Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>

Signed-off-by: Dylan Aïssi <dylan.aissi@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

The need for this split has been gone since
https://phabricator.apertis.org/T9905 was completed, and it's causing
problems now since it only supports port 22. Instead, we can merge the
options together and use the ssh:// syntax for both ostree-push
variants.

https://phabricator.apertis.org/T10209



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Pablo Vigo Mas authored 1 year ago and Ritesh Raj Sarraf committed 1 year ago

The SSH server on the Aurora system, operating on port 22, is consistently under probing attempts by attackers.
Enhancing security on the server can be achieved by transitioning to port 7711.
The pipeline is now configured to use the new SSH port of the Aurora server.

Signed-off-by: Pablo Vigo <pvigo@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Now that everyone ships a GitLab version modern enough to have
https://gitlab.com/gitlab-org/gitlab/-/issues/35438

 fixed we can rely on
variables to control the rules conditions matching on branch names.

This frees downstreams from having to patch the pipeline, as they can
now just override the variables in the CI settings.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Walter Lozano authored 1 year ago and Emanuele Aina committed 1 year ago

Update the test data used by CI to match the new artifact expiration.

Signed-off-by: Walter Lozano <walter.lozano@collabora.com>

Walter Lozano authored 1 year ago and Emanuele Aina committed 1 year ago

Currently ci-flatdeb-builder sets 3d as default artifact expiration,
requiring an important storage size. Having those artifacts for so
much time brings no value, since the outcome is published in an external
server and the latest artifacts are kept thanks to Gitlab's keep
 artifacts from most recent successful jobs setting.

To reduce the storage requirements, reduce artifact expiration to 1 day,
the same use in apertis-image-recipes.

Signed-off-by: Walter Lozano <walter.lozano@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

The server-side signature configuration was missing from the
non-containerized instance. This has been now installed under
`/srv/images/conf/`, so update the path passed to `ostree-receive`.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

To handle the incompatibility between the ostree-push 0.x and 1.x
protocols a separate server for the 1.x protocol was set up on
port 2222 and we started using it since the commit
f9e8b494 "Add support for ostree-push 1.0".

Multi-protocol compatibility has been introduced into our version of
ostree-push, so we can use the main port 22 for the 1.x protocol
as well.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

Because the one isntalled via pip introduced new version
incompatibilities.

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

When we set the variables to re-enable MR pipelines, the changes don't
actually take effect for a few moments, meaning that the pipeline
creation might fail when run immediately.

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Before, detection would just run inside the outer GitLab pipeline rules.
However, this was actually incorrect all along: generate_pipeline.py has
its own entirely separate logic to determine what Docker image to use
for running the build, which meant that the pipeline itself could end up
assuming a different ostree-push version than was actually being used.

Instead, this moves the detection logic exclusively into
generate_pipeline.py, and the outer pipeline only sets a regex used to
match the releases with legacy ostree-push.

https://phabricator.apertis.org/T9516



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

This adds a new configuration option, OSTREE_PUSH_IS_LEGACY_VERSION,
which, when enabled, skips the manual rebase steps and pushes to a
different port (where a compatible ostree-receive is available).

Additionally, it adds the UPLOAD_PORT option in order to support the
needed alternative ssh port. (This only works with the new ostree-push,
which uses a new URI syntax.)

https://phabricator.apertis.org/T8427



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

Before it required the version to be at the very end of the Git branch
name, which didn't match ci-package-builder's behavior. Now, it can be
at other places in the branch name, as long as it's surrounded by a word
boundary.

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

If the runners are in high demand, 2hr apparently isn't quite enough...

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Downstream distributions may not support ed25519 signatures in the
Flatpak version on the images server, so we need to be able to skip it.

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

No real reason to use the standard runners here, and it ends up slowing
things down a bit.

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

We always used 'kvm' before, but that's not guaranteed to be the one
needed, if any is needed at all.

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

As it turns out, the previous setup only worked on our instance because
GitLab seems to be rather lax about handling invalid credentials if
they're not actually needed to access the underlying repository.
Instead, follow after the pattern of ci-package-builder.

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

https://phabricator.apertis.org/T8425



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

These were used during testing for safety reasons, but they were never
changed afterwards.

https://phabricator.apertis.org/T8889



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Also use a raw string for the script to avoid all the double-escapes.

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

Bash likes to remove these, which meant the metadata that went inside
the new commit didn't actually match the file it was read from.

apertis-issues#170



Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

We don't need verbose script execution here, it was just a leftover from
before.

Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>