.gitlab-ci.yml

stages:
  - build
  - test
  - publish
  - trigger_prep
  - trigger

include:
  - project: "Northern.tech/Mender/mendertesting"
    file: ".gitlab-ci-check-golang-lint.yml"
  - project: "Northern.tech/Mender/mendertesting"
    file: ".gitlab-ci-github-status-updates.yml"
  - project: "Northern.tech/Mender/mendertesting"
    file: ".gitlab-ci-check-commits.yml"
  - project: "Northern.tech/Mender/mendertesting"
    file: ".gitlab-ci-check-license.yml"

cache:
  paths:
    - /go/src/github.com
    - /go/src/golang.org
    - /go/src/google.golang.org
    - /go/src/gopkg.in

variables:
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_REPOSITORY: mendersoftware/mender-artifact
  S3_BUCKET_NAME: "mender"
  S3_BUCKET_PATH: "mender-artifact"
  DOCKER_BUILDKIT: 1

test:check-license-source:
  variables:
    LICENSE_HEADERS_IGNORE_FILES_REGEXP: './artifact/keyfactor/\(signer\|signer_test\)\.go'

build:docker:
  image: docker
  needs: []
  services:
    - docker:dind
  stage: build
  script:
    - docker build -t $DOCKER_REPOSITORY:pr .
    - docker save $DOCKER_REPOSITORY:pr > image.tar
  artifacts:
    expire_in: 2w
    paths:
      - image.tar
  tags:
    - gitlab-org-docker

build:make:
  image: docker
  needs: []
  services:
    - docker:dind
  before_script:
    - apk add --no-cache make
  stage: build
  script:
    - make build-natives-contained
  artifacts:
    expire_in: 2w
    paths:
      - mender-artifact-*
  tags:
    - mender-qa-worker-generic
  variables:
    # DinD setup in Mender CI runners
    DOCKER_HOST: "tcp://docker:2376"
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_TLS_VERIFY: "1"
    DOCKER_TLS_CERTDIR: "/certs"

build:coverage:
  stage: build
  image: docker
  needs: []
  services:
    - docker:dind
  before_script:
    - apk add --no-cache make
    - make instrument-binary-contained
  script:
    - make build-contained
    - mv mender-artifact mender-artifact-linux-coverage
  artifacts:
    expire_in: 2w
    paths:
      - mender-artifact-linux-coverage

test:smoketests:mac:
  stage: test
  image: docker
  needs:
    - job: build:make
      artifacts: true
  before_script:
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-darwin
  script:
    - touch test.txt
    - ./mender-artifact-darwin
    - ./mender-artifact-darwin --version
    - ./mender-artifact-darwin write module-image -t test -o test.mender -T script -n test -f test.txt
    - ./mender-artifact-darwin read test.mender
    - ./mender-artifact-darwin validate test.mender
    - ./mender-artifact-darwin write rootfs-image -t test -o test-rfs.mender -n test -f test.txt
    - ./mender-artifact-darwin read test-rfs.mender
    - ./mender-artifact-darwin validate test-rfs.mender
    - ./mender-artifact-darwin validate --key tests/data/ec.pem tests/data/a0-signed-nitro.mender
    - ./tests/test_compressions/test_supported_compressions.sh
    - make build
  tags:
    - mac-runner

test:smoketests:linux:
  stage: test
  image: debian:bullseye-slim
  needs:
    - job: build:make
      artifacts: true
  before_script:
    - apt-get update && apt-get install -q -y make liblzma-dev libssl-dev jq wget
    # yq no longer has a maintained debian repo so we fall back on the GitHub release as the source
    - wget -q https://github.com/mikefarah/yq/releases/download/v4.44.2/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux
  script:
    - touch test.txt
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh
    - ./mender-artifact-linux
    - ./mender-artifact-linux --version
    - ./mender-artifact-linux write module-image -t test -o test.mender -T script -n test -f test.txt
    - ./mender-artifact-linux read test.mender
    - ./mender-artifact-linux validate test.mender
    - ./mender-artifact-linux write rootfs-image -t test -o test-rfs.mender -n test -f test.txt
    - ./mender-artifact-linux read test-rfs.mender
    - ./mender-artifact-linux validate test-rfs.mender
    - ./mender-artifact-linux validate --key tests/data/ec.pem tests/data/a0-signed-nitro.mender
    - test $(./mender-artifact-linux read --no-progress test-rfs.mender | yq eval -o json | jq -r '."Mender Artifact".Name') == "test"
    - ./tests/test_compressions/test_supported_compressions.sh
    # QA-507: lock mender-artifact to OpenSSL 1.1
    - ldd ./mender-artifact-linux | grep libssl.so.1.1

test:coverage:linux:
  stage: test
  image: debian:bullseye-slim
  needs:
    - job: build:coverage
      artifacts: true
  variables:
    COVERAGE_FILE: coverage-linux-pkcs.txt
  before_script:
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh --setup
    - export TEST_MENDER_ARTIFACT_PATH=./mender-artifact-linux-coverage
  script:
    - ./tests/test_sign_with_hsm/test_sign_with_hsm.sh
  after_script:
    - set -- /tmp/coverage-artifact*.out
    - head -n 1 $1 > ${COVERAGE_FILE}
    - |
      for cover in $@; do
        tail -n +2 $cover >> ${COVERAGE_FILE}
      done
  artifacts:
    expire_in: 2w
    untracked: true
    paths:
      - ${COVERAGE_FILE}

.test:unit:
  stage: test
  image: golang:1.23-bullseye
  needs: []
  script:
    - make coverage
    - mv coverage.txt $CI_PROJECT_DIR/$COVERAGE_FILE
  artifacts:
    expire_in: 2w
    untracked: true
    paths:
      - $COVERAGE_FILE

test:unit:linux:
  extends: .test:unit
  variables:
    COVERAGE_FILE: coverage-linux.txt
  before_script:
    - apt-get update && apt-get install --quiet --assume-yes
      git make bash dosfstools e2fsprogs gcc mtools musl-dev parted xz-utils libssl-dev

test:unit:mac:
  extends: .test:unit
  variables:
    COVERAGE_FILE: coverage-mac.txt
    # This is needed because the host is reusing the workdir, it is not a Docker
    # runner.
    GIT_STRATEGY: clone
  tags:
    - mac-runner

# Test that we can build with the golang version of the oldest supported yocto LTS release
test:backwards-compatibility:
  image: golang:1.17.13-bullseye
  needs: []
  before_script:
    - apt-get update && apt-get install --quiet --assume-yes libssl-dev
  script:
    - go build

publish:tests:
  stage: publish
  image: golang:1.23
  needs:
    - job: test:unit:linux
      artifacts: true
    - job: test:unit:mac
      artifacts: true
    - job: test:coverage:linux
      artifacts: true
  variables:
    COVERALLS_WEBHOOK_URL: "https://coveralls.io/webhook"
    COVERALLS_RERUN_BUILD_URL: "https://coveralls.io/rerun_build"
  before_script:
    - go install github.com/mattn/goveralls@v0.0.12
    # Coveralls env variables:
    #  According to https://docs.coveralls.io/supported-ci-services
    #  we should set CI_NAME, CI_BUILD_NUMBER, etc. But according
    #  to goveralls source code (https://github.com/mattn/goveralls)
    #  many of these are not supported. Set CI_BRANCH, CI_PR_NUMBER,
    #  and pass few others as command line arguments.
    #  See also https://docs.coveralls.io/api-reference
    - export CI_BRANCH=${CI_COMMIT_BRANCH}
    - export CI_PR_NUMBER=${CI_COMMIT_BRANCH#pr_}
  script:
    - if [[ -f coverage-linux.txt && -f coverage-linux-pkcs.txt ]]; then tail -n +2 coverage-linux-pkcs.txt >> coverage-linux.txt; fi
    # Submit coverage from all platforms.
    - for PLATFORM in linux mac; do
    - goveralls
      -repotoken ${COVERALLS_TOKEN}
      -service gitlab-ci
      -jobid $CI_PIPELINE_ID
      -parallel
      -covermode set
      -flagname unittests:$PLATFORM
      -coverprofile coverage-$PLATFORM.txt
    - done
    # Finalize the report
    - 'curl -k ${COVERALLS_WEBHOOK_URL}?repo_token=${COVERALLS_TOKEN} -d "payload[build_num]=$CI_PIPELINE_ID&payload[status]=done"'
    - 'curl -k "${COVERALLS_RERUN_BUILD_URL}?repo_token=${COVERALLS_TOKEN}&build_num=${CI_PIPELINE_ID}"'

publish:s3:
  stage: publish
  image: debian:bookworm-slim
  needs:
    - job: build:make
      artifacts: true
    - job: test:smoketests:linux
    - job: test:smoketests:mac
  before_script:
    - apt update && apt install -yyq awscli
  script:
    - for bin in mender-artifact-darwin mender-artifact-linux mender-artifact-windows.exe; do
      platform=${bin#mender-artifact-};
      platform=${platform%.*};
      echo "Publishing ${CI_COMMIT_REF_NAME} version for ${platform} to S3";
      aws s3 cp ${bin}
      s3://$S3_BUCKET_NAME/$S3_BUCKET_PATH/${CI_COMMIT_REF_NAME}/${platform}/mender-artifact;
      aws s3api put-object-acl --acl public-read --bucket $S3_BUCKET_NAME
      --key $S3_BUCKET_PATH/${CI_COMMIT_REF_NAME}/${platform}/mender-artifact;
      done
  only:
    - /^(master|[0-9]+\.[0-9]+\.x)$/

generate-qa-trigger:
  image: python:alpine
  stage: trigger_prep
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^(master|[0-9]+\.[0-9]+\.x)$/'
    - if: '$CI_PIPELINE_SOURCE == "pipeline"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
  before_script:
    - apk add --no-cache git
    - pip3 install pyyaml
    - wget -q https://raw.githubusercontent.com/mendersoftware/mender-qa/master/scripts/generate_client_publish_job.py
  script:
    - python generate_client_publish_job.py --trigger ${CI_PROJECT_NAME} --version ${CI_COMMIT_REF_NAME} --filename gitlab-ci-client-qemu-publish-job.yml
  artifacts:
    paths:
      - gitlab-ci-client-qemu-publish-job.yml

trigger:mender-qa:
  stage: trigger
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^(master|[0-9]+\.[0-9]+\.x)$/'
    # the following is to prevent an endless loop of qa pipelines caused by downstream pipelines
    - if: '$CI_PIPELINE_SOURCE == "pipeline"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
  trigger:
    include:
      - artifact: gitlab-ci-client-qemu-publish-job.yml
        job: generate-qa-trigger