######################################################################### ## ## ## gitlab CI defintition for rippled build containers and distro ## ## packages (rpm and dpkg). ## ## ## ######################################################################### # NOTE: these are sensible defaults for Ripple pipelines. These # can be overridden by project or group variables as needed. variables: # these containers are built manually using the rippled # cmake build (container targets) and tagged/pushed so they # can be used here RPM_CONTAINER_TAG: "2023-02-13" RPM_CONTAINER_NAME: "rippled-rpm-builder" RPM_CONTAINER_FULLNAME: "${RPM_CONTAINER_NAME}:${RPM_CONTAINER_TAG}" DPKG_CONTAINER_TAG: "2023-03-20" DPKG_CONTAINER_NAME: "rippled-dpkg-builder" DPKG_CONTAINER_FULLNAME: "${DPKG_CONTAINER_NAME}:${DPKG_CONTAINER_TAG}" ARTIFACTORY_HOST: "artifactory.ops.ripple.com" ARTIFACTORY_HUB: "${ARTIFACTORY_HOST}:6555" GIT_SIGN_PUBKEYS_URL: "https://gitlab.ops.ripple.com/xrpledger/rippled-packages/snippets/49/raw" PUBLIC_REPO_ROOT: "https://repos.ripple.com/repos" # also need to define this variable ONLY for the primary # build/publish pipeline on the mainline repo: # IS_PRIMARY_REPO = "true" stages: - build_packages - sign_packages - smoketest - verify_sig - tag_images - push_to_test - verify_from_test - wait_approval_prod - push_to_prod - verify_from_prod - get_final_hashes - build_containers .dind_template: &dind_param before_script: - . ./Builds/containers/gitlab-ci/docker_alpine_setup.sh variables: docker_driver: overlay2 DOCKER_TLS_CERTDIR: "" image: name: artifactory.ops.ripple.com/docker:latest services: # workaround for TLS issues - consider going back # back to unversioned `dind` when issues are resolved - name: artifactory.ops.ripple.com/docker:stable-dind alias: docker tags: - 4xlarge .only_primary_template: &only_primary only: refs: - /^(master|release|develop)$/ variables: - $IS_PRIMARY_REPO == "true" .smoketest_local_template: &run_local_smoketest tags: - xlarge script: - . ./Builds/containers/gitlab-ci/smoketest.sh local .smoketest_repo_template: &run_repo_smoketest tags: - xlarge script: - . ./Builds/containers/gitlab-ci/smoketest.sh repo ######################################################################### ## ## ## stage: build_packages ## ## ## ## build packages using containers from previous stage. ## ## ## ######################################################################### rpm_build: timeout: "1h 30m" stage: build_packages <<: *dind_param artifacts: paths: - build/rpm/packages/ script: - . ./Builds/containers/gitlab-ci/build_package.sh rpm dpkg_build: timeout: "1h 30m" stage: build_packages <<: *dind_param artifacts: paths: - build/dpkg/packages/ script: - . ./Builds/containers/gitlab-ci/build_package.sh dpkg ######################################################################### ## ## ## stage: sign_packages ## ## ## ## build packages using containers from previous stage. ## ## ## ######################################################################### rpm_sign: stage: sign_packages dependencies: - rpm_build image: name: artifactory.ops.ripple.com/centos:7 <<: *only_primary before_script: - | # Make sure GnuPG is installed yum -y install gnupg rpm-sign # checking GPG signing support if [ -n "$GPG_KEY_B64" ]; then echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import - unset GPG_KEY_B64 export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di) unset GPG_KEY_PASS_B64 export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5) else echo -e "\033[0;31m****** GPG signing disabled ******\033[0m" exit 1 fi artifacts: paths: - build/rpm/packages/ script: - ls -alh build/rpm/packages - . ./Builds/containers/gitlab-ci/sign_package.sh rpm dpkg_sign: stage: sign_packages dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/ubuntu:18.04 <<: *only_primary before_script: - | # make sure we have GnuPG apt update apt install -y gpg dpkg-sig # checking GPG signing support if [ -n "$GPG_KEY_B64" ]; then echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import - unset GPG_KEY_B64 export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di) unset GPG_KEY_PASS_B64 export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5) else echo -e "\033[0;31m****** GPG signing disabled ******\033[0m" exit 1 fi artifacts: paths: - build/dpkg/packages/ script: - ls -alh build/dpkg/packages - . ./Builds/containers/gitlab-ci/sign_package.sh dpkg ######################################################################### ## ## ## stage: smoketest ## ## ## ## install unsigned packages from previous step and run unit tests. ## ## ## ######################################################################### centos_7_smoketest: stage: smoketest dependencies: - rpm_build image: name: artifactory.ops.ripple.com/centos:7 <<: *run_local_smoketest rocky_8_smoketest: stage: smoketest dependencies: - rpm_build image: name: artifactory.ops.ripple.com/rockylinux/rockylinux:8 <<: *run_local_smoketest fedora_37_smoketest: stage: smoketest dependencies: - rpm_build image: name: artifactory.ops.ripple.com/fedora:37 <<: *run_local_smoketest fedora_38_smoketest: stage: smoketest dependencies: - rpm_build image: name: artifactory.ops.ripple.com/fedora:38 <<: *run_local_smoketest ubuntu_18_smoketest: stage: smoketest dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/ubuntu:18.04 <<: *run_local_smoketest ubuntu_20_smoketest: stage: smoketest dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/ubuntu:20.04 <<: *run_local_smoketest ubuntu_22_smoketest: stage: smoketest dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/ubuntu:22.04 <<: *run_local_smoketest debian_10_smoketest: stage: smoketest dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/debian:10 <<: *run_local_smoketest debian_11_smoketest: stage: smoketest dependencies: - dpkg_build image: name: artifactory.ops.ripple.com/debian:11 <<: *run_local_smoketest ######################################################################### ## ## ## stage: verify_sig ## ## ## ## use git/gpg to verify that HEAD is signed by an approved ## ## committer. The whitelist of pubkeys is manually mantained ## ## and fetched from GIT_SIGN_PUBKEYS_URL (currently a snippet ## ## link). ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### verify_head_signed: stage: verify_sig image: name: artifactory.ops.ripple.com/ubuntu:latest <<: *only_primary script: - . ./Builds/containers/gitlab-ci/verify_head_commit.sh ######################################################################### ## ## ## stage: tag_images ## ## ## ## apply rippled version tag to containers from previous stage. ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### tag_bld_images: stage: tag_images variables: docker_driver: overlay2 DOCKER_TLS_CERTDIR: "" image: name: artifactory.ops.ripple.com/docker:latest services: # workaround for TLS issues - consider going back # back to unversioned `dind` when issues are resolved - name: artifactory.ops.ripple.com/docker:stable-dind alias: docker tags: - large dependencies: - rpm_sign - dpkg_sign <<: *only_primary script: - . ./Builds/containers/gitlab-ci/tag_docker_image.sh ######################################################################### ## ## ## stage: push_to_test ## ## ## ## push packages to artifactory repositories (test) ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### push_test: stage: push_to_test variables: DEB_REPO: "rippled-deb-test-mirror" RPM_REPO: "rippled-rpm-test-mirror" image: name: artifactory.ops.ripple.com/alpine:latest artifacts: paths: - files.info dependencies: - rpm_sign - dpkg_sign <<: *only_primary script: - . ./Builds/containers/gitlab-ci/push_to_artifactory.sh "PUT" "." ######################################################################### ## ## ## stage: verify_from_test ## ## ## ## install/test packages from test repos. ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### centos_7_verify_repo_test: stage: verify_from_test variables: RPM_REPO: "rippled-rpm-test-mirror" image: name: artifactory.ops.ripple.com/centos:7 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest rocky_8_verify_repo_test: stage: verify_from_test variables: RPM_REPO: "rippled-rpm-test-mirror" image: name: artifactory.ops.ripple.com/rockylinux/rockylinux:8 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest fedora_37_verify_repo_test: stage: verify_from_test variables: RPM_REPO: "rippled-rpm-test-mirror" image: name: artifactory.ops.ripple.com/fedora:37 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest fedora_38_verify_repo_test: stage: verify_from_test variables: RPM_REPO: "rippled-rpm-test-mirror" image: name: artifactory.ops.ripple.com/fedora:38 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_18_verify_repo_test: stage: verify_from_test variables: DISTRO: "bionic" DEB_REPO: "rippled-deb-test-mirror" image: name: artifactory.ops.ripple.com/ubuntu:18.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_20_verify_repo_test: stage: verify_from_test variables: DISTRO: "focal" DEB_REPO: "rippled-deb-test-mirror" image: name: artifactory.ops.ripple.com/ubuntu:20.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_22_verify_repo_test: stage: verify_from_test variables: DISTRO: "jammy" DEB_REPO: "rippled-deb-test-mirror" image: name: artifactory.ops.ripple.com/ubuntu:22.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest debian_10_verify_repo_test: stage: verify_from_test variables: DISTRO: "buster" DEB_REPO: "rippled-deb-test-mirror" image: name: artifactory.ops.ripple.com/debian:10 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest debian_11_verify_repo_test: stage: verify_from_test variables: DISTRO: "bullseye" DEB_REPO: "rippled-deb-test-mirror" image: name: artifactory.ops.ripple.com/debian:11 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ######################################################################### ## ## ## stage: wait_approval_prod ## ## ## ## wait for manual approval before proceeding to next stage ## ## which pushes to prod repo. ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### wait_before_push_prod: stage: wait_approval_prod image: name: artifactory.ops.ripple.com/alpine:latest <<: *only_primary script: - echo "proceeding to next stage" when: manual allow_failure: false ######################################################################### ## ## ## stage: push_to_prod ## ## ## ## push packages to artifactory repositories (prod) ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### push_prod: variables: DEB_REPO: "rippled-deb" RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/alpine:latest stage: push_to_prod artifacts: paths: - files.info dependencies: - rpm_sign - dpkg_sign <<: *only_primary script: - . ./Builds/containers/gitlab-ci/push_to_artifactory.sh "PUT" "." ######################################################################### ## ## ## stage: verify_from_prod ## ## ## ## install/test packages from prod repos. ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### centos_7_verify_repo_prod: stage: verify_from_prod variables: RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/centos:7 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest rocky_8_verify_repo_prod: stage: verify_from_prod variables: RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/rockylinux/rockylinux:8 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest fedora_37_verify_repo_prod: stage: verify_from_prod variables: RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/fedora:37 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest fedora_38_verify_repo_prod: stage: verify_from_prod variables: RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/fedora:38 dependencies: - rpm_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_18_verify_repo_prod: stage: verify_from_prod variables: DISTRO: "bionic" DEB_REPO: "rippled-deb" image: name: artifactory.ops.ripple.com/ubuntu:18.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_20_verify_repo_prod: stage: verify_from_prod variables: DISTRO: "focal" DEB_REPO: "rippled-deb" image: name: artifactory.ops.ripple.com/ubuntu:20.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ubuntu_22_verify_repo_prod: stage: verify_from_prod variables: DISTRO: "jammy" DEB_REPO: "rippled-deb" image: name: artifactory.ops.ripple.com/ubuntu:22.04 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest debian_10_verify_repo_prod: stage: verify_from_prod variables: DISTRO: "buster" DEB_REPO: "rippled-deb" image: name: artifactory.ops.ripple.com/debian:10 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest debian_11_verify_repo_prod: stage: verify_from_prod variables: DISTRO: "bullseye" DEB_REPO: "rippled-deb" image: name: artifactory.ops.ripple.com/debian:11 dependencies: - dpkg_sign <<: *only_primary <<: *run_repo_smoketest ######################################################################### ## ## ## stage: get_final_hashes ## ## ## ## fetch final hashes from artifactory. ## ## ONLY RUNS FOR PRIMARY BRANCHES/REPO ## ## ## ######################################################################### get_prod_hashes: variables: DEB_REPO: "rippled-deb" RPM_REPO: "rippled-rpm" image: name: artifactory.ops.ripple.com/alpine:latest stage: get_final_hashes artifacts: paths: - files.info dependencies: - rpm_sign - dpkg_sign <<: *only_primary script: - . ./Builds/containers/gitlab-ci/push_to_artifactory.sh "GET" ".checksums" ######################################################################### ## ## ## stage: build_containers ## ## ## ## build containers from docker definitions. These containers are NOT ## ## used for the package build. This step is only used to ensure that ## ## the package build targets and files are still working properly. ## ## ## ######################################################################### build_centos_container: stage: build_containers <<: *dind_param script: - . ./Builds/containers/gitlab-ci/build_container.sh rpm build_ubuntu_container: stage: build_containers <<: *dind_param script: - . ./Builds/containers/gitlab-ci/build_container.sh dpkg