# GitLab CI pipeline: bootstrap -> build -> test -> archive.
# Hidden templates (keys starting with ".") are combined via `extends`.
# Layout restored to block style; keys, values and commands are unchanged.

stages:
  - bootstrap
  - build
  - test
  - archive

variables:
  GIT_SUBMODULE_STRATEGY: recursive

  # CI runs are sped up by reusing images produced by the build-images
  # project, and compilation by ccache plus a stored config.cache.
  # The cache name carries a version number so old caches can be expired.
  # NOTE(review): the build images below are selected by tag, not by digest,
  # so the toolchain a job runs with follows whatever the tag currently
  # points at in the project registry.
  BUILD_IMAGES_PROJECT: gnutls/build-images
  DEBIAN_BUILD: buildenv-debian-testing
  DEBIAN_CROSS_BUILD: buildenv-debian-cross-testing
  DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
  FEDORA_BUILD: buildenv-fedora35
  MINGW_BUILD: buildenv-mingw-fedora35
  ALPINE_BASE_BUILD: buildenv-alpine-base
  COMPILER: gcc
  CPPCHECK_OPTIONS: "--enable=warning --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
  GET_SOURCES_ATTEMPTS: "3"

  # With a single virtual core, parallel builds only pay off while waiting
  # on I/O; too many parallel jobs even increase the total time (e.g. more
  # cache misses). $BUILDJOBS seems best at $(nproc)+1, while $CHECKJOBS can
  # be much higher because several tests spend a long time waiting on I/O.
  # The numbers are hard-coded for platforms without the nproc command.
  BUILDJOBS: 2
  CHECKJOBS: 16

# One cache per job name; bump the "verNN" suffix to expire old caches.
# NOTE(review): the cache holds ccache objects and config.cache, both of
# which feed later builds (including the archive artifacts) - worth
# confirming who can write to it on the shared runners.
cache:
  key: "$CI_JOB_NAME-ver29"
  paths:
    - cache/

# Shared script fragment, pulled into before_script/after_script via the
# *prepare-ccache alias.
.prepare-ccache: &prepare-ccache
  # CCache Config
  - mkdir -p cache
  - export CCACHE_BASEDIR=${PWD}
  - export CCACHE_DIR=${PWD}/cache
  - export CCACHE_FILE=${CCACHE_DIR}/config.cache
  - export CC="ccache $COMPILER"

default:
  before_script:
    - *prepare-ccache
    - |
      if test -e stamp.pre-bootstrap; then
        devel/preserve-timestamp --restore stamp.pre-bootstrap
      fi
  after_script:
    # after_script runs in a separate shell, so the ccache
    # environment has to be exported again before printing stats
    - *prepare-ccache
    - ccache -s
  interruptible: true

# ---- Stage templates --------------------------------------------------------

.bootstrap:
  stage: bootstrap
  tags:
    - shared
    - linux
  script:
    - devel/preserve-timestamp stamp.pre-bootstrap
    - SUBMODULE_NOFETCH=1 ./bootstrap --copy --skip-po
  artifacts:
    expire_in: 1 day
    untracked: true

.build:
  stage: build
  tags:
    - shared
    - linux
  except:
    - tags # TODO
  artifacts:
    expire_in: 1 day
    untracked: true

.test:
  stage: test
  script:
    - make -j$CHECKJOBS check
  tags:
    - shared
    - linux
  except:
    - tags # TODO
  # Logs are only kept when the job fails.
  artifacts:
    expire_in: 1 week
    when: on_failure
    paths:
      - ./*.log
      - ./**/*.log

# ---- Image templates --------------------------------------------------------

.fedora:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD

.fedora-nettle:
  extends:
    - .fedora
  variables:
    COMPILER: clang
    NETTLE_DIR: nettle

.debian:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD

.debian-cross-i686:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD

.debian-cross-other:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD

.mingw:
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
  variables:
    COMPILER: "${arch_name}-w64-mingw32-gcc"
    CFLAGS: "-fstack-protector"
    CXXFLAGS: "-fstack-protector"
    LDFLAGS: "-fstack-protector"
    WINEPATH: "/usr/${arch_name}-w64-mingw32/sys-root/mingw/bin"
  before_script:
    - *prepare-ccache
    - |
      if test -e stamp.pre-bootstrap; then
        devel/preserve-timestamp --restore stamp.pre-bootstrap
      fi
    # Register wine as the binfmt_misc handler for MZ executables.
    # NOTE(review): mounting binfmt_misc presumably needs a runner that
    # grants the container elevated privileges - confirm runner config.
    - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
    - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register

.mingw-vista:
  variables:
    # Target Vista instead of XP, currently the default in mingw
    CPPFLAGS: "-D_WIN32_WINNT=0x600"

.mingw32:
  extends:
    - .mingw
  variables:
    arch_bits: 32
    arch_name: i686

.mingw64:
  extends:
    - .mingw
  variables:
    arch_bits: 64
    arch_name: x86_64

##############################################################################
############# Standalone checks without dependencies #########################
##############################################################################

# Runs devel/check_if_signed on every ref except master of gnutls/gnutls.
commit-check:
  stage: test
  image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
  needs: [] # can be run immediately
  before_script: []
  after_script: []
  except:
    - master@gnutls/gnutls
  cache: {}
  script:
    # we want $ALPINE_BASE_BUILD without git, so we are adding it here
    # NOTE(review): packages are fetched unpinned at job time.
    - apk add git bash
    - devel/check_if_signed
  retry: 0

doc-dist.Fedora:
  extends:
    - .test
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - GUILE=/usr/bin/guile2.2
    - GUILD=/usr/bin/guild2.2
    - guile_snarf=/usr/bin/guile-snarf2.2
    - export GUILE GUILD guile_snarf
    - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings
      --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64
      --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc
      --disable-maintainer-mode --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS -C doc stamp-vti
    - make -j$BUILDJOBS -C doc stamp-1
    - make -j$BUILDJOBS -C doc stamp_enums
    - make -j$BUILDJOBS
    - make -j$BUILDJOBS -C doc gnutls.html
    - texconfig rehash
    - make -j$BUILDJOBS -C doc/latex gnutls.pdf
    - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
    - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
    - make -j$CHECKJOBS distcheck

# Two runs, one with normal backend and another with pkcs11 trust store
# -fno-sanitize-recover=all makes the first sanitizer report fatal, so any
# UBSan/ASan/LSan finding fails the test that triggered it.
UB+ASAN-Werror.Fedora.x86_64.gcc:
  extends:
    - .test
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - export UBSAN_OPTIONS=print_stacktrace=1
    - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
    - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer
      -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute
      -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
    - export CXXFLAGS="$CFLAGS"
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --with-pkcs12-iter-count=10000
    # src/ is built with -Wparentheses silenced ahead of -Werror
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
    - make -j$BUILDJOBS check -C fuzz
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
    - make -j$CHECKJOBS check -C tests
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --with-pkcs12-iter-count=10000
      --with-default-trust-store-pkcs11="pkcs11:"
      --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config
      --with-default-priority-string=@SYSTEM
    - make clean
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
    - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
  tags:
    - shared
    - linux
  except:
    - tags

# Same as UB+ASAN-Werror.Fedora.x86_64.gcc, except -DAGGRESSIVE_REALLOC is set
UB+ASAN-Werror-aggressive.Fedora.x86_64.gcc:
  extends:
    - .test
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - export UBSAN_OPTIONS=print_stacktrace=1
    - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
    - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer
      -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute
      -fno-sanitize-recover=all -fsanitize-address-use-after-scope
      -DAGGRESSIVE_REALLOC"
    - export CXXFLAGS="$CFLAGS"
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --with-pkcs12-iter-count=10000
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
    - make -j$BUILDJOBS check -C fuzz
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
    - make -j$CHECKJOBS check -C tests
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --with-pkcs12-iter-count=10000
      --with-default-trust-store-pkcs11="pkcs11:"
      --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config
      --with-default-priority-string=@SYSTEM
    - make clean
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
    - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
  tags:
    - shared
    - linux
  except:
    - tags

# ASan with -DAGGRESSIVE_REALLOC is set
# Two runs, one with normal backend and another with pkcs11 trust store
# This variant configures with --disable-hardware-acceleration.
UB+ASAN-Werror.Fedora.x86_64.gcc-aggressive:
  extends:
    - .test
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - export UBSAN_OPTIONS=print_stacktrace=1
    - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
    - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer
      -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute
      -fno-sanitize-recover=all -fsanitize-address-use-after-scope
      -DAGGRESSIVE_REALLOC"
    - export CXXFLAGS="$CFLAGS"
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --disable-hardware-acceleration
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
    - make -j$BUILDJOBS check -C fuzz
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
    - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
    - make -j$CHECKJOBS check -C tests
    - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc
      --disable-hardware-acceleration
      --with-default-trust-store-pkcs11="pkcs11:"
      --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config
      --with-default-priority-string=@SYSTEM
    - make clean
    - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
    - make -j$BUILDJOBS
    # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
    - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
  tags:
    - shared
    - linux
  except:
    - tags

##############################################################################
########################### Fedora pipelines #################################
##############################################################################

fedora/bootstrap:
  extends:
    - .bootstrap
    - .fedora

fedora-notools/build:
  extends:
    - .build
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - dash ./configure --cache-file $CCACHE_FILE --disable-gcc-warnings
      --disable-full-test-suite --disable-doc --disable-guile --disable-tools
      --enable-tests --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS
    # build tests, but don't execute them
    - make -j$BUILDJOBS check TESTS=""

fedora-notools/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-notools/build
  needs:
    - fedora-notools/build

# Build with as many optional features switched off as configure allows.
fedora-minimal/build:
  extends:
    - .build
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - dnf remove -y libunistring-devel libtasn1-devel libidn-devel
    - dash ./configure --cache-file $CCACHE_FILE --with-included-libtasn1
      --disable-doc --disable-dtls-srtp-support --disable-alpn-support
      --disable-tests --disable-heartbeat-support --disable-srp-authentication
      --disable-psk-authentication --disable-anon-authentication --disable-dhe
      --disable-ecdhe --disable-ocsp --disable-non-suiteb-curves
      --with-included-unistring --disable-nls --disable-libdane
      --without-p11-kit --without-tpm --without-tpm2 --disable-ssl3-support
      --disable-ssl2-support --disable-doc --enable-openssl-compatibility
      --disable-gcc-warnings --with-system-priority-file="" --disable-gost
      --disable-guile --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS
    # build tests, but don't execute them
    - make -j$BUILDJOBS check TESTS=""

fedora-minimal/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-minimal/build
  needs:
    - fedora-minimal/build

# TLS interoperability tests, one job per COMPONENT x TYPE pair.
# allow_failure is set, so a failing interop run does not fail the pipeline.
fedora-interop/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-minimal/build
  needs:
    - fedora-minimal/build
  parallel:
    matrix:
      - COMPONENT:
          - openssl
          #- nss # currently fails on Fedora due to NSS bug
        TYPE:
          - 2way
          #- 3way # these tests take too long, plan is to split them
          #- 4way
          #- 5way
          #- p256
          #- p384
          #- p521
          #- rsae
          #- rsapss
  allow_failure: true
  script:
    - cd tests/suite/tls-interoperability/
    - echo "Tests to run:"
    - tmt run plans -n interop tests -f "tag:interop-gnutls"
      -f "tag:interop-$TYPE" -f "tag:interop-$COMPONENT" discover -v
    - echo "Run the tests:"
    - tmt run -a plans -n interop tests -f "tag:interop-gnutls"
      -f "tag:interop-$TYPE" -f "tag:interop-$COMPONENT"
      provision -h local execute -h tmt --interactive

# Legacy-protocol coverage: the job container is switched to the LEGACY
# crypto policy and the build enables SSL 3.0 and SHA-1 support.
fedora-SSL-3.0/build:
  extends:
    - .build
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - update-crypto-policies --set LEGACY
    - dash ./configure --disable-tls13-interop --disable-gcc-warnings
      --cache-file $CCACHE_FILE --enable-sha1-support --enable-ssl3-support
      --enable-seccomp-tests --disable-doc --disable-guile
      --disable-strict-der-time --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS
    # build tests, but don't execute them
    - make -j$BUILDJOBS check TESTS=""

fedora-SSL-3.0/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-SSL-3.0/build
  needs:
    - fedora-SSL-3.0/build

# FIPS 140 mode: test programs are built and run with
# GNUTLS_FORCE_FIPS_MODE=1 set in the environment.
fedora-FIPS140-2/build:
  extends:
    - .build
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE
      --disable-non-suiteb-curves --enable-fips140-mode --disable-doc
      --disable-full-test-suite --disable-guile --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS
    # build tests, but don't execute them
    - GNUTLS_FORCE_FIPS_MODE=1 make -j$BUILDJOBS check TESTS=""

fedora-FIPS140-2/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-FIPS140-2/build
  needs:
    - fedora-FIPS140-2/build
  script:
    - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check

fedora-ktls/build:
  extends:
    - .build
    - .fedora
  needs:
    - fedora/bootstrap
  script:
    - dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE
      --disable-non-suiteb-curves --enable-ktls --disable-doc
      --disable-full-test-suite --disable-guile --with-pkcs12-iter-count=10000
    - make -j$BUILDJOBS
    # build tests, but don't execute them
    - make -j$BUILDJOBS check TESTS=""

fedora-ktls/test:
  extends:
    - .test
    - .fedora
  dependencies:
    - fedora-ktls/build
  needs:
    - fedora-ktls/build
  script:
    # NOTE(review): the text between "<" and ">" in the next command appears
    # to have been lost when this page was captured - likely a here-document,
    # the rest of this job and every job that followed it (no job using the
    # .debian* templates is visible). The mingw configure/make items below
    # presumably belong to the `.mingw/build` template that the mingw*/build
    # jobs extend, whose header is not visible. Restore this section from the
    # repository before relying on the file.
    - |
      cat > /etc/crypto-policies/local.d/gnutls-ktls.config < /proc/sys/fs/binfmt_misc/register
    - dash ./configure --disable-gcc-warnings --host=${arch_name}-w64-mingw32
      --target=${arch_name}-w64-mingw32 --cache-file $CCACHE_FILE
      --with-included-libtasn1 --disable-guile --disable-nls
      --with-included-unistring --disable-non-suiteb-curves
      --disable-full-test-suite --disable-doc --with-pkcs12-iter-count=10000
    - mingw${arch_bits}-make -j$BUILDJOBS
    # https://bugzilla.redhat.com/show_bug.cgi?id=2049401
    - mingw${arch_bits}-make -j$BUILDJOBS -C $PWD/tests check TESTS=""

.mingw/test:
  extends:
    - .test
  script:
    # https://bugzilla.redhat.com/show_bug.cgi?id=2049401
    - mingw${arch_bits}-make -j$CHECKJOBS -C $PWD/tests check
  timeout: 3h

# Packs the Windows build (stripped EXEs and DLLs, import libraries and
# headers) into a job artifact. Runtime DLLs are copied from the build
# image's mingw sysroot, so their versions are whatever the image ships.
# NOTE(review): no checksum or signing step is visible for the archive.
.mingw/archive:
  stage: archive
  # TODO this should be here, but I want to see if it works without tagging
  # only:
  #   - tags
  script:
    # Combine generated apps and DLLs.
    #libwinpthread is required by libgcc
    #libffi is required by libp11-kit
    - mkdir -p win${arch_bits}-build/bin win${arch_bits}-build/lib/includes
    - cp lib/.libs/*.dll src/.libs/*.exe win${arch_bits}-build/bin
    - ${arch_name}-w64-mingw32-strip --strip-unneeded win${arch_bits}-build/bin/*.dll
    - ${arch_name}-w64-mingw32-strip win${arch_bits}-build/bin/*.exe
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win${arch_bits}-build/bin
    - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win${arch_bits}-build/bin
    - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win${arch_bits}-build/lib
    - cp lib/includes/gnutls/*.h win${arch_bits}-build/lib/includes
  artifacts:
    name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
    paths:
      - win${arch_bits}-build/

# ---- MinGW pipelines: 64/32-bit, each with a Vista-targeted variant ---------

mingw/bootstrap:
  extends:
    - .bootstrap
    - .mingw

mingw64/build:
  extends:
    - .mingw/build
    - .mingw64
  needs:
    - mingw/bootstrap

mingw64/test:
  extends:
    - .mingw/test
    - .mingw64
  dependencies:
    - mingw64/build
  needs:
    - mingw64/build

mingw64/archive:
  extends:
    - .mingw/archive
    - .mingw64
  dependencies:
    - mingw64/build
  needs:
    # archive only if tests successful
    - mingw64/build
    - mingw64/test

mingw64-vista/build:
  extends:
    - .mingw/build
    - .mingw64
    - .mingw-vista
  needs:
    - mingw/bootstrap

mingw64-vista/test:
  extends:
    - .mingw/test
    - .mingw64
    - .mingw-vista
  dependencies:
    - mingw64-vista/build
  needs:
    - mingw64-vista/build

mingw64-vista/archive:
  extends:
    - .mingw/archive
    - .mingw64
    - .mingw-vista
  dependencies:
    - mingw64-vista/build
  needs:
    # archive only if tests successful
    - mingw64-vista/build
    - mingw64-vista/test

mingw32/build:
  extends:
    - .mingw/build
    - .mingw32
  needs:
    - mingw/bootstrap

mingw32/test:
  extends:
    - .mingw/test
    - .mingw32
  dependencies:
    - mingw32/build
  needs:
    - mingw32/build

mingw32/archive:
  extends:
    - .mingw/archive
    - .mingw32
  dependencies:
    - mingw32/build
  needs:
    # archive only if tests successful
    - mingw32/build
    - mingw32/test

mingw32-vista/build:
  extends:
    - .mingw/build
    - .mingw32
    - .mingw-vista
  needs:
    - mingw/bootstrap

mingw32-vista/test:
  extends:
    - .mingw/test
    - .mingw32
    - .mingw-vista
  dependencies:
    - mingw32-vista/build
  needs:
    - mingw32-vista/build

mingw32-vista/archive:
  extends:
    - .mingw/archive
    - .mingw32
    - .mingw-vista
  dependencies:
    - mingw32-vista/build
  needs:
    # archive only if tests successful
    - mingw32-vista/build
    - mingw32-vista/test