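# Pipeline-wide settings: stage order, pipeline creation rules, default image,
# runner variables and the commands every job runs first.
stages:
  - test
  - build-website
  - deploy-website

# A pipeline is created when any one of these rules matches.
workflow:
  rules:
    - if: $CI_FORCE_RUN
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_TAG
    # The alternation is grouped so that both anchors apply to every name.
    # Ungrouped, /^master|stable|testing|devel$/ also matches any branch whose
    # name merely contains "stable" or "testing", starts with "master" or
    # ends with "devel".
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'

# Default image for jobs that do not set their own.
image: debian:bookworm

variables:
  # Quoted so the value stays a string whatever the YAML loader infers.
  GET_SOURCES_ATTEMPTS: "10"

# Runs before the script of every job that does not override before_script.
before_script:
  - export DEBIAN_FRONTEND=noninteractive
  - apt-get update -qq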
# Reusable script fragment (YAML anchor) that the lint-po job pulls in through
# the *prepare-lint-po alias. It installs git and i18nspector, then clones
# jenkins-tools into /tmp/jenkins-tools, from which lint-po runs a script.
# NOTE(review): the clone takes the tip of that repository's default branch;
# no commit or tag is pinned, so the job executes whatever is there at run time.
.prepare-lint-po: &prepare-lint-po
  - 'apt-get -qy install git i18nspector'
  - 'git clone https://gitlab.tails.boum.org/tails/jenkins-tools.git /tmp/jenkins-tools'
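# Builds the website with ./build-website. Runs for master, for merge requests
# that target master, and whenever this CI file changes.
build-website:
  stage: build-website
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
    - changes:
        - .gitlab-ci.yml
  # The build output and the ikiwiki state are cached per branch.
  cache:
    key: website-$CI_COMMIT_BRANCH
    paths:
      - config/chroot_local-includes/usr/share/doc/tails/website
      - wiki/src/.ikiwiki
  script:
    - apt-get update && apt-get -y install wget
    # The downloaded key is kept out of /etc/apt/trusted.gpg.d and bound to the
    # deb.tails.boum.org source with signed-by, so APT does not accept it for
    # the Debian sources configured in this job.
    # NOTE(review): the key comes from a branch tip at job time and nothing
    # compares it with the fingerprint in its file name; consider verifying
    # the fingerprint after download or keeping the key in this repository.
    - mkdir -p /etc/apt/keyrings
    - wget -q https://gitlab.tails.boum.org/tails/puppet-tails/-/raw/master/files/D68F87149EBA77541573C1C12453AA9CE4123A9A.asc -O /etc/apt/keyrings/tails.asc
    # APT preference that pins po4a to the bullseye release added below.
    - |
      echo -e 'Explanation: tails: po4a
      Package: po4a
      Pin: release n=bullseye, o=Debian
      Pin-Priority: 1000' > /etc/apt/preferences.d/po4a.pref
    - echo 'deb [signed-by=/etc/apt/keyrings/tails.asc] https://deb.tails.boum.org/ ikiwiki main' > /etc/apt/sources.list.d/tails.list
    - echo 'deb https://deb.debian.org/debian bullseye main' > /etc/apt/sources.list.d/bullseye.list
    - apt-get update && apt-get -y install ikiwiki po4a libyaml-perl libyaml-libyaml-perl libyaml-syck-perl perlmagick
    - ./build-website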
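# Publishes the cached website directory over rsync/SSH. Runs only for master.
# The deploy key and the known_hosts data come from the CI variables
# WEBSITE_DEPLOY_SSH_PRIVATE_KEY and WEBSITE_DEPLOY_SSH_KNOWN_HOSTS, which the
# script treats as file paths.
deploy-website:
  stage: deploy-website
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
  cache:
    key: website-$CI_COMMIT_BRANCH
    paths:
      - config/chroot_local-includes/usr/share/doc/tails/website
      - wiki/src/.ikiwiki
  script:
    - apt-get install -y openssh-client rsync
    - test -e .ssh || mkdir .ssh
    - cp "$WEBSITE_DEPLOY_SSH_PRIVATE_KEY" .ssh/private_key
    - cp "$WEBSITE_DEPLOY_SSH_KNOWN_HOSTS" .ssh/known_hosts
    - chmod 400 .ssh/known_hosts .ssh/private_key
    - echo "variables often lack a trailing newline, which breaks SSH, detect and fix"
    # If the key does not parse, append a newline and let the next call retry.
    - ssh-keygen -y -f .ssh/private_key || echo >> .ssh/private_key
    - echo "here is the SSH key we will deploy with"
    # ssh-keygen -y prints the public half only; the private key is not logged.
    - ssh-keygen -y -f .ssh/private_key
    - echo -n "Begin rsync, time is " && date '+%Y-%m-%d %H-%M-%S%z'
    # StrictHostKeyChecking=yes states the intent outright: connect only when
    # the server key is already in the supplied known_hosts file, and never add
    # a new key. --delete removes remote files that are absent from the build.
    - rsync --rsh="ssh -p 3004 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=.ssh/known_hosts -i .ssh/private_key" --checksum --archive --no-times --verbose --mkpath --delete "config/chroot_local-includes/usr/share/doc/tails/website/" www-data@chameleon.tails.net:/
  # Runs whether the script passed or failed, so the private key copy does not
  # stay behind in the runner's working directory.
  after_script:
    - rm -f .ssh/private_key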
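# Lints .po files with the lint_po script from the jenkins-tools checkout that
# the *prepare-lint-po fragment clones into /tmp/jenkins-tools.
lint-po:
  image: debian:testing
  rules:
    # Grouped alternation: without the parentheses the anchors bind only to the
    # first and last alternative, and a branch that merely contains "stable"
    # or "testing" would match as well.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - *prepare-lint-po
    - /tmp/jenkins-tools/slaves/lint_po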
# Merge-request-only job: fetches the target branch and runs the
# bin/test-utils/ruff wrapper with "check" against it. The JUnit report
# ruff.xml is uploaded whether the job passes or fails.
ruff-lint-changed-files:
  image: debian:sid
  only: [merge_requests]
  script:
    - 'apt-get -qy install ruff findutils git python3'
    - 'ruff --version'
    # ${VAR:?} makes the shell abort when the variable is unset or empty.
    - 'git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"'
    - >-
      ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
      check --output-format=junit --output-file=ruff.xml
  artifacts:
    when: always
    reports:
      junit: ruff.xml
# Merge-request-only job: fetches the target branch and runs the
# bin/test-utils/ruff wrapper with "format --check" against it.
ruff-format-changed-files:
  image: debian:sid
  only: [merge_requests]
  script:
    - 'apt-get -qy install ruff findutils git python3'
    - 'ruff --version'
    # ${VAR:?} makes the shell abort when the variable is unset or empty.
    - 'git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"'
    - >-
      ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
      format --check
# Installs git, then runs bin/check-core-pages from the repository.
check-website-core-pages:
  script:
    - 'apt-get -qy install git'
    - './bin/check-core-pages'
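# Runs bin/check-po-msgfmt on the long-lived branches and whenever this CI file
# or a .po file changes.
check-po-msgfmt:
  rules:
    # Grouped alternation: without the parentheses the anchors bind only to the
    # first and last alternative, and a branch that merely contains "stable"
    # or "testing" would match as well.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install python3 gettext
    - ./bin/check-po-msgfmt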
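# Runs bin/sanity-check-website on the long-lived branches and whenever this CI
# file or a .po file changes.
check-po-meta-date:
  rules:
    # Grouped alternation: without the parentheses the anchors bind only to the
    # first and last alternative, and a branch that merely contains "stable"
    # or "testing" would match as well.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install git ruby
    - ./bin/sanity-check-website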
# Runs bin/check-translatable-live-website-urls on the po/tails.pot template.
check-translatable-live-website-urls:
  script:
    - 'apt-get -qy install python3-polib'
    - './bin/check-translatable-live-website-urls po/tails.pot'
# Runs "bin/locale-descriptions suggest"; the echo before it points whoever
# reads a failing log at the release-process page to follow.
check-locale-descriptions:
  script:
    - 'apt-get -qy install python3 python3-requests python3-toml python3-bs4'
    - "echo 'If this fails, look at https://tails.net/contribute/release_process/update_locale_descriptions/'"
    - './bin/locale-descriptions suggest'
# Runs rubocop over the repository. The JUnit report goes to rubocop.xml and is
# uploaded whether the job passes or fails; the markdown output goes to the log.
rubocop:
  image: debian:bookworm
  script:
    - 'apt-get -qy install rubocop'
    - 'rubocop --version'
    - 'rubocop --format junit --out rubocop.xml --format markdown'
  artifacts:
    when: always
    reports:
      junit: rubocop.xml
# Runs bin/test-utils/test-iuk on every branch pipeline except master.
test-iuk:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - ./bin/test-utils/test-iuk
# Runs the perl5lib test suite with dzil on every branch pipeline except
# master. Each folded scalar (>-) below is joined into one shell line.
test-perl5lib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the list file, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tails-perl5lib.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - >-
      apt-get -qy install
      apt-file
      libdist-zilla-plugin-test-notabs-perl
      libdist-zilla-plugin-test-perl-critic-perl
      libdist-zilla-app-command-authordebs-perl
      libmodule-build-perl
      sudo
    # Take into account APT configuration added by apt-file
    - apt-get update -qq
    # Otherwise, apt-get called by "dzil authordebs --install" asks confirmation
    - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
    - cd $CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib
    - dzil authordebs --install
    - dzil test --all
# Runs shellcheck on the tracked files that bin/test-utils/is-file-type selects
# as shell, converts the checkstyle output to JUnit with xmlstarlet and uploads
# shellcheck.xml whether the job passes or fails.
shellcheck:
  image: debian:testing
  script:
    - 'apt-get -qy install python3 shellcheck xmlstarlet git'
    - 'shellcheck --version'
    # NUL-separated file names (-z, --zero, -0) survive unusual characters.
    - >-
      git ls-files -z
      | ./bin/test-utils/is-file-type filter --zero shell
      | xargs --verbose --no-run-if-empty -0 shellcheck --format=checkstyle
      | xmlstarlet tr config/ci/shellcheck/checkstyle2junit.xslt
      > shellcheck.xml
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml
# Executes the tps configuration test file directly after installing python3,
# python3-gi and acl.
test-persistent-storage-config-file:
  script:
    - 'apt-get -qy install python3 python3-gi acl'
    - 'config/chroot_local-includes/usr/lib/python3/dist-packages/tps/configuration/config_file_test.py'
# Runs the doctest modes of three scripts shipped in the repository.
test-python-doctest:
  script:
    - 'apt-get -qy install python3 python3-sh python3-toml python3-requests python3-bs4'
    - 'config/chroot_local-includes/usr/local/lib/tails-gdm-error-message doctest --verbose'
    # PYTHONPATH points at the in-tree dist-packages directory.
    - >-
      env PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      python3 config/chroot_local-includes/usr/local/bin/tails-documentation --doctest
    - './bin/locale-descriptions doctest'
# Runs python3 -m doctest on every .py file under tca, on every branch pipeline
# except master. Each folded scalar (>-) below is joined into one shell line.
test-tca:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the list file, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # One doctest run per file (-L1), with the package directory on PYTHONPATH.
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tca -name "*.py" -print0
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Runs tca-portal in its doctest-only mode with debug logging, on every branch
# pipeline except master. Each folded scalar (>-) is joined into one shell line.
test-tca-portal:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the list file, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      env python3 ./config/chroot_local-includes/usr/local/lib/tca-portal
      --doctest-only --log-level DEBUG
# Runs python3 -m doctest on the .py files under tailslib, on every branch
# pipeline except master.
test-tailslib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - 'apt-get -qy install python3 python3-atomicwrites python3-sh python3-gi git'
    # netnsdrop.py and gnome.py are filtered out of the NUL-separated file list
    # before the remaining files are doctested one by one (-L1).
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tailslib -name "*.py" -print0
      | grep --null-data -v -e netnsdrop.py -e gnome.py
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Runs the whisperBack test file with pytest-3 on every branch pipeline except
# master; report.xml is uploaded whether the job passes or fails.
test-whisperback:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the list file, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/whisperback.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - 'apt-get -qy install python3-pytest'
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      pytest-3 --verbose --junit-xml=report.xml
      config/chroot_local-includes/usr/lib/python3/dist-packages/whisperBack/test.py
  artifacts:
    when: always
    reports:
      junit: report.xml
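# Runs bin/apt-snapshots-expiry on stable, testing and devel, and whenever this
# CI file or an APT snapshot serial file changes.
apt-snapshots-expiry:
  rules:
    # Grouped alternation: without the parentheses the anchors bind only to the
    # first and last alternative, and a branch that merely contains "testing"
    # or starts with "stable" would match as well.
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - config/APT_snapshots.d/*/serial
        - vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial
  script:
    - apt-get -qy install curl git
    - ./bin/apt-snapshots-expiry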
# Script fragment (YAML anchor) used by both https-get-expired jobs: installs
# the Go toolchain and the CA certificate bundle, without recommended packages.
.install-https-get-expired-build-deps: &install-https-get-expired-build-deps
  - 'apt-get -qy install --no-install-recommends golang-go ca-certificates'
# Script fragment (YAML anchor) used by both https-get-expired jobs: compiles
# the Go source into ./https-get-expired in the working directory.
.build-https-get-expired: &build-https-get-expired
  - 'go build -o ./https-get-expired config/chroot_local-includes/usr/src/https-get-expired.go'
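# Script fragment (YAML anchor) used by both https-get-expired jobs. It checks
# that the freshly built client accepts a valid certificate and refuses bad
# ones: wrong host, self-signed, untrusted root, expired, unresolvable name.
#
# Every negative check ends in "|| exit 1". A shell running with errexit does
# not stop on a command whose status is inverted with "!", so a bare "! cmd"
# in the middle of the script cannot fail the job: if the client wrongly
# accepted a bad certificate, the script would carry on and the result would
# depend on the last line alone.
.test-https-get-expired: &test-https-get-expired
  - echo "Basic check:"
  - ./https-get-expired -reject-expired https://tails.net/
  - echo "Let's pretend we are in the past. Then, this certificate is still good."
  - ./https-get-expired -current-time 2000-01-01 -reject-expired https://tails.net/
  - echo "Let's pretend we are in the future. Then, this certificate is expired"
  - "! ./https-get-expired -current-time 2090-01-01 -reject-expired https://tails.net/ || exit 1"
  - "! ./https-get-expired -reject-expired https://wrong.host.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://self-signed.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://untrusted-root.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://expired.badssl.com/ || exit 1"
  - echo "Invalid host"
  - "! ./https-get-expired -reject-expired https://nxdomain.tails.net/ || exit 1"
  - "./bin/test-utils/https-get-expired-test-all"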
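# Builds and tests https-get-expired on the default image. Runs on stable,
# testing and devel, and whenever this CI file, the Go source or the htpdate
# pool list changes.
https-get-expired:
  rules:
    # Grouped alternation: without the parentheses the anchors bind only to the
    # first and last alternative, and a branch that merely contains "testing"
    # or starts with "stable" would match as well.
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired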
# Same build and test steps as https-get-expired, but on debian:sid, to get
# results with a newer Go toolchain than the one actually in use. Runs on
# devel, and whenever this CI file, the Go source or the htpdate pool list
# changes.
https-get-expired-sid:
  image: debian:sid
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired
  rules:
    - if: '$CI_COMMIT_BRANCH == "devel"'
    - changes:
        - '.gitlab-ci.yml'
        - 'config/chroot_local-includes/usr/src/https-get-expired.go'
        - 'config/chroot_local-includes/etc/default/htpdate.pools'