
Commit acecff7

authored
MONGOCRYPT-838 fix publish-packages tasks (#1137)
* add missing test
* condition permissions and visibility

There is no need to upload to mciuploads with private permissions. Private permissions prevent curator from accessing the mciuploads upload.
1 parent bd74ee7 commit acecff7

1 file changed

Lines changed: 43 additions & 37 deletions

File tree

.evergreen/config.yml

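--- a/.evergreen/config.yml
+++ b/.evergreen/config.yml
@@ -84,8 +84,8 @@ functions:
 skip_existing: true
 remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 - command: s3.put
@@ -94,8 +94,8 @@ functions:
 skip_existing: true
 remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 
@@ -144,8 +144,8 @@ functions:
 skip_existing: true
 remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-distro-packages.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt-distro-packages.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 optional: true
@@ -335,8 +335,8 @@ functions:
 local_file: release-files.tgz
 remote_file: 'libmongocrypt/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 content_type: ${content_type|application/gzip}
 display_name: Release Python files
 
@@ -389,8 +389,8 @@ functions:
 remote_file: 'libmongocrypt/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files-all.tar.gz'
 # The merged results are placed in the CDN bucket for releases
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 content_type: ${content_type|application/gzip}
 display_name: Release Python files all
 earthly:
@@ -446,8 +446,8 @@ functions:
 bucket: ${upload_bucket}
 content_type: application/json
 local_file: libmongocrypt/cyclonedx.augmented.sbom.json
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 remote_file: libmongocrypt/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/sbom/cyclonedx.augmented.sbom.json
 
 tasks:
@@ -654,8 +654,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/java/${revision}/libmongocrypt-java.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt-java.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 - command: s3.put
@@ -664,8 +664,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/java/${tag_upload_location}/libmongocrypt-java.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 optional: true
 display_name: 'libmongocrypt-java-${tag_upload_location}.tar.gz'
 local_file: 'libmongocrypt-java-${tag_upload_location}.tar.gz'
@@ -851,8 +851,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt-all.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 - command: s3.put
@@ -861,8 +861,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt-all.tar.gz'
 content_type: '${content_type|application/x-gzip}'
 - command: s3.put
@@ -871,8 +871,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release.
 display_name: 'libmongocrypt-all-${tag_upload_location}.tar.gz'
 local_file: 'libmongocrypt-all-${tag_upload_location}.tar.gz'
@@ -883,8 +883,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release.
 display_name: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz'
 local_file: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz'
@@ -895,8 +895,8 @@ tasks:
 skip_existing: true
 remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.tar.gz'
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release.
 display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz'
 local_file: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz'
@@ -981,8 +981,8 @@ tasks:
 remote_file: 'libmongocrypt/windows/latest_release/libmongocrypt${upload_suffix}.tar.gz'
 display_name: (Deprecated) libmongocrypt${upload_suffix}.tar.gz
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt_upload.tar.gz'
 content_type: 'application/x-gzip'
 - command: s3.put # Upload tarball for GitHub Release.
@@ -992,8 +992,8 @@ tasks:
 remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz'
 display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt_upload.tar.gz'
 content_type: 'application/x-gzip'
 - command: shell.exec
@@ -1013,8 +1013,8 @@ tasks:
 remote_file: 'libmongocrypt/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc'
 display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 local_file: 'libmongocrypt/libmongocrypt_upload.asc'
 content_type: 'application/pgp-signature'
 
@@ -1041,8 +1041,8 @@ tasks:
 local_file: deb.tar.gz
 remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages.tar.gz
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 content_type: ${content_type|application/x-gzip}
 display_name: "deb.tar.gz"
 allowed_requesters:
@@ -1075,8 +1075,8 @@ tasks:
 local_file: deb.tar.gz
 remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages-i386.tar.gz
 bucket: ${upload_bucket}
-permissions: private
-visibility: signed
+permissions: ${upload_permissions}
+visibility: ${upload_visibility}
 content_type: ${content_type|application/x-gzip}
 display_name: "deb.tar.gz"
 
@@ -1182,16 +1182,20 @@ pre:
 # If we are a non-patch build in the libmongocrypt-release project, we upload to a restricted
 # CDN S3 bucket. Otherwise, we upload to a less restricted bucket for convenience. The corresponding
 # role_arn_... values come from EVG project configuration variables stored on the EVG server
-if test "${is_patch}" = 'true' || "${project}" != 'libmongocrypt-release'; then
+if test "${is_patch}" = 'true' || test "${project}" != 'libmongocrypt-release'; then
 echo "Using upload bucket: mciuploads"
 echo "Uploads will be available to download at https://mciuploads.s3.amazonaws.com/<remote_file>"
 upload_bucket='mciuploads'
 upload_arn='${role_arn_for_mciuploads}'
+upload_permissions='public-read'
+upload_visibility='public'
 else
 echo "Using upload bucket: cdn-origin-libmongocrypt"
 echo "Uploads will be available to download at https://downloads.mongodb.org/<remote_file>"
 upload_bucket='cdn-origin-libmongocrypt'
 upload_arn='${role_arn_for_release}'
+upload_permissions='private'
+upload_visibility='signed'
 fi
 
 PROJECT_DIRECTORY="$(pwd)"
@@ -1206,6 +1210,8 @@ pre:
 project_directory: "$PROJECT_DIRECTORY"
 upload_bucket: "$upload_bucket"
 upload_arn: "$upload_arn"
+upload_permissions: "$upload_permissions"
+upload_visibility: "$upload_visibility"
 EOT
 - command: expansions.update
 params: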
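Review bot: The new `permissions: ${upload_permissions}` / `visibility: ${upload_visibility}` pairs (first in the hunk at line 84, and the same in the other seventeen s3.put hunks) carry no fallback, so any task that reaches an s3.put without the `pre` block having exported these expansions would render them empty rather than falling back to the old restrictive values; the file already uses Evergreen's default syntax on `content_type`, so the same form gives a fail-closed default: `permissions: ${upload_permissions|private}` and `visibility: ${upload_visibility|signed}`. Separately, the condition in the `pre:` hunk at line 1182 takes the `public-read`/`public` branch for patch builds of `libmongocrypt-release` as well, so patch-built artifacts uploaded by these tasks (including the `.asc` signature and the release-files tarballs) become world-readable on mciuploads; if that is intended, a comment on the `upload_permissions='public-read'` line such as `# mciuploads is a scratch bucket; public-read lets curator and reviewers fetch patch artifacts` would spare the next reader the question. The shell script in the `pre:` hunk starts and ends outside the hunk.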
