
Change the S3 release index file generator

Tomasz Maczukin requested to merge change-s3-release-index-generation into master

What does this MR do?

Changes the S3 release index file generator to a shared tool (https://gitlab.com/gitlab-org/ci-cd/runner-tools/release-index-generator). This additionally implements GPG signing when proper variables are prepared for the project.

Why was this MR needed?

  1. We're using the same S3 release approach in at least three projects now: here, in the Autoscaler driver and in the newly created AWS Fargate driver. Each of the projects implements the scripting around preparing the index and checksums files from scratch. This is the first step to centralize this and remove duplications.

  2. Since we have an official GPG key for signing, let's sign the S3 release and follow the best practices. Thanks to this, users will be able to confirm that the downloaded binary/ZIP/package is the one that our CI Pipeline has generated (of course, as far as they trust our signing key).

Are there points in the code the reviewer needs to double check?

Please note that the GPG signing is controlled by the presence of specific environment variables. Because we're defining them in this project as protected ones, the S3 releases of development branches will have no signed checksums files, just as they don't have signed DEB/RPM packages right now.

Signing is done only for master and tagged releases.

Does this MR meet the acceptance criteria?

  • Documentation created/updated
  • Added tests for this feature/bug
  • In case of conflicts with master - branch was rebased

What are the relevant issue numbers?

Related to #6293

Closes #1787 (closed)

Edited by Tomasz Maczukin
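
The download check that a signed checksums file makes possible, as an added example that is not code from this merge request or from the release-index-generator tool. It assumes a `sha256sum`-style checksums file with a detached GPG signature beside it; that layout and every function name are assumptions, and it reports releases without a signature (such as development-branch builds) as `unsigned` rather than `verified`.

```python
import hashlib
import hmac
import os
import subprocess

def parse_checksums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank or malformed lines
        entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def signature_ok(checksums_path, sig_path):
    """True only if a detached signature exists and gpg accepts it."""
    if not os.path.isfile(sig_path):
        return False  # no signature published, nothing to verify against
    # gpg exits 0 for a good signature from ANY key in the keyring, so the
    # keyring used here must hold only the release key you decided to trust.
    result = subprocess.run(
        ["gpg", "--batch", "--verify", sig_path, checksums_path],
        capture_output=True)
    return result.returncode == 0

def artifact_ok(entries, name, data):
    """Compare the artifact's SHA-256 with its entry in the checksums file."""
    expected = entries.get(name)
    if expected is None:
        return False  # artifact not listed: treat as unverified
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

def verify_release(checksums_path, sig_path, artifact_path):
    """Return 'verified', 'unsigned' or 'mismatch' for one downloaded file."""
    with open(checksums_path, encoding="utf-8") as fh:
        entries = parse_checksums(fh.read())
    with open(artifact_path, "rb") as fh:
        data = fh.read()
    if not artifact_ok(entries, os.path.basename(artifact_path), data):
        return "mismatch"
    # A matching hash proves integrity only relative to the checksums file;
    # the signature is what ties that file to the signing key.
    return "verified" if signature_ok(checksums_path, sig_path) else "unsigned"
```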
