diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bbc2422d803e95553ed5bf8849dfd778cc14dffe..877458d80661cc3116721e5260c79d4c3749970e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -47,282 +47,12 @@ stages: - release include: - - local: ci/unit-tests.yaml - - local: ci/build-image.yaml - - local: ci/hotfix-prepare.yaml - - local: ci/cluster-tests.yaml - - local: ci/diagnostic-tools.yaml - - local: ci/release.yaml - - -# always lint on merge trains -.default_lint_rules: - rules: - - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train" - when: on_success - -tflint: - image: - name: "ghcr.io/terraform-linters/tflint:v0.58.1" - entrypoint: ["/bin/sh", "-c"] - stage: lint - script: - - tflint --chdir=terraform/ - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - changes: - - 'terraform/**/*' - if: $SKIP_LINT != "true" - when: on_success - - when: never - -shellcheck: - image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/koalaman/shellcheck-alpine:v0.11.0" - stage: lint - script: - - "find -iname '*.sh' '!' -ipath './.git/**' -print0 | xargs -0 -- shellcheck -Calways" - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - changes: - - '**/*.sh' - if: $SKIP_LINT != "true" - when: on_success - - when: never - -yamllint: - stage: lint - tags: - - docker - image: registry.gitlab.com/pipeline-components/yamllint:latest - script: - - yamllint . 
- rules: - - !reference [.default_lint_rules, rules] - - changes: - - '**/*.{yaml,yml}' - if: $SKIP_LINT != "true" - when: on_success - - when: never - -detect-vault-image: - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - stage: lint - script: - - bash ./actions/detect-vault-image.sh - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - when: on_success - if: $SKIP_LINT != "true" - -ansible-lint: - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - stage: lint - script: - - "ansible-galaxy install -r ansible/requirements.yaml" - - "ANSIBLE_ROLES_PATH=./k8s-core/ansible/roles:./k8s-supplements/ansible/roles:./k8s-supplements/ansible/test-roles ansible-lint -c ci/lint/ansible-lint-conf --offline" - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - when: on_success - if: $SKIP_LINT != "true" - -flake8: - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - script: - - 'python3 -m flake8' - stage: lint - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - changes: - - '**/*.py' - if: $SKIP_LINT != "true" - when: on_success - - when: never - -render-options: - stage: housekeeping - needs: - - job: build_image # otherwise it would be run at the same time as build_image (and then fail) if the optional job was skipped - optional: true - - job: release-note-file-check - optional: true - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - before_script: - - git config --global user.email "$GITLAB_USER_EMAIL" - - git config --global user.name "$GITLAB_USER_NAME" - script: - - bash ./ci/housekeeping/render-options.sh - artifacts: - paths: - - public/ - rules: - - !reference [.default_lint_rules, rules] - - changes: - - nix/yk8s/**/* - if: $SKIP_HOUSEKEEPING != "true" - when: on_success - - when: never - -pre-commit-hooks: - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - script: - - 'SKIP=shellcheck,yamllint,flake8,check-flake pre-commit run 
--all-files || true' - - git --no-pager diff - - git restore . - - 'SKIP=shellcheck,yamllint,flake8,check-flake pre-commit run --all-files' - stage: lint - tags: - - docker - rules: - - !reference [.default_lint_rules, rules] - - when: on_success - if: $SKIP_LINT != "true" - -build-docs-check: - stage: lint - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - script: - - towncrier build --version x.x.x --keep - - sphinx-build -W docs _build/html - - mv _build/html public - artifacts: - expose_as: "Rendered Docs" - expire_in: "7 days" - paths: - - public/ - rules: - # run only on MR when changes were made - - if: '($CI_MERGE_REQUEST_EVENT_TYPE == "detached" || $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result") && ($SKIP_LINT != "true")' - changes: - - 'docs/**/*' - - 'docs/*' # the above does not include files directly in docs/ - - 'CHANGELOG.rst' - when: on_success - - when: never - tags: - - docker - -check-key-expiry: - stage: lint - image: "nixery.dev/shell/coreutils/findutils/gnupg/gnugrep/file" - script: - - ci/lint/check-key-expiry.sh - - rules: - - !reference [.default_lint_rules, rules] - # run only on MR when changes were made - - if: '($CI_MERGE_REQUEST_EVENT_TYPE == "detached" || $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result") && ($SKIP_LINT != "true")' - changes: - - '**/*.gpg' - when: on_success - # always run on devel branch - - if: $CI_COMMIT_REF_NAME == $YAOOK_K8S_DEFAULT_BRANCH - when: on_success - - when: never - tags: - - docker - -release-note-file-check: - stage: housekeeping - image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" - variables: - CONFIG_FILE: towncrier.toml - HOTFIX: "False" - SOURCE_BRANCH: origin/${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} - TARGET_BRANCH: origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME} - COMMIT_MESSAGE: MR-number for releasenote(s) changed - COMMIT_FILES: docs/_releasenotes - before_script: - - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}" - - | - if [ 
"${CI_MERGE_REQUEST_PROJECT_URL}" = "${CI_MERGE_REQUEST_SOURCE_PROJECT_URL}" ]; then - FORK=False - else - FORK=True - fi - - git config --global user.name "${GITLAB_USER_NAME}" - - git config --global user.email "${GITLAB_USER_EMAIL}" - script: - # we need to catch the exit-code from python as it otherwise will not be transmitted correctly - - exit_code=0 - - python3 ci/housekeeping/check-releasenote-file.py "${CI_PROJECT_DIR}" "${TARGET_BRANCH}" "${CONFIG_FILE}" "${CI_MERGE_REQUEST_IID}" "${COMMIT_FILES}" "${FORK}" "${HOTFIX}" || exit_code=$? - - echo $exit_code - - towncrier build --version x.x.x --config "${CONFIG_FILE}" --draft - - | - if [ "${exit_code}" != 0 ]; then - exit "${exit_code}" - fi - - | - if [ "${FORK}" = "False" ]; then - git fetch origin "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" - git checkout "${SOURCE_BRANCH}" - git status - CHANGES=$(git diff "${SOURCE_BRANCH}" --name-only -- "${COMMIT_FILES}" | wc -l) - if [ "${CHANGES}" -gt 0 ]; then - echo "committing" - git add ${COMMIT_FILES} - git commit --amend --no-edit - git push --force -o ci.skip "https://gitlab-ci-token:${PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}" HEAD:"${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" - fi - fi - tags: - - docker - retry: 1 - allow_failure: - exit_codes: 13 # if number in hotfix doesn't match MR-IID, exit with warning - rules: - # don't run when CHANGELOG.rst has been edited - - if: $SKIP_HOUSEKEEPING != "true" - changes: - - CHANGELOG.rst - when: never - # run only for MRs from hotfixing-branches .. - - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $REGEX_RELEASE_HOTFIX_BRANCH_PREFIX' - variables: - COMMIT_FILES: docs/_releasenotes/hotfix - HOTFIX: "True" - when: on_success - # .. 
and to devel - - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $YAOOK_K8S_DEFAULT_BRANCH - when: on_success - - when: never - -pages-dry-run: - stage: lint - image: !reference [.pages, image] - before_script: !reference [.pages, before_script] - script: - - !reference [.pages, script] - - mv _build/html private - tags: !reference [.pages, tags] - dependencies: !reference [.pages, dependencies] - artifacts: - expose_as: "Rendered Multiversion Docs" - expire_in: "7 days" - paths: - - private/ - rules: - - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train" - when: on_success - - changes: - - 'docs/**/*' - - 'docs/*' # the above does not include files directly in docs/ - - 'CHANGELOG.rst' - # sphinx-multiversion may be updated - - nix/dependencies.nix - - flake.lock - # sphinx-multiversion always uses this file from the current branch, so changes may break other versions - - docs/conf.py - if: $SKIP_LINT != "true" - when: on_success - - when: manual - allow_failure: true + - local: ci/stages/build-image.yaml + - local: ci/stages/housekeeping.yaml + - local: ci/stages/lint.yaml + - local: ci/stages/unit-tests.yaml + - local: ci/stages/hotfix-prepare.yaml + - local: ci/stages/cluster-tests.yaml + - local: ci/stages/diagnostic-tools.yaml + - local: ci/stages/tag-image.yaml + - local: ci/stages/release.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 239969d0d8770edecda982735225d6adda2c01c7..f86ce3c412ab897c2d587862ff80a0bd002a3c44 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -31,19 +31,19 @@ repos: - id: portable-shebangs name: make sure shebangs are portable types: [executable, text] - entry: ci/lint/portable-shebangs.sh + entry: ci/scripts/portable-shebangs.sh language: script stages: [pre-commit, pre-push, manual] - id: check-flake name: check flake files: .*\.nix$' - entry: ci/lint/check-flake.sh + entry: ci/scripts/check-flake.sh language: script stages: [pre-commit, pre-push, manual] - id: nix-fmt name: nix-fmt files: '.*\.nix$' - entry: ci/lint/format-flake.sh + entry: ci/scripts/format-flake.sh language: script stages: [pre-commit, pre-push, manual] - id: restricted-yml-filenames diff --git a/actions/detect-vault-image.sh b/actions/detect-vault-image.sh index f0faba18f1762f2b620540bae2f52ea7f37c27ad..ae0a4e69b40d33928b1b70df2e80cd85c8444ffa 100755 --- a/actions/detect-vault-image.sh +++ b/actions/detect-vault-image.sh @@ -4,6 +4,6 @@ # docker). We want to have the image version detection well-tested in CI # because it is easy to break accidentally. set -euo pipefail -gitlab_ci_file="$(dirname "$0")/../ci/cluster-tests.yaml" +gitlab_ci_file="$(dirname "$0")/../ci/stages/cluster-tests.yaml" # shellcheck disable=SC2016 exec grep -Po '(?<=\${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/)hashicorp/vault:\S+(?=")' "$gitlab_ci_file" diff --git a/ci/custom-play.yaml b/ci/custom-play.yaml deleted file mode 100644 index 1beff0b8cd88dd31a31393259aa37ec302f5c5f7..0000000000000000000000000000000000000000 --- a/ci/custom-play.yaml +++ /dev/null 
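Review bot: The `check-flake` hook's pattern reads `files: .*\.nix$'` in the context line just above the changed `entry:`, with a trailing quote and no opening one, while the `nix-fmt` hook below it uses `files: '.*\.nix$'`. If that is what the file contains rather than an artifact of this rendering, the quote becomes part of the regex after the `$` anchor, so the pattern cannot match any path and the flake check would silently never be selected by changed files. Since this commit already edits the hook, correcting it here to `files: '.*\.nix$'` would restore the check. The hook list continues outside the hunk.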
@@ -1,38 +0,0 @@ ---- -- name: Restart everything - hosts: orchestrator - gather_facts: false - vars_files: - - k8s-core-vars/retries.yaml - tasks: - - name: Restart (almost) everything (╯°□°)╯︵ ┻━┻ - run_once: true - block: - - name: Gather all namespaces - kubernetes.core.k8s_info: - kind: Namespace - register: gather_namespaces - - - name: Restart (almost) everything (╯°□°)╯︵ ┻━┻ # noqa no-changed-when - with_nested: - - "{{ gather_namespaces.resources }}" - - ["daemonset", "deployment", "statefulset"] - loop_control: - label: "Restart every {{ item[1] }} in namespace {{ item[0].metadata.name }}" - command: - argv: - - kubectl - - rollout - - restart - - "{{ item[1] }}" - - --namespace - - "{{ item[0].metadata.name }}" - register: rollout_restart - until: rollout_restart.rc == 0 - retries: "{{ error_retries }}" - delay: "{{ error_delay }}" - - - name: Pause, let things settle for 3m - pause: - minutes: 3 -... diff --git a/ci/lint/ansible-lint-conf b/ci/res/ansible-lint-conf similarity index 100% rename from ci/lint/ansible-lint-conf rename to ci/res/ansible-lint-conf diff --git a/ci/res/custom-play.yaml b/ci/res/custom-play.yaml index 4a477f9e0b35db14dd9b503fc979315330a1fc20..1beff0b8cd88dd31a31393259aa37ec302f5c5f7 100644 --- a/ci/res/custom-play.yaml +++ b/ci/res/custom-play.yaml 
@@ -1,10 +1,38 @@ -# Custom playbook for the CI -# to test the custom stage --- -- name: Verify custom stage +- name: Restart everything hosts: orchestrator + gather_facts: false + vars_files: + - k8s-core-vars/retries.yaml tasks: - - name: Verify custom stage - debug: - msg: "It works!" + - name: Restart (almost) everything (╯°□°)╯︵ ┻━┻ + run_once: true + block: + - name: Gather all namespaces + kubernetes.core.k8s_info: + kind: Namespace + register: gather_namespaces + + - name: Restart (almost) everything (╯°□°)╯︵ ┻━┻ # noqa no-changed-when + with_nested: + - "{{ gather_namespaces.resources }}" + - ["daemonset", "deployment", "statefulset"] + loop_control: + label: "Restart every {{ item[1] }} in namespace {{ item[0].metadata.name }}" + command: + argv: + - kubectl + - rollout + - restart + - "{{ item[1] }}" + - --namespace + - "{{ item[0].metadata.name }}" + register: rollout_restart + until: rollout_restart.rc == 0 + retries: "{{ error_retries }}" + delay: "{{ error_delay }}" + + - name: Pause, let things settle for 3m + pause: + minutes: 3 ... diff --git a/towncrier.toml b/ci/res/towncrier.toml similarity index 100% rename from towncrier.toml rename to ci/res/towncrier.toml diff --git a/ci/after_script_cleanup.sh b/ci/scripts/after_script_cleanup.sh similarity index 100% rename from ci/after_script_cleanup.sh rename to ci/scripts/after_script_cleanup.sh diff --git a/ci/lint/check-flake.sh b/ci/scripts/check-flake.sh similarity index 100% rename from ci/lint/check-flake.sh rename to ci/scripts/check-flake.sh diff --git a/ci/lint/check-key-expiry.sh b/ci/scripts/check-key-expiry.sh similarity index 100% rename from ci/lint/check-key-expiry.sh rename to ci/scripts/check-key-expiry.sh diff --git a/ci/housekeeping/check-releasenote-file.py b/ci/scripts/check-releasenote-file.py similarity index 100% rename from ci/housekeeping/check-releasenote-file.py rename to ci/scripts/check-releasenote-file.py 
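Review bot: The two header comment lines are dropped while the play changes from a `debug` message to a cluster-wide `kubectl rollout restart`, so nothing in `ci/res/custom-play.yaml` now says what the file is for or that running it is disruptive. The nested loop covers every namespace returned by `k8s_info` with no exclusion list, which presumably includes system namespaces, and then pauses for three minutes. I would add a header such as `# CI-only: restarts every daemonset, deployment and statefulset in all namespaces; not for production clusters` above the `---`. It is also worth confirming that the relative `vars_files` entry `k8s-core-vars/retries.yaml` still resolves from the new location, since `retries` and `delay` depend on it.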
diff --git a/ci/clean-up-os-project.py b/ci/scripts/clean-up-os-project.py similarity index 100% rename from ci/clean-up-os-project.py rename to ci/scripts/clean-up-os-project.py diff --git a/ci/create_renovate_release_note.sh b/ci/scripts/create_renovate_release_note.sh similarity index 100% rename from ci/create_renovate_release_note.sh rename to ci/scripts/create_renovate_release_note.sh diff --git a/ci/lint/format-flake.sh b/ci/scripts/format-flake.sh similarity index 100% rename from ci/lint/format-flake.sh rename to ci/scripts/format-flake.sh diff --git a/ci/housekeeping/lib.sh b/ci/scripts/lib.sh similarity index 100% rename from ci/housekeeping/lib.sh rename to ci/scripts/lib.sh diff --git a/ci/lint/portable-shebangs.sh b/ci/scripts/portable-shebangs.sh similarity index 100% rename from ci/lint/portable-shebangs.sh rename to ci/scripts/portable-shebangs.sh diff --git a/ci/housekeeping/render-options.sh b/ci/scripts/render-options.sh similarity index 78% rename from ci/housekeeping/render-options.sh rename to ci/scripts/render-options.sh index ed19d613b64f1af33ee4fb35e6de51adb619c30f..25698cb21301eadf935421ff4a29b2397191fb5c 100755 --- a/ci/housekeeping/render-options.sh +++ b/ci/scripts/render-options.sh @@ -1,12 +1,12 @@ #!/usr/bin/env bash set -euo pipefail -# shellcheck source=ci/housekeeping/lib.sh +# shellcheck source=ci/scripts/lib.sh . "$(dirname "$0")/lib.sh" run nix build --no-link .#referenceOptionsRST out="$(nix build --print-out-paths --no-link .#referenceOptionsRST)" DIFF_PATH=./docs/user/reference/options run rsync -rL --delete --chmod 664 "$out/" "${DIFF_PATH}" -COMMIT_MSG="Update rendered docs" +export COMMIT_MSG="Update rendered docs" push_if_changed diff --git a/ci/test.sh b/ci/scripts/test.sh similarity index 100% rename from ci/test.sh rename to ci/scripts/test.sh 
diff --git a/ci/build-image.yaml b/ci/stages/build-image.yaml similarity index 91% rename from ci/build-image.yaml rename to ci/stages/build-image.yaml index 42192eb56e11ad00327bdf3980bfc29220f9d5f1..4d793f277bef3072040cc15181345e65a84987aa 100644 --- a/ci/build-image.yaml +++ b/ci/stages/build-image.yaml @@ -32,18 +32,6 @@ build_image: reports: dotenv: image.env - -.deploy_image: - image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/nixos/nix:2.30.2" - stage: tag-image - before_script: - - | - cat > /etc/nix/nix.conf < ./version # create towncrier-config - - sed -e "s|directory.*releasenote.*|directory = \"${RELEASENOTE_PATH}\"|g" towncrier.toml > "${TOWNCRIER_CONFIG}" + - sed -e "s|directory.*releasenote.*|directory = \"${RELEASENOTE_PATH}\"|g" ci/res/towncrier.toml > "${TOWNCRIER_CONFIG}" # create changelog - towncrier build --version "v${VERSION}" --config "${TOWNCRIER_CONFIG}" --yes - rm "${TOWNCRIER_CONFIG}" diff --git a/ci/stages/housekeeping.yaml b/ci/stages/housekeeping.yaml new file mode 100644 index 0000000000000000000000000000000000000000..1218f688b723eff8a7b864eef436d3a389c13392 --- /dev/null +++ b/ci/stages/housekeeping.yaml 
@@ -0,0 +1,88 @@ +render-options: + stage: housekeeping + needs: + - job: build_image # otherwise it would be run at the same time as build_image (and then fail) if the optional job was skipped + optional: true + - job: release-note-file-check + optional: true + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + before_script: + - git config --global user.email "$GITLAB_USER_EMAIL" + - git config --global user.name "$GITLAB_USER_NAME" + script: + - bash ./ci/scripts/render-options.sh + artifacts: + paths: + - public/ + rules: + - !reference [.default_lint_rules, rules] + - changes: + - nix/yk8s/**/* + if: $SKIP_HOUSEKEEPING != "true" + when: on_success + - when: never + +release-note-file-check: + stage: housekeeping + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + variables: + CONFIG_FILE: ci/res/towncrier.toml + HOTFIX: "False" + SOURCE_BRANCH: origin/${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} + TARGET_BRANCH: origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME} + COMMIT_MESSAGE: MR-number for releasenote(s) changed + COMMIT_FILES: docs/_releasenotes + before_script: + - git fetch origin "${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}" + - | + if [ "${CI_MERGE_REQUEST_PROJECT_URL}" = "${CI_MERGE_REQUEST_SOURCE_PROJECT_URL}" ]; then + FORK=False + else + FORK=True + fi + - git config --global user.name "${GITLAB_USER_NAME}" + - git config --global user.email "${GITLAB_USER_EMAIL}" + script: + # we need to catch the exit-code from python as it otherwise will not be transmitted correctly + - exit_code=0 + - python3 ci/scripts/check-releasenote-file.py "${CI_PROJECT_DIR}" "${TARGET_BRANCH}" "${CONFIG_FILE}" "${CI_MERGE_REQUEST_IID}" "${COMMIT_FILES}" "${FORK}" "${HOTFIX}" || exit_code=$? 
+ - echo $exit_code + - towncrier build --version x.x.x --config "${CONFIG_FILE}" --draft + - | + if [ "${exit_code}" != 0 ]; then + exit "${exit_code}" + fi + - | + if [ "${FORK}" = "False" ]; then + git fetch origin "${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" + git checkout "${SOURCE_BRANCH}" + git status + CHANGES=$(git diff "${SOURCE_BRANCH}" --name-only -- "${COMMIT_FILES}" | wc -l) + if [ "${CHANGES}" -gt 0 ]; then + echo "committing" + git add ${COMMIT_FILES} + git commit --amend --no-edit + git push --force -o ci.skip "https://gitlab-ci-token:${PUSH_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}" HEAD:"${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" + fi + fi + tags: + - docker + retry: 1 + allow_failure: + exit_codes: 13 # if number in hotfix doesn't match MR-IID, exit with warning + rules: + # don't run when CHANGELOG.rst has been edited + - if: $SKIP_HOUSEKEEPING != "true" + changes: + - CHANGELOG.rst + when: never + # run only for MRs from hotfixing-branches .. + - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $REGEX_RELEASE_HOTFIX_BRANCH_PREFIX' + variables: + COMMIT_FILES: docs/_releasenotes/hotfix + HOTFIX: "True" + when: on_success + # .. and to devel + - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $YAOOK_K8S_DEFAULT_BRANCH + when: on_success + - when: never diff --git a/ci/stages/lint.yaml b/ci/stages/lint.yaml new file mode 100644 index 0000000000000000000000000000000000000000..d3a8029e06a61b2dca131cd4545788e2d4bfeb6d --- /dev/null +++ b/ci/stages/lint.yaml 
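Review bot: The push step of `release-note-file-check` puts `${PUSH_TOKEN}` into the remote URL and follows `git commit --amend` with a plain `--force`, in a job that has already run `ci/scripts/check-releasenote-file.py` and `towncrier` from the merge request's checkout. The `FORK` test guards only the push, so it is worth confirming that `PUSH_TOKEN` is masked, limited to repository write access and not exposed to pipelines for fork merge requests; those settings are not visible in this diff. A plain `--force` also discards anything the author pushed after the job's fetch, whereas `--force-with-lease="${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}:${SOURCE_BRANCH}"` would refuse in that case. `git add ${COMMIT_FILES}` should be quoted as `git add -- "${COMMIT_FILES}"`, matching the `git diff` line above it.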
@@ -0,0 +1,184 @@ +# always lint on merge trains +.default_lint_rules: + rules: + - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train" + when: on_success + +tflint: + image: + name: "ghcr.io/terraform-linters/tflint:v0.58.1" + entrypoint: ["/bin/sh", "-c"] + stage: lint + script: + - tflint --chdir=terraform/ + tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - changes: + - 'terraform/**/*' + if: $SKIP_LINT != "true" + when: on_success + - when: never + +shellcheck: + image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/koalaman/shellcheck-alpine:v0.11.0" + stage: lint + script: + - "find -iname '*.sh' '!' -ipath './.git/**' -print0 | xargs -0 -- shellcheck -Calways" + tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - changes: + - '**/*.sh' + if: $SKIP_LINT != "true" + when: on_success + - when: never + +yamllint: + stage: lint + tags: + - docker + image: registry.gitlab.com/pipeline-components/yamllint:latest + script: + - yamllint . + rules: + - !reference [.default_lint_rules, rules] + - changes: + - '**/*.{yaml,yml}' + if: $SKIP_LINT != "true" + when: on_success + - when: never + +detect-vault-image: + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + stage: lint + script: + - bash ./actions/detect-vault-image.sh + tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - when: on_success + if: $SKIP_LINT != "true" + +ansible-lint: + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + stage: lint + script: + - "ansible-galaxy install -r ansible/requirements.yaml" + - "ANSIBLE_ROLES_PATH=./k8s-core/ansible/roles:./k8s-supplements/ansible/roles:./k8s-supplements/ansible/test-roles ansible-lint -c ci/res/ansible-lint-conf --offline" + tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - when: on_success + if: $SKIP_LINT != "true" + +flake8: + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + script: + - 'python3 -m flake8' + stage: lint + 
tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - changes: + - '**/*.py' + if: $SKIP_LINT != "true" + when: on_success + - when: never + +pre-commit-hooks: + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + script: + - 'SKIP=shellcheck,yamllint,flake8,check-flake pre-commit run --all-files || true' + - git --no-pager diff + - git restore . + - 'SKIP=shellcheck,yamllint,flake8,check-flake pre-commit run --all-files' + stage: lint + tags: + - docker + rules: + - !reference [.default_lint_rules, rules] + - when: on_success + if: $SKIP_LINT != "true" + +build-docs-check: + stage: lint + image: "${YAOOK_K8S_CI_IMAGE_NAME}:${YAOOK_K8S_CI_IMAGE_TAG}" + variables: + CONFIG_FILE: ci/res/towncrier.toml + script: + - towncrier build --version x.x.x --config "${CONFIG_FILE}" --keep + - sphinx-build -W docs _build/html + - mv _build/html public + artifacts: + expose_as: "Rendered Docs" + expire_in: "7 days" + paths: + - public/ + rules: + # run only on MR when changes were made + - if: '($CI_MERGE_REQUEST_EVENT_TYPE == "detached" || $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result") && ($SKIP_LINT != "true")' + changes: + - 'docs/**/*' + - 'docs/*' # the above does not include files directly in docs/ + - 'CHANGELOG.rst' + when: on_success + - when: never + tags: + - docker + +check-key-expiry: + stage: lint + image: "nixery.dev/shell/coreutils/findutils/gnupg/gnugrep/file" + script: + - ci/scripts/check-key-expiry.sh + + rules: + - !reference [.default_lint_rules, rules] + # run only on MR when changes were made + - if: '($CI_MERGE_REQUEST_EVENT_TYPE == "detached" || $CI_MERGE_REQUEST_EVENT_TYPE == "merged_result") && ($SKIP_LINT != "true")' + changes: + - '**/*.gpg' + when: on_success + # always run on devel branch + - if: $CI_COMMIT_REF_NAME == $YAOOK_K8S_DEFAULT_BRANCH + when: on_success + - when: never + tags: + - docker + +pages-dry-run: + stage: lint + image: !reference [.pages, image] + before_script: !reference [.pages, 
before_script] + script: + - !reference [.pages, script] + - mv _build/html private + tags: !reference [.pages, tags] + dependencies: !reference [.pages, dependencies] + artifacts: + expose_as: "Rendered Multiversion Docs" + expire_in: "7 days" + paths: + - private/ + rules: + - if: $CI_MERGE_REQUEST_EVENT_TYPE == "merge_train" + when: on_success + - changes: + - 'docs/**/*' + - 'docs/*' # the above does not include files directly in docs/ + - 'CHANGELOG.rst' + # sphinx-multiversion may be updated + - nix/dependencies.nix + - flake.lock + # sphinx-multiversion always uses this file from the current branch, so changes may break other versions + - docs/conf.py + if: $SKIP_LINT != "true" + when: on_success + - when: manual + allow_failure: true diff --git a/ci/release.yaml b/ci/stages/release.yaml similarity index 100% rename from ci/release.yaml rename to ci/stages/release.yaml diff --git a/ci/stages/tag-image.yaml b/ci/stages/tag-image.yaml new file mode 100644 index 0000000000000000000000000000000000000000..82cc4970a0be8e56e53a0b9685d0cc115d96f731 --- /dev/null +++ b/ci/stages/tag-image.yaml @@ -0,0 +1,10 @@ +.deploy_image: + image: "${CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX}/nixos/nix:2.30.2" + stage: tag-image + before_script: + - | + cat > /etc/nix/nix.conf <
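Review bot: Two jobs in `ci/stages/lint.yaml` pull images by a floating reference: `yamllint` uses `registry.gitlab.com/pipeline-components/yamllint:latest` and `check-key-expiry` uses the untagged `nixery.dev/shell/coreutils/findutils/gnupg/gnugrep/file`, while `tflint` and `shellcheck` are pinned to `v0.58.1` and `v0.11.0`. A floating image means the lint gate, and the key-expiry check in particular, can change content or behaviour between runs without any commit in this repository. I would pin the yamllint image to a version tag or digest, for example `image: registry.gitlab.com/pipeline-components/yamllint:<pinned-tag>@sha256:<digest>`, and check whether the nixery reference can be fixed to a specific revision, so that image updates arrive as reviewable changes.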