Move CI stage "other-checks" right after "quick-checks"

Move CI stage "other-checks" right after "quick-checks" and get the jobs in it as close to each other as possible in .gitlab-ci.yml. Since no job is allowed to depend (via "needs") on any job that is assigned to a stage later than its own, move the "tsan:stress" and "gcov" jobs to the "system" stage. (cherry picked from commit 4f89d32bff)
2026-06-11 02:29:59 -04:00 · 2025-12-15 17:01:58 +01:00 · 2025-12-15 17:01:58 +01:00 · 9694a1a06e
commit 9694a1a06e
parent 00e7621cd1
1 changed files with 122 additions and 118 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -102,12 +102,12 @@ default:
 stages:
  - autoconf
  - quick-checks
+  - other-checks
  - build
  - unit
  - system
  - performance
  - docs
-  - other-checks
  - postmerge
  - release

@ -766,23 +766,6 @@ clang-format:
    expire_in: "1 week"
    when: on_failure

-coccinelle:
-  <<: *other_checks_job
-  rules:
-    - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
-      changes:
-        - '**/*.c'
-        - '**/*.h'
-        - 'cocci/**'
-        - 'util/check-cocci.sh'
-    - *rule_mr_manual
-    - *rule_tag
-    - *rule_source_other_than_mr
-  needs: []
-  script:
-    - util/check-cocci.sh
-    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
-
 doctest:
  <<: *quick_checks_job
  # This script needs to: 1) fail if the doctest fails, 2) fail if
@ -855,6 +838,14 @@ danger:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

+mypy:
+  <<: *quick_checks_job
+  <<: *python_triggering_rules
+  script:
+    - mypy "bin/tests/system/isctest/"
+
+# Jobs in the other-checks stage
+
 checkbashisms:
  <<: *other_checks_job
  <<: *shell_triggering_rules
@ -862,11 +853,116 @@ checkbashisms:
  script:
    - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print)

-mypy:
-  <<: *quick_checks_job
-  <<: *python_triggering_rules
+coccinelle:
+  <<: *other_checks_job
+  rules:
+    - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
+      changes:
+        - '**/*.c'
+        - '**/*.h'
+        - 'cocci/**'
+        - 'util/check-cocci.sh'
+    - *rule_mr_manual
+    - *rule_tag
+    - *rule_source_other_than_mr
+  needs: []
  script:
-    - mypy "bin/tests/system/isctest/"
+    - util/check-cocci.sh
+    - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+
+# Jobs for scan-build builds on Debian 13 "trixie" (amd64)
+
+.scan_build: &scan_build
+  - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
+                  --keep-cc
+                  --status-bugs
+                  --keep-going
+                  -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1
+
+scan-build:
+  <<: *other_checks_job
+  variables:
+    CC: "${CLANG}"
+    CFLAGS: "${CFLAGS_COMMON}"
+    CONFIGURE: "${SCAN_BUILD} ./configure"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  before_script:
+    - *list_installed_package_versions
+  script:
+    - *configure
+    - *scan_build
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - scan-build.reports/
+    when: on_failure
+
+# Coverity Scan analysis upload
+
+.coverity_prep: &coverity_prep
+  - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN
+         --form md5=1
+  - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
+         --form project=$COVERITY_SCAN_PROJECT_NAME
+         --form token=$COVERITY_SCAN_TOKEN
+  - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)"
+  - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp
+  - test -d /tmp/cov-analysis-linux64-*
+
+.coverity_build: &coverity_build
+  - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1'
+  - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int
+  - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
+        --form token=$COVERITY_SCAN_TOKEN
+        --form email=bind-changes@isc.org
+        --form file=@/tmp/cov-int.tar.gz
+        --form version="$(git rev-parse --short HEAD)"
+        --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1
+        | tee curl-response.txt
+  - grep -q 'Build successfully submitted' curl-response.txt
+
+coverity:
+  <<: *other_checks_job
+  variables:
+    CC: gcc
+    CFLAGS: "${CFLAGS_COMMON} -Og"
+    EXTRA_CONFIGURE: "--with-libidn2"
+  script:
+    - *coverity_prep
+    - *configure
+    - *coverity_build
+  after_script:
+    - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/
+  needs:
+    - job: autoreconf
+      artifacts: true
+  artifacts:
+    paths:
+      - curl-response.txt
+      - cov-int.tar.gz
+    expire_in: "1 week"
+    when: on_failure
+  rules:
+    - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null'
+
+# git fsck operates over the whole repository and is sufficient to schedule it
+# only in one branch, preferably "main". GitLab's clone strategy prevents us
+# from using the "bind9" repo clone; we need to clone it ourselves.
+fsck:
+  <<: *other_checks_job
+  variables:
+    GIT_STRATEGY: none
+  script:
+    - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone
+    - cd bind9-full-clone/
+    - git fsck
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "schedule"'
+  needs: []

 tarball-create:
  <<: *build_job
@ -1321,35 +1417,6 @@ gcc:trixie:amd64cross32:
  <<: *debian_trixie_amd64cross32_image
  <<: *build_job

-# Jobs for scan-build builds on Debian 13 "trixie" (amd64)
-
-.scan_build: &scan_build
-  - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
-                  --keep-cc
-                  --status-bugs
-                  --keep-going
-                  -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1
-
-scan-build:
-  <<: *other_checks_job
-  variables:
-    CC: "${CLANG}"
-    CFLAGS: "${CFLAGS_COMMON}"
-    CONFIGURE: "${SCAN_BUILD} ./configure"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  before_script:
-    - *list_installed_package_versions
-  script:
-    - *configure
-    - *scan_build
-  needs:
-    - job: autoreconf
-      artifacts: true
-  artifacts:
-    paths:
-      - scan-build.reports/
-    when: on_failure
-
 # Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "trixie" (amd64)
 # Run with pkcs11-provider tests

@ -1687,7 +1754,7 @@ generate-tsan-stress-test-configs:

 tsan:stress:
  <<: *default_triggering_rules
-  stage: other-checks
+  stage: system
  variables:
    PARENT_PIPELINE_ID: $CI_PIPELINE_ID
  trigger:
@ -2114,56 +2181,6 @@ customer-git:tag:
  script:
    - bind9-qa/releng/push_to_customer_repository.py --tag "$CI_COMMIT_TAG" --entitlements isc-customer-settings/entitlements.yaml --force

-# Coverity Scan analysis upload
-
-.coverity_prep: &coverity_prep
-  - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64
-         --form project=$COVERITY_SCAN_PROJECT_NAME
-         --form token=$COVERITY_SCAN_TOKEN
-         --form md5=1
-  - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
-         --form project=$COVERITY_SCAN_PROJECT_NAME
-         --form token=$COVERITY_SCAN_TOKEN
-  - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)"
-  - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp
-  - test -d /tmp/cov-analysis-linux64-*
-
-.coverity_build: &coverity_build
-  - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1'
-  - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int
-  - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
-        --form token=$COVERITY_SCAN_TOKEN
-        --form email=bind-changes@isc.org
-        --form file=@/tmp/cov-int.tar.gz
-        --form version="$(git rev-parse --short HEAD)"
-        --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1
-        | tee curl-response.txt
-  - grep -q 'Build successfully submitted' curl-response.txt
-
-coverity:
-  <<: *other_checks_job
-  variables:
-    CC: gcc
-    CFLAGS: "${CFLAGS_COMMON} -Og"
-    EXTRA_CONFIGURE: "--with-libidn2"
-  script:
-    - *coverity_prep
-    - *configure
-    - *coverity_build
-  after_script:
-    - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/
-  needs:
-    - job: autoreconf
-      artifacts: true
-  artifacts:
-    paths:
-      - curl-response.txt
-      - cov-int.tar.gz
-    expire_in: "1 week"
-    when: on_failure
-  rules:
-    - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null'
-
 # Respdiff tests

 respdiff:
@ -2309,23 +2326,10 @@ stress-test-child-pipeline:
    - job: generate-stress-test-configs
      artifacts: true

-# git fsck operates over the whole repository and is sufficient to schedule it
-# only in one branch, preferably "main". GitLab's clone strategy prevents us
-# from using the "bind9" repo clone; we need to clone it ourselves.
-fsck:
-  <<: *other_checks_job
-  variables:
-    GIT_STRATEGY: none
-  script:
-    - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone
-    - cd bind9-full-clone/
-    - git fsck
-  rules:
-    - if: '$CI_PIPELINE_SOURCE == "schedule"'
-  needs: []
-
 gcov:
-  <<: *other_checks_job
+  <<: *default_triggering_rules
+  <<: *base_image
+  stage: system
  needs:
    - job: system:gcc:trixie:amd64
      artifacts: true