Newer
Older
default:
image: "archlinux:latest"
lint:
stage: lint
image: hadolint/hadolint:latest
# DL3007: We use the latest tag for multistage build
script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
get_version:
stage: .pre
script:
- |
# If we're building a tagged release, use the tag (without the 'v' prefix) as the
# BUILD_VERSION. Otherwise, determine a new BUILD_VERSION.
if [[ -n "$CI_COMMIT_TAG" ]]; then
echo "BUILD_VERSION=${CI_COMMIT_TAG/v/}" > build.env
else
echo "BUILD_VERSION=$(date +%Y%m%d).0.$CI_JOB_ID" > build.env
- echo "PACKAGE_REGISTRY_URL=${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/rootfs/${BUILD_VERSION}" >> build.env
stage: rootfs
before_script:
- pacman -Syu --noconfirm make devtools fakechroot fakeroot
artifacts:
paths:
rootfs:
parallel:
matrix:
- GROUP: [base, base-devel]
- make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
rootfs:secure:
extends: .rootfs
tags:
- secure
only:
- master
parallel:
matrix:
- GROUP: [base, base-devel]
- make $PWD/output/$GROUP.tar.xz $PWD/output/Dockerfile.$GROUP
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
script:
- /kaniko/executor
--whitelist-var-run="false"
--context $CI_PROJECT_DIR/output
--dockerfile $CI_PROJECT_DIR/output/Dockerfile.$GROUP
--destination $CI_REGISTRY_IMAGE:$GROUP-$CI_COMMIT_REF_SLUG
image:build:
parallel:
matrix:
- GROUP: [base, base-devel]
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
image:build:secure:
- add-base-devel-tags
parallel:
matrix:
- GROUP: [base, base-devel]
before_script:
- echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$GITLAB_PROJECT_USER\",\"password\":\"$GITLAB_PROJECT_TOKEN\"}}}" > /kaniko/.docker/config.json
image:publish:secure:
extends: .image
tags:
- secure
only:
- tags
parallel:
matrix:
- GROUP: [base, base-devel]
- echo "{\"auths\":{\"https://index.docker.io/v1/\":{\"username\":\"$DOCKER_USERNAME\",\"password\":\"$DOCKER_ACCESS_TOKEN\"}}}" > /kaniko/.docker/config.json
script:
- /kaniko/executor
--whitelist-var-run="false"
--context $CI_PROJECT_DIR/ci/$GROUP
--dockerfile $CI_PROJECT_DIR/ci/$GROUP/Dockerfile
--destination archlinux/archlinux:$GROUP-$BUILD_VERSION
only:
variables:
# Workaround for https://gitlab.com/gitlab-org/gitlab/-/issues/259663
# This is fine as at this point we're sure that the release works anyway.
- $GITLAB_USER_EMAIL != "project10185_bot2@example.com"
except:
refs:
- tags
script:
- pacman -Sy
- pacman -Qqk
- pacman -Syu --noconfirm docker grep
- docker -v
- id -u http
- locale | grep -q UTF-8
test:base:
extends: .test
image: $CI_REGISTRY_IMAGE:base-$CI_COMMIT_REF_SLUG
image: $CI_REGISTRY_IMAGE:base-devel-$CI_COMMIT_REF_SLUG
after_script:
- gcc -v
- g++ -v
- make -v
upload_and_commit_rootfs:
stage: upload
image: curlimages/curl:latest
tags:
- secure
only:
refs:
- schedules
variables:
- $SCHEDULED_PUBLISH == "TRUE"
script:
sed -i "s|${group}.tar.xz|${group}-${BUILD_VERSION}.tar.xz|" output/${group}.tar.xz.SHA256
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz
curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file output/${group}.tar.xz.SHA256 ${PACKAGE_REGISTRY_URL}/${group}-${BUILD_VERSION}.tar.xz.SHA256
sed "/TEMPLATE_ROOTFS_FILE/d" Dockerfile.template > ci/${group}/Dockerfile
package_url=$(ci/get-public-download-for-generic-package.sh ${group}-${BUILD_VERSION}.tar.xz)
sed -i "s|TEMPLATE_ROOTFS_URL|${package_url}|" ci/${group}/Dockerfile
sed -i "s|TEMPLATE_ROOTFS_HASH|$(cat output/${group}.tar.xz.SHA256)|" ci/${group}/Dockerfile
--header "PRIVATE-TOKEN: ${GITLAB_PROJECT_TOKEN}"
--form "commit_message=Release ${BUILD_VERSION}"
--form "actions[][action]=update"
--form "actions[][file_path]=ci/base/Dockerfile"
--form "actions[][content]=<ci/base/Dockerfile"
--form "actions[][action]=update"
--form "actions[][file_path]=ci/base-devel/Dockerfile"
--form "actions[][content]=<ci/base-devel/Dockerfile"
"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/repository/commits"
image: registry.gitlab.com/gitlab-org/release-cli:latest
base_url=$(ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
base_sha_url=$(ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz.SHA256)
base_devel_url=$(ci/get-public-download-for-generic-package.sh base-${BUILD_VERSION}.tar.xz)
base_devel_sha_url=$(ci/get-public-download-for-generic-package.sh base-devel-${BUILD_VERSION}.tar.xz.SHA256)
# TODO: We should actually be able to do something like \"url\":\"${PACKAGE_REGISTRY_URL}/base-${BUILD_VERSION}.tar.xz\"
# But it doesn't appear that those downloads are public. I consider this a bug and hopefully it's fixed in a future version!
release-cli create --name "Release ${BUILD_VERSION}" --description "Release ${BUILD_VERSION}" \
--tag-name v${BUILD_VERSION} --ref "add-base-devel-tags" \
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_url}\"}" \
--assets-link "{\"name\":\"base-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_sha_url}\"}" \
--assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz\",\"url\":\"${base_devel_url}\"}" \
--assets-link "{\"name\":\"base-devel-${BUILD_VERSION}.tar.xz.SHA256\",\"url\":\"${base_devel_sha_url}\"}"
# Publish base to the Arch Linux group namespace: https://hub.docker.com/r/archlinux/archlinux
stage: publish
tags:
- secure
image:
name: gcr.io/go-containerregistry/crane:debug
entrypoint: [""]
variables:
GIT_STRATEGY: none
- echo $DOCKER_ACCESS_TOKEN | crane auth login -u $DOCKER_USERNAME --password-stdin index.docker.io
- crane tag archlinux/archlinux:base-$BUILD_VERSION base
- crane tag archlinux/archlinux:base-$BUILD_VERSION latest
- crane tag archlinux/archlinux:base-devel-$BUILD_VERSION base-devel
# Publish to the official Docker namespace: https://hub.docker.com/_/archlinux
# publish:official:
# TODO No idea right now how we're going to automatically do the official Docker Hub pull request