# Image for every job that does not set its own `image:`.
# NOTE(review): `latest` is a mutable tag. For the rootfs jobs that is arguably
# intended (they want a current Arch to build from); the images that run with
# credentials (kaniko, curl, release-cli, crane below) are the ones worth
# pinning by digest.
default:
  image: 'archlinux:latest'

# Pipeline order. get_version runs ahead of all of these in the built-in `.pre`
# stage and feeds BUILD_VERSION / PACKAGE_REGISTRY_URL to the rest via dotenv.
stages:
  - lint      # hadolint over Dockerfile.template
  - rootfs    # `make` builds the base / base-devel tarballs + Dockerfiles
  - image     # kaniko builds and pushes the images
  - test      # smoke tests run inside the pushed images
  - upload    # tarballs to the package registry, Dockerfiles committed to git
  - release   # git tag + GitLab release with asset links
  - publish   # floating Docker Hub tags (base, latest, base-devel)

lint:
  image: hadolint/hadolint:latest
  stage: lint
  script:
    # DL3007: the multistage build intentionally references the `latest` tag.
    # DL3020 (ADD instead of COPY): presumably needed because the template fetches
    # the rootfs tarball by URL (TEMPLATE_ROOTFS_URL) — confirm against
    # Dockerfile.template.
    - hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template

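get_version:
  # Runs before every pipeline (`.pre`) and hands BUILD_VERSION and
  # PACKAGE_REGISTRY_URL to all later jobs through the dotenv artifact.
  stage: .pre
  script:
    - |
      # If we're building a tagged release, use the tag (without the 'v' prefix) as the
      # BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
      # `${CI_COMMIT_TAG#v}` strips only a leading 'v'; the previous
      # `${CI_COMMIT_TAG/v/}` removed the first 'v' found anywhere in the tag.
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        echo "BUILD_VERSION=${CI_COMMIT_TAG#v}" > build.env
      else
        echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
      fi
    - export $(< build.env)
    - |
      # BUILD_VERSION ends up in package-registry URL paths, image tags
      # (kaniko --destination, crane tag) and a git tag name. Fail early unless it
      # is a plain Docker-tag-safe token instead of trusting whatever was pushed
      # as a tag name.
      if ! [[ "$BUILD_VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
        echo "Refusing BUILD_VERSION='$BUILD_VERSION': not a valid image tag" >&2
        exit 1
      fi
    - echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
  artifacts:
    reports:
      dotenv: build.env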

.rootfs:
  # Shared by rootfs and rootfs:secure: installs what the Makefile needs
  # (presumably — the Makefile is not visible here), builds the tarball and
  # Dockerfile into output/ and passes them to the image stage as short-lived
  # artifacts.
  stage: rootfs
  before_script:
    - pacman -Syu --noconfirm make devtools fakechroot fakeroot
  artifacts:
    expire_in: 2h
    paths:
      - output/*

rootfs:
  # Unprivileged variant for ordinary branches. master, add-base-devel-tags and
  # scheduled pipelines are handled by rootfs:secure on the `secure` runners;
  # tag pipelines build no rootfs at all (they use the committed ci/<group>
  # Dockerfiles).
  extends: .rootfs
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - add-base-devel-tags
    - schedules
    - tags
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP

rootfs:secure:
  # Same build as rootfs, but on the `secure` runners for master,
  # add-base-devel-tags and scheduled pipelines. Never runs on tags: tag
  # pipelines build from the committed ci/<group>/Dockerfile instead.
  extends: .rootfs
  tags:
    - secure
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  only:
    - master
    - add-base-devel-tags
    - schedules
  except:
    - tags
  script:
    - make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP

.image:
  # Shared kaniko job: builds output/Dockerfile.$GROUP (artifact of the rootfs
  # stage) and pushes it to this project's registry as <group>-<ref-slug>.
  # The registry credentials in /kaniko/.docker/config.json are written by the
  # concrete jobs' before_script.
  # NOTE(review): `executor:debug` is a mutable tag and the jobs extending this
  # hold registry (and, for publishing, Docker Hub) credentials — pinning the
  # executor by digest would be prudent; TODO pick the digest.
  stage: image
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/output
      --dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
      --destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG

image:build:
  # Unprivileged build for the refs that rootfs (not rootfs:secure) covers.
  # Authenticates to the project registry with the job-scoped registry
  # credentials GitLab provides.
  extends: .image
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  except:
    - master
    - add-base-devel-tags
    - schedules
    - tags
  before_script:
    # Plain string interpolation: a password containing `"` or `\` would yield
    # invalid JSON. Fine for the job token; keep in mind if the credential source
    # ever changes.
    - |
      echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json

image:build:secure:
  # Same build as image:build, but for master / add-base-devel-tags / scheduled
  # pipelines on the `secure` runners, pushing with GITLAB_PROJECT_USER /
  # GITLAB_PROJECT_TOKEN.
  # NOTE(review): that token is also sent as PRIVATE-TOKEN to the commits API
  # (upload_and_commit_rootfs), i.e. it carries `api` scope — far more than a
  # registry push needs. If the job token (CI_REGISTRY_USER /
  # CI_REGISTRY_PASSWORD, as in image:build) can push here as well, prefer it
  # and keep the wide-scope token out of this job.
  extends: .image
  tags:
    - secure
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  only:
    - master
    - add-base-devel-tags
    - schedules
  except:
    - tags
  before_script:
    - |
      echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json

image:publish:secure:
  # Tag pipelines only: builds ci/<group>/Dockerfile — the file committed by
  # upload_and_commit_rootfs with the tarball's public URL and SHA256 line
  # substituted in — and pushes archlinux/archlinux:<group>-<BUILD_VERSION> to
  # Docker Hub.
  # NOTE(review): DOCKER_USERNAME / DOCKER_ACCESS_TOKEN should be protected
  # variables and the release tags (v*) protected refs, so that an arbitrary tag
  # push cannot run this job with the Hub credentials — not verifiable here.
  extends: .image
  tags:
    - secure
  only:
    - tags
  parallel:
    matrix:
      - GROUP:
          - base
          - base-devel
  before_script:
    - |
      echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
  script:
    - >-
      /kaniko/executor
      --whitelist-var-run="false"
      --context $CI_PROJECT_DIR/ci/$GROUP
      --dockerfile $CI_PROJECT_DIR/ci/$GROUP/Dockerfile
      --destination archlinux/archlinux:$GROUP-$BUILD_VERSION

.test:
  # Smoke test of a freshly pushed image: the concrete jobs set `image:` to it,
  # so these commands run inside that container. `dependencies: []` skips the
  # artifact download — nothing from earlier stages is needed here.
  stage: test
  dependencies: []
  except:
    refs:
      - tags
  only:
    variables:
      # Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
      # This is fine as at this point we're sure that the release works anyway.
      - $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
  script:
    - pacman -Sy
    # -Qk: every file owned by every installed package must be present — an
    # integrity check of the shipped rootfs. Then a full upgrade + install must
    # still work.
    - pacman -Qqk
    - pacman -Syu --noconfirm docker grep
    - docker -v
    - id -u http
    - locale | grep -q UTF-8

test:base:
  # Run the .test checks inside the base image image:build pushed for this ref.
  image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
  extends: .test

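test:base-devel:
  # Run the .test checks inside the base-devel image, plus a toolchain check.
  image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
  extends: .test
  # gcc/g++/make used to be checked from after_script, whose exit status does
  # not affect the job result — a base-devel image with a broken toolchain still
  # passed. Running them from script makes the check a real gate. The first six
  # lines duplicate .test's script because `extends` replaces the list rather
  # than appending to it.
  script:
    - pacman -Sy
    - pacman -Qqk
    - pacman -Syu --noconfirm docker grep
    - docker -v
    - id -u http
    - locale | grep -q UTF-8
    - gcc -v
    - g++ -v
    - make -v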

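upload_and_commit_rootfs:
  # Scheduled-publish only, on the `secure` runners. Uploads each group's rootfs
  # tarball and its .SHA256 file to the project's generic package registry
  # (rootfs/${BUILD_VERSION}), renders ci/<group>/Dockerfile from
  # Dockerfile.template with the public download URL and hash, and commits both
  # Dockerfiles to the add-base-devel-tags branch through the commits API.
  stage: upload
  image: curlimages/curl:latest
  tags:
    - secure
  only:
    refs:
      - schedules
    variables:
      - $SCHEDULED_PUBLISH == "TRUE"
  script:
    - |
      # `--fail` makes curl exit non-zero on an HTTP error. Without it a rejected
      # upload (403, duplicate, ...) still returned 0, the job went green and the
      # Dockerfiles committed below pointed at an artifact that was never stored.
      for group in base base-devel; do
        # The .SHA256 file names the tarball; rename it to the versioned file name
        # it is published (and later verified) under.
        sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
        curl --fail --silent --show-error --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \
          --upload-file output/${group}.tar.xz \
          "${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz"
        curl --fail --silent --show-error --header "JOB-TOKEN: ${CI_JOB_TOKEN}" \
          --upload-file output/${group}.tar.xz.SHA256 \
          "${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256"
        # Drop the TEMPLATE_ROOTFS_FILE line (presumably the local-tarball path
        # used by in-tree builds); the published Dockerfile gets the URL and the
        # SHA256 line substituted in instead.
        sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > ci/${group}/Dockerfile
        package_url=$(ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
        # An empty URL would produce a Dockerfile that cannot fetch its rootfs;
        # stop here rather than committing it.
        [ -n "${package_url}" ] || { echo "No public download URL for ${group}-${BUILD_VERSION}.tar.xz" >&2; exit 1; }
        sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" ci/${group}/Dockerfile
        sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" ci/${group}/Dockerfile
      done
    # GITLAB_PROJECT_TOKEN needs `api` scope and push access to
    # add-base-devel-tags. `--fail` again so a rejected commit fails the job
    # (`--fail-with-body`, curl >= 7.76, would additionally keep the API's error
    # message in the log).
    - >
      curl --fail --silent --show-error --request POST
      --header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
      --form "branch=add-base-devel-tags"
      --form "commit_message=Release ${BUILD_VERSION}"
      --form "actions[][action]=update"
      --form "actions[][file_path]=ci/base/Dockerfile"
      --form "actions[][content]=<ci/base/Dockerfile"
      --form "actions[][action]=update"
      --form "actions[][file_path]=ci/base-devel/Dockerfile"
      --form "actions[][content]=<ci/base-devel/Dockerfile"
      "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"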

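release:
  # Scheduled-publish only: creates the v${BUILD_VERSION} tag on the head of
  # add-base-devel-tags (where upload_and_commit_rootfs just committed the
  # Dockerfiles) and a GitLab release whose asset links point at the rootfs
  # tarballs in the package registry. The resulting tag pipeline is what runs
  # the `only: tags` jobs (image:publish:secure, publish).
  # NOTE(review): `--ref` names the branch, so whatever is at its head at this
  # instant gets tagged and published. Passing the commit SHA returned by the
  # commits API in the upload job (e.g. via a dotenv artifact) would make the
  # tag immune to an unrelated push landing in between.
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  tags:
    - secure
  only:
    refs:
      - schedules
    variables:
      - $SCHEDULED_PUBLISH == "TRUE"
  before_script:
    # Presumably used by ci/get-public-download-for-generic-package.sh — confirm.
    - apk add jq curl
  script:
    - |
      base_url=$(ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
      base_sha_url=$(ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
      # Fixed: this looked up base-${BUILD_VERSION}.tar.xz (copy-paste), so the
      # base-devel asset link on every release pointed at the base tarball.
      base_devel_url=$(ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz)
      base_devel_sha_url=$(ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
      # Do not publish a release with empty asset URLs (the helper may print
      # nothing if the package lookup finds no match).
      for url in "$base_url" "$base_sha_url" "$base_devel_url" "$base_devel_sha_url"; do
        [ -n "$url" ] || { echo "Could not resolve a public download URL for the release assets" >&2; exit 1; }
      done

      # TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
      # But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
      release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
      --tag-name v${BUILD_VERSION} --ref "add-base-devel-tags" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
      --assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
      --assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"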

# Publish base, base-devel and the floating `latest` tag to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
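publish:
  # Tag pipelines only: point the floating Docker Hub tags (base, latest,
  # base-devel) at the versioned images image:publish:secure just pushed.
  # NOTE(review): `crane tag` re-resolves `<group>-$BUILD_VERSION` by name for
  # each call; resolving the digest once (`crane digest`) and tagging that would
  # guarantee base and latest land on the same manifest even if the versioned
  # tag were re-pushed in between — worth considering, not changed here.
  stage: publish
  tags:
    - secure
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  variables:
    # Nothing from the repository is needed; skip the checkout.
    GIT_STRATEGY: none
  only:
    - tags
  before_script:
    # The token was expanded unquoted, i.e. word-split and glob-expanded by the
    # shell; printf + quoting passes the secret through verbatim regardless of
    # its characters (crane strips the trailing newline from --password-stdin).
    - printf '%s\n' "$DOCKER_ACCESS_TOKEN" | crane auth login -u "$DOCKER_USERNAME" --password-stdin index.docker.io
  script:
    - crane tag archlinux/archlinux:base-$BUILD_VERSION base
    - crane tag archlinux/archlinux:base-$BUILD_VERSION latest
    - crane tag archlinux/archlinux:base-devel-$BUILD_VERSION base-devel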

# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
# publish:official:
# TODO No idea right now how we're going to automatically do the official Docker Hub pull request