File: salsa-ci.yml

linux 6.18.9-1
include:
  # Shared Salsa CI pipeline definition, fetched over HTTPS when the
  # pipeline is created. The hidden templates used further down
  # (.build-definition, .test-*, ...) are not defined in this file and
  # presumably come from here.
  # NOTE(review): the URL follows the mutable `master` branch, so the job
  # definitions that run in this project can change without any commit
  # here. Use a tag or commit id in the path if the pipeline definition
  # must be reviewed and reproducible.
  - remote: 'https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml'

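# Pipeline-wide variables. All values are written as quoted strings so
# that no YAML parser re-types them (CI variables are strings anyway).
variables:
  RELEASE: 'unstable'
  # Run lintian from the above release
  SALSA_CI_IMAGES_LINTIAN: '${SALSA_CI_IMAGES}/lintian:${RELEASE}'
  # Make that build quicker
  DEB_BUILD_PROFILES: 'pkg.linux.quick'
  # We have to bump the version in source preparation, not later
  SALSA_CI_DISABLE_VERSION_BUMP: 'true'
  # Output is limited to 4 MiB total, so use 'terse'.
  # Current runners have 2 CPUs but have slow I/O so 'parallel=4' is
  # a bit faster.
  DEB_BUILD_OPTIONS: 'terse parallel=4'
  # Set to 1, yes or true to skip the build-arm64 job (matched by the
  # first rule of that job).
  DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64: '0'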

# Pipeline stages, in execution order. sign-code and build-signed are the
# stages added for signed packages; the jobs of the same names in this
# file run in them.
# NOTE(review): a top-level `stages` list here presumably replaces the
# list from the included pipeline instead of extending it, so every stage
# used by an included job has to be listed - confirm against the include.
stages:
  - provisioning
  - build
  - publish
  - sign-code
  - build-signed
  - test

# Provisioning job: makes the upstream orig tarball(s) available in the
# `orig/` directory, which is kept in a cache keyed on ${RELEASE}.
orig:
  stage: provisioning
  image: $SALSA_CI_IMAGES_BASE
  # The `build` job pulls the cache with this same key.
  cache:
    key: "orig-${RELEASE}"
    paths:
      - orig
  extends:
    - .artifacts-default-expire
  # Not run when the pipeline is for a tag.
  except:
    variables:
      - $CI_COMMIT_TAG != null
  script:
    # Move orig tarball cache: anything restored into orig/ goes up to the
    # parent directory and the then-empty directory is removed.
    - |
      if [ -d orig ]; then
          mv orig/* ..
          rmdir orig
      fi

    - apt-get update
    - eatmydata apt-get install --no-install-recommends -y devscripts git
    # Leaves the orig tarball(s) in the parent directory; the last step
    # picks them up from there.
    # NOTE(review): nothing visible in this job checks a cached or freshly
    # fetched tarball against a known hash or signature - confirm that the
    # tools called here, or a later step, verify it.
    - USCAN_VCS_EXPORT_UNCOMPRESSED=yes origtargz -dt

    # Move orig tarballs back to where GitLab wants them
    - mkdir orig
    - mv ../*.orig.tar.* orig

# Our modified build jobs

# Main package build. Prepares a source package with a "+salsaci" version
# suffix, stores it in ${WORKING_DIR}, then builds it with the build
# command assembled by the .build-* script fragments. Those fragments and
# .build-definition are not defined in this file.
build:
  timeout: 3 hours
  cache:
    # Orig tarballs produced by the `orig` job; read-only here.
    - key: "orig-${RELEASE}"
      paths:
        - orig
      policy: pull
    # Compiler cache, one per build/host architecture pair.
    - key: "build-${BUILD_ARCH}_${HOST_ARCH}"
      paths:
        - .ccache
  needs:
    - job: orig
  extends:
    - .build-definition
  # Never on tag pipelines; otherwise always.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    # Do the same as the common .build-definition script
    - !reference [.build-before-script]
    - !reference [.build-script-setup-environment]

    # Move orig tarball cache
    - |
      if [ -d orig ]; then
          mv orig/* ..
          rmdir orig
      fi

    # Install dependencies of gencontrol.py and debian/rules orig
    - apt-get update
    - |
      eatmydata apt-get install --no-install-recommends -y \
        debhelper \
        kernel-wedge \
        python3 \
        python3-dacite \
        python3-debian \
        python3-jinja2 \
        quilt \
        rsync

    # Source name and version come from debian/changelog; upstream_version
    # is the version with its last "-<revision>" part removed.
    # NOTE(review): these values are expanded unquoted in the commands
    # below - assumes they never contain whitespace or glob characters.
    - source=$(dpkg-parsechangelog -SSource)
    - version=$(dpkg-parsechangelog -SVersion)
    - upstream_version=$(echo $version | sed 's/-[^-]*$//')

    # Fudge source version and distribution *before* gencontrol.py:
    # on line 1 of debian/changelog, append "+salsaci" to the version and
    # set the distribution to UNRELEASED; keep $version in step with that.
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci

    # Merge upstream source
    - debian/rules orig

    # Put packed source in artifacts (unsigned, source-only build that
    # includes the orig tarball and skips the build-dependency check)
    - dpkg-buildpackage -uc -us -S -sa -d
    - mkdir -p ${WORKING_DIR}
    - mv ../${source}_${upstream_version}.orig.tar.xz ../${source}_${version}.dsc ../${source}_${version}.debian.tar.xz ../${source}_${version}_source.buildinfo ../${source}_${version}_source.changes ${WORKING_DIR}

    # Hand the working and ccache directories to the salsa-ci user.
    - chown -R 'salsa-ci:' ${WORKING_DIR} ${CCACHE_DIR}

    - !reference [.build-script-setup-build-command]

    # Point the shared build command at the .dsc prepared above.
    - cd ${WORKING_DIR}
    - export BUILD_COMMAND="${BUILD_COMMAND} ${source}_${version}.dsc"

    - !reference [.build-script-run-build-command]
  after_script:
    # pass the RELEASE_FROM_CHANGELOG envvar to any consecutive job
    - echo "RELEASE_FROM_CHANGELOG=${RELEASE_FROM_CHANGELOG}" | tee ${CI_PROJECT_DIR}/salsa.env
    - ls -l ${CI_PROJECT_DIR}/salsa.env
    - cat ${CI_PROJECT_DIR}/salsa.env
    - !reference [.build-after-script]

# Same build as `build`, run with BUILD_ARCH=arm64 on a runner tagged
# arm64. The rules are evaluated top to bottom and the first match wins.
# NOTE(review): this `rules` list presumably replaces the one inherited
# from `build` rather than being merged with it, so the tag exclusion
# found there is not repeated here - confirm tag pipelines are handled
# elsewhere.
build-arm64:
  extends: build
  image: $SALSA_CI_IMAGES_BUILD_ARM64
  variables:
    BUILD_ARCH: 'arm64'
  tags:
    - arm64
  rules:
    # Explicit opt-out.
    - if: $DEBIAN_KERNEL_DISABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/
      when: never
    # Make it possible to override the rules below. E.g. when a project fork
    # has an ARM64 runner available.
    - if: $DEBIAN_KERNEL_ENABLE_BUILD_PACKAGE_ARM64 =~ /^(1|yes|true)$/
      when: always
    # While there isn't an ARM shared runner available, let's run this job
    # manually in forks of the kernel-team/linux project, and in branches other
    # than the default branch, and allow it to fail in that case
    - if: $CI_PROJECT_NAMESPACE != "kernel-team"
      allow_failure: true
      when: manual
    - if: $CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH
      allow_failure: true
      when: manual
    # Default branch of the kernel-team namespace: always build.
    - when: always

# The following jobs are the standard tests, excluding any that
# require building again

# lintian over the .changes files found in ${WORKING_DIR}, taken from the
# artifacts of both the unsigned and the signed build.
lintian:
  extends: .test-lintian
  needs:
    - job: build
      artifacts: true
    - job: build-signed
      artifacts: true
  script:
    # The two hard-coded suppressed tags presumably follow from the
    # `build` job rewriting the changelog distribution to UNRELEASED.
    # A failing status is kept in ECODE so the JUnit conversion below
    # still runs; the last step exits with it (0 when ECODE is unset).
    # NOTE(review): ECODE reflects lintian rather than tee only if the
    # job shell has `pipefail` enabled - confirm for the runner in use.
    - >-
      lintian
      --suppress-tags 'unreleased-changes,changelog-distribution-does-not-match-changes-file'
      --suppress-tags "${SALSA_CI_LINTIAN_SUPPRESS_TAGS}"
      --display-info --pedantic --fail-on error --allow-root
      ${SALSA_CI_LINTIAN_SHOW_OVERRIDES_ARG} ${SALSA_CI_LINTIAN_ARGS}
      ${WORKING_DIR}/*.changes | tee lintian.output || ECODE=$?
    - lintian2junit.py --lintian-file lintian.output > ${WORKING_DIR}/lintian.xml
    - exit ${ECODE-0}

# Standard autopkgtest job, taken unchanged from the .test-autopkgtest
# template (not defined in this file).
autopkgtest:
  extends:
    - .test-autopkgtest

# Standard blhc job, taken unchanged from the .test-blhc template (not
# defined in this file).
blhc:
  extends:
    - .test-blhc

# piuparts job from the .test-piuparts template (not defined in this
# file), given the artifacts of both the unsigned and the signed build.
piuparts:
  needs:
    - job: build
      artifacts: true
    - job: build-signed
      artifacts: true
  extends:
    - .test-piuparts

# Standard missing-breaks job, taken unchanged from the
# .test-missing-breaks template (not defined in this file).
missing-breaks:
  extends:
    - .test-missing-breaks

# Standard rc-bugs job, taken unchanged from the .test-rc-bugs template
# (not defined in this file).
rc-bugs:
  extends:
    - .test-rc-bugs

# Python static checkers

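# Runs flake8 and pytest over the packaging's own Python code. Needs no
# artifacts from other jobs (`needs: []`), so it can start immediately.
python-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Never on tag pipelines; otherwise always.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        flake8 python3 python3-dacite python3-jinja2 python3-pytest

    # Check Python modules under debian/lib and Python scripts under
    # debian/bin or debian/rules.d.
    # The file list is kept one path per line. `IFS= read -r` keeps
    # backslashes and surrounding whitespace in a path intact, and
    # `xargs -d '\n'` passes each line to flake8 as a single argument, so
    # a path containing spaces or quotes is not split or reinterpreted.
    - sources="$(mktemp)"
    - find debian/lib/python -name '*.py' > "$sources"
    - |
      find debian/bin debian/rules.d -type f -perm /111 |
          while IFS= read -r script; do
              if awk '/^#!.*python/ { exit 0 } { exit 1 }' "$script"; then
                  echo "$script"
              fi
          done \
          >> "$sources"

    # Run both checkers and coalesce their results rather than exiting
    # on first failure. The last step runs `true` or `false`, which sets
    # the job result.
    - pass=true
    - xargs -d '\n' flake8 --max-line-length=100 < "$sources" || pass=false
    - pytest debian/lib/python || pass=false
    - $pass
  needs: []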

# kconfig static check

# kconfig static check: unpacks the source package from the `build`
# artifacts and runs kconfigeditor2's process.py over the unpacked tree.
kconfig-static:
  stage: test
  image: $SALSA_CI_IMAGES_BASE
  # Never on tag pipelines; otherwise always.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    # Unpack source and apply featureset patches
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        debhelper dpkg-dev git python3 python3-dacite quilt
    - dpkg-source -x ${WORKING_DIR}/*.dsc ${WORKING_DIR}/${SOURCE_DIR}
    - cd ${WORKING_DIR}/${SOURCE_DIR}
    - debian/rules source

    # Fetch kernel-team repository
    # NOTE(review): this is a shallow clone of whatever the repository's
    # default branch points to when the job runs, and a script from it is
    # executed below. The revision is not pinned, so the code run here can
    # change without a commit to this repository.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Run process.py and treat any error output as a failure.
    # stderr goes to a temporary file and `|| true` discards the exit
    # status; the job fails only when that file is non-empty.
    # NOTE(review): a non-zero exit with nothing on stderr would pass -
    # confirm that is intended.
    - error_log="$(mktemp)"
    - |
      "$kernel_team_dir"/utils/kconfigeditor2/process.py . 2>"$error_log" \
      || true
    - |
      if [ -s "$error_log" ]; then cat "$error_log"; false; fi
  needs:
    - job: build
      artifacts: true

# Sign code with the test key and certificate, build and test that

# Signs the output of `build` with the CI test key and certificate and
# publishes the resulting linux-signed source package as artifacts.
sign-code:
  stage: sign-code
  image: $SALSA_CI_IMAGES_BASE
  extends:
    - .artifacts-default-expire
  # Never on tag pipelines; otherwise always.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  script:
    - |
      apt-get update && eatmydata apt-get install --no-install-recommends -y \
        dpkg-dev git openssl python3 python3-debian sbsigntool

    # Fetch kernel-team repository
    # NOTE(review): shallow clone of the default branch at job time; the
    # debian-test-sign script from it is executed below. The revision is
    # not pinned, so the signing logic can change without a commit here.
    - kernel_team_dir="$(mktemp -d)"
    - |
      git clone --depth=1 https://salsa.debian.org/kernel-team/kernel-team.git \
        "$kernel_team_dir"

    # Sign the code and build a source package.
    # Arguments: the .changes file from `build`, then the test private key
    # and the test certificate. Both paths are relative, presumably to the
    # repository checkout, so the key is not a secret: anything signed
    # with it is for CI testing only and the certificate must not be
    # trusted outside that context.
    - |
      "$kernel_team_dir"/scripts/debian-test-sign \
        ${WORKING_DIR}/linux*_${BUILD_ARCH}.changes \
        debian/certs/ci-test-sign/ci-test-sign-key.pem \
        debian/certs/ci-test-sign/ci-test-sign.pem
  artifacts:
    paths:
      - ${WORKING_DIR}/linux-signed*-${BUILD_ARCH}_*
  needs:
    - job: build
      artifacts: true

# Builds the linux-signed source package produced by `sign-code`, using
# the same shared .build-* script fragments as `build` (those fragments
# are not defined in this file).
build-signed:
  stage: build-signed
  extends:
    - .build-definition
  # Never on tag pipelines; otherwise always.
  rules:
    - if: $CI_COMMIT_TAG != null
      when: never
    - when: always
  variables:
    # Set to the empty string for this job.
    SALSA_CI_DPKG_BUILDPACKAGE_ARGS: ''
    # We need linux-image-*-unsigned_*_${BUILD_ARCH}.deb build-dependencies
    # from build job
    SALSA_CI_SBUILD_EXTRA_PACKAGE: '${WORKING_DIR}/'
  script:
    # Do the same as the common .build-definition script
    - !reference [.build-before-script]
    - !reference [.build-script-setup-environment]

    # Hand the working and ccache directories to the salsa-ci user.
    - chown -R 'salsa-ci:' ${WORKING_DIR} ${CCACHE_DIR}

    - !reference [.build-script-setup-build-command]

    # Append the signed source package's .dsc to the shared build command.
    # The glob sits inside double quotes, so it is stored unexpanded;
    # presumably it is expanded when BUILD_COMMAND is run - confirm that
    # exactly one .dsc can match.
    - export BUILD_COMMAND="${BUILD_COMMAND} ${WORKING_DIR}/linux-signed*-${BUILD_ARCH}_*.dsc"

    - !reference [.build-script-run-build-command]
  after_script:
    - !reference [.build-after-script]
  artifacts:
    # This should include the linux-signed source package, its binary
    # packages, and (for piuparts) the versioned dependencies produced
    # by the build job
    paths:
      - ${WORKING_DIR}/linux-signed*-${BUILD_ARCH}_*
      - ${WORKING_DIR}/linux-base-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-headers-*-common_*_all.deb
      - ${WORKING_DIR}/linux-image-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/linux-kbuild-*_${BUILD_ARCH}.deb
      - ${WORKING_DIR}/kernel-image-*_${BUILD_ARCH}.udeb
    # The unsigned image packages match the linux-image-* pattern above
    # and are dropped from this job's artifacts again.
    exclude:
      - ${WORKING_DIR}/linux-image-*-unsigned_*_${BUILD_ARCH}.deb
  needs:
    - job: build
      artifacts: true
    - job: sign-code
      artifacts: true