stages: - stage1-testing # we utilize the images generated by the build-images project, to # speed up CI runs. We also use ccache and store config.cache # to speed up compilation. We include a version number in cache # name to allow expiration of old caches. cache: key: "$CI_JOB_NAME-ver9" paths: - cache/ before_script: # CCache Config - mkdir -p cache - export CCACHE_BASEDIR=${PWD} - export CCACHE_DIR=${PWD}/cache - export CC="ccache gcc" after_script: # somehow after_script looses environment - export CCACHE_BASEDIR=${PWD} - export CCACHE_DIR=${PWD}/cache - ccache -s variables: BUILD_IMAGES_PROJECT: gnutls/build-images DEBIAN_BUILD: buildenv-debian DEBIAN_CROSS_BUILD: buildenv-debian-cross DEBIAN_X86_CROSS_BUILD: buildenv-debian-x86-cross FEDORA28_BUILD: buildenv-f28 FEDORA_BUILD: buildenv-f29 ALPINE_BASE_BUILD: buildenv-alpine-base CPPCHECK_OPTIONS: "--enable=warning --enable=style --enable=performance --enable=portability --std=c99 --suppressions-list=devel/cppcheck.suppressions --template='{id}:{file}:{line},{severity},{message}'" GET_SOURCES_ATTEMPTS: "3" ################################################## # Stage 1, documentation, and advanced checks ################################################## commit-check: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$ALPINE_BASE_BUILD before_script: - /bin/true after_script: - /bin/true except: - master@gnutls/gnutls cache: # do not load cache files key: none policy: pull script: # we want $ALPINE_BASE_BUILD without git, so add it here - apk add git bash - devel/check_if_signed retry: 0 doc-dist.Fedora: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - SUBMODULE_NOFETCH=1 ./bootstrap - CFLAGS="-std=c99 -O2 -g" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --disable-cxx --disable-non-suiteb-curves --enable-gtk-doc --disable-maintainer-mode - make -C doc stamp-vti && make -C doc stamp-1 && make -C doc stamp_enums && make -j$(nproc) - make -C doc gnutls.html - PATH="$PATH:/usr/share/sgml/docbook/xsl-stylesheets-1.79.1/epub/bin/" make -C doc gnutls.epub && make -C doc/latex gnutls.pdf - make distcheck tags: - shared except: - tags retry: 1 abi/coverage: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - SUBMODULE_NOFETCH=1 ./bootstrap - CFLAGS="-g -Og" dash ./configure --disable-gcc-warnings --cache-file cache/config.cache --prefix=/usr --libdir=/usr/lib64 --enable-code-coverage --disable-maintainer-mode --disable-doc - make -j$(nproc) - make abi-check - make pic-check - make -j$(nproc) check - make local-code-coverage-output || true tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.xml - ./gnutls-prev-abi.tmp/ - compat_reports/ - tests/*.log - tests/*/*.log - tests/suite/*/*.log - guile/tests/*.log retry: 1 minimal.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - echo "No tools build" - ./bootstrap - dash ./configure --cache-file cache/config.cache --disable-gcc-warnings --disable-full-test-suite --disable-doc --disable-guile --disable-tools --enable-tests - make -j$(nproc) - make -j$(nproc) check - echo "Minimal build" - dnf remove -y libunistring-devel libtasn1-devel libidn-devel && dash ./configure --cache-file cache/config.cache --with-included-libtasn1 --enable-valgrind-tests --disable-doc --disable-dtls-srtp-support --disable-alpn-support --disable-tests --disable-heartbeat-support --disable-srp-authentication --disable-psk-authentication --disable-anon-authentication --disable-dhe --disable-ecdhe --disable-ocsp --disable-non-suiteb-curves --with-included-unistring --disable-nls --disable-libdane --without-p11-kit --without-tpm --disable-ssl3-support --disable-ssl2-support --disable-doc --enable-openssl-compatibility --disable-gcc-warnings --disable-gost - make clean - make -j$(nproc) tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.log - fuzz/*.log - tests/*.log - tests/*/*.log - tests/suite/*/*.log retry: 1 # This enables SSL3.0 and SHA-1 support, and runs interop tests # with openssl 1.1.0, which include legacy algorithms like DSA. SSL-3.0.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA28_BUILD script: - ./bootstrap - mkdir -p build && cd build && dash ../configure --disable-tls13-interop --disable-gcc-warnings --cache-file ../cache/config.cache --enable-sha1-support --enable-ssl3-support --enable-seccomp-tests --disable-doc --disable-guile && make -j$(nproc) && make check -j$(nproc) - cd .. tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/guile/tests/*.log - build/tests/*.log - build/*.log - build/tests/*/*.log - build/tests/suite/*/*.log retry: 1 FIPS140-2.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - mkdir -p build && cd build && dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-non-suiteb-curves --enable-fips140-mode --disable-doc --disable-full-test-suite --disable-guile - make -j$(nproc) - mkdir -p lib/.libs/fipscheck && fipshmac -d lib/.libs/fipscheck/ -s .hmac lib/.libs/libgnutls.so* - GNUTLS_FORCE_FIPS_MODE=1 make check -j$(nproc) - cd .. tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/guile/tests/*.log - build/tests/*.log - build/tests/*/*.log retry: 1 valgrind.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-guile --disable-full-test-suite --enable-valgrind-tests - make -j$(nproc) - make check -j$(nproc) tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.log - tests/*.log - tests/*/*.log retry: 1 # Two runs, one with normal backend and another with pkcs11 trust store asan.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - SUBMODULE_NOFETCH=1 ./bootstrap - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan" dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile - make -j$(nproc) - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make check -j$(nproc) - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x1 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x2 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x4 - LSAN_OPTIONS="suppressions=$(pwd)/devel/lsan.supp" make -C fuzz check -j$(nproc) GNUTLS_CPUID_OVERRIDE=0x8 - CFLAGS="-fsanitize=address -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libasan" dash ./configure --cache-file cache/config.cache --disable-doc --with-system-priority-file=/etc/crypto-policies/back-ends/gnutls.config --with-default-priority-string=@SYSTEM --with-default-trust-store-pkcs11="pkcs11:" --disable-guile - make -j$(nproc) - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh priority-init2 set-default-prio" SUBDIRS=. tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.log - fuzz/*.log - tests/*.log - tests/*/*.log - tests/suite/*/*.log retry: 1 threadsan.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - CFLAGS="-fsanitize=thread -g -O2" CXXFLAGS=$CFLAGS dash ./configure --disable-gcc-warnings --disable-doc --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --enable-fips140-mode - make -j$(nproc) - make -C tests check -j$(nproc) SUBDIRS=. TESTS="tls-pthread dtls-pthread fips-mode-pthread rng-pthread" TSAN_OPTIONS="suppressions=$(pwd)/devel/tsan.supp" GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1 GNUTLS_FORCE_FIPS_MODE=1 tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.log - fuzz/*.log - tests/*.log - tests/*/*.log - tests/suite/*/*.log retry: 1 static-analyzers.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD before_script: - /bin/true script: - ./bootstrap - scan-build ./configure --cache-file cache/config.cache --disable-doc --disable-guile --enable-fips140-mode --enable-valgrind-tests - make -j$(nproc) syntax-check gnulib_dir=$GNULIB_SRCDIR - make -j$(nproc) -C gl - scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C lib - scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C libdane - make -j$(nproc) -C src/gl && scan-build --status-bugs -o scan-build-lib make -j$(nproc) -C src - cppcheck --force -q -Ilib/include -Igl/ -Ilib/ -I. --error-exitcode=1 lib/ -i lib/unistring -i lib/minitasn1 -i lib/nettle/backport -j$(nproc) $CPPCHECK_OPTIONS - cppcheck --force -q -Ilib/include -Igl/ -Ilibdane/ -I. --error-exitcode=1 libdane/ -j$(nproc) $CPPCHECK_OPTIONS after_script: - /bin/true tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - scan-build-lib/* - scan-build-libdane/* retry: 1 MinGW32.DLLs: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc && echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register - ./bootstrap - export CC="ccache i686-w64-mingw32-gcc" - dash ./configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-nls --disable-guile --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc - mingw32-make -j$(nproc) - mingw32-make -C tests check -j$(nproc) # Combine generated apps and DLLs. #libwinpthread is required by libgcc #libffi is required by libp11-kit - mkdir -p win32-build/bin && mkdir -p win32-build/lib/includes && cp lib/.libs/*.dll src/.libs/*.exe win32-build/bin && i686-w64-mingw32-strip --strip-unneeded win32-build/bin/*.dll && i686-w64-mingw32-strip win32-build/bin/*.exe && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win32-build/bin && cp /usr/i686-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win32-build/bin && cp lib/.libs/*.a lib/*.def lib/gnutls.pc win32-build/lib && cp lib/includes/gnutls/*.h win32-build/lib/includes tags: - shared - docker only: - tags artifacts: name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}" paths: - win32-build/ retry: 1 MinGW64.DLLs: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc && echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register - ./bootstrap - export CC="ccache x86_64-w64-mingw32-gcc" - dash ./configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-non-suiteb-curves --disable-full-test-suite --disable-doc - mingw64-make -j$(nproc) - mingw64-make -C tests check -j$(nproc) # Combine generated apps and DLLs. #libwinpthread is required by libgcc #libffi is required by libp11-kit - mkdir -p win64-build/bin && mkdir -p win64-build/lib/includes && cp lib/.libs/*.dll src/.libs/*.exe win64-build/bin && x86_64-w64-mingw32-strip --strip-unneeded win64-build/bin/*.dll && x86_64-w64-mingw32-strip win64-build/bin/*.exe && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libp11-*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libnettle-*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libhogweed-*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgmp-*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libgcc*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libwinpthread*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libidn2-*.dll win64-build/bin && cp /usr/x86_64-w64-mingw32/sys-root/mingw/bin/libffi-*.dll win64-build/bin && cp lib/.libs/*.a lib/*.def lib/gnutls.pc win64-build/lib && cp lib/includes/gnutls/*.h win64-build/lib/includes tags: - shared - docker only: - tags artifacts: name: "${CI_PROJECT_NAME}-${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}" paths: - win64-build/ retry: 1 MinGW64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - export CC="ccache x86_64-w64-mingw32-gcc" - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc && echo ':DOSWin:M::MZ::/usr/bin/wine64:' > /proc/sys/fs/binfmt_misc/register && mkdir -p build && cd build - dash ../configure --disable-gcc-warnings --host=x86_64-w64-mingw32 --target=x86_64-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc - mingw64-make -j$(nproc) - mingw64-make -C tests check -j$(nproc) - cd .. tags: - shared - docker except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/*.log - build/tests/*.log - build/tests/*/*.log retry: 1 MinGW32: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - export CC="ccache i686-w64-mingw32-gcc" - mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc && echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register && mkdir -p build && cd build - dash ../configure --disable-gcc-warnings --host=i686-w64-mingw32 --target=i686-w64-mingw32 --cache-file ../cache/config.cache --with-included-libtasn1 --disable-guile --disable-nls --with-included-unistring --enable-local-libopts --disable-full-test-suite --disable-non-suiteb-curves --disable-doc - mingw32-make -j$(nproc) - mingw32-make -C tests check -j$(nproc) - cd .. tags: - shared - docker except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/*.log - build/tests/*.log - build/tests/*/*.log retry: 1 # That is a specific runner that we cannot enable universally. # We restrict it to builds under the $BUILD_IMAGES_PROJECT project. FreeBSD.x86_64: stage: stage1-testing image: script: - export CC="ccache clang" - ./bootstrap - LIBS="-L/usr/local/lib" ./configure --disable-full-test-suite --cache-file cache/config.cache --disable-gcc-warnings --disable-guile --disable-doc && gmake -j$(sysctl hw.ncpu | awk '{print $2}') && gmake check -j$(sysctl hw.ncpu | awk '{print $2}') tags: - freebsd only: - branches@gnutls/gnutls except: - tags artifacts: expire_in: 1 week when: on_failure paths: - ./*.log - tests/*.log - tests/*/*.log retry: 1 # Two runs, one with normal backend and another with pkcs11 trust store ubsan-Werror.Fedora.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$FEDORA_BUILD script: - ./bootstrap - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-full-test-suite --disable-doc - make -j$(nproc) -C gl - make -j$(nproc) -C lib CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - make -j$(nproc) -C libdane CFLAGS="-Werror -O2 -g -Wimplicit-fallthrough=2" - make -j$(nproc) -C src/gl - make -j$(nproc) -C src CFLAGS="-Werror -O2 -g -fsanitize=undefined -Wno-error=parentheses -Wno-error=unused-macros -Wimplicit-fallthrough=2 -Wno-duplicated-branches" - make -j$(nproc) - make check -j$(nproc) - CFLAGS="-std=c99 -fsanitize=undefined -fsanitize=bool -fsanitize=alignment -fsanitize=null -fsanitize=bounds-strict -fsanitize=enum -fno-sanitize-recover -g -O2" CXXFLAGS=$CFLAGS LDFLAGS="-static-libubsan" dash ./configure --cache-file cache/config.cache --disable-non-suiteb-curves --disable-guile --disable-doc --disable-full-test-suite --with-default-trust-store-pkcs11="pkcs11:" - make clean - make -j$(nproc) - make -C tests check -j$(nproc) TESTS="trust-store p11-kit-load.sh" SUBDIRS=. tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - guile/tests/*.log - ./*.log - tests/*.log - tests/*/*.log - tests/suite/*/*.log retry: 1 Debian.x86_64: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_BUILD script: - ./bootstrap - mkdir -p build && cd build - dash ../configure --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --disable-full-test-suite LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' - make -j$(nproc) - make check -j$(nproc) - cd .. tags: - shared except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/guile/tests/*.log - build/*.log - build/tests/*.log - build/tests/*/*.log - build/tests/suite/*/*.log retry: 1 Debian.cross.i686-linux-gnu: stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_X86_CROSS_BUILD script: - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE) - host=i686-linux-gnu # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes # config.guess to detect the target as the build platform and not activate # cross-compile mode even though --build is given - export CC_FOR_BUILD="ccache gcc" - export CC="ccache $host-gcc" - ./bootstrap - mkdir -p build - cd build # Debian's softhsm package is not multiarch yet. Missing softhsm libraries # for the target will cause the test suite to fail when p11-kit is enabled. - dash ../configure --build=$build --host=$host --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --without-p11-kit --disable-full-test-suite - make -j$(nproc) - make check -j$(nproc) - cd .. tags: - shared - docker except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/guile/tests/*.log - build/*.log - build/tests/*.log - build/tests/*/*.log - build/tests/suite/*/*.log retry: 1 .Debian.cross.template: &Debian_cross_template stage: stage1-testing image: $CI_REGISTRY/$BUILD_IMAGES_PROJECT:$DEBIAN_CROSS_BUILD script: - build=$(dpkg-architecture -qDEB_HOST_GNU_TYPE) - host="${CI_JOB_NAME#*.cross.}" # not setting CC_FOR_BUILD paired with qemu-user/binfmt somehow causes # config.guess to detect the target as the build platform and not activate # cross-compile mode even though --build is given - export CC_FOR_BUILD="ccache gcc" - export CC="ccache $host-gcc" - ./bootstrap - sed -i '/errno.==.EINVAL/d' gl/tests/test-strerror.c - mkdir -p build - cd build # Debian's softhsm package is not multiarch yet. Missing softhsm libraries # for the target will cause the test suite to fail when p11-kit is enabled. - dash ../configure --build=$build --host=$host --disable-gcc-warnings --cache-file ../cache/config.cache --disable-doc --disable-guile --without-p11-kit --disable-full-test-suite - make -j$(nproc) - make check -j$(nproc) - cd .. tags: - shared - docker except: - tags artifacts: expire_in: 1 week when: on_failure paths: - build/guile/tests/*.log - build/*.log - build/tests/*.log - build/tests/*/*.log - build/tests/suite/*/*.log retry: 1 Debian.cross.arm-linux-gnueabihf: <<: *Debian_cross_template Debian.cross.mips-linux-gnu: <<: *Debian_cross_template Debian.cross.aarch64-linux-gnu: <<: *Debian_cross_template