Monogon has a work-in-progress continuous integration / testing pipeline. Because of historical reasons, some parts of this pipeline are defined in a separate non-public repository that is managed by Monogon Labs.
In the long term, the entire infrastructure code relating to this will become public and part of the Monogon repository. In the meantime, this document should serve as a public reference that explains how that part works and how it integrates with //build/ci/... and the project as a whole.
//build/ci/Dockerfile describes a 'builder image'. This image contains a stable, Fedora-based build environment in which all Monogon components should be built. It has currently two uses:
The build scripts at //scripts/{create_container.sh,destroy_container.sh,/bin/bazel}. These are used by developers to run Bazel against a controlled environment to develop Monogon code. The create_container.sh script builds the Builder image and starts a Builder container. The bin/bazel wrapper script launches Bazel in it. The destroy_container.sh script cleans everything up.
The Jenkins based CI uses the Builder image as a base to run Jenkins agents. A Monogon Labs developer runs //build/ci/build_ci_image, which builds the Builder Image and pushes it to a container registry. Then, in another repository, that image is used as a base to overlay a Jenkins agent on top, and then used to run all Jenkins actions.
As Monogon evolves and gets better build hermeticity using Bazel toolchains, the need for a Builder image should subdue. Meanwhile, using the same image ensures that we have the maximum possible reproducibility of builds across development and CI machines, and gets us a base level of build hermeticity and reproducibility.
When a change on https://review.monogon.dev/ gets opened, it needs to either be owned by a 'trusted user', or be vouched by one. This is because our current CI setup is not designed to protect against malicious changes that might attempt to take over the CI system, or change the CI scripts themselves to skip tests.
Currently, all Monogon Labs employees (thus, the core Monogon development team) are marked as 'trusted users'. There is no formal process for community contributors to become part of this group, but we are more than happy to formalize such a process when needed, or appoint active community contributors to this group. Ideally, though, the CI system should be rebuilt to allow any external contributor to run CI in a secure and sandboxed fashion.
The CI system is currently made of a Jenkins instance running on https://jenkins.monogon.dev/. It runs against open changes that have the Allow-Run-CI label evaluated to 'ok' Gerrit Prolog rules, and executes the //build/ci/jenkins-presubmit.groovy script on them.
Currently, the Jenkins instance is not publicly available, and thus CI logs are not publicly available either. This will be fixed very soon.