Skip to content
.gitlab-ci.yml 9.76 KiB
Newer Older
stages:
  - lint
  - check
  - test
  - build
  - publish

workflow:
  rules:
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH

variables:                         &default-vars
  GIT_STRATEGY:                    fetch
  GIT_DEPTH:                       100
  CARGO_INCREMENTAL:               0
  ARCH:                            "x86_64"
  CI_IMAGE:                        "paritytech/bridges-ci:production"
  RUST_BACKTRACE:                  full

default:
  cache:                           {}

.collect-artifacts:                &collect-artifacts
  artifacts:
    name:                          "${CI_JOB_NAME}_${CI_COMMIT_REF_NAME}"
    when:                          on_success
    expire_in:                     7 days
    paths:
      - artifacts/

.kubernetes-build:                 &kubernetes-build
  tags:
    - kubernetes-parity-build
  interruptible:                   true

.docker-env:                       &docker-env
  image:                           "${CI_IMAGE}"
  before_script:
    - rustup show
    - cargo --version
    - rustup +nightly show
    - cargo +nightly --version
    - sccache -s
  retry:
    max: 2
    when:
      - runner_system_failure
      - unknown_failure
      - api_failure
  interruptible:                   true
  tags:
    - linux-docker

.test-refs:                        &test-refs
  rules:
    # FIXME: This is the cause why pipelines wouldn't start. The problem might be in our custom
    # mirroring. This should be investigated further, but for now let's have the working
    # pipeline.
    # - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH
    #   changes:
    #     - '**.md'
    #     - diagrams/*
    #     - docs/*
    #   when:                        never
    - if: $CI_PIPELINE_SOURCE == "pipeline"
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_REF_NAME == "master"
    - if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/                         # PRs
    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/              # i.e. v1.0, v2.1rc1

.build-refs:                       &build-refs
  rules:
    # won't run on the CI image update pipeline
    - if: $CI_PIPELINE_SOURCE == "pipeline"
      when: never
    - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/              # i.e. v1.0, v2.1rc1
    # there are two types of nightly pipelines:
    # 1. this one is triggered by the schedule with $PIPELINE == "nightly", it's for releasing.
    # this job runs only on nightly pipeline with the mentioned variable, against `master` branch
    - if: $CI_PIPELINE_SOURCE == "schedule" && $PIPELINE == "nightly"

.nightly-test:                     &nightly-test
  rules:
    # 2. another is triggered by scripts repo $CI_PIPELINE_SOURCE == "pipeline" it's for the CI image
    #    update, it also runs all the nightly checks.
    - if: $CI_PIPELINE_SOURCE == "pipeline"

#### stage:                        lint

clippy-nightly:
  stage:                           lint
  <<:                              *docker-env
  <<:                              *test-refs
  script:
    - cargo +nightly clippy --all-targets

fmt:
  stage:                           lint
  <<:                              *docker-env
  <<:                              *test-refs
  script:
    - cargo fmt --all -- --check

spellcheck:
  stage:                           lint
  <<:                              *docker-env
  <<:                              *test-refs
  script:
    - cargo spellcheck check -vvvv --cfg=.config/spellcheck.toml --checkers hunspell -m 1

#### stage:                        check

check:
  stage:                           check
  <<:                              *docker-env
  <<:                              *test-refs
  script:                          &check-script
    - time cargo check --verbose --workspace
    # Check Rialto benchmarks runtime
    - time cargo check -p rialto-runtime --features runtime-benchmarks --verbose
    # Check Millau benchmarks runtime
    - time cargo check -p millau-runtime --features runtime-benchmarks --verbose

check-nightly:
  stage:                           check
  <<:                              *docker-env
  <<:                              *nightly-test
  script:
    - rustup default nightly
    - *check-script

#### stage:                        test

test:
  stage:                           test
  <<:                              *docker-env
  <<:                              *test-refs
  variables:
    RUSTFLAGS:                     "-D warnings"
  script:                          &test-script
    - time cargo test --verbose --workspace

test-nightly:
  stage:                           test
  <<:                              *docker-env
  <<:                              *nightly-test
  script:
    - rustup default nightly
    - *test-script

deny:
  stage:                           test
  <<:                              *docker-env
  <<:                              *nightly-test
  <<:                              *collect-artifacts
  script:
    - cargo deny check advisories --hide-inclusion-graph
    - cargo deny check bans sources --hide-inclusion-graph
  after_script:
    - mkdir -p ./artifacts
    - echo "___Complete logs can be found in the artifacts___"
    - cargo deny check advisories 2> advisories.log
    - cargo deny check bans sources 2> bans_sources.log
  # this job is allowed to fail, only licenses check is important
  allow_failure:                   true

deny-licenses:
  stage:                           test
  <<:                              *docker-env
  <<:                              *test-refs
  <<:                              *collect-artifacts
  script:
    - cargo deny check licenses --hide-inclusion-graph
  after_script:
    - mkdir -p ./artifacts
    - echo "___Complete logs can be found in the artifacts___"
    - cargo deny check licenses 2> licenses.log

#### stage:                        build

build:
  stage:                           build
  <<:                              *docker-env
  <<:                              *build-refs
  <<:                              *collect-artifacts
  # master
  script:                          &build-script
    - time cargo build --release --verbose --workspace
  after_script:
    # Prepare artifacts
    - mkdir -p ./artifacts
    - strip ./target/release/rialto-bridge-node
    - mv -v ./target/release/rialto-bridge-node ./artifacts/
    - strip ./target/release/millau-bridge-node
    - mv -v ./target/release/millau-bridge-node ./artifacts/
    - strip ./target/release/ethereum-poa-relay
    - mv -v ./target/release/ethereum-poa-relay ./artifacts/
    - strip ./target/release/substrate-relay
    - mv -v ./target/release/substrate-relay ./artifacts/
    - mv -v ./deployments/local-scripts/bridge-entrypoint.sh ./artifacts/
    - mv -v ./ci.Dockerfile ./artifacts/

build-nightly:
  stage:                           build
  <<:                              *docker-env
  <<:                              *collect-artifacts
  <<:                              *nightly-test
  script:
    - rustup default nightly
    - *build-script

#### stage:                        publish

.build-push-image:                 &build-push-image
  <<:                              *kubernetes-build
  image:                           quay.io/buildah/stable
  <<:                              *build-refs
  variables:                       &image-variables
    GIT_STRATEGY:                  none
    DOCKERFILE:                    ci.Dockerfile
    IMAGE_NAME:                    docker.io/paritytech/$CI_JOB_NAME
    VAULT_SERVER_URL:              "https://vault.parity-mgmt-vault.parity.io"
    VAULT_AUTH_PATH:               "gitlab-parity-io-jwt"
    VAULT_AUTH_ROLE:               "cicd_gitlab_parity_${CI_PROJECT_NAME}"
  needs:
    - job:                         build
      artifacts:                   true
  before_script:                   &check-versions
    - if [[ "${CI_COMMIT_TAG}" ]]; then
        VERSION=${CI_COMMIT_TAG};
      elif [[ "${CI_COMMIT_REF_NAME}" ]]; then
        VERSION=$(echo ${CI_COMMIT_REF_NAME} | sed -r 's#/+#-#g');
      fi
    - echo "Effective tags = ${VERSION} sha-${CI_COMMIT_SHORT_SHA} latest"
  secrets:
      DOCKER_HUB_USER:
        vault:                     cicd/gitlab/parity/DOCKER_HUB_USER@kv
      DOCKER_HUB_PASS:
        vault:                     cicd/gitlab/parity/DOCKER_HUB_PASS@kv
    - test "${DOCKER_HUB_USER}" -a "${DOCKER_HUB_PASS}" ||
        ( echo "no docker credentials provided"; exit 1 )
    - cd ./artifacts
    - buildah bud
        --format=docker
        --build-arg VCS_REF="${CI_COMMIT_SHORT_SHA}"
        --build-arg BUILD_DATE="$(date +%d-%m-%Y)"
        --build-arg PROJECT="${CI_JOB_NAME}"
        --build-arg VERSION="${VERSION}"
        --tag "${IMAGE_NAME}:${VERSION}"
        --tag "${IMAGE_NAME}:sha-${CI_COMMIT_SHORT_SHA}"
        --tag "${IMAGE_NAME}:latest"
        --file "${DOCKERFILE}" .
    # The job will success only on the protected branch
    - echo "${DOCKER_HUB_PASS}" |
        buildah login --username "${DOCKER_HUB_USER}" --password-stdin docker.io
    - buildah info
    - buildah push --format=v2s2 "${IMAGE_NAME}:${VERSION}"
    - buildah push --format=v2s2 "${IMAGE_NAME}:sha-${CI_COMMIT_SHORT_SHA}"
    - buildah push --format=v2s2 "${IMAGE_NAME}:latest"
  after_script:
    - env REGISTRY_AUTH_FILE= buildah logout --all

rialto-bridge-node:
  stage:                           publish
  <<:                              *build-push-image

millau-bridge-node:
  stage:                           publish
  <<:                              *build-push-image

ethereum-poa-relay:
  stage:                           publish
  <<:                              *build-push-image

substrate-relay:
  stage:                           publish
  <<:                              *build-push-image

# FIXME: publish binaries