[MONGOCRYPT-838] Upload build artifacts to a restricted bucket on release branch builds#1126
This change replaces all references to the mciuploads bucket in the CI configuration file with a template expansion that conditionally refers to an alternate bucket in certain scenarios. This templating also sets the role_arn for S3 operations based on the same conditions.
Need to be addressed: Some scripts still download (via HTTP) from the
I also expect the "publish packages" function needs to update the URL. Possibly with an addition:

```sh
if [ "${project}" = 'libmongocrypt-release' ]; then
    package_url_prefix="https://downloads.mongodb.org"
else
    package_url_prefix="https://mciuploads.s3.amazonaws.com"
fi
```

That runs on every mainline commit. So I expect that would need to be updated before cherry-picking to avoid failures in the publish-packages tasks.
kevinAlbs left a comment
LGTM with a comment removal.
| - command: s3.put | ||
| params: | ||
| role_arn: ${upload_arn} | ||
| # The upload of this component uses the less restricted bucket because it is only |
Remove out-dated comment since this was updated to use ${upload_bucket}.
Let's try this again. Refer: MONGOCRYPT-838
Summary
This changeset does the following:
- S3 uploads are made with `permissions: private` and `visibility: signed`.
- For builds on projects other than `libmongocrypt-release`, or any build that is a patch, artifacts are transmitted in the `mciuploads` bucket using a less-restricted role for that bucket.
- For `libmongocrypt-release` commit or tag builds, artifacts are transmitted and posted in the `cnd-origin-libmongocrypt` bucket using a restricted role.
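The bucket/role selection described in this summary, together with the check for leftover hard-coded download URLs raised in the review thread, as an added example that is not the PR's or libmongocrypt's own CI code. It assumes the Evergreen expansions `${project}` and `${is_patch}` are passed in as arguments; the role ARNs are placeholders, since the PR does not show them.

```shell
#!/bin/sh
# Added example, not code from the PR or from libmongocrypt's CI config.
# Assumes ${project} and ${is_patch} arrive as arguments; role ARNs are placeholders.

# Print "<bucket> <role_arn> <download_url_prefix>" for one build.
# Only commit/tag builds of libmongocrypt-release get the restricted bucket;
# patch builds and every other project stay on the less-restricted mciuploads.
select_upload_target() {
    project="$1"
    is_patch="$2"   # "true" for patch builds, anything else otherwise
    if [ "$project" = "libmongocrypt-release" ] && [ "$is_patch" != "true" ]; then
        printf '%s %s %s\n' cnd-origin-libmongocrypt \
            'arn:aws:iam::000000000000:role/PLACEHOLDER-restricted' \
            'https://downloads.mongodb.org'
    else
        printf '%s %s %s\n' mciuploads \
            'arn:aws:iam::000000000000:role/PLACEHOLDER-less-restricted' \
            'https://mciuploads.s3.amazonaws.com'
    fi
}

# List non-comment lines of a CI config that still hard-code the mciuploads
# bucket (as a bucket name or inside a download URL) instead of going through
# the ${upload_bucket} expansion. Returns 1 if any exist, so it can gate a cherry-pick.
find_stale_bucket_refs() {
    stale=$(grep -n 'mciuploads' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true)
    if [ -n "$stale" ]; then
        printf 'stale mciuploads references in %s:\n%s\n' "$1" "$stale"
        return 1
    fi
    return 0
}

# Constructed sample config: one templated upload and one stale download URL.
sample_config=$(mktemp)
cat > "$sample_config" <<'EOF'
- command: s3.put
  params:
    role_arn: ${upload_arn}
    bucket: ${upload_bucket}
# the next line is the kind of leftover the review flagged
curl -sSfL https://mciuploads.s3.amazonaws.com/libmongocrypt/${build_id}/all.tar.gz
EOF
select_upload_target libmongocrypt-release false
select_upload_target libmongocrypt-release true
find_stale_bucket_refs "$sample_config" || echo 'fix these before cherry-picking'
rm -f "$sample_config"
```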