This refresh switches the CI for contributors to be triggered by merge requests. Pushing to a branch in a fork will no longer run CI pipelines, in order to avoid consuming CI minutes. To regain the original behaviour contributors can opt-in to a pipeline on push git push <remote> -o ci.variable=RUN_PIPELINE=1 This variable can also be set globally on the repository, through the web UI options Settings -> CI/CD -> Variables, though this is not recommended. Upstream repo pushes to branches will run CI. The use of containers has changed in this update, with only the upstream repo creating containers, in order to avoid consuming contributors' limited storage quotas. A fork with existing container images may delete them. Containers will be rebuilt upstream when pushing commits with CI changes to the default branch. Any other scenario with CI changes will simply install build pre-requisite packages in a throaway environment, using the ci/buildenv/ scripts. These scripts may also be used on a contributor's local machines. With pipelines triggered by merge requests, it is also now possible to workaround the inability of contributors to run pipelines if they have run out of CI quota. A project member can trigger a pipeline from the merge request, which will run in context of upstream, however, note this should only be done after reviewing the code for any malicious CI changes. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
CI for libvirt
This document provides some information related to the CI capabilities for the libvirt project.
GitLab CI tuning
The behaviour of GitLab CI can be tuned through a number of variables which can be set at push time, or through the UI. See ci/gitlab.yml
for further details.
Cirrus CI integration
libvirt currently supports three non-Linux operating systems: Windows, FreeBSD and macOS. Windows cross-builds can be prepared on Linux by using MinGW-w64, but for both FreeBSD and macOS we need to use the actual operating system, and unfortunately GitLab shared runners are currently not available for either.
To work around this limitation, we take advantage of Cirrus CI's free offering: more specifically, we use the cirrus-run script to trigger Cirrus CI jobs from GitLab CI jobs so that the workaround is almost entirely transparent to users and there's no need to constantly check two separate CI dashboards.
There is, however, some one-time setup required. If you want FreeBSD and macOS builds to happen when you push to your GitLab repository, you need to
set up a GitHub repository for the project, eg.
yourusername/libvirt
. This repository needs to exist for cirrus-run to work, but it doesn't need to be kept up to date, so you can create it and then forget about it;enable the Cirrus CI GitHub app for your GitHub account;
sign up for Cirrus CI. It's enough to log into the website using your GitHub account;
grab an API token from the Cirrus CI settings page;
it may be necessary to push an empty
.cirrus.yml
file to your github fork for Cirrus CI to properly recognize the project. You can check whether Cirrus CI knows about your project by navigating to:https://cirrus-ci.com/yourusername/libvirt
in the CI/CD / Variables section of the settings page for your GitLab repository, create two new variables:
CIRRUS_GITHUB_REPO
, containing the name of the GitHub repository created earlier, eg.yourusername/libvirt
;CIRRUS_API_TOKEN
, containing the Cirrus CI API token generated earlier. This variable must be marked as Masked, because anyone with knowledge of it can impersonate you as far as Cirrus CI is concerned.
Neither of these variables should be marked as Protected, because in general you'll want to be able to trigger Cirrus CI builds from non-protected branches.
Once this one-time setup is complete, you can just keep pushing to your GitLab repository as usual and you'll automatically get the additional CI coverage.
Coverity scan integration
This will be used only by the main repository for master branch by running scheduled pipeline in GitLab.
The service is proved by Coverity Scan and requires that the project is registered there to get free coverity analysis which we already have for libvirt project.
To run the coverity job it requires two new variables:
COVERITY_SCAN_PROJECT_NAME
, containing the libvirt project name.COVERITY_SCAN_TOKEN
, token visible to admins of libvirt project