From 5bbc38aa3088653efabf7ee8133547e8a0e9ec19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= <nicki@isc.org>
Date: Tue, 25 Mar 2025 16:51:24 +0100
Subject: [PATCH] Allow pushing branches and tags to customer git repos

For pipelines in the private repository, add an optional manual job,
which allows the current branch to be pushed into the specified
customer's git repository. This can be useful to provide patch previews
for early testing.

For tags created in a private repository, add a manual job which pushes
the created tag to all entitled customers.

(cherry picked from commit 378b412e94a40ee74ab5c9edfb3a2059612a59ff)
---
 .gitlab-ci.yml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0f5d86ad76..48ecddbf5f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1591,6 +1591,47 @@ sign:
   when: manual
   allow_failure: false
 
+.customer-git: &customer_git
+  <<: *base_image
+  stage: release
+  when: manual
+  variables:  # ensure clean git environment and sufficient history
+    GIT_STRATEGY: clone
+    GIT_DEPTH: 1000
+
+# To trigger this job and push a branch to a customer, you must set the
+# CUSTOMER job variable by clicking on the manual job (not the play button) and
+# set it to the name of the target customer.
+customer-git:branch:
+  <<: *customer_git
+  needs: []
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "merge_request_event"'
+      variables:
+        BRANCH: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME'
+    - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE =~ /^(api|pipeline|trigger|web)$/'
+      variables:
+        BRANCH: '$CI_COMMIT_BRANCH'
+  before_script:
+    - test -n "$CUSTOMER"
+    - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
+  script:
+    - git checkout -b "$BRANCH"  # ensure refs/heads/$BRANCH exists; GitLab clones with detached HEAD
+    - bind9-qa/releng/push_to_customer_repository.py --branch "$BRANCH" --customer "$CUSTOMER" --force
+
+customer-git:tag:
+  <<: *customer_git
+  needs:
+    - job: release
+      artifacts: false
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_COMMIT_TAG != null'
+  before_script:
+    - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
+    - git clone --depth 1 "https://token:${ISC_CUSTOMERS_WRITE_TOKEN}@gitlab.isc.org/isc-customers/isc-customer-settings.git"
+  script:
+    - bind9-qa/releng/push_to_customer_repository.py --tag "$CI_COMMIT_TAG" --entitlements isc-customer-settings/entitlements.yaml --force
+
 # Coverity Scan analysis upload
 
 .coverity_prep: &coverity_prep