From 260fdb053f57a2da23fca49ce7b7bd9122bfdf5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Budai?= Date: Fri, 26 Mar 2021 07:43:41 +0100 Subject: [PATCH] ci: add GitLab CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit adds an experimental GitLab-based CI. See the PR for more information. Signed-off-by: Ondřej Budai --- .github/workflows/trigger-gitlab.yml | 57 ++++++++++++++++++ .gitlab-ci.yml | 89 ++++++++++++++++++++++++++++ schutzbot/save_journal.sh | 4 ++ schutzbot/terraform | 1 + schutzbot/update_github_status.sh | 29 +++++++++ 5 files changed, 180 insertions(+) create mode 100644 .github/workflows/trigger-gitlab.yml create mode 100644 .gitlab-ci.yml create mode 100755 schutzbot/save_journal.sh create mode 100644 schutzbot/terraform create mode 100755 schutzbot/update_github_status.sh
diff --git a/.github/workflows/trigger-gitlab.yml b/.github/workflows/trigger-gitlab.yml
new file mode 100644
index 000000000..2a60c3e9f
--- /dev/null
+++ b/.github/workflows/trigger-gitlab.yml
@@ -0,0 +1,57 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+on: [push, pull_request_target]
+
+jobs:
+ pr-info:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Query author repository permissions
+ uses: octokit/request-action@v2.x
+ id: user_permission
+ with:
+ route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # restrict running of tests to users with admin or write permission for the repository
+ # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
+ # store output if user is allowed in allowed_user job output so it has to be checked in downstream job
+ - name: Check if user does have correct permissions
+ if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission)
+ id: check_user_perm
+ run: |
+ echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'"
+ echo "::set-output name=allowed_user::true"
+
+ outputs:
+ allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }}
+
+ trigger-gitlab:
+ needs: pr-info
+ if: needs.pr-info.outputs.allowed_user == 'true'
+ runs-on: ubuntu-latest
+ env:
+ SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v2
+ with:
+ # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - name: Push to gitlab
+ run: |
+ mkdir -p ~/.ssh
+ echo "${SCHUTZBOT_SSH_KEY}" > ~/.ssh/id_rsa
+ chmod 400 ~/.ssh/id_rsa
+ touch ~/.ssh/known_hosts
+ ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+ git remote add ci git@gitlab.com:osbuild/ci/osbuild-composer.git
+ if [ ${{ github.event.pull_request.number }} ]; then
+ git checkout -b PR-${{
github.event.pull_request.number }}
+ fi
+
+ git push -f ci
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 000000000..221956b6d
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,89 @@
+stages:
+ - init
+ - rpmbuild
+ - test
+ - finish
+
+.terraform:
+ after_script:
+ - schutzbot/update_github_status.sh update
+ - schutzbot/save_journal.sh
+ tags:
+ - terraform
+ artifacts:
+ paths:
+ - journal-log
+ when: always
+
+init:
+ stage: init
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh start
+
+RPM:
+ stage: rpmbuild
+ extends: .terraform
+ variables:
+ EXTRA_REPO_PATH_SEGMENT: "gitlab/"
+ script:
+ - sh "schutzbot/mockbuild.sh"
+ parallel:
+ matrix:
+ - RUNNER:
+ - aws/fedora-32-x86_64
+ - aws/fedora-33-x86_64
+ - aws/fedora-33-aarch64
+ - aws/fedora-34-x86_64
+ - aws/fedora-34-aarch64
+ - aws/rhel-8-x86_64
+ - aws/rhel-8-aarch64
+ - aws/centos-stream-8-x86_64
+ - aws/centos-stream-8-aarch64
+ - RUNNER:
+ - aws/rhel-8.4-x86_64
+ INTERNAL_NETWORK: ["true"]
+
+Base:
+ stage: test
+ extends: .terraform
+ variables:
+ EXTRA_REPO_PATH_SEGMENT: "gitlab/"
+ script:
+ - schutzbot/deploy.sh
+ - /usr/libexec/tests/osbuild-composer/base_tests.sh
+ parallel:
+ matrix:
+ - RUNNER:
+ - aws/fedora-32-x86_64
+ - aws/fedora-33-x86_64
+ - aws/fedora-33-aarch64
+ - aws/rhel-8-x86_64
+ - aws/rhel-8-aarch64
+ - aws/centos-stream-8-x86_64
+ - aws/centos-stream-8-aarch64
+ - RUNNER:
+ - aws/rhel-8.4-x86_64
+ INTERNAL_NETWORK: ["true"]
+
+OSTree:
+ stage: test
+ extends: .terraform
+ variables:
+ EXTRA_REPO_PATH_SEGMENT: "gitlab/"
+ script:
+ - schutzbot/deploy.sh
+ - /usr/libexec/tests/osbuild-composer/ostree.sh
+ parallel:
+ matrix:
+ - RUNNER:
+ - openstack/fedora-33-x86_64
+ - openstack/rhel-8-x86_64
+
+finish:
+ stage: finish
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh finish
diff --git a/schutzbot/save_journal.sh b/schutzbot/save_journal.sh
new file mode 100755
index 000000000..7e708b15c
--- /dev/null
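Review bot: The permission gate in `pr-info` is what separates a fork pull request from the `trigger-gitlab` job that holds `SCHUTZBOT_SSH_KEY` under `pull_request_target`, and it checks `github.event.sender.login`, the account that triggered the event, rather than the author of the code at `github.event.pull_request.head.sha`. If a collaborator with write access is the sender of an event on someone else's pull request (reopening it, for instance), the check passes and that head commit is pushed to the GitLab project for CI. Consider also gating on `github.event.pull_request.user.login` or on an explicit maintainer approval, and replacing the substring test with an exact match such as `contains(fromJson('["admin","write"]'), fromJson(steps.user_permission.outputs.data).permission)`. Separately, `ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts` in the "Push to gitlab" step trusts whatever host key is offered at run time; writing GitLab's published host key into `known_hosts` from the workflow would remove that trust-on-first-use step.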
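Review bot: The `artifacts` block in `.terraform` uploads `journal-log` with `when: always` and no `expire_in`, so every RPM, Base and OSTree job keeps a full boot journal (`schutzbot/save_journal.sh` dumps `journalctl --boot`) for as long as the project's default retention allows. A system journal from a host that ran the deploy and test scripts can carry tokens or credentials that happened to be logged, and it is readable by anyone who can download job artifacts. Adding a retention limit such as `expire_in: 1 week` (value constructed here; pick what fits the debugging window) and confirming artifact visibility on the GitLab project would bound that exposure.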
+++ b/schutzbot/save_journal.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# use tee, otherwise shellcheck complains
+sudo journalctl --boot | tee journal-log >/dev/null
diff --git a/schutzbot/terraform b/schutzbot/terraform
new file mode 100644
index 000000000..410a4a99b
--- /dev/null
+++ b/schutzbot/terraform
@@ -0,0 +1 @@
+f3f194fe1b176907baa60779b8b20d089326d8b6
diff --git a/schutzbot/update_github_status.sh b/schutzbot/update_github_status.sh
new file mode 100755
index 000000000..a59b63409
--- /dev/null
+++ b/schutzbot/update_github_status.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [[ $1 == "start" ]]; then
+ GITHUB_NEW_STATE="pending"
+ GITHUB_NEW_DESC="I'm currently testing this commit, be patient."
+elif [[ $1 == "finish" ]]; then
+ GITHUB_NEW_STATE="success"
+ GITHUB_NEW_DESC="I like this commit!"
+elif [[ $1 == "update" ]]; then
+ if [[ $CI_JOB_STATUS == "canceled" ]]; then
+ GITHUB_NEW_STATE="failure"
+ GITHUB_NEW_DESC="Someone told me to cancel this test run."
+ elif [[ $CI_JOB_STATUS == "failed" ]]; then
+ GITHUB_NEW_STATE="failure"
+ GITHUB_NEW_DESC="I'm sorry, something is odd about this commit."
+ else
+ exit 0
+ fi
+else
+ echo "unknown command"
+ exit 1
+fi
+
+curl \
+ -u "${SCHUTZBOT_LOGIN}" \
+ -X POST \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/osbuild/osbuild-composer/statuses/${CI_COMMIT_SHA}" \
+ -d '{"state":"'"${GITHUB_NEW_STATE}"'", "description": "'"${GITHUB_NEW_DESC}"'", "context": "Schutzbot on GitLab", "target_url": "'"${CI_PIPELINE_URL}"'"}'
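Review bot: The comment above the `journalctl` line in `save_journal.sh` does not say which shellcheck finding it works around, so the `| tee journal-log >/dev/null` reads as accidental. A comment such as `# tee instead of "sudo journalctl > journal-log": shellcheck SC2024 flags a redirect after sudo` would make the intent clear. The script also has no `set -o pipefail`, so a failing `journalctl` still exits 0 and leaves an empty or partial `journal-log`; if that is deliberate for an `after_script` helper, the same comment is the place to say so.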
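Review bot: The `curl` call at the end of `update_github_status.sh` passes the bot credential as `-u "${SCHUTZBOT_LOGIN}"` on the command line and runs without `--fail`, so the secret is a process argument on the runner and a 401 or 422 from the statuses API still exits 0. Feeding the credential through standard input, e.g. `curl --fail --silent --show-error --config - <<< "user = \"${SCHUTZBOT_LOGIN}\""` followed by the existing `-X POST ...` arguments, keeps it out of the argument list and makes a rejected status update visible in the job log. A `set -euo pipefail` line after the shebang would also stop the script from posting to `/statuses/` with an empty `CI_COMMIT_SHA` or an unset login. Since `.gitlab-ci.yml` calls this script from `after_script` in jobs that run code from the pushed branch, it is worth confirming that the token behind `SCHUTZBOT_LOGIN` is scoped to commit statuses only.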