[neon/ubuntu-core/models.add-models-pipeline] /: Models CI: Update makefile, readme and yamls
Antoine Gonzalez
null at kde.org
Wed Aug 7 15:17:19 BST 2024
Git commit dba99d7c554d3170fbc9cd6c889fefde8ba880c9 by Antoine Gonzalez.
Committed on 07/08/2024 at 14:15.
Pushed by daspood into branch 'models.add-models-pipeline'.
Models CI: Update makefile, readme and yamls
D +0 -15 CONTRIBUTING
M +10 -9 Makefile
M +18 -4 README.md
M +8 -5 debian/.gitlab-ci-neon.yml
A +23 -0 debian/neon-core-image-dangerous.yml
A +22 -0 debian/neon-core-image-signed.yml
R +9 -9 debian/neon-core-models.yml [from: debian/snap-image-model.yml - 072% similarity]
https://invent.kde.org/neon/ubuntu-core/-/commit/dba99d7c554d3170fbc9cd6c889fefde8ba880c9
diff --git a/CONTRIBUTING b/CONTRIBUTING
deleted file mode 100644
index 33eeea4..0000000
--- a/CONTRIBUTING
+++ /dev/null
@@ -1,15 +0,0 @@
-## Generate new model files for the image
-
-After changing the `kde-neon-core-amd64.json` file, you will need to update the signed `kde-neon-core-*-amd64.model`
-files in order to build the image. If you do not have the necessary credentials to sign these models locally, you can
-use the CI instead.
-
-In the Gitlab web interface, go to the Pipelines page and click the "Run pipeline" button. This will take you to
-https://invent.kde.org/neon/ubuntu-core/-/pipelines/new. On this page, select your branch, and click the "Run pipeline"
-button again. In the pipeline view, you can click the "snap_image_model" job to manually start it.
-
-Your branch needs to be protected, and its name needs to match the `models.*` pattern for the job to run.
-
-Once the job is complete, it will upload both `dangerous` and `signed` versions of the model as pipeline artefacts, and
-push them to your branch in a "Update models" commit. Once you pull the commit, you will be able to build the full image
-locally.
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 723cde4..3c5837a 100644
--- a/Makefile
+++ b/Makefile
@@ -4,20 +4,21 @@ dangerous: kde-neon-core-dangerous-amd64.tar.gz
signed: kde-neon-core-signed-amd64.tar.gz
-kde-neon-core-signed-amd64.json: kde-neon-core-amd64.json
- ./finalize-json.sh signed $< $@
-
-kde-neon-core-dangerous-amd64.json: kde-neon-core-amd64.json
- ./finalize-json.sh dangerous $< $@
-
kde-neon-core-signed-amd64.snap-list: kde-neon-core-amd64.json
./create-snap-list.sh signed $< $@
kde-neon-core-dangerous-amd64.snap-list: kde-neon-core-amd64.json
./create-snap-list.sh dangerous $< $@
-%.model: %.json
- snap sign -k kde-neon-core-image-key $< > $@
+kde-neon-core-signed-amd64.model: kde-neon-core-amd64.json
+ ./finalize-json.sh signed kde-neon-core-amd64.json model-in.json
+ snap sign -k kde-neon-core-image-key model-in.json > $@
+ rm model-in.json
+
+kde-neon-core-dangerous-amd64.model: kde-neon-core-amd64.json
+ ./finalize-json.sh dangerous kde-neon-core-amd64.json model-in.json
+ snap sign -k kde-neon-core-image-key model-in.json > $@
+ rm model-in.json
%.img: %.model %.snap-list
$(eval SNAPS = $(shell cat $(basename $@).snap-list))
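Review bot: Both new `.model` rules write their intermediate file to the same fixed name `model-in.json`, so under `make -j all` the signed and dangerous recipes can overwrite each other's input and one grade's JSON can end up signed into the other grade's model. Deriving the name from the target avoids this, e.g. `./finalize-json.sh signed $< $@.in.json`. The `snap sign ... > $@` redirect also truncates the model before signing has succeeded, so a failed or unauthenticated run leaves an empty file in place of the committed model, and make may treat it as up to date; writing to `$@.tmp` and finishing with `mv -f $@.tmp $@` prevents that (whether `.DELETE_ON_ERROR:` is set is not visible here). When signing fails, `rm model-in.json` never runs, and the `clean` recipe in the next hunk does not remove the leftover either. The `%.img` rule that follows continues outside the hunk.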
@@ -30,6 +31,6 @@ kde-neon-core-dangerous-amd64.snap-list: kde-neon-core-amd64.json
clean:
rm -rf *.model.build
- rm -f *.snap-list *.model *.img *.tar.gz *-signed-*.json *-dangerous-*.json
+ rm -f *.snap-list *.img *.tar.gz *-signed-*.json *-dangerous-*.json
.PHONY: all clean dangerous signed
diff --git a/README.md b/README.md
index ae5a951..4ea3fe9 100644
--- a/README.md
+++ b/README.md
@@ -4,11 +4,17 @@ This repository contains all that's needed to build and run images provided the
## Building images
-There are two grades of images: signed and dangerous. Using `make <grade>` to build one of the two images. `make` or `make all` will build both the dangerous and the signed images. They will also be automatically compressed in `tar.gz` format at the end of the process.
+There are two grades of images: signed and dangerous. Using `make <grade>` to build one of the two images. `make` or `make all` will build both the dangerous and the signed images. They will also be automatically compressed in `tar.gz` format at the end of the process. You can also use `make kde-neon-core-<grade>-amd64.img` to build the image without compression and without deleting temporary files.
### Signatures and keys
-Signatures will occur during this process. This requires having an Ubuntu One account as described here:
+In order to build the image, a signed `.model` file needs to exist. Up-to-date models are provided in the repository.
+
+After changing the `kde-neon-core-amd64.json` file, you will need to update these `kde-neon-core-<grade>-amd64.model` files.
+
+#### Generating models with Make
+
+The `Makefile` can handle that step for you if you call `make <model-file>`. Signatures will occur during this process. This requires having an Ubuntu One account as described here:
https://ubuntu.com/core/docs/create-ubuntu-one
@@ -16,9 +22,17 @@ This also requires having registered keys, as described in the first two steps o
https://ubuntu.com/core/docs/sign-model-assertion
-The `Makefile` will handle the rest for you but it assumes your key to be created with the name `kde-neon-core-image-key`.
+The Makefile assumes your key to be created with the name `kde-neon-core-image-key`. Also, no build can occur if you're not authenticated in your Ubuntu One account with `snapcraft`. To sanity check this, running `snapcraft whoami` will tell you under which account you are authenticated.
+
+#### Generating models with the CI
+
+If Make is not a practical option for you, it is possible to let the CI handle the update of model files:
+
+In the Gitlab web interface, go to the Pipelines page and click the "Run pipeline" button. This will take you to https://invent.kde.org/neon/ubuntu-core/-/pipelines/new. On this page, select your branch, and click the "Run pipeline" button again. In the pipeline view, you can click the "snap_image_model" job to manually start it.
+
+Your branch needs to be protected, and its name needs to match the `models.*` pattern for the job to run.
-Also, no build can occur if you're not authenticated in your Ubuntu One account with `snapcraft`. To sanity check this, running `snapcraft whoami` will tell you under which account you are authenticated.
+Once the job is complete, it will upload both `dangerous` and `signed` versions of the model as pipeline artefacts, and push them to your branch in a "Update models" commit. Once you pull the commit, you will be able to build the full image locally.
### dangerous vs signed
diff --git a/debian/.gitlab-ci-neon.yml b/debian/.gitlab-ci-neon.yml
index dce4ab7..28f0864 100644
--- a/debian/.gitlab-ci-neon.yml
+++ b/debian/.gitlab-ci-neon.yml
@@ -2,8 +2,11 @@
# SPDX-License-Identifier: CC0-1.0
include:
- - project: sysadmin/ci-utilities
- file:
- - /gitlab-templates/snap-image-dangerous.yml
-# - /gitlab-templates/snap-image-signed.yml
- - local: debian/snap-image-model.yml
\ No newline at end of file
+# - project: sysadmin/ci-utilities
+# file:
+# - /gitlab-templates/neon-core-models.yml
+# - /gitlab-templates/neon-core-image-dangerous.yml
+# - /gitlab-templates/neon-core-image-signed.yml
+ - local: debian/neon-core-models.yml
+ - local: debian/neon-core-image-dangerous.yml
+ - local: debian/neon-core-image-signed.yml
\ No newline at end of file
diff --git a/debian/neon-core-image-dangerous.yml b/debian/neon-core-image-dangerous.yml
new file mode 100644
index 0000000..6a86dff
--- /dev/null
+++ b/debian/neon-core-image-dangerous.yml
@@ -0,0 +1,23 @@
+include:
+ - /gitlab-templates/blocks/workflow.yml
+
+neon_core_image_dangerous:
+ script:
+ # build the image with the project's tooling
+ - echo building kde-neon-core in dangerous mode ...
+ - make dangerous 2>&1 | tee task.log
+ # make the artifacts dir
+ - mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
+ # copy the gun zipped tar to the artifacts dir
+ - cp -vf ./*.tar.gz $CI_PROJECT_DIR/.kde-ci-packages/
+ interruptible: true
+ artifacts:
+ name: CI artifacts
+ expose_as: 'KDE Neon Core images'
+ when: always
+ paths:
+ - ".kde-ci-packages/"
+ - "task.log"
+ - "task-debug.log"
+ expire_in: 7 days
+
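Review bot: `task-debug.log` is listed under `artifacts: paths`, but nothing in the visible script creates it, so with `when: always` every run will report a missing artifact path unless `make dangerous` writes that file itself; drop the entry or add a comment naming what produces it. `$CI_PROJECT_DIR` is also unquoted in the `mkdir` and `cp` lines, where `"$CI_PROJECT_DIR/.kde-ci-packages/"` would be safer. Both points apply equally to `debian/neon-core-image-signed.yml`, which is a copy of this job differing only in the grade. A short header comment in each file, saying that the job builds from the committed `.model` file and appears to set up no signing key of its own, would tell readers why it does not extend `.snap_base`.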
diff --git a/debian/neon-core-image-signed.yml b/debian/neon-core-image-signed.yml
new file mode 100644
index 0000000..3a62fd7
--- /dev/null
+++ b/debian/neon-core-image-signed.yml
@@ -0,0 +1,22 @@
+include:
+ - /gitlab-templates/blocks/workflow.yml
+
+neon_core_image_signed:
+ script:
+ # build the image with the project's tooling
+ - echo building kde-neon-core in signed mode ...
+ - make signed 2>&1 | tee task.log
+ # make the artifacts dir
+ - mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
+ # copy the gun zipped tar to the artifacts dir
+ - cp -vf ./*.tar.gz $CI_PROJECT_DIR/.kde-ci-packages/
+ interruptible: true
+ artifacts:
+ name: CI artifacts
+ expose_as: 'KDE Neon Core images'
+ when: always
+ paths:
+ - ".kde-ci-packages/"
+ - "task.log"
+ - "task-debug.log"
+ expire_in: 7 days
diff --git a/debian/snap-image-model.yml b/debian/neon-core-models.yml
similarity index 72%
rename from debian/snap-image-model.yml
rename to debian/neon-core-models.yml
index 3217516..3f029c8 100644
--- a/debian/snap-image-model.yml
+++ b/debian/neon-core-models.yml
@@ -4,12 +4,11 @@ include:
- /gitlab-templates/blocks/snap-base.yml
- /gitlab-templates/blocks/workflow.yml
-snap_image_model:
+neon_core_models:
extends: .snap_base
inherit:
default: true
- script: # Have to duplicate most of the snap-image code as the default `make` command will remove the model file
- - echo currently on branch $CI_COMMIT_BRANCH, ref $CI_COMMIT_REF_NAME, pipeline source is $CI_PIPELINE_SOURCE
+ script:
# make sure there is a snap specific so gpg doesn't freak out
- mkdir -p -m 0700 ¬/.snap/gnupg/
- mkdir -p -m 0700 ¬/.snap/gnupg/private-keys-v1.d/
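Review bot: Renaming the job to `neon_core_models` leaves the README text added in this same commit pointing at the old name: it still tells contributors to click the "snap_image_model" job in the pipeline view. That sentence should name `neon_core_models`. The removed inline comment was the only explanation of why this job exists separately from the image jobs, so a one-line comment above `script:` such as `# regenerates the model files and commits them back to the branch` would keep the purpose documented. The script continues outside the hunk.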
@@ -35,13 +34,14 @@ snap_image_model:
- mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
# copy the new model to the artifacts dir
- cp -vf ./*.model $CI_PROJECT_DIR/.kde-ci-packages/
- # push the new model to gitlab
- - echo pushing new models to ref $CI_COMMIT_REF_NAME
- - git config user.email "ubuntu-neon-core-models-bot at kde.org"
- - git config user.name "ubuntu-neon-core models-bot"
- - git add -f ./*.model
+ # set our identity
+ - git config user.email "project_17308_bot_bfe008c722508de9710d4b73ec01c4a0 at invent.kde.org"
+ - git config user.name "Neon Core-Bot"
+ # add the model and commit
+ - git add -f ./kde-neon-core-dangerous-amd64.model ./kde-neon-core-signed-amd64.model
- git commit -m "Update models"
- - git push https://project_17308_bot_a45360256b28775b175cf622f6b817ad:$UBUNTU_NEON_CORE_ACCESS_TOKEN@invent.kde.org/neon/ubuntu-core.git HEAD:$CI_COMMIT_REF_NAME -o ci.skip
+ # push the new model to gitlab, and prevent the CI from triggering after a bot push
+ - git push https://project_17308_bot_bfe008c722508de9710d4b73ec01c4a0:$GIT_MODEL_COMMIT@invent.kde.org/neon/ubuntu-core.git $CI_COMMIT_REF_NAME -o ci.skip
interruptible: true
after_script:
# delete the gpg keyring
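Review bot: The new push line drops the `HEAD:` source from the refspec, so git will look for a local ref named `$CI_COMMIT_REF_NAME` instead of pushing the commit just created. GitLab runners normally check out a detached HEAD, in which case the "Update models" commit is not what gets pushed, or the push fails outright. Keeping the explicit source, quoted as `"HEAD:$CI_COMMIT_REF_NAME"`, preserves the previous behaviour. The access token is also expanded into the remote URL, so `$GIT_MODEL_COMMIT` should be a masked and protected CI variable to keep it out of job logs and out of pipelines on unprotected branches; the variable's settings are not visible here. The `after_script` section continues outside the hunk.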