Skip to content

[MONGOCRYPT-838] Switch the upload target bucket based on the project/patch status #1118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
vector-of-bool merged 1 commit into from
Feb 5, 2026
Merged

[MONGOCRYPT-838] Switch the upload target bucket based on the project/patch status #1118

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
116 changes: 55 additions & 61 deletions .evergreen/config.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,19 +80,17 @@ functions:
include: [./**]
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt.tar.gz'
content_type: '${content_type|application/x-gzip}'
Expand Down Expand Up @@ -138,10 +136,9 @@ functions:
include: [./**]
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${build_variant}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-distro-packages.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt-distro-packages.tar.gz'
content_type: '${content_type|application/x-gzip}'
Expand Down Expand Up @@ -224,10 +221,9 @@ functions:
"download tarball":
- command: s3.get
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${variant_name}/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
extract_to: all/${variant_name}

"setup packaging credentials":
Expand Down Expand Up @@ -323,11 +319,10 @@ functions:
- "*"
- command: s3.put
params:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
role_arn: ${upload_arn}
local_file: release-files.tgz
remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
content_type: ${content_type|application/gzip}
display_name: Release Python files
Expand Down Expand Up @@ -358,7 +353,7 @@ functions:
script: |
set -o xtrace
# Download all the release files.
aws s3 cp --recursive s3://mciuploads/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/
aws s3 cp --recursive s3://${upload_bucket}/${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/ release/
# Combine releases into one directory.
ls -la release/
mkdir releases
Expand All @@ -373,11 +368,10 @@ functions:
- "*"
- command: s3.put
params:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
role_arn: ${upload_arn}
local_file: release-files-all.tgz
remote_file: '${project}/python-release/${branch_name}/${libmongocrypt_s3_suffix}/${task_id}-${execution}-release-files-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
content_type: ${content_type|application/gzip}
display_name: Release Python files all
Expand Down Expand Up @@ -432,9 +426,8 @@ functions:
type: test
params:
display_name: Augmented SBOM
aws_key: ${aws_key}
aws_secret: ${aws_secret}
bucket: mciuploads
role_arn: ${upload_arn}
bucket: ${upload_bucket}
content_type: application/json
local_file: libmongocrypt/cyclonedx.augmented.sbom.json
permissions: public-read
Expand Down Expand Up @@ -636,19 +629,17 @@ tasks:
fi
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/java/${revision}/libmongocrypt-java.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt-java.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/java/${tag_upload_location}/libmongocrypt-java.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
optional: true
display_name: 'libmongocrypt-java-${tag_upload_location}.tar.gz'
Expand Down Expand Up @@ -831,50 +822,45 @@ tasks:
fi
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt-all.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/all/${branch_name}/${libmongocrypt_s3_suffix_copy}/libmongocrypt-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt-all.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/all/${tag_upload_location}/libmongocrypt-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for tagged release.
display_name: 'libmongocrypt-all-${tag_upload_location}.tar.gz'
local_file: 'libmongocrypt-all-${tag_upload_location}.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/all/latest/stable/libmongocrypt-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for stable release.
display_name: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz'
local_file: 'stable/libmongocrypt-all-${tag_upload_location}.tar.gz'
content_type: '${content_type|application/x-gzip}'
- command: s3.put
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/all/latest/unstable/libmongocrypt-all.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
optional: true # Do not fail task if `local_file` does not exist. `local_file` only exists for unstable release.
display_name: 'unstable/libmongocrypt-all-${tag_upload_location}.tar.gz'
Expand Down Expand Up @@ -927,10 +913,9 @@ tasks:
file: libmongocrypt/expansions.yml
- command: s3.get # Download Windows build.
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/windows-test/${branch_name}/${libmongocrypt_s3_suffix}/libmongocrypt.tar.gz'
bucket: mciuploads
bucket: ${upload_bucket}
extract_to: libmongocrypt_download
- command: shell.exec
params:
Expand All @@ -956,21 +941,19 @@ tasks:
# Documentation now refers to the GitHub release page, which includes the per-release tarball.
# The fixed URL upload is kept to avoid possibly breaking expectations. Consider removing in the future.
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: 'libmongocrypt/windows/latest_release/libmongocrypt${upload_suffix}.tar.gz'
display_name: (Deprecated) libmongocrypt${upload_suffix}.tar.gz
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt_upload.tar.gz'
content_type: 'application/x-gzip'
- command: s3.put # Upload tarball for GitHub Release.
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz'
display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.tar.gz
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt_upload.tar.gz'
content_type: 'application/x-gzip'
Expand All @@ -986,11 +969,10 @@ tasks:
args: --secret garasign_username=${garasign_username} --secret garasign_password=${garasign_password} +sign --file_to_sign=libmongocrypt_upload.tar.gz --output_file=libmongocrypt_upload.asc
- command: s3.put # Upload signature for GitHub Release.
params:
aws_key: '${aws_key}'
aws_secret: '${aws_secret}'
role_arn: ${upload_arn}
remote_file: '${project}/${build_variant}/${branch_name}/${revision}/${version_id}/libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc'
display_name: libmongocrypt-windows-x86_64-${libmongocrypt_release_version}.asc
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
local_file: 'libmongocrypt/libmongocrypt_upload.asc'
content_type: 'application/pgp-signature'
Expand All @@ -1013,11 +995,10 @@ tasks:
bash .evergreen/debian_package_build.sh --is-patch=${is_patch}
- command: s3.put
params:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
role_arn: ${upload_arn}
local_file: deb.tar.gz
remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages.tar.gz
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
content_type: ${content_type|application/x-gzip}
display_name: "deb.tar.gz"
Expand All @@ -1038,11 +1019,10 @@ tasks:
bash .evergreen/debian_package_build.sh --arch=i386 --is-patch=${is_patch}
- command: s3.put
params:
aws_key: ${aws_key}
aws_secret: ${aws_secret}
role_arn: ${upload_arn}
local_file: deb.tar.gz
remote_file: libmongocrypt/${branch_name}/${revision}/${version_id}/${build_id}/${execution}/debian-packages-i386.tar.gz
bucket: mciuploads
bucket: ${upload_bucket}
permissions: public-read
content_type: ${content_type|application/x-gzip}
display_name: "deb.tar.gz"
Expand Down Expand Up @@ -1138,15 +1118,29 @@ pre:
REMOTE_SUFFIX_COPY="latest-${branch_name}"
fi

# If we are a non-patch build in the libmongocrypt-release project, we upload to a restricted
# CDN S3 bucket. Otherwise, we upload to a less restricted bucket for convenience. The corresponding
# role_arn_... values come from EVG project configuration variables stored on the EVG server
if test "${is_patch}" = 'true' || "${project_name}" != 'libmongocrypt-release'; then
upload_bucket='mciuploads'
upload_arn='${role_arn_for_mciuploads}'
else
upload_bucket='cdn-origin-libmongocrypt'
upload_arn='${role_arn_for_release}'
fi

PROJECT_DIRECTORY="$(pwd)"
echo "libmongocrypt_s3_suffix: $REMOTE_SUFFIX"
echo "libmongocrypt_s3_suffix_copy: $REMOTE_SUFFIX_COPY"
echo "project_directory: $PROJECT_DIRECTORY"
echo "Upload S3 bucket: $upload_bucket"

cat <<EOT > expansion.yml
libmongocrypt_s3_suffix: "$REMOTE_SUFFIX"
libmongocrypt_s3_suffix_copy: "$REMOTE_SUFFIX_COPY"
project_directory: "$PROJECT_DIRECTORY"
upload_bucket: "$upload_bucket"
upload_arn: "$upload_arn"
EOT
- command: expansions.update
params:
Expand Down