# Default container image for every job that does not set its own `image:`.
# NOTE(review): this is a mutable tag rather than a digest, so the toolchain
# that builds the site can change between runs without any change to this
# file; pinning by digest would make the build input reviewable.
image: ruby:2.3-jessie

# Stage order: jobs in `deploy` run before jobs in `production`.
stages:
  - deploy
  - production

variables:
  # Directory handed to `jekyll build -d` and to the tools/ scripts by the
  # f-droid.org job.
  OUT_DIR: build


# Shared preparation script for each kind of build (f-droid.org, GitLab
# Pages, feature branches).  The value is a literal block scalar, so a job
# that lists `*setup_for_jekyll` under `script:` runs all of these commands
# as a single script entry: trace on, stop on first error, install the build
# tools, set a UTF-8 locale, convert translations and install the gems.
#
# NOTE(review): the apt packages and the gems are fetched at job time and no
# version pins are visible in this file.  If a Gemfile.lock is committed,
# `bundle install --frozen` would stop bundler from silently rewriting it;
# confirm before changing.
.setup_for_jekyll: &setup_for_jekyll |
  set -x
  set -e
  ruby -v
  apt-get update
  apt-get install -y \
    locales zlib1g-dev gettext po4a linkchecker bundler unzip python3 rsync \
    python3-babel
  echo "en_US UTF-8" > /etc/locale.gen
  locale-gen en_US.UTF-8
  export LANG=en_US.UTF-8
  export LANGUAGE=en_US:en
  export LC_ALL=en_US.UTF-8
  ./tools/i18n.sh po2md
  bundle install --path vendor


#
# This is a manual task for building in preparation to deploy to
# https://f-droid.org. The intention is for it to be run locally using
# `gitlab-runner` each time a tag is found that is signed by a key in
# the whitelist keyring.  Invoke like so:
#
#  gitlab-runner exec docker f-droid.org --pre-build-script ./prepare-for-deploy.py \
#    --docker-volumes "/root/deploy-whitelist-keyring.gpg:/root/.gnupg/pubring.gpg:ro" \
#    --docker-volumes `pwd`/_site:/builds/output
#
# And when it is finished, you should have a directory in _site/build/
# which includes the entire static site ready to be deployed to
# https://f-droid.org.
#
# NOTE(review): no step in this job's `script:` checks a tag signature.  That
# check presumably lives in ./prepare-for-deploy.py, so a run that leaves out
# `--pre-build-script` or the read-only keyring mount would build sources
# that nobody verified; confirm against that script.
#
f-droid.org:
  stage: production
  only:
    - tags@fdroid/fdroidserver
    - master@fdroid/fdroidserver
  when: manual
  cache:
    paths:
      - vendor/ruby

  script:
    # Abort unless the output volume from the invocation above is mounted.
    - '[ ! -d /builds/output ] && echo "ERROR: /builds/output is not mounted inside docker!" && exit 1'
    - *setup_for_jekyll
    # The production site is served from the domain root: empty baseurl.
    - 'echo "url: https://f-droid.org" > userconfig.yml'
    - 'echo "baseurl: \"\"" >> userconfig.yml'
    - echo "Additional Jekyll config used for CI:" && cat userconfig.yml
    - bundle exec jekyll build -d $OUT_DIR --config _config.yml,userconfig.yml --trace
    - ./tools/prepare-multi-lang.sh $OUT_DIR
    - ./tools/deploy-external-assets.sh $OUT_DIR
    # --delete drops files from the destination copy that the new build no
    # longer contains.
    - rsync -ax --delete $OUT_DIR /builds/output/

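# Builds the site into `public` for GitLab Pages and runs the format-string,
# page-link, translation and link checks against that build.  `public` is
# kept as the job artifact for one week.
pages:
  stage: deploy
  cache:
    paths:
      - vendor/ruby
  artifacts:
    paths:
      - public
    expire_in: 1w
  script:
    - *setup_for_jekyll
    # use the 'gitlab ci' subset of languages
    - sed -i 's,^languages:,ignored_languages:,' _config.yml
    - sed -i 's,^gitlab_ci_languages:,languages:,' _config.yml
    - ./tools/check-format-strings.py
    - ./tools/check-page-links.py
    - ./tools/i18n.sh md2po
    - git checkout po/*.pot  # ignore the newly generated timestamp
    # Informational only: lists the po/ files that md2po changed.
    - git --no-pager diff --ignore-all-space --name-only po/
    # This is where GitLab pages will deploy to by default (e.g. "https://fdroid.gitlab.io/fdroid-website")
    # so we need to make sure that the Jekyll configuration understands this.
    - 'echo url: https://$CI_PROJECT_NAMESPACE.gitlab.io > userconfig.yml'
    - 'echo baseurl: /$CI_PROJECT_NAME >> userconfig.yml'
    - echo "Additional Jekyll config used for CI:" && cat userconfig.yml
    - bundle exec jekyll build -d public --config _config.yml,userconfig.yml --trace
    - ./tools/prepare-multi-lang.sh public --no-type-maps
    # Serve the build under /$CI_PROJECT_NAME, matching the baseurl written
    # above, so linkchecker sees the same paths as the deployed site.
    - mkdir linkchecker/
    - ln -s ../public linkchecker/$CI_PROJECT_NAME
    # Redirect stdout to /dev/null first, then point stderr at it.  The form
    # `2>&1 /dev/null` hands /dev/null to the server as an extra argument and
    # silences nothing.
    - ruby -run -e httpd linkchecker/ -p 4000 > /dev/null 2>&1 &
    - >-
      linkchecker http://localhost:4000/$CI_PROJECT_NAME --config=.linkcheckerrc
      --ignore-url ".*/packages/[b-z].*" --ignore-url "/F-Droid\.apk(\.asc)?$"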



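# Download and verify that the FDroid.apk is signed by the right PGP
# key.  The only time that F-Droid's signed metadata does not verify
# the APK is the initial download and install of F-Droid itself.  An
# attacker could replace the FDroid.apk and PGP signature on the
# website. The gpg key model is to trust only the key that is included
# in this script, so there is a test to check that it is starting with
# an empty keyring.
#
# How the pieces fit together:
#  - the keyring must be empty, because `gpg --verify` with
#    `--trust-model always` accepts a good signature from any key it holds;
#  - the key is fetched from a keyserver and only then compared with the
#    pinned 40-hex-digit fingerprint, so the fetch itself is not trusted;
#  - `sha256sum` only logs the hash for the record, nothing compares it;
#  - on failure the downloaded files are kept as artifacts for inspection.
#
# NOTE(review): curl runs without `--fail`, so an HTTP error page would be
# saved as the file; the job still fails closed because verification of that
# file fails.  The keyserver retry loop has no bound of its own and relies
# on the job timeout.

check_fdroid_apk:
  stage: deploy
  only:
    - schedules
    - master@fdroid/fdroidserver
  image: alpine:3.5
  variables:
    apk: F-Droid.apk
    asc: F-Droid.apk.asc
    curl: "curl --silent --user-agent F-Droid --retry 20"
    fingerprint: 37D2C98789D8311948394E3E41E7044E1DBA2E89
  artifacts:
    name: "$apk-failed-${CI_JOB_ID}"
    paths:
      - $apk
      - $asc
    expire_in: 180 days
    when: on_failure
  script:
    - apk add --no-cache gnupg curl
    # Empty-keyring guard.  A pipeline prefixed with `!` is exempt from
    # errexit (`set -e`) in POSIX shells, so the negated form
    # `! (gpg --list-keys | grep pub)` would not stop the job if the runner
    # relies on errexit.  The explicit `exit 1` stops it either way.
    - 'if gpg --list-keys | grep pub; then echo "ERROR: gpg keyring is not empty" >&2; exit 1; fi'
    - while ! gpg --keyserver pgp.mit.edu --recv-key $fingerprint; do sleep 10; done
    # Fails the job unless the imported key carries the pinned fingerprint.
    - gpg --list-key --fingerprint | tr -d '[:space:]' | grep $fingerprint
    - echo "${fingerprint}:6:" | gpg --import-ownertrust
    - $curl https://f-droid.org/$apk > $apk
    - $curl https://f-droid.org/$asc > $asc
    - sha256sum $apk
    - gpg --batch --trust-model always --verify $asc $apk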

# Checks that the committed po/ files are in sync with the Markdown sources.
# It normalises the .po files with msgmerge, records them in a throwaway
# local commit, regenerates them with `./tools/i18n.sh md2po`, normalises
# again, and fails if the diff touches any line starting with `msg`.
# The job is advisory: `allow_failure: true`.
i18n_sync:
  stage: deploy
  image: debian:jessie-slim
  allow_failure: true
  script:
    - apt update -y
    - apt-get install -y --no-install-recommends bash gettext git grep po4a sed
    # First pass: bring the committed files into canonical msgmerge form.
    - for f in po/_posts.*.po; do msgmerge --no-wrap --sort-by-file  --add-location=file --update $f po/_posts.pot; done
    - for f in po/_docs.*.po; do msgmerge --no-wrap --sort-by-file  --add-location=file --update $f po/_docs.pot; done
    - git checkout po/*.pot  # ignore the newly generated timestamp
    - git add po/*.po
    # Placeholder identity: this commit exists only as the baseline for the
    # diff at the end of the job.
    - git config user.email "you@example.com"
    - git config user.name "DO NOT MERGE"
    - git commit po/*.po po/*.pot -m "DO NOT MERGE sort before test"
    # Second pass: regenerate from the sources and normalise the same way.
    - ./tools/i18n.sh md2po
    - for f in po/_posts.*.po; do msgmerge --no-wrap --sort-by-file  --add-location=file --update $f po/_posts.pot; done
    - for f in po/_docs.*.po; do msgmerge --no-wrap --sort-by-file  --add-location=file --update $f po/_docs.pot; done
    - git checkout po/*.pot  # ignore the newly generated timestamp
    - >-
      git --no-pager diff --exit-code --ignore-all-space -G'^msg' po/
      || (echo 'This test failed because the localization files were not synced.  To do that, run `./tools/i18n.sh md2po` then commit the changes in po/ and include them in this merge request.'; exit 1)