authorDaiki Ueno <ueno@gnu.org>2021-01-08 10:19:43 +0000
committerDaiki Ueno <ueno@gnu.org>2021-01-08 10:19:43 +0000
commit45baab1a79cfcdf5fd12b1c1564716d047701635 (patch)
treec1f6e21858186ce1aaff1377a5b8d09d65accdc4
parent6a6a3d4f6825d053933872d8d441417704bbdf03 (diff)
parent536f10e1e06244afdfc8e74bb1ef4eb63184e1ec (diff)
downloadgnutls-45baab1a79cfcdf5fd12b1c1564716d047701635.tar.gz
Merge branch 'ci-rework' into 'master'
CI pipeline rework - using stages and inheritance

See merge request gnutls/gnutls!1366
-rw-r--r--.gitlab-ci.yml1488
1 files changed, 746 insertions, 742 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f000f82944..22edca6ada 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,819 +1,823 @@
stages:
- - stage1-testing
-
-# we utilize the images generated by the build-images project, to
-# speed up CI runs. We also use ccache and store config.cache
-# to speed up compilation. We include a version number in cache
-# name to allow expiration of old caches.
-
-cache:
- key: "$CI_JOB_NAME-ver18"
- paths:
- - cache/
-
-before_script:
- # CCache Config
- - mkdir -p cache
- - export CCACHE_BASEDIR=${PWD}
- - export CCACHE_DIR=${PWD}/cache
- - export CC="ccache gcc"
-
-# With just one virtual core, parallel builds only make sense when
-# I/O wait is involved. If too many parallel builds are used, the overall
-# time even increases (e.g. due to more cache misses).
-# $BUILDJOBS seems to be best with $(nproc)+1, while $CHECKJOBS can be much
-# higher because several tests have a large I/O waiting time.
-# The numbers are hard-coded since FreeBSD doesn't know the nproc command.
- - export BUILDJOBS=2
- - export CHECKJOBS=16
-
-after_script:
- # somehow after_script looses environment
- - export CCACHE_BASEDIR=${PWD}
- - export CCACHE_DIR=${PWD}/cache
- - ccache -s
+ - build
+ - test
+ - archive
variables:
+ # we utilize the images generated by the build-images project, to
+ # speed up CI runs. We also use ccache and store config.cache
+ # to speed up compilation. We include a version number in cache
+ # name to allow expiration of old caches.
BUILD_IMAGES_PROJECT: gnutls/build-images
DEBIAN_BUILD: buildenv-debian-testing
DEBIAN_CROSS_BUILD: buildenv-debian-cross-testing
DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross
- FEDORA28_BUILD: buildenv-f28
FEDORA_BUILD: buildenv-fedora33
MINGW_BUILD: buildenv-mingw-fedora33
ALPINE_BASE_BUILD: buildenv-alpine-base-nettle36
+ COMPILER: gcc
CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'"
GET_SOURCES_ATTEMPTS: "3"
+ # With just one virtual core, parallel builds only make sense when
+ # I/O wait is involved. If too many parallel builds are used, the overall
+ # time even increases (e.g. due to more cache misses).
+ # $BUILDJOBS seems to be best with $(nproc)+1, while $CHECKJOBS can be much
+ # higher because several tests have a large I/O waiting time.
+ # The numbers are hard-coded since FreeBSD doesn't know the nproc command.
+ BUILDJOBS: 2
+ CHECKJOBS: 16
-##################################################
-# Stage 1, documentation, and advanced checks
-##################################################
+cache:
+ key: "$CI_JOB_NAME-ver19"
+ paths:
+ - cache/
-commit-check:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
+.prepare-ccache: &prepare-ccache
+ # CCache Config
+ - mkdir -p cache
+ - export CCACHE_BASEDIR=${PWD}
+ - export CCACHE_DIR=${PWD}/cache
+ - export CCACHE_FILE=${CCACHE_DIR}/config.cache
+ - export CC="ccache $COMPILER"
+
+default:
before_script:
- - /bin/true
- after_script:
- - /bin/true
- except:
- - master@gnutls/gnutls
- cache:
- # do not load cache files
- key: none
- policy: pull
- script:
- # we want $ALPINE_BASE_BUILD without git, so add it here
- - apk add git bash
- - devel/check_if_signed
- retry: 0
+ - *prepare-ccache
-doc-dist.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - GUILE=/usr/bin/guile2.2
- - GUILD=/usr/bin/guild2.2
- - guile_snarf=/usr/bin/guile-snarf2.2
- - export GUILE GUILD guile_snarf
- - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
- - make -j$BUILDJOBS -C doc stamp-vti
- - make -j$BUILDJOBS -C doc stamp-1
- - make -j$BUILDJOBS -C doc stamp_enums
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS -C doc gnutls.html
- - make -j$BUILDJOBS -C doc/latex gnutls.pdf
- - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
- - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
-# check whether distribution with or without included libopts is ok
- - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
- - make -j$CHECKJOBS distcheck
- tags:
- - shared
- - linux
- except:
- - tags
- retry: 1
+ after_script:
+ # after_script is executed in separate shell
+ - *prepare-ccache
+ - ccache -s
-abi/coverage:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - GUILE=/usr/bin/guile2.2
- - GUILD=/usr/bin/guild2.2
- - guile_snarf=/usr/bin/guile-snarf2.2
- - export GUILE GUILD guile_snarf
- - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc
- - make -j$BUILDJOBS
- - make abi-check
- - make pic-check
- - make -j$CHECKJOBS check
- - make local-code-coverage-output || true
- - if objdump -R lib/.libs/libgnutls.so | grep INTERNAL ; then false ; fi
+.build:
+ stage: build
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags # TODO
artifacts:
- expire_in: 1 week
- when: on_failure
+ expire_in: 1 day
+ #when: on_failure
paths:
- - ./*.xml
- - ./gnutls-prev-abi.tmp/
- - compat_reports/
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- - guile/tests/*.log
- retry: 1
-
-minimal.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+ - ./
+ exclude:
+ - .git/ # passing forward .git causes warnings and possibly problems
+ - ./**/.git/ # passing forward .git causes warnings and possibly problems
+ - ./**/*.c
+ - ./**/*.h
+ - ./**/*.o
+
+.test:
+ stage: test
script:
- - echo "No tools build"
- - ./bootstrap
- - dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - echo "Minimal build"
- - dnf remove -y libunistring-devel libtasn1-devel libidn-devel
- - dash ./configure --cache-file cache/config.cache --with-included-libtasn1
- --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests
- --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication
- --disable-anon-authentication --disable-dhe --disable-ecdhe
- --disable-ocsp --disable-non-suiteb-curves --with-included-unistring
- --disable-nls --disable-libdane --without-p11-kit --without-tpm
- --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility
- --disable-gcc-warnings --with-system-priority-file=""
- --disable-gost
- --disable-guile
- - make clean
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
+ - make -j$CHECKJOBS check
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags # TODO
artifacts:
expire_in: 1 week
when: on_failure
paths:
- ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-# This enables SSL3.0 and SHA-1 support, and runs interop tests
-# with openssl 1.1.0, which include legacy algorithms like DSA.
-SSL-3.0.Fedora.x86_64:
- stage: stage1-testing
+ - ./**/*.log
+
+.fedora:
image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- script:
- - update-crypto-policies --set LEGACY
- - ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile --disable-strict-der-time
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
+
+.fedora-nettle:
+ extends:
+ - .fedora
+ variables:
+ COMPILER: clang
+ NETTLE_DIR: nettle
+
+.debian:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
+
+.debian-cross-i686:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
+
+.debian-cross-other:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
+
+.mingw:
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+ variables:
+ COMPILER: "${arch_name}-w64-mingw32-gcc"
+ CFLAGS: "-fstack-protector"
+ CXXFLAGS: "-fstack-protector"
+ LDFLAGS: "-fstack-protector"
+ WINEPATH: "/usr/${arch_name}-w64-mingw32/sys-root/mingw/bin"
+ before_script:
+ - *prepare-ccache
+ - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+ - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
+
+.mingw-vista:
+ variables:
+ # Target Vista instead of XP, currently the default in mingw
+ CPPFLAGS: "-D_WIN32_WINNT=0x600"
+
+.mingw32:
+ extends:
+ - .mingw
+ variables:
+ arch_bits: 32
+ arch_name: i686
+
+.mingw64:
+ extends:
+ - .mingw
+ variables:
+ arch_bits: 64
+ arch_name: x86_64
+
+##############################################################################
+############# Standalone checks without dependencies #########################
+##############################################################################
+
+commit-check:
+ stage: test
+ image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD
+ needs: [] # can be run immediately
+ before_script: []
+ after_script: []
except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/tests/*.log
- - build/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-FIPS140-2.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+ - master@gnutls/gnutls
+ cache: {}
script:
- - ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - mkdir -p lib/.libs/fipscheck
- - |
- for i in lib/.libs/libgnutls.so*; do
- openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex $i | cut -f 2 -d ' ' > lib/.libs/fipscheck/$(basename $i).hmac
- done
- - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ # we want $ALPINE_BASE_BUILD without git, so we are adding it here
+ - apk add git bash
+ - devel/check_if_signed
+ retry: 0
-valgrind.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+doc-dist.Fedora:
+ extends:
+ - .test
+ - .fedora
+ needs: [] # can be run immediately
script:
- - ./bootstrap
-# gcc in fedora31 inlines strcmp in a way that causes valgrind errors
- - CFLAGS="-O2 -g -fno-builtin-strcmp" ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-guile --disable-full-test-suite --enable-valgrind-tests
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- retry: 1
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - GUILE=/usr/bin/guile2.2
+ - GUILD=/usr/bin/guild2.2
+ - guile_snarf=/usr/bin/guile-snarf2.2
+ - export GUILE GUILD guile_snarf
+ - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
+ - make -j$BUILDJOBS -C doc stamp-vti
+ - make -j$BUILDJOBS -C doc stamp-1
+ - make -j$BUILDJOBS -C doc stamp_enums
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS -C doc gnutls.html
+ - make -j$BUILDJOBS -C doc/latex gnutls.pdf
+ - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+ - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+ # check whether distribution with or without included libopts is ok
+ - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
+ - make -j$CHECKJOBS distcheck
-threadsan.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+
+# That is a specific runner that we cannot enable universally.
+# We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
+FreeBSD.x86_64:
+ extends:
+ - .test
+ needs: [] # builds own artifacts, no need to wait
+ variables:
+ COMPILER: clang
+ image:
script:
- - ./bootstrap
- - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
- dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --enable-fips140-mode --disable-full-test-suite
- - make -j$BUILDJOBS
- - make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+ - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
+ - export NETTLE_DIR=${PWD}/nettle
+ - cd nettle-git
+ - ./.bootstrap
+ - ./configure --enable-mini-gmp --disable-documentation --disable-openssl --prefix=$NETTLE_DIR
+ - gmake
+ - gmake install
+ - cd -
+ - ./bootstrap
+ - export LDFLAGS="-Wl,-rpath,$NETTLE_DIR/lib -L$NETTLE_DIR/lib -L/usr/local/lib"
+ - export PKG_CONFIG_PATH=$NETTLE_DIR/lib/pkgconfig
+ - export CPPFLAGS=`pkg-config hogweed --cflags-only-I`
+ - export LD_LIBRARY_PATH=$NETTLE_DIR/lib
+ - ./configure --disable-full-test-suite --cache-file $CCACHE_FILE --disable-gcc-warnings --disable-guile --disable-doc --with-nettle-mini
+ - gmake V=1 2>&1 | tee make.log
+ - gmake check
tags:
- - shared
- - linux
+ - freebsd
+ only:
+ - branches@gnutls/gnutls
except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-static-analyzers.Fedora.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
- before_script:
- - /bin/true
+ - tags
+
+# Two runs, one with normal backend and another with pkcs11 trust store
+UB+ASAN-Werror.Fedora.x86_64.gcc:
+ extends:
+ - .test
+ - .fedora
+ needs: [] # builds own artifacts, no need to wait
script:
- - ./bootstrap
- - scan-build ./configure --cache-file cache/config.cache --disable-doc --disable-guile --enable-fips140-mode
- - make -j$BUILDJOBS syntax-check gnulib_dir=$GNULIB_SRCDIR
- - make -j$BUILDJOBS -C gl
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C lib
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C libdane
- - make -j$BUILDJOBS -C src/gl
- - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C src
- - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -i lib/nettle/ecc -j2 $CPPCHECK_OPTIONS
- - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j2 $CPPCHECK_OPTIONS
- after_script:
- - /bin/true
+ - ./bootstrap
+ - export UBSAN_OPTIONS=print_stacktrace=1
+ - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
+ - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
+ - export CXXFLAGS="$CFLAGS"
+ - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+ - make -j$BUILDJOBS
+ # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
+ - make -j$BUILDJOBS check -C fuzz
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
+ - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
+ - make -j$CHECKJOBS check -C tests
+ - dash ./configure --cache-file $CCACHE_FILE --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
+ - make clean
+ - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
+ - make -j$BUILDJOBS
+ # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
+ - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - scan-build-lib/*
- - scan-build-libdane/*
- retry: 1
+ - tags
+##############################################################################
+########################### Fedora pipelines #################################
+##############################################################################
-MinGW32.DLLs:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-notools/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache i686-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw32-make -j$BUILDJOBS
- - mingw32-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win32-build/bin win32-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win32-build/bin
- - i686-w64-mingw32-strip --strip-unneeded win32-build/bin/*.dll
- - i686-w64-mingw32-strip win32-build/bin/*.exe
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win32-build/bin
- - cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win32-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win32-build/lib
- - cp lib/includes/gnutls/*.h win32-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win32-build/
- retry: 1
+ - ./bootstrap
+ - dash ./configure --cache-file $CCACHE_FILE --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW64.DLLs:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-notools/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-notools/build
+ needs:
+ - fedora-notools/build
+
+fedora-minimal/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win64-build/bin win64-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin
- - x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll
- - x86_64-w64-mingw32-strip win64-build/bin/*.exe
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib
- - cp lib/includes/gnutls/*.h win64-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win64-build/
- retry: 1
+ - ./bootstrap
+ - dnf remove -y libunistring-devel libtasn1-devel libidn-devel
+ - dash ./configure --cache-file $CCACHE_FILE --with-included-libtasn1
+ --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests
+ --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication
+ --disable-anon-authentication --disable-dhe --disable-ecdhe
+ --disable-ocsp --disable-non-suiteb-curves --with-included-unistring
+ --disable-nls --disable-libdane --without-p11-kit --without-tpm
+ --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility
+ --disable-gcc-warnings --with-system-priority-file=""
+ --disable-gost
+ --disable-guile
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW64.DLLs.Vista+:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-minimal/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-minimal/build
+ needs:
+ - fedora-minimal/build
+
+fedora-SSL-3.0/build:
+ extends:
+ - .build
+ - .fedora
script:
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- # Target Vista instead of XP, currently the default in mingw
- - export CPPFLAGS="-D_WIN32_WINNT=0x600"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$BUILDJOBS -C tests check
-# Combine generated apps and DLLs.
-#libwinpthread is required by libgcc
-#libffi is required by libp11-kit
- - mkdir -p win64-build/bin win64-build/lib/includes
- - cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin
- - x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll
- - x86_64-w64-mingw32-strip win64-build/bin/*.exe
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin
- - cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin
- - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib
- - cp lib/includes/gnutls/*.h win64-build/lib/includes
- tags:
- - shared
- - docker
- - linux
- only:
- - tags
- artifacts:
- name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
- paths:
- - win64-build/
- retry: 1
+ - update-crypto-policies --set LEGACY
+ - ./bootstrap
+ - dash ./configure --disable-tls13-interop --disable-gcc-warnings --cache-file $CCACHE_FILE --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile --disable-strict-der-time
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
-MinGW64.Vista+:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-SSL-3.0/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-SSL-3.0/build
+ needs:
+ - fedora-SSL-3.0/build
+
+fedora-FIPS140-2/build:
+ extends:
+ - .build
+ - .fedora
script:
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- # Target Vista instead of XP, currently the default in mingw
- - export CPPFLAGS="-D_WIN32_WINNT=0x600"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- # generate the certtool autogen file to check whether later compilation will modify it
- - mingw64-make -j$BUILDJOBS -C src certtool-args.c.bak
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$CHECKJOBS -C tests check
- - cd ..
- # since we use --enable-local-libopts the generated files must equal the .bak
- - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ - ./bootstrap
+ - dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile
+ - make -j$BUILDJOBS
+ - make -j$CHECKJOBS check
+ - mkdir -p lib/.libs/fipscheck
+ - |
+ for i in lib/.libs/libgnutls.so*; do
+ openssl sha256 -hmac orboDeJITITejsirpADONivirpUkvarP -hex $i | cut -f 2 -d ' ' > lib/.libs/fipscheck/$(basename $i).hmac
+ done
+ # build tests, but don't execute them
+ - GNUTLS_FORCE_FIPS_MODE=1 make -j$BUILDJOBS check TESTS=""
-MinGW64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+fedora-FIPS140-2/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-FIPS140-2/build
+ needs:
+ - fedora-FIPS140-2/build
script:
- - ./bootstrap
- - export CC="ccache x86_64-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/x86_64-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- # generate the certtool autogen file to check whether later compilation will modify it
- - mingw64-make -j$BUILDJOBS -C src certtool-args.c.bak
- - mingw64-make -j$BUILDJOBS
- - mingw64-make -j$CHECKJOBS -C tests check
- - cd ..
- # since we use --enable-local-libopts the generated files must equal the .bak
- - cmp build/src/certtool-args.c build/src/certtool-args.c.bak || false
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ - GNUTLS_FORCE_FIPS_MODE=1 make -j$CHECKJOBS check
-MinGW32:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$MINGW_BUILD
+.fedora-nettle/build:
+ extends:
+ - .build
+ - .fedora-nettle
script:
- - ./bootstrap
- - export CC="ccache i686-w64-mingw32-gcc"
- - export CFLAGS="-fstack-protector"
- - export CXXFLAGS="-fstack-protector"
- - export LDFLAGS="-fstack-protector"
- - export WINEPATH=/usr/i686-w64-mingw32/sys-root/mingw/bin
- - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- - mkdir -p build
- - cd build
- - dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc
- - mingw32-make -j$BUILDJOBS
- - mingw32-make -j$CHECKJOBS -C tests check
- - cd ..
- tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- retry: 1
+ - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
+ - pushd nettle-git
+ - ./.bootstrap
+ - ./configure --disable-documentation --prefix=${PWD}/$NETTLE_DIR $NETTLE_CONFIGURE_ARGS
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS install
+ - popd
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - PKG_CONFIG_PATH=${PWD}/$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
-# That is a specific runner that we cannot enable universally.
-# We restrict it to builds under the $BUILD_IMAGES_PROJECT project.
-FreeBSD.x86_64:
- stage: stage1-testing
- image:
+.fedora-nettle/test:
+ extends:
+ - .test
+ - .fedora-nettle
script:
- - export CC="ccache clang"
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - cd nettle-git
- - ./.bootstrap
- - ./configure --enable-mini-gmp --disable-documentation --disable-openssl --prefix=$NETTLE_DIR
- - gmake
- - gmake install
- - cd -
- - ./bootstrap
- - export LDFLAGS="-Wl,-rpath,$NETTLE_DIR/lib -L$NETTLE_DIR/lib -L/usr/local/lib"
- - export PKG_CONFIG_PATH=$NETTLE_DIR/lib/pkgconfig
- - export CPPFLAGS=`pkg-config hogweed --cflags-only-I`
- - export LD_LIBRARY_PATH=$NETTLE_DIR/lib
- - ./configure --disable-full-test-suite --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc --with-nettle-mini
- - gmake V=1 2>&1 | tee make.log
- - gmake check
- tags:
- - freebsd
- only:
- - branches@gnutls/gnutls
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - tests/*.log
- - tests/*/*.log
- retry: 1
+ - PKG_CONFIG_PATH=${PWD}/$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=${PWD}/$NETTLE_DIR/lib64 make -j$CHECKJOBS check
-# Two runs, one with normal backend and another with pkcs11 trust store
-UB+ASAN-Werror.Fedora.x86_64.gcc:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+fedora-nettle/build:
+ extends:
+ - .fedora-nettle/build
+ variables:
+ NETTLE_CONFIGURE_ARGS: ""
+
+fedora-nettle/test:
+ extends:
+ - .fedora-nettle/test
+ dependencies:
+ - fedora-nettle/build
+ needs:
+ - fedora-nettle/build
+
+fedora-nettle-minigmp/build:
+ extends:
+ - .fedora-nettle/build
+ variables:
+ NETTLE_CONFIGURE_ARGS: "--enable-mini-gmp"
+
+fedora-nettle-minigmp/test:
+ extends:
+ - .fedora-nettle/test
+ dependencies:
+ - fedora-nettle-minigmp/build
+ needs:
+ - fedora-nettle-minigmp/build
+
+fedora-valgrind/build:
+ extends:
+ - .build
+ - .fedora
script:
- - ./bootstrap
- - export UBSAN_OPTIONS=print_stacktrace=1
- - export LSAN_OPTIONS=suppressions=$(pwd)/devel/lsan.supp
- - export CFLAGS="-std=c99 -O1 -g -Wno-cpp -Werror -fno-omit-frame-pointer -fsanitize=undefined,bool,alignment,null,enum,bounds-strict,address,leak,nonnull-attribute -fno-sanitize-recover=all -fsanitize-address-use-after-scope"
- - export CXXFLAGS="$CFLAGS"
- - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration
- - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- - make -j$BUILDJOBS
- # Use $BUILDJOBS since the fuzzers should use mainly CPU (no blocking I/O)
- - make -j$BUILDJOBS check -C fuzz
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x1
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x2
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x4
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x8
- - make -j$BUILDJOBS check -C fuzz GNUTLS_CPUID_OVERRIDE=0x20
- - make -j$CHECKJOBS check -C tests
- - dash ./configure --cache-file cache/config.cache --disable-guile --disable-doc --disable-hardware-acceleration --with-default-trust-store-pkcs11="pkcs11:" --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM
- - make clean
- - sed -i 's/-Werror/-Wno-parentheses -Werror/g' src/Makefile
- - make -j$BUILDJOBS
- # Use $BUILDJOBS since most of the job is building all tests, then just running 4 tests
- - make -j$BUILDJOBS check -C tests TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=.
+ - ./bootstrap
+ # gcc in fedora31 inlines strcmp in a way that causes valgrind errors
+ - CFLAGS="-O2 -g -fno-builtin-strcmp" ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-guile --disable-full-test-suite --enable-valgrind-tests
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
+
+fedora-valgrind/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-valgrind/build
+ needs:
+ - fedora-valgrind/build
+ timeout: 2h
+
+fedora-threadsan/build:
+ extends:
+ - .build
+ - .fedora
+ script:
+ - ./bootstrap
+ - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS
+ dash ./configure --disable-gcc-warnings --disable-doc --cache-file $CCACHE_FILE --disable-non-suiteb-curves --disable-guile --enable-fips140-mode --disable-full-test-suite
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS -C tests check SUBDIRS=. TESTS="" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+
+fedora-threadsan/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-threadsan/build
+ needs:
+ - fedora-threadsan/build
+ script:
+ - make -j$CHECKJOBS -C tests check SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1
+
+fedora-static-analyzers/build:
+ extends:
+ - .build
+ - .fedora
+ #TODO originally, before_script was set to "/bin/true".. is there a reason not to create the cache?
+ script:
+ - ./bootstrap
+ - scan-build ./configure --cache-file $CCACHE_FILE --disable-doc --disable-guile --enable-fips140-mode
+ - make -j$BUILDJOBS syntax-check gnulib_dir=$GNULIB_SRCDIR
+ - make -j$BUILDJOBS -C gl
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C lib
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C libdane
+ - make -j$BUILDJOBS -C src/gl
+ - scan-build --status-bugs -o scan-build-lib make -j$BUILDJOBS -C src
+ #TODO originally, after_script was set to "/bin/true".. is there a reason not to create the cache?
+
+fedora-static-analyzers/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-static-analyzers/build
+ needs:
+ - fedora-static-analyzers/build
+ script:
+ - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -i lib/nettle/ecc -j2 $CPPCHECK_OPTIONS
+ - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j2 $CPPCHECK_OPTIONS
+
+# TODO this does not work, so we keep using old job doc-dist.Fedora
+# Keeping it here until I figure it out.
+#fedora-docdist/build:
+# extends:
+# - .build
+# - .fedora
+# script:
+# - SUBMODULE_NOFETCH=1 ./bootstrap
+# - GUILE=/usr/bin/guile2.2
+# - GUILD=/usr/bin/guild2.2
+# - guile_snarf=/usr/bin/guile-snarf2.2
+# - export GUILE GUILD guile_snarf
+# - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode
+# - make -j$BUILDJOBS -C doc stamp-vti
+# - make -j$BUILDJOBS -C doc stamp-1
+# - make -j$BUILDJOBS -C doc stamp_enums
+# - make -j$BUILDJOBS
+# - make -j$BUILDJOBS -C doc gnutls.html
+# - make -j$BUILDJOBS -C doc/latex gnutls.pdf
+# - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+# - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+# # we don't throw away intermediate compilation results as /test job does some compiling, too
+# artifacts:
+# expire_in: 1 day
+# paths:
+# - ./
+# exclude:
+# - .git/ # passing forward .git causes warnings and possibly problems
+# - ./**/.git/ # passing forward .git causes warnings and possibly problems
+#
+#fedora-docdist/test:
+# extends:
+# - .test
+# - .fedora
+# dependencies:
+# - fedora-docdist/build
+# needs:
+# - fedora-docdist/build
+# script: # shall we separate it to two jobs?
+# - export CFLAGS="-std=c99 -O2 -g"
+# - DB2EPUBDIR=$(dirname $(find /usr/share/sgml/docbook/xsl-ns-stylesheets-*/epub/bin/ -name dbtoepub -print))
+# - PATH="$PATH:$DB2EPUBDIR" make -C doc gnutls.epub
+# # check whether distribution with or without included libopts is ok
+# - make -j$CHECKJOBS distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-local-libopts --disable-tests"
+# - make -j$CHECKJOBS distcheck
+
+fedora-abicoverage/build:
+ extends:
+ - .build
+ - .fedora
+ script:
+ script:
+ - SUBMODULE_NOFETCH=1 ./bootstrap
+ - GUILE=/usr/bin/guile2.2
+ - GUILD=/usr/bin/guild2.2
+ - guile_snarf=/usr/bin/guile-snarf2.2
+ - export GUILE GUILD guile_snarf
+ - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file $CCACHE_FILE --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc
+ - make -j$BUILDJOBS
+ - make -j$BUILDJOBS check TESTS=""
tags:
- - shared
- - linux
+ - shared
+ - linux
except:
- - tags
+ - tags
+
+fedora-abicoverage/test:
+ extends:
+ - .test
+ - .fedora
+ dependencies:
+ - fedora-abicoverage/build
+ needs:
+ - fedora-abicoverage/build
+ script:
+ - make abi-check
+ - make pic-check
+ - make -j$CHECKJOBS check
+ - make local-code-coverage-output || true
+ - if objdump -R lib/.libs/libgnutls.so | grep INTERNAL ; then false ; fi
artifacts:
expire_in: 1 week
when: on_failure
paths:
- - guile/tests/*.log
+ - ./*.xml
- ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-# This includes interoperability testing with gnutls 2.12.x
-Debian.x86_64:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD
+ - ./**/*.log
+ - gnutls-prev-abi.tmp/
+ - compat_reports/
+
+##############################################################################
+########################### Debian pipelines #################################
+##############################################################################
+
+debian/build:
+ extends:
+ - .build
+ - .debian
script:
- ./bootstrap
- - mkdir -p build
- - cd build
- - dash ../configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
+ - dash ./configure --enable-oldgnutls-interop --disable-gcc-warnings --cache-file $CCACHE_FILE --disable-doc --disable-guile LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now'
- make -j$BUILDJOBS
- - make -j$CHECKJOBS check
- - cd ..
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-Debian.cross.i686-linux-gnu:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD
+ - make -j$BUILDJOBS check TESTS=""
+
+debian/test:
+ extends:
+ - .test
+ - .debian
+ dependencies:
+ - debian/build
+ needs:
+ - debian/build
+
+.debian-cross/build:
+ extends:
+ - .build
script:
- - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
- - host=i686-linux-gnu
- # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
- # config.guess to detect the target as the build platform and not activate
- # cross-compile mode even though --build is given
- - export CC_FOR_BUILD="ccache gcc"
- - export CC="ccache $host-gcc"
- - ./bootstrap
- - mkdir -p build
- - cd build
- # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
- # for the target will cause the test suite to fail when p11-kit is enabled.
- - dash ../configure --build=$build --host=$host --disable-gcc-warnings
- --cache-file ../cache/config.cache --disable-doc --disable-guile
- --without-p11-kit --disable-full-test-suite
- - make -j$BUILDJOBS
- - make pic-check
- # Parallel tests cause random failures, likely timing errors
- - make -j1 check
- - cd ..
+ - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
+ - host=$(echo $CI_JOB_NAME |cut -d/ -f2)
+ - echo "host is $host"
+ # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
+ # config.guess to detect the target as the build platform and not activate
+ # cross-compile mode even though --build is given
+ - export CC_FOR_BUILD="ccache gcc"
+ - export CC="ccache $host-gcc"
+ - ./bootstrap
+ # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
+ # for the target will cause the test suite to fail when p11-kit is enabled.
+ - dash ./configure --build=$build --host=$host --disable-gcc-warnings
+ --cache-file $CCACHE_FILE --disable-doc --disable-guile
+ --without-p11-kit --disable-full-test-suite
+ - make -j$BUILDJOBS
+ # build tests, but don't execute them
+ - make -j$BUILDJOBS check TESTS=""
tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-.Debian.cross.template: &Debian_cross_template
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD
+ - shared
+ - docker
+ - linux
+
+.debian-cross/test:
+ extends:
+ - .test
script:
- - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE)
- - host="${CI_JOB_NAME#*.cross.}"
- # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes
- # config.guess to detect the target as the build platform and not activate
- # cross-compile mode even though --build is given
- - export CC_FOR_BUILD="ccache gcc"
- - export CC="ccache $host-gcc"
- - ./bootstrap
- - sed -i '/errno.==.EINVAL/d' src/gl/tests/test-strerror.c
- - mkdir -p build
- - cd build
- # Debian's softhsm package is not multiarch yet. Missing softhsm libraries
- # for the target will cause the test suite to fail when p11-kit is enabled.
- - dash ../configure --build=$build --host=$host --disable-gcc-warnings
- --cache-file ../cache/config.cache --disable-doc --disable-guile
- --without-p11-kit --disable-full-test-suite
- - make -j$BUILDJOBS
- # Parallel tests cause random failures, likely timing errors
- - make -j1 check
- - cd ..
+ - make pic-check
+ # Parallel tests cause random failures, likely timing errors
+ - make -j1 check
tags:
- - shared
- - docker
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - build/guile/tests/*.log
- - build/*.log
- - build/tests/*.log
- - build/tests/*/*.log
- - build/tests/suite/*/*.log
- retry: 1
-
-Debian.cross.arm-linux-gnueabihf:
- <<: *Debian_cross_template
-
-Debian.cross.aarch64-linux-gnu:
- <<: *Debian_cross_template
+ - shared
+ - docker
+ - linux
+
+debian-cross/i686-linux-gnu/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-i686
+
+debian-cross/i686-linux-gnu/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-i686
+ dependencies:
+ - debian-cross/i686-linux-gnu/build
+ needs:
+ - debian-cross/i686-linux-gnu/build
+
+debian-cross/arm-linux-gnueabihf/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-other
+
+debian-cross/arm-linux-gnueabihf/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-other
+ dependencies:
+ - debian-cross/arm-linux-gnueabihf/build
+ needs:
+ - debian-cross/arm-linux-gnueabihf/build
+ timeout: 2h
+
+debian-cross/aarch64-linux-gnu/build: # name is important, see .debian-cross/build
+ extends:
+ - .debian-cross/build
+ - .debian-cross-other
+
+debian-cross/aarch64-linux-gnu/test:
+ extends:
+ - .debian-cross/test
+ - .debian-cross-other
+ dependencies:
+ - debian-cross/aarch64-linux-gnu/build
+ needs:
+ - debian-cross/aarch64-linux-gnu/build
+ timeout: 2h
allow_failure: true
-nettle-master.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+.mingw/build:
+ extends:
+ - .build
script:
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - pushd nettle-git
- - ./.bootstrap
- - ./configure --disable-documentation --prefix=$NETTLE_DIR
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS install
- - popd
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile
- - make -j$BUILDJOBS
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=$NETTLE_DIR/lib64 make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
- artifacts:
- expire_in: 1 week
- when: on_failure
- paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
-
-nettle-master-minigmp.Fedora:
- stage: stage1-testing
- image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD
+# - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
+# - echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
+ - ./bootstrap
+ - dash ./configure --disable-gcc-warnings --host=${arch_name}-w64-mingw32 --target=${arch_name}-w64-mingw32 --cache-file $CCACHE_FILE --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc
+ # since we use --enable-local-libopts the generated files must equal the .bak
+ - mingw${arch_bits}-make -j$BUILDJOBS -C src certtool-args.c.bak
+ - cmp src/certtool-args.c src/certtool-args.c.bak || false # TODO not really sure about what is this for
+ - mingw${arch_bits}-make -j$BUILDJOBS
+ - mingw${arch_bits}-make -j$BUILDJOBS -C tests check TESTS=""
+
+##############################################################################
+########################### MinGW pipelines ##################################
+##############################################################################
+
+.mingw/test:
+ extends:
+ - .test
script:
- - git clone --depth 1 --branch master https://gitlab.com/gnutls/nettle.git nettle-git
- - export NETTLE_DIR=${PWD}/nettle
- - pushd nettle-git
- - ./.bootstrap
- - ./configure --disable-documentation --enable-mini-gmp --prefix=$NETTLE_DIR
- - make -j$BUILDJOBS
- - make -j$BUILDJOBS install
- - popd
- - SUBMODULE_NOFETCH=1 ./bootstrap
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig dash ./configure --disable-gcc-warnings --disable-doc --disable-guile --disable-full-test-suite
- - make -j$BUILDJOBS
- - PKG_CONFIG_PATH=$NETTLE_DIR/lib64/pkgconfig LD_LIBRARY_PATH=$NETTLE_DIR/lib64 make -j$CHECKJOBS check
- tags:
- - shared
- - linux
- except:
- - tags
+ - mingw${arch_bits}-make -j$CHECKJOBS -C tests check
+
+.mingw/archive:
+ stage: archive
+# TODO this should be here, but I want to see if it works without tagging
+# only:
+# - tags
+ script:
+ # Combine generated apps and DLLs.
+ #libwinpthread is required by libgcc
+ #libffi is required by libp11-kit
+ - mkdir -p win${arch_bits}-build/bin win${arch_bits}-build/lib/includes
+ - cp lib/.libs/*.dll src/.libs/*.exe win${arch_bits}-build/bin
+ - ${arch_name}-w64-mingw32-strip --strip-unneeded win${arch_bits}-build/bin/*.dll
+ - ${arch_name}-w64-mingw32-strip win${arch_bits}-build/bin/*.exe
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win${arch_bits}-build/bin
+ - cp /usr/${arch_name}-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win${arch_bits}-build/bin
+ - cp lib/.libs/*.a lib/*.def lib/gnutls.pc win${arch_bits}-build/lib
+ - cp lib/includes/gnutls/*.h win${arch_bits}-build/lib/includes
artifacts:
- expire_in: 1 week
- when: on_failure
+ name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}"
paths:
- - ./*.log
- - fuzz/*.log
- - tests/*.log
- - tests/*/*.log
- - tests/suite/*/*.log
- retry: 1
+ - win${arch_bits}-build/
+
+mingw64/build:
+ extends:
+ - .mingw/build
+ - .mingw64
+
+mingw64/test:
+ extends:
+ - .mingw/test
+ - .mingw64
+ dependencies:
+ - mingw64/build
+ needs:
+ - mingw64/build
+
+mingw64/archive:
+ extends:
+ - .mingw/archive
+ - .mingw64
+ dependencies:
+ - mingw64/build
+ needs: # archive only if tests successful
+ - mingw64/build
+ - mingw64/test
+
+mingw64-vista/build:
+ extends:
+ - .mingw/build
+ - .mingw64
+ - .mingw-vista
+
+mingw64-vista/test:
+ extends:
+ - .mingw/test
+ - .mingw64
+ - .mingw-vista
+ dependencies:
+ - mingw64-vista/build
+ needs:
+ - mingw64-vista/build
+
+mingw64-vista/archive:
+ extends:
+ - .mingw/archive
+ - .mingw64
+ - .mingw-vista
+ dependencies:
+ - mingw64-vista/build
+ needs: # archive only if tests successful
+ - mingw64-vista/build
+ - mingw64-vista/test
+
+mingw32/build:
+ extends:
+ - .mingw/build
+ - .mingw32
+
+mingw32/test:
+ extends:
+ - .mingw/test
+ - .mingw32
+ dependencies:
+ - mingw32/build
+ needs:
+ - mingw32/build
+
+mingw32/archive:
+ extends:
+ - .mingw/archive
+ - .mingw32
+ dependencies:
+ - mingw32/build
+ needs: # archive only if tests successful
+ - mingw32/build
+ - mingw32/test
+
+mingw32-vista/build:
+ extends:
+ - .mingw/build
+ - .mingw32
+ - .mingw-vista
+
+mingw32-vista/test:
+ extends:
+ - .mingw/test
+ - .mingw32
+ - .mingw-vista
+ dependencies:
+ - mingw32-vista/build
+ needs:
+ - mingw32-vista/build
+
+mingw32-vista/archive:
+ extends:
+ - .mingw/archive
+ - .mingw32
+ - .mingw-vista
+ dependencies:
+ - mingw32-vista/build
+ needs: # archive only if tests successful
+ - mingw32-vista/build
+ - mingw32-vista/test