include:
  - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml

variables:
  RELEASE: 'bookworm'
  # Make that build quicker
  SALSA_CI_DPKG_BUILDPACKAGE_ARGS: '-Ppkg.linux.quick'
  # We have to bump the version in source preparation, not later
  SALSA_CI_DISABLE_VERSION_BUMP: 'true'
  # Currently broken in quick build
  DEBIAN_KERNEL_DISABLE_INSTALLER: 'true'
  # Output is limited to 4 MiB total, so use 'terse'.
  # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is
  # a bit faster.
  DEB_BUILD_OPTIONS: 'terse parallel=4'

# Add stages for signed packages
stages:
  - provisioning
  - build
  - publish
  - test
  - sign-code
  - build-signed
  - test-signed

# The common Salsa CI pipeline relies on keeping the unpacked source
# as an artifact, but in our case this is far too large for the
# current limits on Salsa (salsa-ci-team/pipeline#195).  So we
# redefine the source extraction and build steps to use packed source.

# Our modified extract-source and build jobs

extract-source:
  stage: provisioning
  image: $SALSA_CI_IMAGES_BASE
  cache:
    key: "orig-${RELEASE}"
    paths:
      - orig
  extends:
    - .artifacts-default-expire
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Move cache to where genorig.py and orig target want it
    - mkdir -p orig
    - rm -rf ../orig
    - mv orig ../orig

    # Install dependencies of gencontrol.py, genorig.py, and debian/rules orig
    - apt-get update
    - |
      eatmydata apt-get install --no-install-recommends -y \
        debhelper \
        git \
        gpg \
        gpgv \
        kernel-wedge \
        python3 \
        python3-debian \
        python3-jinja2 \
        quilt \
        rsync

    - version=$(dpkg-parsechangelog -SVersion)
    - upstream_version=$(echo $version | sed 's/-[^-]*$//')

    # Merge upstream source.  We could use origtargz to download a
    # tarball fom the archive if available or run uscan if not, but
    # uscan is currently excessively slow for us (bug #1003251).
    - |
      if [ -f ../orig/linux_${upstream_version}.orig.tar.xz ]; then
          ln -s orig/linux_${upstream_version}.orig.tar.xz ..
      else
          debian/bin/genorig.py https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
      fi
    - debian/rules orig

    # Fudge source version and distribution *before* gencontrol.py
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci

    # Change trusted signing certificate to the one we will use
    - |
      sed -i -e 's|^trusted-certs:.*|trusted-certs: debian/certs/ci-test-sign/ci-test-sign.pem|' \
        debian/config/defines

    # Run gencontrol.py
    # - create temporary log
    - log="$(mktemp)"
    # - invoke debian/control-real rule and log output
    - |
      rc=0; debian/rules debian/control-real >"$log" 2>&1 || rc=$?
    - cat "$log"
    # - check for success message and error code
    - test $rc = 2
    - grep -q 'been generated SUCCESSFULLY' "$log"

    # Put packed source in artifacts
    - dpkg-buildpackage -uc -us -S -sa -d
    - mkdir -p ${WORKING_DIR}
    - cp ../orig/linux_${upstream_version}.orig.tar.xz ${WORKING_DIR}
    - mv ../linux_${version}.dsc ../linux_${version}.debian.tar.xz ${WORKING_DIR}

    # Move cache back to where GitLab wants it.  Only include
    # tarballs, not unpacked source.
    - mkdir orig
    - mv ../orig/*.tar.xz orig

build:
  stage: build
  timeout: 3 hours
  image: $SALSA_CI_IMAGES_BASE
  cache:
    key: "build-${BUILD_ARCH}_${HOST_ARCH}"
    paths:
      - .ccache
  extends:
    - .artifacts-default-expire
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  artifacts:
    exclude:
      - ${WORKING_DIR}/${SOURCE_DIR}/**/*
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}

    # Do the same as the common .build-definition script
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  dependencies:
    - extract-source

# The folllowing jobs are the standard tests, excluding any that
# require building again

lintian:
    extends: .test-lintian

autopkgtest:
    extends: .test-autopkgtest

blhc:
    extends: .test-blhc

piuparts:
    extends: .test-piuparts

missing-breaks:
    extends: .test-missing-breaks

rc-bugs:
    extends: .test-rc-bugs

# Python static checkers

python-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        python3 pycodestyle pyflakes3

    # Check Python modules under debian/lib and Python scripts under
    # debian/bin or debian/rules.d.
    - sources="$(mktemp)"
    - find debian/lib/python -name '*.py' > "$sources"
    - |
      find debian/bin debian/rules.d -type f -perm /111 |
          while read script; do
              if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then
                  echo "$script"
              fi
          done \
          >> "$sources"

    # Run both checkers and coalesce their results rather than exiting
    # on first failure
    - pass=true
    # Ignore E126,E226,W503 (ignored by default) and also E127,W291 which
    # give false positives.
    - |
      xargs pycodestyle --max-line-length=100 --ignore E126,E127,E226,W291,W503 \
        < "$sources" || pass=false
    - xargs pyflakes3 < "$sources" || pass=false
    - $pass
  needs: []

# kconfig static check

kconfig-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Unpack source and apply featureset patches
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        debhelper dpkg-dev git python3 quilt
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    - cd ${WORKING_DIR}/${SOURCE_DIR}
    - debian/rules source

    # Fetch kernel-team repository
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Run process.py and treat any error output as a failure
    - error_log="$(mktemp)"
    - |
      "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \
      || true
    - |
      if [ -s "$error_log" ]; then cat "$error_log"; false; fi
  needs:
    - job: extract-source
      artifacts: true

# Sign code with the test key and certificate, build and test that

sign-code:
  stage: sign-code
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev git openssl python3 python3-debian sbsigntool \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb

    # Fetch kernel-team repository
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Sign the code and build a source package
    - |
      "$kernel_team_dir"/scripts/debian-test-sign \
        ${WORKING_DIR}/linux_*_${BUILD_ARCH}.changes \
        debian/certs/ci-test-sign/ci-test-sign-key.pem \
        debian/certs/ci-test-sign/ci-test-sign.pem
  artifacts:
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
  needs:
    - job: build
      artifacts: true

build-signed:
  stage: build-signed
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  except:
    variables:
      - $CI_COMMIT_TAG != null
  variables:
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS: ''
    CCACHE_TMP_DIR: ${CI_PROJECT_DIR}/../.ccache
    CCACHE_WORK_DIR: ${CI_PROJECT_DIR}/.ccache
    DB_BUILD_PARAM: ${SALSA_CI_DPKG_BUILDPACKAGE_ARGS}
    DB_BUILD_TYPE: full
  script:
    # Unpack the source
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev
    - |
      dpkg-source -x ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*.dsc \
        ${WORKING_DIR}/${SOURCE_DIR}

    # Install build-dependencies produced by build job
    - |
      apt-get install --no-install-recommends -y \
        ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb \
        ${WORKING_DIR}/linux-support-*_all.deb

    # Do the same as the common .build-definition script
    - !reference [.build-before-script]
    - !reference [.build-script]
    - mv ${CCACHE_TMP_DIR} ${CCACHE_WORK_DIR}
  artifacts:
    # This should include the linux-signed source package, its binary
    # packages, and (for piuparts) the versioned dependencies produced
    # by the build job
    paths:
      - ${WORKING_DIR}/linux-signed-${BUILD_ARCH}_*
      - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*-common_*_all.deb
      - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-kbuild-*[0-9]_*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-compiler-*_${BUILD_ARCH}.deb
    exclude:
      - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb
  needs:
    - job: build
      artifacts: true
    - job: sign-code
      artifacts: true

lintian-signed:
  extends: .test-lintian
  stage: test-signed
  needs:
    - job: build-signed
      artifacts: true

piuparts-signed:
  extends: .test-piuparts
  stage: test-signed
  needs:
    - job: build-signed
      artifacts: true