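# SPDX-FileCopyrightText: 2022-2024 Sarah Vaupel , Gregor Kleen
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# GitLab CI pipeline. Each build job builds one flake output with Nix, runs a
# store garbage collection, and exports the closure of `result` as an
# xz-compressed NAR artifact; downstream jobs import the NARs they list under
# `needs` with `artifacts: true`. Container, changelog, upload and release jobs
# run only for tags matching the `*-release-rules` anchors (^v, ^t, ^d).

# workflow:
#   rules:
#     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
#     - if: $CI_MERGE_REQUEST_ID
#     - if: $CI_COMMIT_TAG =~ /^v/
#     - if: $CI_COMMIT_TAG =~ /^t/

default:
  image:
    # NOTE(review): `latest` is a mutable tag, so the build environment can
    # change between runs; pin to a version tag or digest for reproducibility.
    name: registry.uniworx.de/uniworx/containers/nix-attic:latest

variables:
  # Fetched over HTTPS (was plain HTTP) so the channel tarball cannot be
  # swapped in transit; the URL still tracks a channel and pins no hash.
  NIX_PATH: "nixpkgs=https://nixos.org/channels/nixos-21.05/nixexprs.tar.xz"
  AWS_SHARED_CREDENTIALS_FILE: "/etc/aws/credentials"
  TRANSFER_METER_FREQUENCY: "2s"
  # Adds cache.iog.io as a substituter and trusts the listed signing key, so
  # store paths signed with that key are accepted without rebuilding.
  NIX_CONFIG: |-
    extra-substituters = https://cache.iog.io
    extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=

stages:
  - frontend:build
  - backend:build
  - test
  - container:build
  - prepare release
  - release

node dependencies:
  stage: frontend:build
  script:
    - nix -L build -o result ".#uniworxNodeDependencies"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > node-dependencies.nar.xz
  # Shared setup (anchor `nix-before`): installs the SSH known_hosts and deploy
  # key plus the credential files provided through CI file variables.
  before_script: &nix-before
    - git config --global init.defaultBranch master
    - install -v -m 0700 -d ~/.ssh
    - install -v -T -m 0644 "${SSH_KNOWN_HOSTS}" ~/.ssh/known_hosts
    - install -v -T -m 0400 "${SSH_DEPLOY_KEY}" ~/.ssh/deploy && echo "IdentityFile ~/.ssh/deploy" >> ~/.ssh/config;
    # NOTE(review): the two files below look like credentials but are installed
    # world-readable (0644); tighten the mode if only the invoking user needs
    # to read them - confirm which user the Nix builds run as.
    - install -v -T -m 0644 "${FONTAWESOME_NPM_AUTH_FILE}" /etc/fontawesome-token
    - install -v -T -m 0644 "${NIX_NETRC}" /etc/nix/netrc
  artifacts:
    paths:
      - node-dependencies.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

well known:
  stage: frontend:build
  script:
    # - xzcat node-dependencies.nar.xz > node-dependencies-debug.nar
    # - nix-shell -p util-linux --command "hexdump -C node-dependencies-debug.nar | head -n 10"
    # - nix nar ls node-dependencies-debug.nar /
    - xzcat node-dependencies.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworxWellKnown"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > well-known.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies
      artifacts: true
  artifacts:
    paths:
      - well-known.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

frontend:
  stage: frontend:build
  script:
    - xzcat node-dependencies.nar.xz | nix-store --import
    - xzcat well-known.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworxFrontend"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > frontend.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies
      artifacts: true
    - job: well known
      artifacts: true
  artifacts:
    paths:
      - frontend.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

uniworx:lib:uniworx:
  stage: backend:build
  script:
    - xzcat frontend.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworx:lib:uniworx"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > uniworx:lib:uniworx.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend
      artifacts: true
  artifacts:
    paths:
      - uniworx:lib:uniworx.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

uniworx:exe:uniworx:
  stage: backend:build
  script:
    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworx:exe:uniworx"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > uniworx:exe:uniworx.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx
      artifacts: true
  artifacts:
    paths:
      - uniworx:exe:uniworx.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

uniworx:exe:uniworxdb:
  stage: backend:build
  script:
    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworx:exe:uniworxdb"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > uniworx:exe:uniworxdb.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx
      artifacts: true
  artifacts:
    paths:
      - uniworx:exe:uniworxdb.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

uniworx:exe:uniworxload:
  stage: backend:build
  script:
    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
    - nix -L build -o result ".#uniworx:exe:uniworxload"
    - nix-store --gc
    - nix-store --export $(nix-store -qR result) | xz -T0 -2 > uniworx:exe:uniworxload.nar.xz
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx
      artifacts: true
  artifacts:
    paths:
      - uniworx:exe:uniworxload.nar.xz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

check:
  stage: test
  script:
    - xzcat frontend.nar.xz | nix-store --import
    - xzcat uniworx:lib:uniworx.nar.xz | nix-store --import
    - nix -L flake check .
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend
      artifacts: true
    - job: uniworx:lib:uniworx
      artifacts: true
  retry: 2
  interruptible: true

container:
  stage: container:build
  script:
    - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import
    # - &container-remove-nodejs
    #   "for i in `ls /nix/store/ | grep -E -i '^[a-z0-9]+-nodejs-'` ; do ( nix store delete --ignore-liveness \"/nix/store/$i\" || ( echo \"Could not remove NodeJS from /nix/store/ due to: \" && ( nix-store --query --roots \"/nix/store/$i\" | cat ) && echo \"Removing NodeJS by brute force...\" && rm -rf \"/nix/store/$i\" ) ) ; done"
    - cp -p --reflink=auto -L $(nix build --print-out-paths ".#uniworxDocker") uniworx.tar.gz
  before_script: *nix-before
  # TODO: reintroduce working version of after_script
  # after_script: &container-fail-on-nodejs
  #   - (ls /nix/store/ | grep -E -i '^[a-z0-9]+-nodejs-') && (echo "NodeJS remainder in container /nix/store!" 1>&2; exit 1)
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx
      artifacts: true
    - job: check  # sanity
      artifacts: false
  artifacts:
    paths:
      - uniworx.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: &release-rules
    - if: $CI_COMMIT_TAG =~ /^v/

test container:
  stage: container:build
  script:
    - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import
    # - *container-remove-nodejs
    - cp -p --reflink=auto -L $(nix build --print-out-paths ".#uniworxTestDocker") uniworx.tar.gz
  before_script: *nix-before
  # after_script: *container-fail-on-nodejs
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx
      artifacts: true
    - job: check  # sanity
      artifacts: false
  artifacts:
    paths:
      - uniworx.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: &test-release-rules
    - if: $CI_COMMIT_TAG =~ /^t/

dev container:
  stage: container:build
  script:
    - xzcat uniworx:exe:uniworx.nar.xz | nix-store --import
    - cp -p --reflink=auto -L $(nix build --print-out-paths ".#uniworxDevDocker") uniworx.tar.gz
  before_script: *nix-before
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx
      artifacts: true
    - job: check  # sanity
      artifacts: false
  artifacts:
    paths:
      - uniworx.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: &dev-release-rules
    - if: $CI_COMMIT_TAG =~ /^d/

sanitize container:
  stage: container:build
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: check  # sanity
      artifacts: false
    - job: container
      artifacts: true
  before_script: *nix-before
  # The NodeJS check runs in `script`, not `after_script`: GitLab ignores the
  # exit status of `after_script`, so a check placed there can never fail the
  # job and the artifact would still reach the upload stage.
  script: &sanitize-script
    - nix shell nixpkgs#perl --command ./.gitlab-ci/sanitize-docker.pl
    - tar xzvf uniworx-sanitized.tar.gz
    # Each layer archive is listed separately; `tar tf a b` would treat every
    # name after the first as a member filter and inspect only one layer.
    # NOTE(review): assumes the extracted archive has `<dir>/layer.tar`
    # entries; if the glob matches nothing the check passes vacuously - confirm.
    - |-
      for layer in */layer.tar; do
        if tar tf "$layer" | grep 'nix/store/[0-9a-z]*-nodejs'; then
          echo "NodeJS remainer found in /nix/store!"
          exit 1
        fi
      done
  artifacts:
    paths:
      - uniworx-sanitized.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: *release-rules

sanitize test container:
  stage: container:build
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: check  # sanity
      artifacts: false
    - job: test container
      artifacts: true
  before_script: *nix-before
  # Sanitize, then fail the job if any layer still lists a NodeJS store path.
  script: *sanitize-script
  artifacts:
    paths:
      - uniworx-sanitized.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: *test-release-rules

sanitize dev container:
  stage: container:build
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: check  # sanity
      artifacts: false
    - job: dev container
      artifacts: true
  before_script: *nix-before
  # Sanitize, then fail the job if any layer still lists a NodeJS store path.
  script: *sanitize-script
  artifacts:
    paths:
      - uniworx-sanitized.tar.gz
    name: "${CI_JOB_NAME}-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true
  rules: *dev-release-rules

parse changelog:
  stage: prepare release
  needs:
    - job: node dependencies
      artifacts: true
  rules: *release-rules
  before_script: *nix-before
  script:
    - xzcat node-dependencies.nar.xz | nix-store --import
    - nix -L run ".#jqChangelogJson" -- -r '.versions[0].version' > .current-version
    - nix -L run ".#jqChangelogJson" -- -r '.versions[0].body' > .current-changelog.md
    # Exposes VERSION to downstream jobs through the dotenv report below.
    - echo "VERSION=$(cat .current-version)" >> build.env
  artifacts:
    reports:
      dotenv: build.env
    paths:
      - .current-version
      - .current-changelog.md
    name: "changelog-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

parse test changelog:
  stage: prepare release
  needs:
    - job: node dependencies
      artifacts: true
  rules: *test-release-rules
  before_script: *nix-before
  script:
    - xzcat node-dependencies.nar.xz | nix-store --import
    - nix -L run ".#jqChangelogJson" -- -r '.versions[0].version' > .current-version
    - nix -L run ".#jqChangelogJson" -- -r '.versions[0].body' > .current-changelog.md
    # Exposes VERSION to downstream jobs through the dotenv report below.
    - echo "VERSION=$(cat .current-version)" >> build.env
  artifacts:
    reports:
      dotenv: build.env
    paths:
      - .current-version
      - .current-changelog.md
    name: "changelog-${CI_COMMIT_SHORT_SHA}"
    expire_in: "1 day"
  retry: 2
  interruptible: true

upload container:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag on the tool that pushes release images;
  # pin to a version tag or digest.
  image: quay.io/skopeo/stable:latest
  # Pushes the sanitized archive as :${VERSION}, then copies that tag to
  # :latest within the registry.
  # NOTE(review): `--insecure-policy` makes skopeo accept any image without
  # signature-policy checks, and the registry credentials are passed on the
  # command line, where they are visible in the runner's process list.
  script:
    - skopeo --insecure-policy copy --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker-archive://$(pwd)/uniworx-sanitized.tar.gz docker://${CI_REGISTRY_IMAGE}:${VERSION}
    - skopeo --insecure-policy copy --src-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker://${CI_REGISTRY_IMAGE}:${VERSION} docker://${CI_REGISTRY_IMAGE}:latest
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: container  # transitive
      artifacts: false
    - job: parse changelog
      artifacts: true
    - job: check  # sanity
      artifacts: false
    - job: sanitize container
      artifacts: true
  rules: *release-rules
  retry: 2

upload test container:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag; pin to a version tag or digest.
  image: quay.io/skopeo/stable:latest
  # Pushes the sanitized archive under the tag name, then copies it to :latest.
  # NOTE(review): same `--insecure-policy` and command-line credential caveats
  # as in `upload container`.
  script:
    - skopeo --insecure-policy copy --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker-archive://$(pwd)/uniworx-sanitized.tar.gz docker://${CI_REGISTRY}/fradrive/fradrive/test:${CI_COMMIT_REF_NAME}
    - skopeo --insecure-policy copy --src-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker://${CI_REGISTRY}/fradrive/fradrive/test:${CI_COMMIT_REF_NAME} docker://${CI_REGISTRY}/fradrive/fradrive/test:latest
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: test container  # transitive
      artifacts: false
    - job: parse test changelog
      artifacts: true
    - job: check  # sanity
      artifacts: false
    - job: sanitize test container
      artifacts: true
  rules: *test-release-rules
  retry: 2

upload dev container:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag; pin to a version tag or digest.
  image: quay.io/skopeo/stable:latest
  # Pushes the sanitized archive under the tag name, then copies it to :latest.
  # NOTE(review): same `--insecure-policy` and command-line credential caveats
  # as in `upload container`.
  script:
    - skopeo --insecure-policy copy --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker-archive://$(pwd)/uniworx-sanitized.tar.gz docker://${CI_REGISTRY}/fradrive/fradrive/dev:${CI_COMMIT_REF_NAME}
    - skopeo --insecure-policy copy --src-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" --dest-creds "${CI_REGISTRY_USER}:${CI_JOB_TOKEN}" docker://${CI_REGISTRY}/fradrive/fradrive/dev:${CI_COMMIT_REF_NAME} docker://${CI_REGISTRY}/fradrive/fradrive/dev:latest
  needs:
    - job: node dependencies  # transitive
      artifacts: false
    - job: well known  # transitive
      artifacts: false
    - job: frontend  # transitive
      artifacts: false
    - job: uniworx:lib:uniworx  # transitive
      artifacts: false
    - job: uniworx:exe:uniworx  # transitive
      artifacts: false
    - job: dev container  # transitive
      artifacts: false
    - job: check  # sanity
      artifacts: false
    - job: sanitize dev container
      artifacts: true
  rules: *dev-release-rules
  retry: 2

release:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag; pin to a version tag or digest.
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules: *release-rules
  script:
    - echo "Will create release ${VERSION}..."
  release:
    name: '$VERSION'
    tag_name: '$CI_COMMIT_TAG'
    description: .current-changelog.md
  needs:
    - job: check  # sanity
      artifacts: false
    - job: parse changelog
      artifacts: true

test release:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag; pin to a version tag or digest.
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules: *test-release-rules
  script:
    - echo "Will create test release ${VERSION}-test..."
  release:
    name: "${VERSION}-test"
    tag_name: '$CI_COMMIT_TAG'
    description: .current-changelog.md
  needs:
    - job: check  # sanity
      artifacts: false
    - job: parse test changelog
      artifacts: true

dev release:
  variables:
    GIT_STRATEGY: none
  stage: release
  # NOTE(review): mutable `latest` tag; pin to a version tag or digest.
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules: *dev-release-rules
  script:
    - echo "Will create dev release ${VERSION}-dev..."
  release:
    name: "${VERSION}-dev"
    tag_name: '$CI_COMMIT_TAG'
    description: .current-changelog.md
  # NOTE(review): the other release jobs take VERSION and .current-changelog.md
  # from a `parse ... changelog` job; none appears in the `needs` visible here -
  # confirm where they come from for dev tags.
  needs:
    - job: check  # sanity
      artifacts: false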