.gitlab-ci.yml
# Pipeline stages, in execution order.
stages:
  - build
  - test
  - publish
  - trigger_prep
  - trigger

# Shared job templates pulled from the mendertesting project.
# NOTE(review): no `ref:` is set on these includes, so every pipeline takes the
# templates from that project's default branch as it stands at run time.
# Pinning a tag or commit SHA would make the included jobs reproducible and
# keep a change in that project from silently altering this pipeline.
include:
  - project: 'Northern.tech/Mender/mendertesting'
    file: '.gitlab-ci-check-golang-lint.yml'
  - project: 'Northern.tech/Mender/mendertesting'
    file: '.gitlab-ci-github-status-updates.yml'
  - project: 'Northern.tech/Mender/mendertesting'
    file: '.gitlab-ci-check-commits.yml'
  - project: 'Northern.tech/Mender/mendertesting'
    file: '.gitlab-ci-check-license.yml'
# Go dependency directories shared between jobs.
# NOTE(review): these are absolute paths outside the project directory, and
# GitLab only caches paths under $CI_PROJECT_DIR -- confirm on the runners
# that this cache actually takes effect.
cache:
  paths:
    - /go/src/github.com
    - /go/src/golang.org
    - /go/src/google.golang.org
    - /go/src/gopkg.in

# Pipeline-wide defaults; individual jobs may override them.
variables:
  # Default Docker-in-Docker endpoint. Port 2375 is the daemon's plaintext
  # (non-TLS) port; build:make overrides this with the TLS endpoint on 2376.
  # NOTE(review): whether the plaintext endpoint is acceptable depends on how
  # the runner isolates the job network -- confirm, or move every dind job to
  # the TLS settings.
  DOCKER_HOST: 'tcp://docker:2375/'
  DOCKER_REPOSITORY: 'mendersoftware/mender-artifact'
  S3_BUCKET_NAME: 'mender'
  S3_BUCKET_PATH: 'mender-artifact'
  DOCKER_BUILDKIT: '1'
# Sets the ignore pattern for the license-header check: the keyfactor signer
# sources are excluded. The job body is not defined in this file; presumably
# it comes from the included .gitlab-ci-check-license.yml template.
test:check-license-source:
  variables:
    LICENSE_HEADERS_IGNORE_FILES_REGEXP: './artifact/keyfactor/\(signer\|signer_test\)\.go'
# Builds the container image and stores it as a tarball artifact for two weeks.
# No DOCKER_HOST override here, so the job uses the pipeline-wide value.
build:docker:
  stage: build
  image: docker
  services:
    - docker:dind
  tags:
    - gitlab-org-docker
  needs: []
  script:
    - docker build -t $DOCKER_REPOSITORY:pr .
    - docker save $DOCKER_REPOSITORY:pr > image.tar
  artifacts:
    expire_in: 2w
    paths:
      - image.tar
# Cross-builds the native binaries inside a container and keeps every
# mender-artifact-* file as an artifact for two weeks.
build:make:
  stage: build
  image: docker
  services:
    - docker:dind
  tags:
    - mender-qa-worker-generic
  needs: []
  variables:
    # DinD setup in Mender CI runners: TLS endpoint with client certificates
    # and certificate verification switched on.
    DOCKER_HOST: 'tcp://docker:2376'
    DOCKER_CERT_PATH: '/certs/client'
    DOCKER_TLS_VERIFY: '1'
    DOCKER_TLS_CERTDIR: '/certs'
  before_script:
    - apk add --no-cache make
  script:
    - make build-natives-contained
  artifacts:
    expire_in: 2w
    paths:
      - mender-artifact-*
# Builds a coverage-instrumented Linux binary and publishes it under a
# distinct name so the coverage test job can pick it up.
build:coverage:
  stage: build
  image: docker
  services:
    - docker:dind
  needs: []
  before_script:
    - apk add --no-cache make
    - make instrument-binary-contained
  script:
    - make build-contained
    # Rename so the artifact does not collide with the regular binaries.
    - mv mender-artifact mender-artifact-linux-coverage
  artifacts:
    expire_in: 2w
    paths:
      - mender-artifact-linux-coverage
# Smoke-tests the darwin binary from build:make on the mac runner: write,
# read and validate both artifact types, check a signed artifact against its
# key, run the compression tests, then confirm a native build works.
test:smoketests:mac:
  stage: test
  image: docker
  tags:
    - mac-runner
  needs:
    - job: build:make
      artifacts: true
  before_script:
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-darwin
  script:
    - touch test.txt
    - ./mender-artifact-darwin
    - ./mender-artifact-darwin --version
    - ./mender-artifact-darwin write module-image -t test -o test.mender -T script -n test -f test.txt
    - ./mender-artifact-darwin read test.mender
    - ./mender-artifact-darwin validate test.mender
    - ./mender-artifact-darwin write rootfs-image -t test -o test-rfs.mender -n test -f test.txt
    - ./mender-artifact-darwin read test-rfs.mender
    - ./mender-artifact-darwin validate test-rfs.mender
    # Signature verification of a pre-signed test artifact.
    - ./mender-artifact-darwin validate --key tests/data/ec.pem tests/data/a0-signed-nitro.mender
    - ./tests/test_compressions/test_supported_compressions.sh
    - make build
# Smoke-tests the Linux binary from build:make: HSM signing test, write/read/
# validate of both artifact types, signature check against a known key,
# compression tests, and a check of the linked OpenSSL version.
test:smoketests:linux:
  stage: test
  image: debian:bullseye-slim
  needs:
    - job: build:make
      artifacts: true
  before_script:
    - apt-get update && apt-get install -q -y make liblzma-dev libssl-dev jq wget
    # yq no longer has a maintained debian repo so we fall back on the GitHub release as the source
    # NOTE(review): the binary is installed to /usr/bin with no integrity
    # check. Comparing it against a SHA-256 recorded in this file (the value
    # is not available on this page) before the chmod would detect a swapped
    # or corrupted download.
    - wget -q https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux
  script:
    - touch test.txt
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh
    - ./mender-artifact-linux
    - ./mender-artifact-linux --version
    - ./mender-artifact-linux write module-image -t test -o test.mender -T script -n test -f test.txt
    - ./mender-artifact-linux read test.mender
    - ./mender-artifact-linux validate test.mender
    - ./mender-artifact-linux write rootfs-image -t test -o test-rfs.mender -n test -f test.txt
    - ./mender-artifact-linux read test-rfs.mender
    - ./mender-artifact-linux validate test-rfs.mender
    # Signature verification of a pre-signed test artifact.
    - ./mender-artifact-linux validate --key tests/data/ec.pem tests/data/a0-signed-nitro.mender
    # The artifact name reported by `read` must round-trip as "test".
    - test $(./mender-artifact-linux read --no-progress test-rfs.mender | yq eval -o json | jq -r '."Mender Artifact".Name') == "test"
    - ./tests/test_compressions/test_supported_compressions.sh
    # QA-507: lock mender-artifact to OpenSSL 1.1
    # grep exits non-zero, failing the job, if libssl.so.1.1 is not linked.
    - ldd ./mender-artifact-linux | grep libssl.so.1.1
# Runs the HSM signing test against the instrumented binary and merges the
# per-run coverage profiles from /tmp into a single file.
test:coverage:linux:
  stage: test
  image: debian:bullseye-slim
  variables:
    COVERAGE_FILE: 'coverage-linux-pkcs.txt'
  needs:
    - job: build:coverage
      artifacts: true
  before_script:
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux-coverage
  script:
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh
  after_script:
    # Load the profile paths into the positional parameters.
    - set -- /tmp/coverage-artifact*.out
    # Keep the header line of the first profile only ...
    - head -n 1 $1 > ${COVERAGE_FILE}
    # ... then append the body (everything after line 1) of every profile.
    - |
      for cover in $@; do
        tail -n +2 $cover >> ${COVERAGE_FILE}
      done
  artifacts:
    expire_in: 2w
    untracked: true
    paths:
      - '${COVERAGE_FILE}'
# Hidden template for the unit-test jobs. Jobs that extend it must set
# COVERAGE_FILE, the name under which the coverage profile is published.
.test:unit:
  stage: test
  image: golang:1.23-bullseye
  needs: []
  script:
    - make coverage
    - mv coverage.txt $CI_PROJECT_DIR/$COVERAGE_FILE
  artifacts:
    expire_in: 2w
    untracked: true
    paths:
      - '$COVERAGE_FILE'
# Unit tests on Linux; installs the system tools the tests need first.
test:unit:linux:
  extends: .test:unit
  variables:
    COVERAGE_FILE: 'coverage-linux.txt'
  before_script:
    # Folded scalar: the two lines below form a single shell command.
    - >-
      apt-get update && apt-get install --quiet --assume-yes
      git make bash dosfstools e2fsprogs gcc mtools musl-dev parted xz-utils libssl-dev
# Unit tests on the mac runner.
test:unit:mac:
  extends: .test:unit
  tags:
    - mac-runner
  variables:
    COVERAGE_FILE: 'coverage-mac.txt'
    # This is needed because the host is reusing the workdir, it is not a Docker
    # runner. A fresh clone keeps files left by an earlier job out of this run.
    GIT_STRATEGY: clone
# Test that we can build with the golang version of the oldest supported yocto LTS release
# (no `stage:` is given, so GitLab places the job in its default stage).
test:backwards-compatibility:
  image: golang:1.17.13-bullseye
  needs: []
  before_script:
    - apt-get update && apt-get install --quiet --assume-yes libssl-dev
  script:
    - go build
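# Uploads the coverage profiles from the unit-test and HSM coverage jobs to
# Coveralls, one parallel submission per platform, then closes the build.
publish:tests:
  stage: publish
  image: golang:1.23
  needs:
    - job: test:unit:linux
      artifacts: true
    - job: test:unit:mac
      artifacts: true
    - job: test:coverage:linux
      artifacts: true
  variables:
    COVERALLS_WEBHOOK_URL: "https://coveralls.io/webhook"
    COVERALLS_RERUN_BUILD_URL: "https://coveralls.io/rerun_build"
  before_script:
    # NOTE(review): the pinned module version is unreadable in this copy of the
    # file (the "@version" suffix was replaced by an e-mail obfuscation
    # marker). Restore the tag from the repository in place of the placeholder.
    - go install github.com/mattn/goveralls@VERSION_PLACEHOLDER
    # Coveralls env variables:
    #  According to https://docs.coveralls.io/supported-ci-services
    #  we should set CI_NAME, CI_BUILD_NUMBER, etc. But according
    #  to goveralls source code (https://github.com/mattn/goveralls)
    #  many of these are not supported. Set CI_BRANCH, CI_PR_NUMBER,
    #  and pass few others as command line arguments.
    #  See also https://docs.coveralls.io/api-reference
    - export CI_BRANCH=${CI_COMMIT_BRANCH}
    # Strips a leading "pr_" from the branch name to obtain the PR number.
    - export CI_PR_NUMBER=${CI_COMMIT_BRANCH#pr_}
  script:
    # Fold the HSM/PKCS coverage (minus its header line) into the Linux profile.
    - if [[ -f coverage-linux.txt && -f coverage-linux-pkcs.txt ]]; then tail -n +2 coverage-linux-pkcs.txt >> coverage-linux.txt; fi
    # Submit coverage from all platforms.
    - for PLATFORM in linux mac; do
    - >-
      goveralls
      -repotoken ${COVERALLS_TOKEN}
      -service gitlab-ci
      -jobid $CI_PIPELINE_ID
      -parallel
      -covermode set
      -flagname unittests:$PLATFORM
      -coverprofile coverage-$PLATFORM.txt
    - done
    # Finalize the report.
    # Certificate verification is left on (no `-k`): COVERALLS_TOKEN travels in
    # the request URL, so an unverified TLS peer could read the repo token.
    # The URLs are quoted so the shell passes them through untouched.
    - 'curl "${COVERALLS_WEBHOOK_URL}?repo_token=${COVERALLS_TOKEN}" -d "payload[build_num]=$CI_PIPELINE_ID&payload[status]=done"'
    - 'curl "${COVERALLS_RERUN_BUILD_URL}?repo_token=${COVERALLS_TOKEN}&build_num=${CI_PIPELINE_ID}"'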
# Publishes the binaries built by build:make to S3 for master and N.N.x
# release branches, once both smoke-test jobs have passed.
publish:s3:
  stage: publish
  image: debian:bookworm-slim
  only:
    - /^(master|[0-9]+\.[0-9]+\.x)$/
  needs:
    - job: build:make
      artifacts: true
    - job: test:smoketests:linux
    - job: test:smoketests:mac
  before_script:
    - apt update && apt install -yyq awscli
  script:
    # For each binary: derive the platform name (strip the "mender-artifact-"
    # prefix and any file extension), upload it, then set its object ACL.
    # NOTE(review): the ACL makes each object world-readable, and this job
    # publishes no checksum or signature next to the binaries -- consumers
    # have nothing to verify a download against. Confirm that is intended.
    - |
      for bin in mender-artifact-darwin mender-artifact-linux mender-artifact-windows.exe; do
        platform=${bin#mender-artifact-}
        platform=${platform%.*}
        echo "Publishing ${CI_COMMIT_REF_NAME} version for ${platform} to S3"
        aws s3 cp ${bin} \
          s3://$S3_BUCKET_NAME/$S3_BUCKET_PATH/${CI_COMMIT_REF_NAME}/${platform}/mender-artifact
        aws s3api put-object-acl --acl public-read --bucket $S3_BUCKET_NAME \
          --key $S3_BUCKET_PATH/${CI_COMMIT_REF_NAME}/${platform}/mender-artifact
      done
# Generates the child-pipeline definition that trigger:mender-qa includes.
generate-qa-trigger:
  stage: trigger_prep
  image: python:alpine
  # NOTE(review): GitLab stops at the first matching rule. The branch rule is
  # listed first, so the two `when: never` rules below cannot exclude a
  # pipeline on master or a release branch. Keep this list in step with
  # trigger:mender-qa, which consumes this job's artifact.
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^(master|[0-9]+\.[0-9]+\.x)$/'
    - if: '$CI_PIPELINE_SOURCE == "pipeline"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
  before_script:
    - apk add --no-cache git
    # NOTE(review): pyyaml is installed unpinned, and the generator script is
    # fetched from the tip of another repository's master branch and then
    # executed; its output becomes a pipeline definition. Pinning the package
    # version and the script's commit SHA would keep upstream changes from
    # reaching this pipeline unreviewed.
    - pip3 install pyyaml
    - wget -q https://raw.githubusercontent.com/mendersoftware/mender-qa/master/scripts/generate_client_publish_job.py
  script:
    - python generate_client_publish_job.py --trigger ${CI_PROJECT_NAME} --version ${CI_COMMIT_REF_NAME} --filename gitlab-ci-client-qemu-publish-job.yml
  artifacts:
    paths:
      - gitlab-ci-client-qemu-publish-job.yml
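# Starts the QA child pipeline from the definition generated by
# generate-qa-trigger, for master and N.N.x release branches only.
trigger:mender-qa:
  stage: trigger
  rules:
    # GitLab stops at the first matching rule, so the exclusions must come
    # before the branch rule; listed after it they never applied on the
    # branches that matter.
    # the following is to prevent an endless loop of qa pipelines caused by downstream pipelines
    - if: '$CI_PIPELINE_SOURCE == "pipeline"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH =~ /^(master|[0-9]+\.[0-9]+\.x)$/'
  trigger:
    include:
      - artifact: gitlab-ci-client-qemu-publish-job.yml
        job: generate-qa-trigger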