Merge branch 'stable' into devel

[tails.git] / .gitlab-ci.yml

stages:
  - test
  - build-website
  - deploy-website

workflow:
  rules:
    - if: $CI_FORCE_RUN
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_TAG
    - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'

image: debian:bookworm

variables:
    GET_SOURCES_ATTEMPTS: 10

before_script:
  - export DEBIAN_FRONTEND=noninteractive
  - apt-get update -qq

.prepare-lint-po: &prepare-lint-po
  - apt-get -qy install git i18nspector
  - git clone https://gitlab.tails.boum.org/tails/jenkins-tools.git /tmp/jenkins-tools

build-website:
  stage: build-website
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
    - changes:
        - .gitlab-ci.yml
  cache:
    key: website-$CI_COMMIT_REF_SLUG
    paths:
      - config/chroot_local-includes/usr/share/doc/tails/website
      - wiki/src/.ikiwiki
  script:
    - apt-get -y install wget git
    - wget -q https://gitlab.tails.boum.org/tails/puppet-tails/-/raw/master/files/D68F87149EBA77541573C1C12453AA9CE4123A9A.asc -O /etc/apt/trusted.gpg.d/tails.asc
    - |
      echo -e 'Explanation: tails: po4a
      Package: po4a
      Pin: release n=bullseye, o=Debian
      Pin-Priority: 1000' > /etc/apt/preferences.d/po4a.pref
    - echo 'deb https://deb.tails.boum.org/ ikiwiki main' > /etc/apt/sources.list.d/tails.list
    - echo 'deb https://deb.debian.org/debian bullseye main' > /etc/apt/sources.list.d/bullseye.list
    - apt-get update && apt-get -y install ikiwiki po4a libyaml-perl libyaml-libyaml-perl libyaml-syck-perl perlmagick
    - mkdir /underlays
    - git clone --depth=1 https://gitlab.tails.boum.org/tails/etcher-binary.git /underlays/etcher-binary
    - git clone --depth=1 https://gitlab.tails.boum.org/tails/promotion-material.git /underlays/promotion-material
    - |
      ./build-website \
        --url "https://tails.net" \
        --usedirs \
        --sslcookie \
        --historyurl "https://gitlab.tails.boum.org/tails/tails/-/commits/master/wiki/src/[[file]]" \
        --diffurl "https://gitlab.tails.boum.org/tails/tails/-/commit/[[sha1_commit]]" \
        --rss \
        --atom \
        --set-yaml add_underlays="['/underlays/etcher-binary', '/underlays/promotion-material']"

deploy-website:
  stage: deploy-website
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
  cache:
    key: website-$CI_COMMIT_REF_SLUG
    paths:
      - config/chroot_local-includes/usr/share/doc/tails/website
      - wiki/src/.ikiwiki
    policy: pull
  script:
    - apt-get install -y openssh-client rsync
    - test -e .ssh || mkdir .ssh
    - cp "$WEBSITE_DEPLOY_SSH_PRIVATE_KEY" .ssh/private_key
    - cp "$WEBSITE_DEPLOY_SSH_KNOWN_HOSTS" .ssh/known_hosts
    - chmod 400 .ssh/known_hosts .ssh/private_key
    - echo "variables often lack a trailing newline, which breaks SSH, detect and fix"
    - ssh-keygen -y -f .ssh/private_key || echo >> .ssh/private_key
    - echo "here is the SSH key we will deploy with"
    - ssh-keygen -y -f .ssh/private_key
    - echo -n "Begin rsync, time is " && date '+%Y-%m-%d %H-%M-%S%z'
    - rsync --rsh="ssh -p 3004 -o UserKnownHostsFile=.ssh/known_hosts -i .ssh/private_key" --checksum --archive --no-times --verbose --mkpath --delete "config/chroot_local-includes/usr/share/doc/tails/website/" www-data@chameleon.tails.net:/

lint-po:
  image: debian:testing
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - *prepare-lint-po
    - /tmp/jenkins-tools/slaves/lint_po

ruff-lint-changed-files:
  only:
    - merge_requests

  image: debian:sid

  script:
    - apt-get -qy install ruff findutils git python3
    - ruff --version
    - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
    - ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}" check --output-format=junit --output-file=ruff.xml
  artifacts:
    when: always
    reports:
      junit: ruff.xml

ruff-format-changed-files:
  only:
    - merge_requests

  image: debian:sid

  script:
    - apt-get -qy install ruff findutils git python3
    - ruff --version
    - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
    - ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}" format --check

check-website-core-pages:
  script:
    - apt-get -qy install git
    - ./bin/check-core-pages

check-po-msgfmt:
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install python3 gettext
    - ./bin/check-po-msgfmt

check-po-meta-date:
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install git ruby
    - ./bin/sanity-check-website

check-translatable-live-website-urls:
  script:
    - apt-get -qy install python3-polib
    - ./bin/check-translatable-live-website-urls po/tails.pot

check-locale-descriptions:
  script:
    - apt-get -qy install python3 python3-requests python3-toml python3-bs4
    - echo 'If this fails, look at https://tails.net/contribute/release_process/update_locale_descriptions/'
    - ./bin/locale-descriptions suggest

rubocop:
  image: debian:bookworm
  script:
  - apt-get -qy install rubocop
  - rubocop --version
  - rubocop --format junit --out rubocop.xml --format markdown
  artifacts:
    when: always
    reports:
      junit: rubocop.xml

test-iuk:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
  - './bin/test-utils/test-iuk'

test-perl5lib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
  - 'cat config/chroot_local-packageslists/tails-perl5lib.list
       | grep -E -v "^#"
       | xargs apt-get -qy install'
  - 'apt-get -qy install
       apt-file
       libdist-zilla-plugin-test-notabs-perl
       libdist-zilla-plugin-test-perl-critic-perl
       libdist-zilla-app-command-authordebs-perl
       libmodule-build-perl
       sudo'
  - apt-get update -qq # Take into account APT configuration added by apt-file
  # Otherwise, apt-get called by "dzil authordebs --install" asks confirmation
  - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
  - cd $CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib
  - dzil authordebs --install
  - dzil test --all

shellcheck:
  image: debian:testing
  script:
  - apt-get -qy install python3 shellcheck xmlstarlet git
  - shellcheck --version
  - 'git ls-files -z | ./bin/test-utils/is-file-type filter --zero shell | xargs --verbose --no-run-if-empty -0 shellcheck --format=checkstyle
       | xmlstarlet tr config/ci/shellcheck/checkstyle2junit.xslt
       > shellcheck.xml'
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml

test-persistent-storage-config-file:
  script:
    - apt-get -qy install python3 python3-gi acl
    - config/chroot_local-includes/usr/lib/python3/dist-packages/tps/configuration/config_file_test.py

test-python-doctest:
  script:
    - apt-get -qy install python3 python3-sh python3-toml python3-requests python3-bs4
    - config/chroot_local-includes/usr/local/lib/tails-gdm-error-message doctest --verbose
    - env PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages python3 config/chroot_local-includes/usr/local/bin/tails-documentation --doctest
    - ./bin/locale-descriptions doctest

test-tca:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - 'cat config/chroot_local-packageslists/tor-connection-assistant.list
       | grep -E -v "^#"
       | xargs apt-get -qy install'
    - 'cd config/chroot_local-includes/usr/lib/python3/dist-packages ; find tca -name "*.py" -print0 | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest'

test-tca-portal:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - 'cat config/chroot_local-packageslists/tor-connection-assistant.list
       | grep -E -v "^#"
       | xargs apt-get -qy install'
    - 'PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages env python3 ./config/chroot_local-includes/usr/local/lib/tca-portal --doctest-only --log-level DEBUG'


test-tailslib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - apt-get -qy install python3 python3-atomicwrites python3-sh python3-gi git
    - 'cd config/chroot_local-includes/usr/lib/python3/dist-packages ; find tailslib -name "*.py" -print0 | grep --null-data -v -e netnsdrop.py -e gnome.py | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest'

test-whisperback:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - 'cat config/chroot_local-packageslists/whisperback.list | grep -E -v "^#"
         | xargs apt-get -qy install'
    - apt-get -qy install python3-pytest
    - 'PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
         pytest-3 --verbose --junit-xml=report.xml
         config/chroot_local-includes/usr/lib/python3/dist-packages/whisperBack/test.py'
  artifacts:
    when: always
    reports:
      junit: report.xml

apt-snapshots-expiry:
  script:
    - apt-get -qy install curl git
    - ./bin/apt-snapshots-expiry
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^stable|testing|devel$/'
    - changes:
        - .gitlab-ci.yml
        - config/APT_snapshots.d/*/serial
        - vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial

.install-https-get-expired-build-deps: &install-https-get-expired-build-deps
  - apt-get -qy install --no-install-recommends golang-go ca-certificates

.build-https-get-expired: &build-https-get-expired
  - go build -o ./https-get-expired config/chroot_local-includes/usr/src/https-get-expired.go

.test-https-get-expired: &test-https-get-expired
  - echo "Basic check:"
  - ./https-get-expired -reject-expired https://tails.net/
  - echo "Let's pretend we are in the past. Then, this certificate is still good."
  - ./https-get-expired -current-time 2000-01-01 -reject-expired https://tails.net/
  - echo "Let's pretend we are in the future. Then, this certificate is expired"
  - "! ./https-get-expired -current-time 2090-01-01 -reject-expired https://tails.net/"
  - "! ./https-get-expired -reject-expired https://wrong.host.badssl.com/"
  - "! ./https-get-expired -reject-expired https://self-signed.badssl.com/"
  - "! ./https-get-expired -reject-expired https://untrusted-root.badssl.com/"
  - "! ./https-get-expired -reject-expired https://expired.badssl.com/"
  - echo "Invalid host"
  - "! ./https-get-expired -reject-expired https://nxdomain.tails.net/"
  - "./bin/test-utils/https-get-expired-test-all"

https-get-expired:
  rules:
    - if: '$CI_COMMIT_BRANCH =~ /^stable|testing|devel$/'
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired

https-get-expired-sid:
  # this job gives us results using a future version of Golang compared to the one we actually use
  image: debian:sid
  rules:
    - if: '$CI_COMMIT_BRANCH == "devel"'
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired