libvirt/ci/README.rst
Daniel P. Berrangé 491d918502 ci: refresh with latest lcitool manifest
This refresh switches the CI for contributors to be triggered by merge
requests. Pushing to a branch in a fork will no longer run CI pipelines,
in order to avoid consuming CI minutes. To regain the original behaviour
contributors can opt-in to a pipeline on push

   git push <remote> -o ci.variable=RUN_PIPELINE=1

This variable can also be set globally on the repository, through the
web UI options Settings -> CI/CD -> Variables, though this is not
recommended. Upstream repo pushes to branches will run CI.

The use of containers has changed in this update, with only the upstream
repo creating containers, in order to avoid consuming contributors'
limited storage quotas. A fork with existing container images may delete
them. Containers will be rebuilt upstream when pushing commits with CI
changes to the default branch. Any other scenario with CI changes will
simply install build pre-requisite packages in a throaway environment,
using the ci/buildenv/ scripts. These scripts may also be used on a
contributor's local machines.

With pipelines triggered by merge requests, it is also now possible to
workaround the inability of contributors to run pipelines if they have
run out of CI quota. A project member can trigger a pipeline from the
merge request, which will run in context of upstream, however, note
this should only be done after reviewing the code for any malicious
CI changes.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-10-06 05:15:54 -04:00

3.5 KiB

CI for libvirt

This document provides some information related to the CI capabilities for the libvirt project.

GitLab CI tuning

The behaviour of GitLab CI can be tuned through a number of variables which can be set at push time, or through the UI. See ci/gitlab.yml for further details.

Cirrus CI integration

libvirt currently supports three non-Linux operating systems: Windows, FreeBSD and macOS. Windows cross-builds can be prepared on Linux by using MinGW-w64, but for both FreeBSD and macOS we need to use the actual operating system, and unfortunately GitLab shared runners are currently not available for either.

To work around this limitation, we take advantage of Cirrus CI's free offering: more specifically, we use the cirrus-run script to trigger Cirrus CI jobs from GitLab CI jobs so that the workaround is almost entirely transparent to users and there's no need to constantly check two separate CI dashboards.

There is, however, some one-time setup required. If you want FreeBSD and macOS builds to happen when you push to your GitLab repository, you need to

  • set up a GitHub repository for the project, eg. yourusername/libvirt. This repository needs to exist for cirrus-run to work, but it doesn't need to be kept up to date, so you can create it and then forget about it;

  • enable the Cirrus CI GitHub app for your GitHub account;

  • sign up for Cirrus CI. It's enough to log into the website using your GitHub account;

  • grab an API token from the Cirrus CI settings page;

  • it may be necessary to push an empty .cirrus.yml file to your github fork for Cirrus CI to properly recognize the project. You can check whether Cirrus CI knows about your project by navigating to:

    https://cirrus-ci.com/yourusername/libvirt

  • in the CI/CD / Variables section of the settings page for your GitLab repository, create two new variables:

    • CIRRUS_GITHUB_REPO, containing the name of the GitHub repository created earlier, eg. yourusername/libvirt;
    • CIRRUS_API_TOKEN, containing the Cirrus CI API token generated earlier. This variable must be marked as Masked, because anyone with knowledge of it can impersonate you as far as Cirrus CI is concerned.

    Neither of these variables should be marked as Protected, because in general you'll want to be able to trigger Cirrus CI builds from non-protected branches.

Once this one-time setup is complete, you can just keep pushing to your GitLab repository as usual and you'll automatically get the additional CI coverage.

Coverity scan integration

This will be used only by the main repository for master branch by running scheduled pipeline in GitLab.

The service is proved by Coverity Scan and requires that the project is registered there to get free coverity analysis which we already have for libvirt project.

To run the coverity job it requires two new variables: