `stable`
branch. But the scripts that prepare the `deploy/` directory were not
set to run on `master`, causing the builds to fail.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants