ci: Use id_tokens for JWT auth
Fixes: #9180 Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com> Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/28916>
This commit is contained in:
parent
2639c91052
commit
7101aecc53
@ -72,7 +72,7 @@ variables:
|
||||||
bash download-git-cache.sh
|
bash download-git-cache.sh
|
||||||
rm download-git-cache.sh
|
rm download-git-cache.sh
|
||||||
set +o xtrace
|
set +o xtrace
|
||||||
CI_JOB_JWT_FILE: /minio_jwt
|
S3_JWT_FILE: /s3_jwt
|
||||||
S3_HOST: s3.freedesktop.org
|
S3_HOST: s3.freedesktop.org
|
||||||
# per-pipeline artifact storage on MinIO
|
# per-pipeline artifact storage on MinIO
|
||||||
PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
|
PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
|
||||||
|
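Review bot: `S3_JWT_FILE: /s3_jwt` is the only declaration of the path that before_script writes the id_token to and that after_script reads back and deletes, yet nothing next to it says so. A comment above the entry, `# on-disk copy of the S3_JWT id_token; written by before_script, restored and removed in after_script`, would save a reader from tracing the three places the path is used. The surrounding `variables:` block starts before the hunk.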
@ -101,8 +101,8 @@ default:
|
||||||
export SCRIPTS_DIR=$(mktemp -d) &&
|
export SCRIPTS_DIR=$(mktemp -d) &&
|
||||||
curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
|
curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
|
||||||
. ${SCRIPTS_DIR}/setup-test-env.sh &&
|
. ${SCRIPTS_DIR}/setup-test-env.sh &&
|
||||||
echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}" &&
|
echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&
|
||||||
unset CI_JOB_JWT # Unsetting vulnerable env variables
|
unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
|
||||||
|
|
||||||
after_script:
|
after_script:
|
||||||
# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
|
# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
|
||||||
|
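Review bot: The redirection `echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&` creates /s3_jwt under the shell's default umask, so on a runner image with a permissive umask the token file may be readable by other users in the container; writing it in a subshell with a restrictive mask, `( umask 077 && echo -n "${S3_JWT}" > "${S3_JWT_FILE}" ) &&`, keeps the file private without affecting the rest of the chain. The write also succeeds when S3_JWT is empty or unset, leaving an empty token file that only surfaces at the first s3cp; if every job under `default:` is expected to carry the token, a preceding `test -n "${S3_JWT:-}" &&` reports the misconfiguration at job start instead. The before_script that contains these lines begins before the hunk.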
@ -111,9 +111,9 @@ default:
|
||||||
- >
|
- >
|
||||||
set +x
|
set +x
|
||||||
|
|
||||||
test -e "${CI_JOB_JWT_FILE}" &&
|
test -e "${S3_JWT_FILE}" &&
|
||||||
export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" &&
|
export S3_JWT="$(<${S3_JWT_FILE})" &&
|
||||||
rm "${CI_JOB_JWT_FILE}"
|
rm "${S3_JWT_FILE}"
|
||||||
|
|
||||||
# Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports:
|
# Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports:
|
||||||
# https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily
|
# https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily
|
||||||
|
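Review bot: The restore line `export S3_JWT="$(<${S3_JWT_FILE})" &&` leaves the path unquoted inside the command substitution while the neighbouring `test -e` and `rm` lines quote it; `export S3_JWT="$(<"${S3_JWT_FILE}")" &&` keeps the three lines consistent. Because `set +x` two lines above suppresses command echo, the token value is not logged here, but it is re-exported into the environment for the remainder of after_script, which deserves a one-line comment such as `# re-expose the token for after_script uploads, then drop the on-disk copy` if that is the intent. The after_script block continues past the hunk.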
@ -266,8 +266,7 @@ make git archive:
|
||||||
# compress the current folder
|
# compress the current folder
|
||||||
- tar -cvzf ../$CI_PROJECT_NAME.tar.gz .
|
- tar -cvzf ../$CI_PROJECT_NAME.tar.gz .
|
||||||
|
|
||||||
- ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
|
- ci-fairy s3cp --token-file "${S3_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
|
||||||
|
|
||||||
|
|
||||||
# Sanity checks of MR settings and commit logs
|
# Sanity checks of MR settings and commit logs
|
||||||
sanity:
|
sanity:
|
||||||
|
|
|
@ -13,7 +13,7 @@ date +'%F %T'
|
||||||
|
|
||||||
# Make JWT token available as file in the bare-metal storage to enable access
|
# Make JWT token available as file in the bare-metal storage to enable access
|
||||||
# to MinIO
|
# to MinIO
|
||||||
cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"
|
cp "${S3_JWT_FILE}" "${rootfs_dst}${S3_JWT_FILE}"
|
||||||
|
|
||||||
date +'%F %T'
|
date +'%F %T'
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,7 @@ VARS=(
|
||||||
CI_COMMIT_REF_NAME
|
CI_COMMIT_REF_NAME
|
||||||
CI_COMMIT_TITLE
|
CI_COMMIT_TITLE
|
||||||
CI_JOB_ID
|
CI_JOB_ID
|
||||||
CI_JOB_JWT_FILE
|
S3_JWT_FILE
|
||||||
CI_JOB_STARTED_AT
|
CI_JOB_STARTED_AT
|
||||||
CI_JOB_NAME
|
CI_JOB_NAME
|
||||||
CI_JOB_URL
|
CI_JOB_URL
|
||||||
|
|
|
@ -217,7 +217,7 @@ cleanup
|
||||||
# upload artifacts
|
# upload artifacts
|
||||||
if [ -n "$S3_RESULTS_UPLOAD" ]; then
|
if [ -n "$S3_RESULTS_UPLOAD" ]; then
|
||||||
tar --zstd -cf results.tar.zst results/;
|
tar --zstd -cf results.tar.zst results/;
|
||||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
|
ci-fairy s3cp --token-file "${S3_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# We still need to echo the hwci: mesa message, as some scripts rely on it, such
|
# We still need to echo the hwci: mesa message, as some scripts rely on it, such
|
||||||
|
|
|
@ -365,8 +365,8 @@ popd
|
||||||
|
|
||||||
. .gitlab-ci/container/container_post_build.sh
|
. .gitlab-ci/container/container_post_build.sh
|
||||||
|
|
||||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
|
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
|
||||||
https://${S3_PATH}/"${ROOTFSTAR}"
|
https://${S3_PATH}/"${ROOTFSTAR}"
|
||||||
|
|
||||||
touch /lava-files/done
|
touch /lava-files/done
|
||||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/done https://${S3_PATH}/done
|
ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/done https://${S3_PATH}/done
|
||||||
|
|
|
@ -30,7 +30,7 @@ artifacts/ci-common/generate-env.sh | tee results/job-rootfs-overlay/set-job-env
|
||||||
section_end variables
|
section_end variables
|
||||||
|
|
||||||
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
|
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
|
||||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
|
ci-fairy s3cp --token-file "${S3_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
|
||||||
|
|
||||||
ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst"
|
ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst"
|
||||||
|
|
||||||
|
@ -50,7 +50,7 @@ PYTHONPATH=artifacts/ artifacts/lava/lava_job_submitter.py \
|
||||||
--ci-project-dir "${CI_PROJECT_DIR}" \
|
--ci-project-dir "${CI_PROJECT_DIR}" \
|
||||||
--device-type "${DEVICE_TYPE}" \
|
--device-type "${DEVICE_TYPE}" \
|
||||||
--dtb-filename "${DTB}" \
|
--dtb-filename "${DTB}" \
|
||||||
--jwt-file "${CI_JOB_JWT_FILE}" \
|
--jwt-file "${S3_JWT_FILE}" \
|
||||||
--kernel-image-name "${KERNEL_IMAGE_NAME}" \
|
--kernel-image-name "${KERNEL_IMAGE_NAME}" \
|
||||||
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \
|
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \
|
||||||
--boot-method "${BOOT_METHOD}" \
|
--boot-method "${BOOT_METHOD}" \
|
||||||
|
|
|
@ -193,7 +193,7 @@ class LAVAJobDefinition:
|
||||||
"set +x # HIDE_START",
|
"set +x # HIDE_START",
|
||||||
f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"',
|
f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"',
|
||||||
"set -x # HIDE_END",
|
"set -x # HIDE_END",
|
||||||
f'echo "export CI_JOB_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
|
f'echo "export S3_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
|
||||||
]
|
]
|
||||||
else:
|
else:
|
||||||
download_steps += [
|
download_steps += [
|
||||||
|
|
|
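Review bot: The new line hard-codes the environment variable name inside the string `"export S3_JWT_FILE={self.job_submitter.jwt_file}"`, which has to match the `S3_JWT_FILE` key declared in the GitLab `variables:` block and the entry in the VARS list changed earlier in this commit; renaming any one of the three would only show up at job run time as a missing token path. Hoisting the name into a module-level constant, e.g. `S3_JWT_FILE_VAR = "S3_JWT_FILE"` and using it in the f-string, or at least a comment on this line pointing at the other two definitions, makes the coupling explicit. The method that builds this list starts before the hunk.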
@ -8,7 +8,7 @@ set -ex
|
||||||
export PAGER=cat # FIXME: export everywhere
|
export PAGER=cat # FIXME: export everywhere
|
||||||
|
|
||||||
INSTALL=$(realpath -s "$PWD"/install)
|
INSTALL=$(realpath -s "$PWD"/install)
|
||||||
S3_ARGS="--token-file ${CI_JOB_JWT_FILE}"
|
S3_ARGS="--token-file ${S3_JWT_FILE}"
|
||||||
|
|
||||||
RESULTS=$(realpath -s "$PWD"/results)
|
RESULTS=$(realpath -s "$PWD"/results)
|
||||||
mkdir -p "$RESULTS"
|
mkdir -p "$RESULTS"
|
||||||
|
|
|
@ -60,7 +60,7 @@ if [ -n "$S3_ARTIFACT_NAME" ]; then
|
||||||
# Pass needed files to the test stage
|
# Pass needed files to the test stage
|
||||||
S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst"
|
S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst"
|
||||||
zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME}
|
zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME}
|
||||||
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
|
ci-fairy s3cp --token-file "${S3_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
section_end prepare-artifacts
|
section_end prepare-artifacts
|
||||||
|
|
|
@ -158,7 +158,7 @@ python-test:
|
||||||
exclude:
|
exclude:
|
||||||
- results/*.shader_cache
|
- results/*.shader_cache
|
||||||
variables:
|
variables:
|
||||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${CI_JOB_JWT_FILE}
|
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${S3_JWT_FILE}
|
||||||
# until we overcome Infrastructure issues, give traces extra 5 min before timeout
|
# until we overcome Infrastructure issues, give traces extra 5 min before timeout
|
||||||
DEVICE_HANGING_TIMEOUT_SEC: 600
|
DEVICE_HANGING_TIMEOUT_SEC: 600
|
||||||
script:
|
script:
|
||||||
|
|
|
@ -89,7 +89,7 @@ radv-raven-traces-restricted:x86_64:
|
||||||
PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1"
|
PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1"
|
||||||
PIGLIT_TRACES_FILE: restricted-traces-amd.yml
|
PIGLIT_TRACES_FILE: restricted-traces-amd.yml
|
||||||
PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}"
|
PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}"
|
||||||
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
|
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
|
||||||
FDO_CI_CONCURRENT: 10
|
FDO_CI_CONCURRENT: 10
|
||||||
|
|
||||||
radeonsi-raven-piglit-quick_gl:x86_64:
|
radeonsi-raven-piglit-quick_gl:x86_64:
|
||||||
|
|
|
@ -268,7 +268,7 @@ a630-traces-restricted:
|
||||||
- .google-freedreno-rules-restricted
|
- .google-freedreno-rules-restricted
|
||||||
variables:
|
variables:
|
||||||
PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml
|
PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml
|
||||||
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}"
|
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}"
|
||||||
allow_failure: true
|
allow_failure: true
|
||||||
|
|
||||||
a630-traces-performance:
|
a630-traces-performance:
|
||||||
|
|
|
@ -78,7 +78,7 @@ zink-anv-tgl-traces-restricted:
|
||||||
- .zink-anv-rules-restricted
|
- .zink-anv-rules-restricted
|
||||||
variables:
|
variables:
|
||||||
PIGLIT_TRACES_FILE: traces-zink-restricted.yml
|
PIGLIT_TRACES_FILE: traces-zink-restricted.yml
|
||||||
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}
|
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
|
||||||
allow_failure: true
|
allow_failure: true
|
||||||
|
|
||||||
zink-tu-a618:
|
zink-tu-a618:
|
||||||
|
|