Commit 69f43fd5 authored by ng's avatar ng

Merge branch '324-ci-debian-build-package' into 'master'

CI: Introduce jobs to build Debian package and run lintian on the result

Closes #324

See merge request !202
parents feddb3b1 7ad5f4da
......@@ -2,6 +2,8 @@
- static
- test
- debian:build
- debian:qa
- docker
......@@ -27,16 +29,23 @@ cache:
# To keep things DRY, use an env var to handle packages to be installed via APT
- apt-get install -qq -y $APT_INSTALL_PACKAGES
.setup_entropy: &setup_entropy
# Link /dev/random to /dev/urandom do deal with limited entropy, which otherwise blocks the test suite.
- rm /dev/random && ln -s /dev/urandom /dev/random
.setup_prerequisites: &setup_prerequisites
<<: [*setup_apt,*setup_entropy]
.test_ruby: &test_ruby
APT_INSTALL_PACKAGES: gnupg2 libgpgme11-dev libsqlite3-dev eatmydata
# Use quotes so the following does get recognized as a string, not as a bool
<<: *setup_apt
<<: *setup_prerequisites
- eatmydata gem install bundler --no-ri --no-rdoc
- eatmydata bundle install --jobs $(nproc) --path vendor
- rm /dev/random && ln -s /dev/urandom /dev/random
- SCHLEUDER_ENV=test SCHLEUDER_CONFIG=spec/schleuder.yml eatmydata bundle exec rake db:init
- eatmydata bundle exec rspec
......@@ -44,7 +53,7 @@ changelog:
image: debian:unstable
APT_INSTALL_PACKAGES: ca-certificates git
<<: *setup_apt
<<: *setup_prerequisites
# Ensure we work with the latest master
- git fetch origin master:master
......@@ -65,7 +74,7 @@ codespell:
image: debian:unstable
<<: *setup_apt
<<: *setup_prerequisites
# Run codespell to check for spelling errors, using a config with ignored words, skipping files
# (German translations, v2 list configs and code of installed dependencies) leading to false positives,
......@@ -119,3 +128,67 @@ build_docker_image:
- unset HISTFILE
- echo $CI_JOB_TOKEN | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
- docker push $IMAGE_TAG
stage: debian:build
APT_INSTALL_PACKAGES: build-essential ca-certificates dpkg-dev fakeroot git git-buildpackage
<<: *setup_prerequisites
# Ensure we work with the latest state pushed to the git repository.
- git fetch --all --quiet
# Setting the git user email is needed, otherwise, merging fails.
- git config
# We're keeping the current Debian packaging state in a separate branch. Therefore, we need to pull in this.
- git merge --allow-unrelated-histories --no-edit --quiet origin/debian/unstable
# TODO: Find a way to integrate this into the common "APT install" step above.
# The tricky part about this: This comes in quite late, it's not available any sooner. We're relying on GitLab CI
# variables to tell APT what needs to be installed. These variables are evaluated at the very beginning of the job.
- export APT_BUILD_DEPENDS=`perl -ne 'next if /^#/; $p=(s/^Build-Depends:\s*/ / or (/^ / and $p)); s/,|\n|\([^)]+\)//mg; print if $p' < debian/control`
- apt-get install -qq -y $APT_BUILD_DEPENDS
# Get the latest upstream version from the Debian changelog. This is needed to ensure the tarball we'll create
# is found by gbp, the tool we're using to build the Debian package.
- export UPSTREAM_VERSION=`dpkg-parsechangelog --show-field Version | cut -d- -f1`
# We're relying on .gitattribute to exclude files and directories if creating the upstream release tarball
# via git archive.
# While this makes sense normally, doing so here leads to dpkg-source (which is called from gbp) being unhappy,
# due to "local changes detected, the modified files are ..." as there are some files, which don't exist in the
# tarball, but which do exist in our current working directory. Therefore, create the tarball manually (which
# ignores the existing .gitattributes file), to ensure it contains all (without the .git/ directory) content of
# the current working directory.
# Besides this, we're caching APT packages within vendor/. Currently, GitLab CI is only able to cache stuff within
# the working directory. However, again in this case, this leads to the same error as described above. Therefore,
# move the vendor/ directory temporarily out of the way. We'll move it back after the build was done, further below.
- mv vendor/ /tmp
- tar --exclude='./.git' -czf /tmp/schleuder_$UPSTREAM_VERSION.orig.tar.gz .
# Normally, we're checking the signature of the upstream release, to ensure the code we're pulling into Debian
# wasn't tampered with along the way. However, as we're creating the tarball on our own, there is no signature.
# During the check for packaging errors later on via lintian this would lead to a warning. Therefore, create a
# "dummy" signature file.
- touch /tmp/schleuder_$UPSTREAM_VERSION.orig.tar.gz.asc
# Check if we're good to go regarding the installed packages.
- dpkg-checkbuilddeps
# TODO: Use sbuild to be closer to the common Debian package build environment. This needs chroot creation upfront,
# though. Creating the chroot needs a mounted /proc filesystem. This works if running a privileged container,
# however, in our case it fails due to "mount(2) system call failed: Too many levels of symbolic links".
# I'm not sure why is that, currently, or how to solve it.
- gbp buildpackage --git-ignore-branch --git-ignore-new --git-tarball-dir=/tmp --git-upstream-branch="$CI_COMMIT_REF_NAME" --git-upstream-tree=BRANCH -us -uc --lintian-opts --no-lintian
# Move the vendor/ directory back into the current working directory to ensure it gets cached.
- mv /tmp/vendor .
# Store and upload the artifacts to make them available for the subsequent jobs.
- mkdir results
- cp ../{*.buildinfo,*.changes,*.deb,*.dsc,*.xz} /tmp/schleuder_* results/
allow_failure: true
expire_in: 1 day
- results/
stage: debian:qa
<<: *setup_prerequisites
- lintian --allow-root --display-experimental --display-info --info --pedantic results/*.changes
allow_failure: true
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment