# Pull in the shared Salsa CI pipeline definition.
# NOTE(review): the URL points at the 'master' branch, so the content is
# whatever that branch holds when the pipeline runs.  A change there
# alters this pipeline without any commit in this repository; pinning
# the include to a reviewed tag or commit would make runs reproducible.
include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
# Pipeline-wide settings.  The build-signed job below overrides
# SALSA_CI_DPKG_BUILDPACKAGE_ARGS for its own build.
variables:
  RELEASE: 'bookworm'
  # Make that build quicker
  SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '-Ppkg.linux.quick'
  # We have to bump the version in source preparation, not later
  SALSA_CI_DISABLE_VERSION_BUMP: 'true'
  # Currently broken in quick build
  DEBIAN_KERNEL_DISABLE_INSTALLER: 'true'
  # Output is limited to 4 MiB total, so use 'terse'.
  # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is
  # a bit faster.
  DEB_BUILD_OPTIONS: 'terse parallel=4'
# Add stages for signed packages.
# The last three stages (sign-code, build-signed, test-signed) are used
# by the sign-code, build-signed, lintian-signed and piuparts-signed
# jobs defined in this file.
stages:
  - provisioning
  - build
  - publish
  - test
  - sign-code
  - build-signed
  - test-signed
# The common Salsa CI pipeline relies on keeping the unpacked source
# as an artifact, but in our case this is far too large for the
# current limits on Salsa (salsa-ci-team/pipeline#195).  So we
# redefine the source extraction and build steps to use packed source.

# Our modified extract-source and build jobs

# extract-source: obtain the upstream tarball, generate the packaging
# control files and publish a packed source package (.dsc, .debian.tar.xz
# and .orig.tar.xz) in ${WORKING_DIR} for the later jobs.
extract-source:
  stage: provisioning
  image: $SALSA_CI_IMAGES_BASE
  # Upstream tarballs are cached per release so they are not regenerated
  # on every run.
  cache:
    key: "orig-${RELEASE}"
    paths:
      - orig
  extends:
    - .artifacts-default-expire
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Move cache to where genorig.py and orig target want it
    - mkdir -p orig
    - rm -rf ../orig
    - mv orig ../orig
    # Install dependencies of gencontrol.py, genorig.py, and debian/rules orig
    - apt-get update
    - |
      eatmydata apt-get install --no-install-recommends -y \
        debhelper \
        git \
        gpg \
        gpgv \
        kernel-wedge \
        python3 \
        python3-debian \
        python3-jinja2 \
        quilt \
        rsync
    # Full package version from debian/changelog, and the same version
    # with the final '-<revision>' component stripped.
    - version=$(dpkg-parsechangelog -SVersion)
    - upstream_version=$(echo $version | sed 's/-[^-]*$//')
    # Merge upstream source.  We could use origtargz to download a
    # tarball from the archive if available or run uscan if not, but
    # uscan is currently excessively slow for us (bug #1003251).
    # NOTE(review): a cached tarball is reused as-is when present;
    # otherwise genorig.py builds one from the stable git repository.
    # Nothing visible in this job checks the tarball against a known
    # hash or signature - confirm whether genorig.py does.
    - |
      if [ -f ../orig/linux_${upstream_version}.orig.tar.xz ]; then
        ln -s orig/linux_${upstream_version}.orig.tar.xz ..
      else
        debian/bin/genorig.py https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
      fi
    - debian/rules orig
    # Fudge source version and distribution *before* gencontrol.py
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci
    # Change trusted signing certificate to the one we will use.
    # NOTE(review): the sign-code job reads the matching private key
    # from debian/certs/ci-test-sign/ci-test-sign-key.pem, so that key
    # is not a secret.  Kernels built by this pipeline trust a test
    # certificate and should not be used outside CI.
    - |
      sed -i -e 's|^trusted-certs:.*|trusted-certs: debian/certs/ci-test-sign/ci-test-sign.pem|' \
        debian/config/defines
    # Run gencontrol.py
    # - create temporary log
    - log="$(mktemp)"
    # - invoke debian/control-real rule and log output
    #   ('|| rc=$?' records the exit status without failing the job here)
    - |
      rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$?
    - cat "$log"
    # - check for success message and error code
    #   Both are required: exit status exactly 2 and the success message.
    #   Presumably the rule stops with an error on purpose after
    #   regenerating the files - confirm in debian/rules.
    - test $rc = 2
    - grep -q 'been generated SUCCESSFULLY' "$log"
    # Put packed source in artifacts
    - dpkg-buildpackage -uc -us -S -sa -d
    - mkdir -p ${WORKING_DIR}
    - cp ../orig/linux_${upstream_version}.orig.tar.xz ${WORKING_DIR}
    - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR}
    # Move cache back to where GitLab wants it.  Only include
    # tarballs, not unpacked source.
    - mkdir orig
    - mv ../orig/*.tar.xz orig
# build: unpack the packed source produced by extract-source and run the
# common Salsa CI build steps on it.
build:
  stage: build
  timeout: 3 hours
  image: $SALSA_CI_IMAGES_BASE
  # Keep the compiler cache between runs, one cache per architecture pair.
  cache:
    key: "build-${BUILD_ARCH}_${HOST_ARCH}"
    paths:
      - .ccache
  extends:
    - .artifacts-default-expire
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    # ccache is used from outside the project directory and moved back
    # into it by the last script step, where the cache definition above
    # looks for it.
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  # Do not upload the unpacked source tree as an artifact.
  artifacts:
    exclude:
      - ${WORKING_DIR}/${SOURCE_DIR}/**/*
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    # Do the same as the common .build-definition script.
    # These two script fragments are not defined in this file; presumably
    # they come from the included salsa-ci.yml.
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  # Fetch the artifacts (packed source) of extract-source.
  dependencies:
    - extract-source
# The following jobs are the standard tests, excluding any that
# require building again.
# Each job only extends a hidden .test-* template and adds nothing of
# its own.  The templates are not defined in this file; presumably they
# come from the included salsa-ci.yml.
lintian:
  extends: .test-lintian

autopkgtest:
  extends: .test-autopkgtest

blhc:
  extends: .test-blhc

piuparts:
  extends: .test-piuparts

missing-breaks:
  extends: .test-missing-breaks

rc-bugs:
  extends: .test-rc-bugs
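# Python static checkers
# Runs pycodestyle and pyflakes3 over the packaging's own Python code.
# The job needs no artifacts from other jobs (needs: []).
python-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        python3 pycodestyle pyflakes3
    # Check Python modules under debian/lib and Python scripts under
    # debian/bin or debian/rules.d.
    - sources="$(mktemp)"
    - find debian/lib/python -name '*.py' > "$sources"
    # Executable files count as Python scripts when their first line is
    # a '#!' line mentioning python (awk exits on the first line either
    # way).  'IFS= read -r' keeps backslashes and leading or trailing
    # blanks in file names intact, which a plain 'read' would alter.
    - |
      find debian/bin debian/rules.d -type f -perm /111 |
        while IFS= read -r script; do
          if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then
            echo "$script"
          fi
        done \
        >> "$sources"
    # Run both checkers and coalesce their results rather than exiting
    # on first failure
    - pass=true
    # Ignore E126,E226,W503 (ignored by default) and also E127,W291 which
    # give false positives.
    - |
      xargs pycodestyle --max-line-length=100 --ignore E126,E127,E226,W291,W503 \
        < "$sources" || pass=false
    - xargs pyflakes3 < "$sources" || pass=false
    # Runs 'true' or 'false', which sets the job result.
    - $pass
  needs: []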
# kconfig static check
# Runs the kernel-team kconfigeditor2 process.py over the unpacked,
# patched source and fails if it writes anything to stderr.
kconfig-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Unpack source and apply featureset patches
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        debhelper dpkg-dev git python3 quilt
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    - cd ${WORKING_DIR}/${SOURCE_DIR}
    - debian/rules source
    # Fetch kernel-team repository.
    # NOTE(review): this clones the tip of the default branch and the
    # job then executes a script from it.  The code that runs is not
    # pinned to a commit, so a change in that repository changes what
    # this job executes.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"
    # Run process.py and treat any error output as a failure.
    # The exit status is deliberately ignored ('|| true'); only a
    # non-empty stderr log fails the job.
    - error_log="$(mktemp)"
    - |
      "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \
        || true
    - |
      if [ -s "$error_log" ]; then cat "$error_log"; false; fi
  # Only the packed source from extract-source is needed.
  needs:
    - job: extract-source
      artifacts: true
# Sign code with the test key and certificate, build and test that
#
# sign-code: run the kernel-team debian-test-sign script on the .changes
# file from the build job and keep the resulting linux-signed-* files.
# NOTE(review): the key and certificate paths are relative to the job's
# working directory, presumably the project checkout.  If so, the
# private key is readable by anyone who can read the repository, and the
# signatures made here prove nothing outside this CI pipeline.
sign-code:
  stage: sign-code
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Install the signing tools together with a linux-kbuild .deb taken
    # from ${WORKING_DIR} (artifacts of the build job, see 'needs').
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev git openssl python3 python3-debian sbsigntool \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb
    # Fetch kernel-team repository.
    # NOTE(review): this clones the tip of the default branch and the
    # job then executes a script from it.  The signing script is not
    # pinned to a commit, so a change in that repository changes what
    # this job executes.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"
    # Sign the code and build a source package
    - |
      "$kernel_team_dir"/scripts/debian-test-sign \
        ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \
        debian/certs/ci-test-sign/ci-test-sign-key.pem \
        debian/certs/ci-test-sign/ci-test-sign.pem
  artifacts:
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
  needs:
    - job: build
      artifacts: true
# build-signed: build the linux-signed source package produced by
# sign-code, using binary packages from the build job as
# build-dependencies.
build-signed:
  stage: build-signed
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Skip this job in tag pipelines.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    # Override the pipeline-wide '-Ppkg.linux.quick' with no extra
    # dpkg-buildpackage arguments for this build.
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS: ''
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - |
      dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \
        ${WORKING_DIR}/${SOURCE_DIR}
    # Install build-dependencies produced by build job.
    # These are local .deb files taken from this pipeline's artifacts.
    - |
      apt-get install --no-install-recommends -y \
        ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-support-*_all.deb
    # Do the same as the common .build-definition script.
    # These two script fragments are not defined in this file; presumably
    # they come from the included salsa-ci.yml.
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  artifacts:
    # This should include the linux-signed source package, its binary
    # packages, and (for piuparts) the versioned dependencies produced
    # by the build job
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
      - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*-common_*_all.deb
      - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-compiler-*_${BUILD_ARCH}.deb
    # The unsigned image matches the linux-image-* pattern above, so it
    # is excluded explicitly.
    exclude:
      - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb
  needs:
    - job: build
      artifacts: true
    - job: sign-code
      artifacts: true
# Run the lintian and piuparts test templates again in the test-signed
# stage, this time on the artifacts of build-signed.
lintian-signed:
  extends: .test-lintian
  stage: test-signed
  needs:
    - job: build-signed
      artifacts: true

piuparts-signed:
  extends: .test-piuparts
  stage: test-signed
  needs:
    - job: build-signed
      artifacts: true