ci: Use id_tokens for JWT auth

Fixes: #9180

Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/28916>
Guilherme Gallo 2024-04-24 16:40:18 -03:00 committed by Marge Bot
parent 2639c91052
commit 7101aecc53
13 changed files with 21 additions and 22 deletions


@ -72,7 +72,7 @@ variables:
bash download-git-cache.sh bash download-git-cache.sh
rm download-git-cache.sh rm download-git-cache.sh
set +o xtrace set +o xtrace
CI_JOB_JWT_FILE: /minio_jwt S3_JWT_FILE: /s3_jwt
S3_HOST: s3.freedesktop.org S3_HOST: s3.freedesktop.org
# per-pipeline artifact storage on MinIO # per-pipeline artifact storage on MinIO
PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID} PIPELINE_ARTIFACTS_BASE: ${S3_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}
@ -101,8 +101,8 @@ default:
export SCRIPTS_DIR=$(mktemp -d) && export SCRIPTS_DIR=$(mktemp -d) &&
curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" && curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" &&
. ${SCRIPTS_DIR}/setup-test-env.sh && . ${SCRIPTS_DIR}/setup-test-env.sh &&
echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}" && echo -n "${S3_JWT}" > "${S3_JWT_FILE}" &&
unset CI_JOB_JWT # Unsetting vulnerable env variables unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
after_script: after_script:
# Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338 # Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
@ -111,9 +111,9 @@ default:
- > - >
set +x set +x
test -e "${CI_JOB_JWT_FILE}" && test -e "${S3_JWT_FILE}" &&
export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" && export S3_JWT="$(<${S3_JWT_FILE})" &&
rm "${CI_JOB_JWT_FILE}" rm "${S3_JWT_FILE}"
# Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports: # Retry when job fails. Failed jobs can be found in the Mesa CI Daily Reports:
# https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily # https://gitlab.freedesktop.org/mesa/mesa/-/issues/?sort=created_date&state=opened&label_name%5B%5D=CI%20daily
@ -266,8 +266,7 @@ make git archive:
# compress the current folder # compress the current folder
- tar -cvzf ../$CI_PROJECT_NAME.tar.gz . - tar -cvzf ../$CI_PROJECT_NAME.tar.gz .
- ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz - ci-fairy s3cp --token-file "${S3_JWT_FILE}" ../$CI_PROJECT_NAME.tar.gz https://$S3_HOST/git-cache/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME/$CI_PROJECT_NAME.tar.gz
# Sanity checks of MR settings and commit logs # Sanity checks of MR settings and commit logs
sanity: sanity:
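Review bot: The new `echo -n "${S3_JWT}" > "${S3_JWT_FILE}"` line in the `default:` before_script consumes `S3_JWT`, but none of the hunks on this page defines it, so a job without a matching `id_tokens:` entry would silently write an empty token file and only fail later inside `ci-fairy s3cp --token-file` with an opaque authentication error instead of at the source of the mistake. The `id_tokens` definition may live in a hunk not rendered here or in an earlier commit of the same series, but a fail-fast check makes the dependency explicit, e.g. `: "${S3_JWT:?S3_JWT is empty; is id_tokens configured for this job?}" &&` placed immediately before the echo. The after_script block is similarly permissive, since `test -e "${S3_JWT_FILE}" &&` re-exports the token only when the file exists and otherwise skips quietly, which would also mask a missing token. The enclosing `default:` block starts and ends outside these hunks.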


@ -13,7 +13,7 @@ date +'%F %T'
# Make JWT token available as file in the bare-metal storage to enable access # Make JWT token available as file in the bare-metal storage to enable access
# to MinIO # to MinIO
cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}" cp "${S3_JWT_FILE}" "${rootfs_dst}${S3_JWT_FILE}"
date +'%F %T' date +'%F %T'


@ -10,7 +10,7 @@ VARS=(
CI_COMMIT_REF_NAME CI_COMMIT_REF_NAME
CI_COMMIT_TITLE CI_COMMIT_TITLE
CI_JOB_ID CI_JOB_ID
CI_JOB_JWT_FILE S3_JWT_FILE
CI_JOB_STARTED_AT CI_JOB_STARTED_AT
CI_JOB_NAME CI_JOB_NAME
CI_JOB_URL CI_JOB_URL


@ -217,7 +217,7 @@ cleanup
# upload artifacts # upload artifacts
if [ -n "$S3_RESULTS_UPLOAD" ]; then if [ -n "$S3_RESULTS_UPLOAD" ]; then
tar --zstd -cf results.tar.zst results/; tar --zstd -cf results.tar.zst results/;
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst; ci-fairy s3cp --token-file "${S3_JWT_FILE}" results.tar.zst https://"$S3_RESULTS_UPLOAD"/results.tar.zst;
fi fi
# We still need to echo the hwci: mesa message, as some scripts rely on it, such # We still need to echo the hwci: mesa message, as some scripts rely on it, such


@ -365,8 +365,8 @@ popd
. .gitlab-ci/container/container_post_build.sh . .gitlab-ci/container/container_post_build.sh
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \ ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/"${ROOTFSTAR}" \
https://${S3_PATH}/"${ROOTFSTAR}" https://${S3_PATH}/"${ROOTFSTAR}"
touch /lava-files/done touch /lava-files/done
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" /lava-files/done https://${S3_PATH}/done ci-fairy s3cp --token-file "${S3_JWT_FILE}" /lava-files/done https://${S3_PATH}/done


@ -30,7 +30,7 @@ artifacts/ci-common/generate-env.sh | tee results/job-rootfs-overlay/set-job-env
section_end variables section_end variables
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ . tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}" ci-fairy s3cp --token-file "${S3_JWT_FILE}" job-rootfs-overlay.tar.gz "https://${JOB_ROOTFS_OVERLAY_PATH}"
ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst" ARTIFACT_URL="${FDO_HTTP_CACHE_URI:-}https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME:?}.tar.zst"
@ -50,7 +50,7 @@ PYTHONPATH=artifacts/ artifacts/lava/lava_job_submitter.py \
--ci-project-dir "${CI_PROJECT_DIR}" \ --ci-project-dir "${CI_PROJECT_DIR}" \
--device-type "${DEVICE_TYPE}" \ --device-type "${DEVICE_TYPE}" \
--dtb-filename "${DTB}" \ --dtb-filename "${DTB}" \
--jwt-file "${CI_JOB_JWT_FILE}" \ --jwt-file "${S3_JWT_FILE}" \
--kernel-image-name "${KERNEL_IMAGE_NAME}" \ --kernel-image-name "${KERNEL_IMAGE_NAME}" \
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \ --kernel-image-type "${KERNEL_IMAGE_TYPE}" \
--boot-method "${BOOT_METHOD}" \ --boot-method "${BOOT_METHOD}" \


@ -193,7 +193,7 @@ class LAVAJobDefinition:
"set +x # HIDE_START", "set +x # HIDE_START",
f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"', f'echo -n "{jwt_file.read()}" > "{self.job_submitter.jwt_file}"',
"set -x # HIDE_END", "set -x # HIDE_END",
f'echo "export CI_JOB_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh', f'echo "export S3_JWT_FILE={self.job_submitter.jwt_file}" >> /set-job-env-vars.sh',
] ]
else: else:
download_steps += [ download_steps += [


@ -8,7 +8,7 @@ set -ex
export PAGER=cat # FIXME: export everywhere export PAGER=cat # FIXME: export everywhere
INSTALL=$(realpath -s "$PWD"/install) INSTALL=$(realpath -s "$PWD"/install)
S3_ARGS="--token-file ${CI_JOB_JWT_FILE}" S3_ARGS="--token-file ${S3_JWT_FILE}"
RESULTS=$(realpath -s "$PWD"/results) RESULTS=$(realpath -s "$PWD"/results)
mkdir -p "$RESULTS" mkdir -p "$RESULTS"


@ -60,7 +60,7 @@ if [ -n "$S3_ARTIFACT_NAME" ]; then
# Pass needed files to the test stage # Pass needed files to the test stage
S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst" S3_ARTIFACT_NAME="$S3_ARTIFACT_NAME.tar.zst"
zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME} zstd artifacts/install.tar -o ${S3_ARTIFACT_NAME}
ci-fairy s3cp --token-file "${CI_JOB_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME} ci-fairy s3cp --token-file "${S3_JWT_FILE}" ${S3_ARTIFACT_NAME} https://${PIPELINE_ARTIFACTS_BASE}/${S3_ARTIFACT_NAME}
fi fi
section_end prepare-artifacts section_end prepare-artifacts


@ -158,7 +158,7 @@ python-test:
exclude: exclude:
- results/*.shader_cache - results/*.shader_cache
variables: variables:
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${CI_JOB_JWT_FILE} PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-public --jwt-file=${S3_JWT_FILE}
# until we overcome Infrastructure issues, give traces extra 5 min before timeout # until we overcome Infrastructure issues, give traces extra 5 min before timeout
DEVICE_HANGING_TIMEOUT_SEC: 600 DEVICE_HANGING_TIMEOUT_SEC: 600
script: script:


@ -89,7 +89,7 @@ radv-raven-traces-restricted:x86_64:
PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1" PIGLIT_REPLAY_ANGLE_TAG: "2023-02-10-1"
PIGLIT_TRACES_FILE: restricted-traces-amd.yml PIGLIT_TRACES_FILE: restricted-traces-amd.yml
PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}" PIGLIT_REPLAY_DEVICE_NAME: "vk-${GPU_VERSION}"
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE} PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
FDO_CI_CONCURRENT: 10 FDO_CI_CONCURRENT: 10
radeonsi-raven-piglit-quick_gl:x86_64: radeonsi-raven-piglit-quick_gl:x86_64:


@ -268,7 +268,7 @@ a630-traces-restricted:
- .google-freedreno-rules-restricted - .google-freedreno-rules-restricted
variables: variables:
PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml PIGLIT_TRACES_FILE: restricted-traces-freedreno.yml
PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE}" PIGLIT_REPLAY_EXTRA_ARGS: "--download-caching-proxy-url=http://10.42.0.1:8888/cache/?uri= --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}"
allow_failure: true allow_failure: true
a630-traces-performance: a630-traces-performance:


@ -78,7 +78,7 @@ zink-anv-tgl-traces-restricted:
- .zink-anv-rules-restricted - .zink-anv-rules-restricted
variables: variables:
PIGLIT_TRACES_FILE: traces-zink-restricted.yml PIGLIT_TRACES_FILE: traces-zink-restricted.yml
PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${CI_JOB_JWT_FILE} PIGLIT_REPLAY_EXTRA_ARGS: --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_bucket=mesa-tracie-private --jwt-file=${S3_JWT_FILE}
allow_failure: true allow_failure: true
zink-tu-a618: zink-tu-a618: