ci: add Gitlab CI

This is an inital commit that enables the use of Gitlab CI.

.github/workflows/trigger-gitlab.yml

@@ -0,0 +1,55 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+on: [push, pull_request_target]
+
+jobs:
+  pr-info:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Query author repository permissions
+        uses: octokit/request-action@v2.x
+        id: user_permission
+        with:
+          route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # restrict running of tests to users with admin or write permission for the repository
+      # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
+      # store output if user is allowed in allowed_user job output so it has to be checked in downstream job
+      - name: Check if user does have correct permissions
+        if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission)
+        id: check_user_perm
+        run: |
+          echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'"
+          echo "::set-output name=allowed_user::true"
+    outputs:
+      allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }}
+
+  trigger-gitlab:
+    needs: pr-info
+    if: needs.pr-info.outputs.allowed_user == 'true'
+    runs-on: ubuntu-latest
+    env:
+      SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v2
+        with:
+          # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Push to gitlab
+        run: |
+          mkdir -p ~/.ssh
+          echo "${SCHUTZBOT_SSH_KEY}" > ~/.ssh/id_rsa
+          chmod 400 ~/.ssh/id_rsa
+          touch ~/.ssh/known_hosts
+          ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+          git remote add ci git@gitlab.com:osbuild/ci/osbuild.git
+          if [ ${{ github.event.pull_request.number }} ]; then
+            git checkout -b PR-${{ github.event.pull_request.number }}
+          fi
+          git push -f ci

.gitlab-ci.yml

@@ -0,0 +1,67 @@
+stages:
+  - init
+  - rpmbuild
+  - test
+  - finish
+
+.terraform:
+  after_script:
+    - schutzbot/update_github_status.sh update
+    - schutzbot/save_journal.sh
+  tags:
+    - terraform
+  artifacts:
+    paths:
+      - journal-log
+    when: always
+
+init:
+  stage: init
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh start
+
+RPM:
+  stage: rpmbuild
+  extends: .terraform
+  script:
+    - sh "schutzbot/mockbuild.sh"
+  parallel:
+    matrix:
+      - RUNNER:
+          - aws/fedora-33-x86_64
+          - aws/fedora-33-aarch64
+          - aws/centos-stream-8-x86_64
+          - aws/centos-stream-8-aarch64
+      - RUNNER:
+          - aws/rhel-8-x86_64
+          - aws/rhel-8-aarch64
+        REGISTER: "true"
+      - RUNNER:
+          - aws/rhel-8.5-x86_64
+        INTERNAL_NETWORK: "true"
+
+Testing:
+  stage: test
+  extends: .terraform
+  script:
+    - schutzbot/deploy.sh
+    - /usr/libexec/tests/osbuild-composer/image_tests.sh
+  parallel:
+    matrix:
+      - RUNNER:
+          - aws/fedora-33-x86_64
+        INTERNAL_NETWORK: "true"
+      - RUNNER:
+          - aws/rhel-8-x86_64
+        REGISTER: "true"
+        DISTRO_CODE: "rhel_8"
+        INTERNAL_NETWORK: "true"
+
+finish:
+  stage: finish
+  tags:
+    - shell
+  script:
+    - schutzbot/update_github_status.sh finish

schutzbot/deploy.sh

@@ -1,18 +1,19 @@
 #!/bin/bash
 set -euxo pipefail
 
-DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com
+DNF_REPO_BASEURL=http://osbuild-composer-repos.s3.amazonaws.com
 
 # The osbuild-composer commit to run reverse-dependency test against.
-# Currently: osbuild-composer 29
-OSBUILD_COMPOSER_COMMIT=bb235deb6279a0886c0324d61a2511485e6b44f8
+# Currently: ci: remove EXTRA_REPO_PATH_SEGMENT
+OSBUILD_COMPOSER_COMMIT=cca5c9fd4002a02ae509416a6cbc3e60e697e6dd
 
 # Get OS details.
 source /etc/os-release
 ARCH=$(uname -m)
 
-# Register RHEL if we are provided with a registration script.
-if [[ -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
+# Register RHEL if we are provided with a registration script and intend to do that.
+REGISTER="${REGISTER:-'false'}"
+if [[ $REGISTER == "true" && -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
     sudo chmod +x $RHN_REGISTRATION_SCRIPT
     sudo $RHN_REGISTRATION_SCRIPT
 fi
@@ -23,8 +24,8 @@ cat schutzbot/team_ssh_keys.txt | tee -a ~/.ssh/authorized_keys > /dev/null
 # Set up dnf repositories with the RPMs we want to test
 sudo tee /etc/yum.repos.d/osbuild.repo << EOF
 [osbuild]
-name=osbuild ${GIT_COMMIT}
-baseurl=${DNF_REPO_BASEURL}/osbuild/${ID}-${VERSION_ID}/${ARCH}/${GIT_COMMIT}
+name=osbuild ${CI_COMMIT_SHA}
+baseurl=${DNF_REPO_BASEURL}/osbuild/${ID}-${VERSION_ID}/${ARCH}/${CI_COMMIT_SHA}
 enabled=1
 gpgcheck=0
 # Default dnf repo priority is 99. Lower number means higher priority.

schutzbot/mockbuild.sh

@@ -24,7 +24,7 @@ COMMIT=$(git rev-parse HEAD)
 REPO_BUCKET=osbuild-composer-repos
 
 # Public URL for the S3 bucket with our artifacts.
-MOCK_REPO_BASE_URL="http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com"
+MOCK_REPO_BASE_URL="http://osbuild-composer-repos.s3.amazonaws.com"
 
 # Relative path of the repository – used for constructing both the local and
 # remote paths below, so that they're consistent.
@@ -50,8 +50,9 @@ if [[ $ID == rhel || $ID == centos ]] && ! rpm -q epel-release; then
     sudo rpm -Uvh /tmp/epel.rpm
 fi
 
-# Register RHEL if we are provided with a registration script.
-if [[ -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
+# Register RHEL if we are provided with a registration script and intend to do that.
+REGISTER="${REGISTER:-'false'}"
+if [[ $REGISTER == "true" && -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
     greenprint "🪙 Registering RHEL instance"
     sudo chmod +x "$RHN_REGISTRATION_SCRIPT"
     sudo "$RHN_REGISTRATION_SCRIPT"

schutzbot/save_journal.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# use tee, otherwise shellcheck complains
+sudo journalctl --boot | tee journal-log >/dev/null

schutzbot/terraform

@@ -0,0 +1 @@
+a4d1b9df8d720649b5c9a69b0a04f069eed37611

schutzbot/update_github_status.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [[ $1 == "start" ]]; then
+  GITHUB_NEW_STATE="pending"
+  GITHUB_NEW_DESC="I'm currently testing this commit, be patient."
+elif [[ $1 == "finish" ]]; then
+  GITHUB_NEW_STATE="success"
+  GITHUB_NEW_DESC="I like this commit!"
+elif [[ $1 == "update" ]]; then
+  if [[ $CI_JOB_STATUS == "canceled" ]]; then
+    GITHUB_NEW_STATE="failure"
+    GITHUB_NEW_DESC="Someone told me to cancel this test run."
+  elif [[ $CI_JOB_STATUS == "failed" ]]; then
+    GITHUB_NEW_STATE="failure"
+    GITHUB_NEW_DESC="I'm sorry, something is odd about this commit."
+  else
+    exit 0
+  fi
+else
+  echo "unknown command"
+  exit 1
+fi
+
+curl \
+    -u "${SCHUTZBOT_LOGIN}" \
+    -X POST \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/repos/osbuild/osbuild/statuses/${CI_COMMIT_SHA}" \
+    -d '{"state":"'"${GITHUB_NEW_STATE}"'", "description": "'"${GITHUB_NEW_DESC}"'", "context": "Schutzbot on GitLab", "target_url": "'"${CI_PIPELINE_URL}"'"}'