TOR-Official/.gitlab-ci.yml

####
# DO NOT EDIT THIS FILE IN MASTER.  ONLY EDIT IT IN THE OLDEST SUPPORTED
# BRANCH, THEN MERGE FORWARD.
####

# This file controls how gitlab validates Tor commits and merge requests.
#
# It is primarily based on a set of scripts and configurations by
# Hans-Christoph Steiner.  It only copies parts of those scripts and
# configurations for now.  If you want a new piece of functionality
# (more debians, more fedoras, android support) then you shouldn't
# start from scratch: have a look at the original ticket, at
# https://gitlab.torproject.org/tpo/core/tor/-/issues/32193 !
#
# The file to copy from is
# https://gitlab.torproject.org/tpo/core/tor/-/merge_requests/96/diffs#diff-content-587d266bb27a4dc3022bbed44dfa19849df3044c
#
# Having said that, if there is anything really stupid here, don't
# blame it on Hans-Christoph! Tor probably added it on their own.
#
# Copyright 2020, The Tor Project, Inc.
# See LICENSE for licence information.

# These variables are set everywhere, unconditionally.
variables:
  TERM: "ansi"
  DEBUG_CI: "yes"

# This template is for exporting ephemeral things from the scripts.  By
# convention we expect our scripts to copy stuff into artifacts/, rather than
# having a big list of files that be treated as artifacts.
.artifacts-template: &artifacts-template
  artifacts:
    name: "${CI_PROJECT_PATH}_${CI_JOB_STAGE}_${CI_COMMIT_REF_NAME}_${CI_COMMIT_SHA}"
    expire_in: 1 week
    when: always
    paths:
      - artifacts/


# This template is used for x86-64 builds.
.x86-64-template: &x86-64-template
  tags:
    - amd64
    - physical

# This template should be usable on any system that's based on apt.
.apt-template: &apt-template |
      export LC_ALL=C.UTF-8
      echo Etc/UTC > /etc/timezone
      mkdir -p apt-cache
      export APT_CACHE_DIR="$(pwd)/apt-cache"
      rm -f /etc/apt/apt.conf.d/docker-clean
      echo 'quiet "1";' \
           'Acquire::Retries "20";' \
           'APT::Install-Recommends "0";' \
           'APT::Install-Suggests "0";' \
           'APT::Get::Assume-Yes "true";' \
           'Dpkg::Use-Pty "0";' \
           "Dir::Cache::Archives \"${APT_CACHE_DIR}\"; " \
        >> /etc/apt/apt.conf.d/99gitlab
      apt-get update -qq
      apt-get upgrade -qy

# This template sets us up for Debian system in particular.
.debian-template: &debian-template
  <<: *artifacts-template
  <<: *x86-64-template
  variables:
    DEBIAN_FRONTEND: "noninteractive"
  # TODO: Using "cache" in this way speeds up our downloads.  It would be
  # even better, though, to start with a pre-upgraded debian image.
  #
  # TODO: Will we have to do this differently once we have more than one
  # debian version that we're using?
  cache:
    key: apt
    paths:
      - apt-cache
  before_script:
    - *apt-template
    # Install patches unconditionally.
    - apt-get install
        apt-utils
        automake
        build-essential
        ca-certificates
        file
        git
        libevent-dev
        liblzma-dev
        libscrypt-dev
        libseccomp-dev
        libssl-dev
        pkg-config
        python3
        zlib1g-dev
    # Install patches that we only need for some use cases.
    - if [ "$ASCIIDOC" = yes ]; then apt-get install asciidoc xmlto; fi
    - if [ "$DOXYGEN" = yes ]; then apt-get install doxygen; fi
    - if [ "$STEM" = yes ]; then apt-get install timelimit; fi
    - if [ "$CC" = clang ]; then apt-get install clang; fi
    - if [ "$NSS" = yes ]; then apt-get install libnss3 libnss3-dev; fi
    # llvm-symbolizer for sanitizer backtrace
    - if [ "$HARDENING" = yes ]; then apt-get install llvm; fi
    # TODO: This next line should not be debian-only.
    - if [ "$STEM" = yes ]; then git clone --depth 1 https://gitlab.torproject.org/tpo/network-health/stem.git ; export STEM_PATH="$(pwd)/stem"; fi
    # TODO: This next line should not be debian-only.
    - if [ "$CHUTNEY" = yes ]; then git clone --depth 1 https://gitlab.torproject.org/tpo/core/chutney.git ;  export CHUTNEY_PATH="$(pwd)/chutney"; fi
    - if [ "$TRACING" = yes ]; then apt install liblttng-ust-dev; fi

# Minimal check on debian: just make, make check.
#
debian-minimal:
  image: debian:bullseye
  <<: *debian-template
  script:
    - ./scripts/ci/ci-driver.sh

# Minimal check on debian/i386: just make, make check.
#
debian-i386-minimal:
  image: i386/debian:bullseye
  <<: *debian-template
  script:
    - ./scripts/ci/ci-driver.sh
  tags:
    - physical

#####
# Run "make check" with a hardened clang on debian stable.  This takes
# care of a hardening check, and a compile-with-clang check.
#
# TODO: This will be faster once we merge #40098 and #40099.
debian-hardened:
  image: debian:bullseye
  <<: *debian-template
  variables:
    ALL_BUGS_ARE_FATAL: "yes"
    HARDENING: "yes"
    CC: "clang"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# Distcheck on debian stable
debian-distcheck:
  image: debian:bullseye
  <<: *debian-template
  variables:
    DISTCHECK: "yes"
    CHECK: "no"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# Documentation tests on debian stable: doxygen and asciidoc.
debian-docs:
  image: debian:bullseye
  <<: *debian-template
  variables:
    DOXYGEN: "yes"
    ASCIIDOC: "yes"
    CHECK: "no"
    RUN_STAGE_BUILD: "no"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# Integration tests on debian stable: chutney and stem.
#
# TODO: It would be cool if this target didn't have to re-build tor, and
#       could instead re-use Tor from debian-minimal.  That can be done
#       with the 'artifacts' mechanism, in theory, but it would be good to
#       avoid having to have a system with hundreds of artifacts.
debian-integration:
  image: debian:bullseye
  <<: *debian-template
  variables:
    CHECK: "no"
    CHUTNEY: "yes"
    CHUTNEY_MAKE_TARGET: "test-network-all"
    STEM: "yes"
    ALL_BUGS_ARE_FATAL: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# Tracing build on Debian stable.
debian-tracing:
  image: debian:bullseye
  <<: *debian-template
  variables:
    TRACING: "yes"
    CHECK: "no"
    DISTCHECK: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# No-authority mode
debian-disable-dirauth:
  image: debian:bullseye
  <<: *debian-template
  variables:
    DISABLE_DIRAUTH: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# No-relay mode
debian-disable-relay:
  image: debian:bullseye
  <<: *debian-template
  variables:
    DISABLE_RELAY: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# GPL licensed mode, enables pow module
debian-gpl:
  image: debian:buster
  <<: *debian-template
  variables:
    GPL: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# NSS check on debian
debian-nss:
  image: debian:bullseye
  <<: *debian-template
  variables:
    NSS: "yes"
  script:
    - ./scripts/ci/ci-driver.sh

#####
# Debian packaging triggers for maintenance branches
debian-packaging-0.4.5:
  stage: deploy
  trigger:
    project: tpo/core/debian/tor
    branch: debian-0.4.5
  rules:
    - if: $CI_PROJECT_NAMESPACE == "tpo/core" &&
          $CI_COMMIT_BRANCH == "maint-0.4.5"
debian-packaging-0.4.6:
  stage: deploy
  trigger:
    project: tpo/core/debian/tor
    branch: debian-0.4.6
  rules:
    - if: $CI_PROJECT_NAMESPACE == "tpo/core" &&
          $CI_COMMIT_BRANCH == "maint-0.4.6"

#####
# Run tests written in Rust, and run clippy on all Rust code here.
rust-latest:
  image: rust:latest
  <<: *debian-template
  script:
    - apt-get install llvm-dev libclang-dev clang
    - rustup show
    - cargo build --locked --verbose
    - cargo test --verbose
    - rustup component add clippy
    - rustup show
    - cargo clippy --all-features --all-targets -- -D warnings
  after_script:
    - cargo clean