mirrors
/
mesa
mirror of https://gitlab.freedesktop.org/mesa/mesa
1
0
Fork 0
Code Issues 9 Packages Projects Releases Wiki Activity

ci: Use id_tokens for JWT auth 

Fixes: #9180

Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/28916>
This commit is contained in:
Guilherme Gallo 2024-04-24 16:40:18 -03:00 committed by Marge Bot
parent 2639c91052
commit 7101aecc53
13 changed files with 21 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
.gitlab-ci.yml
View File

@ -72,7 +72,7 @@ variables:
bash download-git-cache.sh
rm download-git-cache.sh
set +o xtrace
CI_JOB_JWT_FILE: /minio_jwt
S3_JWT_FILE: /s3_jwt
S3_HOST: s3.freedesktop.org
# per-pipeline artifact storage on MinIO
PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
@ -101,8 +101,8 @@ default:
export SCRIPTS_DIR=$(mktemp -d) &&
curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
. ${SCRIPTS_DIR}/setup-test-env.sh &&
echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}" &&
unset CI_JOB_JWT # Unsetting vulnerable env variables
echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&
unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
after_script:
# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
@ -111,9 +111,9 @@ default:
- >
set +x
test -e "${CI_JOB_JWT_FILE}" &&
export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" &&
rm "${CI_JOB_JWT_FILE}"
test -e "${S3_JWT_FILE}" &&
export S3_JWT="$(<${S3_JWT_FILE})" &&
rm "${S3_JWT_FILE}"
# Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports:
# https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily
@ -266,8 +266,7 @@ make git archive:
# compress the current folder
- tar -cvzf ../$CI_PROJECT_NAME.tar.gz .
- ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
- ci-fairy s3cp --token-file "${S3_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
# Sanity checks of MR settings and commit logs
sanity:

2
.gitlab-ci/bare-metal/rootfs-setup.sh
View File

@ -13,7 +13,7 @@ date +'%F %T'
# Make JWT token available as file in the bare-metal storage to enable access
# to MinIO
cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"
cp "${S3_JWT_FILE}" "${rootfs_dst}${S3_JWT_FILE}"
date +'%F %T'

2
.gitlab-ci/common/generate-env.sh
View File

@ -10,7 +10,7 @@ VARS=(
CI_COMMIT_REF_NAME
CI_COMMIT_TITLE
CI_JOB_ID
CI_JOB_JWT_FILE
S3_JWT_FILE
CI_JOB_STARTED_AT
CI_JOB_NAME
CI_JOB_URL

2
.gitlab-ci/common/init-stage2.sh
View File

@ -217,7 +217,7 @@ cleanup
# upload artifacts
if [ -n "$S3_RESULTS_UPLOAD" ]; then
tar --zstd -cf results.tar.zst results/;
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
ci-fairy s3cp --token-file "${S3_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
fi
# We still need to echo the hwci: mesa message, as some scripts rely on it, such

4
.gitlab-ci/container/lava_build.sh
View File

@ -365,8 +365,8 @@ popd
. .gitlab-ci/container/container_post_build.sh
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
https://${S3_PATH}/"${ROOTFSTAR}"
touch /lava-files/done
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/done https://${S3_PATH}/done
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/done https://${S3_PATH}/done

4
.gitlab-ci/lava/lava-submit.sh
View File

@ -30,7 +30,7 @@ artifacts/ci-common/generate-env.sh | tee results/job-rootfs-overlay/set-job-env
section_end variables
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
ci-fairy s3cp --token-file "${S3_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst"
@ -50,7 +50,7 @@ PYTHONPATH=artifacts/ artifacts/lava/lava_job_submitter.py \
--ci-project-dir "${CI_PROJECT_DIR}" \
--device-type "${DEVICE_TYPE}" \
--dtb-filename "${DTB}" \
--jwt-file "${CI_JOB_JWT_FILE}" \
--jwt-file "${S3_JWT_FILE}" \
--kernel-image-name "${KERNEL_IMAGE_NAME}" \
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \
--boot-method "${BOOT_METHOD}" \

2
.gitlab-ci/lava/utils/lava_job_definition.py
View File

@ -193,7 +193,7 @@ class LAVAJobDefinition:
"set +x # HIDE_START",
f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"',
"set -x # HIDE_END",
f'echo "export CI_JOB_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
f'echo "export S3_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
]
else:
download_steps += [

2
.gitlab-ci/piglit/piglit-traces.sh
View File

@ -8,7 +8,7 @@ set -ex
export PAGER=cat # FIXME: export everywhere
INSTALL=$(realpath -s "$PWD"/install)
S3_ARGS="--token-file ${CI_JOB_JWT_FILE}"
S3_ARGS="--token-file ${S3_JWT_FILE}"
RESULTS=$(realpath -s "$PWD"/results)
mkdir -p "$RESULTS"

2
.gitlab-ci/prepare-artifacts.sh
View File

@ -60,7 +60,7 @@ if [ -n "$S3_ARTIFACT_NAME" ]; then
# Pass needed files to the test stage
S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst"
zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME}
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
ci-fairy s3cp --token-file "${S3_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
fi
section_end prepare-artifacts

2
.gitlab-ci/test/gitlab-ci.yml
View File

@ -158,7 +158,7 @@ python-test:
exclude:
- results/*.shader_cache
variables:
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${CI_JOB_JWT_FILE}
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${S3_JWT_FILE}
# until we overcome Infrastructure issues, give traces extra 5 min before timeout
DEVICE_HANGING_TIMEOUT_SEC: 600
script:

2
src/amd/ci/gitlab-ci.yml
View File

@ -89,7 +89,7 @@ radv-raven-traces-restricted:x86_64:
PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1"
PIGLIT_TRACES_FILE: restricted-traces-amd.yml
PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}"
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
FDO_CI_CONCURRENT: 10
radeonsi-raven-piglit-quick_gl:x86_64:

2
src/freedreno/ci/gitlab-ci.yml
View File

@ -268,7 +268,7 @@ a630-traces-restricted:
- .google-freedreno-rules-restricted
variables:
PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}"
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}"
allow_failure: true
a630-traces-performance:

2
src/gallium/drivers/zink/ci/gitlab-ci.yml
View File

@ -78,7 +78,7 @@ zink-anv-tgl-traces-restricted:
- .zink-anv-rules-restricted
variables:
PIGLIT_TRACES_FILE: traces-zink-restricted.yml
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
allow_failure: true
zink-tu-a618: