Create and push rust-lang/rust tags for new stable releases

We could consider expanding this to beta's as well (or even nightly), but for
now this matches what the normal release process does well enough. It also won't
currently do anything in production (we need to configure the
PROMOTE_RELEASE_REPOSITORY with push credentials and PROMOTE_RELEASE_PUSH_TAGS),
but will still exercise the tag creation, which is good.

Code is intended to be somewhat extensible so that we can add Cargo tagging
pretty easily.

Author: Mark-Simulacrum

Cargo.lock

@@ -22,6 +22,8 @@ rayon = "1.4.0"
 sha2 = "0.10"
 hex = "0.4.2"
 pgp = "0.8"
+rsa = "0.6"
+base64 = "0.13"
 chrono = "0.4.19"
 git2 = "0.14"
 tempfile = "3.1.0"

Cargo.toml

@@ -1,3 +1,4 @@
+use crate::github::Github;
 use crate::Context;
 use anyhow::{Context as _, Error};
 use std::env::VarError;
@@ -103,6 +104,28 @@ pub(crate) struct Config {
     /// Whether to skip invalidating the CloudFront distributions. This is useful when running the
     /// release process locally, without access to the production AWS account.
     pub(crate) skip_cloudfront_invalidations: bool,
+
+    /// Where to tag stable rustc releases.
+    ///
+    /// This repository should have content write permissions with the github
+    /// app configuration.
+    ///
+    /// Should be a org/repo code, e.g., rust-lang/rust.
+    pub(crate) rustc_tag_repository: Option<String>,
+
+    /// This is a github app private key, used for the release steps which
+    /// require action on GitHub (e.g., kicking off a new thanks GHA build,
+    /// opening pull requests against the blog for dev releases, promoting
+    /// branches). Not all of this is implemented yet but it's all going to use
+    /// tokens retrieved from the github app here.
+    ///
+    /// Currently this isn't really exercised in CI, but that might change in
+    /// the future with a github app scoped to a 'fake' org or something like
+    /// that.
+    pub(crate) github_app_key: Option<String>,
+
+    /// The app ID associated with the private key being passed.
+    pub(crate) github_app_id: Option<u32>,
 }
 
 impl Config {
@@ -127,8 +150,19 @@ impl Config {
             storage_class: default_env("UPLOAD_STORAGE_CLASS", "INTELLIGENT_TIERING".into())?,
             upload_dir: require_env("UPLOAD_DIR")?,
             wip_recompress: bool_env("WIP_RECOMPRESS")?,
+            rustc_tag_repository: maybe_env("RUSTC_TAG_REPOSITORY")?,
+            github_app_key: maybe_env("GITHUB_APP_KEY")?,
+            github_app_id: maybe_env("GITHUB_APP_ID")?,
         })
     }
+
+    pub(crate) fn github(&self) -> Option<Github> {
+        if let (Some(key), Some(id)) = (&self.github_app_key, self.github_app_id) {
+            Some(Github::new(key, id))
+        } else {
+            None
+        }
+    }
 }
 
 fn maybe_env<R>(name: &str) -> Result<Option<R>, Error>

src/config.rs

@@ -0,0 +1,235 @@
+use anyhow::Context;
+use curl::easy::Easy;
+use rsa::pkcs1::DecodeRsaPrivateKey;
+use sha2::Digest;
+use std::time::SystemTime;
+
+pub(crate) struct Github {
+    key: rsa::RsaPrivateKey,
+    id: u32,
+    client: Easy,
+}
+
+pub(crate) struct RepositoryClient<'a> {
+    github: &'a mut Github,
+    repo: String,
+    token: String,
+}
+
+impl Github {
+    pub(crate) fn new(key: &str, id: u32) -> Github {
+        Github {
+            key: rsa::RsaPrivateKey::from_pkcs1_pem(key).unwrap(),
+            id,
+            client: Easy::new(),
+        }
+    }
+
+    fn jwt(&self) -> String {
+        let now = SystemTime::now()
+            .duration_since(SystemTime::UNIX_EPOCH)
+            .unwrap()
+            .as_secs();
+        let payload = serde_json::json! {{
+            "iat": now - 10,
+            "exp": now + 60,
+            "iss": self.id,
+        }};
+        let header = r#"{"alg":"RS256","typ":"JWT"}"#;
+        let payload = serde_json::to_string(&payload).unwrap();
+
+        let encoding = base64::URL_SAFE_NO_PAD;
+        let signature = self
+            .key
+            .sign(
+                rsa::padding::PaddingScheme::PKCS1v15Sign {
+                    hash: Some(rsa::hash::Hash::SHA2_256),
+                },
+                &sha2::Sha256::new()
+                    .chain_update(format!(
+                        "{}.{}",
+                        base64::encode_config(&header, encoding),
+                        base64::encode_config(&payload, encoding),
+                    ))
+                    .finalize(),
+            )
+            .unwrap();
+        format!(
+            "{}.{}.{}",
+            base64::encode_config(&header, encoding),
+            base64::encode_config(&payload, encoding),
+            base64::encode_config(&signature, encoding),
+        )
+    }
+
+    fn start_jwt_request(&mut self) -> anyhow::Result<()> {
+        self.client.reset();
+        let mut headers = curl::easy::List::new();
+        headers.append(&format!("Authorization: Bearer {}", self.jwt()))?;
+        self.client.http_headers(headers)?;
+        Ok(())
+    }
+
+    pub(crate) fn token(&mut self, repository: &str) -> anyhow::Result<RepositoryClient<'_>> {
+        self.start_jwt_request()?;
+        self.client.get(true)?;
+        self.client.url(&format!(
+            "https://api.github.com/repos/{}/installation",
+            repository
+        ))?;
+        #[derive(serde::Deserialize)]
+        struct InstallationResponse {
+            id: u32,
+        }
+        let installation_id = send_request::<InstallationResponse>(&mut self.client)?.id;
+
+        self.start_jwt_request()?;
+        self.client.post(true)?;
+        self.client.url(&format!(
+            "https://api.github.com/app/installations/{installation_id}/access_tokens"
+        ))?;
+        #[derive(serde::Deserialize)]
+        struct TokenResponse {
+            token: String,
+        }
+        let token = send_request::<TokenResponse>(&mut self.client)?.token;
+        Ok(RepositoryClient {
+            github: self,
+            repo: repository.to_owned(),
+            token,
+        })
+    }
+}
+
+impl RepositoryClient<'_> {
+    fn start_new_request(&mut self) -> anyhow::Result<()> {
+        self.github.client.reset();
+        let mut headers = curl::easy::List::new();
+        headers.append(&format!("Authorization: token {}", self.token))?;
+        self.github.client.http_headers(headers)?;
+        Ok(())
+    }
+
+    pub(crate) fn tag(&mut self, tag: CreateTag<'_>) -> anyhow::Result<()> {
+        #[derive(serde::Deserialize)]
+        struct CreatedTag {
+            sha: String,
+        }
+        self.start_new_request()?;
+        self.github.client.post(true)?;
+        self.github.client.url(&format!(
+            "https://api.github.com/repos/{repository}/git/tags",
+            repository = self.repo,
+        ))?;
+        let created = send_request_body::<CreatedTag, _>(
+            &mut self.github.client,
+            CreateTagInternal {
+                tag: tag.tag_name,
+                message: tag.message,
+                object: tag.commit,
+                type_: "commit",
+                tagger: CreateTagTaggerInternal {
+                    name: tag.tagger_name,
+                    email: tag.tagger_email,
+                },
+            },
+        )?;
+
+        // This mostly exists to make sure the request is successful rather than
+        // really checking the created ref (which we already know).
+        #[derive(serde::Deserialize)]
+        struct CreatedTagRef {
+            #[serde(rename = "ref")]
+            #[allow(unused)]
+            ref_: String,
+        }
+        self.start_new_request()?;
+        self.github.client.post(true)?;
+        self.github.client.url(&format!(
+            "https://api.github.com/repos/{repository}/git/refs",
+            repository = self.repo,
+        ))?;
+        send_request_body::<CreatedTagRef, _>(
+            &mut self.github.client,
+            CreateRefInternal {
+                ref_: &format!("refs/tags/{}", tag.tag_name),
+                sha: &created.sha,
+            },
+        )?;
+
+        Ok(())
+    }
+}
+
+#[derive(Copy, Clone)]
+pub(crate) struct CreateTag<'a> {
+    pub(crate) commit: &'a str,
+    pub(crate) tag_name: &'a str,
+    pub(crate) message: &'a str,
+    pub(crate) tagger_name: &'a str,
+    pub(crate) tagger_email: &'a str,
+}
+
+#[derive(serde::Serialize)]
+struct CreateTagInternal<'a> {
+    tag: &'a str,
+    message: &'a str,
+    /// sha of the object being tagged
+    object: &'a str,
+    #[serde(rename = "type")]
+    type_: &'a str,
+    tagger: CreateTagTaggerInternal<'a>,
+}
+
+#[derive(serde::Serialize)]
+struct CreateTagTaggerInternal<'a> {
+    name: &'a str,
+    email: &'a str,
+}
+
+#[derive(serde::Serialize)]
+struct CreateRefInternal<'a> {
+    #[serde(rename = "ref")]
+    ref_: &'a str,
+    sha: &'a str,
+}
+
+fn send_request_body<T: serde::de::DeserializeOwned, S: serde::Serialize>(
+    client: &mut Easy,
+    body: S,
+) -> anyhow::Result<T> {
+    use std::io::Read;
+    client.useragent("rust-lang/promote-release").unwrap();
+    let mut response = Vec::new();
+    let body = serde_json::to_vec(&body).unwrap();
+    {
+        let mut transfer = client.transfer();
+        let mut body = &body[..];
+        // The unwrap in the read_function is basically guaranteed to not
+        // happen: reading into a slice can't fail. We can't use `?` since the
+        // return type inside transfer isn't compatible with io::Error.
+        transfer.read_function(move |dest| Ok(body.read(dest).unwrap()))?;
+        transfer.write_function(|new_data| {
+            response.extend_from_slice(new_data);
+            Ok(new_data.len())
+        })?;
+        transfer.perform()?;
+    }
+    serde_json::from_slice(&response)
+        .with_context(|| format!("{}", String::from_utf8_lossy(&response)))
+}
+
+fn send_request<T: serde::de::DeserializeOwned>(client: &mut Easy) -> anyhow::Result<T> {
+    client.useragent("rust-lang/promote-release").unwrap();
+    let mut response = Vec::new();
+    {
+        let mut transfer = client.transfer();
+        transfer.write_function(|new_data| {
+            response.extend_from_slice(new_data);
+            Ok(new_data.len())
+        })?;
+        transfer.perform()?;
+    }
+    serde_json::from_slice(&response)
+        .with_context(|| format!("{}", String::from_utf8_lossy(&response)))
+}