path: root/debian/salsa-ci.yml
blob: 0562e1d59f3c2b9b23588366b2fd43157ba20a12 (plain)
# Pull in the shared Salsa CI pipeline definition.  The URL follows the
# `master` branch of salsa-ci-team/pipeline rather than a fixed commit, so
# the templates and scripts inherited by the jobs below change whenever
# that branch changes.  Pin the URL to a reviewed ref if the pipeline has
# to be reproducible or its definition auditable.
include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml

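# Pipeline-wide variables.  Every value is written as a quoted string so
# that no YAML parser retypes it.
variables:
  RELEASE: 'unstable'
  # Make that build quicker
  DEB_BUILD_PROFILES: 'pkg.linux.quick'
  # We have to bump the version in source preparation, not later
  SALSA_CI_DISABLE_VERSION_BUMP: 'true'
  # Currently broken in quick build
  DEBIAN_KERNEL_DISABLE_INSTALLER: 'true'
  # Output is limited to 4 MiB total, so use 'terse'.
  # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is
  # a bit faster.
  DEB_BUILD_OPTIONS: 'terse parallel=4'
  # The build-arm64 rules skip that job only when this is 1, yes or true,
  # so '0' leaves it enabled.
  DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64: '0'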

# Stage list for this pipeline, in execution order.  sign-code and
# build-signed are the stages added for signed packages; they sit between
# publish and test.
stages:
  - provisioning
  - build
  - publish
  - sign-code
  - build-signed
  - test

# The common Salsa CI pipeline relies on keeping the unpacked source
# as an artifact, but in our case this is far too large for the
# current limits on Salsa (salsa-ci-team/pipeline#195).  So we
# redefine the source extraction and build steps to use packed source.

# Our modified extract-source and build jobs

# Build the packed Debian source package (.dsc, .debian.tar.xz and
# .orig.tar.xz) and place it in ${WORKING_DIR} for the jobs that unpack it
# later.
extract-source:
  stage: provisioning
  image: $SALSA_CI_IMAGES_BASE
  # The upstream tarballs are cached under a key that depends only on
  # RELEASE.
  cache:
    key: "orig-${RELEASE}"
    paths:
      - orig
  extends:
    - .artifacts-default-expire
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    # Move cache to where genorig.py and orig target want it
    - mkdir -p orig
    - rm -rf ../orig
    - mv orig ../orig

    # Install dependencies of gencontrol.py, genorig.py, and debian/rules orig
    - apt-get update
    - |
      eatmydata apt-get install --no-install-recommends -y \
        debhelper \
        git \
        gpg \
        gpgv \
        kernel-wedge \
        python3 \
        python3-dacite \
        python3-debian \
        python3-jinja2 \
        quilt \
        rsync

    # Take the package version from debian/changelog and drop the Debian
    # revision (the last '-' and everything after it).
    - version=$(dpkg-parsechangelog -SVersion)
    - upstream_version=$(echo $version | sed 's/-[^-]*$//')

    # Merge upstream source.  We could use origtargz to download a
    # tarball from the archive if available or run uscan if not, but
    # uscan is currently excessively slow for us (bug #1003251).
    # NOTE(review): a tarball found in the cache is reused as-is, and a
    # missing one is regenerated from git.kernel.org.  No checksum or
    # signature check is visible in this job; confirm whether genorig.py
    # or the orig target verifies the source (gpg and gpgv are installed
    # above).
    - |
      if [ -f ../orig/linux_${upstream_version}.orig.tar.xz ]; then
          ln -s orig/linux_${upstream_version}.orig.tar.xz ..
      else
          debian/bin/genorig.py https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
      fi
    - debian/rules orig

    # Fudge source version and distribution *before* gencontrol.py
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci

    # Run gencontrol.py
    # - create temporary log
    - log="$(mktemp)"
    # - invoke debian/control-real rule and log output; the exit status is
    #   captured in rc instead of aborting the job
    - |
      rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$?
    - cat "$log"
    # - check for success message and error code: the job requires exit
    #   status 2 together with the success message in the log
    - test $rc = 2
    - grep -q 'been generated SUCCESSFULLY' "$log"

    # Put packed source in artifacts
    - dpkg-buildpackage -uc -us -S -sa -d
    - mkdir -p ${WORKING_DIR}
    - cp ../orig/linux_${upstream_version}.orig.tar.xz ${WORKING_DIR}
    - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR}

    # Move cache back to where GitLab wants it.  Only include
    # tarballs, not unpacked source.
    - mkdir orig
    - mv ../orig/*.tar.xz orig

# Build the binary packages from the packed source that extract-source
# left in ${WORKING_DIR}.
build:
  stage: build
  timeout: 3 hours
  image: $SALSA_CI_IMAGES_BASE
  # The ccache directory is cached per build/host architecture pair.
  cache:
    key: "build-${BUILD_ARCH}_${HOST_ARCH}"
    paths:
      - .ccache
  extends:
    - .artifacts-default-expire
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  variables:
    # CCACHE_TMP_DIR lies outside the project directory and
    # CCACHE_WORK_DIR matches the cache path above; the last script step
    # moves the former onto the latter.
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  artifacts:
    # Keep the unpacked source tree out of the artifacts.
    exclude:
      - ${WORKING_DIR}/${SOURCE_DIR}/**/*
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}

    # Do the same as the common .build-definition script
    # (.build-before-script and .build-script are not defined in this
    # file; presumably they come from the included Salsa CI template)
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  dependencies:
    - extract-source

# ARM64 variant of the build job: same definition, but with the ARM64
# image, BUILD_ARCH set to arm64 and a runner tagged arm64.
build-arm64:
  extends: build
  image: $SALSA_CI_IMAGES_BASE_ARM64
  variables:
    BUILD_ARCH: 'arm64'
  tags:
    - arm64
  # Rules are evaluated top to bottom and the first match decides.
  rules:
    # Explicit opt-out takes precedence over everything else.
    - if: $DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/
      when: never
    # Make it possible to override the rules below. E.g. when a project fork
    # has an ARM64 runner available.
    - if: $DEBIAN_KERNEL_ENABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/
      when: always
    # While there isn't an ARM shared runner available, let's run this job
    # manually in forks of the kernel-team/linux project, and in branches other
    # than the default branch, and allow it to fail in that case
    - if: $CI_PROJECT_NAMESPACE != "kernel-team"
      allow_failure: true
      when: manual
    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
      allow_failure: true
      when: manual
    # Default branch of the kernel-team namespace: always run.
    - when: always

# The following jobs are the standard tests, excluding any that
# require building again

# Lintian run over every .changes file in ${WORKING_DIR}, with artifacts
# taken from both build and build-signed.  A failing status is held in
# ECODE so that the JUnit report is still written before the job exits
# with that status.
# NOTE(review): the output is piped through tee, so lintian's own status
# only reaches ECODE if the job shell has pipefail enabled - confirm for
# the runner in use.
lintian:
  extends: .test-lintian
  needs:
    - job: build
      artifacts: true
    - job: build-signed
      artifacts: true
  script:
    - lintian --suppress-tags "${SALSA_CI_LINTIAN_SUPPRESS_TAGS}" --display-info --pedantic --fail-on error --allow-root ${SALSA_CI_LINTIAN_SHOW_OVERRIDES_ARG} ${SALSA_CI_LINTIAN_ARGS} ${WORKING_DIR}/*.changes | tee lintian.output || ECODE=$?
    - lintian2junit.py --lintian-file lintian.output > ${WORKING_DIR}/lintian.xml
    - exit ${ECODE-0}

# autopkgtest job, taken from the .test-autopkgtest template with no
# overrides.
autopkgtest:
  extends: .test-autopkgtest

# blhc job, taken from the .test-blhc template with no overrides.
blhc:
  extends: .test-blhc

# piuparts job from the .test-piuparts template, fed with the artifacts
# of both build and build-signed.
piuparts:
  extends: .test-piuparts
  needs:
    - job: build
      artifacts: true
    - job: build-signed
      artifacts: true

# missing-breaks job, taken from the .test-missing-breaks template with
# no overrides.
missing-breaks:
  extends: .test-missing-breaks

# rc-bugs job, taken from the .test-rc-bugs template with no overrides.
rc-bugs:
  extends: .test-rc-bugs

# Python static checkers

# Run flake8 and pytest over the packaging's own Python code.
python-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        flake8 python3 python3-dacite python3-jinja2 python3-pytest

    # Check Python modules under debian/lib and Python scripts under
    # debian/bin or debian/rules.d.
    # The file list is collected in a temporary file: first the modules,
    # then every executable file whose first line is a python shebang.
    - sources="$(mktemp)"
    - find debian/lib/python -name '*.py' > "$sources"
    - |
      find debian/bin debian/rules.d -type f -perm /111 |
          while read script; do
              if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then
                  echo "$script"
              fi
          done \
          >> "$sources"

    # Run both checkers and coalesce their results rather than exiting
    # on first failure
    - pass=true
    - xargs flake8 --max-line-length=100 < "$sources" || pass=false
    - py.test debian/lib/python || pass=false
    # Execute the recorded result: `true` passes the job, `false` fails it.
    - $pass
  # No dependency on earlier jobs, so this job does not wait for them.
  needs: []

# kconfig static check

# Run the kernel-team kconfig checker over the unpacked source with the
# featureset patches applied.
kconfig-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    # Unpack source and apply featureset patches
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        debhelper dpkg-dev git python3 python3-dacite quilt
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    - cd ${WORKING_DIR}/${SOURCE_DIR}
    - debian/rules source

    # Fetch kernel-team repository
    # NOTE(review): the clone names no branch, tag or commit, so it takes
    # whatever the repository's default branch holds at run time, and the
    # next step executes a script from it.  Pin a reviewed commit if the
    # checker code must not change between runs.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Run process.py and treat any error output as a failure
    # (its exit status is discarded by `|| true`; only a non-empty stderr
    # log fails the job)
    - error_log="$(mktemp)"
    - |
      "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \
      || true
    - |
      if [ -s "$error_log" ]; then cat "$error_log"; false; fi
  # Needs the packed source produced by extract-source.
  needs:
    - job: extract-source
      artifacts: true
# Sign code with the test key and certificate, build and test that

# Sign the build job's output with the CI test key and publish the
# resulting linux-signed source package as an artifact.
sign-code:
  stage: sign-code
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev git openssl python3 python3-debian sbsigntool

    # Fetch kernel-team repository
    # NOTE(review): the clone names no branch, tag or commit, so the
    # signing script executed below is whatever the repository's default
    # branch holds at run time.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Sign the code and build a source package
    # The key and certificate are read from debian/certs/ci-test-sign/ in
    # the source tree, so the private key is available to anyone who can
    # read the repository.  Signatures made here only exercise the
    # signed-package build; nothing should trust this certificate outside
    # of testing.
    - |
      "$kernel_team_dir"/scripts/debian-test-sign \
        ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \
        debian/certs/ci-test-sign/ci-test-sign-key.pem \
        debian/certs/ci-test-sign/ci-test-sign.pem
  artifacts:
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
  # Needs the .changes file and packages produced by the build job.
  needs:
    - job: build
      artifacts: true

# Build the linux-signed source package produced by sign-code, using the
# unsigned image package from the build job as a build-dependency.
build-signed:
  stage: build-signed
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Skip tag pipelines; run for everything else.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  variables:
    # Cleared for this job, so DB_BUILD_PARAM below expands to nothing.
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS: ''
    # Same ccache layout as the build job: the last script step moves
    # CCACHE_TMP_DIR onto CCACHE_WORK_DIR.
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - |
      dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \
        ${WORKING_DIR}/${SOURCE_DIR}

    # Install build-dependencies produced by build job
    # (the .deb is a pipeline artifact installed straight from
    # ${WORKING_DIR}, not a package from the archive)
    - |
      apt-get install --no-install-recommends -y \
        ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb

    # Do the same as the common .build-definition script
    # (.build-before-script and .build-script are not defined in this
    # file; presumably they come from the included Salsa CI template)
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  artifacts:
    # This should include the linux-signed source package, its binary
    # packages, and (for piuparts) the versioned dependencies produced
    # by the build job
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
      - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*-common_*_all.deb
      - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-kbuild-*_${BUILD_ARCH}.deb
    # The unsigned image package is left out of the artifacts.
    exclude:
      - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb
  needs:
    - job: build
      artifacts: true
    - job: sign-code
      artifacts: true