From e5d599d8eeeecb724ef3af3c0a002230658f5646 Mon Sep 17 00:00:00 2001
From: Jakub Rusz
Date: Tue, 1 Jun 2021 18:39:13 +0200
Subject: [PATCH] ci: add Gitlab CI

This is an inital commit that enables the use of Gitlab CI.
---
 .github/workflows/trigger-gitlab.yml | 55 +++++++++++++++++++++++
 .gitlab-ci.yml | 67 ++++++++++++++++++++++++++++
 schutzbot/deploy.sh | 15 ++++---
 schutzbot/mockbuild.sh | 7 +--
 schutzbot/save_journal.sh | 4 ++
 schutzbot/terraform | 1 +
 schutzbot/update_github_status.sh | 29 ++++++++++++
 7 files changed, 168 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/trigger-gitlab.yml
 create mode 100644 .gitlab-ci.yml
 create mode 100755 schutzbot/save_journal.sh
 create mode 100644 schutzbot/terraform
 create mode 100755 schutzbot/update_github_status.sh
diff --git a/.github/workflows/trigger-gitlab.yml b/.github/workflows/trigger-gitlab.yml
new file mode 100644
index 00000000..a8ccc326
--- /dev/null
+++ b/.github/workflows/trigger-gitlab.yml
@@ -0,0 +1,55 @@
+# inspired by rhinstaller/anaconda
+
+name: Trigger GitLab CI
+on: [push, pull_request_target]
+
+jobs:
+ pr-info:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Query author repository permissions
+ uses: octokit/request-action@v2.x
+ id: user_permission
+ with:
+ route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # restrict running of tests to users with admin or write permission for the repository
+ # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
+ # store output if user is allowed in allowed_user job output so it has to be checked in downstream job
+ - name: Check if user does have correct permissions
+ if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission)
+ id: check_user_perm
+ run: |
+ echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'"
+ echo "::set-output name=allowed_user::true"
+ outputs:
+ allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }}
+
+ trigger-gitlab:
+ needs: pr-info
+ if: needs.pr-info.outputs.allowed_user == 'true'
+ runs-on: ubuntu-latest
+ env:
+ SCHUTZBOT_SSH_KEY: ${{ secrets.SCHUTZBOT_SSH_KEY }}
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v2
+ with:
+ # otherwise we are testing target branch instead of the PR branch (see pull_request_target trigger)
+ ref: ${{ github.event.pull_request.head.sha }}
+ fetch-depth: 0
+
+ - name: Push to gitlab
+ run: |
+ mkdir -p ~/.ssh
+ echo "${SCHUTZBOT_SSH_KEY}" > ~/.ssh/id_rsa
+ chmod 400 ~/.ssh/id_rsa
+ touch ~/.ssh/known_hosts
+ ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts
+ git remote add ci git@gitlab.com:osbuild/ci/osbuild.git
+ if [ ${{ github.event.pull_request.number }} ]; then
+ git checkout -b PR-${{ github.event.pull_request.number }}
+ fi
+ git push -f ci
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..8fdc7326
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,67 @@
+stages:
+ - init
+ - rpmbuild
+ - test
+ - finish
+
+.terraform:
+ after_script:
+ - schutzbot/update_github_status.sh update
+ - schutzbot/save_journal.sh
+ tags:
+ - terraform
+ artifacts:
+ paths:
+ - journal-log
+ when: always
+
+init:
+ stage: init
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh start
+
+RPM:
+ stage: rpmbuild
+ extends: .terraform
+ script:
+ - sh "schutzbot/mockbuild.sh"
+ parallel:
+ matrix:
+ - RUNNER:
+ - aws/fedora-33-x86_64
+ - aws/fedora-33-aarch64
+ - aws/centos-stream-8-x86_64
+ - aws/centos-stream-8-aarch64
+ - RUNNER:
+ - aws/rhel-8-x86_64
+ - aws/rhel-8-aarch64
+ REGISTER: "true"
+ - RUNNER:
+ - aws/rhel-8.5-x86_64
+ INTERNAL_NETWORK: "true"
+
+Testing:
+ stage: test
+ extends: .terraform
+ script:
+ - schutzbot/deploy.sh
+ - /usr/libexec/tests/osbuild-composer/image_tests.sh
+ parallel:
+ matrix:
+ - RUNNER:
+ - aws/fedora-33-x86_64
+ INTERNAL_NETWORK: "true"
+ - RUNNER:
+ - aws/rhel-8-x86_64
+ REGISTER: "true"
+ DISTRO_CODE: "rhel_8"
+ INTERNAL_NETWORK: "true"
+
+finish:
+ stage: finish
+ tags:
+ - shell
+ script:
+ - schutzbot/update_github_status.sh finish
diff --git a/schutzbot/deploy.sh b/schutzbot/deploy.sh
index 9046ebdf..3ac756fc 100755
--- a/schutzbot/deploy.sh
+++ b/schutzbot/deploy.sh
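Review bot: The permission gate in pr-info keys on `github.event.sender.login`, the actor of the triggering event, not on the pull request's author or head repository; with `on: [push, pull_request_target]` and no `types` filter, an action by a collaborator on a PR opened from a fork would, as far as the visible condition shows, satisfy the check, after which trigger-gitlab checks out `github.event.pull_request.head.sha` with `SCHUTZBOT_SSH_KEY` in its environment and pushes that head to GitLab where the schutzbot scripts in this same patch run it. Consider additionally running the same permission query for `github.event.pull_request.user.login`, or requiring `github.event.pull_request.head.repo.full_name == github.repository`, and listing the `pull_request_target` `types` explicitly. In the push step, `ssh-keyscan -t rsa gitlab.com >> ~/.ssh/known_hosts` trusts whatever host key is presented at scan time; writing GitLab's published host key into known_hosts instead lets the push fail closed on a mismatch. `contains('admin write', …)` is a substring match that happens to work for the documented permission values; a short comment saying so would spare the next reader the check.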
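Review bot: In the RPM job, `- sh "schutzbot/mockbuild.sh"` runs the script under `sh`, while this same patch shows mockbuild.sh using bash-only `[[ … ]]` and the Testing job invokes `schutzbot/deploy.sh` directly; on the Fedora/RHEL/CentOS runners in the matrix `sh` resolves to bash so it works today, but it is inconsistent and would break on any runner where it does not. Suggest `- schutzbot/mockbuild.sh` (the file is already mode 100755 per the diff). A comment on `.terraform` such as `# after_script also runs for failed and canceled jobs, which is what lets update_github_status.sh report CI_JOB_STATUS` would document why the status update lives there rather than in `script`. The `journal-log` artifact is collected `when: always` from hosts that may have been registered via `REGISTER: "true"`; whether those logs are reachable beyond the project depends on the GitLab project's artifact visibility, which is not visible here, so it is worth confirming.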
@@ -1,18 +1,19 @@
 #!/bin/bash
 set -euxo pipefail
-DNF_REPO_BASEURL=http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com
+DNF_REPO_BASEURL=http://osbuild-composer-repos.s3.amazonaws.com
 # The osbuild-composer commit to run reverse-dependency test against.
-# Currently: osbuild-composer 29
-OSBUILD_COMPOSER_COMMIT=bb235deb6279a0886c0324d61a2511485e6b44f8
+# Currently: ci: remove EXTRA_REPO_PATH_SEGMENT
+OSBUILD_COMPOSER_COMMIT=cca5c9fd4002a02ae509416a6cbc3e60e697e6dd
 # Get OS details.
 source /etc/os-release
 ARCH=$(uname -m)
-# Register RHEL if we are provided with a registration script.
-if [[ -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
+# Register RHEL if we are provided with a registration script and intend to do that.
+REGISTER="${REGISTER:-'false'}"
+if [[ $REGISTER == "true" && -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
 sudo chmod +x $RHN_REGISTRATION_SCRIPT
 sudo $RHN_REGISTRATION_SCRIPT
 fi
@@ -23,8 +24,8 @@ cat schutzbot/team_ssh_keys.txt | tee -a ~/.ssh/authorized_keys > /dev/null
 # Set up dnf repositories with the RPMs we want to test
 sudo tee /etc/yum.repos.d/osbuild.repo << EOF
 [osbuild]
-name=osbuild ${GIT_COMMIT}
-baseurl=${DNF_REPO_BASEURL}/osbuild/${ID}-${VERSION_ID}/${ARCH}/${GIT_COMMIT}
+name=osbuild ${CI_COMMIT_SHA}
+baseurl=${DNF_REPO_BASEURL}/osbuild/${ID}-${VERSION_ID}/${ARCH}/${CI_COMMIT_SHA}
 enabled=1
 gpgcheck=0
 # Default dnf repo priority is 99. Lower number means higher priority.
diff --git a/schutzbot/mockbuild.sh b/schutzbot/mockbuild.sh
index e48c8a9f..4f31a976 100755
--- a/schutzbot/mockbuild.sh
+++ b/schutzbot/mockbuild.sh
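Review bot: `REGISTER="${REGISTER:-'false'}"` defaults the variable to the string `'false'`, quotes included, because single quotes inside `${…:-…}` within double quotes are literal; the `== "true"` test on the next line still behaves as intended, but anything that later logs or compares the default sees the quotes, so write `REGISTER="${REGISTER:-false}"`. The identical line is added in the mockbuild.sh hunk. The new `DNF_REPO_BASEURL` keeps plain `http://` although the S3 REST endpoint it now points at should also serve HTTPS, and the repo file written in the second hunk has `gpgcheck=0`, so transport is currently the only integrity check on the RPMs that get installed; `https://osbuild-composer-repos.s3.amazonaws.com` would close that gap, and the same applies to `MOCK_REPO_BASE_URL` in mockbuild.sh. The context lines `sudo chmod +x $RHN_REGISTRATION_SCRIPT` and `sudo $RHN_REGISTRATION_SCRIPT` are unquoted here while mockbuild.sh quotes them; since the surrounding `if` is being rewritten anyway, quoting them would make the two scripts match.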
@@ -24,7 +24,7 @@ COMMIT=$(git rev-parse HEAD)
 REPO_BUCKET=osbuild-composer-repos
 # Public URL for the S3 bucket with our artifacts.
-MOCK_REPO_BASE_URL="http://osbuild-composer-repos.s3-website.us-east-2.amazonaws.com"
+MOCK_REPO_BASE_URL="http://osbuild-composer-repos.s3.amazonaws.com"
 # Relative path of the repository – used for constructing both the local and
 # remote paths below, so that they're consistent.
@@ -50,8 +50,9 @@ if [[ $ID == rhel || $ID == centos ]] && ! rpm -q epel-release; then
 sudo rpm -Uvh /tmp/epel.rpm
 fi
-# Register RHEL if we are provided with a registration script.
-if [[ -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
+# Register RHEL if we are provided with a registration script and intend to do that.
+REGISTER="${REGISTER:-'false'}"
+if [[ $REGISTER == "true" && -n "${RHN_REGISTRATION_SCRIPT:-}" ]] && ! sudo subscription-manager status; then
 greenprint "🪙 Registering RHEL instance"
 sudo chmod +x "$RHN_REGISTRATION_SCRIPT"
 sudo "$RHN_REGISTRATION_SCRIPT"
diff --git a/schutzbot/save_journal.sh b/schutzbot/save_journal.sh
new file mode 100755
index 00000000..7e708b15
--- /dev/null
+++ b/schutzbot/save_journal.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# use tee, otherwise shellcheck complains
+sudo journalctl --boot | tee journal-log >/dev/null
diff --git a/schutzbot/terraform b/schutzbot/terraform
new file mode 100644
index 00000000..eaf2d5ad
--- /dev/null
+++ b/schutzbot/terraform
@@ -0,0 +1 @@
+a4d1b9df8d720649b5c9a69b0a04f069eed37611
diff --git a/schutzbot/update_github_status.sh b/schutzbot/update_github_status.sh
new file mode 100755
index 00000000..79d42cdf
--- /dev/null
+++ b/schutzbot/update_github_status.sh
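Review bot: In save_journal.sh the comment `# use tee, otherwise shellcheck complains` names the tool but not the warning, so the next reader cannot tell whether the pipe is load-bearing; the complaint is SC2024 (a `>` redirect is performed by the unprivileged shell, not by `sudo`), and since the target is the job's working directory a plain redirect would most likely have worked too. Suggest `# pipe through tee: a '>' redirect is done by the unprivileged shell, not sudo (shellcheck SC2024)`. The script also has no `set -euo pipefail`, unlike deploy.sh, so a failing journalctl silently yields an empty journal-log artifact; as it runs from `after_script` in `.gitlab-ci.yml` it presumably cannot change the job result, but `set -o pipefail` would at least make the failure visible in the job log.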
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+if [[ $1 == "start" ]]; then
+ GITHUB_NEW_STATE="pending"
+ GITHUB_NEW_DESC="I'm currently testing this commit, be patient."
+elif [[ $1 == "finish" ]]; then
+ GITHUB_NEW_STATE="success"
+ GITHUB_NEW_DESC="I like this commit!"
+elif [[ $1 == "update" ]]; then
+ if [[ $CI_JOB_STATUS == "canceled" ]]; then
+ GITHUB_NEW_STATE="failure"
+ GITHUB_NEW_DESC="Someone told me to cancel this test run."
+ elif [[ $CI_JOB_STATUS == "failed" ]]; then
+ GITHUB_NEW_STATE="failure"
+ GITHUB_NEW_DESC="I'm sorry, something is odd about this commit."
+ else
+ exit 0
+ fi
+else
+ echo "unknown command"
+ exit 1
+fi
+
+curl \
+ -u "${SCHUTZBOT_LOGIN}" \
+ -X POST \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/osbuild/osbuild/statuses/${CI_COMMIT_SHA}" \
+ -d '{"state":"'"${GITHUB_NEW_STATE}"'", "description": "'"${GITHUB_NEW_DESC}"'", "context": "Schutzbot on GitLab", "target_url": "'"${CI_PIPELINE_URL}"'"}'
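Review bot: The `curl` call posts the status without `--fail`, so an HTTP error from the API (wrong or expired `SCHUTZBOT_LOGIN`, rate limiting, an unknown `CI_COMMIT_SHA`) prints the error body and exits 0, leaving the GitHub status silently unchanged while the init and finish jobs still report success; change the first line to `curl -sS --fail \`. The script also has no `set -euo pipefail`, unlike deploy.sh, so an unset `CI_COMMIT_SHA` or `CI_PIPELINE_URL` is interpolated as an empty string into the URL and JSON body instead of failing early; adding `set -euo pipefail` after the shebang covers both. The JSON body is assembled by string concatenation, which is fine for the fixed descriptions here but produces invalid JSON the moment a description contains a double quote, so a comment stating that constraint on the `-d` line would prevent a quiet regression. Passing the credential via `-u "${SCHUTZBOT_LOGIN}"` also places it on the command line, where it is readable in the process list on the shell runner host for the duration of the request; `--netrc-file` or `-K` with a config file is the usual way to keep it out of argv.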