Diffstat (limited to '.gitlab-ci.yml')
-rw-r--r-- | .gitlab-ci.yml | 273 |
1 files changed, 228 insertions, 45 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d2d0d55dd4..ba61c71b2b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,45 +1,228 @@ -before_script: - - apt-get update -qq - - apt-get upgrade -qy - -build: - script: - - apt-get install -qy --fix-missing automake build-essential - libevent-dev libssl-dev zlib1g-dev - libseccomp-dev liblzma-dev libscrypt-dev - - ./autogen.sh - - ./configure --disable-asciidoc --enable-fatal-warnings - --disable-silent-rules - - make check || (e=$?; cat test-suite.log; exit $e) - - make install - -update: - only: - - schedules - script: - - "apt-get install -y --fix-missing git openssh-client" - - # Run ssh-agent (inside the build environment) - - eval $(ssh-agent -s) - - # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store - - ssh-add <(echo "$DEPLOY_KEY") - - # For Docker builds disable host key checking. Be aware that by adding that - # you are susceptible to man-in-the-middle attacks. - # WARNING: Use this only with the Docker executor, if you use it with shell - # you will overwrite your user's SSH config. - - mkdir -p ~/.ssh - - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config' - # In order to properly check the server's host key, assuming you created the - # SSH_SERVER_HOSTKEYS variable previously, uncomment the following two lines - # instead. - - mkdir -p ~/.ssh - - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts' - - echo "merging from torgit" - - git config --global user.email "labadmin@oniongit.eu" - - git config --global user.name "gitadmin" - - "mkdir tor" - - "cd tor" - - git clone --bare https://git.torproject.org/tor.git - - git push --mirror git@oniongit.eu:network/tor.git +#### +# DO NOT EDIT THIS FILE IN MASTER. ONLY EDIT IT IN THE OLDEST SUPPORTED +# BRANCH, THEN MERGE FORWARD. +#### + +# This file controls how gitlab validates Tor commits and merge requests. +# +# It is primarily based on a set of scripts and configurations by +# Hans-Christoph Steiner. It only copies parts of those scripts and +# configurations for now. 
If you want a new piece of functionality +# (more debians, more fedoras, android support) then you shouldn't +# start from scratch: have a look at the original ticket, at +# https://gitlab.torproject.org/tpo/core/tor/-/issues/32193 ! +# +# The file to copy from is +# https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/96/diffs#diff-content-587d266bb27a4dc3022bbed44dfa19849df3044c +# +# Having said that, if there is anything really stupid here, don't +# blame it on Hans-Christoph! Tor probably added it on their own. +# +# Copyright 2020, The Tor Project, Inc. +# See LICENSE for licence information. + +# These variables are set everywhere, unconditionally. +variables: + TERM: "ansi" + DEBUG_CI: "yes" + +# This template is for exporting ephemeral things from the scripts. By +# convention we expect our scripts to copy stuff into artifacts/, rather than +# having a big list of files that be treated as artifacts. +.artifacts-template: &artifacts-template + artifacts: + name: "${CI_PROJECT_PATH}_${CI_JOB_STAGE}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}" + expire_in: 1 week + when: always + paths: + - artifacts/ + +# This template should be usable on any system that's based on apt. +.apt-template: &apt-template | + export LC_ALL=C.UTF-8 + echo Etc/UTC > /etc/timezone + mkdir -p apt-cache + export APT_CACHE_DIR="$(pwd)/apt-cache" + echo 'quiet "1";' \ + 'APT::Install-Recommends "0";' \ + 'APT::Install-Suggests "0";' \ + 'APT::Acquire::Retries "20";' \ + 'APT::Get::Assume-Yes "true";' \ + 'Dpkg::Use-Pty "0";' \ + "Dir::Cache::Archives \"${APT_CACHE_DIR}\"; " \ + >> /etc/apt/apt.conf.d/99gitlab + apt-get update -qq + apt-get upgrade -qy + +# This template sets us up for Debian system in particular. +.debian-template: &debian-template + <<: *artifacts-template + variables: + DEBIAN_FRONTEND: "noninteractive" + # TODO: Using "cache" in this way speeds up our downloads. It would be + # even better, though, to start with a pre-upgraded debian image. 
+ # + # TODO: Will we have to do this differently once we have more than one + # debian version that we're using? + cache: + key: apt + paths: + - apt-cache + before_script: + - *apt-template + # Install patches unconditionally. + - apt-get install + automake + build-essential + ca-certificates + git + libevent-dev + liblzma-dev + libscrypt-dev + libseccomp-dev + libssl-dev + pkg-config + python3 + zlib1g-dev + # Install patches that we only need for some use cases. + - if [ "$ASCIIDOC" = yes ]; then apt-get install asciidoc xmlto; fi + - if [ "$DOXYGEN" = yes ]; then apt-get install doxygen; fi + - if [ "$STEM" = yes ]; then apt-get install timelimit; fi + - if [ "$CC" = clang ]; then apt-get install clang; fi + - if [ "$NSS" = yes ]; then apt-get install libnss3 libnss3-dev; fi + # TODO: This next line should not be debian-only. + - if [ "$STEM" = yes ]; then git clone --depth 1 https://git.torproject.org/stem.git ; export STEM_PATH="$(pwd)/stem"; fi + # TODO: This next line should not be debian-only. + - if [ "$CHUTNEY" = yes ]; then git clone --depth 1 https://git.torproject.org/chutney.git ; export CHUTNEY_PATH="$(pwd)/chutney"; fi + - if [ "$TRACING" = yes ]; then apt install liblttng-ust-dev; fi + +# Minmal check on debian: just make, make check. +# +debian-minimal: + image: debian:stable + <<: *debian-template + script: + - ./scripts/ci/ci-driver.sh + +##### +# Run "make check" with a hardened clang on debian stable. This takes +# care of a hardening check, and a compile-with-clang check. +# +# TODO: This will be faster once we merge #40098 and #40099. 
+debian-hardened: + image: debian:testing + <<: *debian-template + variables: + ALL_BUGS_ARE_FATAL: "yes" + HARDENING: "yes" + CC: "clang" + script: + - ./scripts/ci/ci-driver.sh + +##### +# Distcheck on debian stable +debian-distcheck: + image: debian:stable + <<: *debian-template + variables: + DISTCHECK: "yes" + CHECK: "no" + script: + - ./scripts/ci/ci-driver.sh + +##### +# Documentation tests on debian stable: doxygen and asciidoc. +debian-docs: + image: debian:stable + <<: *debian-template + variables: + DOXYGEN: "yes" + ASCIIDOC: "yes" + CHECK: "no" + RUN_STAGE_BUILD: "no" + script: + - ./scripts/ci/ci-driver.sh + +##### +# Integration tests on debian stable: chutney and stem. +# +# TODO: It would be cool if this target didn't have to re-build tor, and +# could instead re-use Tor from debian-minimal. That can be done +# with the 'artifacts' mechanism, in theory, but it would be good to +# avoid having to have a system with hundreds of artifacts. +debian-integration: + image: debian:stable + <<: *debian-template + variables: + CHECK: "no" + CHUTNEY: "yes" + CHUTNEY_MAKE_TARGET: "test-network-all" + STEM: "yes" + ALL_BUGS_ARE_FATAL: "yes" + script: + - ./scripts/ci/ci-driver.sh + +##### +# Tracing build on Debian stable. +debian-tracing: + image: debian:stable + <<: *debian-template + variables: + TRACING: "yes" + CHECK: "no" + script: + - ./scripts/ci/ci-driver.sh + # Ensure that we only run tracing when it's implemented. + # + # Once versions before 0.4.5 are obsolete, we can remove this test. + rules: + # This first "if" check prevents us from running a duplicate version of + # this pipeline whenever we push and create an MR. 
I don't understand why + # it is necessary, though the following URL purports to explain: + # + # https://docs.gitlab.com/ee/ci/yaml/#prevent-duplicate-pipelines + - if: '$CI_PIPELINE_SOURCE == "push"' + exists: + - src/lib/trace/trace_sys.c + +##### +# No-authority mode +debian-disable-dirauth: + image: debian:stable + <<: *debian-template + variables: + DISABLE_DIRAUTH: "yes" + script: + - ./scripts/ci/ci-driver.sh + +##### +# No-relay mode +debian-disable-relay: + image: debian:stable + <<: *debian-template + variables: + DISABLE_RELAY: "yes" + script: + - ./scripts/ci/ci-driver.sh + # Ensure that we only run tracing when it's implemented. + # + # Once versions before 0.4.3 are obsolete, we can remove this test. + rules: + # This first "if" check prevents us from running a duplicate version of + # this pipeline whenever we push and create an MR. I don't understand why + # it is necessary, though the following URL purports to explain: + # + # https://docs.gitlab.com/ee/ci/yaml/#prevent-duplicate-pipelines + - if: '$CI_PIPELINE_SOURCE == "push"' + exists: + - src/feature/relay/relay_stub.c + +##### +# NSS check on debian +debian-nss: + image: debian:stable + <<: *debian-template + variables: + NSS: "yes" + script: + - ./scripts/ci/ci-driver.sh |
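Review bot: The job-level `variables:` blocks replace, rather than extend, the `variables:` mapping pulled in through `<<: *debian-template`, because YAML merge keys are shallow; every job that sets its own variables (debian-hardened, debian-distcheck, debian-docs, debian-integration, debian-tracing, debian-disable-dirauth, debian-disable-relay, debian-nss) therefore runs `before_script` without `DEBIAN_FRONTEND: "noninteractive"`, and only debian-minimal keeps it. Moving that entry into the top-level `variables:` block, or adding `export DEBIAN_FRONTEND=noninteractive` to `.apt-template`, keeps it in force for all jobs. Separately, the `git clone --depth 1` lines for stem and chutney and the `debian:stable` / `debian:testing` image tags are floating references, so each pipeline executes whatever those heads point to at run time; pinning a commit or an image digest would make runs reproducible and narrow what an upstream change can bring onto the runner. The comment above debian-hardened says "debian stable" while the job uses `debian:testing`, and the comment above the `rules:` of debian-disable-relay still talks about tracing rather than the relay stub.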