.gitlab-ci.yml 9.44 KB
# Fallback image for every job that does not declare its own `image:`
# (get_version, the rootfs jobs and publish in this file).
# NOTE(review): `latest` is a mutable tag, so the build environment can change
# between pipeline runs; pin by digest if reproducible builds are required.
default:
  image: 'archlinux:latest'

# Pipeline order: a stage starts only after the previous one has passed.
stages:
  # hadolint run against Dockerfile.template
  - lint
  # build the base / base-devel rootfs tarballs and their Dockerfiles
  - rootfs
  # build (and, on tags, publish) container images with kaniko
  - image
  # smoke-test the images that were just pushed
  - test
  # commit generated Dockerfiles to `releases` and create the GitLab release
  - release
  # open the pull request against docker-library/official-images
  - publish

# Static check of the Dockerfile template.
lint:
  stage: lint
  # NOTE(review): mutable `latest` tag; the linter version can change between runs.
  image: 'hadolint/hadolint:latest'
  # Suppressed rules:
  #   DL3018 - we don't need alpine version pins
  #   DL3020 - hadolint's "use COPY instead of ADD" rule; presumably ignored
  #            because the template ADDs the rootfs tarball - confirm
  script: >-
    hadolint --ignore DL3018 --ignore DL3020 Dockerfile.template
  # Skipped on the generated `releases` ref and on tag pipelines.
  except:
    - releases
    - tags

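# Computes BUILD_VERSION and PACKAGE_REGISTRY_URL once per pipeline and hands
# both to later jobs through the dotenv report at the bottom of this job.
# NOTE(review): on tag pipelines the tag name is copied into BUILD_VERSION
# unvalidated and is reused in the published image tag (image:publish:secure);
# restrict who may create tags (protected tags) - confirm in project settings.
get_version:
  stage: .pre
  script:
    - |
      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        # '#v' strips only a leading 'v'; the previous '/v/' form removed the
        # first 'v' found anywhere in the tag name.
        echo "BUILD_VERSION=${CI_COMMIT_TAG#v}" > build.env
      else
        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
      fi
    # Load BUILD_VERSION into this shell so the next command can expand it.
    - export $(< build.env)
    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
  artifacts:
    reports:
      # Every KEY=VALUE line of build.env becomes a CI variable in later jobs.
      dotenv: build.env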

# Shared template for the rootfs jobs (pulled in through `extends: .rootfs`).
.rootfs:
  stage: rootfs
  before_script:
    # Full system upgrade plus the tools the build needs (presumably used by
    # the Makefile, which is not part of this file).
    - pacman -Syu --noconfirm make devtools fakechroot fakeroot
  artifacts:
    # Short retention: later jobs in this file read output/ (kaniko build
    # context, release upload), so a job retried after two hours finds nothing.
    expire_in: 2h
    paths:
      - 'output/*'

# Rootfs build for ordinary refs. It carries no runner tag; master and
# scheduled pipelines are built by rootfs:secure instead.
rootfs:
  extends: .rootfs
  script:
    # Both make targets are absolute paths below output/.
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
  parallel:
    matrix:
      # One job per package group.
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - releases
    - schedules
    - tags

# Same build as `rootfs`, but only for master and scheduled pipelines and only
# on runners tagged `secure`.
# NOTE(review): presumably those runners are reserved for protected refs so
# that release artifacts never come from a runner shared with untrusted
# branches - confirm against the runner configuration.
rootfs:secure:
  extends: .rootfs
  tags:
    - secure
  script:
    # Both make targets are absolute paths below output/.
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
  parallel:
    matrix:
      # One job per package group.
      - GROUP:
          - base
          - base-devel
  only:
    - master
    - schedules
  except:
    - tags
    - releases

# Shared template for the kaniko image builds. Jobs extending it add a
# before_script that writes the registry credentials kaniko pushes with.
.image:
  stage: image
  image:
    # NOTE(review): `debug` is a mutable tag; the jobs extending this template
    # write registry credentials inside this container, so pinning the builder
    # by digest would make it auditable.
    name: gcr.io/kaniko-project/executor:debug
    # Empty entrypoint so the runner can start its own shell in the container.
    entrypoint:
      - ''
  script:
    # Build output/Dockerfile.$GROUP with output/ as context and push the
    # result to the project registry as <group>-<ref slug>.
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/output
      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG

# Image build for ordinary refs, pushed to the project registry with the
# credentials GitLab provides to the job (CI_REGISTRY_USER / CI_REGISTRY_PASSWORD).
image:build:
  extends: .image
  before_script:
    # Writes the kaniko auth file. The values are interpolated into the JSON
    # unescaped, so a credential containing `"` or `\` would yield a broken file.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  parallel:
    matrix:
      # One job per package group.
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - releases
    - schedules
    - tags

# Image build for master and scheduled pipelines, restricted to `secure`
# runners and pushed with the project's own user/token pair.
# NOTE(review): the release job sends the same GITLAB_PROJECT_TOKEN as
# PRIVATE-TOKEN to the commits API, so the token grants repository write access
# as well as registry push; keep it protected and masked.
image:build:secure:
  extends: .image
  tags:
    - secure
  before_script:
    # Writes the kaniko auth file. The values are interpolated into the JSON
    # unescaped, so a credential containing `"` or `\` would yield a broken file.
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
  parallel:
    matrix:
      # One job per package group.
      - GROUP:
          - base
          - base-devel
  only:
    - master
    - schedules
  except:
    - tags

# Build and publish to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
# Tag pipelines only, on `secure` runners. The build context is the repository
# root, i.e. the Dockerfile.<group> files committed at the tagged ref (the
# release job in this file commits them to `releases`).
image:publish:secure:
  extends: .image
  tags:
    - secure
  only:
    - tags
  # Retried up to two more times on failure.
  retry: 2
  parallel:
    matrix:
      # One job per package group.
      - GROUP:
          - base
          - base-devel
  before_script:
    # Docker Hub credentials for kaniko; an access token rather than the
    # account password. The values are interpolated into the JSON unescaped.
    - echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKERHUB_USERNAME\",\"password\":\"$DOCKERHUB_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
  script:
    # Only the `base` group additionally moves the `latest` tag.
    - LATEST=""
    - if [[ "$GROUP" == "base" ]]; then
        LATEST="--destination archlinux/archlinux:latest";
      fi
    # Pushes the floating <group> tag and the immutable <group>-<version> tag.
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile.$GROUP
      --destination archlinux/archlinux:$GROUP
      --destination archlinux/archlinux:$GROUP-$BUILD_VERSION
      $LATEST

# Shared smoke test, executed inside the image under test (the extending jobs
# set `image:` to the tag pushed by the image stage).
.test:
  stage: test
  # Download no artifacts from earlier stages.
  dependencies: []
  except:
    refs:
      - releases
      - tags
  only:
    variables:
      # Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
      # Skips pipelines triggered by the project bot; acceptable because the
      # release is already known to work at that point.
      - $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
  script:
    # Sync the package databases, then check that the files of every installed
    # package are present.
    - pacman -Sy
    - pacman -Qqk
    # Upgrading and installing packages must work in the image.
    - pacman -Syu --noconfirm docker grep
    - docker -v
    # The `http` user must exist and the locale must be UTF-8.
    - id -u http
    - locale | grep -q UTF-8

# Runs the shared smoke test inside the `base` image pushed for this ref.
test:base:
  image: '$CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG'
  extends: .test

# Runs the shared smoke test inside the `base-devel` image pushed for this ref
# and then prints the toolchain versions.
test:base-devel:
  image: '$CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG'
  extends: .test
  # NOTE(review): GitLab does not fail a job when an after_script command
  # fails, so a missing compiler would only show up in the job log.
  after_script:
    - gcc -v
    - g++ -v
    - make -v

# Scheduled release: refreshes the Docker Hub description, uploads the rootfs
# tarballs to the generic package registry, commits the generated Dockerfiles
# to `releases` and creates the GitLab release v${BUILD_VERSION}.
release:
  stage: release
  # Restricted to `secure` runners: the job uses Docker Hub and GitLab write
  # credentials.
  tags:
    - secure
  # NOTE(review): mutable `latest` tag on the image those credentials are
  # exposed to; pin by digest if the toolchain must be auditable.
  image: 'registry.gitlab.com/gitlab-org/release-cli:latest'
  only:
    refs:
      - schedules
    # GitLab enables the job when any one of these expressions matches.
    variables:
      - $PUBLISH_ARCHLINUX_REPOSITORY == "TRUE"
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
  before_script:
    - apk update
    - apk add jq curl httpie
  script:
    # 1) Log in to Docker Hub with the account password to obtain a JWT and
    #    replace the repository description with README.md.
    #    NOTE(review): DOCKERHUB_PASSWORD (the account password, not the access
    #    token used for pushes) is passed on the `http` command line; keep the
    #    variable masked and protected.
    # 2) For each group: rewrite the file name inside the .SHA256 file, upload
    #    tarball and checksum with the job token, then render
    #    output/Dockerfile.<group> with the public download URL and the checksum
    #    line (presumably so the Dockerfile can verify the download - the
    #    template is not part of this file).
    - |
      # Update the description on https://hub.docker.com/r/archlinux/archlinux
      TOKEN="$(http --ignore-stdin POST https://hub.docker.com/v2/users/login username="${DOCKERHUB_USERNAME}" password="${DOCKERHUB_PASSWORD}" | jq -er .token)"
      http --ignore-stdin PATCH https://hub.docker.com/v2/repositories/archlinux/archlinux/ Authorization:"JWT ${TOKEN}" full_description="$(cat README.md)"

      # Upload rootfs to the Generic Packages Repository
      for group in base base-devel; do
        sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
        echo "Uploading ${group}.tar.xz"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
        echo "Uploading ${group}.tar.xz.SHA256"
        curl -sSf --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
        sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > output/Dockerfile.${group}
        package_url=$(./ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
        sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" output/Dockerfile.${group}
        sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" output/Dockerfile.${group}
      done
    # One commit on `releases` through the commits API that updates both
    # Dockerfiles and .gitlab-ci.yml, authenticated with the project token.
    - >
      curl -sSf --request POST -o commit-response.json
      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
      --form "branch=releases"
      --form "commit_message=Release ${BUILD_VERSION}"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base"
      --form "actions[][content]=<output/Dockerfile.base"
      --form "actions[][action]=update"
      --form "actions[][file_path]=Dockerfile.base-devel"
      --form "actions[][content]=<output/Dockerfile.base-devel"
      --form "actions[][action]=update"
      --form "actions[][file_path]=.gitlab-ci.yml"
      --form "actions[][content]=<.gitlab-ci.yml"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
    # Record the id of that commit for later jobs (exported by the dotenv
    # report below).
    - echo "BUILD_COMMIT=$(jq -r '.id' commit-response.json)" >> build.env
    # Resolve the public download URLs and create the release with four asset
    # links. NOTE(review): the tag is created from the branch name
    # (`--ref "releases"`), not from the commit id recorded above.
    - |
      base_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
      echo "${base_url}"
      base_sha_url=$(./ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_sha_url}"
      base_devel_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
      echo "${base_devel_url}"
      base_devel_sha_url=$(./ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
      echo "${base_devel_sha_url}"

      # TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
      # But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
      echo "Creating release"
      release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
      --tag-name v${BUILD_VERSION} --ref "releases" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
  artifacts:
    reports:
      # Every KEY=VALUE line of build.env becomes a CI variable in later jobs.
      dotenv: build.env

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
# Pushes a release branch to the archlinux/official-images fork and opens a
# pull request against docker-library/official-images.
# NOTE(review): unlike release and image:publish:secure, this job is not
# pinned to `secure` runners although it handles GITHUB_TOKEN - confirm that
# this is intended.
publish:
  stage: publish
  only:
    variables:
      - $PUBLISH_OFFICIAL_LIBRARY == "TRUE"
    refs:
      - schedules
  before_script:
    # Abort early unless BUILD_VERSION and BUILD_COMMIT were exported by the
    # earlier jobs' dotenv reports and the GitHub token is available.
    - export | grep -q BUILD_VERSION=
    - export | grep -q BUILD_COMMIT=
    - test -n "$BUILD_VERSION"
    - test -n "$BUILD_COMMIT"
    - test -n "$GITHUB_TOKEN"
    - pacman -Syu --noconfirm github-cli git gettext
    - git config --global user.email "github@archlinux.org"
    - git config --global user.name "Arch Linux Technical User"
  script:
    - mkdir official-images
    - cd official-images
    - git init
    # The token is embedded in the remote URL, so it is written to .git/config
    # of this throw-away repository and may appear in git output; keep
    # GITHUB_TOKEN masked and scoped to the fork.
    - 'git remote add origin "https://x-access-token:${GITHUB_TOKEN}@github.com/archlinux/official-images.git"'
    # Start from the current upstream state (fetched without credentials).
    - git fetch --depth=1 https://github.com/docker-library/official-images.git
    - git reset --hard FETCH_HEAD
    - head="release/${BUILD_VERSION}"
    - git checkout -b "$head"
    # envsubst replaces every environment variable reference in the template.
    - envsubst < ../docker-library.template > library/archlinux
    # The diff is printed to the job log for review.
    - git diff
    - git add library/archlinux
    # Collect the text inside the parentheses of every template line that
    # contains "(@", joined into a single line.
    - maintainers="$(grep \(@ ../docker-library.template | cut -d\( -f2 | cut -d\) -f1 | xargs)"
    - test -n "$maintainers"
    - >-
      git commit
      -m "archlinux: Release ${BUILD_VERSION}"
      -m "This is an automated release [1]."
      -m "Maintainers: ${maintainers}"
      -m "[1] ${CI_PROJECT_URL}/-/blob/master/.gitlab-ci.yml"
    - git push -u origin "$head"
    # Title and body of the pull request are taken from the commit (--fill).
    - >-
      gh pr create
      --repo docker-library/official-images
      --fill
      --base master
      --head archlinux:"$head"