From 742c3846e8f383965a87d16a9d17b0c0f6119a02 Mon Sep 17 00:00:00 2001 From: Guilherme Gallo Date: Thu, 19 Dec 2024 11:36:56 +0100 Subject: [PATCH] ci/container: set up S3_JWT_FILE also for container jobs Set up "${S3_JWT_FILE}" also for container jobs, this can be useful in case some jobs want to save something to S3. Note that for container jobs setting the file /s3_swt in the `default:before_script` section would not work: this wold be "too early" because, when using ci-templates, the cbuild invocation switches the root filesystem before executing FDO_DISTRIBUTION_EXEC, resulting in the file becoming unavailable after the switch. So set up the file exactly in FDO_DISTRIBUTION_EXEC, before launching the actual container script. Do this using a new trampoline script .gitlab-ci/container/container_job_trampoline.sh so that in the future other tasks common to all container jobs can be added there. Part-of:
---
 .gitlab-ci.yml | 8 ++++--- .../container/container_job_trampoline.sh | 22 +++++++++++++++++++ .gitlab-ci/container/gitlab-ci.yml | 2 +- 3 files changed, 28 insertions(+), 4 deletions(-) create mode 100755 .gitlab-ci/container/container_job_trampoline.sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 12d1e2a67cb..7e99ee91132 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -68,6 +68,9 @@ variables:
 rm download-git-cache.sh
 set +o xtrace
 S3_JWT_FILE: /s3_jwt
+ S3_JWT_FILE_SCRIPT: |-
+ echo -n '${S3_JWT}' > '${S3_JWT_FILE}' &&
+ unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables
 S3_HOST: s3.freedesktop.org
 # This bucket is used to fetch the kernel image
 S3_KERNEL_BUCKET: mesa-rootfs
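Review bot: The token file written by `echo -n '${S3_JWT}' > '${S3_JWT_FILE}'` in the new `S3_JWT_FILE_SCRIPT` variable gets whatever mode the job's umask yields, and nothing in the snippet restricts it. Doing the write in a subshell with a tight umask, `( umask 077; echo -n '${S3_JWT}' > '${S3_JWT_FILE}' ) &&`, would keep the credential readable only by the job user without changing the umask for the rest of the job. The variable also deserves a short comment above it, for example `# Expanded before the shell sees it: the value contains the token, so callers must unset it after eval`. That wording assumes the single-quoted references are resolved by the runner rather than by the shell, which is what the quoting suggests but is not visible in this hunk.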
@@ -112,9 +115,8 @@ default: - > export SCRIPTS_DIR=$(mktemp -d) && curl -L -s --retry 4 -f --retry-all-errors --retry-delay 60 -O --output-dir "${SCRIPTS_DIR}" "${CI_PROJECT_URL}/-/raw/${CI_COMMIT_SHA}/.gitlab-ci/setup-test-env.sh" && - . ${SCRIPTS_DIR}/setup-test-env.sh && - echo -n "${S3_JWT}" > "${S3_JWT_FILE}" && - unset CI_JOB_JWT S3_JWT # Unsetting vulnerable env variables + . ${SCRIPTS_DIR}/setup-test-env.sh + - eval "$S3_JWT_FILE_SCRIPT" after_script: # Work around https://gitlab.com/gitlab-org/gitlab/-/issues/20338
diff --git a/.gitlab-ci/container/container_job_trampoline.sh b/.gitlab-ci/container/container_job_trampoline.sh
new file mode 100755
index 00000000000..78625ad7073
--- /dev/null
+++ b/.gitlab-ci/container/container_job_trampoline.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+# When changing this file, check if the *_BUIL_TAG tags in
+# .gitlab-ci/image-tags.yml need updating.
+
+set -eu
+
+# Early check for required env variables, relies on `set -u`
+: "$S3_JWT_FILE_SCRIPT"
+
+if [ -z "$1" ]; then
+ echo "usage: $(basename "$0") " 1>&2
+ exit 1
+fi
+
+CONTAINER_CI_JOB_NAME="$1"
+
+# Tasks to perform before executing the script of a container job
+eval "$S3_JWT_FILE_SCRIPT"
+unset S3_JWT_FILE_SCRIPT
+
+bash ".gitlab-ci/container/${CONTAINER_CI_JOB_NAME}.sh"
diff --git a/.gitlab-ci/container/gitlab-ci.yml b/.gitlab-ci/container/gitlab-ci.yml
index 09d042a4d5b..7e82abd13f7 100644
--- a/.gitlab-ci/container/gitlab-ci.yml
+++ b/.gitlab-ci/container/gitlab-ci.yml
@@ -57,7 +57,7 @@ - .incorporate-templates-commit variables: FDO_REPO_SUFFIX: $CI_JOB_NAME - FDO_DISTRIBUTION_EXEC: 'bash .gitlab-ci/container/${CI_JOB_NAME}.sh' + FDO_DISTRIBUTION_EXEC: 'bash .gitlab-ci/container/container_job_trampoline.sh "${CI_JOB_NAME}"' # no need to pull the whole repo to build the container image GIT_STRATEGY: none
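Review bot: In the `default:before_script` hunk of `.gitlab-ci.yml` (`@@ -112,9 +115,8 @@`), the new item `- eval "$S3_JWT_FILE_SCRIPT"` leaves `S3_JWT_FILE_SCRIPT` set, whereas the trampoline added in this same commit runs `unset S3_JWT_FILE_SCRIPT` right after its `eval`. Because the snippet single-quotes `${S3_JWT}`, it appears to depend on the token being substituted into the variable's value before the shell runs. If so, the token stays exported to everything the job runs afterwards even though `S3_JWT` itself is unset. I would write the item as `- eval "$S3_JWT_FILE_SCRIPT"; unset S3_JWT_FILE_SCRIPT`, or move the unset into the snippet so both callers share it. If shell tracing is enabled when this item runs, the `eval` would also echo the expanded command into the job log, so it is worth confirming xtrace is off at this point.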
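Review bot: In `.gitlab-ci/container/container_job_trampoline.sh`, the usage check `if [ -z "$1" ]; then` cannot print its message when the argument is missing, because `set -eu` is in effect and expanding the unset `$1` aborts the script with an unbound-variable error first. Testing the argument count instead, `if [ "$#" -lt 1 ]; then` (or `[ -z "${1:-}" ]`), keeps the usage text reachable. The header comment says `*_BUIL_TAG`, which is presumably meant to be `*_BUILD_TAG`. Since `eval "$S3_JWT_FILE_SCRIPT"` handles a credential, a one-line comment above it, such as `# handles the S3 token: keep xtrace off and unset the variable afterwards`, would help whoever adds further common tasks to this script.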