.system_test_common: &system_test_job
<<: *default_triggering_rules
stage: system
- before_script:
- - *setup_interfaces
# This script needs to: 1) fail if the system tests fail, 2) fail if
# the junit.xml file is broken, 3) produce the junit.xml file even if
# the system tests fail. Therefore, $RET is used to "cache" the
# system tests fail would make checking the contents of the junit.xml
# file impossible (GitLab Runner uses "set -o pipefail").
script:
+ - *setup_interfaces
- *fips_feature_test
- *find_pytest
- *find_python
- cd bin/tests/system
- RET=0
- >
- ("$PYTEST" --junit-xml="$CI_PROJECT_DIR"/junit.xml -n "$TEST_PARALLEL_JOBS" | tee pytest.out.txt) || RET=1
+ (python3.12 -m pytest -W ignore::pytest.PytestRemovedIn9Warning --junit-xml="$CI_PROJECT_DIR"/junit.xml -n "$TEST_PARALLEL_JOBS" | tee pytest.out.txt) || RET=1
- *check_for_junit_xml
- (exit $RET)
- '( ! grep -F "grep: warning:" pytest.out.txt )'
- *display_pytest_failures
- *parse_tsan
-.unit_test_common: &unit_test_job
- <<: *default_triggering_rules
- stage: unit
- # This script needs to: 1) fail if the unit tests fail, 2) fail if the
- # junit.xml file is broken, 3) produce the junit.xml file even if the
- # unit tests fail. Therefore, $RET is used to "cache" the result of
- # running "meson test" as interrupting the script immediately when
- # unit tests fail would make checking the contents of the junit.xml
- # file impossible (GitLab Runner uses "set -o pipefail").
- script:
- - *fips_feature_test
- - RET=0
- - meson test -C build --no-rebuild --no-suite flaky || RET=1
- - cp build/meson-logs/testlog.junit.xml $CI_PROJECT_DIR/junit.xml
- - meson test -C build --no-rebuild --suite flaky --logbase testlog-flaky || meson test -C build --no-rebuild --suite flaky --logbase testlog-flaky || RET=1
- - *check_for_junit_xml
- - (exit $RET)
- - test "$CLEAN_BUILD_ARTIFACTS_ON_SUCCESS" -eq 0 || ninja -C build clean >/dev/null 2>&1
- artifacts:
- untracked: true
- when: always
- reports:
- junit:
- - junit.xml
- - build/meson-logs/testlog-flaky.junit.xml
-
-.unit_test_tsan: &unit_test_tsan_job
- <<: *unit_test_job
- after_script:
- - *parse_tsan
-
-.docs: &docs_job
- stage: docs
- script:
- - *configure
- - test -z "${DOC_CHECK_MISC_CHANGE}" || ninja -C build doc-misc
- - test -z "${DOC_CHECK_MISC_CHANGE}" || cp build/doc/misc/options build/doc/misc/rndc.grammar build/doc/misc/*.zoneopt doc/misc/
- - test -z "${DOC_CHECK_MISC_CHANGE}" || git diff > doc-misc.patch
- - test -z "${DOC_CHECK_MISC_CHANGE}" || if test "$(git status --porcelain --untracked-files=no | wc -l)" -gt "0"; then git status --short; exit 1; fi
- - meson compile -C build arm arm-epub man
- - find build/man/ -maxdepth 2 -name "*.[0-9]" -exec mandoc -T lint "{}" \; | ( ! grep -v -e "skipping paragraph macro. sp after" -e "unknown font, skipping request. ft C" -e "input text line longer than 80 bytes" )
-
-.respdiff: &respdiff_job
- <<: *code_triggering_rules
- stage: system
- before_script:
- - *configure
- - meson compile -C build
- - *setup_interfaces
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- - cd bind9-qa/respdiff
- needs: []
- artifacts:
- paths:
- - bind9-qa/respdiff
- exclude:
- - bind9-qa/respdiff/rspworkdir/data.mdb # Exclude a 10 GB file.
- untracked: true
- when: always
-
-### Job Definitions
-
-# Jobs in the precheck stage
-
-misc:
- <<: *precheck_job
- script:
- - sh util/checklibs.sh > checklibs.out
- - sh util/check-categories.sh
- - sh util/check-gitignore.sh
- - sh util/check-trailing-whitespace.sh
- - bash util/unused-headers.sh
- # Check dangling symlinks in the repository
- - if find . -xtype l | grep .; then exit 1; fi
- - muon-meson analyze -Werror
- needs: []
- artifacts:
- paths:
- - checklibs.out
- when: on_failure
-
-black:
- <<: *precheck_job
- <<: *python_triggering_rules
- needs: []
- script:
- - black $(git ls-files '*.py')
- - git diff > black.patch
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- artifacts:
- paths:
- - black.patch
- expire_in: "1 week"
- when: on_failure
-
-vulture:
- <<: *precheck_job
- <<: *python_triggering_rules
- needs: []
- script:
- - vulture --exclude "*ans.py,conftest.py,re_compile_checker.py,isctest" --ignore-names "after_servers_start,bootstrap,pytestmark" bin/tests/system/
-
-ci-variables:
- <<: *precheck_job
- script:
- # When testing a .0 release, compare it against the previous development
- # release (e.g., 9.19.0 and 9.18.0 should both be compared against 9.17.22).
- - export BIND_BASELINE_TAG=$(meson introspect meson.build --projectinfo | ./util/select-baseline-version.jq)
- - BIND_BASELINE_VERSION="$(curl -s -G -d "version=^${BIND_BASELINE_TAG}" -d "order_by=version" "https://gitlab.isc.org/api/v4/projects/1/repository/tags" | jq -r '.[0].name')"
- - echo "BIND_BASELINE_VERSION=$BIND_BASELINE_VERSION" >> ci_vars.env
- artifacts:
- reports:
- dotenv: ci_vars.env
-
-ci-orphaned-anchors:
- <<: *precheck_job
- script:
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- - bind9-qa/ci-orphaned-anchors/check-orphaned-anchors-ci.py .gitlab-ci.yml
- needs: []
- rules:
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
- changes:
- - .gitlab-ci.yml
-
-clang-format:
- <<: *precheck_job
- rules:
- - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
- changes:
- - '**/*.c'
- - '**/*.h'
- - '**/.clang-format'
- - '**/.clang-format.headers'
- - *rule_mr_manual
- - *rule_tag
- - *rule_source_other_than_mr
- needs: []
- script:
- - if [ -r .clang-format ]; then "${CLANG_FORMAT}" -i -style=file $(git ls-files '*.c' '*.h'); fi
- - git diff > clang-format.patch
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- artifacts:
- paths:
- - clang-format.patch
- expire_in: "1 week"
- when: on_failure
-
-coccinelle:
- <<: *precheck_job
- rules:
- - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
- changes:
- - '**/*.c'
- - '**/*.h'
- - 'cocci/**'
- - 'util/check-cocci.sh'
- - *rule_mr_manual
- - *rule_tag
- - *rule_source_other_than_mr
- needs: []
- script:
- - util/check-cocci.sh
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
-
-meson-format:
- <<: *precheck_job
- rules:
- - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
- changes:
- - '**/meson.build'
- - *rule_mr_manual
- - *rule_tag
- - *rule_source_other_than_mr
- needs: []
- script:
- - git ls-files "*meson.build" | xargs muon-meson fmt -i
- - git diff > meson-format.patch
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- artifacts:
- paths:
- - meson-format.patch
- expire_in: "1 week"
- when: on_failure
- rules:
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
- changes:
- - "**/meson.build"
-
-doctest:
- <<: *precheck_job
- needs: []
- script:
- - *configure
- - meson compile -C build system-test-init
- - *find_pytest
- - cd bin/tests/system/isctest
- - >
- "$PYTEST" --noconftest --doctest-modules
-
-pylint:
- <<: *precheck_job
- <<: *python_triggering_rules
- needs: []
- variables:
- PYTHONPATH: "${CI_PROJECT_DIR}/bin/tests/system"
- script:
- - pylint --rcfile $CI_PROJECT_DIR/.pylintrc $(git ls-files '*.py' | grep -vE '(ans\.py|dangerfile\.py|^bin/tests/system/|^contrib/)')
- # Ignore Pylint wrong-import-position error in system test to enable use of pytest.importorskip
- - pylint --rcfile $CI_PROJECT_DIR/.pylintrc --load-plugins re_compile_checker --disable=wrong-import-position $(git ls-files 'bin/tests/system/*.py' | grep -vE '(ans\.py|vulture_ignore_list\.py)')
-
-reuse:
- <<: *precheck_job
- needs: []
- image:
- name: docker.io/fsfe/reuse:latest
- entrypoint: [""]
- script:
- - reuse lint
-
-shfmt:
- <<: *precheck_job
- <<: *shell_triggering_rules
- needs: []
- script:
- - shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in")
- - git diff > shfmt.patch
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
- artifacts:
- paths:
- - shfmt.patch
- expire_in: "1 week"
- when: on_failure
-
-danger:
- <<: *precheck_job
- needs: []
- script:
- - pip install git+https://gitlab.isc.org/isc-projects/hazard.git
- - hazard
- rules:
- - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-
-checkbashisms:
- <<: *precheck_job
- <<: *shell_triggering_rules
- needs: []
- script:
- - checkbashisms $(find . -path './.git' -prune -o -type f -exec sh -c 'head -n 1 "{}" | grep -qsF "#!/bin/sh"' \; -print)
-
-mypy:
- <<: *precheck_job
- <<: *python_triggering_rules
- stage: precheck
- script:
- - mypy "bin/tests/system/isctest/"
-
-tarball-create:
- stage: precheck
- <<: *base_image
- <<: *default_triggering_rules
- script:
- - *configure
- - meson dist -C build --no-tests
- - if test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; git diff > diff.patch; exit 1; fi
- artifacts:
- paths:
- - diff.patch
- - build/meson-dist/*.tar.xz
- needs: []
-
-# Jobs for doc builds on Debian 13 "trixie" (amd64)
-
-changelog:
- <<: *base_image
- <<: *docs_job
- rules:
- - if: '$CI_MERGE_REQUEST_TITLE =~ /\s(dev|usr|pkg):/'
- before_script:
- - echo -e "$CI_MERGE_REQUEST_TITLE\n" > commitmsg
- - sed -i 's/^Draft:\s*//' commitmsg
- - echo -e "$CI_MERGE_REQUEST_DESCRIPTION" >> commitmsg
- - git commit --allow-empty -F commitmsg
- - export CHANGELOG=$(ls doc/changelog/changelog-9.* | sort --version-sort | tail -n 1)
- - printf "\n" >> $CHANGELOG
- - ./contrib/gitchangelog/gitchangelog.py HEAD^..HEAD >> $CHANGELOG
- after_script:
- - git diff
- needs: []
- artifacts:
- untracked: true
-
-linkcheck:
- <<: *base_image
- stage: docs
- script:
- # Some domains tested by linkchecker may think that we connect to them too
- # often and will refuse connection or reply with and error code, which
- # makes this job fail. Let's check links only on Wednesdays.
- - if [ "$(date +%w)" != "3" ]; then exit 0; fi
- - pushd doc/arm/ > /dev/null && sphinx-build -b linkcheck . linkcheck_output/
- artifacts:
- paths:
- - doc/arm/linkcheck_output/
- rules:
- - if: '$CI_PIPELINE_SOURCE == "schedule"'
- needs: []
-
-docs:
- <<: *default_triggering_rules
- <<: *base_image
- <<: *docs_job
- before_script:
- - *list_installed_package_versions
- variables:
- DOC_CHECK_MISC_CHANGE: 1
- needs: []
- artifacts:
- untracked: true
- when: always
-
-docs:tarball:
- <<: *default_triggering_rules
- <<: *base_image
- <<: *docs_job
- before_script:
- - *unpack_release_tarball
- needs:
- - job: tarball-create
- artifacts: true
-
-# Job detecting named.conf breakage introduced since the previous point release
-
-cross-version-config-tests:
- stage: system
- <<: *base_image
- <<: *default_triggering_rules
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- script:
- - *configure
- - *setup_interfaces
- - meson compile -C build system-test-init system-test-dependencies
- - meson compile -C build
- - *find_pytest
- - git clone --branch "${BIND_BASELINE_VERSION}" --depth 1 https://gitlab.isc.org/isc-projects/bind9.git "bind-${BIND_BASELINE_VERSION}"
- - cd "bind-${BIND_BASELINE_VERSION}"
- # The cross-version-config-tests job would fail when a system test is
- # removed from the upcoming release. To avoid this, remove the system test
- # also from the $BIND_BASELINE_VERSION.
- - find bin/tests/system/ -mindepth 1 -maxdepth 1 -type d -exec sh -c 'test -e ../"$0" || rm -rfv -- "$0"' {} \;
- # @DYLIB@ is missing
- - cp ../bin/tests/system/isctest/vars/basic.py ./bin/tests/system/isctest/vars/basic.py
- - cp ../bin/tests/system/isctest/vars/.build_vars/TOP_BUILDDIR ./bin/tests/system/isctest/vars/.build_vars/TOP_BUILDDIR
- - echo "${CI_PROJECT_DIR}/bind-${BIND_BASELINE_VERSION}" > ../build/bin/tests/system/isctest/vars/.build_vars/TOP_SRCDIR
- - cd ./bin/tests/system
- # System tests that employ binary drivers will fail on ABI change and
- # should not be run.
- - rm -r dlzexternal
- - rm -r dyndb
- - >
- "$PYTEST" --setup-only --junit-xml="$CI_PROJECT_DIR"/junit.xml -n "${TEST_PARALLEL_JOBS:-1}"
- needs:
- - job: ci-variables
- artifacts: true
- artifacts:
- reports:
- junit: junit.xml
- paths:
- - bind-*
- - junit.xml
- untracked: true
- expire_in: "1 day"
- when: always
- allow_failure: true
-
-# Jobs for regular GCC builds on Alpine Linux 3.23 (amd64)
-
-gcc:alpine3.23:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "${WITHOUT_LIBEDIT}"
- <<: *alpine_3_23_amd64_image
- <<: *build_job
-
-system:gcc:alpine3.23:amd64:
- <<: *alpine_3_23_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:alpine3.23:amd64
- artifacts: true
-
-unit:gcc:alpine3.23:amd64:
- <<: *alpine_3_23_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:alpine3.23:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Alma Linux 8 (amd64)
-
-gcc:almalinux8:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled"
- <<: *almalinux_8_amd64_image
- <<: *build_job
-
-system:gcc:almalinux8:amd64:
- <<: *almalinux_8_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: gcc:almalinux8:amd64
- artifacts: true
-
-unit:gcc:almalinux8:amd64:
- <<: *almalinux_8_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: gcc:almalinux8:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Alma Linux 9 (amd64)
-
gcc:almalinux9:amd64:
variables:
CC: gcc
system:gcc:almalinux9:amd64:
<<: *almalinux_9_amd64_image
<<: *system_test_job
+ before_script:
+ - python3.12 -m pip install dnspython jinja2 pytest pytest-timeout pytest-xdist requests
+ - echo "/usr/bin/python3.12" > build/bin/tests/system/isctest/vars/.build_vars/PYTHON
needs:
- job: gcc:almalinux9:amd64
artifacts: true
-
-unit:gcc:almalinux9:amd64:
- <<: *almalinux_9_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:almalinux9:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Alma Linux 10 (amd64)
-
-gcc:almalinux10:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled"
- <<: *almalinux_10_amd64_image
- <<: *build_job
-
-system:gcc:almalinux10:amd64:
- <<: *almalinux_10_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:almalinux10:amd64
- artifacts: true
-
-unit:gcc:almalinux10:amd64:
- <<: *almalinux_10_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:almalinux10:amd64
- artifacts: true
-
-# Jobs for scheduled GCC builds on AlmaLinux 8 & 9 FIPS-aware images with FIPS
-# mode in BIND 9 enabled
-
-gcc:8fips:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled -Dfips=enabled -Dtracing=disabled"
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- <<: *almalinux_8fips_amd64_image
- <<: *build_job
-
-system:gcc:8fips:amd64:
- <<: *almalinux_8fips_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:8fips:amd64
- artifacts: true
-
-unit:gcc:8fips:amd64:
- <<: *almalinux_8fips_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:8fips:amd64
- artifacts: true
-
-gcc:9fips:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled -Dfips=enabled -Dleak-detection=disabled"
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- <<: *almalinux_9fips_amd64_image
- <<: *build_job
-
-system:gcc:9fips:amd64:
- <<: *almalinux_9fips_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:9fips:amd64
- artifacts: true
-
-unit:gcc:9fips:amd64:
- <<: *almalinux_9fips_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:9fips:amd64
- artifacts: true
-
-gcc:10fips:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled -Dfips=enabled -Dleak-detection=disabled"
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- <<: *almalinux_10fips_amd64_image
- <<: *build_job
-
-system:gcc:10fips:amd64:
- <<: *almalinux_10fips_amd64_image
- <<: *system_test_job
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:10fips:amd64
- artifacts: true
-
-unit:gcc:10fips:amd64:
- <<: *almalinux_10fips_amd64_image
- <<: *unit_test_job
- variables:
- GIT_CLONE_PATH: "${GIT_CLONE_PATH_INSTANCE_EXECUTOR}"
- needs:
- - job: gcc:10fips:amd64
- artifacts: true
-
-gcc:tarball:nosphinx:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled -Ddeveloper=disabled"
- RUN_MESON_INSTALL: 1
- <<: *almalinux_9_amd64_image
- <<: *build_job
- before_script:
- - *list_installed_package_versions
- - (! command -v sphinx-build >/dev/null)
- - *unpack_release_tarball
- needs:
- - job: tarball-create
- artifacts: true
-
-# Jobs for regular GCC builds on Debian 12 "bookworm" (amd64)
-
-gcc:bookworm:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled"
- <<: *debian_bookworm_amd64_image
- <<: *build_job
-
-system:gcc:bookworm:amd64:
- <<: *debian_bookworm_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:bookworm:amd64
- artifacts: true
-
-unit:gcc:bookworm:amd64:
- <<: *debian_bookworm_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:bookworm:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Debian 13 "trixie" (amd64)
-
-gcc:trixie:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- # Tracing needs to be disabled otherwise gcovr fails
- EXTRA_CONFIGURE: "-Doptimization=0 -Db_coverage=true -Dtracing=disabled -Didn=enabled ${WITH_LIBEDIT}"
- RUN_MESON_INSTALL: 1
- <<: *debian_trixie_amd64_image
- <<: *build_job
-
-system:gcc:trixie:amd64:
- <<: *debian_trixie_amd64_image
- <<: *system_test_job
- variables:
- CI_ENABLE_LONG_TESTS: 1
- CLEAN_BUILD_ARTIFACTS_ON_SUCCESS: 0
- TZ: Australia/Sydney
- # using artifacts from unit test job is required for gcov
- needs:
- - job: unit:gcc:trixie:amd64
- artifacts: true
- rules:
- - if: '$CI_PIPELINE_SOURCE == "schedule"'
- variables:
- CI_ENABLE_LIVE_INTERNET_TESTS: 1
- - *default_triggering_rules_list
-
-unit:gcc:trixie:amd64:
- <<: *debian_trixie_amd64_image
- <<: *unit_test_job
- variables:
- CI_ENABLE_LONG_TESTS: 1
- CLEAN_BUILD_ARTIFACTS_ON_SUCCESS: 0
- needs:
- - job: gcc:trixie:amd64
- artifacts: true
-
-# Build job for cross-compiled GCC builds on 64-bit Debian 13 "trixie"
-# (amd64) with 32-bit BIND 9.
-
-gcc:trixie:amd64cross32:
- variables:
- CFLAGS: "${CFLAGS_COMMON}"
- CROSS_COMPILATION: 1
- EXTRA_CONFIGURE: "--cross-file ci/amd64cross32.ini -Didn=enabled -Dgssapi=disabled -Dtracing=disabled ${WITH_LIBEDIT}"
- <<: *debian_trixie_amd64cross32_image
- <<: *build_job
-
-# Jobs for scan-build builds on Debian 13 "trixie" (amd64)
-
-.scan_build: &scan_build
- - ${SCAN_BUILD} --html-title="BIND 9 ($CI_COMMIT_SHORT_SHA)"
- --keep-cc
- --status-bugs
- --keep-going
- -o scan-build.reports ninja -C build
-
-scan-build:
- <<: *default_triggering_rules
- <<: *base_image
- stage: postcheck
- variables:
- CC: "${CLANG}"
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled --native-file ci/clang-trixie.ini"
- before_script:
- - *list_installed_package_versions
- script:
- - *configure
- - *scan_build
- needs: []
- artifacts:
- paths:
- - scan-build.reports/
- when: on_failure
-
-# Jobs for strict OpenSSL 3.x (no deprecated) GCC builds on Debian "trixie" (amd64)
-# Run with pkcs11-provider tests
-
-gcc:ossl3:trixie:amd64:
- <<: *debian_trixie_amd64_image
- <<: *build_job
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON} -DOPENSSL_NO_DEPRECATED=1 -DOPENSSL_API_COMPAT=30000"
- # See https://gitlab.isc.org/isc-projects/bind9/-/issues/3444
- EXTRA_CONFIGURE: "-Doptimization=3 -Djemalloc=disabled -Dleak-detection=disabled"
- RUN_MESON_INSTALL: 1
-
-system:gcc:ossl3:trixie:amd64:
- # Set up environment variables to run pkcs11-provider based system tests
- variables:
- OPENSSL_CONF: "/var/tmp/etc/openssl-provider.cnf"
- SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
- <<: *debian_trixie_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:ossl3:trixie:amd64
- artifacts: true
-
-unit:gcc:ossl3:amd64:
- <<: *debian_trixie_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:ossl3:trixie:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Debian "sid" (amd64)
-# Also tests configration option: -Dlmdb=disabled
-
-gcc:sid:amd64:
- <<: *debian_sid_amd64_image
- <<: *build_job
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Doptimization=3 -Didn=enabled -Dlmdb=disabled"
-
-system:gcc:sid:amd64:
- <<: *debian_sid_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: gcc:sid:amd64
- artifacts: true
-
-unit:gcc:sid:amd64:
- <<: *debian_sid_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: gcc:sid:amd64
- artifacts: true
-
-# Jobs for tarball GCC builds on Debian 13 "trixie" (amd64)
-
-gcc:tarball:
- variables:
- CC: gcc
- EXTRA_CONFIGURE: "-Didn=enabled"
- RUN_MESON_INSTALL: 1
- <<: *base_image
- <<: *build_job
- before_script:
- - *list_installed_package_versions
- - *unpack_release_tarball
- needs:
- - job: tarball-create
- artifacts: true
-
-system:gcc:tarball:
- <<: *base_image
- <<: *system_test_job
- before_script:
- - cd bind-*
- - *setup_interfaces
- after_script:
- - cd bind-*
- - *display_pytest_failures
- needs:
- - job: gcc:tarball
- artifacts: true
-
-unit:gcc:tarball:
- <<: *base_image
- <<: *unit_test_job
- before_script:
- - cd bind-*
- needs:
- - job: gcc:tarball
- artifacts: true
-
-# Jobs for debug GCC builds on openSUSE Tumbleweed (amd64)
-
-gcc:tumbleweed:amd64:
- <<: *tumbleweed_latest_amd64_image
- <<: *build_job
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON} -DDEBUG"
- EXTRA_CONFIGURE: "-Didn=enabled -Dgssapi=disabled ${WITH_LIBEDIT}"
-
-system:gcc:tumbleweed:amd64:
- <<: *tumbleweed_latest_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:tumbleweed:amd64
- artifacts: true
-
-unit:gcc:tumbleweed:amd64:
- <<: *tumbleweed_latest_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:tumbleweed:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Ubuntu 22.04 Jammy Jellyfish (amd64)
-
-gcc:jammy:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Dgeoip=disabled -Didn=enabled -Ddoh=disabled -Dcmocka=disabled -Ddnstap=disabled -Dgssapi=disabled"
- <<: *ubuntu_jammy_amd64_image
- <<: *build_job
-
-system:gcc:jammy:amd64:
- <<: *ubuntu_jammy_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: gcc:jammy:amd64
- artifacts: true
-
-unit:gcc:jammy:amd64:
- <<: *ubuntu_jammy_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: gcc:jammy:amd64
- artifacts: true
-
-# Jobs for regular GCC builds on Ubuntu 24.04 Noble Numbat (amd64)
-
-gcc:noble:amd64:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Didn=enabled"
- <<: *ubuntu_noble_amd64_image
- <<: *build_job
-
-system:gcc:noble:amd64:
- <<: *ubuntu_noble_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:noble:amd64
- artifacts: true
-
-unit:gcc:noble:amd64:
- <<: *ubuntu_noble_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:noble:amd64
- artifacts: true
-
-# Jobs for ASAN builds on Fedora 43 (amd64)
-
-gcc:asan:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Db_sanitize=address,undefined -Didn=enabled -Djemalloc=disabled -Dtracing=disabled"
- <<: *fedora_43_amd64_image
- <<: *build_job
-
-system:gcc:asan:
- variables:
- LSAN_OPTIONS: "suppressions=$CI_PROJECT_DIR/suppr-lsan.txt"
- <<: *fedora_43_amd64_image
- <<: *system_test_job
- needs:
- - job: gcc:asan
- artifacts: true
-
-unit:gcc:asan:
- <<: *fedora_43_amd64_image
- <<: *unit_test_job
- needs:
- - job: gcc:asan
- artifacts: true
-
-clang:asan:
- variables:
- CC: ${CLANG}
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Db_sanitize=address,undefined -Db_lundef=false -Didn=enabled -Djemalloc=disabled -Dtracing=disabled --native-file ci/clang-trixie.ini"
- <<: *base_image
- <<: *build_job
-
-system:clang:asan:
- variables:
- LSAN_OPTIONS: "suppressions=$CI_PROJECT_DIR/suppr-lsan.txt"
- <<: *base_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: clang:asan
- artifacts: true
-
-unit:clang:asan:
- <<: *base_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: clang:asan
- artifacts: true
-
-# Jobs for TSAN builds on Fedora 43 (amd64)
-
-gcc:tsan:
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON} -Wno-stringop-overread"
- LDFLAGS: "-Wl,--disable-new-dtags"
- EXTRA_CONFIGURE: "${TSAN_CONFIGURE_FLAGS_COMMON}"
- <<: *tsan_fedora_43_amd64_image
- <<: *build_job
-
-system:gcc:tsan:
- variables:
- TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}"
- <<: *tsan_fedora_43_amd64_image
- <<: *system_test_tsan_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: gcc:tsan
- artifacts: true
-
-unit:gcc:tsan:
- variables:
- TSAN_OPTIONS: "${TSAN_OPTIONS_FEDORA}"
- <<: *tsan_fedora_43_amd64_image
- <<: *unit_test_tsan_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: gcc:tsan
- artifacts: true
-
-clang:tsan:
- <<: *tsan_debian_trixie_amd64_image
- <<: *build_job
- variables:
- CC: "${CLANG}"
- CFLAGS: "${CFLAGS_COMMON}"
- LDFLAGS: "-Wl,--disable-new-dtags"
- EXTRA_CONFIGURE: "${TSAN_CONFIGURE_FLAGS_COMMON} -Db_lundef=false -Dnamed-lto=disabled --native-file ci/clang-trixie.ini"
- <<: *build_job
-
-system:clang:tsan:
- variables:
- TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
- <<: *tsan_debian_trixie_amd64_image
- <<: *system_test_tsan_job
- needs:
- - job: clang:tsan
- artifacts: true
-
-unit:clang:tsan:
- variables:
- TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
- <<: *tsan_debian_trixie_amd64_image
- <<: *unit_test_tsan_job
- needs:
- - job: clang:tsan
- artifacts: true
-
-generate-tsan-stress-test-configs:
- <<: *base_image
- <<: *default_triggering_rules
- stage: system
- script:
- - util/generate-tsan-stress-jobs.py > tsan-stress-test-configs.yml
- artifacts:
- paths:
- - tsan-stress-test-configs.yml
- needs: []
- when: manual
-
-tsan:stress:
- <<: *default_triggering_rules
- stage: postcheck
- variables:
- PARENT_PIPELINE_ID: $CI_PIPELINE_ID
- trigger:
- include:
- - artifact: tsan-stress-test-configs.yml
- job: generate-tsan-stress-test-configs
- needs:
- - job: generate-tsan-stress-test-configs
- artifacts: true
- - job: gcc:tsan
- artifacts: true
- - job: clang:tsan
- artifacts: true
-
-# Jobs for Clang builds on Debian 13 "trixie" (amd64)
-
-clang:trixie:amd64:
- variables:
- CC: ${CLANG}
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "--native-file ci/clang-trixie.ini"
- RUN_MESON_INSTALL: 1
- <<: *debian_trixie_amd64_image
- <<: *build_job
-
-system:clang:trixie:amd64:
- <<: *debian_trixie_amd64_image
- <<: *system_test_job
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: clang:trixie:amd64
- artifacts: true
-
-unit:clang:trixie:amd64:
- <<: *debian_trixie_amd64_image
- <<: *unit_test_job
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: clang:trixie:amd64
- artifacts: true
-
-# Jobs for Clang builds on FreeBSD 13 (amd64)
-
-clang:freebsd13:amd64:
- <<: *build_job
- <<: *freebsd_autoscaler_13_amd64
-
-system:clang:freebsd13:amd64:
- <<: *system_test_job
- <<: *freebsd_autoscaler_13_amd64
- <<: *extra_system_tests_triggering_rules
- needs:
- - job: clang:freebsd13:amd64
- artifacts: true
-
-unit:clang:freebsd13:amd64:
- <<: *unit_test_job
- <<: *freebsd_autoscaler_13_amd64
- <<: *api_pipelines_schedules_tags_triggers_web_triggering_rules
- needs:
- - job: clang:freebsd13:amd64
- artifacts: true
-
-# Jobs for Clang builds on FreeBSD 14 (amd64)
-
-clang:freebsd14:amd64:
- <<: *build_job
- <<: *freebsd_autoscaler_14_amd64
-
-system:clang:freebsd14:amd64:
- <<: *system_test_job
- <<: *freebsd_autoscaler_14_amd64
- needs:
- - job: clang:freebsd14:amd64
- artifacts: true
-
-unit:clang:freebsd14:amd64:
- <<: *unit_test_job
- <<: *freebsd_autoscaler_14_amd64
- needs:
- - job: clang:freebsd14:amd64
- artifacts: true
- retry: 1 # GL #4924
-
-# Job producing a release directory
-
-release:
- <<: *base_image
- stage: release
- script:
- - export RELEASE_DIRECTORY="bind-${CI_COMMIT_TAG}-release"
- - export BIND_VERSION="bind-${CI_COMMIT_TAG#v}"
- # Prepare release tarball contents (tarballs + documentation)
- - mkdir -p "${RELEASE_DIRECTORY}/doc/arm"
- - pushd "${RELEASE_DIRECTORY}"
- - mv "../build/meson-dist/${BIND_VERSION}.tar.xz" .
- - tar --extract --file="${BIND_VERSION}.tar.xz" --strip-components=1 "${BIND_VERSION}"/{COPYRIGHT,LICENSE,README.md,srcid}
- - mv ../build/arm/ doc/arm/html/
- - mv ../build/arm-epub/Bv9ARM.epub doc/arm/
- - echo '<!DOCTYPE HTML><html lang="en"><meta http-equiv="refresh" content="0; url=doc/arm/html/notes.html"><title>Redirect</title></html>' > "RELEASE-NOTES-${BIND_VERSION}.html"
- - echo '<!DOCTYPE HTML><html lang="en"><meta http-equiv="refresh" content="0; url=doc/arm/html/changelog.html"><title>Redirect</title></html>' > "CHANGELOG-${BIND_VERSION}.html"
- - popd
- needs:
- - job: tarball-create
- artifacts: true
- - job: docs
- artifacts: true
- rules:
- - *rule_tag
- artifacts:
- paths:
- - bind-${CI_COMMIT_TAG}-release
- expire_in: "1 month"
-
-.manual_release_job: &manual_release_job
- stage: release
- when: manual
-
-.signer-ssh-job: &signer_ssh_job
- <<: *manual_release_job
- allow_failure: false
- tags:
- - signer
- script:
- - ( rm -f "/tmp/${CI_JOB_NAME}.log" "/tmp/${CI_JOB_NAME}-done" && umask 111 && touch "/tmp/${CI_JOB_NAME}.log" "/tmp/${CI_JOB_NAME}-done" )
- - |
- cat > "/tmp/${CI_JOB_NAME}.sh" <<EOF
- #!/bin/sh
- set -e -x
- {
- ${SSH_SCRIPT_CLIENT}
- echo "${CI_COMMIT_TAG}" > "/tmp/${CI_JOB_NAME}-done"
- } 2>&1 | tee "/tmp/${CI_JOB_NAME}.log"
- EOF
- - chmod +x "/tmp/${CI_JOB_NAME}.sh"
- - /bin/sh -c "set -e -x; ${SSH_SCRIPT_RUNNER_PRE}"
- - echo -e "\e[31m*** Sleeping until /tmp/${CI_JOB_NAME}.sh is executed over SSH... ⌛\e[0m"
- - while [ "$(cat "/tmp/${CI_JOB_NAME}-done")" != "${CI_COMMIT_TAG}" ]; do sleep 10; done
- - /bin/sh -c "set -e -x; ${SSH_SCRIPT_RUNNER_POST}"
- - cp "/tmp/${CI_JOB_NAME}.log" "${CI_PROJECT_DIR}/${CI_JOB_NAME}-${CI_COMMIT_TAG}.log"
- - rm -f "/tmp/${CI_JOB_NAME}.log" "/tmp/${CI_JOB_NAME}-done" "/tmp/${CI_JOB_NAME}.sh"
-
-# Job signing the source tarballs in the release directory
-
-sign:
- <<: *signer_ssh_job
- before_script:
- - export SOURCE_TARBALL="bind-${CI_COMMIT_TAG#v}.tar.xz"
- variables:
- RELEASE_DIRECTORY: bind-${CI_COMMIT_TAG}-release
- SSH_SCRIPT_RUNNER_PRE: |-
- ( umask 111 && cat "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}" > "/tmp/${CI_COMMIT_TAG}.bin" )
- SSH_SCRIPT_CLIENT: |-
- gpg2 --local-user "$${SIGNING_KEY_FINGERPRINT}" --armor --digest-algo SHA512 --detach-sign --output "/tmp/${CI_COMMIT_TAG}.asc" "/tmp/${CI_COMMIT_TAG}.bin"
- SSH_SCRIPT_RUNNER_POST: |-
- cat "/tmp/${CI_COMMIT_TAG}.asc" > "${RELEASE_DIRECTORY}/$${SOURCE_TARBALL}.asc"
- tar --create --file="${RELEASE_DIRECTORY}".tar.gz --gzip "${RELEASE_DIRECTORY}"
- rm -f "/tmp/${CI_COMMIT_TAG}.bin" "/tmp/${CI_COMMIT_TAG}.asc"
- artifacts:
- paths:
- - bind-${CI_COMMIT_TAG}-release.tar.gz
- - sign-${CI_COMMIT_TAG}.log
- expire_in: never
- needs:
- - job: release
- artifacts: true
- rules:
- - *rule_tag
-
-# Job staging the signed tarballs
-
-staging:
- <<: *signer_ssh_job
- variables:
- RELEASE_TARBALL: bind-${CI_COMMIT_TAG}-release.tar.gz
- SSH_SCRIPT_RUNNER_PRE: |-
- mv "${RELEASE_TARBALL}" "/tmp/${RELEASE_TARBALL}"
- SSH_SCRIPT_CLIENT: |-
- scp "/tmp/${RELEASE_TARBALL}" "${STAGING_USER_UPLOAD}@${STAGING_HOST}:${STAGING_DIR}"
- ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "unpack ${CI_COMMIT_TAG}"
- SSH_SCRIPT_RUNNER_POST: |-
- rm -f "/tmp/${RELEASE_TARBALL}"
- artifacts:
- paths:
- - staging-${CI_COMMIT_TAG}.log
- expire_in: "1 month"
- needs:
- - job: sign
- artifacts: true
- rules:
- - *rule_tag
-
-# Job copying a staged release to a secret location
-
-publish-private:
- <<: *signer_ssh_job
- variables:
- SSH_SCRIPT_CLIENT: |-
- ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish-private ${CI_COMMIT_TAG}"
- SSH_SCRIPT_RUNNER_POST: |-
- awk '/^Public Use URL:/ {print $$NF}' "/tmp/${CI_JOB_NAME}.log" > "url-${CI_COMMIT_TAG}.txt"
- artifacts:
- paths:
- - publish-private-${CI_COMMIT_TAG}.log
- - url-${CI_COMMIT_TAG}.txt
- expire_in: "1 month"
- needs:
- - job: staging
- artifacts: false
- rules:
- - *rule_tag_security_or_subscription
-
-# Job copying a staged release to a well-known location
-
-publish:
- <<: *signer_ssh_job
- variables:
- SSH_SCRIPT_CLIENT: |-
- ssh "${STAGING_USER_ACTIONS}@${STAGING_HOST}" "publish ${CI_COMMIT_TAG}"
- artifacts:
- paths:
- - publish-${CI_COMMIT_TAG}.log
- expire_in: "1 month"
- needs:
- - job: staging
- artifacts: false
- rules:
- - *rule_tag_open_source
-
-.manual_release_job_qa: &manual_release_job_qa
- <<: *manual_release_job
- <<: *base_image
- before_script:
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- needs:
- - job: staging
- artifacts: false
-
-# Setting the FORCE_CVE_IDS environment variable to a comma-separated
-# list of CVE IDs enables overriding the autodetected ones.
-#
-# Setting the FORCE_SECURITY_RELEASES environment variable to a
-# comma-separated list of BIND 9 versions enables overriding the
-# autodetected ones.
-.printing_press_job: &printing_press_job
- <<: *manual_release_job_qa
- variables:
- GIT_DEPTH: 1
- script:
- - bind9-qa/releng/printing_press_mr.py --document "${DOCUMENT}" --metadata bind9-qa/releng/metadata.json ${FORCE_CVE_IDS:+--force-cve-ids ${FORCE_CVE_IDS}} ${FORCE_SECURITY_RELEASES:+--force-security-releases ${FORCE_SECURITY_RELEASES}}
- artifacts:
- paths:
- - printing-press/
- when: on_failure
-
-# Job creating the release announcement MR in Printing Press
-
-prepare-release-announcement:
- <<: *printing_press_job
- variables:
- DOCUMENT: release-announcement
- rules:
- - *rule_tag_open_source
-
-# Job preparing an EVN MR in Printing Press
-
-prepare-evn:
- <<: *printing_press_job
- variables:
- DOCUMENT: evn
- rules:
- - *rule_tag_security
-
-# Job preparing a security pre-announcement MR in Printing Press
-
-prepare-preannouncement:
- <<: *printing_press_job
- variables:
- DOCUMENT: security-preannouncement
- rules:
- - *rule_tag_security
-
-# Job preparing a packager notification MR in Printing Press
-
-prepare-package-notification:
- <<: *printing_press_job
- variables:
- DOCUMENT: packager-notification
- rules:
- - *rule_tag_security
-
-# Job preparing a post-disclosure notification MR in Printing Press
-
-prepare-post-disclosure-notification:
- <<: *printing_press_job
- variables:
- DOCUMENT: post-disclosure-notification
- rules:
- - *rule_tag_security
-
-# Job merging the tag back into its base branch
-
-merge-tag:
- <<: *manual_release_job_qa
- variables:
- GIT_DEPTH: 100
- script:
- - bind9-qa/releng/merge_tag.py --tag "$CI_COMMIT_TAG"
- rules:
- - *rule_tag_open_source
- artifacts:
- paths:
- - bind9/
- when: on_failure
-
-.customer-git: &customer_git
- <<: *base_image
- stage: release
- when: manual
- variables: # ensure clean git environment and sufficient history
- GIT_STRATEGY: clone
- GIT_DEPTH: 1000
-
-# To trigger this job and push a branch to a customer, you must set the
-# CUSTOMER job variable by clicking on the manual job (not the play button) and
-# set it to the name of the target customer.
-customer-git:branch:
- <<: *customer_git
- needs: []
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE == "merge_request_event"'
- variables:
- BRANCH: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME'
- - if: '$CI_PROJECT_NAMESPACE == "isc-private" && $CI_PIPELINE_SOURCE =~ /^(api|pipeline|trigger|web)$/ && $REBASE_ONLY != "1"'
- variables:
- BRANCH: '$CI_COMMIT_BRANCH'
- before_script:
- - test -n "$CUSTOMER"
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- script:
- - git checkout -b "$BRANCH" # ensure refs/heads/$BRANCH exists; GitLab clones with detached HEAD
- - bind9-qa/releng/push_to_customer_repository.py --branch "$BRANCH" --customer "$CUSTOMER" --force
-
-customer-git:tag:
- <<: *customer_git
- needs:
- - job: release
- artifacts: false
- rules:
- - *rule_tag
- before_script:
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- - git clone --depth 1 "https://token:${ISC_CUSTOMERS_WRITE_TOKEN}@gitlab.isc.org/isc-customers/isc-customer-settings.git"
- script:
- - bind9-qa/releng/push_to_customer_repository.py --tag "$CI_COMMIT_TAG" --entitlements isc-customer-settings/entitlements.yaml --force
-
-# Coverity Scan analysis upload
-
-.coverity_prep: &coverity_prep
- - curl --output /tmp/cov-analysis-linux64.md5 https://scan.coverity.com/download/linux64
- --form project=$COVERITY_SCAN_PROJECT_NAME
- --form token=$COVERITY_SCAN_TOKEN
- --form md5=1
- - curl --output /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
- --form project=$COVERITY_SCAN_PROJECT_NAME
- --form token=$COVERITY_SCAN_TOKEN
- - test "$(md5sum /tmp/cov-analysis-linux64.tgz | awk '{ print $1 }')" = "$(cat /tmp/cov-analysis-linux64.md5)"
- - tar --extract --gzip --file=/tmp/cov-analysis-linux64.tgz --directory=/tmp
- - test -d /tmp/cov-analysis-linux64-*
-
-.coverity_build: &coverity_build
- - /tmp/cov-analysis-linux64-*/bin/cov-build --dir /tmp/cov-int sh -c 'ninja -C ./build -v'
- - tar --create --gzip --file=/tmp/cov-int.tar.gz --directory /tmp cov-int
- - curl -v https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
- --form token=$COVERITY_SCAN_TOKEN
- --form email=bind-changes@isc.org
- --form file=@/tmp/cov-int.tar.gz
- --form version="$(git rev-parse --short HEAD)"
- --form description="$(git rev-parse --short HEAD) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID" 2>&1
- | tee curl-response.txt
- - grep -q 'Build successfully submitted' curl-response.txt
-
-coverity:
- <<: *base_image
- stage: postcheck
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Doptimization=g -Ddoc=disabled -Didn=enabled"
- script:
- - *coverity_prep
- - *configure
- - *coverity_build
- after_script:
- - mv -v /tmp/cov-int.tar.gz ${CI_PROJECT_DIR}/
- needs: []
- artifacts:
- paths:
- - curl-response.txt
- - cov-int.tar.gz
- expire_in: "1 week"
- when: on_failure
- rules:
- - if: '$COVERITY_SCAN_PROJECT_NAME != null && $COVERITY_SCAN_TOKEN != null'
-
-# Respdiff tests
-
-respdiff:
- <<: *respdiff_job
- <<: *base_image
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON} -DISC_TRACK_PTHREADS_OBJECTS"
- EXTRA_CONFIGURE: "-Doptimization=g"
- MAX_DISAGREEMENTS_PERCENTAGE: "0.3"
- script:
- - bash respdiff.sh -m /usr/lib/x86_64-linux-gnu/libjemalloc.so.2 -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
- - cd ../.. && ninja -C build clean >/dev/null 2>&1
-
-respdiff:asan:
- <<: *respdiff_job
- <<: *base_image
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Doptimization=g -Db_sanitize=address,undefined -Djemalloc=disabled"
- MAX_DISAGREEMENTS_PERCENTAGE: "0.3"
- script:
- - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
- - cd ../.. && ninja -C build clean >/dev/null 2>&1
-
-respdiff:tsan:
- <<: *respdiff_job
- <<: *tsan_debian_trixie_amd64_image
- variables:
- CC: "${CLANG}"
- CFLAGS: "${CFLAGS_COMMON}"
- LDFLAGS: "-Wl,--disable-new-dtags"
- EXTRA_CONFIGURE: "${TSAN_CONFIGURE_FLAGS_COMMON} -Dnamed-lto=disabled -Db_lundef=false"
- MAX_DISAGREEMENTS_PERCENTAGE: "0.3"
- TSAN_OPTIONS: "${TSAN_OPTIONS_DEBIAN}"
- script:
- - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}" "/usr/local/respdiff-reference-bind/sbin/named"
- - cd ../.. && ninja -C build clean >/dev/null 2>&1
- after_script:
- - *parse_tsan
-
-respdiff-third-party:
- <<: *respdiff_job
- <<: *base_image
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- EXTRA_CONFIGURE: "-Doptimization=g"
- MAX_DISAGREEMENTS_PERCENTAGE: "0.4"
- script:
- - bash respdiff.sh -s third_party -q "${PWD}/100k_mixed.txt" -c 1 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}"
- - cd ../.. && ninja -C build clean >/dev/null 2>&1
-
-.respdiff-recent-named: &respdiff_recent_named
- <<: *respdiff_job
- <<: *base_image
- needs:
- - job: ci-variables
- artifacts: true
- script:
- - cd ${CI_PROJECT_DIR}
- - mkdir version-under-test
- - mv build version-under-test/
- - BASELINE=${CI_MERGE_REQUEST_TARGET_BRANCH_NAME:-$BIND_BASELINE_VERSION}
- - git fetch --unshallow origin ${BASELINE}
- - git checkout FETCH_HEAD
- - *configure
- - meson compile -C build
- - cd bind9-qa/respdiff
- - bash respdiff.sh -s named -q "${PWD}/100k_mixed.txt" -c 3 -w "${PWD}/rspworkdir" "${CI_PROJECT_DIR}/version-under-test" "${CI_PROJECT_DIR}/build/named"
-
-respdiff:recent-named:
- <<: *respdiff_recent_named
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON} -DISC_TRACK_PTHREADS_OBJECTS"
- EXTRA_CONFIGURE: "-Doptimization=g"
- MAX_DISAGREEMENTS_PERCENTAGE: "0.1"
- allow_failure: true # GL!11293
-
-# Performance tests
-
-shotgun:udp:
- <<: *shotgun_job
- variables:
- SHOTGUN_SCENARIO: udp
- SHOTGUN_TRAFFIC_MULTIPLIER: 15
-
-shotgun:tcp:
- <<: *shotgun_job
- variables:
- SHOTGUN_SCENARIO: tcp
- SHOTGUN_TRAFFIC_MULTIPLIER: 12
-
-shotgun:dot:
- <<: *shotgun_job
- variables:
- SHOTGUN_SCENARIO: dot
- SHOTGUN_TRAFFIC_MULTIPLIER: 5
- rules: # FIXME disabled shotgun jobs temporarily due to infra issue
- - *shotgun_rule_mr_manual
- # - *shotgun_rule_tag
- # - *shotgun_rule_other
-
-shotgun:doh-get:
- <<: *shotgun_job
- variables:
- SHOTGUN_SCENARIO: doh-get
- SHOTGUN_TRAFFIC_MULTIPLIER: 2
- SHOTGUN_EVAL_THRESHOLD_LATENCY_PCTL_MAX: 0.4 # bump from the default due to increased tail-end jitter
- rules: # FIXME disabled shotgun jobs temporarily due to infra issue
- - *shotgun_rule_mr_manual
- # - *shotgun_rule_tag
- # - *shotgun_rule_other
-
-generate-stress-test-configs:
- <<: *base_image
- <<: *default_triggering_rules
- stage: precheck
- script:
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
- - bind9-qa/stress/generate-stress-test-configs.py > stress-test-configs.yml
- artifacts:
- paths:
- - stress-test-configs.yml
- needs: []
-
-stress-test-child-pipeline:
- <<: *default_triggering_rules
- stage: performance
- rules:
- - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
- changes:
- - '**/*.c'
- - '**/*.h'
- - if: '$CI_MERGE_REQUEST_DIFF_BASE_SHA != null'
- when: manual # don't run on each MR unless requested
- allow_failure: true
- - *rule_tag
- - if: '$CI_PIPELINE_SOURCE =~ /^(api|pipeline|schedule|trigger|web)$/ && $REBASE_ONLY != "1"'
- trigger:
- include:
- - artifact: stress-test-configs.yml
- job: generate-stress-test-configs
- needs:
- - job: generate-stress-test-configs
- artifacts: true
-
-# Simple reproductibilty test, needs an image with meson >=1.6.0
-reproducible-build:
- <<: *default_triggering_rules
- <<: *alpine_3_23_amd64_image
- stage: postcheck
- needs: []
- variables:
- CC: gcc
- CFLAGS: "${CFLAGS_COMMON}"
- before_script:
- - *list_installed_package_versions
- script:
- # dnstap produces an intermediate .a file, and meson considers all .a
- # files to be final results independently of whether they are installed or
- # not. But the content of the .a file might be unstable under LTO due to
- # -ffat-lto-objects. Hence we disable dnstap for reproducibility tests.
- - meson reprotest
- --
- -Ddnstap=disabled
- -Ddoc=disabled
- -Doptimization=1
- artifacts:
- untracked: true
- when: on_failure
-
-# git fsck operates over the whole repository and is sufficient to schedule it
-# only in one branch, preferably "main". GitLab's clone strategy prevents us
-# from using the "bind9" repo clone; we need to clone it ourselves.
-fsck:
- <<: *base_image
- stage: postcheck
- variables:
- GIT_STRATEGY: none
- script:
- - git clone https://gitlab.isc.org/isc-projects/bind9.git bind9-full-clone
- - cd bind9-full-clone/
- - git fsck
- rules:
- - if: '$CI_PIPELINE_SOURCE == "schedule"'
- needs: []
-
-gcov:
- <<: *base_image
- <<: *default_triggering_rules
- stage: postcheck
- needs:
- - job: system:gcc:trixie:amd64
- artifacts: true
- script:
- # Ensure gcov files for unit tests are found via tests/ rather than
- # lib/*/tests/ to prevent confusing gcovr.
- # - find lib/ -name tests -type l -delete
- - ninja -C build coverage
- - tail -n 3 build/meson-logs/coverage.txt
- coverage: /^TOTAL.*\s+(\d+\%)$/
- artifacts:
- paths:
- - build/meson-logs/
- reports:
- coverage_report:
- coverage_format: cobertura
- path: build/meson-logs/coverage.xml
-
-# Pairwise testing of build options
-
-pairwise:
- <<: *base_image
- stage: build
- needs: []
- script:
- - util/pairwise-testing.sh
- artifacts:
- paths:
- - pairwise-commands.txt
- - pairwise-model.txt
- - pairwise-output.*.txt
- when: on_failure
- rules:
- - if: '$PAIRWISE_TESTING != null'
-
-.post_merge_template: &post_merge
- <<: *base_image
- stage: postmerge
- needs: []
- # post-merge processes should run even if another MR was merged while the job was running (or queued)
- interruptible: false
- variables:
- # avoid leftover branches from previous jobs
- GIT_STRATEGY: clone
- # assumed max depth of a MR for backport or a rebased force-push
- GIT_DEPTH: 1000
- before_script:
- # force-pushes should not trigger process automation (happens only in -sub branches)
- - >
- echo "previous branch tip: $CI_COMMIT_BEFORE_SHA"
- - set +o pipefail; git log --format='%H' | grep --silent "$CI_COMMIT_BEFORE_SHA" && PREVIOUS_TIP_REACHABLE=1
- - test "$PREVIOUS_TIP_REACHABLE" != "1" && echo "force-push detected, stop" && exit 0
- # non-fast-forward merges are disabled so we have to have merge commit on top
- - MERGE_REQUEST_ID="$(git log -1 --format='%b' | sed --silent -e "s|^See merge request ${CI_PROJECT_PATH}\!||p")"
- - >
- : stop if this is not a merge request in the current project\'s namespace
- - test -n "$MERGE_REQUEST_ID" || exit 0
- - git clone --depth 1 https://gitlab.isc.org/isc-projects/bind9-qa.git
-
-backports:
- <<: *post_merge
- rules:
- # -sub branches are handled manually
- - if: '$CI_PIPELINE_SOURCE == "push" && ($CI_COMMIT_REF_NAME =~ /^bind-9.[0-9]+$/ || $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH)'
- script:
- # CI job token is not sufficient for push operations
- - git remote get-url origin | sed -e "s/gitlab-ci-token:$CI_JOB_TOKEN/oauth2:$BIND_TEAM_WRITE_TOKEN/" | xargs git remote set-url --push origin
- - bind9-qa/releng/backport_mr.py $CI_PROJECT_ID "$MERGE_REQUEST_ID"
-
-merged-metadata:
- <<: *post_merge
- rules:
- - if: '$CI_PIPELINE_SOURCE == "push" && ($CI_COMMIT_REF_NAME =~ /^bind-9.[0-9]+(-sub)?$/ || $CI_COMMIT_REF_NAME =~ /^v9.[0-9]+.[0-9]+-release$/ || $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH)'
- script:
- - bind9-qa/releng/after_merge.py "$CI_PROJECT_ID" "$MERGE_REQUEST_ID"
-
-auto-rebase-trigger:
- stage: postmerge
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "isc-projects" && $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_REF_NAME =~ /^bind-9.[0-9]+$/'
- needs: []
- interruptible: true
- inherit:
- variables: false
- variables:
- REBASE_ONLY: 1
- trigger:
- project: isc-private/bind9
- branch: "${CI_COMMIT_BRANCH}-sub"
projects / thirdparty / bind9.git / commitdiff
