default:
  # Container used by every job that does not override `image`. The tag is
  # unpinned, so each pipeline resolves it afresh at run time.
  image: 'archlinux:latest'

# Pipeline stages in execution order. get_version runs in the built-in `.pre`
# stage, which always precedes the first stage listed here.
stages:
  - cleanup  # scheduled package-registry housekeeping
  - lint     # hadolint on Dockerfile.template
  - rootfs   # build the rootfs tarballs and Dockerfiles with make
  - image    # build and push container images with kaniko
  - test     # smoke-test the freshly built images
  - release  # upload rootfs, commit Dockerfiles to `releases`, create the release
  - publish  # open the docker-library/official-images pull request

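# Scheduled housekeeping: deletes generic packages older than 60 days from the
# project's package registry. Gated on the CLEANUP_PACKAGE_REGISTRY schedule
# variable and pinned to the `secure` runners because the DELETE call needs
# GITLAB_PROJECT_TOKEN.
cleanup:
  stage: cleanup
  tags:
    - secure
  only:
    refs:
      - schedules
    variables:
      - $CLEANUP_PACKAGE_REGISTRY == "TRUE"
  before_script:
    - pacman -Syu --noconfirm jq
  script:
    - |
      # Fetch the listing into a variable first: a curl/jq failure inside a
      # `for ... in $(...)` word list is not caught by the runner's `set -eo pipefail`
      # and would silently turn the job into a no-op. Only the oldest 100 packages
      # are considered per run (per_page=100, ascending created_at), which is
      # enough for a recurring schedule.
      packages="$(curl --silent --fail --show-error "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages?per_page=100&order_by=created_at&sort=asc")"
      stale_ids="$(printf '%s' "${packages}" | jq '.[] | select(.created_at | split("T")[0] | . < (now-60*60*24*60|strflocaltime("%Y-%m-%d"))) | .id')"
      for id in ${stale_ids}; do
        curl --silent --fail --show-error --request DELETE --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/${id}"
      done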

lint:
  stage: lint
  # Dedicated hadolint image (unpinned tag). The linter runs against the
  # template from which the per-group Dockerfiles are generated.
  image: hadolint/hadolint:latest-alpine
  script:
    # DL3018: We don't need alpine version pins
    - hadolint --ignore DL3018 Dockerfile.template
  except:
    - releases
    - tags

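# Runs in the built-in .pre stage so BUILD_VERSION and PACKAGE_REGISTRY_URL are
# available to every later job through the dotenv report.
get_version:
  stage: .pre
  script:
    - |
      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
      # `${CI_COMMIT_TAG#v}` strips only a leading 'v'; the earlier `${CI_COMMIT_TAG/v/}`
      # removed the first 'v' found anywhere in the tag, which is wrong for tags that
      # do not start with one.
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        echo "BUILD_VERSION=${CI_COMMIT_TAG#v}" > build.env
      else
        # Date-based version; CI_JOB_ID keeps several builds on one day distinct.
        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
      fi
    # Load BUILD_VERSION into this shell so the registry URL can be derived from it.
    - export $(< build.env)
    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
  artifacts:
    reports:
      # Exposes both variables to downstream jobs as environment variables.
      dotenv: build.env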

# Template for the rootfs jobs; GROUP is supplied by the extending job's matrix.
.rootfs:
  stage: rootfs
  before_script:
    - pacman -Syu --noconfirm make devtools fakechroot fakeroot
  script:
    # The Makefile builds the tarball and the Dockerfile for one group.
    - make $PWD/output/Dockerfile.$GROUP
  artifacts:
    paths:
      - 'output/*'
    # Short-lived: the image stage consumes these within the same pipeline.
    expire_in: 2h

# Rootfs build for ordinary branches and merge requests (no `secure` runner).
rootfs:
  extends: .rootfs
  except:
    - master
    - releases
    - schedules
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel

# Rootfs build for master and scheduled pipelines, on the `secure` runners.
rootfs:secure:
  extends: .rootfs
  tags:
    - secure
  only:
    - master
    - schedules
  except:
    - tags
    - releases
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel

# Template for the kaniko image jobs; GROUP comes from the extending job's
# matrix and the registry credentials from its before_script.
.image:
  stage: image
  image:
    name: gcr.io/kaniko-project/executor:debug
    # The `:debug` variant carries a shell; the empty entrypoint lets the runner
    # execute `script` inside it.
    entrypoint: [""]
  script:
    # Builds from the rootfs artifacts and pushes one tag per group and ref.
    # `--force` presumably skips kaniko's running-in-a-container check.
    - >-
      /kaniko/executor
      --force
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/output
      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG

# Image build for ordinary branches and merge requests, pushed to the project
# registry with the job's own registry credentials.
image:build:
  extends: .image
  except:
    - master
    - releases
    - schedules
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    # kaniko reads registry credentials from this file. The values are spliced
    # into the JSON unescaped, so a password containing `"` or `\` would yield
    # an invalid config.json.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json

# Image build for master and scheduled pipelines, on the `secure` runners,
# authenticating with GITLAB_PROJECT_USER / GITLAB_PROJECT_TOKEN instead of
# the job's registry credentials.
image:build:secure:
  extends: .image
  tags:
    - secure
  only:
    - master
    - schedules
  except:
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    # Same unescaped-JSON caveat as image:build: a token containing `"` or `\`
    # would yield an invalid config.json.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json

# Build and publish to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
image:publish:secure:
  extends: .image
  retry: 2
  tags:
    - secure
  only:
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    # Docker Hub credentials for kaniko; the values are spliced into the JSON
    # unescaped, as in the registry logins above.
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKERHUB_USERNAME\",\"password\":\"$DOCKERHUB_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
  # Overrides the template's script: builds from the repository root, since the
  # tagged `releases` commit already contains the generated Dockerfiles.
  script:
    - |
      LATEST=""
      if [[ "$GROUP" == "base" ]]; then
        LATEST="--destination archlinux/archlinux:latest"
      fi
    # $LATEST stays unquoted on purpose so it expands to two words (or none).
    - >-
      /kaniko/executor
      --force
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
      --destination archlinux/archlinux:$GROUP
      --destination archlinux/archlinux:$GROUP-$BUILD_VERSION
      $LATEST

# Shared settings for the smoke tests; the extending job supplies the image.
.test:
  stage: test
  # Nothing from earlier stages is needed inside the image under test.
  dependencies: []
  only:
    variables:
      # Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
      # This is fine as at this point we're sure that the release works anyway.
      - $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
  except:
    - releases
    - tags

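# Checks shared by every image test, pulled in through the *test-script alias.
.test-script: &test-script
  # The rootfs must carry a populated user/group database. `wc -l < file`
  # prints the same bare count as the former `cat file | wc -l`, without the
  # extra process.
  - test "$(wc -l < /etc/group)" -gt 10
  - test "$(wc -l < /etc/passwd)" -gt 10
  # Sync the package database, verify installed files, then do a real install.
  - pacman -Sy
  - pacman -Qqk
  - pacman -Syu --noconfirm docker grep
  - docker -v
  # The http user must exist in the image.
  - id -u http
  - locale | grep -q UTF-8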

# Smoke test of the base image pushed for this ref by the image stage.
test:base:
  extends: .test
  image: '$CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG'
  script:
    - *test-script

# Smoke test of the base-devel image: the shared checks plus the toolchain.
test:base-devel:
  extends: .test
  image: '$CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG'
  script:
    - *test-script
    # base-devel additionally ships a compiler toolchain.
    - gcc -v
    - g++ -v
    - make -v

# Scheduled release job on the `secure` runners: refreshes the Docker Hub
# description, uploads the rootfs tarballs to the generic package registry,
# commits the rendered Dockerfiles to the `releases` branch and creates the
# GitLab release pointing at them.
release:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  tags:
    - secure
  only:
    refs:
      - schedules
    # Several only:variables entries are OR-ed: either schedule variable triggers the job.
    variables:
      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    - apk update
    - apk add jq curl httpie
  script:
    - |
      # Update the description on https://hub.docker.com/r/archlinux/archlinux
      # The password is handed to http as a command-line argument, so it is visible
      # in the job container's process list for the duration of the login call.
      TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)"
      http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)"

      # Upload rootfs to the Generic Packages Repository
      for group in base base-devel; do
        # Point the checksum file at the versioned tarball name used in the registry.
        sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
        echo "Uploading ${group}.tar.xz"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
        echo "Uploading ${group}.tar.xz.SHA256"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
        # Render the release Dockerfile from the template: drop the local-file line,
        # then fill in the release URL, the download command and the expected hash.
        sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > output/Dockerfile.${group}
        package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
        sed -i "s|TEMPLATE_ROOTFS_RELEASE_URL|https://gitlab.archlinux.org/archlinux/archlinux-docker/-/releases/v${BUILD_VERSION}|" output/Dockerfile.${group}
        sed -i "s|TEMPLATE_ROOTFS_DOWNLOAD|ROOTFS=\"\$(curl -sOJL -w \"%{filename_effective}\" \"${package_url}\")\"|" output/Dockerfile.${group}
        sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" output/Dockerfile.${group}
      done
    # Commit the rendered Dockerfiles and this pipeline definition to the
    # `releases` branch in one API call (a `# ...` line must not be placed inside
    # this folded scalar, it would be folded into the command).
    - >
      curl -sSf --request POST -o commit-response.json
      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
      --form "branch=releases"
      --form "commit_message=Release ${BUILD_VERSION}"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base"
      --form "actions[][content]=<output/Dockerfile.base"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base-devel"
      --form "actions[][content]=<output/Dockerfile.base-devel"
      --form "actions[][action]=update"
      --form "actions[][file_path]=.gitlab-ci.yml"
      --form "actions[][content]=<.gitlab-ci.yml"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
    # Hand the new commit id to the publish job through the dotenv report below.
    - echo "BUILD_COMMIT=$(jq -r '.id' commit-response.json)" >> build.env
    - |
      # Resolve public download URLs for the four uploaded assets.
      base_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
      echo "${base_url}"
      base_sha_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_sha_url}"
      base_devel_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
      echo "${base_devel_url}"
      base_devel_sha_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_devel_sha_url}"

      # TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
      # But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
      echo "Creating release"
      # Tags the `releases` branch commit made above and attaches the asset links.
      release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
      --tag-name v${BUILD_VERSION} --ref "releases" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
  artifacts:
    reports:
      # Exposes BUILD_COMMIT (and the values carried over from get_version) to publish.
      dotenv: build.env

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
publish:
  stage: publish
  only:
    refs:
      - schedules
    variables:
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    # BUILD_VERSION and BUILD_COMMIT arrive via the dotenv reports of
    # get_version and release; fail early if either is missing.
    - export | grep -q BUILD_VERSION=
    - export | grep -q BUILD_COMMIT=
    - test -n "$BUILD_VERSION"
    - test -n "$BUILD_COMMIT"
    - test -n "$GITHUB_TOKEN"
    - pacman -Syu --noconfirm github-cli git gettext
    - git config --global user.email "github@archlinux.org"
    - git config --global user.name "Arch Linux Technical User"
  script:
    - mkdir official-images
    - cd official-images
    - git init
    # The token becomes part of the remote URL in official-images/.git/config for
    # the lifetime of the job; this job declares no artifacts, so that directory
    # is never uploaded.
    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
    # Start from the upstream default branch, then branch off for this release.
    - git fetch https://github.com/docker-library/official-images.git
    - git reset --hard FETCH_HEAD
    - head="release/${BUILD_VERSION}"
    - git checkout -b "$head"
    # envsubst expands every $VAR in the template from the job environment
    # (presumably BUILD_VERSION and BUILD_COMMIT, which are checked above).
    - envsubst < ../docker-library.template > library/archlinux
    - git diff
    - git add library/archlinux
    # Maintainer handles are the "(@name)" tokens in the template.
    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
    - test -n "$maintainers"
    - >-
      git commit
      -m "archlinux: Release ${BUILD_VERSION}"
      -m "This is an automated release [1]."
      -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"
    - git push -u origin "$head"
    # Title and body are taken from the commit just made; the PR targets
    # docker-library/official-images from the archlinux fork.
    - >-
      gh pr create
      --repo docker-library/official-images
      --title "$(git show --no-patch --format="%s")"
      --body "$(printf "%s\n\n---\n\nMaintainers: ${maintainers}\n" "$(git show --no-patch --format="%b")")"
      --base master
      --head archlinux:"$head"