ci: Make signing requirement explicit (#38995)

Instead of inferring whether to sign binaries, make it explicit, and fail rebuild jobs early if signing is required but cannot be accomplished.
2023-07-26 09:16:15 -06:00
parent 8bdfaf4ae5
commit 2c74b433aa
5 changed files with 53 additions and 9 deletions
--- a/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
+++ b/share/spack/gitlab/cloud_pipelines/.gitlab-ci.yml
@@ -67,6 +67,7 @@ default:
      variables:
        SPACK_PIPELINE_TYPE: "spack_protected_branch"
        SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}"
+        SPACK_REQUIRE_SIGNING: "True"
        AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
    - if: $CI_COMMIT_REF_NAME =~ /^releases\/v.*/
@@ -77,6 +78,7 @@ default:
        SPACK_COPY_BUILDCACHE: "s3://spack-binaries/${CI_COMMIT_REF_NAME}"
        SPACK_PRUNE_UNTOUCHED: "False"
        SPACK_PRUNE_UP_TO_DATE: "False"
+        SPACK_REQUIRE_SIGNING: "True"
        AWS_ACCESS_KEY_ID: ${PROTECTED_MIRRORS_AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${PROTECTED_MIRRORS_AWS_SECRET_ACCESS_KEY}
    - if: $CI_COMMIT_TAG =~ /^develop-[\d]{4}-[\d]{2}-[\d]{2}$/ || $CI_COMMIT_TAG =~ /^v.*/
@@ -797,6 +799,7 @@ deprecated-ci-build:
      when: always
      variables:
        SPACK_PIPELINE_TYPE: "spack_protected_branch"
+        SPACK_REQUIRE_SIGNING: "True"
    - if: $CI_COMMIT_REF_NAME =~ /^pr[\d]+_.*$/
      # Pipelines on PR branches rebuild only what's missing, and do extra pruning
      when: always