167 lines
6.7 KiB
YAML
167 lines
6.7 KiB
YAML
stages:
|
|
- ci
|
|
- artifacts
|
|
- publish
|
|
|
|
variables:
|
|
# Makes some things print in color
|
|
TERM: ansi
|
|
|
|
# Avoid duplicate pipelines
|
|
# See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines
|
|
workflow:
|
|
rules:
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
|
- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
|
|
when: never
|
|
- if: $CI
|
|
|
|
before_script:
|
|
# Enable nix-command and flakes
|
|
- if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi
|
|
|
|
# Add conduwuit binary cache
|
|
- if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduwuit" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduwuit:lYPVh7o1hLu1idH4Xt2QHaRa49WRGSAqzcfFd94aOTw=" >> /etc/nix/nix.conf; fi
|
|
|
|
- if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduit" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:Isq8FGyEC6FOXH6nD+BOeAA+bKp6X6UIbupSlGEPuOg=" >> /etc/nix/nix.conf; fi
|
|
|
|
# Add upstream Conduit binary cache
|
|
- if command -v nix > /dev/null; then echo "extra-substituters = https://nix.computer.surgery/conduit" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:ZGAf6P6LhNvnoJJ3Me3PRg7tlLSrPxcQ2RiE5LIppjo=" >> /etc/nix/nix.conf; fi
|
|
|
|
# Add alternate binary cache
|
|
- if command -v nix > /dev/null && [ -n "$ATTIC_ENDPOINT" ]; then echo "extra-substituters = $ATTIC_ENDPOINT" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null && [ -n "$ATTIC_PUBLIC_KEY" ]; then echo "extra-trusted-public-keys = $ATTIC_PUBLIC_KEY" >> /etc/nix/nix.conf; fi
|
|
|
|
# Add crane binary cache
|
|
- if command -v nix > /dev/null; then echo "extra-substituters = https://crane.cachix.org" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk=" >> /etc/nix/nix.conf; fi
|
|
|
|
# Add nix-community binary cache
|
|
- if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi
|
|
- if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi
|
|
|
|
# Install direnv and nix-direnv
|
|
- if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi
|
|
|
|
# Allow .envrc
|
|
- if command -v nix > /dev/null; then direnv allow; fi
|
|
|
|
# Set CARGO_HOME to a cacheable path
|
|
- export CARGO_HOME="$(git rev-parse --show-toplevel)/.gitlab-ci.d/cargo"
|
|
|
|
ci:
|
|
stage: ci
|
|
image: nixos/nix:2.21.0
|
|
script:
|
|
# Cache the inputs required for the devShell
|
|
- ./bin/nix-build-and-cache .#devShells.x86_64-linux.default.inputDerivation
|
|
|
|
- direnv exec . engage
|
|
cache:
|
|
key: nix
|
|
paths:
|
|
- target
|
|
- .gitlab-ci.d
|
|
rules:
|
|
# CI on upstream runners (only available for maintainers)
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event" && $IS_UPSTREAM_CI == "true"
|
|
# Manual CI on unprotected branches that are not MRs
|
|
- if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_REF_PROTECTED == "false"
|
|
when: manual
|
|
# Manual CI on forks
|
|
- if: $IS_UPSTREAM_CI != "true"
|
|
when: manual
|
|
- if: $CI
|
|
interruptible: true
|
|
|
|
artifacts:
|
|
stage: artifacts
|
|
image: nixos/nix:2.21.0
|
|
script:
|
|
- ./bin/nix-build-and-cache .#static-x86_64-unknown-linux-musl
|
|
- cp result/bin/conduit x86_64-unknown-linux-musl
|
|
|
|
- mkdir -p target/release
|
|
- cp result/bin/conduit target/release
|
|
- direnv exec . cargo deb --no-build
|
|
- mv target/debian/*.deb x86_64-unknown-linux-musl.deb
|
|
|
|
# Since the OCI image package is based on the binary package, this has the
|
|
# fun side effect of uploading the normal binary too. Conduit users who are
|
|
# deploying with Nix can leverage this fact by adding our binary cache to
|
|
# their systems.
|
|
#
|
|
# Note that although we have an `oci-image-x86_64-unknown-linux-musl`
|
|
# output, we don't build it because it would be largely redundant to this
|
|
# one since it's all containerized anyway.
|
|
- ./bin/nix-build-and-cache .#oci-image
|
|
- cp result oci-image-amd64.tar.gz
|
|
|
|
- ./bin/nix-build-and-cache .#static-aarch64-unknown-linux-musl
|
|
- cp result/bin/conduit aarch64-unknown-linux-musl
|
|
|
|
- ./bin/nix-build-and-cache .#oci-image-aarch64-unknown-linux-musl
|
|
- cp result oci-image-arm64v8.tar.gz
|
|
artifacts:
|
|
paths:
|
|
- x86_64-unknown-linux-musl
|
|
- aarch64-unknown-linux-musl
|
|
- x86_64-unknown-linux-musl.deb
|
|
- oci-image-amd64.tar.gz
|
|
- oci-image-arm64v8.tar.gz
|
|
rules:
|
|
# CI required for all MRs
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
|
# Optional CI on forks
|
|
- if: $IS_UPSTREAM_CI != "true"
|
|
when: manual
|
|
allow_failure: true
|
|
- if: $CI
|
|
interruptible: true
|
|
|
|
.push-oci-image:
|
|
stage: publish
|
|
image: docker:25.0.4
|
|
services:
|
|
- docker:25.0.4-dind
|
|
variables:
|
|
IMAGE_SUFFIX_AMD64: amd64
|
|
IMAGE_SUFFIX_ARM64V8: arm64v8
|
|
script:
|
|
- docker load -i oci-image-amd64.tar.gz
|
|
- IMAGE_ID_AMD64=$(docker images -q conduit:main)
|
|
- docker load -i oci-image-arm64v8.tar.gz
|
|
- IMAGE_ID_ARM64V8=$(docker images -q conduit:main)
|
|
# Tag and push the architecture specific images
|
|
- docker tag $IMAGE_ID_AMD64 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64
|
|
- docker tag $IMAGE_ID_ARM64V8 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
|
|
- docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64
|
|
- docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
|
|
# Tag the multi-arch image
|
|
- docker manifest create $IMAGE_NAME:$CI_COMMIT_SHA --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
|
|
- docker manifest push $IMAGE_NAME:$CI_COMMIT_SHA
|
|
# Tag and push the git ref
|
|
- docker manifest create $IMAGE_NAME:$CI_COMMIT_REF_NAME --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
|
|
- docker manifest push $IMAGE_NAME:$CI_COMMIT_REF_NAME
|
|
# Tag git tags as 'latest'
|
|
- |
|
|
if [[ -n "$CI_COMMIT_TAG" ]]; then
|
|
docker manifest create $IMAGE_NAME:latest --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
|
|
docker manifest push $IMAGE_NAME:latest
|
|
fi
|
|
dependencies:
|
|
- artifacts
|
|
only:
|
|
- main
|
|
- tags
|
|
|
|
oci-image:push-gitlab:
|
|
extends: .push-oci-image
|
|
variables:
|
|
IMAGE_NAME: $CI_REGISTRY_IMAGE/conduwuit
|
|
before_script:
|
|
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
|