# Container image every job runs in.
# NOTE(review): `latest` is a mutable tag, so the image contents can change
# between pipeline runs without any change to this file. Since this image
# handles the signing and deploy keys, pinning a fixed version tag or an image
# digest would make the build environment reproducible and auditable.
image: chakralinux/makepkg:latest

variables:
  # CI_PROJECT_DIR is GitLab's predefined path of the checked-out project;
  # REPODIR is presumably what the .build-bin scripts read — confirm there.
  REPODIR: "$CI_PROJECT_DIR"

# Pipeline order: build the packages, sign them, then (manually) deploy.
stages:
  - package
  - sign
  - deploy


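before_script:
  # NOTE(review): this global before_script runs in every job (package, sign
  # and deploy), so both the SSH and the GPG private key are loaded in all of
  # them — including the package job, which runs the build script as 'builder'
  # with `sudo -E` (environment preserved). Consider moving the SSH setup into
  # deploy_repo and the GPG setup into sign_pkgs so that each job only holds
  # the secret it needs.

  # The repository build script is run by user 'builder'. The build script
  # needs to install dependencies using pacman. This requires root permissions.
  # (Note: the build script itself can't be run as root, as makepkg would
  # complain)
  # NOTE(review): passwordless pacman lets 'builder' install arbitrary packages
  # (including their install scriptlets) as root, so this rule is effectively
  # root-equivalent inside the container.
  - useradd -m -G users -s /bin/bash builder
  - "echo 'builder ALL=(ALL) NOPASSWD: /usr/bin/pacman' >> /etc/sudoers"
  #- echo -en "builder ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/10-builder

  # SSH setup
  # Run ssh-agent (inside the build environment)
  - eval $(ssh-agent -s)

  # Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
  - ssh-add <(echo "$SSH_PRIVATE_KEY")

  # For Docker builds disable host key checking. Be aware that by adding that
  # you are susceptible to man-in-the-middle attacks.
  # WARNING: Use this only with the Docker executor, if you use it with shell
  # you will overwrite your user's SSH config.
  #- mkdir -p ~/.ssh
  #- '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
  # Preferred alternative (active below): verify the server's host key against
  # the entries stored in the SSH_SERVER_HOSTKEYS variable.
  - mkdir -p ~/.ssh
  - '[[ -f /.dockerenv ]] && echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts'
  # Create the key file under a restrictive umask so it is never readable by
  # other users, not even between its creation and the chmod below.
  # NOTE(review): the key is already in the agent; if the deploy script can use
  # the agent, this on-disk copy could be dropped — confirm.
  - (umask 077 && echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa)
  - chmod 600 ~/.ssh/id_rsa && chmod 700 ~/.ssh

  # GPG setup
  # Import the signing key, then allow loopback pinentry so that the sign job
  # can feed the passphrase to gpg non-interactively.
  - gpg -v --batch --import <(echo "$GPG_PRIVATE_KEY")
  - echo "allow-loopback-pinentry" > ~/.gnupg/gpg-agent.conf
  - gpg-connect-agent reloadagent /bye

  # setup basic environment settings, as root
  - .build-bin/prepare.sh
  # import pgp keys flagged as valid
  - sudo -u builder -E -H .build-bin/import-validpgpkeys.sh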

# Package stage: builds the packages as the unprivileged 'builder' user and
# publishes the resulting *.pkg.tar.xz files as job artifacts.
build_repo:
  stage: package
  script:
    # the build script can't be run as root, as makepkg would complain...
    # NOTE(review): `-E` keeps the job's environment, so any CI variables
    # exported to this job (the file references SSH_PRIVATE_KEY,
    # GPG_PRIVATE_KEY and GPG_PASSWORD) are visible to the build script and to
    # whatever it executes. Consider passing only the variables the build needs.
    - sudo -u builder -E -H .build-bin/build.sh

  artifacts:
    # expire artifacts per default - the gitlab web frontend can be used to keep
    # artifacts of interest for an unlimited time
    expire_in: 1 week
    paths:
      - ./*.pkg.tar.xz
    # NOTE(review): CI_BUILD_NAME is the legacy name of CI_JOB_NAME; check that
    # the GitLab version in use still defines it.
    name: "$CI_BUILD_NAME"
  cache:
    paths:
      # NOTE(review): GitLab documents cache paths as relative to the project
      # directory; verify that this absolute path outside it is really cached.
      - /var/cache/pacman/pkg
  # Runs only on runners tagged PKGBUILD.
  tags:
    - PKGBUILD

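# Sign stage: creates a detached GPG signature (.sig) for every built package
# and publishes the signatures as job artifacts.
sign_pkgs:
  stage: sign
  script:
    # Select files by exact suffix (`-name '*.pkg.tar.xz'`) instead of an
    # unanchored grep, so existing *.pkg.tar.xz.sig files and look-alike names
    # are not signed. NUL-delimited names plus a quoted "$pkg" keep paths with
    # whitespace or glob characters intact. The passphrase is fed to gpg on
    # stdin (--passphrase-fd 0) rather than on the command line. A failed
    # signature aborts the job instead of leaving an unsigned package behind.
    - |
      find . -type f -name '*.pkg.tar.xz' -print0 |
        while IFS= read -r -d '' pkg; do
          echo "signing $pkg"
          echo "$GPG_PASSWORD" |
            gpg -sb --pinentry-mode loopback --passphrase-fd 0 "$pkg" || exit 1
        done
  artifacts:
    # expire artifacts per default - the gitlab web frontend can be used to keep
    # artifacts of interest for an unlimited time
    expire_in: 1 week
    paths:
      - ./*.pkg.tar.xz.sig
    name: "$CI_BUILD_NAME"
  # Runs only on runners tagged signature.
  tags:
    - signature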

# Deploy stage: runs the deploy script against the staging-repo environment.
# The job is manual, so it only starts when someone triggers it.
deploy_repo:
  stage: deploy
  variables:
    # Each entry refers to a variable of the same name, so these look like a
    # list of the settings the deploy script expects rather than new values.
    # NOTE(review): presumably the real values come from project/group CI
    # settings — confirm, and keep them protected there.
    DEPLOY_SERVER: "$DEPLOY_SERVER"
    SSH_USER: "$SSH_USER"
    SSH_PORT: "$SSH_PORT"
  environment: staging-repo
  script:
     # Script content is not visible here; presumably it uses the SSH key and
     # known_hosts prepared in before_script — verify it keeps host key checking.
     - .build-bin/deploy.sh
  when: manual
  # Runs only on runners tagged rsync.
  tags:
    - rsync