# Image used by every job that does not declare its own `image`.
# NOTE(review): `latest` is a mutable tag, so each run uses whatever the
# registry currently serves; pin a digest if reproducible runs are required.
default:
  image: 'archlinux:latest'

# Pipeline stages in execution order. Jobs below attach to these by name;
# `get_version` uses the built-in `.pre` stage, which is not listed here.
stages:
  # Dockerfile.template linting
  - lint
  # root filesystem tarballs
  - rootfs
  # container image build and push
  - image
  # smoke tests of the pushed images
  - test
  # NOTE(review): no job in this file is assigned to this stage
  - upload
  # package upload, `releases` commit and GitLab release
  - release
  # Docker Hub retagging and the official-images pull request
  - publish

# Lints Dockerfile.template with hadolint; skipped for the `releases` ref and for tags.
lint:
  stage: lint
  # NOTE(review): mutable `latest` tag, so the linter version can change between runs.
  image: 'hadolint/hadolint:latest'
  # DL3007: We use the latest tag for multistage build
  # DL3020 (hadolint: use COPY instead of ADD) is ignored as well; presumably the
  # template relies on ADD -- confirm against Dockerfile.template.
  script:
    - hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
  except:
    - releases
    - tags

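# Computes BUILD_VERSION and the generic-package URL derived from it, then hands
# both to later jobs through a dotenv report artifact.
# For tag pipelines BUILD_VERSION is taken from the tag name and is later expanded
# unquoted in image destinations and `crane tag` calls further down this file.
# NOTE(review): confirm that tag creation is limited to trusted maintainers.
get_version:
  stage: .pre
  script:
    - |
      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        # '#v' strips only a leading 'v'; a '/v/' substitution would drop the first
        # 'v' found anywhere in the tag name.
        echo "BUILD_VERSION=${CI_COMMIT_TAG#v}" > build.env
      else
        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
      fi
    # Load BUILD_VERSION into this shell so the next command can expand it.
    - export $(< build.env)
    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
  artifacts:
    reports:
      dotenv: build.env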

# Hidden template shared by the rootfs jobs: installs the build tooling and keeps
# everything under output/ as an artifact that expires after two hours.
.rootfs:
  stage: rootfs
  before_script:
    - pacman -Syu --noconfirm make devtools fakechroot fakeroot
  artifacts:
    expire_in: '2h'
    paths:
      - 'output/*'

# Rootfs build for every ref except master, releases, scheduled pipelines and
# tags. Unlike rootfs:secure it carries no runner tag.
rootfs:
  extends: .rootfs
  parallel:
    matrix:
      # One job per image flavour.
      - GROUP:
          - base
          - base-devel
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
  except:
    - master
    - releases
    - schedules
    - tags

# Rootfs build for master and scheduled pipelines, restricted to runners tagged
# `secure`; never runs for tags or the `releases` ref.
# NOTE(review): presumably `secure` runners are the trusted ones whose output
# feeds the published images -- confirm against the runner configuration.
rootfs:secure:
  extends: .rootfs
  tags:
    - secure
  parallel:
    matrix:
      # One job per image flavour.
      - GROUP:
          - base
          - base-devel
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
  only:
    - master
    - schedules
  except:
    - tags
    - releases

# Hidden template: builds output/Dockerfile.$GROUP with kaniko, using output/ as
# the build context, and pushes the result to the project registry as
# $GROUP-$CI_COMMIT_REF_SLUG. Each concrete job writes the registry credentials
# in its own before_script.
.image:
  stage: image
  image:
    # NOTE(review): `debug` is a mutable tag pulled from a third-party registry.
    name: 'gcr.io/kaniko-project/executor:debug'
    # Entrypoint is overridden with an empty string; presumably so the runner
    # can start its own shell inside the image.
    entrypoint: ['']
  script:
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/output
      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG

# Image build for every ref except master, releases, scheduled pipelines and
# tags. Authenticates to the project registry with the CI_REGISTRY_* variables.
image:build:
  extends: .image
  parallel:
    matrix:
      # One job per image flavour.
      - GROUP:
          - base
          - base-devel
  before_script:
    # Writes the registry login that kaniko reads. The variable values are spliced
    # into the JSON without escaping, so a quote or backslash in one of them
    # would produce an invalid config.json.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  except:
    - master
    - releases
    - schedules
    - tags

# Image build for master and scheduled pipelines on `secure` runners; skipped
# for tags. Authenticates to the project registry with GITLAB_PROJECT_USER and
# GITLAB_PROJECT_TOKEN instead of the CI_REGISTRY_* variables.
# NOTE(review): the `release` job sends the same GITLAB_PROJECT_TOKEN as a
# PRIVATE-TOKEN to the commits API, so this token is more than a registry
# credential -- confirm its scopes are as narrow as both uses allow.
image:build:secure:
  extends: .image
  tags:
    - secure
  parallel:
    matrix:
      # One job per image flavour.
      - GROUP:
          - base
          - base-devel
  before_script:
    # Writes the registry login that kaniko reads; the values are spliced into
    # the JSON without escaping.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
  only:
    - master
    - schedules
  except:
    - tags

# Tag pipelines only, on `secure` runners: builds Dockerfile.$GROUP from the
# repository root with kaniko and pushes archlinux/archlinux:$GROUP-$BUILD_VERSION,
# authenticating against index.docker.io with DOCKER_USERNAME / DOCKER_ACCESS_TOKEN.
# The job is retried up to two times on failure.
image:publish:secure:
  extends: .image
  retry: 2
  tags:
    - secure
  only:
    - tags
  parallel:
    matrix:
      # One job per image flavour.
      - GROUP:
          - base
          - base-devel
  before_script:
    # Writes the Docker Hub login that kaniko reads; the values are spliced into
    # the JSON without escaping.
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
  # Replaces the script inherited from .image: different context, Dockerfile
  # location and destination.
  script:
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
      --destination archlinux/archlinux:$GROUP-$BUILD_VERSION

# Hidden template for the image smoke tests. The concrete jobs set `image` to the
# container under test, so every command below runs inside that image.
.test:
  stage: test
  # Empty list: no artifacts from earlier jobs are fetched.
  dependencies: []
  except:
    refs:
      - releases
      - tags
  only:
    variables:
      # Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
      # This is fine as at this point we're sure that the release works anyway.
      - $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
  script:
    # Refresh the package databases.
    - pacman -Sy
    # Check that the files owned by installed packages are present.
    - pacman -Qqk
    # Full upgrade plus two extra packages must install cleanly.
    - pacman -Syu --noconfirm docker grep
    - docker -v
    # Fails when the `http` user does not exist.
    - id -u http
    # The active locale must be a UTF-8 one.
    - locale | grep -q UTF-8

# Smoke test of the base image tagged for this ref in the project registry.
test:base:
  extends: .test
  image: "$CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG"

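# Smoke test of the base-devel image: the shared .test checks plus a check that
# the compiler toolchain is present.
test:base-devel:
  extends: .test
  image: "$CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG"
  # The toolchain checks live in `script` because GitLab does not let the exit
  # status of `after_script` affect the job result, so a missing compiler
  # would not fail the job there. Overriding `script` replaces the list
  # inherited from .test, hence the copy of its commands -- keep both in sync.
  script:
    - pacman -Sy
    - pacman -Qqk
    - pacman -Syu --noconfirm docker grep
    - docker -v
    - id -u http
    - locale | grep -q UTF-8
    - gcc -v
    - g++ -v
    - make -v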

# Scheduled release, gated on PUBLISH_ARCHLINUX_REPOSITORY == "TRUE" and pinned to
# `secure` runners. Uploads the rootfs tarballs and their SHA256 files to the
# generic package registry, renders Dockerfiles that reference them by URL and
# hash, commits those to the `releases` branch and creates the GitLab release.
# Exports BUILD_COMMIT to later jobs through the dotenv report.
release:
  stage: release
  # NOTE(review): mutable `latest` tag on a job that handles CI_JOB_TOKEN and
  # GITLAB_PROJECT_TOKEN; pinning the image would narrow what can run with them.
  image: 'registry.gitlab.com/gitlab-org/release-cli:latest'
  tags:
    - secure
  only:
    refs:
      - schedules
    variables:
      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
  before_script:
    - apk update
    - apk add jq curl
  script:
    # Per flavour: rename the tarball inside the checksum file, upload tarball and
    # checksum with the job token, then render output/Dockerfile.<group>.
    # The hash written into the Dockerfile is read from the local artifact, not
    # fetched back from the registry.
    # NOTE(review): package_url is used as a sed replacement with '|' as the
    # delimiter; a URL containing '|' or '&' would be mangled. The helper
    # script's output format is not visible here -- confirm.
    - |
      for group in base base-devel; do
        sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
        echo "Uploading ${group}.tar.xz"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
        echo "Uploading ${group}.tar.xz.SHA256"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
        sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > output/Dockerfile.${group}
        package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
        sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" output/Dockerfile.${group}
        sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" output/Dockerfile.${group}
      done
    # One commit on `releases` through the commits API, authenticated with
    # GITLAB_PROJECT_TOKEN: updates both Dockerfiles and .gitlab-ci.yml.
    # `-f` makes curl exit non-zero on an HTTP error response.
    - >
      curl -sSf --request POST -o commit-response.json
      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
      --form "branch=releases"
      --form "commit_message=Release ${BUILD_VERSION}"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base"
      --form "actions[][content]=<output/Dockerfile.base"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base-devel"
      --form "actions[][content]=<output/Dockerfile.base-devel"
      --form "actions[][action]=update"
      --form "actions[][file_path]=.gitlab-ci.yml"
      --form "actions[][content]=<.gitlab-ci.yml"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
    # Record the id of the new commit for later jobs.
    - echo "BUILD_COMMIT=$(jq -r '.id' commit-response.json)" >> build.env
    # Resolve the public download URLs and create the release, tagged
    # v${BUILD_VERSION} on the `releases` ref.
    - |
      base_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
      echo "${base_url}"
      base_sha_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_sha_url}"
      base_devel_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
      echo "${base_devel_url}"
      base_devel_sha_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_devel_sha_url}"

      # TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
      # But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
      echo "Creating release"
      release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
      --tag-name v${BUILD_VERSION} --ref "releases" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
  artifacts:
    reports:
      dotenv: build.env

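# Publish base to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
# Tag pipelines only, on `secure` runners: points the moving tags `base`, `latest`
# and `base-devel` at the versioned images for this BUILD_VERSION.
publish:
  stage: publish
  retry: 2
  tags:
    - secure
  image:
    # NOTE(review): `debug` is a mutable tag pulled from a third-party registry.
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  variables:
    # No repository checkout; the job only calls crane against the registry.
    GIT_STRATEGY: none
  only:
    - tags
  before_script:
    # The token is passed on stdin rather than as a command-line argument. Both
    # expansions are quoted so the shell hands the credentials over unchanged
    # (no word splitting or globbing).
    - echo "$DOCKER_ACCESS_TOKEN" | crane auth login -u "$DOCKER_USERNAME" --password-stdin index.docker.io
  script:
    - crane tag archlinux/archlinux:base-$BUILD_VERSION base
    - crane tag archlinux/archlinux:base-$BUILD_VERSION latest
    - crane tag archlinux/archlinux:base-devel-$BUILD_VERSION base-devel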

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
# Scheduled pipelines only, gated on PUBLISH_OFFICIAL_LIBRARY == "TRUE". Renders
# library/archlinux from docker-library.template, pushes it to a branch of
# archlinux/official-images and opens a pull request against
# docker-library/official-images.
# NOTE(review): this job uses GITHUB_TOKEN but, unlike `release` and `publish`,
# carries no `tags: secure` and runs in the default image -- confirm that is
# intended.
publish:official:
  stage: publish
  only:
    refs:
      - schedules
    variables:
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    # Stop early unless BUILD_VERSION and BUILD_COMMIT are exported and non-empty
    # and a GitHub token is available.
    - export | grep -q BUILD_VERSION=
    - export | grep -q BUILD_COMMIT=
    - test -n "$BUILD_VERSION"
    - test -n "$BUILD_COMMIT"
    - test -n "$GITHUB_TOKEN"
    - pacman -Syu --noconfirm github-cli git gettext
    - git config --global user.email "github@archlinux.org"
    - git config --global user.name "Arch Linux Technical User"
  script:
    - mkdir official-images
    - cd official-images
    - git init
    # The token is embedded in the remote URL, so it is stored in this
    # repository's .git/config. NOTE(review): make sure GITHUB_TOKEN is a masked
    # variable so it cannot surface in job output.
    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
    # Start from the current upstream state, fetched anonymously.
    - git fetch --depth=1 https://github.com/docker-library/official-images.git
    - git reset --hard FETCH_HEAD
    - head="release/${BUILD_VERSION}"
    - git checkout -b "$head"
    # envsubst is called without a variable list, so every environment variable
    # referenced in the template is expanded; `git diff` then prints the result
    # to the job log.
    - envsubst < ../docker-library.template > library/archlinux
    - git diff
    - git add library/archlinux
    # Collects the text inside each "(@...)" of the template, space-separated.
    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
    - test -n "$maintainers"
    - >-
      git commit
      -m "archlinux: Release ${BUILD_VERSION}"
      -m "This is an automated release [1]."
      -m "Maintainers: ${maintainers}"
      -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"
    - git push -u origin "$head"
    - >-
      gh pr create
      --repo docker-library/official-images
      --fill
      --base master
      --head archlinux:"$head"