From 9694a1a06e367110d7027f5bf44fe8ffa634c8e2 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 17:01:58 +0100 Subject: [PATCH] Move CI stage "other-checks" right after "quick-checks" Move CI stage "other-checks" right after "quick-checks" and get the jobs in it as close to each other as possible in .gitlab-ci.yml. Since no job is allowed to depend (via "needs") on any job that is assigned to a stage later than its own, move the "tsan:stress" and "gcov" jobs to the "system" stage. (cherry picked from commit 4f89d32bff81935e9688b9664a68e517fb585194) --- .gitlab-ci.yml | 240 +++++++++++++++++++++++++------------------------ 1 file changed, 122 insertions(+), 118 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8f9d8cf249..0608c247a9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -102,12 +102,12 @@ default: stages: - autoconf - quick-checks + - other-checks - build - unit - system - performance - docs - - other-checks - postmerge - release @@ -766,23 +766,6 @@ clang-format: expire_in: "1 week" when: on_failure -coccinelle: - <<: *other_checks_job - rules: - - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' - changes: - - '**/*.c' - - '**/*.h' - - 'cocci/**' - - 'util/check-cocci.sh' - - *rule_mr_manual - - *rule_tag - - *rule_source_other_than_mr - needs: [] - script: - - util/check-cocci.sh - - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi - doctest: <<: *quick_checks_job # This script needs to: 1) fail if the doctest fails, 2) fail if @@ -855,6 +838,14 @@ danger: rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' +mypy: + <<: *quick_checks_job + <<: *python_triggering_rules + script: + - mypy "bin/tests/system/isctest/" + +# Jobs in the other-checks stage + checkbashisms: <<: *other_checks_job <<: *shell_triggering_rules @@ -862,11 +853,116 @@ checkbashisms: script: - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print) -mypy: - <<: *quick_checks_job - <<: *python_triggering_rules +coccinelle: + <<: *other_checks_job + rules: + - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' + changes: + - '**/*.c' + - '**/*.h' + - 'cocci/**' + - 'util/check-cocci.sh' + - *rule_mr_manual + - *rule_tag + - *rule_source_other_than_mr + needs: [] script: - - mypy "bin/tests/system/isctest/" + - util/check-cocci.sh + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + +# Jobs for scan-build builds on Debian 13 "trixie" (amd64) + +.scan_build: &scan_build + - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" + --keep-cc + --status-bugs + --keep-going + -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1 + +scan-build: + <<: *other_checks_job + variables: + CC: "${CLANG}" + CFLAGS: "${CFLAGS_COMMON}" + CONFIGURE: "${SCAN_BUILD} ./configure" + EXTRA_CONFIGURE: "--with-libidn2" + before_script: + - *list_installed_package_versions + script: + - *configure + - *scan_build + needs: + - job: autoreconf + artifacts: true + artifacts: + paths: + - scan-build.reports/ + when: on_failure + +# Coverity Scan analysis upload + +.coverity_prep: &coverity_prep + - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form md5=1 + - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" + - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp + - test -d /tmp/cov-analysis-linux64-* + +.coverity_build: &coverity_build + - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' + - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int + - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form email=bind-changes@isc.org + --form file=@/tmp/cov-int.tar.gz + --form version="$(git rev-parse --short HEAD)" + --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 + | tee curl-response.txt + - grep -q 'Build successfully submitted' curl-response.txt + +coverity: + <<: *other_checks_job + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON} -Og" + EXTRA_CONFIGURE: "--with-libidn2" + script: + - *coverity_prep + - *configure + - *coverity_build + after_script: + - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ + needs: + - job: autoreconf + artifacts: true + artifacts: + paths: + - curl-response.txt + - cov-int.tar.gz + expire_in: "1 week" + when: on_failure + rules: + - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null' + +# git fsck operates over the whole repository and is sufficient to schedule it +# only in one branch, preferably "main". GitLab's clone strategy prevents us +# from using the "bind9" repo clone; we need to clone it ourselves. +fsck: + <<: *other_checks_job + variables: + GIT_STRATEGY: none + script: + - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone + - cd bind9-full-clone/ + - git fsck + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + needs: [] tarball-create: <<: *build_job @@ -1321,35 +1417,6 @@ gcc:trixie:amd64cross32: <<: *debian_trixie_amd64cross32_image <<: *build_job -# Jobs for scan-build builds on Debian 13 "trixie" (amd64) - -.scan_build: &scan_build - - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" - --keep-cc - --status-bugs - --keep-going - -o scan-build.reports make -j${BUILD_PARALLEL_JOBS:-1} all V=1 - -scan-build: - <<: *other_checks_job - variables: - CC: "${CLANG}" - CFLAGS: "${CFLAGS_COMMON}" - CONFIGURE: "${SCAN_BUILD} ./configure" - EXTRA_CONFIGURE: "--with-libidn2" - before_script: - - *list_installed_package_versions - script: - - *configure - - *scan_build - needs: - - job: autoreconf - artifacts: true - artifacts: - paths: - - scan-build.reports/ - when: on_failure - # Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "trixie" (amd64) # Run with pkcs11-provider tests @@ -1687,7 +1754,7 @@ generate-tsan-stress-test-configs: tsan:stress: <<: *default_triggering_rules - stage: other-checks + stage: system variables: PARENT_PIPELINE_ID: $CI_PIPELINE_ID trigger: @@ -2114,56 +2181,6 @@ customer-git:tag: script: - bind9-qa/releng/push_to_customer_repository.py --tag "$CI_COMMIT_TAG" --entitlements isc-customer-settings/entitlements.yaml --force -# Coverity Scan analysis upload - -.coverity_prep: &coverity_prep - - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 - --form project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - --form md5=1 - - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 - --form project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" - - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp - - test -d /tmp/cov-analysis-linux64-* - -.coverity_build: &coverity_build - - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'make -j${BUILD_PARALLEL_JOBS:-1} -k all V=1' - - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int - - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - --form email=bind-changes@isc.org - --form file=@/tmp/cov-int.tar.gz - --form version="$(git rev-parse --short HEAD)" - --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 - | tee curl-response.txt - - grep -q 'Build successfully submitted' curl-response.txt - -coverity: - <<: *other_checks_job - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON} -Og" - EXTRA_CONFIGURE: "--with-libidn2" - script: - - *coverity_prep - - *configure - - *coverity_build - after_script: - - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ - needs: - - job: autoreconf - artifacts: true - artifacts: - paths: - - curl-response.txt - - cov-int.tar.gz - expire_in: "1 week" - when: on_failure - rules: - - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null' - # Respdiff tests respdiff: @@ -2309,23 +2326,10 @@ stress-test-child-pipeline: - job: generate-stress-test-configs artifacts: true -# git fsck operates over the whole repository and is sufficient to schedule it -# only in one branch, preferably "main". GitLab's clone strategy prevents us -# from using the "bind9" repo clone; we need to clone it ourselves. -fsck: - <<: *other_checks_job - variables: - GIT_STRATEGY: none - script: - - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone - - cd bind9-full-clone/ - - git fsck - rules: - - if: '$CI_PIPELINE_SOURCE == "schedule"' - needs: [] - gcov: - <<: *other_checks_job + <<: *default_triggering_rules + <<: *base_image + stage: system needs: - job: system:gcc:trixie:amd64 artifacts: true