From 9aa5041a88e20ab24559091494bbd20944723225 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 13:08:44 +0100 Subject: [PATCH 01/10] Rename the "precheck" stage in CI to "quick-checks" Most jobs in the "precheck" stage spend more time setting up their environment than running the script (seconds), this allows us to add a small always on dedicated runner instead of the autoscaled ones. Hence, the stage is renamed to "quick-checks", and a tag "smalljob" is added to the anchor so that these jobs are picked by the dedicated runner. --- .gitlab-ci.yml | 47 +++++++++++++++++++++++------------------------ 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ac19283be0..8f9001b714 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -102,7 +102,7 @@ default: - runner_system_failure stages: - - precheck + - quick-checks - build - unit - system @@ -357,10 +357,12 @@ stages: - *rule_source_other_than_mr - *rule_mr_system_tests -.precheck: &precheck_job +.quick-check: &quick_checks_job <<: *default_triggering_rules <<: *base_image - stage: precheck + stage: quick-checks + tags: + - smalljob .configure: &configure - meson setup @@ -625,10 +627,10 @@ stages: ### Job Definitions -# Jobs in the precheck stage +# Jobs in the quick-checks stage misc: - <<: *precheck_job + <<: *quick_checks_job script: - sh util/checklibs.sh > checklibs.out - sh util/check-categories.sh @@ -645,7 +647,7 @@ misc: when: on_failure black: - <<: *precheck_job + <<: *quick_checks_job <<: *python_triggering_rules needs: [] script: @@ -659,14 +661,14 @@ black: when: on_failure vulture: - <<: *precheck_job + <<: *quick_checks_job <<: *python_triggering_rules needs: [] script: - vulture --exclude "*ans.py,conftest.py,re_compile_checker.py,isctest" --ignore-names "after_servers_start,bootstrap,pytestmark,autouse_*" bin/tests/system/ ci-variables: - <<: *precheck_job + <<: *quick_checks_job script: # When testing a .0 release, compare it against the previous development # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22). @@ -678,7 +680,7 @@ ci-variables: dotenv: ci_vars.env ci-orphaned-anchors: - <<: *precheck_job + <<: *quick_checks_job script: - *git_clone_bind9-qa - bind9-qa/ci-orphaned-anchors/check-orphaned-anchors-ci.py .gitlab-ci.yml @@ -689,7 +691,7 @@ ci-orphaned-anchors: - .gitlab-ci.yml clang-format: - <<: *precheck_job + <<: *quick_checks_job rules: - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' changes: @@ -712,7 +714,7 @@ clang-format: when: on_failure coccinelle: - <<: *precheck_job + <<: *quick_checks_job rules: - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' changes: @@ -729,7 +731,7 @@ coccinelle: - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi meson-format: - <<: *precheck_job + <<: *quick_checks_job rules: - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' changes: @@ -753,7 +755,7 @@ meson-format: - "**/meson.build" doctest: - <<: *precheck_job + <<: *quick_checks_job needs: [] # This script needs to: 1) fail if the doctest fails, 2) fail if # the junit.xml file is broken, 3) produce the junit.xml file even if @@ -780,7 +782,7 @@ doctest: - junit.xml pylint: - <<: *precheck_job + <<: *quick_checks_job <<: *python_triggering_rules needs: [] variables: @@ -791,7 +793,7 @@ pylint: - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --load-plugins re_compile_checker --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE '(ans\.py|vulture_ignore_list\.py)') reuse: - <<: *precheck_job + <<: *quick_checks_job needs: [] image: name: docker.io/fsfe/reuse:latest @@ -800,7 +802,7 @@ reuse: - reuse lint shfmt: - <<: *precheck_job + <<: *quick_checks_job <<: *shell_triggering_rules needs: [] script: @@ -814,7 +816,7 @@ shfmt: when: on_failure danger: - <<: *precheck_job + <<: *quick_checks_job needs: [] script: - pip install git+https://gitlab.isc.org/isc-projects/hazard.git @@ -823,21 +825,20 @@ danger: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' checkbashisms: - <<: *precheck_job + <<: *quick_checks_job <<: *shell_triggering_rules needs: [] script: - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print) mypy: - <<: *precheck_job + <<: *quick_checks_job <<: *python_triggering_rules - stage: precheck script: - mypy "bin/tests/system/isctest/" tarball-create: - stage: precheck + stage: quick-checks <<: *base_image <<: *default_triggering_rules script: @@ -2182,9 +2183,7 @@ shotgun:doh-get: # - *shotgun_rule_other generate-stress-test-configs: - <<: *base_image - <<: *default_triggering_rules - stage: precheck + <<: *quick_checks_job script: - *git_clone_bind9-qa - bind9-qa/stress/generate-stress-test-configs.py > stress-test-configs.yml From 6d442c4a06a35b6551a75e31e30254e47af2339f Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 14:49:59 +0100 Subject: [PATCH 02/10] Rename the "postcheck" stage to "other-checks" in CI Rename the "postcheck" CI stage to the more generic "other-checks". Slower jobs that still run in autoscaled runners belong here, as opposed to the lightweight ones in "quick-checks". --- .gitlab-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8f9001b714..c2de433574 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -108,7 +108,7 @@ stages: - system - performance - docs - - postcheck + - other-checks - postmerge - release @@ -1281,7 +1281,7 @@ gcc:trixie:amd64cross32: scan-build: <<: *default_triggering_rules <<: *base_image - stage: postcheck + stage: other-checks variables: CC: "${CLANG}" CFLAGS: "${CFLAGS_COMMON}" @@ -1592,7 +1592,7 @@ generate-tsan-stress-test-configs: tsan:stress: <<: *default_triggering_rules - stage: postcheck + stage: other-checks variables: PARENT_PIPELINE_ID: $CI_PIPELINE_ID trigger: @@ -2046,7 +2046,7 @@ customer-git:tag: coverity: <<: *base_image - stage: postcheck + stage: other-checks variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" @@ -2217,7 +2217,7 @@ stress-test-child-pipeline: reproducible-build: <<: *default_triggering_rules <<: *alpine_3_23_amd64_image - stage: postcheck + stage: other-checks needs: [] variables: CC: gcc @@ -2243,7 +2243,7 @@ reproducible-build: # from using the "bind9" repo clone; we need to clone it ourselves. fsck: <<: *base_image - stage: postcheck + stage: other-checks variables: GIT_STRATEGY: none script: @@ -2257,7 +2257,7 @@ fsck: gcov: <<: *base_image <<: *default_triggering_rules - stage: postcheck + stage: other-checks needs: - job: system:gcc:trixie:amd64 artifacts: true From e61bc3ad72d65b57ae2a96c25c944a04fa447454 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 14:47:08 +0100 Subject: [PATCH 03/10] Create "other_checks_job" anchor in CI yaml Use an anchor for the common parts of "other-checks" jobs in CI yaml. --- .gitlab-ci.yml | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c2de433574..af423fea9f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -364,6 +364,12 @@ stages: tags: - smalljob +.other-check: &other_checks_job + <<: *default_triggering_rules + <<: *base_image + stage: other-checks + needs: [] + .configure: &configure - meson setup --libdir=lib @@ -1279,9 +1285,7 @@ gcc:trixie:amd64cross32: -o scan-build.reports ninja -C build scan-build: - <<: *default_triggering_rules - <<: *base_image - stage: other-checks + <<: *other_checks_job variables: CC: "${CLANG}" CFLAGS: "${CFLAGS_COMMON}" @@ -2045,8 +2049,7 @@ customer-git:tag: - grep -q 'Build successfully submitted' curl-response.txt coverity: - <<: *base_image - stage: other-checks + <<: *other_checks_job variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" @@ -2215,9 +2218,8 @@ stress-test-child-pipeline: # Simple reproductibilty test, needs an image with meson >=1.6.0 reproducible-build: - <<: *default_triggering_rules + <<: *other_checks_job <<: *alpine_3_23_amd64_image - stage: other-checks needs: [] variables: CC: gcc @@ -2242,8 +2244,7 @@ reproducible-build: # only in one branch, preferably "main". GitLab's clone strategy prevents us # from using the "bind9" repo clone; we need to clone it ourselves. fsck: - <<: *base_image - stage: other-checks + <<: *other_checks_job variables: GIT_STRATEGY: none script: @@ -2255,9 +2256,7 @@ fsck: needs: [] gcov: - <<: *base_image - <<: *default_triggering_rules - stage: other-checks + <<: *other_checks_job needs: - job: system:gcc:trixie:amd64 artifacts: true From ba5844a1de9a8ede9396112ae78e22d7dcfb95b7 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 15:50:28 +0100 Subject: [PATCH 04/10] Move slower CI jobs out of "quick-checks" stage Jobs with more than one minute of runtime are not considered for the small VM. The "tarball-create" job goes to the more appropriate "build" stage. "coccinelle" and "checkbashisms" are moved to the generic "other-checks". --- .gitlab-ci.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index af423fea9f..9b066e6bfe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -720,7 +720,7 @@ clang-format: when: on_failure coccinelle: - <<: *quick_checks_job + <<: *other_checks_job rules: - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' changes: @@ -831,7 +831,7 @@ danger: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' checkbashisms: - <<: *quick_checks_job + <<: *other_checks_job <<: *shell_triggering_rules needs: [] script: @@ -844,9 +844,8 @@ mypy: - mypy "bin/tests/system/isctest/" tarball-create: - stage: quick-checks + <<: *build_job <<: *base_image - <<: *default_triggering_rules script: - *configure - meson dist -C build --no-tests From 4f89d32bff81935e9688b9664a68e517fb585194 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 17:01:58 +0100 Subject: [PATCH 05/10] Move CI stage "other-checks" right after "quick-checks" Move CI stage "other-checks" right after "quick-checks" and get the jobs in it as close to each other as possible in .gitlab-ci.yml. Since no job is allowed to depend (via "needs") on any job that is assigned to a stage later than its own, move the "tsan:stress" and "gcov" jobs to the "system" stage. --- .gitlab-ci.yml | 278 +++++++++++++++++++++++++------------------------ 1 file changed, 141 insertions(+), 137 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9b066e6bfe..5d3714654f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -103,12 +103,12 @@ default: stages: - quick-checks + - other-checks - build - unit - system - performance - docs - - other-checks - postmerge - release @@ -719,23 +719,6 @@ clang-format: expire_in: "1 week" when: on_failure -coccinelle: - <<: *other_checks_job - rules: - - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' - changes: - - '**/*.c' - - '**/*.h' - - 'cocci/**' - - 'util/check-cocci.sh' - - *rule_mr_manual - - *rule_tag - - *rule_source_other_than_mr - needs: [] - script: - - util/check-cocci.sh - - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi - meson-format: <<: *quick_checks_job rules: @@ -830,6 +813,14 @@ danger: rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' +mypy: + <<: *quick_checks_job + <<: *python_triggering_rules + script: + - mypy "bin/tests/system/isctest/" + +# Jobs in the other-checks stage + checkbashisms: <<: *other_checks_job <<: *shell_triggering_rules @@ -837,11 +828,135 @@ checkbashisms: script: - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print) -mypy: - <<: *quick_checks_job - <<: *python_triggering_rules +coccinelle: + <<: *other_checks_job + rules: + - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null' + changes: + - '**/*.c' + - '**/*.h' + - 'cocci/**' + - 'util/check-cocci.sh' + - *rule_mr_manual + - *rule_tag + - *rule_source_other_than_mr + needs: [] script: - - mypy "bin/tests/system/isctest/" + - util/check-cocci.sh + - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi + +# Jobs for scan-build builds on Debian 13 "trixie" (amd64) + +.scan_build: &scan_build + - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" + --keep-cc + --status-bugs + --keep-going + -o scan-build.reports ninja -C build + +scan-build: + <<: *other_checks_job + variables: + CC: "${CLANG}" + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "-Didn=enabled --native-file ci/clang-trixie.ini" + before_script: + - *list_installed_package_versions + script: + - *configure + - *scan_build + needs: [] + artifacts: + paths: + - scan-build.reports/ + when: on_failure + +# Coverity Scan analysis upload + +.coverity_prep: &coverity_prep + - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form md5=1 + - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 + --form project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" + - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp + - test -d /tmp/cov-analysis-linux64-* + +.coverity_build: &coverity_build + - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'ninja -C ./build -v' + - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int + - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME + --form token=$COVERITY_SCAN_TOKEN + --form email=bind-changes@isc.org + --form file=@/tmp/cov-int.tar.gz + --form version="$(git rev-parse --short HEAD)" + --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 + | tee curl-response.txt + - grep -q 'Build successfully submitted' curl-response.txt + +coverity: + <<: *other_checks_job + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + EXTRA_CONFIGURE: "-Doptimization=g -Ddoc=disabled -Didn=enabled" + script: + - *coverity_prep + - *configure + - *coverity_build + after_script: + - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ + needs: [] + artifacts: + paths: + - curl-response.txt + - cov-int.tar.gz + expire_in: "1 week" + when: on_failure + rules: + - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null' + +# Simple reproductibilty test, needs an image with meson >=1.6.0 +reproducible-build: + <<: *other_checks_job + <<: *alpine_3_23_amd64_image + needs: [] + variables: + CC: gcc + CFLAGS: "${CFLAGS_COMMON}" + before_script: + - *list_installed_package_versions + script: + # dnstap produces an intermediate .a file, and meson considers all .a + # files to be final results independently of whether they are installed or + # not. But the content of the .a file might be unstable under LTO due to + # -ffat-lto-objects. Hence we disable dnstap for reproducibility tests. + - meson reprotest + -- + -Ddnstap=disabled + -Ddoc=disabled + -Doptimization=1 + artifacts: + untracked: true + when: on_failure + +# git fsck operates over the whole repository and is sufficient to schedule it +# only in one branch, preferably "main". GitLab's clone strategy prevents us +# from using the "bind9" repo clone; we need to clone it ourselves. +fsck: + <<: *other_checks_job + variables: + GIT_STRATEGY: none + script: + - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone + - cd bind9-full-clone/ + - git fsck + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + needs: [] tarball-create: <<: *build_job @@ -1274,32 +1389,6 @@ gcc:trixie:amd64cross32: <<: *debian_trixie_amd64cross32_image <<: *build_job -# Jobs for scan-build builds on Debian 13 "trixie" (amd64) - -.scan_build: &scan_build - - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)" - --keep-cc - --status-bugs - --keep-going - -o scan-build.reports ninja -C build - -scan-build: - <<: *other_checks_job - variables: - CC: "${CLANG}" - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "-Didn=enabled --native-file ci/clang-trixie.ini" - before_script: - - *list_installed_package_versions - script: - - *configure - - *scan_build - needs: [] - artifacts: - paths: - - scan-build.reports/ - when: on_failure - # Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "trixie" (amd64) # Run with pkcs11-provider tests @@ -1595,7 +1684,7 @@ generate-tsan-stress-test-configs: tsan:stress: <<: *default_triggering_rules - stage: other-checks + stage: system variables: PARENT_PIPELINE_ID: $CI_PIPELINE_ID trigger: @@ -2021,54 +2110,6 @@ customer-git:tag: script: - bind9-qa/releng/push_to_customer_repository.py --tag "$CI_COMMIT_TAG" --entitlements isc-customer-settings/entitlements.yaml --force -# Coverity Scan analysis upload - -.coverity_prep: &coverity_prep - - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64 - --form project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - --form md5=1 - - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64 - --form project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)" - - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp - - test -d /tmp/cov-analysis-linux64-* - -.coverity_build: &coverity_build - - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'ninja -C ./build -v' - - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int - - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME - --form token=$COVERITY_SCAN_TOKEN - --form email=bind-changes@isc.org - --form file=@/tmp/cov-int.tar.gz - --form version="$(git rev-parse --short HEAD)" - --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1 - | tee curl-response.txt - - grep -q 'Build successfully submitted' curl-response.txt - -coverity: - <<: *other_checks_job - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - EXTRA_CONFIGURE: "-Doptimization=g -Ddoc=disabled -Didn=enabled" - script: - - *coverity_prep - - *configure - - *coverity_build - after_script: - - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ - needs: [] - artifacts: - paths: - - curl-response.txt - - cov-int.tar.gz - expire_in: "1 week" - when: on_failure - rules: - - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null' - # Respdiff tests respdiff: @@ -2215,47 +2256,10 @@ stress-test-child-pipeline: - job: generate-stress-test-configs artifacts: true -# Simple reproductibilty test, needs an image with meson >=1.6.0 -reproducible-build: - <<: *other_checks_job - <<: *alpine_3_23_amd64_image - needs: [] - variables: - CC: gcc - CFLAGS: "${CFLAGS_COMMON}" - before_script: - - *list_installed_package_versions - script: - # dnstap produces an intermediate .a file, and meson considers all .a - # files to be final results independently of whether they are installed or - # not. But the content of the .a file might be unstable under LTO due to - # -ffat-lto-objects. Hence we disable dnstap for reproducibility tests. - - meson reprotest - -- - -Ddnstap=disabled - -Ddoc=disabled - -Doptimization=1 - artifacts: - untracked: true - when: on_failure - -# git fsck operates over the whole repository and is sufficient to schedule it -# only in one branch, preferably "main". GitLab's clone strategy prevents us -# from using the "bind9" repo clone; we need to clone it ourselves. -fsck: - <<: *other_checks_job - variables: - GIT_STRATEGY: none - script: - - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone - - cd bind9-full-clone/ - - git fsck - rules: - - if: '$CI_PIPELINE_SOURCE == "schedule"' - needs: [] - gcov: - <<: *other_checks_job + <<: *default_triggering_rules + <<: *base_image + stage: system needs: - job: system:gcc:trixie:amd64 artifacts: true From ae7682915712e7abbfb3cbfefc837f0505b68bd0 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 17:19:28 +0100 Subject: [PATCH 06/10] Add faster CI jobs to the "quick-checks" stage Given the short runtime (<1min) of the "linkcheck" and "generate-tsan-stress-test-configs" CI jobs, move them to the "quick-checks" stage. --- .gitlab-ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5d3714654f..2430567ba3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -993,8 +993,7 @@ changelog: untracked: true linkcheck: - <<: *base_image - stage: docs + <<: *quick_checks_job script: # Some domains tested by linkchecker may think that we connect to them too # often and will refuse connection or reply with and error code, which @@ -1671,9 +1670,7 @@ unit:clang:tsan: artifacts: true generate-tsan-stress-test-configs: - <<: *base_image - <<: *default_triggering_rules - stage: system + <<: *quick_checks_job script: - util/generate-tsan-stress-jobs.py > tsan-stress-test-configs.yml artifacts: From b3ac6b47d9bd347a2a008cd834a8553d585e9308 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Mon, 15 Dec 2025 17:21:27 +0100 Subject: [PATCH 07/10] Group CI jobs in "quick-checks" stage together Move the jobs in the "quick-checks" stage to the same place in .gitlab-ci.yml. --- .gitlab-ci.yml | 70 +++++++++++++++++++++++++------------------------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2430567ba3..96b8417076 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -819,6 +819,41 @@ mypy: script: - mypy "bin/tests/system/isctest/" +linkcheck: + <<: *quick_checks_job + script: + # Some domains tested by linkchecker may think that we connect to them too + # often and will refuse connection or reply with and error code, which + # makes this job fail. Let's check links only on Wednesdays. + - if [ "$(date +%w)" != "3" ]; then exit 0; fi + - pushd doc/arm/ > /dev/null && sphinx-build -b linkcheck . linkcheck_output/ + artifacts: + paths: + - doc/arm/linkcheck_output/ + rules: + - if: '$CI_PIPELINE_SOURCE == "schedule"' + needs: [] + +generate-stress-test-configs: + <<: *quick_checks_job + script: + - *git_clone_bind9-qa + - bind9-qa/stress/generate-stress-test-configs.py > stress-test-configs.yml + artifacts: + paths: + - stress-test-configs.yml + needs: [] + +generate-tsan-stress-test-configs: + <<: *quick_checks_job + script: + - util/generate-tsan-stress-jobs.py > tsan-stress-test-configs.yml + artifacts: + paths: + - tsan-stress-test-configs.yml + needs: [] + when: manual + # Jobs in the other-checks stage checkbashisms: @@ -992,21 +1027,6 @@ changelog: artifacts: untracked: true -linkcheck: - <<: *quick_checks_job - script: - # Some domains tested by linkchecker may think that we connect to them too - # often and will refuse connection or reply with and error code, which - # makes this job fail. Let's check links only on Wednesdays. - - if [ "$(date +%w)" != "3" ]; then exit 0; fi - - pushd doc/arm/ > /dev/null && sphinx-build -b linkcheck . linkcheck_output/ - artifacts: - paths: - - doc/arm/linkcheck_output/ - rules: - - if: '$CI_PIPELINE_SOURCE == "schedule"' - needs: [] - docs: <<: *default_triggering_rules <<: *base_image @@ -1669,16 +1689,6 @@ unit:clang:tsan: - job: clang:tsan artifacts: true -generate-tsan-stress-test-configs: - <<: *quick_checks_job - script: - - util/generate-tsan-stress-jobs.py > tsan-stress-test-configs.yml - artifacts: - paths: - - tsan-stress-test-configs.yml - needs: [] - when: manual - tsan:stress: <<: *default_triggering_rules stage: system @@ -2222,16 +2232,6 @@ shotgun:doh-get: # - *shotgun_rule_tag # - *shotgun_rule_other -generate-stress-test-configs: - <<: *quick_checks_job - script: - - *git_clone_bind9-qa - - bind9-qa/stress/generate-stress-test-configs.py > stress-test-configs.yml - artifacts: - paths: - - stress-test-configs.yml - needs: [] - stress-test-child-pipeline: <<: *default_triggering_rules stage: performance From 432b7d7954bc37175c5db20c2f5894214ca0661d Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Fri, 19 Dec 2025 11:55:30 +0100 Subject: [PATCH 08/10] Move "needs: []" to the "quick_checks_job" anchor Most jobs in this stage have it by default, so it makes sense to add it to their common anchor. Jobs with different "needs:" will override it. --- .gitlab-ci.yml | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 96b8417076..7cfe536f5c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -361,6 +361,7 @@ stages: <<: *default_triggering_rules <<: *base_image stage: quick-checks + needs: [] tags: - smalljob @@ -646,7 +647,6 @@ misc: # Check dangling symlinks in the repository - if find . -xtype l | grep .; then exit 1; fi - muon-meson analyze -Werror - needs: [] artifacts: paths: - checklibs.out @@ -655,7 +655,6 @@ misc: black: <<: *quick_checks_job <<: *python_triggering_rules - needs: [] script: - black $(git ls-files '*.py') - git diff > black.patch @@ -669,7 +668,6 @@ black: vulture: <<: *quick_checks_job <<: *python_triggering_rules - needs: [] script: - vulture --exclude "*ans.py,conftest.py,re_compile_checker.py,isctest" --ignore-names "after_servers_start,bootstrap,pytestmark,autouse_*" bin/tests/system/ @@ -690,7 +688,6 @@ ci-orphaned-anchors: script: - *git_clone_bind9-qa - bind9-qa/ci-orphaned-anchors/check-orphaned-anchors-ci.py .gitlab-ci.yml - needs: [] rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event"' changes: @@ -708,7 +705,6 @@ clang-format: - *rule_mr_manual - *rule_tag - *rule_source_other_than_mr - needs: [] script: - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi - git diff > clang-format.patch @@ -728,7 +724,6 @@ meson-format: - *rule_mr_manual - *rule_tag - *rule_source_other_than_mr - needs: [] script: - git ls-files "*meson.build" | xargs muon-meson fmt -i - git diff > meson-format.patch @@ -745,7 +740,6 @@ meson-format: doctest: <<: *quick_checks_job - needs: [] # This script needs to: 1) fail if the doctest fails, 2) fail if # the junit.xml file is broken, 3) produce the junit.xml file even if # the doctest fails. Therefore, $RET is used to "cache" the @@ -773,7 +767,6 @@ doctest: pylint: <<: *quick_checks_job <<: *python_triggering_rules - needs: [] variables: PYTHONPATH: "${CI_PROJECT_DIR}/bin/tests/system" script: @@ -783,7 +776,6 @@ pylint: reuse: <<: *quick_checks_job - needs: [] image: name: docker.io/fsfe/reuse:latest entrypoint: [""] @@ -793,7 +785,6 @@ reuse: shfmt: <<: *quick_checks_job <<: *shell_triggering_rules - needs: [] script: - shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in") - git diff > shfmt.patch @@ -806,7 +797,6 @@ shfmt: danger: <<: *quick_checks_job - needs: [] script: - pip install git+https://gitlab.isc.org/isc-projects/hazard.git - hazard @@ -832,7 +822,6 @@ linkcheck: - doc/arm/linkcheck_output/ rules: - if: '$CI_PIPELINE_SOURCE == "schedule"' - needs: [] generate-stress-test-configs: <<: *quick_checks_job @@ -842,7 +831,6 @@ generate-stress-test-configs: artifacts: paths: - stress-test-configs.yml - needs: [] generate-tsan-stress-test-configs: <<: *quick_checks_job @@ -851,7 +839,6 @@ generate-tsan-stress-test-configs: artifacts: paths: - tsan-stress-test-configs.yml - needs: [] when: manual # Jobs in the other-checks stage From 66175b448cbc0db5b26095dae47333549e82c325 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Tue, 13 Jan 2026 16:32:45 +0100 Subject: [PATCH 09/10] De-duplicate yaml for "other-checks" jobs In .gitlab-ci.yml, since "&other_checks_job" has "needs: []", remove that line from the jobs that use that anchor. --- .gitlab-ci.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7cfe536f5c..ee6c6391b6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -846,7 +846,6 @@ generate-tsan-stress-test-configs: checkbashisms: <<: *other_checks_job <<: *shell_triggering_rules - needs: [] script: - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print) @@ -862,7 +861,6 @@ coccinelle: - *rule_mr_manual - *rule_tag - *rule_source_other_than_mr - needs: [] script: - util/check-cocci.sh - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi @@ -887,7 +885,6 @@ scan-build: script: - *configure - *scan_build - needs: [] artifacts: paths: - scan-build.reports/ @@ -931,7 +928,6 @@ coverity: - *coverity_build after_script: - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/ - needs: [] artifacts: paths: - curl-response.txt @@ -945,7 +941,6 @@ coverity: reproducible-build: <<: *other_checks_job <<: *alpine_3_23_amd64_image - needs: [] variables: CC: gcc CFLAGS: "${CFLAGS_COMMON}" @@ -978,7 +973,6 @@ fsck: - git fsck rules: - if: '$CI_PIPELINE_SOURCE == "schedule"' - needs: [] tarball-create: <<: *build_job From e9f2b7944e6d9ad3e93357046828e92d61e15108 Mon Sep 17 00:00:00 2001 From: Andoni Duarte Pintado Date: Thu, 15 Jan 2026 12:16:30 +0100 Subject: [PATCH 10/10] Add smalljob tag to small jobs not in the quick-checks stage Jobs using the "post_merge" and "manual_release_job_qa" anchors also complete in less than a minute, so they now include the "smalljob" tag. Since the "release" job is also a fast one, but without an anchor, the "smalljob" tag is added to its definition. --- .gitlab-ci.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ee6c6391b6..ba30f9e402 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1833,6 +1833,8 @@ release: artifacts: true - job: docs artifacts: true + tags: + - smalljob rules: - *rule_tag artifacts: @@ -1963,6 +1965,8 @@ publish: needs: - job: staging artifacts: false + tags: + - smalljob # Setting the FORCE_CVE_IDS environment variable to a comma-separated # list of CVE IDs enables overriding the autodetected ones. @@ -2277,6 +2281,8 @@ pairwise: <<: *base_image stage: postmerge needs: [] + tags: + - smalljob # post-merge processes should run even if another MR was merged while the job was running (or queued) interruptible: false variables: