diff options
Diffstat (limited to 'debian/salsa-ci.yml')
-rw-r--r-- | debian/salsa-ci.yml | 340 |
1 files changed, 340 insertions, 0 deletions
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 000000000..70bb09378 --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,340 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + +variables: + RELEASE: 'bookworm' + # Make that build quicker + SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '-Ppkg.linux.quick' + # We have to bump the version in source preparation, not later + SALSA_CI_DISABLE_VERSION_BUMP: 'true' + # Currently broken in quick build + DEBIAN_KERNEL_DISABLE_INSTALLER: 'true' + # Output is limited to 4 MiB total, so use 'terse'. + # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is + # a bit faster. + DEB_BUILD_OPTIONS: 'terse parallel=4' + +# Add stages for signed packages +stages: + - provisioning + - build + - publish + - test + - sign-code + - build-signed + - test-signed + +# The common Salsa CI pipeline relies on keeping the unpacked source +# as an artifact, but in our case this is far too large for the +# current limits on Salsa (salsa-ci-team/pipeline#195). So we +# redefine the source extraction and build steps to use packed source. + +# Our modified extract-source and build jobs + +extract-source: + stage: provisioning + image: $SALSA_CI_IMAGES_BASE + cache: + key: "orig-${RELEASE}" + paths: + - orig + extends: + - .artifacts-default-expire + except: + variables: + - $CI_COMMIT_TAG != null + script: + # Move cache to where genorig.py and orig target want it + - mkdir -p orig + - rm -rf ../orig + - mv orig ../orig + + # Install dependencies of gencontrol.py, genorig.py, and debian/rules orig + - apt-get update + - | + eatmydata apt-get install --no-install-recommends -y \ + debhelper \ + git \ + gpg \ + gpgv \ + kernel-wedge \ + python3 \ + python3-debian \ + python3-jinja2 \ + quilt \ + rsync + + - version=$(dpkg-parsechangelog -SVersion) + - upstream_version=$(echo $version | sed 's/-[^-]*$//') + + # Merge upstream source. We could use origtargz to download a + # tarball fom the archive if available or run uscan if not, but + # uscan is currently excessively slow for us (bug #1003251). + - | + if [ -f ../orig/linux_${upstream_version}.orig.tar.xz ]; then + ln -s orig/linux_${upstream_version}.orig.tar.xz .. + else + debian/bin/genorig.py https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git + fi + - debian/rules orig + + # Fudge source version and distribution *before* gencontrol.py + - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog + - version=${version}+salsaci + + # Change trusted signing certificate to the one we will use + - | + sed -i -e 's|^trusted-certs:.*|trusted-certs: debian/certs/ci-test-sign/ci-test-sign.pem|' \ + debian/config/defines + + # Run gencontrol.py + # - create temporary log + - log="$(mktemp)" + # - invoke debian/control-real rule and log output + - | + rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$? + - cat "$log" + # - check for success message and error code + - test $rc = 2 + - grep -q 'been generated SUCCESSFULLY' "$log" + + # Put packed source in artifacts + - dpkg-buildpackage -uc -us -S -sa -d + - mkdir -p ${WORKING_DIR} + - cp ../orig/linux_${upstream_version}.orig.tar.xz ${WORKING_DIR} + - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR} + + # Move cache back to where GitLab wants it. Only include + # tarballs, not unpacked source. + - mkdir orig + - mv ../orig/*.tar.xz orig + +build: + stage: build + timeout: 3 hours + image: $SALSA_CI_IMAGES_BASE + cache: + key: "build-${BUILD_ARCH}_${HOST_ARCH}" + paths: + - .ccache + extends: + - .artifacts-default-expire + except: + variables: + - $CI_COMMIT_TAG != null + variables: + CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache + CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache + DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS} + DB_BUILD_TYPE: full + artifacts: + exclude: + - ${WORKING_DIR}/${SOURCE_DIR}/**/* + script: + # Unpack the source + - | + apt-get update && eatmydata apt-get install --no-install-recommends -y \ + dpkg-dev + - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR} + + # Do the same as the common .build-definition script + - !reference [.build-before-script] + - !reference [.build-script] + - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR} + dependencies: + - extract-source + +# The folllowing jobs are the standard tests, excluding any that +# require building again + +lintian: + extends: .test-lintian + +autopkgtest: + extends: .test-autopkgtest + +blhc: + extends: .test-blhc + +piuparts: + extends: .test-piuparts + +missing-breaks: + extends: .test-missing-breaks + +rc-bugs: + extends: .test-rc-bugs + +# Python static checkers + +python-static: + stage: test + image: $SALSA_CI_IMAGES_BASE + except: + variables: + - $CI_COMMIT_TAG != null + script: + - | + apt-get update && eatmydata apt-get install --no-install-recommends -y \ + python3 pycodestyle pyflakes3 + + # Check Python modules under debian/lib and Python scripts under + # debian/bin or debian/rules.d. + - sources="$(mktemp)" + - find debian/lib/python -name '*.py' > "$sources" + - | + find debian/bin debian/rules.d -type f -perm /111 | + while read script; do + if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then + echo "$script" + fi + done \ + >> "$sources" + + # Run both checkers and coalesce their results rather than exiting + # on first failure + - pass=true + # Ignore E126,E226,W503 (ignored by default) and also E127,W291 which + # give false positives. + - | + xargs pycodestyle --max-line-length=100 --ignore E126,E127,E226,W291,W503 \ + < "$sources" || pass=false + - xargs pyflakes3 < "$sources" || pass=false + - $pass + needs: [] + +# kconfig static check + +kconfig-static: + stage: test + image: $SALSA_CI_IMAGES_BASE + except: + variables: + - $CI_COMMIT_TAG != null + script: + # Unpack source and apply featureset patches + - | + apt-get update && eatmydata apt-get install --no-install-recommends -y \ + debhelper dpkg-dev git python3 quilt + - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR} + - cd ${WORKING_DIR}/${SOURCE_DIR} + - debian/rules source + + # Fetch kernel-team repository + - kernel_team_dir="$(mktemp -d)" + - | + git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \ + "$kernel_team_dir" + + # Run process.py and treat any error output as a failure + - error_log="$(mktemp)" + - | + "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \ + || true + - | + if [ -s "$error_log" ]; then cat "$error_log"; false; fi + needs: + - job: extract-source + artifacts: true + +# Sign code with the test key and certificate, build and test that + +sign-code: + stage: sign-code + image: $SALSA_CI_IMAGES_BASE + extends: + - .artifacts-default-expire + except: + variables: + - $CI_COMMIT_TAG != null + script: + - | + apt-get update && eatmydata apt-get install --no-install-recommends -y \ + dpkg-dev git openssl python3 python3-debian sbsigntool \ + ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb + + # Fetch kernel-team repository + - kernel_team_dir="$(mktemp -d)" + - | + git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \ + "$kernel_team_dir" + + # Sign the code and build a source package + - | + "$kernel_team_dir"/scripts/debian-test-sign \ + ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \ + debian/certs/ci-test-sign/ci-test-sign-key.pem \ + debian/certs/ci-test-sign/ci-test-sign.pem + artifacts: + paths: + - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_* + needs: + - job: build + artifacts: true + +build-signed: + stage: build-signed + image: $SALSA_CI_IMAGES_BASE + extends: + - .artifacts-default-expire + except: + variables: + - $CI_COMMIT_TAG != null + variables: + SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '' + CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache + CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache + DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS} + DB_BUILD_TYPE: full + script: + # Unpack the source + - | + apt-get update && eatmydata apt-get install --no-install-recommends -y \ + dpkg-dev + - | + dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \ + ${WORKING_DIR}/${SOURCE_DIR} + + # Install build-dependencies produced by build job + - | + apt-get install --no-install-recommends -y \ + ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb \ + ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb \ + ${WORKING_DIR}/linux-support-*_all.deb + + # Do the same as the common .build-definition script + - !reference [.build-before-script] + - !reference [.build-script] + - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR} + artifacts: + # This should include the linux-signed source package, its binary + # packages, and (for piuparts) the versioned dependencies produced + # by the build job + paths: + - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_* + - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb + - ${WORKING_DIR}/linux-headers-*-common_*_all.deb + - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb + - ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb + - ${WORKING_DIR}/linux-compiler-*_${BUILD_ARCH}.deb + exclude: + - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb + needs: + - job: build + artifacts: true + - job: sign-code + artifacts: true + +lintian-signed: + extends: .test-lintian + stage: test-signed + needs: + - job: build-signed + artifacts: true + +piuparts-signed: + extends: .test-piuparts + stage: test-signed + needs: + - job: build-signed + artifacts: true |