From e8c4f18de089f66a180f788e2564d6dc6701bab5 Mon Sep 17 00:00:00 2001
From: Patrice Arruda
Date: Fri, 7 Nov 2025 11:53:11 -0500
Subject: [PATCH] SERVER-104338: Publish the crypt packages. (#36486)
GitOrigin-RevId: aad7f731dec9ae80bab2fafceae5febaab88a057
---
.../tasks/compile_tasks.yml | 64 +++++++++++++++
evergreen/packages_crypt_publish.sh | 79 +++++++++++++++++++
2 files changed, 143 insertions(+)
create mode 100755 evergreen/packages_crypt_publish.sh
diff --git a/etc/evergreen_yml_components/tasks/compile_tasks.yml b/etc/evergreen_yml_components/tasks/compile_tasks.yml
index 3ca1a1dc096..6efca0cd692 100644
--- a/etc/evergreen_yml_components/tasks/compile_tasks.yml
+++ b/etc/evergreen_yml_components/tasks/compile_tasks.yml
@@ -1312,6 +1312,70 @@ tasks: - "SERVER-110427-${revision}" - "${MONGO_PR_BOT_APP_ID}" - "${MONGO_PR_BOT_PRIVATE_KEY}" + - name: publish_crypt_packages + run_on: rhel8.7-small + tags: + [ + "assigned_to_jira_team_devprod_build", + "incompatible_aubsan", + "incompatible_community", + "incompatible_development_variant", + "incompatible_mac", + "incompatible_tsan", + "incompatible_windows", + "publish_crypt", + "release_critical", + "requires_compile_variant", + ] + # This should prevent this task from running in patch builds, where we + # don't want to publish packages. + patchable: false + stepback: false + # Same dependencies as "push" below + depends_on: + - name: crypt_push + - name: crypt_lib_package + commands: + - command: manifest.load + - func: "git get project and add git tag" + - func: "get and apply version expansions" + - func: "f_expansions_write" + - func: "kill processes" + - func: "cleanup environment" + - func: "set up venv" + - func: "fetch packages" + - func: "f_expansions_write" + - func: "set up remote credentials" + vars: + aws_key_remote: ${repo_aws_key} + aws_secret_remote: ${repo_aws_secret} + - func: "set up notary client credentials" + - func: "f_expansions_write" + - command: subprocess.exec + params: + binary: bash + silent: true + args: + - "./src/evergreen/container_registry_login.sh" + - command: s3.get + params: + aws_key: ${aws_key} + aws_secret: ${aws_secret} + local_file: packages.tgz + remote_file: ${project}/${build_variant}/${revision}/artifacts/${build_id}-packages.tgz + bucket: mciuploads + - command: subprocess.exec + params: + binary: bash + env: + AWS_ACCESS_KEY_ID: ${upload_lock_access_key_id} + AWS_SECRET_ACCESS_KEY: ${upload_lock_secret_access_key} + UPLOAD_LOCK_IMAGE: ${upload_lock_image} + UPLOAD_BUCKET: ${upload_lock_bucket} + AWS_REGION: ${upload_lock_region} + EVERGREEN_TASK_ID: ${task_id} + args: + - "./src/evergreen/packages_crypt_publish.sh" ################################################ # Task Groups # 
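Review bot: `patchable: false` is the only thing keeping `publish_crypt_packages` out of patch builds, and its own comment says it "should" prevent that. Since the last `subprocess.exec` submits packages to the repo service, a second guard at the top of `packages_crypt_publish.sh` would make the intent enforceable, e.g. `if [[ "${is_patch}" == "true" ]]; then echo "refusing to publish from a patch build"; exit 1; fi` (assuming prelude.sh exposes the `is_patch` expansion, which is not visible here). The comment `# Same dependencies as "push" below` also looks copied from another task: the list that follows names `crypt_push` and `crypt_lib_package`, so `# Publish only after crypt_push and crypt_lib_package have finished` would describe it accurately.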
diff --git a/evergreen/packages_crypt_publish.sh b/evergreen/packages_crypt_publish.sh
new file mode 100755
index 00000000000..8977603cb7a
--- /dev/null
+++ b/evergreen/packages_crypt_publish.sh
@@ -0,0 +1,79 @@
+set -o errexit
+set -o verbose
+
+REMOVE_CONTENTS=()
+function cleanup() {
+ for content in "${REMOVE_CONTENTS[@]}"; do
+ rm -rf "${content}"
+ echo "Removed temporary content: ${content}"
+ done
+}
+
+source "$(dirname $(realpath ${BASH_SOURCE[0]}))"/prelude.sh
+
+function run_curator() {
+ local -r release_version="4e26080ba03fa83f6988be90d568ff60f69524ef"
+ local -r curator_url="http://boxes.10gen.com/build/curator/curator-dist-rhel70-${release_version}.tar.gz"
+ local -r curator_tgz_sha256="79b9f6258ef73c6142ae8c64fc8db34bc964b94de32cd93d70b2e782c495a828"
+
+ if ! curl --output /dev/null --silent --head --fail "${curator_url}"; then
+ echo "Curator URL is not reachable: ${curator_url}. Verify that the version exists."
+ exit 1
+ fi
+
+ local -r tmp_dir=$(mktemp -d)
+ REMOVE_CONTENTS+=("${tmp_dir}")
+ if ! curl --silent "${curator_url}" --output "${tmp_dir}/curator.tar.gz"; then
+ echo "Failed to download curator from ${curator_url}: $?"
+ exit 1
+ fi
+
+ local -r sha256sum=$(sha256sum --binary "${tmp_dir}/curator.tar.gz" | cut -d ' ' -f 1)
+ if [[ "${sha256sum}" != "${curator_tgz_sha256}" ]]; then
+ echo "Curator tarball file checksum does not match expected value: expected ${curator_tgz_sha256}, got ${sha256sum}"
+ exit 1
+ fi
+
+ if ! tar -xzf "${tmp_dir}/curator.tar.gz" -C "${tmp_dir}"; then
+ echo "Failed to extract curator tarball: $?"
+ exit 1
+ fi
+
+ if ! "${tmp_dir}/curator" $@; then
+ echo "Curator command failed: $?"
+ exit 1
+ fi
+}
+
+readonly CUR_DIR="$(pwd)"
+readonly packages_file="packages.tgz"
+
+podman run \
+ -v "${CUR_DIR}":"${CUR_DIR}" \
+ -w "${CUR_DIR}" \
+ --env-host \
+ ${UPLOAD_LOCK_IMAGE} \
+ -key=${version_id}/${build_id}/packages/${packages_file} -tag=task-id=${EVERGREEN_TASK_ID} ${packages_file}
+
+pushd "src" >&/dev/null
+
+pushd ..
+
+function trap_exit() {
+ echo "Cleaning up temporary files..."
+ cleanup
+ popd >&/dev/null
+}
+trap 'trap_exit' EXIT
+
+source ./notary_env.sh
+
+run_curator \
+ repo submit \
+ --service ${barque_url} \
+ --config ./etc/repo_config.yaml \
+ --distro ${packager_distro} \
+ --edition ${repo_edition} \
+ --version ${version} \
+ --arch ${packager_arch} \
+ --packages ${packages_file}
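Review bot: `podman run --env-host` hands the entire task environment to `${UPLOAD_LOCK_IMAGE}`, although the task's `env:` block only sets the upload-lock variables for this step; if the image needs just those, passing them by name (`--env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_REGION --env UPLOAD_BUCKET --env EVERGREEN_TASK_ID`) keeps anything else exported by prelude.sh out of the container. `set -o verbose` is still on when `source ./notary_env.sh` runs, and bash echoes each input line it reads, so if that file carries the notary credentials (its contents are not visible here) they would land in the task log; wrapping the source in `set +o verbose` / `set -o verbose` avoids that. In `run_curator`, `$?` inside `if ! cmd; then` is the status of the negated command and is always 0, so the three "failed: $?" messages never report the real exit code, and `$@` should be `"$@"` so arguments are not re-split.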