From baecdc4d4fd05a51aa398c9123db1248a925eb5a Mon Sep 17 00:00:00 2001
From: Jakub
Date: Thu, 1 Sep 2022 14:20:13 +0200
Subject: [PATCH] GODT-1833: Build needs test-linux and lint to start and keep vcpkg cache on linux. Builds manuall except linux-qa.

---
.gitlab-ci.yml | 81 +++++++++++++++++++++++++++++++----------
utils/gobinsec_conf.yml | 6 +++
2 files changed, 68 insertions(+), 19 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index dca9d077..40f3b9d1 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -40,14 +40,39 @@ stages:
- check
- mirror
+
+.rules-branch-and-MR-always:
+ rules:
+ - if: $CI_COMMIT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: always
+ allow_failure: false
+ - when: never
+
+.rules-branch-and-MR-manual:
+ rules:
+ - if: $CI_COMMIT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: manual
+ allow_failure: true
+ - when: never
+
+.rules-branch-manual-MR-always:
+ rules:
+ - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: always
+ allow_failure: false
+ - if: $CI_COMMIT_BRANCH
+ when: manual
+ allow_failure: true
+ - when: never
+
# Stage: CACHE
# This will ensure latest dependency versions and updates the cache for
# all other following jobs which only pull the cache.
cache-push:
stage: cache
- only:
- - branches
+ extends:
+ - .rules-branch-and-MR-always
script:
- echo ""
cache:
@@ -59,8 +84,8 @@ cache-push:
lint:
stage: test
- only:
- - branches
+ extends:
+ - .rules-branch-and-MR-always
before_script:
- mkdir -p .cache/bin
- export PATH=$(pwd)/.cache/bin:$PATH
@@ -72,8 +97,8 @@ lint:
test-linux:
stage: test
- only:
- - branches
+ extends:
+ - .rules-branch-manual-MR-always
script:
- apt-get -y install pass gnupg rng-tools
# First have enough of entropy (cat /proc/sys/kernel/random/entropy_avail).
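Review bot: `when: always` in `.rules-branch-and-MR-always` and `.rules-branch-manual-MR-always` does more than add the job to the pipeline: in GitLab `rules`, `always` runs the job regardless of the result of earlier stages, whereas the default `on_success` runs it only when the earlier jobs passed. That is harmless for `cache-push`, which sits in the first stage, but the same value is inherited by `lint` in the next hunk and copied into the `build-linux-qa` rule of `.build-base` in a later hunk, where the commit title says the build should depend on lint; `when: on_success` is the value that expresses that gate. The shared condition `$CI_COMMIT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"` matches both the branch pipeline and the merge-request pipeline of a pushed branch with an open MR, so unless a `workflow:rules` block outside this hunk suppresses one of them, every job marked `always` runs twice per push.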
@@ -88,15 +113,18 @@ test-linux:
- medium
test-windows:
- extends: .build-windows-base
+ extends:
+ - .build-windows-base
+ - .rules-branch-and-MR-manual # GODT-1833: change to .rules-branch-and-MR-always once runner fixed
stage: test
+ needs: []
script:
- make test
test-integration:
stage: test
- only:
- - branches
+ extends:
+ - .rules-branch-manual-MR-always
script:
- VERBOSITY=debug make -C test test
tags:
@@ -111,12 +139,16 @@ dependency-updates:
.build-base:
stage: build
+ needs: ["lint"]
rules:
- - if: $CI_JOB_NAME =~ /test/ && $CI_PIPELINE_SOURCE == "merge_request_event"
+ # GODT-1833: use `=~ /qa/` after mac and windows runners are fixed
+ - if: $CI_JOB_NAME =~ /build-linux-qa/ && $CI_PIPELINE_SOURCE == "merge_request_event"
when: always
- - if: $CI_JOB_NAME =~ /qa/ && $CI_PIPELINE_SOURCE == "merge_request_event"
- when: always
- - when: manual
+ allow_failure: false
+ - if: $CI_COMMIT_BRANCH || $CI_PIPELINE_SOURCE == "merge_request_event"
+ when: manual
+ allow_failure: true
+ - when: never
before_script:
- mkdir -p .cache/bin
- export PATH=$(pwd)/.cache/bin:$PATH
@@ -138,6 +170,13 @@ dependency-updates:
build-linux:
extends: .build-base
image: gitlab.protontech.ch:4567/go/bridge-internal:qt6
+ variables:
+ VCPKG_DEFAULT_BINARY_CACHE: ${CI_PROJECT_DIR}/.cache
+ cache:
+ key: linux-vcpkg
+ paths:
+ - .cache
+ when: 'always'
artifacts:
name: "bridge-linux-$CI_COMMIT_SHORT_SHA"
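Review bot: `needs: ["lint"]` in `.build-base` wires only the lint job, although the commit title says the build should need test-linux as well; if that dependency is not added somewhere outside this hunk, the line should read `needs: ["lint", "test-linux"]`. Note that `needs` also removes the stage barrier, so after this change the build jobs start as soon as lint finishes and run concurrently with the rest of the test stage rather than after it. Under `.rules-branch-manual-MR-always` test-linux is `manual` with `allow_failure: true` on branch pipelines, so how `needs` treats a not-yet-triggered manual job on that path should be checked before extending the list. The `.build-base` definition continues past the end of the hunk.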
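Review bot: `when: 'always'` under the new `cache:` of `build-linux` is the only quoted `when` value in the patch — the same keyword is written plain (`when: always`, `when: manual`) everywhere else — so it should read `when: always` for consistency; no behaviour change. Separately, `key: linux-vcpkg` is shared by every branch and merge-request pipeline, and `cache:when: always` saves the cache even from failed jobs, so the vcpkg binaries that any pipeline compiles into `.cache` are reused by every later build of the project, presumably including release builds. If that trust relationship is intended, a comment stating it would help the next reader, e.g. `# shared across all refs: vcpkg binaries built by any pipeline are reused by later builds`.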
@@ -213,22 +252,26 @@ build-windows-qa:
name: "bridge-windows-qa-$CI_COMMIT_SHORT_SHA"
# Stage: CHECK
+
check-gobinsec:
stage: check
- only:
- - branches
+ needs: ["build-linux-qa"]
+ extends:
+ - .rules-branch-manual-MR-always
cache:
- key: gobinsec-cache
+ key: gobinsec-cache-v2
paths:
- - gobinsec-cache.yml
+ - ./gobinsec-cache-valid.yml
policy: pull-push
before_script:
- mkdir build
- tar -xzf bridge_linux_*.tgz -C build
+ - "[ ! -f ./gobinsec-cache-valid.yml ] && wget bridgeteam.protontech.ch/bridgeteam/gobinsec-cache-valid.yml"
+ - cp ./gobinsec-cache-valid.yml ./gobinsec-cache.yml
script:
- - "[ ! -f ./gobinsec-cache.yml ] && wget bridgeteam.protontech.ch/bridgeteam/gobinsec-cache.yml"
- cat ./gobinsec-cache.yml
- - gobinsec -wait -cache -config utils/gobinsec_conf.yml build/proton-bridge
+ - gobinsec -wait -cache -config utils/gobinsec_conf.yml build/bridge
+ - cp ./gobinsec-cache.yml ./gobinsec-cache-valid.yml # Only update cache file if gobinsec succeeds

diff --git a/utils/gobinsec_conf.yml b/utils/gobinsec_conf.yml
index c2a80986..9a8f07e0 100644
--- a/utils/gobinsec_conf.yml
+++ b/utils/gobinsec_conf.yml
@@ -1,5 +1,7 @@
---
+wait: true
+
file:
name: "./gobinsec-cache.yml"
expiration: 24h
@@ -7,3 +9,7 @@ file:
ignore:
# golang.org/x/net wrong match, we are using 2871e0cb, fixed by 37e1c6af
- "CVE-2021-33194"
+ # GODT-1853: fix golang.org/x/crypto vulns
+ - "CVE-2021-43565"
+ # GODT-1853: fix golang.org/x/crypto vulns
+ - "CVE-2022-27191"
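Review bot: the new `before_script` line `wget bridgeteam.protontech.ch/bridgeteam/gobinsec-cache-valid.yml` gives no URL scheme, so wget fetches the file over plain HTTP, and the downloaded file is then copied to `./gobinsec-cache.yml` and handed to `gobinsec -cache` — an unauthenticated download seeds the results cache that decides whether the vulnerability check passes. At minimum the line should read `wget https://bridgeteam.protontech.ch/bridgeteam/gobinsec-cache-valid.yml`; checking the file against a checksum published alongside it, or falling back to an empty cache when the download fails, would also stop the job from depending on that host being reachable. The download itself was only moved from `script` into `before_script` by this commit, but the moved line is the right place to fix it.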
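Review bot: the two new `ignore` entries are suppressions, but their comment `# GODT-1853: fix golang.org/x/crypto vulns` describes a fix, and unlike the existing CVE-2021-33194 entry it does not say why silencing the finding is acceptable or when the entry goes away. Suggest one comment covering both entries that records the rationale and the removal condition, e.g. `# GODT-1853: golang.org/x/crypto findings, suppressed until the dependency is bumped; remove once it is`, so the ignore list does not quietly grow stale.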