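# This file is a template, and might need editing before it works on your project.
# see https://docs.gitlab.com/ee/ci/yaml/README.html for all available options
#
# Pipeline overview: tagged commits build Windows, Linux, macOS and ARM
# packages, sign them (Authenticode via signcode, detached GPG signatures),
# upload them to Google Storage, refresh the Debian repo and the AUR package,
# then publish a GitLab release and notify VirusTotal and Discord.
#
# Secrets this file reads from CI/CD variables or Secure Files: SIGN_PASS,
# GPG_PASS, GPG_TRUST, GCP_SERVICE_KEY, AUR_KEY, VT_API_KEY, DISCORD_WEBHOOK.
# NOTE(review): nothing here shows whether those variables are masked or
# protected, or whether v*/test_* tags are protected tags. Confirm both in the
# project settings, because every tag-triggered job below can read them.

variables:
  DEFAULT_IMAGE: registry.gitlab.com/gridtracker.org/gtbuilder:v1-6
  APT_CACHE_DIR: $CI_PROJECT_DIR/.cache/apt
  NPM_CONFIG_CACHE: $CI_PROJECT_DIR/.cache/npm
  #
  # We have code in here for releasing on both GS and S3, control it through variables
  # on GitLab, do not change it in this file.
  #
  GCLOUD_PROJECT_ID: "cent7-288417"
  GCLOUD_SERVICE_ACCOUNT: /dev/null
  GCLOUD_DEPLOY_PATH: gs://downloads.gridtracker.org/$CI_COMMIT_TAG
  NR0Q_SERVER_ADDRESS: ""
  NR0Q_SERVER_PASSWORD: ""

# nothing in this file will be allowed to run automatically except for:
#  1. merge requests
#  2. manual tagging
#  3. committing to the default branch
include:
  - template: "Workflows/MergeRequest-Pipelines.gitlab-ci.yml"
  - template: "Security/Dependency-Scanning.gitlab-ci.yml"
  - template: "Security/Secret-Detection.gitlab-ci.yml"
  - template: "Security/SAST.gitlab-ci.yml"

stages:
  - build
  - test
  - staging
  - package
  - pre-deploy
  - deploy
  - publish

default:
  image: ${DEFAULT_IMAGE}
  interruptible: true

# just do a quick syntax check job, we don't need to "build" anything here other than the
# outer dev environment for gridtracker
npm:test:
  stage: test
  # NOTE(review): node:latest is a floating tag, so the test toolchain can change
  # between runs without a commit. Pinning a major version or an image digest
  # keeps runs reproducible.
  image: node:latest
  script:
    - npm install
    - npm test

# test2:
#   stage: test
#   script:
#     - echo "Do another parallel test here"
#     - echo "For example run a lint test"

# package binaries and create build artifacts that may be used in later stages
win:package:
  stage: package
  rules:
    # only do this with a manual tag starting with v or test_
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|win_).*/'
  artifacts:
    paths:
      - artifacts/
    name: '$CI_COMMIT_REF_SLUG'
  cache:
    paths:
      - .cache/
      - node_modules/
    key:
      files:
        - package.json
        - package.nw/package.json
  # NOTE(review): this job holds the Authenticode signing key, yet it
  #  - downloads the NSIS plugin archives (Registry.zip, NsProcess.zip) without
  #    checking a known-good digest, and
  #  - pipes the download-secure-files installer from the moving `main` branch
  #    straight into bash.
  # Either download could change upstream and end up inside a signed installer.
  # Record a SHA-256 for each archive and verify it with `sha256sum -c`, and
  # fetch the installer from a reviewed commit or tag instead of `main`.
  before_script:
    - |
      mkdir -p $NPM_CONFIG_CACHE
      mkdir -p artifacts
      echo -e "\e[0Ksection_start:`date +%s`:apt_get[collapsed=true]\r\e[0KGetting Build Dependencies"
      apt-get update && apt-get upgrade -y
      apt-get install curl p7zip -y
      wget https://nsis.sourceforge.io/mediawiki/images/4/47/Registry.zip
      unzip -bj Registry.zip Desktop/Plugin/registry.dll -d /usr/share/nsis/Plugins/x86-unicode/
      unzip -bj Registry.zip Desktop/Include/Registry.nsh -d /usr/share/nsis/Include/
      wget https://nsis.sourceforge.io/mediawiki/images/1/18/NsProcess.zip
      7zr e NsProcess.zip -y -o/usr/share/nsis/Include/ Include/nsProcess.nsh
      7zr e NsProcess.zip -y -o/usr/share/nsis/Plugins/x86-unicode/ Plugin/nsProcessW.dll
      mv /usr/share/nsis/Plugins/x86-unicode/nsProcessW.dll /usr/share/nsis/Plugins/x86-unicode/nsProcess.dll
      curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
  # NOTE(review): both sed expressions below have an empty search pattern
  # (`s##...#g`) as the file is shown here. The placeholder tokens appear to have
  # been lost, so restore them from windows/win_installer.nsi before relying on
  # this job.
  script:
    - |
      # Making our Windows packages
      echo -e "\e[0Ksection_end:`date +%s`:apt_get\r\e[0K"
      test `node version.js` = `dpkg-parsechangelog -S version` || (echo "package.nw/package.json and debian/changelog version mismatch"; exit 1)
      echo -e "\e[0Ksection_start:`date +%s`:native_build\r\e[0KBuilding native packages"
      npm install --prefer-offline
      npm run dist-win
      for dir in dist/*-win-* ; do
        if [ -f $dir ] && [[ "$dir" == *"-Setup.exe" ]] ; then
          echo "deleting broken installer $dir"
          rm $dir
        fi
      done
      rm dist/*-win-*/locales/*.info
      # Now we need to sign the executable before it gets stuffed into Nullsoft
      # using mono signcode
      echo $SIGN_PASS | signcode -a sha256 -n GridTracker -i https://gridtracker.org -spc .secure_files/beau-gunderson.spc -v .secure_files/beau-gunderson.pvk dist/GridTracker-*-win-x86/GridTracker.exe
      rm dist/*win*/*.bak
      # Now the executable should be signed
      sed "s##`node version.js`#g" windows/win_installer.nsi > windows/setup.nsi.tmp.1
      sed "s##`pwd`#g" windows/setup.nsi.tmp.1 > windows/setup.nsi
      makensis windows/setup.nsi
      # clean up generated files
      rm windows/setup.nsi
      rm windows/setup.nsi.tmp.1
      echo $SIGN_PASS | signcode -a sha256 -n GridTracker -i https://gridtracker.org -spc .secure_files/beau-gunderson.spc -v .secure_files/beau-gunderson.pvk dist/GridTracker-Installer.*.exe
      (cd dist ; mv GridTracker-Installer.*.exe ../artifacts)
      echo -e "\e[0Ksection_end:`date +%s`:native_build\e[0K"

linux:package:
  stage: package
  rules:
    # only do this with a manual tag starting with v or test_
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|lin_).*/'
  artifacts:
    paths:
      - artifacts/
    name: '$CI_COMMIT_REF_SLUG'
  cache:
    paths:
      - .cache/
      - node_modules/
    key:
      files:
        - package.json
        - package.nw/package.json
  # NOTE(review): `--passphrase ${GPG_PASS}` puts the key passphrase on the gpg
  # command line, where it is visible in the process list and, if the variable
  # is not masked, in any traced job log. gpg's `--passphrase-fd` or
  # `--passphrase-file` keeps it off argv. The same pattern appears in
  # arm:package and update_deb_repo. The secure-files installer is also run
  # from the moving `main` branch here.
  before_script:
    - |
      mkdir -p $NPM_CONFIG_CACHE
      mkdir -p artifacts
      echo -e "\e[0Ksection_start:`date +%s`:apt_get[collapsed=true]\r\e[0KGetting Build Dependencies"
      apt-get update && apt-get upgrade -y
      apt-get install gnupg -y
      curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
      export GPG_TTY=$(tty)
      gpg --pinentry-mode loopback --passphrase ${GPG_PASS} --import .secure_files/debiankey.asc
      echo ${GPG_TRUST} | gpg --import-ownertrust
      echo 'use-agent' >> ~/.gnupg/gpg.conf
      echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
      echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf
      echo -e "\e[0Ksection_end:`date +%s`:apt_get\r\e[0K"
  script:
    - |
      # Making our distro agnostic Linux packages
      test `node version.js` = `dpkg-parsechangelog -S version` || (echo "package.nw/package.json and debian/changelog version mismatch"; exit 1)
      echo -e "\e[0Ksection_start:`date +%s`:native_build\r\e[0KBuilding native packages"
      npm install --prefer-offline
      npm run dist-nix
      chmod 755 dist/*-linux-*/GridTracker dist/*-linux-*/lib dist/*-linux-*/locales dist/*-linux-*/swiftshader/ dist/*-linux-*/chrome_crashpad_handler
      for dir in dist/*-linux-* ; do
        if [ -d $dir ] ; then
          cp package.nw/img/gridtracker.png $dir/
          rm $dir/locales/*.info
          tar -C dist -czf ${dir}.tar.gz `basename $dir`
        fi
      done
      (cd dist; mv *.tar.gz ../artifacts/)
      gpg --batch --no-tty --detach-sign --armor --passphrase ${GPG_PASS} artifacts/GridTracker*x86.tar.gz
      gpg --batch --no-tty --detach-sign --armor --passphrase ${GPG_PASS} artifacts/GridTracker*x64.tar.gz
      echo -e "\e[0Ksection_end:`date +%s`:native_build\e[0K"
      # This section does debian DEBs
      echo -e "\e[0Ksection_start:`date +%s`:debian_build\r\e[0KBuilding Debian packages"
      dpkg-buildpackage -b --no-sign
      mv ../*.{deb,buildinfo,changes} artifacts/
      echo -e "\e[0Ksection_end:`date +%s`:debian_build\r\e[0K"
      echo "we made LINUX packages!"
      ls -laR artifacts

mac:package:
  stage: package
  rules:
    # only do this with a manual tag starting with v or test_
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|mac_).*/'
  artifacts:
    paths:
      - artifacts/
    name: '$CI_COMMIT_REF_SLUG'
  cache:
    paths:
      - .cache/
      - node_modules/
    key:
      files:
        - package.json
        - package.nw/package.json
  before_script:
    - |
      mkdir -p $NPM_CONFIG_CACHE
      mkdir -p artifacts
      echo -e "\e[0Ksection_start:`date +%s`:apt_get[collapsed=true]\r\e[0KGetting Build Dependencies"
      apt-get update && apt-get upgrade -y
      echo -e "\e[0Ksection_end:`date +%s`:apt_get\r\e[0K"
  script:
    - |
      # Making our MacOS packages
      test `node version.js` = `dpkg-parsechangelog -S version` || (echo "package.nw/package.json and debian/changelog version mismatch"; exit 1)
      echo -e "\e[0Ksection_start:`date +%s`:native_build\r\e[0KBuilding native packages"
      npm install --prefer-offline
      npm run dist-mac
      (cd dist; mv *.zip ../artifacts/)
      echo -e "\e[0Ksection_end:`date +%s`:native_build\e[0K"
      echo "we made MAC packages!"
      ls -laR artifacts

arm:package:
  stage: package
  variables:
    NWJS_VERSION: "v0.54.2"
    NWJS32_BUILD: "nw54_2021-07-09"
    NWJS64_BUILD: "nw54-arm64_2021-07-10"
  rules:
    # only do this with a manual tag starting with v or test_
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|lin_).*/'
  artifacts:
    paths:
      - artifacts/
    name: '$CI_COMMIT_REF_SLUG'
  cache:
    paths:
      - .cache/
      - node_modules/
    key:
      files:
        - package.json
        - package.nw/package.json
  # NOTE(review): the NW.js ARM runtimes come from a third-party GitHub release
  # and are repackaged and GPG-signed without a digest check. The build names
  # are pinned, but release assets can be replaced upstream, so record a SHA-256
  # per tarball and verify it after each wget. The GPG passphrase is passed on
  # the command line here as well.
  before_script:
    - |
      mkdir -p $NPM_CONFIG_CACHE
      mkdir -p artifacts
      #dpkg --add-architecture armhf
      echo -e "\e[0Ksection_start:`date +%s`:apt_get[collapsed=true]\r\e[0KGetting Build Dependencies"
      apt-get update && apt-get upgrade -y
      apt-get install gnupg -y
      curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
      export GPG_TTY=$(tty)
      gpg --pinentry-mode loopback --passphrase ${GPG_PASS} --import .secure_files/debiankey.asc
      echo ${GPG_TRUST} | gpg --import-ownertrust
      echo 'use-agent' >> ~/.gnupg/gpg.conf
      echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
      echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf
      apt-get build-dep .
      echo -e "\e[0Ksection_end:`date +%s`:apt_get\r\e[0K"
  script:
    - |
      # This is for ARM 32 arch build
      test `node version.js` = `dpkg-parsechangelog -S version` || (echo "package.nw/package.json and debian/changelog version mismatch"; exit 1)
      echo -e "\e[0Ksection_start:`date +%s`:wget[collapsed=true]\r\e[0KGetting Upstream NWJS Binary"
      wget https://github.com/LeonardLaszlo/nw.js-armv7-binaries/releases/download/$NWJS32_BUILD/$NWJS32_BUILD.tar.gz
      tar -xf $NWJS32_BUILD.tar.gz
      tar -xf usr/docker/dist/nwjs-chromium-ffmpeg-branding/nwjs-$NWJS_VERSION-linux-arm.tar.gz
      echo -e "\e[0Ksection_end:`date +%s`:wget\r\e[0K"
      rm nwjs-$NWJS_VERSION-linux-arm/locales/*.info
      mv nwjs-$NWJS_VERSION-linux-arm/nw nwjs-$NWJS_VERSION-linux-arm/GridTracker
      version=`node ./version.js`
      mkdir GridTracker-$version-linux-arm32
      cp -r nwjs-$NWJS_VERSION-linux-arm/* GridTracker-$version-linux-arm32/
      cp -r arm/* GridTracker-$version-linux-arm32/
      cp -r package.nw GridTracker-$version-linux-arm32/
      cp LICENSE GridTracker-$version-linux-arm32/
      tar -czf GridTracker-$version-linux-arm32.tar.gz GridTracker-$version-linux-arm32
      mv GridTracker-$version-linux-arm32.tar.gz artifacts/
      # This is for ARM 64 arch build
      wget https://github.com/LeonardLaszlo/nw.js-armv7-binaries/releases/download/$NWJS64_BUILD/$NWJS64_BUILD.tar.gz
      tar -xf $NWJS64_BUILD.tar.gz
      tar -xf usr/docker/dist/nwjs-chromium-ffmpeg-branding/nwjs-$NWJS_VERSION-linux-arm64.tar.gz
      rm nwjs-$NWJS_VERSION-linux-arm64/locales/*.info
      mv nwjs-$NWJS_VERSION-linux-arm64/nw nwjs-$NWJS_VERSION-linux-arm64/GridTracker
      version=`node ./version.js`
      mkdir GridTracker-$version-linux-arm64
      cp -r nwjs-$NWJS_VERSION-linux-arm64/* GridTracker-$version-linux-arm64/
      cp -r arm/* GridTracker-$version-linux-arm64/
      cp -r package.nw GridTracker-$version-linux-arm64/
      cp LICENSE GridTracker-$version-linux-arm64/
      tar -czf GridTracker-$version-linux-arm64.tar.gz GridTracker-$version-linux-arm64
      mv GridTracker-$version-linux-arm64.tar.gz artifacts/
      gpg --batch --no-tty --detach-sign --armor --passphrase ${GPG_PASS} artifacts/GridTracker*arm32.tar.gz
      gpg --batch --no-tty --detach-sign --armor --passphrase ${GPG_PASS} artifacts/GridTracker*arm64.tar.gz
      echo "we made ARM packages!"
      ls -laR artifacts

# copy test assets to Google Storage
upload-Google:
  stage: deploy
  # NOTE(review): google/cloud-sdk is used without a tag, so it resolves to
  # whatever `latest` is at run time. Pin a version or digest for the job that
  # handles the service-account key.
  image: google/cloud-sdk
  variables:
    GIT_STRATEGY: none
  rules:
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|win_|mac_|lin_).*/'
  # The service-account key is written into the job workspace. It sits outside
  # artifacts/, so the upload below does not copy it.
  script:
    - |
      echo $GCP_SERVICE_KEY > gcloud-service-key.json
      gcloud auth activate-service-account --key-file gcloud-service-key.json
      gcloud config set project $GCLOUD_PROJECT_ID
      gsutil -m cp -R artifacts/* $GCLOUD_DEPLOY_PATH/

update_deb_repo:
  stage: deploy
  rules:
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|lin_).*/'
  # NOTE(review): this job re-signs the apt repository metadata (InRelease,
  # Release.gpg), so whatever runs here is trusted by every apt client of the
  # repo. The GPG passphrase is on the command line and the secure-files
  # installer is fetched from `main`, as in the package jobs.
  before_script:
    - |
      apt-get update && apt-get upgrade -y
      apt-get install apt apt-utils apt-transport-https ca-certificates gnupg -y
      echo "deb [signed-by=/usr/share/keyrings/cloud.google.asc] https://packages.cloud.google.com/apt cloud-sdk main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
      curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | tee /usr/share/keyrings/cloud.google.asc
      apt-get update && apt-get install google-cloud-cli -y
      curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
      echo $GCP_SERVICE_KEY > gcloud-service-key.json
      export GPG_TTY=$(tty)
      gpg --pinentry-mode loopback --passphrase ${GPG_PASS} --import .secure_files/debiankey.asc
      echo ${GPG_TRUST} | gpg --import-ownertrust
      echo 'use-agent' >> ~/.gnupg/gpg.conf
      echo 'pinentry-mode loopback' >> ~/.gnupg/gpg.conf
      echo 'allow-loopback-pinentry' >> ~/.gnupg/gpg-agent.conf
      gcloud auth activate-service-account --key-file gcloud-service-key.json
      gcloud config set project $GCLOUD_PROJECT_ID
  # test_*/lin_* tags publish to the /test/ prefix, v* tags to the live /debian/
  # prefix. The existing repo contents are always pulled from /debian/.
  script:
    - |
      VER=`node version.js`
      mkdir debianrepo
      gsutil cp gs://debian.gridtracker.org/debian/* debianrepo/
      cp artifacts/gridtracker_${VER}_all.deb debianrepo/
      cd debianrepo
      rm InRelease
      rm Release.gpg
      apt-ftparchive packages . > Packages
      apt-ftparchive release . > Release
      gpg --batch --no-tty --passphrase ${GPG_PASS} --clearsign -o InRelease Release
      gpg --batch --no-tty --passphrase ${GPG_PASS} -abs -o Release.gpg Release
      if [[ ${CI_COMMIT_TAG} = test_* ]] || [[ ${CI_COMMIT_TAG} = lin_* ]]
      then
        gsutil cp ./* gs://debian.gridtracker.org/test/
      fi
      if [[ ${CI_COMMIT_TAG} = v* ]]
      then
        gsutil cp ./* gs://debian.gridtracker.org/debian/
      fi

update_arch_aur:
  stage: deploy
  image: archlinux:base-devel
  rules:
    # only do this with a manual tag starting with v
    - if: '$CI_COMMIT_TAG =~ /^v.*/ && $AUR_KEY != ""'
  # Allow AUR to fail without failing the whole pipeline
  allow_failure: true
  # NOTE(review): ~/.ssh is created but no known_hosts entry for
  # aur.archlinux.org is added in the lines shown. Presumably the later
  # `git clone ssh://...` then has no pinned host key to check against, so
  # confirm and pin the host key from a trusted source.
  before_script:
    - |
      pacman -Sy; pacman -S --needed --noconfirm openssh git
      eval $(ssh-agent -s)
      echo "$AUR_KEY" | tr -d '\r' | ssh-add -
      mkdir -p ~/.ssh; chmod 700 ~/.ssh
      git config --global user.name "nr0q"
      git config --global user.email "nr0q@gridtracker.org"
  script:
    # generate the PKGBUILD
    # The SHA-256 written into PKGBUILD is computed from the archive this job has
    # just downloaded, so it records what was fetched rather than verifying it.
    - |
      cd arch-linux
      curl -o gridtracker.tar.gz "https://gitlab.com/gridtracker.org/gridtracker/-/archive/${CI_COMMIT_TAG}/gridtracker-${CI_COMMIT_TAG}.tar.gz"
      SHASUM=$(sha256sum gridtracker.tar.gz | cut -d ' ' -f1)
      sed "s/REPLACE_WITH_VERSION/${CI_COMMIT_TAG#v}/;s/REPLACE_WITH_SHASUM/${SHASUM}/" PKGBUILD.template > PKGBUILD
    # test that it builds
    # `builder` gets an empty password and full sudo so makepkg can run as a
    # non-root user. The SSH agent holding AUR_KEY lives in the same container as
    # the third-party nwjs-bin build.
    - |
      useradd builder -m
      passwd -d builder
      printf 'builder ALL=(ALL) ALL\n' | tee -a /etc/sudoers
      # build nwjs-bin
      sudo -u builder bash -c 'git clone https://aur.archlinux.org/nwjs-bin.git nwjs-bin && cd nwjs-bin && makepkg -si --noconfirm'
      # build gridtracker
      sudo -u builder makepkg -si --noconfirm PKGBUILD
    # push the new version
    - |
      sudo -u builder makepkg --printsrcinfo > .SRCINFO
      git clone ssh://aur@aur.archlinux.org/gridtracker.git
      cp PKGBUILD gridtracker/PKGBUILD
      cp .SRCINFO gridtracker/.SRCINFO
      cd gridtracker
      git add PKGBUILD .SRCINFO && git commit -m "upgpkg: gridtracker ${CI_COMMIT_TAG#v}" && git push

# this only creates a "source code release" -- gitlab doesn't specify binaries
# except as links to external storage, which is suboptimal for now
sourcerelease:
  stage: publish
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  variables:
    GIT_STRATEGY: none
  rules:
    - if: '$CI_COMMIT_TAG =~ /^(v).*/'
  release:
    tag_name: $CI_COMMIT_TAG
    name: GridTracker $CI_COMMIT_TAG
    description: GridTracker release $CI_COMMIT_TAG
    ref: '$CI_COMMIT_SHA'
    assets:
      links:
        - name: Windows Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-Installer.${CI_COMMIT_TAG#v}.exe
          external: true
          link_type: package
        - name: Mac x64 ZIP Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-${CI_COMMIT_TAG#v}-mac-x64.zip
          external: true
          link_type: package
        - name: Linux Arm32 GZIP Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-${CI_COMMIT_TAG#v}-linux-arm32.tar.gz
          external: true
          link_type: package
        - name: Linux Arm64 GZIP Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-${CI_COMMIT_TAG#v}-linux-arm64.tar.gz
          external: true
          link_type: package
        - name: Linux x86 GZIP Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-${CI_COMMIT_TAG#v}-linux-x86.tar.gz
          external: true
          link_type: package
        - name: Linux x64 GZIP Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/GridTracker-${CI_COMMIT_TAG#v}-linux-x64.tar.gz
          external: true
          link_type: package
        # The .deb that the package and deploy jobs handle is named
        # gridtracker_<version>_all.deb (underscore), so the link uses the same
        # name as the uploaded file.
        - name: Debian Linux Package for $CI_COMMIT_TAG
          url: https://downloads.gridtracker.org/$CI_COMMIT_TAG/gridtracker_${CI_COMMIT_TAG#v}_all.deb
          external: true
          link_type: package
  script:
    # double quotes so the shell expands the tag instead of printing it literally
    - echo "Release for $CI_COMMIT_TAG"

virustotal_push:
  stage: publish
  rules:
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|win_).*/'
  script:
    # BASEURL uses https so the URL submitted for scanning is the same one the
    # release page links to.
    - |
      echo "Pushing release URLs to VirusTotal"
      VER=`node version.js`
      BASEURL="https://downloads.gridtracker.org/${CI_COMMIT_TAG}/"
      curl --request POST --url "https://www.virustotal.com/api/v3/urls" --form url="${BASEURL}GridTracker-Installer.${VER}.exe" --header "x-apikey: ${VT_API_KEY}"

discord_notify:
  stage: publish
  rules:
    - if: '$CI_COMMIT_TAG =~ /^(v|test_|win_|mac_|lin_).*/'
  # Download links are announced over https, so users who follow them fetch the
  # binaries over an authenticated channel.
  # NOTE(review): MD5 is not collision-resistant. It detects a corrupted
  # download, but it is not an integrity guarantee for release binaries. Publish
  # SHA-256 digests (sha256sum) alongside the MD5 values or in place of them.
  script:
    - |
      echo "Notifying Discord #developer-den that a release has built"
      BASEURL="https://downloads.gridtracker.org/${CI_COMMIT_TAG}/"
      VER=`node version.js`
      if [[ ${CI_COMMIT_TAG} = v* ]] || [[ ${CI_COMMIT_TAG} = test_* ]] || [[ ${CI_COMMIT_TAG} = win_* ]]
      then
        WIN_MD5=($(md5sum artifacts/GridTracker-Installer.${VER}.exe))
        WIN_STRING="**GridTracker-Installer.${VER}.exe**\nmd5: ${WIN_MD5}\n${BASEURL}GridTracker-Installer.${VER}.exe\n\n"
      fi
      if [[ ${CI_COMMIT_TAG} = v* ]] || [[ ${CI_COMMIT_TAG} = test_* ]] || [[ ${CI_COMMIT_TAG} = mac_* ]]
      then
        MAC_MD5=($(md5sum artifacts/GridTracker-${VER}-mac-x64.zip))
        MAC_STRING="**GridTracker-${VER}-mac-x64.zip**\nMD5: ${MAC_MD5}\n${BASEURL}GridTracker-${VER}-mac-x64.zip\n\n"
      fi
      if [[ ${CI_COMMIT_TAG} = v* ]] || [[ ${CI_COMMIT_TAG} = test_* ]] || [[ ${CI_COMMIT_TAG} = lin_* ]]
      then
        LINARM32_MD5=($(md5sum artifacts/GridTracker-${VER}-linux-arm32.tar.gz))
        LINARM32_STRING="**GridTracker-${VER}-linux-arm32.tar.gz**\nMD5: ${LINARM32_MD5}\n${BASEURL}GridTracker-${VER}-linux-arm32.tar.gz\n${BASEURL}GridTracker-${VER}-linux-arm32.tar.gz.asc\n\n"
        LINARM64_MD5=($(md5sum artifacts/GridTracker-${VER}-linux-arm64.tar.gz))
        LINARM64_STRING="**GridTracker-${VER}-linux-arm64.tar.gz**\nMD5: ${LINARM64_MD5}\n${BASEURL}GridTracker-${VER}-linux-arm64.tar.gz\n${BASEURL}GridTracker-${VER}-linux-arm64.tar.gz.asc\n\n"
        LINx86_MD5=($(md5sum artifacts/GridTracker-${VER}-linux-x86.tar.gz))
        LINx86_STRING="**GridTracker-${VER}-linux-x86.tar.gz**\nMD5: ${LINx86_MD5}\n${BASEURL}GridTracker-${VER}-linux-x86.tar.gz\n${BASEURL}GridTracker-${VER}-linux-x86.tar.gz.asc\n\n"
        LINx64_MD5=($(md5sum artifacts/GridTracker-${VER}-linux-x64.tar.gz))
        # the signature link must point at the x64 .asc, not the x86 one
        LINx64_STRING="**GridTracker-${VER}-linux-x64.tar.gz**\nMD5: ${LINx64_MD5}\n${BASEURL}GridTracker-${VER}-linux-x64.tar.gz\n${BASEURL}GridTracker-${VER}-linux-x64.tar.gz.asc\n\n"
        DEB_MD5=($(md5sum artifacts/gridtracker_${VER}_all.deb))
        DEB_STRING="**gridtracker_${VER}_all.deb**\nMD5: ${DEB_MD5} - ${BASEURL}gridtracker_${VER}_all.deb"
      fi
      curl -H "Content-Type: application/json" -X POST $DISCORD_WEBHOOK --data-binary @- << EOM
      {
        "content": "${CI_COMMIT_TAG_MESSAGE}\n\n${WIN_STRING}${MAC_STRING}${LINARM32_STRING}${LINARM64_STRING}${LINx86_STRING}${LINx64_STRING}${DEB_STRING}",
        "tts": false,
        "embeds": [],
        "components": {},
        "username": "GridTracker Release Bot",
        "avatar_url": "http://gridtracker.org/images/icons/gridtracker32.png"
      }
      EOM
      echo "Discord notified"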