# Image for every job that does not set its own `image:` (several below do).
image: debian:buster

# Pipeline stages, run in this order.
stages: [deploy, production]

# Shared environment for all jobs.
variables:
  LC_ALL: C.UTF-8
  # Keeps debconf from prompting during the apt-get runs in the templates below.
  DEBIAN_FRONTEND: noninteractive
  # Jekyll output directory used by the f-droid.org job.
  OUT_DIR: build
# Hidden job (leading dot) holding the apt bootstrap that jobs pull in with
# the *apt-template alias: quiet/non-interactive apt settings, switch the
# sources to HTTPS once ca-certificates is installed, enable buster-backports
# and pin the listed Jekyll/Ruby packages to it at priority 500 so those
# versions are the ones installed, then dist-upgrade.
#
# This template needs to be in text block format since gitlab-runner
# exec cannot handle templates in list format.
.apt-template: &apt-template |
  set -x
  set -e
  echo Etc/UTC > /etc/timezone
  echo 'quiet "1";' \
       'APT::Install-Recommends "0";' \
       'APT::Install-Suggests "0";' \
       'APT::Get::Assume-Yes "true";' \
       'Acquire::Retries "20";' \
       'Dpkg::Use-Pty "0";' \
       > /etc/apt/apt.conf.d/99gitlab
  apt-get update
  apt-get install ca-certificates
  sed -i 's,http:,https:,g' /etc/apt/sources.list
  echo "deb https://deb.debian.org/debian/ buster-backports main" >> /etc/apt/sources.list
  printf "Package\x3a po4a ruby-git ruby-jekyll-include-cache ruby-jekyll-last-modified-at ruby-jekyll-paginate-v2 ruby-jekyll-redirect-from ruby-jekyll-sitemap ruby-loofah ruby-nokogiri ruby-rchardet ruby-rouge ruby-zip\nPin\x3a release a=buster-backports\nPin-Priority\x3a 500\n" > /etc/apt/preferences.d/debian-buster-backports.pref
  apt-get update
  apt-get dist-upgrade
# Common steps required for each type of "Build" (f-droid.org, GitLab Pages, feature branches)
#
# Installs the Jekyll toolchain from Debian packages only: the Gemfile.lock is
# dropped and `bundle install --local` resolves against the gems already on
# the system, so nothing is fetched from rubygems.org here. Ends by running
# the repository's i18n script.
#
# This template needs to be in text block format since gitlab-runner
# exec cannot handle templates in list format.
.setup_for_jekyll: &setup_for_jekyll |
  set -x
  set -e
  apt-get install --install-recommends git libunicode-linebreak-perl po4a
  apt-get install \
      gettext \
      linkchecker \
      python3-babel \
      rsync \
      rubocop \
      ruby-bundler \
      ruby-git \
      ruby-jekyll-include-cache \
      ruby-jekyll-paginate-v2 \
      ruby-jekyll-redirect-from \
      ruby-json \
      ruby-loofah \
      ruby-nokogiri \
      ruby-rchardet \
      ruby-rouge \
      ruby-rspec \
      ruby-zip \
      unzip
  rm -f Gemfile.lock
  bundle install --local --verbose
  ./tools/i18n.sh
# This is a manual task for building in preparation to deploy to
# https://f-droid.org. The intention is for it to be run locally using
# `gitlab-runner` each time a tag is found that is signed by a key in
# the whitelist keyring. Invoke like so:
#
#   gitlab-runner exec docker f-droid.org --pre-build-script ./prepare-for-deploy.py \
#       --docker-volumes "/root/deploy-whitelist-keyring.gpg:/root/.gnupg/pubring.gpg:ro" \
#       --docker-volumes `pwd`/_site:/builds/output
#
# And when it is finished, you should have a directory in _site/build/
# which includes the entire static site ready to be deployed to
# https://f-droid.org.
f-droid.org:
  stage: production
  # NOTE(review): these ref filters name the project path fdroid/fdroidserver,
  # while the Pages comment further down refers to fdroid-website; if this file
  # lives in fdroid-website the job can never be selected — confirm the path.
  only:
    - tags@fdroid/fdroidserver
    - master@fdroid/fdroidserver
  when: manual
  script:
    # Refuse to build unless the output volume described above is mounted.
    - '[ ! -d /builds/output ] && echo "ERROR: /builds/output is not mounted inside docker!" && exit 1'
    - *apt-template
    - *setup_for_jekyll
    # Point the Jekyll config at the production site (\x3a is sed's escape
    # for ':' so the line stays a valid YAML plain scalar).
    - sed -Ei
        -e "s,^(url\x3a).*,\1 https://f-droid.org,"
        -e 's,^(baseurl\x3a).*,\1 "",'
        _config.yml
    - echo "Jekyll config used for CI:" && cat _config.yml
    - jekyll build -d $OUT_DIR --trace
    - ./tools/prepare-multi-lang.sh $OUT_DIR
    - ./tools/deploy-external-assets.sh $OUT_DIR
    # Mirror the finished site into the mounted output volume.
    - rsync -ax --delete $OUT_DIR /builds/output/
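# GitLab Pages build: runs the repository's consistency checks, builds the
# site for the gitlab.io preview URL and link-checks the result. Artifacts
# (the `public` dir) are kept for a week even when the job fails.
pages:
  stage: deploy
  except:
    - triggers
  artifacts:
    paths:
      - public
    expire_in: 1w
    when: always
  script:
    # Fail early on files under the Jekyll _* dirs with an unexpected extension.
    - (find _*/ -type f | grep -Ev '\.(html|json|md|rb|scss|xml|yaml)$')
        && (echo "ERROR The above files have a bad or missing file extension"; exit 1)
    - *apt-template
    - apt-get install curl python3-colorama python3-yaml
    - ./tools/trigger-spellcheckbot
    # use the 'gitlab ci' subset of languages
    - sed -i 's,^languages:,ignored_languages:,' _config.yml
    - sed -i 's,^gitlab_ci_languages:,languages:,' _config.yml
    - *setup_for_jekyll
    - ./tools/check-liquid-strings-var-names.py
    - ./tools/check-format-strings.py
    - ./tools/check-page-links.py
    - ./tools/check-yaml-front-matter.py
    - ./tools/check-do-not-translate
    - ./tools/check-markdown-headers-are-localizable.py
    # This is where GitLab pages will deploy to by default (e.g. "https://fdroid.gitlab.io/fdroid-website")
    # so we need to make sure that the Jekyll configuration understands this.
    - sed -Ei
        -e "s,^(url\x3a).*,\1 'https://$CI_PROJECT_NAMESPACE.gitlab.io',"
        -e "s,^(baseurl\x3a).*,\1 '/$CI_PROJECT_NAME',"
        _config.yml
    - echo "Jekyll config used for CI:" && cat _config.yml
    - jekyll build -d public --trace --future
    # The preview site ships the no-index robots.txt variant.
    - cp public/robots.txt.noindex public/robots.txt
    - ./tools/prepare-multi-lang.sh public --no-type-maps
    # Expose the build under the same path prefix Pages will use, so the
    # link checker sees the same URLs as the deployed site.
    - mkdir linkchecker/
    - ln -s ../public linkchecker/$CI_PROJECT_NAME
    # Serve the build in the background, then wait (up to 30s) until the
    # port answers before starting linkchecker; without the wait linkchecker
    # could race the server start-up and report the whole site as down.
    - ruby -run -e httpd linkchecker/ -p 4000 > /dev/null 2>&1 &
    - for i in $(seq 1 30); do curl -s -o /dev/null http://localhost:4000/ && break; sleep 1; done
    - linkchecker http://localhost:4000/$CI_PROJECT_NAME --config=.linkcheckerrc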
# check rsync mirrors still available
#
# Reads the mirror host names from _data/rsync_mirrors.yaml (everything after
# the first ':' on each line) and asks each one for a listing of its fdroid
# module, retrying a failed mirror twice before the job fails on it.
rsync mirrors:
  image: debian:bullseye-slim
  stage: deploy
  only:
    - master@fdroid/fdroidserver
  script:
    - apt-get update
    - apt-get -qy install rsync
    # NOTE(review): two things here look worth confirming against a real run:
    # the bare `rsync` word before `-axv` is taken by rsync as a local source
    # path named "rsync", and the trailing backslashes survive YAML's line
    # folding as `\ ` (an escaped space), which the shell passes on as an
    # extra argument. The intended command is presumably
    # `rsync --list-only -axv ${f}::fdroid`, one attempt per line.
    - for f in `sed 's,[^:]*:,,' _data/rsync_mirrors.yaml`; do
          rsync --list-only rsync -axv ${f}::fdroid \
              || rsync --list-only rsync -axv ${f}::fdroid \
              || rsync --list-only rsync -axv ${f}::fdroid;
      done
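# Spell-checks the markdown files changed by a commit in another pipeline.
# Runs only from triggers; the triggering side passes the repository URL and
# commit in FROM_CI_PROJECT_URL / FROM_CI_COMMIT_SHA. A failure here does
# not fail the pipeline (allow_failure).
spellcheckbot:
  image: debian:bullseye
  stage: deploy
  allow_failure: true
  only:
    - triggers
  script:
    - *apt-template
    - apt-get install git
    # Quoted on purpose: with the bare `test -n $VAR` form an empty or unset
    # variable expands to no operand at all, and `test -n` without an operand
    # is true, so the guard passed and `git fetch` ran with missing arguments.
    - test -n "${FROM_CI_PROJECT_URL}"
    - test -n "${FROM_CI_COMMIT_SHA}"
    - git fetch "${FROM_CI_PROJECT_URL}" "${FROM_CI_COMMIT_SHA}"
    # Collect the changed *.md files (deleted files excluded by --diff-filter=d).
    - for f in `git diff --name-only --diff-filter=d HEAD...${FROM_CI_COMMIT_SHA}`; do
          export CHANGED="$CHANGED `echo $f | grep '\.md$' || true`";
      done
    - if [ -z "`echo $CHANGED | sed 's,\s*,,g'`" ]; then
          echo "No markdown files changed";
          exit 0;
      else
          echo "Spellchecking $CHANGED";
          git checkout --force "${FROM_CI_COMMIT_SHA}";
      fi
    # NOTE(review): from here on the ./tools scripts come from the checked-out
    # triggering commit, so whoever can trigger this job also decides what
    # those scripts do; keep whatever credentials this job can see scoped to
    # what the bot needs (python3-gitlab is installed, presumably to report
    # results via the API — confirm).
    - apt-get install hunspell-en-us nodejs npm python3-gitlab python3-requests
    - ./tools/fetch-spelling-words.py >> .spelling
    - npm i markdown-spellcheck -g
    # mdspell's report goes to output.txt; on misspellings the bot script runs.
    - (mdspell --report --en-gb --ignore-numbers --ignore-acronyms $CHANGED > output.txt 2>&1)
        || ./tools/spellcheckbot.py
    - cat output.txt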
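# Download and verify that the FDroid.apk is signed by the right PGP
# key. The only time that F-Droid's signed metadata does not verify
# the APK is the initial download and install of F-Droid itself. An
# attacker could replace the FDroid.apk and PGP signature on the
# website. The gpg key model is to trust only the key that is included
# in this script, so there is a test to check that it is starting with
# an empty keyring.
check_fdroid_apk_bot:
  stage: deploy
  only:
    - schedules
    - master@fdroid/fdroidserver
  image: alpine:3.16
  variables:
    apk: F-Droid.apk
    asc: F-Droid.apk.asc
    curl: "curl --user-agent F-Droid --retry 99"
    # The only key this job trusts; everything below is checked against it.
    fingerprint: 37D2C98789D8311948394E3E41E7044E1DBA2E89
    pip: pip3 --timeout 100 --retries 10
  # Keep the downloaded files when verification fails, for later inspection.
  artifacts:
    name: "$apk-failed-${CI_JOB_ID}"
    paths:
      - $apk
      - $asc
    expire_in: 180 days
    when: on_failure
  script:
    - apk add --no-cache gnupg curl
    # The trust decision below is "only $fingerprint", which presumes the
    # keyring starts out empty.
    - "! (gpg --list-keys | grep pub)"
    # NOTE(review): the key file name reads `[email protected]` on this copy,
    # which looks like e-mail-address obfuscation from the page scrape;
    # restore the real path from the repository.
    - $curl https://f-droid.org/[email protected] | gpg --import || true
    - gpg --recv-key $fingerprint || true
    - gpg --keyserver https://keyserver.ubuntu.com --recv-key $fingerprint || true
    # Hard failure if none of the three sources delivered the expected key.
    - gpg --list-key $fingerprint
    - echo "${fingerprint}:6:" | gpg --import-ownertrust
    - $curl https://f-droid.org/$apk > $apk
    - $curl https://f-droid.org/$asc > $asc
    - ls -l $apk $asc
    - sha256sum $apk
    # `--trust-model always` accepts a good signature from ANY key in the
    # keyring, and the key file fetched from the website above could carry
    # extra keys if the site were tampered with — the very case this job
    # exists for. So besides "signature good", require that gpg's VALIDSIG
    # status line ends with the expected primary-key fingerprint; only then
    # is the fallback (report via the bot script) skipped.
    - gpg --batch --trust-model always --status-fd 1 --verify $asc $apk | grep -E "^\[GNUPG:\] VALIDSIG .* ${fingerprint}$" || (
        apk add --no-cache python3;
        python3 -m ensurepip;
        $pip install python-gitlab;
        ./tools/run-check-fdroid-apk-bot.py;
      )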
# basic checks for dev setup
#
# Only runs when this file or the Vagrantfile changed. Syntax-checks the
# Vagrantfile with ruby and validates it with vagrant; each failure is
# recorded in EXITVALUE rather than aborting, so both checks always run and
# the job exits with a single combined status.
Vagrantfile:
  stage: deploy
  image: debian:bullseye-slim
  only:
    changes:
      - .gitlab-ci.yml
      - Vagrantfile
  script:
    - apt-get update
    - apt-get -qy install --no-install-recommends kmod procps ruby vagrant vagrant-libvirt
    - export EXITVALUE=0
    # NOTE(review): `history` is normally empty in a non-interactive shell, so
    # the command text echoed after "ERROR" may come out blank — verify on a
    # real run.
    - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
    - ruby -c Vagrantfile || set_error
    - vagrant validate || set_error;
    - exit $EXITVALUE