Diffstat (limited to '.gitlab-ci.yml')
-rw-r--r--.gitlab-ci.yml273
1 files changed, 228 insertions, 45 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d2d0d55dd4..ba61c71b2b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,45 +1,228 @@
-before_script:
- - apt-get update -qq
- - apt-get upgrade -qy
-
-build:
- script:
- - apt-get install -qy --fix-missing automake build-essential
- libevent-dev libssl-dev zlib1g-dev
- libseccomp-dev liblzma-dev libscrypt-dev
- - ./autogen.sh
- - ./configure --disable-asciidoc --enable-fatal-warnings
- --disable-silent-rules
- - make check || (e=$?; cat test-suite.log; exit $e)
- - make install
-
-update:
- only:
- - schedules
- script:
- - "apt-get install -y --fix-missing git openssh-client"
-
- # Run ssh-agent (inside the build environment)
- - eval $(ssh-agent -s)
-
- # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
- - ssh-add <(echo "$DEPLOY_KEY")
-
- # For Docker builds disable host key checking. Be aware that by adding that
- # you are susceptible to man-in-the-middle attacks.
- # WARNING: Use this only with the Docker executor, if you use it with shell
- # you will overwrite your user's SSH config.
- - mkdir -p ~/.ssh
- - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
- # In order to properly check the server's host key, assuming you created the
- # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines
- # instead.
- - mkdir -p ~/.ssh
- - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
- - echo "merging from torgit"
- - git config --global user.email "labadmin@oniongit.eu"
- - git config --global user.name "gitadmin"
- - "mkdir tor"
- - "cd tor"
- - git clone --bare https://git.torproject.org/tor.git
- - git push --mirror git@oniongit.eu:network/tor.git
+####
+# DO NOT EDIT THIS FILE IN MASTER. ONLY EDIT IT IN THE OLDEST SUPPORTED
+# BRANCH, THEN MERGE FORWARD.
+####
+
+# This file controls how gitlab validates Tor commits and merge requests.
+#
+# It is primarily based on a set of scripts and configurations by
+# Hans-Christoph Steiner. It only copies parts of those scripts and
+# configurations for now. If you want a new piece of functionality
+# (more debians, more fedoras, android support) then you shouldn't
+# start from scratch: have a look at the original ticket, at
+# https://gitlab.torproject.org/tpo/core/tor/-/issues/32193 !
+#
+# The file to copy from is
+# https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/96/diffs#diff-content-587d266bb27a4dc3022bbed44dfa19849df3044c
+#
+# Having said that, if there is anything really stupid here, don't
+# blame it on Hans-Christoph! Tor probably added it on their own.
+#
+# Copyright 2020, The Tor Project, Inc.
+# See LICENSE for licence information.
+
+# These variables are set everywhere, unconditionally.
+variables:
+ TERM: "ansi"
+ DEBUG_CI: "yes"
+
+# This template is for exporting ephemeral things from the scripts. By
+# convention we expect our scripts to copy stuff into artifacts/, rather than
+# having a big list of files that be treated as artifacts.
+.artifacts-template: &artifacts-template
+ artifacts:
+ name: "${CI_PROJECT_PATH}_${CI_JOB_STAGE}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}"
+ expire_in: 1 week
+ when: always
+ paths:
+ - artifacts/
+
+# This template should be usable on any system that's based on apt.
+.apt-template: &apt-template |
+ export LC_ALL=C.UTF-8
+ echo Etc/UTC > /etc/timezone
+ mkdir -p apt-cache
+ export APT_CACHE_DIR="$(pwd)/apt-cache"
+ echo 'quiet "1";' \
+ 'APT::Install-Recommends "0";' \
+ 'APT::Install-Suggests "0";' \
+ 'APT::Acquire::Retries "20";' \
+ 'APT::Get::Assume-Yes "true";' \
+ 'Dpkg::Use-Pty "0";' \
+ "Dir::Cache::Archives \"${APT_CACHE_DIR}\"; " \
+ >> /etc/apt/apt.conf.d/99gitlab
+ apt-get update -qq
+ apt-get upgrade -qy
+
+# This template sets us up for Debian system in particular.
+.debian-template: &debian-template
+ <<: *artifacts-template
+ variables:
+ DEBIAN_FRONTEND: "noninteractive"
+ # TODO: Using "cache" in this way speeds up our downloads. It would be
+ # even better, though, to start with a pre-upgraded debian image.
+ #
+ # TODO: Will we have to do this differently once we have more than one
+ # debian version that we're using?
+ cache:
+ key: apt
+ paths:
+ - apt-cache
+ before_script:
+ - *apt-template
+ # Install patches unconditionally.
+ - apt-get install
+ automake
+ build-essential
+ ca-certificates
+ git
+ libevent-dev
+ liblzma-dev
+ libscrypt-dev
+ libseccomp-dev
+ libssl-dev
+ pkg-config
+ python3
+ zlib1g-dev
+ # Install patches that we only need for some use cases.
+ - if [ "$ASCIIDOC" = yes ]; then apt-get install asciidoc xmlto; fi
+ - if [ "$DOXYGEN" = yes ]; then apt-get install doxygen; fi
+ - if [ "$STEM" = yes ]; then apt-get install timelimit; fi
+ - if [ "$CC" = clang ]; then apt-get install clang; fi
+ - if [ "$NSS" = yes ]; then apt-get install libnss3 libnss3-dev; fi
+ # TODO: This next line should not be debian-only.
+ - if [ "$STEM" = yes ]; then git clone --depth 1 https://git.torproject.org/stem.git ; export STEM_PATH="$(pwd)/stem"; fi
+ # TODO: This next line should not be debian-only.
+ - if [ "$CHUTNEY" = yes ]; then git clone --depth 1 https://git.torproject.org/chutney.git ; export CHUTNEY_PATH="$(pwd)/chutney"; fi
+ - if [ "$TRACING" = yes ]; then apt install liblttng-ust-dev; fi
+
+# Minmal check on debian: just make, make check.
+#
+debian-minimal:
+ image: debian:stable
+ <<: *debian-template
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# Run "make check" with a hardened clang on debian stable. This takes
+# care of a hardening check, and a compile-with-clang check.
+#
+# TODO: This will be faster once we merge #40098 and #40099.
+debian-hardened:
+ image: debian:testing
+ <<: *debian-template
+ variables:
+ ALL_BUGS_ARE_FATAL: "yes"
+ HARDENING: "yes"
+ CC: "clang"
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# Distcheck on debian stable
+debian-distcheck:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ DISTCHECK: "yes"
+ CHECK: "no"
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# Documentation tests on debian stable: doxygen and asciidoc.
+debian-docs:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ DOXYGEN: "yes"
+ ASCIIDOC: "yes"
+ CHECK: "no"
+ RUN_STAGE_BUILD: "no"
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# Integration tests on debian stable: chutney and stem.
+#
+# TODO: It would be cool if this target didn't have to re-build tor, and
+# could instead re-use Tor from debian-minimal. That can be done
+# with the 'artifacts' mechanism, in theory, but it would be good to
+# avoid having to have a system with hundreds of artifacts.
+debian-integration:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ CHECK: "no"
+ CHUTNEY: "yes"
+ CHUTNEY_MAKE_TARGET: "test-network-all"
+ STEM: "yes"
+ ALL_BUGS_ARE_FATAL: "yes"
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# Tracing build on Debian stable.
+debian-tracing:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ TRACING: "yes"
+ CHECK: "no"
+ script:
+ - ./scripts/ci/ci-driver.sh
+ # Ensure that we only run tracing when it's implemented.
+ #
+ # Once versions before 0.4.5 are obsolete, we can remove this test.
+ rules:
+ # This first "if" check prevents us from running a duplicate version of
+ # this pipeline whenever we push and create an MR. I don't understand why
+ # it is necessary, though the following URL purports to explain:
+ #
+ # https://docs.gitlab.com/ee/ci/yaml/#prevent-duplicate-pipelines
+ - if: '$CI_PIPELINE_SOURCE == "push"'
+ exists:
+ - src/lib/trace/trace_sys.c
+
+#####
+# No-authority mode
+debian-disable-dirauth:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ DISABLE_DIRAUTH: "yes"
+ script:
+ - ./scripts/ci/ci-driver.sh
+
+#####
+# No-relay mode
+debian-disable-relay:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ DISABLE_RELAY: "yes"
+ script:
+ - ./scripts/ci/ci-driver.sh
+ # Ensure that we only run tracing when it's implemented.
+ #
+ # Once versions before 0.4.3 are obsolete, we can remove this test.
+ rules:
+ # This first "if" check prevents us from running a duplicate version of
+ # this pipeline whenever we push and create an MR. I don't understand why
+ # it is necessary, though the following URL purports to explain:
+ #
+ # https://docs.gitlab.com/ee/ci/yaml/#prevent-duplicate-pipelines
+ - if: '$CI_PIPELINE_SOURCE == "push"'
+ exists:
+ - src/feature/relay/relay_stub.c
+
+#####
+# NSS check on debian
+debian-nss:
+ image: debian:stable
+ <<: *debian-template
+ variables:
+ NSS: "yes"
+ script:
+ - ./scripts/ci/ci-driver.sh
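Review bot: `DEBIAN_FRONTEND: "noninteractive"` from `.debian-template` does not reach most of these jobs, because the `<<:` merge key is shallow and, as far as the flattened indentation on this page shows, each job's own `variables:` sits beside the merge and replaces the template's mapping outright. That affects debian-hardened, debian-distcheck, debian-docs, debian-integration, debian-tracing, debian-disable-dirauth, debian-disable-relay and debian-nss; only debian-minimal keeps the setting. Moving it to the top-level block as `DEBIAN_FRONTEND: "noninteractive"`, next to `TERM` and `DEBUG_CI`, lets GitLab combine it with each job's variables. Separately, the comment above `rules:` in debian-disable-relay was copied from debian-tracing and should read something like `# Ensure that we only run this job when the relay stub exists.` The stem and chutney clones in `before_script` also take whatever the remote HEAD is at run time and the images are floating tags (`debian:stable`, `debian:testing`), so pinning a ref or image digest would tie each pipeline result to a known revision of what it executes.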