-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
243 lines (218 loc) · 5.44 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
# CentOS EOL dates https://www.centos.org/centos-stream/
# Fedora EOL dates https://fedorapeople.org/groups/schedule/
# Ubuntu EOL dates https://wiki.ubuntu.com/Releases/
---
default:
interruptible: true
stages:
- build
- lint
- test
- deploy
variables:
ANSIBLE_FORCE_COLOR: "1"
# https://bixense.com/clicolors/ standard for enabling colours in CI
CLICOLOR: "1"
workflow:
rules: &rules_default
- if: $CI_COMMIT_TAG
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_MERGE_REQUEST_IID
.build_img:
stage: build
image:
# debug image has a shell
name: gcr.io/kaniko-project/executor:v1.21.1-debug
entrypoint: [""]
needs:
- job: lint:shellcheck
artifacts: false
.test:
stage: test
script:
# GitLab clones the project as writable by everyone
# This breaks checks that are done inside the tools
- chmod -R go-w .
# Container runs as root to support systemd as the init system
# switch to the test user 'public' to run the scripts like a user would
- su public --command="./setup.sh"
- su public --command="./.gitlab/check_versions.bash"
- su public --command="./.gitlab/verify_no_changes.sh"
.rules_ubuntu:
rules: *rules_default
.rules_eol:
rules:
- when: manual
allow_failure: true
.rules_lint:
rules: *rules_default
.rules_redhat:
rules: *rules_default
# This rule set is for any OS which is not used as my primary
.rules_secondary_os:
rules:
- when: manual
allow_failure: true
# This is used for distributions which are used as flags for upcoming errors
.rules_only_warn:
rules:
- allow_failure: true
build:linter:
extends:
- .build_img
script:
- mkdir -p /kaniko/.docker
- |
tee /kaniko/.docker/config.json <<-JSON
{
"auths": {
"$CI_REGISTRY": {
"username":"$CI_REGISTRY_USER",
"password":"$CI_REGISTRY_PASSWORD"
}
}
}
JSON
- >
/kaniko/executor
--cleanup
--cache
--cache-repo $CI_REGISTRY_IMAGE/cache
--context $CI_PROJECT_DIR
--destination $CI_REGISTRY_IMAGE/linter:$CI_COMMIT_REF_SLUG
--dockerfile $CI_PROJECT_DIR/.gitlab/linter.dockerfile
build:centos:stream9:
extends:
- .build_img
- .rules_secondary_os
script:
- ./.gitlab/build_image.sh centos stream9
build:fedora:41:
extends:
- .build_img
script:
- ./.gitlab/build_image.sh fedora 41
build:fedora:42:
extends:
- .build_img
script:
- ./.gitlab/build_image.sh fedora 42
# unreleased
when: manual
allow_failure: true
build:fedora:rawhide:
extends:
- .build_img
script:
- ./.gitlab/build_image.sh fedora rawhide
# unreleased
when: manual
allow_failure: true
build:ubuntu:24.04:
extends:
- .build_img
script:
- ./.gitlab/build_image.sh ubuntu 24.04
lint:shellcheck:
extends:
- .rules_lint
stage: .pre
image: koalaman/shellcheck-alpine
script:
- shellcheck --external-sources setup.sh $(find . -name '*.sh' -path '**/latest/**')
lint:ansible:
extends:
- .rules_lint
stage: lint
image: $CI_REGISTRY_IMAGE/linter:$CI_COMMIT_REF_SLUG
needs:
- job: build:linter
artifacts: false
script:
# ansible-lint uses git which checks directory ownership before running
# This happens because gitlab uses 777 on the directory
- git config --global --add safe.directory $CI_PROJECT_DIR
- go-task ans:lint
# Also check all other non ansible files
- yamllint -f parsable .
test:centos:stream9:
extends:
- .test
- .rules_secondary_os
image: ${CI_REGISTRY_IMAGE}/centos:stream9-${CI_COMMIT_REF_SLUG}
needs:
- job: build:centos:stream9
artifacts: false
- job: lint:ansible
artifacts: false
test:fedora:41:
# EOL: ~2025-10-22
extends:
- .test
- .rules_redhat
image: ${CI_REGISTRY_IMAGE}/fedora:41-${CI_COMMIT_REF_SLUG}
needs:
- job: build:fedora:41
artifacts: false
- job: lint:ansible
artifacts: false
test:fedora:42:
# EOL: ~2026-04-22
extends:
- .test
- .rules_redhat
image: ${CI_REGISTRY_IMAGE}/fedora:42-${CI_COMMIT_REF_SLUG}
needs:
- job: build:fedora:42
artifacts: false
- job: lint:ansible
artifacts: false
# unreleased
when: manual
allow_failure: true
test:fedora:rawhide:
extends:
- .test
- .rules_redhat
image: ${CI_REGISTRY_IMAGE}/fedora:rawhide-${CI_COMMIT_REF_SLUG}
needs:
- job: build:fedora:rawhide
artifacts: false
- job: lint:ansible
artifacts: false
# unreleased
when: manual
allow_failure: true
test:ubuntu:24.04:
# EOL: 2029-06
extends:
- .test
- .rules_ubuntu
image: ${CI_REGISTRY_IMAGE}/ubuntu:24.04-${CI_COMMIT_REF_SLUG}
needs:
- job: build:ubuntu:24.04
artifacts: false
- job: lint:ansible
artifacts: false
deploy:github:
stage: deploy
interruptible: false
script:
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- echo "${GITHUB_KEY}" > ~/.ssh/id_rsa
- echo "${GITHUB_KEY_PUB}" > ~/.ssh/id_rsa.pub
- chmod 700 ~/.ssh/id_rsa*
- ssh-keyscan 'github.com' >> ~/.ssh/known_hosts
- git remote add github -t main [email protected]:perobertson/setup.git
- git fetch --all --verbose
- git checkout -B "${CI_COMMIT_REF_NAME}"
- git push --set-upstream github "${CI_COMMIT_REF_NAME}"
after_script:
- rm ~/.ssh/id_rsa
- rm ~/.ssh/id_rsa.pub
environment:
name: github
resource_group: github
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH