Monogon CI
==========

Monogon has a work-in-progress continuous integration / testing pipeline.
For historical reasons, some parts of this pipeline are defined in a
separate non-public repository that is managed by Monogon SE.

In the long term, the entire infrastructure code relating to this will become
public and part of the Monogon repository. In the meantime, this document
should serve as a public reference that explains how that part works and how it
integrates with `//build/ci/...` and the project as a whole.

Builder Image & Container
-------------------------

`//build/ci/Dockerfile` describes a 'builder image'. This image contains a
stable, Fedora-based build environment in which all Monogon components should
be built. The Jenkins-based CI uses the builder image as a base to run Jenkins
agents.

A Monogon SE developer runs `//build/ci/build_ci_image`, which builds the
builder image and pushes it to a container registry. Then, in another
repository, that image is used as a base to overlay a Jenkins agent on top,
and the resulting image is used to run all Jenkins actions.

The builder image contains only the basic dependencies required to bootstrap
the sandbox sysroot and run the CI agents. All other build-time dependencies
are managed by Bazel via [third_party/sandboxroot](../../third_party/sandboxroot).

CI usage
--------

When a change on https://review.monogon.dev/ gets opened, it needs to either
be owned by a 'trusted user' or be vouched for by one. This is because our
current CI setup is not designed to protect against malicious changes that
might attempt to take over the CI system, or change the CI scripts themselves
to skip tests.

Currently, all Monogon SE employees (thus, the core Monogon development team)
are marked as 'trusted users'. There is no formal process for community
contributors to become part of this group, but we are more than happy to
formalize such a process when needed, or to appoint active community
contributors to this group. Ideally, though, the CI system should be rebuilt
to allow any external contributor to run CI in a secure and sandboxed fashion.

CI implementation
-----------------

The CI system currently consists of a Jenkins instance running on
https://jenkins.monogon.dev/. It runs against open changes whose
Allow-Run-CI label has been evaluated to 'ok' by the Gerrit Prolog rules, and
executes the `//build/ci/jenkins-presubmit.groovy` script on them.

Currently, the Jenkins instance is not publicly available, and thus CI logs are
not publicly available either. This will be fixed soon.