meta-arm/.gitlab-ci.yml

image: ${MIRROR_GHCR}/siemens/kas/kas:4.3.2

variables:
  # These are needed as the k8s executor doesn't respect the container
  # entrypoint by default
  FF_KUBERNETES_HONOR_ENTRYPOINT: 1
  FF_USE_LEGACY_KUBERNETES_EXECUTION_STRATEGY: 0
  # The default value for KUBERNETES_CPU_REQUEST
  CPU_REQUEST: ""
  # The default machine tag for the build jobs
  DEFAULT_TAG: ""
  # The machine tag for the ACS test jobs
  ACS_TAG: ""
  # The directory to use as the persistent cache (the root for DL_DIR, SSTATE_DIR, etc)
  CACHE_DIR: $CI_BUILDS_DIR/persist
  # The container mirror to use
  MIRROR_GHCR: ghcr.io
  # Whether to run the SystemReady ACS tests
  ACS_TEST: 0
  # The list of extra Kas fragments to be used when building
  EXTRA_KAS_FILES: ""
  # The NVD API key to use when fetching CVEs
  NVDCVE_API_KEY: ""

stages:
  - prep
  - build

# Common job fragment to get a worker ready
.setup:
  when: manual
  tags:
    - $DEFAULT_TAG
  stage: build
  interruptible: true
  variables:
    KAS_WORK_DIR: $CI_PROJECT_DIR/work
    KAS_REPO_REF_DIR: $CACHE_DIR/repos
    SSTATE_DIR: $CACHE_DIR/sstate
    DL_DIR: $CACHE_DIR/downloads
    BB_LOGCONFIG: $CI_PROJECT_DIR/ci/logging.yml
    TOOLCHAIN_DIR: $CACHE_DIR/toolchains
    IMAGE_DIR: $CI_PROJECT_DIR/work/build/tmp/deploy/images
    TOOLCHAIN_LINK_DIR: $CI_PROJECT_DIR/work/build/toolchains
  before_script:
    - echo KAS_WORK_DIR = $KAS_WORK_DIR
    - echo SSTATE_DIR = $SSTATE_DIR
    - echo DL_DIR = $DL_DIR
    - rm -rf $KAS_WORK_DIR
    - mkdir --verbose --parents $KAS_WORK_DIR $KAS_REPO_REF_DIR $SSTATE_DIR $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR
    # Must do this here, as it's the only way to make sure the toolchain is installed on the same builder
    - ./ci/get-binary-toolchains $DL_DIR $TOOLCHAIN_DIR $TOOLCHAIN_LINK_DIR

# Generalised fragment to do a Kas build
.build:
  extends: .setup
  variables:
    KUBERNETES_CPU_REQUEST: $CPU_REQUEST
  rules:
    # Don't run MR pipelines
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    # Don't run pipelines for tags
    - if: $CI_COMMIT_TAG
      when: never
    # Don't run if BUILD_ENABLE_REGEX is set, but the job doesn't match the regex
    - if: '$BUILD_ENABLE_REGEX != null && $CI_JOB_NAME !~ $BUILD_ENABLE_REGEX'
      when: never
    # Allow the dev kernels to fail and not fail the overall build
    - if: '$KERNEL == "linux-yocto-dev"'
      allow_failure: true
    # Catch all for everything else
    - if: '$KERNEL != "linux-yocto-dev"'
  script:
    - KASFILES=$(./ci/jobs-to-kas "$CI_JOB_NAME" $EXTRA_KAS_FILES):lockfile.yml
    - echo KASFILES=$KASFILES
    - kas dump --update --force-checkout --resolve-refs --resolve-env $KASFILES
    - kas build $KASFILES
    - ./ci/check-warnings $KAS_WORK_DIR/build/warnings.log
  artifacts:
    name: "logs"
    when: always
    paths:
      - $CI_PROJECT_DIR/work/build/tmp*/work*/**/temp/log.do_*.*
      - $CI_PROJECT_DIR/work/build/tmp*/work*/**/testimage/*

#
# Prep stage, update repositories once.
# Set the CI variable CI_CLEAN_REPOS=1 to refetch the respositories from scratch
#
update-repos:
  extends: .setup
  when: on_success
  stage: prep
  allow_failure:
    exit_codes: 128
  script:
    - |
      flock --verbose --timeout 60 $KAS_REPO_REF_DIR ./ci/update-repos
      # Only generate if doesn't already exist, to allow feature branches to drop one in.
      if test -f lockfile.yml; then
        echo Using existing lockfile.yml
      else
        # Be sure that this is the complete list of layers being fetched
        kas dump --lock --update ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/clang.yml:ci/meta-virtualization.yml | tee lockfile.yml
      fi
  artifacts:
    name: "lockfile"
    paths:
      - lockfile.yml

#
# Build stage, the actual build jobs
#
# Available options for building are
#  DISTRO: [poky, poky-tiny]
#  KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
#  TOOLCHAINS: [gcc, clang, external-gccarm]
#  TCLIBC: [glibc, musl]
#  FIRMWARE: [u-boot, edk2]
#  TS: [none, trusted-services]
#  VIRT: [none, xen]
#  TESTING: testimage

arm-systemready-ir-acs:
  extends: .build
  timeout: 12h
  parallel:
    matrix:
      # arm-systemready-ir-acs must be specified after fvp-base for ordering
      # purposes for the jobs-to-kas output. It is not enough to just have it
      # in the job name because fvp-base.yml overwrites the target.
      - PLATFORM: fvp-base
        ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
  tags:
    - ${ACS_TAG}

# Validate layers are Yocto Project Compatible
check-layers:
  extends: .setup
  script:
    - kas shell --update --force-checkout ci/base.yml:ci/meta-openembedded.yml:lockfile.yml --command \
      "yocto-check-layer-wrapper $CI_PROJECT_DIR/$LAYER --dependency $CI_PROJECT_DIR/meta-* $KAS_WORK_DIR/meta-openembedded/meta-oe --no-auto-dependency"
  parallel:
    matrix:
      - LAYER: [meta-arm, meta-arm-bsp, meta-arm-toolchain]

corstone1000-fvp:
  extends: .build
  parallel:
    matrix:
      - FIRMWARE: corstone1000-firmware-only
        TESTING: [testimage, tftf]
      - FIRMWARE: none
        TESTING: testimage
      - SYSTEMREADY_FIRMWARE: arm-systemready-firmware

corstone1000-mps3:
  extends: .build
  parallel:
    matrix:
      - FIRMWARE: corstone1000-firmware-only
        TESTING: [none, tftf]
      - FIRMWARE: none

documentation:
  extends: .setup
  script:
    - |
      # This can be removed when the kas container has python3-venv installed
      sudo apt-get update && sudo apt-get install --yes python3-venv

      python3 -m venv venv
      . ./venv/bin/activate

      pip3 install -r meta-arm-bsp/documentation/requirements.txt

      for CONF in meta-*/documentation/*/conf.py ; do
        echo Building $CONF...
        SOURCE_DIR=$(dirname $CONF)
        MACHINE=$(basename $SOURCE_DIR)
        sphinx-build -vW $SOURCE_DIR build-docs/$MACHINE
      done
      test -d build-docs/
  artifacts:
    paths:
      - build-docs/

fvp-base:
  extends: .build
  parallel:
    matrix:
      - TS: [none, fvp-base-ts]
        TESTING: testimage
      - FIRMWARE: edk2
      - SYSTEMREADY_FIRMWARE: arm-systemready-firmware

arm-systemready-ir-acs:
  extends: .build
  timeout: 12h
  parallel:
    matrix:
      # arm-systemready-ir-acs must be specified after fvp-base for ordering
      # purposes for the jobs-to-kas output. It is not enough to just have it
      # in the job name because fvp-base.yml overwrites the target.
      - PLATFORM: [fvp-base, corstone1000-fvp]
        ARM_SYSTEMREADY_IR_ACS: arm-systemready-ir-acs
  tags:
    - ${ACS_TAG}

fvps:
  extends: .build

genericarm64:
  extends: .build
  parallel:
    matrix:
      - TOOLCHAINS: [gcc, clang]
        TESTING: testimage
      - KERNEL: linux-yocto-dev
        TESTING: testimage

juno:
  extends: .build
  parallel:
    matrix:
      - TOOLCHAINS: [gcc, clang]
        FIRMWARE: [u-boot, edk2]

# What percentage of machines in the layer do we build
machine-coverage:
  extends: .setup
  script:
    - ./ci/check-machine-coverage
  coverage: '/Coverage: \d+/'

metrics:
  extends: .setup
  artifacts:
    reports:
      metrics: metrics.txt
  script:
    - kas shell --update --force-checkout ci/base.yml --command \
      "$CI_PROJECT_DIR/ci/patchreview $CI_PROJECT_DIR/meta-* --verbose --metrics $CI_PROJECT_DIR/metrics.txt"

musca-b1:
  extends: .build

musca-s1:
  extends: .build

n1sdp:
  extends: .build
  parallel:
    matrix:
      - TESTING: [none, n1sdp-ts, n1sdp-optee, tftf]

pending-updates:
  extends: .setup
  artifacts:
    paths:
      - update-report
  script:
    - rm -fr update-report
    # This configuration has all of the layers we need enabled
    - kas shell --update --force-checkout ci/qemuarm64.yml:ci/meta-openembedded.yml:ci/meta-secure-core.yml:lockfile.yml --command \
      "$CI_PROJECT_DIR/scripts/machine-summary.py -t report -o $CI_PROJECT_DIR/update-report $($CI_PROJECT_DIR/ci/listmachines.py meta-arm meta-arm-bsp)"
  # Do this on x86 whilst the compilers are x86-only
  tags:
    - x86_64

qemuarm64-secureboot:
  extends: .build
  parallel:
    matrix:
      - KERNEL: [linux-yocto, linux-yocto-rt]
        TOOLCHAINS: [gcc, clang]
        TCLIBC: [glibc, musl]
        TS: [none, qemuarm64-secureboot-ts]
        TESTING: testimage
      - KERNEL: linux-yocto-dev
        TESTING: testimage

qemuarm64:
  extends: .build
  parallel:
    matrix:
      - DISTRO: poky
        KERNEL: [linux-yocto, linux-yocto-rt]
        TOOLCHAINS: [gcc, clang]
        FIRMWARE: [u-boot, edk2]
        TESTING: testimage
      - DISTRO: poky-tiny
        TESTING: testimage
      - VIRT: xen
      - KERNEL: linux-yocto-dev
        TESTING: testimage

qemuarm-secureboot:
  extends: .build
  parallel:
    matrix:
      - KERNEL: [linux-yocto, linux-yocto-rt]
        TOOLCHAINS: [gcc, clang]
        TCLIBC: [glibc, musl]
        TESTING: testimage
      - TOOLCHAINS: external-gccarm
        TESTING: testimage
      - KERNEL: linux-yocto-dev
        TESTING: testimage

qemuarm:
  extends: .build
  parallel:
    matrix:
      - DISTRO: poky
        KERNEL: [linux-yocto, linux-yocto-rt]
        TOOLCHAINS: [gcc, clang]
        FIRMWARE: [u-boot, edk2]
        TESTING: testimage
      - DISTRO: poky-tiny
        TESTING: testimage
      - VIRT: xen
      - KERNEL: linux-yocto-dev
        TESTING: testimage

qemuarmv5:
  extends: .build
  parallel:
    matrix:
      - DISTRO: poky
        KERNEL: [linux-yocto, linux-yocto-dev, linux-yocto-rt]
        TESTING: testimage
      - DISTRO: poky-tiny
        TESTING: testimage

sbsa-ref:
  extends: .build
  parallel:
    matrix:
      - KERNEL: [linux-yocto, linux-yocto-rt]
        TOOLCHAINS: [gcc, clang]
        TESTING: testimage
      - KERNEL: linux-yocto-dev
        TESTING: testimage

selftest:
  extends: .setup
  script:
    - KASFILES=./ci/qemuarm64.yml:./ci/selftest.yml:lockfile.yml
    - kas shell --update --force-checkout $KASFILES -c 'oe-selftest --num-processes 2 --select-tag meta-arm --run-all-tests'

sgi575:
  extends: .build

toolchains:
  extends: .build

gcs:
  when: on_success
  extends: .setup
  script:
    - kas build meta-arm-gcs/gcs-test.yml