[gnome-build-meta/alatiera/push-gbm-repo] Try 1, pushing runtimes to a repo

[Jordan Petridis <jpetridis src gnome org>]

commit f1a62b719648ebc28edb1cf83959b26181b6d287
Author: Jordan Petridis <jpetridis gnome org>
Date:   Wed Sep 5 18:21:14 2018 +0300

    Try 1, pushing runtimes to a repo
    
    FIXME: Proper commit message

 .gitlab-ci.yml | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 7201d35..0def8cd 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,10 +6,15 @@ variables:
   BST: "bst --config build.conf --log-file logs/build.log --colors"
   BST_SHA: '301a393cb6499b3f869d74827a9e8dc61b97d00e' #  1.1.7
   BST_EXTERNAL_SHA: '1622d57dfbde94f6cee84e1d8dfd430c86040251' # 0.3.1
+  BST_RELEASES_SERVER_ADDRESS: 'gbm.gnome.org'
   FLATPAK_BRANCH: master
 
 stages:
   - build
+  - publish_x86_64
+  - publish_i586
+  - publish_aarch64
+  - publish_arm
 
 
 # Store all the downloaded git and ostree repos in the cache.
@@ -37,9 +42,27 @@ before_script:
   # and flatpak to export the flatpak runtimes
   - dnf install -y flatpak
 
+  # install gpg to sign the ostree artifacts
+  - dnf install -y gpg
+
   # Ensure the log directory exists
   - mkdir -p logs
 
+  # Create ~/.ssh for storing keys
+  - mkdir -p ~/.ssh
+
+  # Private key stored as a protected variable that allows pushing to
+  # gbm.gnome.org
+  # FIXME: Protect the key
+  - |
+    if [ -z "${GITLAB_SSH_KEY" ]; then
+        echo >&2 "Private key for gbm.gnome.org is not available."
+    else
+        echo "${GITLAB_SSH_KEY}" > ~/.ssh/id_rsa
+        chmod 600 ~/.ssh/id_rsa
+        ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
+    fi
+
   # Setup certificate for pushing to the cache
   - |
     if [ -n "$GITLAB_CAS_PUSH_CERT" ]; then
@@ -63,6 +86,13 @@ before_script:
   dependencies: []
   script:
     - ${BST} -o arch "${ARCH}" build --track-all core.bst flatpak-runtimes.bst
+
+    # Clone the gbm OSTree repo locally
+    - ostree init --repo=repo --mode=archive-z2
+    - ostree remote add --repo=repo origin "https://${BST_RELEASES_SERVER_ADDRESS}/repo/"; --no-gpg-verify
+    - ostree pull --repo=repo origin --mirror
+
+    # Build the runtimes
     - |
       mkdir runtimes
 
@@ -71,7 +101,14 @@ before_script:
         flatpak build-export --arch="${ARCH}" --files=files repo/ "runtimes/${runtime}" "${FLATPAK_BRANCH}"
       done
 
-    # TODO: push the resulting runtime to sdk.gnome.org
+    # push the resulting runtimes to gbm.gnome.org
+    # FIXME: Only push from protected branches
+    - export OSTREE_PUSH_SHA='9aa82b67325786a810653155b952a17b7ccc436a'
+    - git clone https://github.com/ssssam/ostree-push.git
+    - git -C ostree-push/ checkout "${OSTREE_PUSH_SHA}"
+    # Trust the host key of the release server.
+    - ssh-keyscan "${BST_RELEASES_SERVER_ADDRESS}" >> ~/.ssh/known_hosts
+    - ostree-push/ostree-push --repo=repo ssh://gbm@"${BST_RELEASES_SERVER_ADDRESS}"
 
   # Store all the downloaded git and ostree repos in the distributed cache.
   # This saves us fetching them from the different repos and further afield