auto/config: don't set TAILS_GIT_BASE_COMMIT when building from tags
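# Decides whether a pipeline is created at all: a rule with only `if:`
# starts the pipeline as soon as its expression is true.
workflow:
  rules:
    - if: $CI_FORCE_RUN
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_TAG
    # The alternation is grouped so that ^ and $ apply to every branch name.
    # Ungrouped, ^ bound only to "master" and $ only to "devel", so any branch
    # whose name merely contained "stable" or "testing" (or started with
    # "master", or ended with "devel") also matched.
    # NOTE(review): branches that relied on the looser match now need a merge
    # request or CI_FORCE_RUN to get a pipeline.
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'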
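# Default container image for every job that does not set its own `image:`.
# NOTE(review): the tag is mutable, so the job environment changes whenever
# the image is republished; pinning by digest
# (debian:bookworm@sha256:<digest-placeholder>) trades automatic updates for
# reproducibility. Decide which one this pipeline wants.
image: debian:bookworm

variables:
  # Number of attempts the runner makes when fetching the sources.
  # Quoted because CI variable values are strings; indentation brought in line
  # with the two-space style used by the rest of the file.
  GET_SOURCES_ATTEMPTS: '10'

# Runs before the `script:` of every job that does not override it.
before_script:
  # Keep apt/dpkg from prompting in the non-interactive job shell.
  - export DEBIAN_FRONTEND=noninteractive
  # Refresh the package index so the per-job `apt-get install` calls resolve.
  - apt-get update -qq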
# Hidden key holding a reusable command list; the &prepare-lint-po anchor lets
# jobs splice it into their `script:` with *prepare-lint-po.
.prepare-lint-po: &prepare-lint-po
  - apt-get -qy install git i18nspector
  # NOTE(review): this clones whatever is at the tip of the default branch, and
  # the lint-po job then executes a script from the checkout. Checking out a
  # reviewed commit after the clone (git -C /tmp/jenkins-tools checkout
  # <commit-placeholder>) would make the executed code explicit and auditable.
  - git clone https://gitlab.tails.boum.org/tails/jenkins-tools.git /tmp/jenkins-tools
# Builds the website with ./build-website after installing ikiwiki, po4a and
# the Perl libraries listed below.
build-website:
  # The job is added when any one of these rules matches.
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
    - if: '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
    # Also run when the CI definition itself changes.
    - changes:
        - .gitlab-ci.yml
  script:
    - apt-get -qy install ikiwiki po4a libyaml-perl libyaml-libyaml-perl libyaml-syck-perl perlmagick
    - ./build-website
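# Lints PO files with the lint_po script from the jenkins-tools checkout that
# the *prepare-lint-po commands create under /tmp/jenkins-tools.
lint-po:
  image: debian:testing
  rules:
    # Alternation grouped so ^ and $ anchor every branch name; ungrouped, the
    # expression also matched any branch merely containing "stable" or
    # "testing".
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    # Otherwise run only when the CI definition or a .po file changed.
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - *prepare-lint-po
    # NOTE(review): this executes code fetched at job time from another
    # repository; what runs is whatever that clone checked out.
    - /tmp/jenkins-tools/slaves/lint_po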
# Runs Bandit over the tree through the project's ./bin/bandit-tree wrapper
# and publishes the findings as a JUnit report.
bandit:
  script:
    - apt-get -qy install python3-bandit file
    # Record the tool version in the job log.
    - bandit --version
    # Folded scalar: the lines below are joined with single spaces into one
    # command line.
    # NOTE(review): if the wrapper hands -ll to bandit unchanged, only findings
    # of medium severity and above are reported; low-severity ones never reach
    # the report. Confirm against bin/bandit-tree.
    - >-
      ./bin/bandit-tree --configfile .bandit.yml
      -ll
      --format xml
      --output bandit.xml
      .
  artifacts:
    # Upload the report even when the job fails, so findings stay visible.
    when: always
    reports:
      junit: bandit.xml
# Verifies Python formatting with black without modifying any file.
check-black:
  image: debian:bookworm
  script:
    - apt-get -qy install black
    # Record the tool version in the job log.
    - black --version
    # --check only reports; the job fails when a file would be reformatted.
    - black -t py311 --check .
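# Runs ruff through ./bin/test-utils/ruff against the merge request's target
# branch and publishes the result as a JUnit report.
ruff-changed-files:
  # Merge request pipelines only. Written with `rules:` like the other jobs in
  # this file, replacing the legacy `only: merge_requests` form.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

  image: debian:sid

  script:
    - apt-get -qy install ruff findutils git file
    # Record the tool version in the job log.
    - ruff --version
    # ${VAR:?} aborts the command when the variable is unset or empty, so the
    # comparison never silently runs against an unnamed ref.
    - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}"
    - ./bin/test-utils/ruff "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:?}" --output-format=junit --output-file=ruff.xml
  artifacts:
    # Upload the report even when the job fails.
    when: always
    reports:
      junit: ruff.xml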
# Runs the project's ./bin/check-core-pages script; git is installed first.
check-website-core-pages:
  script:
    - apt-get -qy install git
    - ./bin/check-core-pages
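# Runs ./bin/check-po-msgfmt with python3 and gettext installed.
check-po-msgfmt:
  rules:
    # Alternation grouped so ^ and $ anchor every branch name; ungrouped, the
    # expression also matched any branch merely containing "stable" or
    # "testing".
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    # Otherwise run only when the CI definition or a .po file changed.
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install python3 gettext
    - ./bin/check-po-msgfmt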
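# Runs ./bin/sanity-check-website with git and ruby installed.
check-po-meta-date:
  rules:
    # Alternation grouped so ^ and $ anchor every branch name; ungrouped, the
    # expression also matched any branch merely containing "stable" or
    # "testing".
    - if: '$CI_COMMIT_BRANCH =~ /^(master|stable|testing|devel)$/'
    # Otherwise run only when the CI definition or a .po file changed.
    - changes:
        - .gitlab-ci.yml
        - ./**.po
  script:
    - apt-get -qy install git ruby
    - ./bin/sanity-check-website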
# Runs ./bin/check-translatable-live-website-urls on the po/tails.pot template;
# python3-polib is installed for it.
check-translatable-live-website-urls:
  script:
    - apt-get -qy install python3-polib
    - ./bin/check-translatable-live-website-urls po/tails.pot
# Runs `./bin/locale-descriptions suggest`.
check-locale-descriptions:
  script:
    - apt-get -qy install python3 python3-requests python3-toml python3-bs4
    # Printed before the check so that a failing job log already points at the
    # release-process page describing the fix.
    - echo 'If this fails, look at https://tails.net/contribute/release_process/update_locale_descriptions/'
    - ./bin/locale-descriptions suggest
# Lints the Ruby code with rubocop and publishes a JUnit report.
rubocop:
  image: debian:bookworm
  script:
    - apt-get -qy install rubocop
    # Record the tool version in the job log.
    - rubocop --version
    # Two formatters: junit is written to rubocop.xml, markdown has no --out
    # and so goes to the job log.
    - rubocop --format junit --out rubocop.xml --format markdown
  artifacts:
    # Upload the report even when the job fails.
    when: always
    reports:
      junit: rubocop.xml
# Runs the ./bin/test-utils/test-iuk script.
test-iuk:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - ./bin/test-utils/test-iuk
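# Installs the packages listed for tails-perl5lib plus the Dist::Zilla
# tooling, then runs the perl5lib test suite with dzil.
test-perl5lib:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Package names come from the list file; lines starting with "#" are
    # dropped before the rest is passed to apt-get.
    - >-
      cat config/chroot_local-packageslists/tails-perl5lib.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - >-
      apt-get -qy install
      apt-file
      libdist-zilla-plugin-test-notabs-perl
      libdist-zilla-plugin-test-perl-critic-perl
      libdist-zilla-app-command-authordebs-perl
      libmodule-build-perl
      sudo
    # Take into account APT configuration added by apt-file
    - apt-get update -qq
    # Otherwise, apt-get called by "dzil authordebs --install" asks confirmation
    - echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/yes
    # Expansion quoted so a project path containing whitespace or glob
    # characters stays a single argument.
    - cd "$CI_PROJECT_DIR/config/chroot_local-includes/usr/src/perl5lib"
    - dzil authordebs --install
    - dzil test --all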
# Runs shellcheck on every tracked file that the project's is-file-type helper
# classifies as shell, and converts the checkstyle output to JUnit.
shellcheck:
  image: debian:testing
  script:
    - apt-get -qy install python3 shellcheck xmlstarlet git
    # Record the tool version in the job log.
    - shellcheck --version
    # Folded scalar: the lines below are joined with single spaces into one
    # pipeline. File names travel NUL-separated (-z / --zero / -0), so names
    # containing spaces or newlines are passed on intact.
    - >-
      git ls-files -z
      | ./bin/test-utils/is-file-type filter --zero shell
      | xargs --verbose --no-run-if-empty -0 shellcheck --format=checkstyle
      | xmlstarlet tr config/ci/shellcheck/checkstyle2junit.xslt
      > shellcheck.xml
  artifacts:
    # Upload the report even when the job fails.
    when: always
    reports:
      junit: shellcheck.xml
# Executes the tps configuration-file test script directly from the tree.
test-persistent-storage-config-file:
  script:
    - apt-get -qy install python3 python3-gi acl
    - config/chroot_local-includes/usr/lib/python3/dist-packages/tps/configuration/config_file_test.py
# Runs the doctest modes of three Python programs from the tree.
test-python-doctest:
  script:
    - apt-get -qy install python3 python3-sh python3-toml python3-requests python3-bs4
    - config/chroot_local-includes/usr/local/lib/tails-gdm-error-message doctest --verbose
    # PYTHONPATH points at the in-tree dist-packages directory for this run.
    - env PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages python3 config/chroot_local-includes/usr/local/bin/tails-documentation --doctest
    - ./bin/locale-descriptions doctest
# Runs the doctests of every Python file under the tca package.
test-tca:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Package names come from the list file; lines starting with "#" are
    # dropped before the rest is passed to apt-get.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # One python3 -m doctest invocation per file (-L1); file names are passed
    # NUL-separated.
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tca -name "*.py" -print0
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Runs tca-portal in its doctest-only mode with debug logging.
test-tca-portal:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Package names come from the list file; lines starting with "#" are
    # dropped before the rest is passed to apt-get.
    - >-
      cat config/chroot_local-packageslists/tor-connection-assistant.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    # PYTHONPATH points at the in-tree dist-packages directory for this run.
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      env python3
      ./config/chroot_local-includes/usr/local/lib/tca-portal
      --doctest-only
      --log-level DEBUG
# Runs the doctests of the tailslib package, leaving out netnsdrop.py and
# gnome.py.
test-tailslib:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    - apt-get -qy install python3 python3-atomicwrites python3-sh python3-gi git
    # File names stay NUL-separated through find, grep (--null-data) and
    # xargs; one python3 -m doctest invocation per file (-L1).
    - >-
      cd config/chroot_local-includes/usr/lib/python3/dist-packages ;
      find tailslib -name "*.py" -print0
      | grep --null-data -v -e netnsdrop.py -e gnome.py
      | xargs -0 -L1 env PYTHONPATH=. python3 -m doctest
# Runs the whisperBack test module with pytest and publishes a JUnit report.
test-whisperback:
  rules:
    # Added whenever the branch variable is anything other than "master".
    - if: '$CI_COMMIT_BRANCH != "master"'
  script:
    # Package names come from the list file; lines starting with "#" are
    # dropped before the rest is passed to apt-get.
    - >-
      cat config/chroot_local-packageslists/whisperback.list
      | grep -E -v "^#"
      | xargs apt-get -qy install
    - apt-get -qy install python3-pytest
    # PYTHONPATH points at the in-tree dist-packages directory for this run.
    - >-
      PYTHONPATH=config/chroot_local-includes/usr/lib/python3/dist-packages
      pytest-3 --verbose --junit-xml=report.xml
      config/chroot_local-includes/usr/lib/python3/dist-packages/whisperBack/test.py
  artifacts:
    # Upload the report even when the job fails.
    when: always
    reports:
      junit: report.xml
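# Runs ./bin/apt-snapshots-expiry with curl and git installed.
apt-snapshots-expiry:
  script:
    - apt-get -qy install curl git
    - ./bin/apt-snapshots-expiry
  rules:
    # Alternation grouped so ^ and $ anchor every branch name; ungrouped, the
    # expression also matched any branch merely containing "testing", starting
    # with "stable" or ending with "devel".
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    # Otherwise run only when the CI definition or an APT snapshot serial
    # file changed.
    - changes:
        - .gitlab-ci.yml
        - config/APT_snapshots.d/*/serial
        - vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial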
# Reusable command list (anchor &install-https-get-expired-build-deps): the Go
# toolchain plus the system CA bundle, without recommended extras.
# NOTE(review): the certificate checks run later presumably validate against
# the trust store that ca-certificates installs; confirm in
# https-get-expired.go.
.install-https-get-expired-build-deps: &install-https-get-expired-build-deps
  - apt-get -qy install --no-install-recommends golang-go ca-certificates
# Reusable command list (anchor &build-https-get-expired): compiles the
# in-tree Go source to ./https-get-expired in the job's working directory.
.build-https-get-expired: &build-https-get-expired
  - go build -o ./https-get-expired config/chroot_local-includes/usr/src/https-get-expired.go
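# Reusable command list (anchor &test-https-get-expired) exercising the
# freshly built ./https-get-expired against live HTTPS endpoints.
#
# Every must-fail line ends in `|| exit 1`. Bash does not apply errexit to a
# command whose status is inverted with `!`, so a bare `! cmd` only fails the
# script when it is the last command; none of these are. Without the explicit
# exit, a build that wrongly accepted one of the bad certificates could still
# leave the job green.
# NOTE(review): this assumes the runner's shell relies on errexit to stop at
# the first failing line; the explicit exit is harmless if it checks each
# status itself.
#
# NOTE(review): a must-fail line also passes when the host is simply
# unreachable, so an outage of the third-party test hosts hides a regression
# instead of revealing it. Checking the tool's error output for the expected
# reason would close that gap, if the tool exposes one.
.test-https-get-expired: &test-https-get-expired
  - echo "Basic check:"
  - ./https-get-expired -reject-expired https://tails.net/
  - echo "Let's pretend we are in the past. Then, this certificate is still good."
  - ./https-get-expired -current-time 2000-01-01 -reject-expired https://tails.net/
  - echo "Let's pretend we are in the future. Then, this certificate is expired"
  - "! ./https-get-expired -current-time 2090-01-01 -reject-expired https://tails.net/ || exit 1"
  # Certificates that must be rejected: wrong host name, self-signed,
  # untrusted root, expired.
  - "! ./https-get-expired -reject-expired https://wrong.host.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://self-signed.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://untrusted-root.badssl.com/ || exit 1"
  - "! ./https-get-expired -reject-expired https://expired.badssl.com/ || exit 1"
  - echo "Invalid host"
  - "! ./https-get-expired -reject-expired https://nxdomain.tails.net/ || exit 1"
  - ./bin/test-utils/https-get-expired-test-all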
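# Builds https-get-expired on the default image and runs its checks; the three
# aliases refer to the hidden command lists defined in this file.
https-get-expired:
  rules:
    # Alternation grouped so ^ and $ anchor every branch name; ungrouped, the
    # expression also matched any branch merely containing "testing", starting
    # with "stable" or ending with "devel".
    - if: '$CI_COMMIT_BRANCH =~ /^(stable|testing|devel)$/'
    # Otherwise run only when the CI definition, the Go source or the htpdate
    # pool list changed.
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired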
# Same build and checks as the https-get-expired job, on Debian sid.
https-get-expired-sid:
  # Gives early results with a newer Go toolchain than the one actually used.
  image: debian:sid
  rules:
    - if: '$CI_COMMIT_BRANCH == "devel"'
    # Otherwise run only when the CI definition, the Go source or the htpdate
    # pool list changed.
    - changes:
        - .gitlab-ci.yml
        - config/chroot_local-includes/usr/src/https-get-expired.go
        - config/chroot_local-includes/etc/default/htpdate.pools
  script:
    - *install-https-get-expired-build-deps
    - *build-https-get-expired
    - *test-https-get-expired