stages: - lint - check - test - build - publish workflow: rules: - if: $CI_COMMIT_TAG - if: $CI_COMMIT_BRANCH variables: &default-vars GIT_STRATEGY: fetch GIT_DEPTH: 100 CARGO_INCREMENTAL: 0 ARCH: "x86_64" CI_IMAGE: "paritytech/bridges-ci:production" RUST_BACKTRACE: full default: cache: {} .collect-artifacts: &collect-artifacts artifacts: name: "${CI_JOB_NAME}_${CI_COMMIT_REF_NAME}" when: on_success expire_in: 7 days paths: - artifacts/ .kubernetes-build: &kubernetes-build tags: - kubernetes-parity-build interruptible: true .docker-env: &docker-env image: "${CI_IMAGE}" before_script: - rustup show - cargo --version - rustup +nightly show - cargo +nightly --version - sccache -s retry: max: 2 when: - runner_system_failure - unknown_failure - api_failure interruptible: true tags: - linux-docker .test-refs: &test-refs rules: # FIXME: This is the cause why pipelines wouldn't start. The problem might be in our custom # mirroring. This should be investigated further, but for now let's have the working # pipeline. # - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH # changes: # - '**.md' # - diagrams/* # - docs/* # when: never - if: $CI_PIPELINE_SOURCE == "pipeline" - if: $CI_PIPELINE_SOURCE == "web" - if: $CI_PIPELINE_SOURCE == "schedule" - if: $CI_COMMIT_REF_NAME == "master" - if: $CI_COMMIT_REF_NAME =~ /^[0-9]+$/ # PRs - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/ # i.e. v1.0, v2.1rc1 .build-refs: &build-refs rules: # won't run on the CI image update pipeline - if: $CI_PIPELINE_SOURCE == "pipeline" when: never - if: $CI_COMMIT_REF_NAME =~ /^v[0-9]+\.[0-9]+.*$/ # i.e. v1.0, v2.1rc1 # there are two types of nightly pipelines: # 1. this one is triggered by the schedule with $PIPELINE == "nightly", it's for releasing. # this job runs only on nightly pipeline with the mentioned variable, against `master` branch - if: $CI_PIPELINE_SOURCE == "schedule" && $PIPELINE == "nightly" .nightly-test: &nightly-test rules: # 2. another is triggered by scripts repo $CI_PIPELINE_SOURCE == "pipeline" it's for the CI image # update, it also runs all the nightly checks. - if: $CI_PIPELINE_SOURCE == "pipeline" #### stage: lint clippy-nightly: stage: lint <<: *docker-env <<: *test-refs variables: RUSTFLAGS: "-D warnings" script: - cargo +nightly clippy --all-targets # FIXME: remove when all the warns are fixed allow_failure: true fmt: stage: lint <<: *docker-env <<: *test-refs script: - cargo fmt --all -- --check spellcheck: stage: lint <<: *docker-env <<: *test-refs script: - cargo spellcheck check -vvvv --cfg=.config/spellcheck.toml --checkers hunspell -m 1 #### stage: check check: stage: check <<: *docker-env <<: *test-refs script: &check-script - time cargo check --verbose --workspace # Check Rialto benchmarks runtime - time cargo check -p rialto-runtime --features runtime-benchmarks --verbose # Check Millau benchmarks runtime - time cargo check -p millau-runtime --features runtime-benchmarks --verbose check-nightly: stage: check <<: *docker-env <<: *nightly-test script: - rustup default nightly - *check-script #### stage: test test: stage: test <<: *docker-env <<: *test-refs script: &test-script - time cargo test --verbose --workspace test-nightly: stage: test <<: *docker-env <<: *nightly-test script: - rustup default nightly - *test-script deny: stage: test <<: *docker-env <<: *nightly-test <<: *collect-artifacts script: - cargo deny check advisories --hide-inclusion-graph - cargo deny check bans sources --hide-inclusion-graph after_script: - mkdir -p ./artifacts - echo "___Complete logs can be found in the artifacts___" - cargo deny check advisories 2> advisories.log - cargo deny check bans sources 2> bans_sources.log # this job is allowed to fail, only licenses check is important allow_failure: true deny-licenses: stage: test <<: *docker-env <<: *test-refs <<: *collect-artifacts script: - cargo deny check licenses --hide-inclusion-graph after_script: - mkdir -p ./artifacts - echo "___Complete logs can be found in the artifacts___" - cargo deny check licenses 2> licenses.log #### stage: build build: stage: build <<: *docker-env <<: *build-refs <<: *collect-artifacts # master script: &build-script - time cargo build --release --verbose --workspace after_script: # Prepare artifacts - mkdir -p ./artifacts - strip ./target/release/rialto-bridge-node - mv -v ./target/release/rialto-bridge-node ./artifacts/ - strip ./target/release/millau-bridge-node - mv -v ./target/release/millau-bridge-node ./artifacts/ - strip ./target/release/ethereum-poa-relay - mv -v ./target/release/ethereum-poa-relay ./artifacts/ - strip ./target/release/substrate-relay - mv -v ./target/release/substrate-relay ./artifacts/ - mv -v ./deployments/local-scripts/bridge-entrypoint.sh ./artifacts/ - mv -v ./ci.Dockerfile ./artifacts/ build-nightly: stage: build <<: *docker-env <<: *collect-artifacts <<: *nightly-test script: - rustup default nightly - *build-script #### stage: publish .build-push-image: &build-push-image <<: *kubernetes-build image: quay.io/buildah/stable <<: *build-refs variables: &image-variables GIT_STRATEGY: none DOCKERFILE: ci.Dockerfile IMAGE_NAME: docker.io/paritytech/$CI_JOB_NAME VAULT_SERVER_URL: "https://vault.parity-mgmt-vault.parity.io" VAULT_AUTH_PATH: "gitlab-parity-io-jwt" VAULT_AUTH_ROLE: "cicd_gitlab_parity_${CI_PROJECT_NAME}" needs: - job: build artifacts: true before_script: &check-versions - if [[ "${CI_COMMIT_TAG}" ]]; then VERSION=${CI_COMMIT_TAG}; elif [[ "${CI_COMMIT_REF_NAME}" ]]; then VERSION=$(echo ${CI_COMMIT_REF_NAME} | sed -r 's#/+#-#g'); fi - echo "Effective tags = ${VERSION} sha-${CI_COMMIT_SHORT_SHA} latest" secrets: DOCKER_HUB_USER: vault: cicd/gitlab/parity/DOCKER_HUB_USER@kv DOCKER_HUB_PASS: vault: cicd/gitlab/parity/DOCKER_HUB_PASS@kv script: - test "$(<$DOCKER_HUB_USER)" -a "$(<$DOCKER_HUB_PASS)" || ( echo "no docker credentials provided"; exit 1 ) - cd ./artifacts - buildah bud --format=docker --build-arg VCS_REF="${CI_COMMIT_SHORT_SHA}" --build-arg BUILD_DATE="$(date +%d-%m-%Y)" --build-arg PROJECT="${CI_JOB_NAME}" --build-arg VERSION="${VERSION}" --tag "${IMAGE_NAME}:${VERSION}" --tag "${IMAGE_NAME}:sha-${CI_COMMIT_SHORT_SHA}" --tag "${IMAGE_NAME}:latest" --file "${DOCKERFILE}" . # The job will success only on the protected branch - echo "$(<$DOCKER_HUB_PASS)" | buildah login --username "$(<$DOCKER_HUB_USER)" --password-stdin docker.io - buildah info - buildah push --format=v2s2 "${IMAGE_NAME}:${VERSION}" - buildah push --format=v2s2 "${IMAGE_NAME}:sha-${CI_COMMIT_SHORT_SHA}" - buildah push --format=v2s2 "${IMAGE_NAME}:latest" after_script: - env REGISTRY_AUTH_FILE= buildah logout "$IMAGE_NAME" rialto-bridge-node: stage: publish <<: *build-push-image millau-bridge-node: stage: publish <<: *build-push-image ethereum-poa-relay: stage: publish <<: *build-push-image substrate-relay: stage: publish <<: *build-push-image # FIXME: publish binaries