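# Create pipelines only for merge requests, tags, and pushes to the
# master, stable, testing and devel branches.
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_TAG
    # The alternation is grouped so that ^ and $ apply to every name.
    # Ungrouped, /^master|stable|testing|devel$/ also matches any branch
    # that merely contains "stable" or "testing", starts with "master",
    # or ends with "devel".
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'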
# Default image for every job that does not set its own.
# NOTE(review): a tag is mutable, so the image content can change between
# runs; pinning by digest would make the job environment reproducible.
image: 'debian:bullseye'

variables:
  # Number of attempts the runner makes to fetch the sources.
  GET_SOURCES_ATTEMPTS: '10'

# Runs before each job's script: keep apt non-interactive and refresh the
# package index so the per-job "apt-get install" lines can resolve packages.
before_script:
  - 'export DEBIAN_FRONTEND=noninteractive'
  - 'apt-get update -qq'
# Shared setup steps for the lint-po job: install the linter, then fetch
# the jenkins-tools helper scripts into /tmp/jenkins-tools.
# NOTE(review): the clone is not pinned, so the script the job later runs
# from it is whatever the remote default branch holds at job time; checking
# out a reviewed commit (<PINNED_COMMIT>) would fix what gets executed.
.prepare-lint-po: &prepare-lint-po
  - 'apt-get -qy install git i18nspector'
  - >-
    git clone
    https://gitlab.tails.boum.org/tails/jenkins-tools.git
    /tmp/jenkins-tools
# Build the website on master, on merge requests that target master, and
# whenever the CI configuration itself changes.
build-website:
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
    - changes:
        - '.gitlab-ci.yml'
  script:
    # Build dependencies, folded into one apt-get command line.
    - >-
      apt-get -qy install
      ikiwiki po4a
      libyaml-perl libyaml-libyaml-perl libyaml-syck-perl
      perlmagick
    - './build-website'
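# Lint PO files with the lint_po script from jenkins-tools.
# Runs on the master, stable, testing and devel branches, and whenever the
# CI configuration or a PO file changes.
lint-po:
  image: debian:testing
  rules:
    # Grouped alternation: ungrouped, ^ bound only to "master" and $ only to
    # "devel", so any branch containing "stable" or "testing" also matched.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        # NOTE(review): confirm this glob matches nested PO files; GitLab's
        # documented recursive form is "**/*.po".
        - ./**.po
  script:
    - *prepare-lint-po
    # Executed from the clone made by the prepare steps, i.e. code that
    # lives outside this repository.
    - /tmp/jenkins-tools/slaves/lint_po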
# Static security analysis of the tree with Bandit; findings are published
# as a JUnit report even when the job fails.
bandit:
  script:
    - 'apt-get -qy install python3-bandit file'
    # Record the scanner version in the job log.
    - 'bandit --version'
    # -ll limits the report to findings of medium severity and above.
    - >-
      ./bin/bandit-tree --configfile .bandit.yml
      -ll
      --format xml
      --output bandit.xml
      .
  artifacts:
    # Keep the report for failed runs too; that is when it matters most.
    when: always
    reports:
      junit: bandit.xml
# Run bin/check-core-pages; git is the only extra package it needs here.
check-website-core-pages:
  script:
    - 'apt-get -qy install git'
    - './bin/check-core-pages'
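# Run bin/check-po-msgfmt on the master, stable, testing and devel
# branches, and whenever the CI configuration or a PO file changes.
check-po-msgfmt:
  rules:
    # Grouped alternation: ungrouped, ^ bound only to "master" and $ only to
    # "devel", so any branch containing "stable" or "testing" also matched.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        # NOTE(review): confirm this glob matches nested PO files; GitLab's
        # documented recursive form is "**/*.po".
        - ./**.po
  script:
    - apt-get -qy install python3 gettext
    - ./bin/check-po-msgfmt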
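# Run bin/sanity-check-website on the master, stable, testing and devel
# branches, and whenever the CI configuration or a PO file changes.
check-po-meta-date:
  rules:
    # Grouped alternation: ungrouped, ^ bound only to "master" and $ only to
    # "devel", so any branch containing "stable" or "testing" also matched.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        # NOTE(review): confirm this glob matches nested PO files; GitLab's
        # documented recursive form is "**/*.po".
        - ./**.po
  script:
    - apt-get -qy install git ruby
    - ./bin/sanity-check-website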
# Run bin/check-translatable-live-website-urls against the translation
# template po/tails.pot.
check-translatable-live-website-urls:
  script:
    - 'apt-get -qy install python3-polib'
    - >-
      ./bin/check-translatable-live-website-urls
      po/tails.pot
# Run the IUK test suite with Dist::Zilla on every branch except master.
test-iuk:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the two package lists, skipping
    # comment lines.
    - >-
      cat config/chroot_local-packageslists/tails-perl5lib.list
      config/chroot_local-packageslists/tails-iuk.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # Extra packages needed only to run the tests.
    - >-
      apt-get -qy install
      apt-file
      libdist-zilla-plugin-test-notabs-perl
      libdist-zilla-plugin-test-perl-critic-perl
      libdist-zilla-app-command-authordebs-perl
      libmodule-build-perl
      sudo
      attr
      libarchive-tools
      libdevice-cdio-perl
      faketime
      genisoimage
      gnutls-bin
      libdata-dumper-concise-perl
      libdatetime-perl
      libfile-copy-recursive-perl
      libtest-lwp-useragent-perl
    - apt-get update -qq  # Take into account APT configuration added by apt-file
    # Without this setting, the apt-get started by "dzil authordebs --install"
    # would stop and ask for confirmation.
    - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
    - cd $CI_PROJECT_DIR/config/chroot_local-includes/usr/src/iuk
    - dzil authordebs --install
    - export SOURCE_DATE_EPOCH=$(date --utc +%s)
    # The environment assignments apply to this single dzil invocation.
    - >-
      TAILS_GIT_CHECKOUT=$CI_PROJECT_DIR
      PERL5LIB=$CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib/lib
      LC_ALL=C.UTF-8
      dzil test --all
# Run the perl5lib test suite with Dist::Zilla on every branch except master.
test-perl5lib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the package list, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tails-perl5lib.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # Extra packages needed only to run the tests.
    - >-
      apt-get -qy install
      apt-file
      libdist-zilla-plugin-test-notabs-perl
      libdist-zilla-plugin-test-perl-critic-perl
      libdist-zilla-app-command-authordebs-perl
      libmodule-build-perl
      sudo
    - apt-get update -qq  # Take into account APT configuration added by apt-file
    # Without this setting, the apt-get started by "dzil authordebs --install"
    # would stop and ask for confirmation.
    - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
    - cd $CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib
    - dzil authordebs --install
    - dzil test --all
# Lint the shell scripts in the tree with ShellCheck and publish the result
# as a JUnit report, also when the job fails.
shellcheck:
  image: 'debian:testing'
  script:
    - 'apt-get -qy install python3 shellcheck xmlstarlet file'
    # Record the linter version in the job log.
    - 'shellcheck --version'
    # checkstyle output is converted to JUnit XML by the project's XSLT sheet.
    - >-
      ./bin/shellcheck-tree --format=checkstyle
      | xmlstarlet tr config/ci/shellcheck/checkstyle2junit.xslt
      > shellcheck.xml
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml
# Execute the Persistent Storage config_file_test.py script directly.
test-persistent-storage-config-file:
  script:
    - 'apt-get -qy install python3 python3-gi acl'
    - 'config/chroot_local-includes/usr/lib/python3/dist-packages/tps/configuration/config_file_test.py'
# Run the doctests built into tails-gdm-error-message and
# tails-documentation.
test-python-doctest:
  script:
    - 'apt-get -qy install python3 python3-sh'
    - >-
      config/chroot_local-includes/usr/local/lib/tails-gdm-error-message
      doctest --verbose
    # PYTHONPATH points at the in-tree dist-packages directory.
    - >-
      env
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      python3
      config/chroot_local-includes/usr/local/bin/tails-documentation
      --doctest
# Run the doctests of every Python file under tca, on every branch except
# master.
test-tca:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the package list, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # One doctest run per file; file names are passed NUL-separated.
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tca -name "*.py" -print0
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Run tca-portal in doctest-only mode, on every branch except master.
test-tca-portal:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the package list, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # PYTHONPATH points at the in-tree dist-packages directory.
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      env python3
      ./config/chroot_local-includes/usr/local/lib/tca-portal
      --doctest-only --log-level DEBUG
# Run the doctests of the Python files under tailslib, on every branch
# except master.
test-tailslib:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - 'apt-get -qy install python3 python3-atomicwrites python3-sh git'
    # netnsdrop.py and gnome.py are filtered out of the NUL-separated file
    # list before one doctest run is started per remaining file.
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tailslib -name "*.py" -print0
      | grep --null-data -v -e netnsdrop.py -e gnome.py
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Run the WhisperBack test file with pytest on every branch except master
# and publish the result as a JUnit report, also when the job fails.
test-whisperback:
  rules:
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Install every package named in the package list, skipping comment lines.
    - >-
      cat config/chroot_local-packageslists/whisperback.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - 'apt-get -qy install python3-pytest'
    # PYTHONPATH points at the in-tree dist-packages directory.
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      pytest-3 --verbose --junit-xml=report.xml
      config/chroot_local-includes/usr/lib/python3/dist-packages/whisperBack/test.py
  artifacts:
    when: always
    reports:
      junit: report.xml
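# Run bin/apt-snapshots-expiry on the stable, testing and devel branches,
# and whenever the CI configuration or an APT snapshot serial file changes.
apt-snapshots-expiry:
  script:
    - apt-get -qy install curl git
    - ./bin/apt-snapshots-expiry
  rules:
    # Grouped alternation: ungrouped, ^ bound only to "stable" and $ only to
    # "devel", so e.g. any branch containing "testing" also matched.
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - config/APT_snapshots.d/*/serial
        - vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial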
# Shared step: install the Go toolchain and the CA bundle, without
# recommended packages. The CA bundle is what the test steps rely on to
# validate server certificates.
.install-https-get-expired-build-deps: &install-https-get-expired-build-deps
  - >-
    apt-get -qy install --no-install-recommends
    golang-go ca-certificates
# Shared step: compile https-get-expired from the in-tree Go source into
# the working directory.
.build-https-get-expired: &build-https-get-expired
  - >-
    go build -o ./https-get-expired
    config/chroot_local-includes/usr/src/https-get-expired.go
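# Shared test steps for https-get-expired: positive checks against
# tails.boum.org and the HTP pool hosts, negative checks against
# certificates that must be rejected.
#
# The negative checks are written as "if <cmd>; then exit 1; fi" instead of
# "! <cmd>". The job stops on a failing line through the shell's errexit
# option, and errexit ignores the status of a command negated with "!", so
# a bare "! <cmd>" line that is not the last line of the script can never
# fail the job: a regression that accepted an invalid certificate would
# have gone unnoticed.
#
# NOTE(review): any non-zero exit counts as a rejection, so an unreachable
# test host also satisfies a negative check; these checks depend on the
# third-party badssl.com hosts being up.
.test-https-get-expired: &test-https-get-expired
  - echo "Basic check:"
  - ./https-get-expired -reject-expired https://tails.boum.org/
  - echo "Let's pretend we are in the past. Then, this certificate is still good."
  - ./https-get-expired -current-time 2000-01-01 -reject-expired https://tails.boum.org/
  - echo "Let's pretend we are in the future. Then, this certificate is expired"
  - "if ./https-get-expired -current-time 2090-01-01 -reject-expired https://tails.boum.org/; then echo 'ERROR: certificate accepted with the clock set to 2090-01-01'; exit 1; fi"
  - "if ./https-get-expired -reject-expired https://wrong.host.badssl.com/; then echo 'ERROR: certificate for the wrong host was accepted'; exit 1; fi"
  - "if ./https-get-expired -reject-expired https://self-signed.badssl.com/; then echo 'ERROR: self-signed certificate was accepted'; exit 1; fi"
  - "if ./https-get-expired -reject-expired https://untrusted-root.badssl.com/; then echo 'ERROR: certificate from an untrusted root was accepted'; exit 1; fi"
  - "if ./https-get-expired -reject-expired https://expired.badssl.com/; then echo 'ERROR: expired certificate was accepted'; exit 1; fi"
  - echo "Invalid host"
  - "if ./https-get-expired -reject-expired https://nxdomain.tails.boum.org/; then echo 'ERROR: request to a non-existent host succeeded'; exit 1; fi"
  # Every host of the three HTP pools must pass validation. The loop runs in
  # a subshell so that sourcing the pools file does not leak into later
  # steps; it reports all failing hosts before exiting non-zero.
  - |
    (
      . config/chroot_local-includes/etc/default/htpdate.pools
      err=0
      for url in $(echo $HTP_POOL_1 $HTP_POOL_2 $HTP_POOL_3 | tr ',' ' '); do
        echo "$url"
        if ! ./https-get-expired -reject-expired "https://$url"; then
          echo "ERROR on $url"
          err=1
        fi
      done
      exit $err
    )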
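# Build and test https-get-expired on the stable, testing and devel
# branches, and whenever the CI configuration, the Go source or the HTP
# pool list changes.
https-get-expired:
  rules:
    # Grouped alternation: ungrouped, ^ bound only to "stable" and $ only to
    # "devel", so e.g. any branch containing "testing" also matched.
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    # Each alias expands to a list of shell steps defined as a hidden key.
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired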
# Same build and test steps as https-get-expired, but on Debian sid.
https-get-expired-sid:
  # This job shows how the tool behaves with a newer Golang than the one
  # actually used.
  image: 'debian:sid'
  rules:
    - if: '$CI_COMMIT_BRANCH == "devel"'
    - changes:
        - '.gitlab-ci.yml'
        - 'config/chroot_local-includes/usr/src/https-get-expired.go'
        - 'config/chroot_local-includes/etc/default/htpdate.pools'
  script:
    # Each alias expands to a list of shell steps defined as a hidden key.
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired