path: root/debian/salsa-ci.yml
blob: 70bb0937876bde260ce3a73ade09964b43488200 (plain)
# Pull in the shared Salsa CI pipeline: the hidden templates (.test-*,
# .build-*, .artifacts-default-expire) used below are not defined in this
# file and are expected to come from it.
# NOTE(review): the URL tracks the moving `master` branch, so the scripts
# that run in these jobs change whenever that branch changes.  Pinning the
# include to a reviewed commit would make runs reproducible, at the cost
# of manual updates.
include:
  - remote: 'https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml'

variables:
  # Release name; used below in the extract-source cache key
  # ("orig-${RELEASE}").  Presumably also read by the included pipeline.
  RELEASE: 'bookworm'
  # Make that build quicker: select the pkg.linux.quick build profile.
  # The build job copies this value into DB_BUILD_PARAM; build-signed
  # overrides it with an empty string.
  SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '-Ppkg.linux.quick'
  # We have to bump the version in source preparation, not later
  # (extract-source appends "+salsaci" to the changelog version itself).
  SALSA_CI_DISABLE_VERSION_BUMP: 'true'
  # Currently broken in quick build
  DEBIAN_KERNEL_DISABLE_INSTALLER: 'true'
  # Output is limited to 4 MiB total, so use 'terse'.
  # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is
  # a bit faster.
  DEB_BUILD_OPTIONS: 'terse parallel=4'

# Add stages for signed packages: sign-code, build-signed and test-signed
# are used by the signing jobs further down.  A top-level `stages` list
# replaces the one from the included file, so every stage that any job
# uses has to be listed here.
stages:
  - provisioning
  - build
  - publish
  - test
  - sign-code
  - build-signed
  - test-signed

# The common Salsa CI pipeline relies on keeping the unpacked source
# as an artifact, but in our case this is far too large for the
# current limits on Salsa (salsa-ci-team/pipeline#195).  So we
# redefine the source extraction and build steps to use packed source.

# Our modified extract-source and build jobs

# Prepare a packed source package (.dsc, .debian.tar.xz, .orig.tar.xz) in
# ${WORKING_DIR} so that later jobs can unpack it themselves.
extract-source:
  stage: provisioning
  image: $SALSA_CI_IMAGES_BASE
  # Upstream tarballs are cached per release so they are not regenerated
  # on every run.
  cache:
    key: "orig-${RELEASE}"
    paths:
      - orig
  extends:
    - .artifacts-default-expire
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Move cache to where genorig.py and orig target want it
    - mkdir -p orig
    - rm -rf ../orig
    - mv orig ../orig

    # Install dependencies of gencontrol.py, genorig.py, and debian/rules orig
    - apt-get update
    - |
      eatmydata apt-get install --no-install-recommends -y \
        debhelper \
        git \
        gpg \
        gpgv \
        kernel-wedge \
        python3 \
        python3-debian \
        python3-jinja2 \
        quilt \
        rsync

    # Full package version from debian/changelog, and the same with the
    # Debian revision (everything after the last '-') stripped.
    - version=$(dpkg-parsechangelog -SVersion)
    - upstream_version=$(echo $version | sed 's/-[^-]*$//')

    # Merge upstream source.  We could use origtargz to download a
    # tarball from the archive if available or run uscan if not, but
    # uscan is currently excessively slow for us (bug #1003251).
    # NOTE(review): a tarball found in the cache is reused as-is, so the
    # runner cache is trusted input here.  Otherwise the tree is fetched
    # from git.kernel.org over HTTPS; whether genorig.py verifies a tag
    # signature (gpg/gpgv are installed above) is not visible in this
    # file -- confirm.
    - |
      if [ -f ../orig/linux_${upstream_version}.orig.tar.xz ]; then
          ln -s orig/linux_${upstream_version}.orig.tar.xz ..
      else
          debian/bin/genorig.py https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
      fi
    - debian/rules orig

    # Fudge source version and distribution *before* gencontrol.py
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci

    # Change trusted signing certificate to the one we will use.
    # The replacement is the CI test certificate kept in this repository,
    # so packages built by this pipeline trust a test-only certificate
    # and are suitable for testing only.
    - |
      sed -i -e 's|^trusted-certs:.*|trusted-certs: debian/certs/ci-test-sign/ci-test-sign.pem|' \
        debian/config/defines

    # Run gencontrol.py
    # - create temporary log
    - log="$(mktemp)"
    # - invoke debian/control-real rule and log output
    - |
      rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$?
    - cat "$log"
    # - check for success message and error code: the job only continues
    #   when the rule exited with status 2 *and* printed the success
    #   message, so status 2 is the expected outcome here
    - test $rc = 2
    - grep -q 'been generated SUCCESSFULLY' "$log"

    # Put packed source in artifacts.  The source-only build is unsigned
    # (-uc -us), includes the orig tarball (-sa) and skips the
    # build-dependency check (-d).
    - dpkg-buildpackage -uc -us -S -sa -d
    - mkdir -p ${WORKING_DIR}
    - cp ../orig/linux_${upstream_version}.orig.tar.xz ${WORKING_DIR}
    - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR}

    # Move cache back to where GitLab wants it.  Only include
    # tarballs, not unpacked source.
    - mkdir orig
    - mv ../orig/*.tar.xz orig

# Build the binary packages from the packed source produced by
# extract-source.
build:
  stage: build
  timeout: 3 hours
  image: $SALSA_CI_IMAGES_BASE
  # Compiler cache, kept separately per build/host architecture pair.
  cache:
    key: "build-${BUILD_ARCH}_${HOST_ARCH}"
    paths:
      - .ccache
  extends:
    - .artifacts-default-expire
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    # CCACHE_TMP_DIR lies outside the project directory; the last script
    # step moves it to CCACHE_WORK_DIR, which is the cached .ccache path.
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  artifacts:
    # Keep the unpacked source tree out of the artifacts (too large, see
    # the note about packed source above extract-source).
    exclude:
      - ${WORKING_DIR}/${SOURCE_DIR}/**/*
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}

    # Do the same as the common .build-definition script.  Both referenced
    # script blocks are defined outside this file, so what runs here is
    # whatever the included pipeline currently provides.
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  # Fetch the packed source artifacts from extract-source.
  dependencies:
    - extract-source

# The following jobs are the standard tests, excluding any that
# require building again

# Each job below only extends a hidden test template.  The templates are
# not defined in this file; they are expected to come from the included
# Salsa CI pipeline.

lintian:
  extends: .test-lintian

autopkgtest:
  extends: .test-autopkgtest

blhc:
  extends: .test-blhc

piuparts:
  extends: .test-piuparts

missing-breaks:
  extends: .test-missing-breaks

rc-bugs:
  extends: .test-rc-bugs

# Python static checkers

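# Run pycodestyle and pyflakes3 over the packaging's Python code.  The job
# works on the repository checkout only, so it needs no artifacts.
python-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        python3 pycodestyle pyflakes3

    # Check Python modules under debian/lib and Python scripts under
    # debian/bin or debian/rules.d.
    - sources="$(mktemp)"
    - find debian/lib/python -name '*.py' > "$sources"
    # Executable files count as Python scripts when their first line is a
    # shebang mentioning python.  Names are read with "IFS= read -r" and
    # written with printf so that backslashes and leading or trailing
    # blanks in a file name reach the list unchanged.
    - |
      find debian/bin debian/rules.d -type f -perm /111 |
          while IFS= read -r script; do
              if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then
                  printf '%s\n' "$script"
              fi
          done \
          >> "$sources"

    # Run both checkers and coalesce their results rather than exiting
    # on first failure
    - pass=true
    # Ignore E126,E226,W503 (ignored by default) and also E127,W291 which
    # give false positives.
    # xargs -d '\n' takes one file name per line literally, without
    # splitting on blanks or interpreting quotes and backslashes.
    - |
      xargs -d '\n' pycodestyle --max-line-length=100 --ignore E126,E127,E226,W291,W503 \
        < "$sources" || pass=false
    - xargs -d '\n' pyflakes3 < "$sources" || pass=false
    # The job fails here if either checker reported a problem.
    - $pass
  # No dependencies on earlier jobs: start as soon as the pipeline does.
  needs: []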

# kconfig static check

# Check the kernel configuration files with the kernel-team's
# kconfigeditor2 tool, run against the unpacked and patched source.
kconfig-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Unpack source and apply featureset patches
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        debhelper dpkg-dev git python3 quilt
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    - cd ${WORKING_DIR}/${SOURCE_DIR}
    - debian/rules source

    # Fetch kernel-team repository
    # NOTE(review): this clones the tip of the default branch and then
    # executes a script from it, so the checker code is not pinned to a
    # reviewed revision; a change in that repository changes what runs
    # here.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Run process.py and treat any error output as a failure.
    # The exit status is deliberately discarded ("|| true"); only a
    # non-empty stderr log fails the job.
    # NOTE(review): a non-zero exit with nothing on stderr would pass.
    - error_log="$(mktemp)"
    - |
      "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \
      || true
    - |
      if [ -s "$error_log" ]; then cat "$error_log"; false; fi
  # Only the packed source from extract-source is needed, not the build.
  needs:
    - job: extract-source
      artifacts: true

# Sign code with the test key and certificate, build and test that

# Sign the output of the build job with the CI test key and produce the
# linux-signed source package for build-signed.
sign-code:
  stage: sign-code
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Install the signing tools plus the linux-kbuild package that the
    # build job left in ${WORKING_DIR}.
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev git openssl python3 python3-debian sbsigntool \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb

    # Fetch kernel-team repository
    # NOTE(review): the signing script is taken from the tip of the
    # default branch, not from a pinned revision, and its output becomes
    # an artifact that build-signed consumes.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Sign the code and build a source package.
    # The key and certificate are files in this repository
    # (debian/certs/ci-test-sign/), so the key is not a secret: signatures
    # made here say nothing about origin, and the certificate must only
    # ever be trusted by test builds such as this pipeline's.
    - |
      "$kernel_team_dir"/scripts/debian-test-sign \
        ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \
        debian/certs/ci-test-sign/ci-test-sign-key.pem \
        debian/certs/ci-test-sign/ci-test-sign.pem
  artifacts:
    # Only the generated linux-signed files are passed on.
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
  needs:
    - job: build
      artifacts: true

# Build the linux-signed source package produced by sign-code, using the
# unsigned packages from the build job as build-dependencies.
build-signed:
  stage: build-signed
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Not run for tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    # Override the global value: the pkg.linux.quick profile is not
    # passed to this build.
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS: ''
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - |
      dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \
        ${WORKING_DIR}/${SOURCE_DIR}

    # Install build-dependencies produced by build job.  These are local
    # .deb files taken from this pipeline's artifacts, not from the
    # archive.
    - |
      apt-get install --no-install-recommends -y \
        ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-support-*_all.deb

    # Do the same as the common .build-definition script.  Both referenced
    # script blocks are defined outside this file.
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  artifacts:
    # This should include the linux-signed source package, its binary
    # packages, and (for piuparts) the versioned dependencies produced
    # by the build job
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
      - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*-common_*_all.deb
      - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-compiler-*_${BUILD_ARCH}.deb
    # The unsigned image packages match the linux-image-* pattern above
    # and are dropped again here.
    exclude:
      - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb
  needs:
    - job: build
      artifacts: true
    - job: sign-code
      artifacts: true

# Re-run two of the standard tests against the signed packages.  Both
# jobs reuse a hidden test template (not defined in this file), move it
# to the test-signed stage and take their input from build-signed.

lintian-signed:
  stage: test-signed
  extends: .test-lintian
  needs:
    - job: build-signed
      artifacts: true

piuparts-signed:
  stage: test-signed
  extends: .test-piuparts
  needs:
    - job: build-signed
      artifacts: true