[neon/ubuntu-core/Neon/core22] debian: Significantly overhaul jobs to use a slightly different approach
Ben Cooksley
null at kde.org
Thu Aug 8 10:34:38 BST 2024
Git commit aa99a15ea658f3c551280feaddbed267032ef643 by Ben Cooksley.
Committed on 08/08/2024 at 09:34.
Pushed by bcooksley into branch 'Neon/core22'.
Significantly overhaul jobs to use a slightly different approach
M +1 -6 debian/.gitlab-ci-neon.yml
M +35 -18 debian/neon-core-image-dangerous.yml
M +35 -17 debian/neon-core-image-signed.yml
M +33 -43 debian/neon-core-models.yml
https://invent.kde.org/neon/ubuntu-core/-/commit/aa99a15ea658f3c551280feaddbed267032ef643
diff --git a/debian/.gitlab-ci-neon.yml b/debian/.gitlab-ci-neon.yml
index 28f0864..5695086 100644
--- a/debian/.gitlab-ci-neon.yml
+++ b/debian/.gitlab-ci-neon.yml
@@ -2,11 +2,6 @@
# SPDX-License-Identifier: CC0-1.0
include:
-# - project: sysadmin/ci-utilities
-# file:
-# - /gitlab-templates/neon-core-models.yml
-# - /gitlab-templates/neon-core-image-dangerous.yml
-# - /gitlab-templates/neon-core-image-signed.yml
- local: debian/neon-core-models.yml
- local: debian/neon-core-image-dangerous.yml
- - local: debian/neon-core-image-signed.yml
\ No newline at end of file
+ #- local: debian/neon-core-image-signed.yml
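Review bot: The `debian/neon-core-image-signed.yml` include is commented out here, but neither the file nor the commit message says why, so a reader cannot tell whether signed images are disabled on purpose or pending follow-up work. A one-line comment above it would settle that, e.g. `# signed image job disabled until <reason>`.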
diff --git a/debian/neon-core-image-dangerous.yml b/debian/neon-core-image-dangerous.yml
index 93f457c..ec515d8 100644
--- a/debian/neon-core-image-dangerous.yml
+++ b/debian/neon-core-image-dangerous.yml
@@ -1,22 +1,39 @@
-include:
- - project: sysadmin/ci-utilities
- file:
- - /gitlab-templates/blocks/snap-base.yml
- - /gitlab-templates/blocks/workflow.yml
-
-neon_core_image_dangerous:
- extends: .snap_base
- inherit:
- default: true
+neon-core-image-dangerous:
+ rules:
+ # Prevent branch pipelines if an MR is open on the branch.
+ - if: $CI_COMMIT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_OPEN_MERGE_REQUESTS
+ when: never
+ # Only allow this job to run when the environment variables $KDE_NEON_CORE_IMAGE_KEY, $PRIVATE_KEY and $OWNER_TRUST are defined
+ # These are normally defined on protected branches on our normal repository but we do the logic this way to allow someone else to set this up in their fork if they want
+ - if: '$KDE_NEON_CORE_IMAGE_KEY != null && $PRIVATE_KEY != null && $OWNER_TRUST != null'
+ variables:
+ SNAPCRAFT_BUILD_ENVIRONMENT: "host"
+ SNAPCRAFT_MANAGED_MODE: "y"
+ tags:
+ - Snap
+ interruptible: true
+ needs:
+ - job: 'neon-core-models'
+ artifacts: true
script:
- # get the missing plasma-desktop-session snap from runner FS
- - cp ../plasma-desktop-session.snap ./local-snaps/
+ # remove the task log file from the model signing that was artifacted...
+ - rm -f task.log
+ # get the missing plasma-desktop-session snap from the latest build...
+ - mkdir workspace/ && cd workspace/
+ - wget "https://invent.kde.org/api/v4/projects/neon/snap-packaging/plasma-desktop-session/jobs/artifacts/master/download?job=snap_snapcraft_lxd"
+ - unzip -e Snap_artifacts.zip
+ - mv .kde-ci-packages/plasma-desktop-session*.snap $CI_PROJECT_DIR/local-snaps/plasma-desktop-session.snap
+ - cd $CI_PROJECT_DIR
# build the image with the project's tooling
- echo building kde-neon-core in dangerous mode ...
- make dangerous 2>&1 | tee task.log
- # make the artifacts dir
- - mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
- # copy the gun zipped tar to the artifacts dir
- - cp -vf ./*.tar.gz $CI_PROJECT_DIR/.kde-ci-packages/
- interruptible: true
-
+ after_script:
+ # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
+ - git clean -dfx .
+ artifacts:
+ name: Signed image
+ when: always
+ paths:
+ - "*.tar.gz"
+ - "task.log"
+ expire_in: 7 days
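Review bot: The `after_script` step `git clean -dfx .` deletes untracked and ignored files, and as far as I know the runner executes `after_script` before it collects artifacts, so `*.tar.gz` and `task.log` would be gone by the time the `artifacts:` paths are evaluated. The same line is added in neon-core-image-signed.yml and neon-core-models.yml, where `task.log` (and any untracked `*.model`) is affected too. Removing only the sensitive and scratch paths keeps the cleanup without losing the outputs, e.g. `- rm -rf "$CI_PROJECT_DIR/.snap/gnupg" "$CI_PROJECT_DIR/kde-neon-core-image-key" "$CI_PROJECT_DIR/workspace"`. Separately, `name: Signed image` mislabels the output of `make dangerous`; `name: Dangerous image` avoids a dangerous-grade image being mistaken for the signed one.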
diff --git a/debian/neon-core-image-signed.yml b/debian/neon-core-image-signed.yml
index b1c75c3..ade1fc7 100644
--- a/debian/neon-core-image-signed.yml
+++ b/debian/neon-core-image-signed.yml
@@ -1,21 +1,39 @@
-include:
- - project: sysadmin/ci-utilities
- file:
- - /gitlab-templates/blocks/snap-base.yml
- - /gitlab-templates/blocks/workflow.yml
-
-neon_core_image_signed:
- extends: .snap_base
- inherit:
- default: true
+neon-core-image-signed:
+ rules:
+ # Prevent branch pipelines if an MR is open on the branch.
+ - if: $CI_COMMIT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_OPEN_MERGE_REQUESTS
+ when: never
+ # Only allow this job to run when the environment variables $KDE_NEON_CORE_IMAGE_KEY, $PRIVATE_KEY and $OWNER_TRUST are defined
+ # These are normally defined on protected branches on our normal repository but we do the logic this way to allow someone else to set this up in their fork if they want
+ - if: '$KDE_NEON_CORE_IMAGE_KEY != null && $PRIVATE_KEY != null && $OWNER_TRUST != null'
+ variables:
+ SNAPCRAFT_BUILD_ENVIRONMENT: "host"
+ SNAPCRAFT_MANAGED_MODE: "y"
+ tags:
+ - Snap
+ interruptible: true
+ needs:
+ - job: 'neon-core-models'
+ artifacts: true
script:
- # get the missing plasma-desktop-session snap from runner FS
- - cp ../plasma-desktop-session.snap ./local-snaps/
+ # remove the task log file from the model signing that was artifacted...
+ - rm -f task.log
+ # get the missing plasma-desktop-session snap from the latest build...
+ - wget "https://invent.kde.org/api/v4/projects/neon/snap-packaging/plasma-desktop-session/jobs/artifacts/master/download?job=snap_snapcraft_lxd"
+ - mkdir workspace/ && cd workspace/
+ - unzip -e Snap_artifacts.zip
+ - mv .kde-ci-packages/plasma-desktop-session*.snap $CI_PROJECT_DIR/local-snaps/plasma-desktop-session.snap
+ - cd $CI_PROJECT_DIR
# build the image with the project's tooling
- echo building kde-neon-core in signed mode ...
- make signed 2>&1 | tee task.log
- # make the artifacts dir
- - mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
- # copy the gun zipped tar to the artifacts dir
- - cp -vf ./*.tar.gz $CI_PROJECT_DIR/.kde-ci-packages/
- interruptible: true
+ after_script:
+ # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
+ - git clean -dfx .
+ artifacts:
+ name: Signed image
+ when: always
+ paths:
+ - "*.tar.gz"
+ - "task.log"
+ expire_in: 7 days
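Review bot: The download steps here cannot work as ordered: `wget` runs in the project directory before `mkdir workspace/ && cd workspace/`, and without `-O` it saves under a name derived from the URL rather than `Snap_artifacts.zip`, so `unzip` finds nothing (the dangerous job has the right order but the same naming problem). More important for a signed image, the snap is whatever the latest `master` build of another project produced, and it goes into `local-snaps/` with no integrity check. I would move the download after the `cd`, use `wget -O Snap_artifacts.zip "<artifact URL>"`, and compare the snap against a recorded digest with `sha256sum -c` (or pin a specific job) before the `mv`.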
diff --git a/debian/neon-core-models.yml b/debian/neon-core-models.yml
index 828810e..19dbac7 100644
--- a/debian/neon-core-models.yml
+++ b/debian/neon-core-models.yml
@@ -1,61 +1,51 @@
-include:
- - project: sysadmin/ci-utilities
- file:
- - /gitlab-templates/blocks/snap-base.yml
- - /gitlab-templates/blocks/workflow.yml
-
-neon_core_models:
- extends: .snap_base
- inherit:
- default: true
- before_script:
- # set bot identity and switch to the correct branch
- - git config user.email "project_17308_bot_bfe008c722508de9710d4b73ec01c4a0 at invent.kde.org"
- - git config user.name "Neon Core-Bot"
- - git checkout "$CI_COMMIT_REF_NAME"
+neon-core-models:
+ rules:
+ # Prevent branch pipelines if an MR is open on the branch.
+ - if: $CI_COMMIT_BRANCH && $CI_PIPELINE_SOURCE == "push" && $CI_OPEN_MERGE_REQUESTS
+ when: never
+ # Only allow this job to run when the environment variables $KDE_NEON_CORE_IMAGE_KEY, $PRIVATE_KEY and $OWNER_TRUST are defined
+ # These are normally defined on protected branches on our normal repository but we do the logic this way to allow someone else to set this up in their fork if they want
+ - if: '$KDE_NEON_CORE_IMAGE_KEY != null && $PRIVATE_KEY != null && $OWNER_TRUST != null'
+ variables:
+ SNAPCRAFT_BUILD_ENVIRONMENT: "host"
+ SNAPCRAFT_MANAGED_MODE: "y"
+ tags:
+ - Snap
+ interruptible: true
script:
- # make sure there is a snap specific so gpg doesn't freak out
- - mkdir -p -m 0700 ¬/.snap/gnupg/
- - mkdir -p -m 0700 ¬/.snap/gnupg/private-keys-v1.d/
+ # make sure there is a snap specific GPG workspace so gpg doesn't freak out
+ - mkdir -p -m 0700 $CI_PROJECT_DIR/.snap/gnupg/
+ - mkdir -p -m 0700 $CI_PROJECT_DIR/.snap/gnupg/private-keys-v1.d/
# export it as a env var for convenience
- - export GNUPGHOME=¬/.snap/gnupg/
- # test the env var
- - echo $GNUPGHOME
- # copy in the required exported login creds so that snapcraft whoami works
- - echo $KDE_NEON_CORE_IMAGE_KEY > kde-neon-core-image-key
+ - export GNUPGHOME=$CI_PROJECT_DIR/.snap/gnupg/
# feed snap's gpg the required key
- echo $PRIVATE_KEY | base64 --decode | gpg --batch --import
# make sure the key is trusted
- gpg --import-ownertrust <(echo "$OWNER_TRUST")
# test the keys
- gpg --list-keys
+
+ # copy in the required exported login creds so that snapcraft whoami works
+ - echo $KDE_NEON_CORE_IMAGE_KEY > kde-neon-core-image-key
# test the login
- snapcraft whoami
+
# build the model with the project's tooling
- - echo re-generating models for $KDE_SNAP_MODULE_NAME ...
+ - echo re-generating models for $CI_PROJECT_NAME ...
- make kde-neon-core-dangerous-amd64.model 2>&1 | tee task.log
- make kde-neon-core-signed-amd64.model 2>&1 | tee task.log
+
# make the artifacts dir
- mkdir -p $CI_PROJECT_DIR/.kde-ci-packages/
# copy the new models to the artifacts dir
- cp -vf ./*.model $CI_PROJECT_DIR/.kde-ci-packages/
- # add the model and commit
- - git add -f ./kde-neon-core-dangerous-amd64.model ./kde-neon-core-signed-amd64.model
- - git commit -m "Update models"
- # push the new model to gitlab, and prevent the CI from triggering after a bot push
- - git push https://project_17308_bot_bfe008c722508de9710d4b73ec01c4a0:$GIT_MODEL_COMMIT@invent.kde.org/neon/ubuntu-core.git $CI_COMMIT_REF_NAME -o ci.skip
- interruptible: true
after_script:
- # cleanup local branches to avoid outdated states in future runs
- - git checkout "$CI_COMMIT_SHA"
- - git branch -D "$CI_COMMIT_REF_NAME"
- # delete the gpg keyring
- - rm -rf ¬/.snap/gnupg
- # delete the snapcraft auth creds
- - rm kde-neon-core-image-key
- rules: # Only allow manual trigger on `models.*` branches
- - if: '$CI_COMMIT_BRANCH =~ /models\..*/'
- when: manual
- - if: '$CI_COMMIT_BRANCH !~ /models\..*/'
- when: never
-
+ # cleanup local state, including the GPG workspace and the Snapcraft authentication credentials
+ - git clean -dfx .
+ artifacts:
+ name: Signed models
+ when: always
+ paths:
+ - "*.model"
+ - "task.log"
+ expire_in: 28 days
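Review bot: `interruptible: true` sits badly on a job that imports `$PRIVATE_KEY` into `$CI_PROJECT_DIR/.snap/gnupg/` and writes `kde-neon-core-image-key`, because removing both is left to `after_script`. Whether `after_script` runs for a cancelled job depends on the GitLab and runner version, so a superseded pipeline may leave key material behind if the runner's workspace persists between jobs; I would set `interruptible: false` on this job. With the old manual-only `models.*` rule removed, the only gate left is the presence of the three variables, so the rule comment should state that requirement outright, e.g. `# These variables must be marked Protected so only protected refs can reach the signing key`.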