# Fallback image for every job that does not declare its own `image:`.
# NOTE(review): `latest` is a moving tag, so the base of the rootfs and test
# jobs can change between pipeline runs; pinning (tag or digest) would make
# the builds reproducible — confirm whether that is wanted here.
default:
  image: 'archlinux:latest'

# Stage order. `get_version` is not listed because it runs in the built-in
# `.pre` stage, ahead of `lint`.
stages:
  - lint
  - rootfs
  - image
  - test
  - release
  - publish

# Static checks on the Dockerfile template. Not run on the `releases` branch
# or on tags.
lint:
  stage: lint
  image: 'hadolint/hadolint:latest'
  except:
    - releases
    - tags
  # DL3018: We don't need alpine version pins
  script: hadolint --ignore DL3018 Dockerfile.template

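# Runs in the built-in `.pre` stage, ahead of every listed stage, and hands
# BUILD_VERSION and PACKAGE_REGISTRY_URL to all later jobs through the
# `build.env` dotenv artifact.
get_version:
  stage: .pre
  script:
    - |
      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
      # `#v` strips only a leading 'v'; the earlier `${CI_COMMIT_TAG/v/}` form removed
      # the first 'v' found anywhere in the tag name.
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        echo "BUILD_VERSION=${CI_COMMIT_TAG#v}" > build.env
      else
        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
      fi
    # build.env holds a single KEY=VALUE line without spaces at this point,
    # so the unquoted expansion yields exactly one export argument.
    - export $(< build.env)
    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
  artifacts:
    reports:
      dotenv: build.env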

# Shared settings for the rootfs build jobs: installs the build tooling and
# keeps the generated tarballs and Dockerfiles under `output/` as short-lived
# artifacts for the `image` stage.
.rootfs:
  stage: rootfs
  before_script:
    - pacman -Syu --noconfirm make devtools fakechroot fakeroot
  artifacts:
    expire_in: '2h'
    paths:
      - 'output/*'

# Rootfs build for refs not covered by `rootfs:secure` (which is limited to
# `master` and scheduled pipelines on `secure`-tagged runners).
rootfs:
  extends: .rootfs
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - releases
    - schedules
    - tags
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP

# Same build as `rootfs`, restricted to `master` and scheduled pipelines and
# to runners carrying the `secure` tag.
rootfs:secure:
  extends: .rootfs
  tags:
    - secure
  only:
    - master
    - schedules
  except:
    - tags
    - releases
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP

# Shared kaniko build step. Every job extending this writes the registry
# credentials to /kaniko/.docker/config.json in its own `before_script` first.
# NOTE(review): `executor:debug` is a floating tag; the image that builds and
# pushes the containers is not pinned.
.image:
  stage: image
  image:
    name: 'gcr.io/kaniko-project/executor:debug'
    entrypoint:
      - ''
  script:
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/output
      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG

# Builds and pushes the per-ref images to the project's own registry,
# authenticating with the job-scoped CI_REGISTRY_USER/CI_REGISTRY_PASSWORD.
# Protected refs are handled by `image:build:secure` instead.
image:build:
  extends: .image
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - releases
    - schedules
    - tags
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json

# Image build for `master` and scheduled pipelines on `secure`-tagged runners.
# Unlike `image:build`, this authenticates with the project-level
# GITLAB_PROJECT_USER/GITLAB_PROJECT_TOKEN rather than CI_REGISTRY_USER/PASSWORD.
image:build:secure:
  extends: .image
  tags:
    - secure
  only:
    - master
    - schedules
  except:
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json

# Build and publish to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
# Runs only for tags (which the `release` job creates) on `secure`-tagged
# runners. The build context is the repository root, i.e. the generated
# Dockerfile.$GROUP committed to the `releases` branch, not `output/`.
image:publish:secure:
  extends: .image
  retry: 2
  tags:
    - secure
  only:
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    # Docker Hub login uses an access token rather than the account password.
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKERHUB_USERNAME\",\"password\":\"$DOCKERHUB_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
  script:
    # Only the `base` group is additionally tagged `latest`.
    - |
      LATEST=""
      if [[ "$GROUP" == "base" ]]; then
        LATEST="--destination archlinux/archlinux:latest";
      fi
    # $LATEST is deliberately unquoted so it expands to zero or two arguments.
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
      --destination archlinux/archlinux:$GROUP
      --destination archlinux/archlinux:$GROUP-$BUILD_VERSION
      $LATEST

# Smoke tests run inside the images pushed by the `image` stage.
# `dependencies: []` skips downloading the rootfs artifacts, which the tests
# do not need.
.test:
  stage: test
  dependencies: []
  only:
    variables:
      # Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
      # This is fine as at this point we're sure that the release works anyway.
      - $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
  except:
    refs:
      - releases
      - tags
  script:
    # Refresh the package database and verify the installed package files.
    - pacman -Sy
    - pacman -Qqk
    - pacman -Syu --noconfirm docker grep
    - docker -v
    # The `http` user and a UTF-8 locale are expected to exist in the image.
    - id -u http
    - locale | grep -q UTF-8

# Smoke-test the `base` image built for this ref.
test:base:
  extends: .test
  image: '$CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG'

# Smoke-test the `base-devel` image built for this ref and report the
# toolchain versions.
test:base-devel:
  extends: .test
  image: '$CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG'
  # NOTE(review): `after_script` results do not affect the job status, so a
  # missing compiler or make is only visible in the log here — confirm this is
  # intended; moving the checks into `script` would make them fail the job.
  after_script:
    - gcc -v
    - g++ -v
    - make -v

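# Scheduled release on `secure`-tagged runners: refreshes the Docker Hub
# description, uploads the rootfs tarballs to the generic package registry,
# commits the generated Dockerfiles (plus this file) to the `releases` branch
# and creates the tagged release there. BUILD_COMMIT is exported for `publish`.
# The two `only:variables` entries are OR-ed: either publish flag triggers it.
release:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  tags:
    - secure
  only:
    refs:
      - schedules
    variables:
      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    - apk update
    - apk add jq curl httpie
  script:
    - |
      # Update the description on https://hub.docker.com/r/archlinux/archlinux
      # NOTE(review): this login uses DOCKERHUB_PASSWORD, whereas image:publish:secure
      # authenticates with DOCKERHUB_ACCESS_TOKEN; the password is passed as a
      # command-line argument to `http`, so it is readable in the process list.
      TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)"
      http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)"

      # Upload rootfs to the Generic Packages Repository
      # The SHA256 file is rewritten to reference the versioned tarball name before
      # both files are uploaded; its content then becomes TEMPLATE_ROOTFS_HASH and
      # the public download URL becomes TEMPLATE_ROOTFS_URL in the generated Dockerfile.
      for group in base base-devel; do
        sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
        echo "Uploading ${group}.tar.xz"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
        echo "Uploading ${group}.tar.xz.SHA256"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
        sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > output/Dockerfile.${group}
        package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
        sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" output/Dockerfile.${group}
        sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" output/Dockerfile.${group}
      done
    # Commit the generated Dockerfiles and this pipeline definition to the
    # `releases` branch in a single commits API call.
    - >
      curl -sSf --request POST -o commit-response.json
      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
      --form "branch=releases"
      --form "commit_message=Release ${BUILD_VERSION}"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base"
      --form "actions[][content]=<output/Dockerfile.base"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base-devel"
      --form "actions[][content]=<output/Dockerfile.base-devel"
      --form "actions[][action]=update"
      --form "actions[][file_path]=.gitlab-ci.yml"
      --form "actions[][content]=<.gitlab-ci.yml"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
    # Read the commit id in its own assignment so that `jq -e` failing on a
    # missing or null id aborts the job; inside `echo "$(...)"` that failure
    # was swallowed and BUILD_COMMIT=null would have been exported.
    - BUILD_COMMIT="$(jq -er '.id' commit-response.json)"
    - echo "BUILD_COMMIT=${BUILD_COMMIT}" >> build.env
    - |
      base_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
      echo "${base_url}"
      base_sha_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_sha_url}"
      base_devel_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
      echo "${base_devel_url}"
      base_devel_sha_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_devel_sha_url}"

      # TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
      # But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
      echo "Creating release"
      release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
      --tag-name "v${BUILD_VERSION}" --ref "releases" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
  artifacts:
    reports:
      dotenv: build.env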

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
# Opens a pull request against docker-library/official-images from the
# archlinux fork with a regenerated `library/archlinux` file.
publish:
  stage: publish
  only:
    refs:
      - schedules
    variables:
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    # BUILD_VERSION and BUILD_COMMIT arrive via the dotenv artifacts of
    # `get_version` and `release`; refuse to run without them or the GitHub token.
    - export | grep -q BUILD_VERSION=
    - export | grep -q BUILD_COMMIT=
    - test -n "$BUILD_VERSION"
    - test -n "$BUILD_COMMIT"
    - test -n "$GITHUB_TOKEN"
    - pacman -Syu --noconfirm github-cli git gettext
    - git config --global user.email "github@archlinux.org"
    - git config --global user.name "Arch Linux Technical User"
  script:
    - mkdir official-images
    - cd official-images
    - git init
    # NOTE(review): embedding the token in the remote URL stores it in
    # official-images/.git/config inside the job workspace for the rest of the job.
    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
    - git fetch https://github.com/docker-library/official-images.git
    - git reset --hard FETCH_HEAD
    - head="release/${BUILD_VERSION}"
    - git checkout -b "$head"
    # envsubst expands the environment (presumably BUILD_VERSION/BUILD_COMMIT)
    # into the library file — verify against docker-library.template.
    - envsubst < ../docker-library.template > library/archlinux
    - git diff
    - git add library/archlinux
    # Maintainer handles are the "(@name)" entries in the template.
    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
    - test -n "$maintainers"
    - >-
      git commit
      -m "archlinux: Release ${BUILD_VERSION}"
      -m "This is an automated release [1]."
      -m "Maintainers: ${maintainers}"
      -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"
    - git push -u origin "$head"
    - >-
      gh pr create
      --repo docker-library/official-images
      --fill
      --base master
      --head archlinux:"$head"