9 - if: $CI_MERGE_REQUEST_IID
11 - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
13 image: debian:bookworm
16 GET_SOURCES_ATTEMPTS: 10
19 - export DEBIAN_FRONTEND=noninteractive
22 .prepare-lint-po: &prepare-lint-po
23 - apt-get -qy install git i18nspector
24 - git clone https://gitlab.tails.boum.org/tails/jenkins-tools.git /tmp/jenkins-tools
29 - if: '$CI_COMMIT_BRANCH == "master"'
30 - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
34 key: website-$CI_COMMIT_BRANCH
36 - config/chroot_local-includes/usr/share/doc/tails/website
39 - apt-get update && apt-get -y install wget
40 - wget -q https://gitlab.tails.boum.org/tails/puppet-tails/-/raw/master/files/D68F87149EBA77541573C1C12453AA9CE4123A9A.asc -O /etc/apt/trusted.gpg.d/tails.asc
42 echo -e 'Explanation: tails: po4a
44 Pin: release n=bullseye, o=Debian
45 Pin-Priority: 1000' > /etc/apt/preferences.d/po4a.pref
46 - echo 'deb https://deb.tails.boum.org/ ikiwiki main' > /etc/apt/sources.list.d/tails.list
47 - echo 'deb https://deb.debian.org/debian bullseye main' > /etc/apt/sources.list.d/bullseye.list
48 - apt-get update && apt-get -y install ikiwiki po4a libyaml-perl libyaml-libyaml-perl libyaml-syck-perl perlmagick
54 - if: '$CI_COMMIT_BRANCH == "master"'
56 key: website-$CI_COMMIT_BRANCH
58 - config/chroot_local-includes/usr/share/doc/tails/website
61 - apt-get install -y openssh-client rsync
62 - test -e .ssh || mkdir .ssh
63 - cp "$WEBSITE_DEPLOY_SSH_PRIVATE_KEY" .ssh/private_key
64 - cp "$WEBSITE_DEPLOY_SSH_KNOWN_HOSTS" .ssh/known_hosts
65 - chmod 400 .ssh/known_hosts .ssh/private_key
66 - echo "variables often lack a trailing newline, which breaks SSH, detect and fix"
67 - ssh-keygen -y -f .ssh/private_key || echo >> .ssh/private_key
68 - echo "here is the SSH key we will deploy with"
69 - ssh-keygen -y -f .ssh/private_key
70 - echo -n "Begin rsync, time is " && date '+%Y-%m-%d %H-%M-%S%z'
71 - rsync --rsh="ssh -p 3004 -o UserKnownHostsFile=.ssh/known_hosts -i .ssh/private_key" --checksum --archive --no-times --verbose --mkpath --delete "config/chroot_local-includes/usr/share/doc/tails/website/" www-data@chameleon.tails.net:/
76 - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
82 - /tmp/jenkins-tools/slaves/lint_po
84 ruff-lint-changed-files:
91 - apt-get -qy install ruff findutils git python3
93 - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
94 - ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}" check --output-format=junit --output-file=ruff.xml
100 ruff-format-changed-files:
107 - apt-get -qy install ruff findutils git python3
109 - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
110 - ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}" format --check
112 check-website-core-pages:
114 - apt-get -qy install git
115 - ./bin/check-core-pages
119 - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
124 - apt-get -qy install python3 gettext
125 - ./bin/check-po-msgfmt
129 - if: '$CI_COMMIT_BRANCH =~ /^master|stable|testing|devel$/'
134 - apt-get -qy install git ruby
135 - ./bin/sanity-check-website
137 check-translatable-live-website-urls:
139 - apt-get -qy install python3-polib
140 - ./bin/check-translatable-live-website-urls po/tails.pot
142 check-locale-descriptions:
144 - apt-get -qy install python3 python3-requests python3-toml python3-bs4
145 - echo 'If this fails, look at https://tails.net/contribute/release_process/update_locale_descriptions/'
146 - ./bin/locale-descriptions suggest
149 image: debian:bookworm
151 - apt-get -qy install rubocop
153 - rubocop --format junit --out rubocop.xml --format markdown
161 - if: '$CI_COMMIT_BRANCH != "master"'
163 - './bin/test-utils/test-iuk'
167 - if: '$CI_COMMIT_BRANCH != "master"'
169 - 'cat config/chroot_local-packageslists/tails-perl5lib.list
171 | xargs apt-get -qy install'
172 - 'apt-get -qy install
174 libdist-zilla-plugin-test-notabs-perl
175 libdist-zilla-plugin-test-perl-critic-perl
176 libdist-zilla-app-command-authordebs-perl
179 - apt-get update -qq # Take into account APT configuration added by apt-file
180 # Otherwise, apt-get called by "dzil authordebs --install" asks confirmation
181 - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
182 - cd $CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib
183 - dzil authordebs --install
187 image: debian:testing
189 - apt-get -qy install python3 shellcheck xmlstarlet git
190 - shellcheck --version
191 - 'git ls-files -z | ./bin/test-utils/is-file-type filter --zero shell | xargs --verbose --no-run-if-empty -0 shellcheck --format=checkstyle
192 | xmlstarlet tr config/ci/shellcheck/checkstyle2junit.xslt
197 junit: shellcheck.xml
199 test-persistent-storage-config-file:
201 - apt-get -qy install python3 python3-gi acl
202 - config/chroot_local-includes/usr/lib/python3/dist-packages/tps/configuration/config_file_test.py
206 - apt-get -qy install python3 python3-sh python3-toml python3-requests python3-bs4
207 - config/chroot_local-includes/usr/local/lib/tails-gdm-error-message doctest --verbose
208 - env PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages python3 config/chroot_local-includes/usr/local/bin/tails-documentation --doctest
209 - ./bin/locale-descriptions doctest
213 - if: '$CI_COMMIT_BRANCH != "master"'
215 - 'cat config/chroot_local-packageslists/tor-connection-assistant.list
217 | xargs apt-get -qy install'
218 - 'cd config/chroot_local-includes/usr/lib/python3/dist-packages ; find tca -name "*.py" -print0 | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest'
222 - if: '$CI_COMMIT_BRANCH != "master"'
224 - 'cat config/chroot_local-packageslists/tor-connection-assistant.list
226 | xargs apt-get -qy install'
227 - 'PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages env python3 ./config/chroot_local-includes/usr/local/lib/tca-portal --doctest-only --log-level DEBUG'
232 - if: '$CI_COMMIT_BRANCH != "master"'
234 - apt-get -qy install python3 python3-atomicwrites python3-sh python3-gi git
235 - 'cd config/chroot_local-includes/usr/lib/python3/dist-packages ; find tailslib -name "*.py" -print0 | grep --null-data -v -e netnsdrop.py -e gnome.py | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest'
239 - if: '$CI_COMMIT_BRANCH != "master"'
241 - 'cat config/chroot_local-packageslists/whisperback.list | grep -E -v "^#"
242 | xargs apt-get -qy install'
243 - apt-get -qy install python3-pytest
244 - 'PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
245 pytest-3 --verbose --junit-xml=report.xml
246 config/chroot_local-includes/usr/lib/python3/dist-packages/whisperBack/test.py'
252 apt-snapshots-expiry:
254 - apt-get -qy install curl git
255 - ./bin/apt-snapshots-expiry
257 - if: '$CI_COMMIT_BRANCH =~ /^stable|testing|devel$/'
260 - config/APT_snapshots.d/*/serial
261 - vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial
263 .install-https-get-expired-build-deps: &install-https-get-expired-build-deps
264 - apt-get -qy install --no-install-recommends golang-go ca-certificates
266 .build-https-get-expired: &build-https-get-expired
267 - go build -o ./https-get-expired config/chroot_local-includes/usr/src/https-get-expired.go
269 .test-https-get-expired: &test-https-get-expired
270 - echo "Basic check:"
271 - ./https-get-expired -reject-expired https://tails.net/
272 - echo "Let's pretend we are in the past. Then, this certificate is still good."
273 - ./https-get-expired -current-time 2000-01-01 -reject-expired https://tails.net/
274 - echo "Let's pretend we are in the future. Then, this certificate is expired"
275 - "! ./https-get-expired -current-time 2090-01-01 -reject-expired https://tails.net/"
276 - "! ./https-get-expired -reject-expired https://wrong.host.badssl.com/"
277 - "! ./https-get-expired -reject-expired https://self-signed.badssl.com/"
278 - "! ./https-get-expired -reject-expired https://untrusted-root.badssl.com/"
279 - "! ./https-get-expired -reject-expired https://expired.badssl.com/"
280 - echo "Invalid host"
281 - "! ./https-get-expired -reject-expired https://nxdomain.tails.net/"
282 - "./bin/test-utils/https-get-expired-test-all"
286 - if: '$CI_COMMIT_BRANCH =~ /^stable|testing|devel$/'
289 - config/chroot_local-includes/usr/src/https-get-expired.go
290 - config/chroot_local-includes/etc/default/htpdate.pools
292 - *install-https-get-expired-build-deps
293 - *build-https-get-expired
294 - *test-https-get-expired
296 https-get-expired-sid:
297 # this job gives us results using a future version of Golang compared to the one we actually use
300 - if: '$CI_COMMIT_BRANCH == "devel"'
303 - config/chroot_local-includes/usr/src/https-get-expired.go
304 - config/chroot_local-includes/etc/default/htpdate.pools
306 - *install-https-get-expired-build-deps
307 - *build-https-get-expired
308 - *test-https-get-expired