Verified Commit 08d54171 authored by Beatriz Rizental's avatar Beatriz Rizental Committed by Pier Angelo Vendrame

Add CI for Base Browser

parent f7edea3c

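--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,9 @@
+stages:
+  - lint
+
+variables:
+  IMAGE_PATH: containers.torproject.org/tpo/applications/tor-browser/base:latest
+  LOCAL_REPO_PATH: /srv/apps-repos/tor-browser.git
+
+include:
+  - local: '.gitlab/ci/jobs/lint/lint.yml'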
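Review bot: `IMAGE_PATH` points every job at the mutable tag `base:latest`, so whatever was last pushed to the registry by hand is what runs on the runners, and the repository keeps no record of which image a given pipeline used. Pinning the variable by digest ties the image to a commit and turns an image change into a reviewable diff: `IMAGE_PATH: containers.torproject.org/tpo/applications/tor-browser/base@sha256:<IMAGE_DIGEST>` (placeholder; take the digest from the registry after publishing).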
+69 −0
FROM debian:latest

# Base image which includes all* dependencies checked by ./mach configure.
#
# * Actually not all dependencies. WASM sandboxed depencies were left out for now.
# This installs all dependencies checked by `./mach configure --without-wasm-sandboxed-libraries`.
#
# # Building and publishing
#
# Whenever this file changes, the updated Docker image must be built and published _manually_ to
# the tor-browser container registry (https://gitlab.torproject.org/tpo/applications/tor-browser/container_registry/185).
#
# This image copies a script from the taskcluster/ folder, which requires it
# to be built from a folder which is a parent of the taskcluster/ folder.
#
# To build, run:
#
# ```bash
# docker build \
#   -f <PATH_TO_DOCKERFILE> \
#   -t <REGISTRY_URL>/<IMAGE_NAME>:<IMAGE_TAG>
#   .
# ```
#
# For example, when building from the root of this repository to the main tor-browser repository
# and assuming image name to be "base" and tag "latest" -- which is the current terminology:
#
# ```bash
# docker build \
#   -f .gitlab/ci/docker/Dockerfile \
#   -t containers.torproject.org/tpo/applications/tor-browser/base:latest
#   .
# ```

RUN apt-get update && apt-get install -y \
    clang \
    curl \
    git \
    libasound2-dev \
    libdbus-glib-1-dev \
    libgtk-3-dev \
    libpango1.0-dev \
    libpulse-dev \
    libx11-xcb-dev \
    libxcomposite-dev \
    libxcursor-dev \
    libxdamage-dev \
    libxi-dev \
    libxrandr-dev \
    libxtst-dev \
    m4 \
    mercurial \
    nasm \
    pkg-config \
    python3 \
    python3-pip \
    unzip \
    wget

COPY taskcluster/docker/recipes/install-node.sh /scripts/install-node.sh
RUN chmod +x /scripts/install-node.sh
RUN /scripts/install-node.sh

RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
RUN $HOME/.cargo/bin/cargo install cbindgen

WORKDIR /app

CMD ["/bin/bash"]
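Review bot: None of the inputs to this image are pinned or verified: `FROM debian:latest`, the rustup installer piped from `curl` into `sh`, and `cargo install cbindgen` each resolve to whatever upstream serves on the day of the manual rebuild, so two builds of the same Dockerfile can differ and a changed upstream goes unnoticed. I would pin the base as `FROM debian:<RELEASE>@sha256:<DIGEST>` (placeholders), fetch rustup with `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y`, and install with `cargo install --locked --version <CBINDGEN_VERSION> cbindgen`. The `apt-get install` layer would also be smaller with `--no-install-recommends` and `rm -rf /var/lib/apt/lists/*` in the same `RUN`, and the image never sets `USER`, so lint jobs run repository code as root inside the container.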
+114 −0
#!/usr/bin/env python3

import argparse
import os
import re
import shlex
import subprocess


def git(command):
    result = subprocess.run(
        ["git"] + shlex.split(command), check=True, capture_output=True, text=True
    )
    return result.stdout.strip()


def get_firefox_tag(reference):
    """Extracts the Firefox tag associated with a branch or tag name.

       The "firefox tag" is the tag that marks
       the end of the Mozilla commits and the start of the Tor Project commits.

       Know issue: If ever there is more than one tag per Firefox ESR version,
       this function may return the incorrect reference number.

    Args:
        reference: The branch or tag name to extract the Firefox tag from.
        Expected format is tor-browser-91.2.0esr-11.0-1,
        where 91.2.0esr is the Firefox version.

    Returns:
        The reference specifier of the matching Firefox tag.
        An exception will be raised if anything goes wrong.
    """

    # Extracts the version number from a branch or tag name.
    firefox_version = ""
    match = re.search(r"(?<=browser-)([^-]+)", reference)
    if match:
        # TODO: Validate that what we got is actually a valid semver string?
        firefox_version = match.group(1)
    else:
        raise ValueError(f"Failed to extract version from reference '{reference}'.")

    tag = f"FIREFOX_{firefox_version.replace('.', '_')}_"
    remote_tags = git("ls-remote --tags origin")

    # Each line looks like:
    # 9edd658bfd03a6b4743ecb75fd4a9ad968603715  refs/tags/FIREFOX_91_9_0esr_BUILD1
    pattern = rf"(.*){re.escape(tag)}(.*)$"
    match = re.search(pattern, remote_tags, flags=re.MULTILINE)
    if match:
        return match.group(0).split()[0]
    else:
        raise ValueError(
            f"Failed to find reference specifier for Firefox tag '{tag}' from '{reference}'."
        )


def get_list_of_changed_files():
    """Gets a list of files changed in the working directory.

       This function is meant to be run inside the Gitlab CI environment.

       When running in a default branch, get the list of changed files since the last Firefox tag.
       When running for a new MR commit, get a list of changed files in the current MR.

    Returns:
        A list of filenames of changed files (excluding deleted files).
        An exception wil be raised if anything goes wrong.
    """

    base_reference = ""

    if os.getenv("CI_PIPELINE_SOURCE") == "merge_request_event":
        # For merge requests, the base_reference is the common ancestor between the MR and the target branch
        base_reference = os.getenv("CI_MERGE_REQUEST_DIFF_BASE_SHA")
    else:
        # When not in merge requests, the base reference is the Firefox tag
        base_reference = get_firefox_tag(os.getenv("CI_COMMIT_BRANCH"))

    if not base_reference:
        raise RuntimeError("No base reference found. There might be more errors above.")

    # Fetch the tag reference
    git(f"fetch origin {base_reference} --depth=1 --filter=blob:none")
    # Return but filter the issue_templates files because those file names have spaces which can cause issues
    return git("diff --diff-filter=d --name-only FETCH_HEAD HEAD").split("\n")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="")

    parser.add_argument(
        "--get-firefox-tag",
        help="Get the Firefox tag related to a given (tor-mullvad-base)-browser tag or branch name.",
        type=str,
    )
    parser.add_argument(
        "--get-changed-files",
        help="Get list of changed files."
        "When running from a merge request get sthe list of changed files since the merge-base of the current branch."
        "When running from a protected branch i.e. any branch that starts with <something>-browser-, gets the list of files changed since the FIREFOX_ tag.",
        action="store_true",
    )

    args = parser.parse_args()

    if args.get_firefox_tag:
        print(get_firefox_tag(args.get_firefox_tag))
    elif args.get_changed_files:
        print("\n".join(get_list_of_changed_files()))
    else:
        print("No valid option provided.")
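Review bot: `git()` re-splits a formatted string with `shlex.split`, and `get_list_of_changed_files` interpolates `base_reference` into it unchecked, so any whitespace or a leading `-` in that value becomes extra git arguments. In the merge-request path the value is `CI_MERGE_REQUEST_DIFF_BASE_SHA` read from the environment, and in the other path it is the first field of an `ls-remote` line, so both should be object ids; GitLab sets the variable, which makes this hardening rather than a known hole. I would check it before the fetch with `if not re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", base_reference): raise RuntimeError("Base reference is not an object id.")`. The comment above the final `return` says issue_templates files are filtered, but the `git diff` call does no filtering; either drop that sentence or add the filter.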
+310 −0
.base:
  stage: lint
  image: $IMAGE_PATH
  interruptible: true
  variables:
    MOZBUILD_STATE_PATH: "$CI_PROJECT_DIR/.cache/mozbuild"
    # A copy of the repository already is available in the runner.
    GIT_STRATEGY: "none"
  cache:
    paths:
      - node_modules
      - .cache/mozbuild
    # Store the cache regardless on job outcome
    when: 'always'
    # Share the cache throughout all pipelines running for a given branch
    key: $CI_COMMIT_REF_SLUG
  tags:
    # Run these jobs in the browser dedicated runners.
    - firefox
  before_script:
    - git init
    - git remote add local "$LOCAL_REPO_PATH"
    - git fetch --depth 500 local
    - git remote add origin "$CI_REPOSITORY_URL"
    - |
      if [ -z "${CI_COMMIT_BRANCH:-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}" ]; then
          echo "No branch specified. Stopping the pipeline."
          exit 1
      fi
    - echo "Fetching from remote branch ${CI_COMMIT_BRANCH:-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
    - git fetch origin "${CI_COMMIT_BRANCH:-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"
    - git checkout origin/${CI_COMMIT_BRANCH:-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}

eslint:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l eslint
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        # Files that are likely audited.
        - '**/*.js'
        - '**/*.jsm'
        - '**/*.json'
        - '**/*.jsx'
        - '**/*.mjs'
        - '**/*.sjs'
        - '**/*.html'
        - '**/*.xhtml'
        - '**/*.xml'
        - 'tools/lint/eslint.yml'
        # Run when eslint policies change.
        - '**/.eslintignore'
        - '**/*eslintrc*'
        # The plugin implementing custom checks.
        - 'tools/lint/eslint/eslint-plugin-mozilla/**'
        - 'tools/lint/eslint/eslint-plugin-spidermonkey-js/**'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

stylelint:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l stylelint
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        # Files that are likely audited.
        - '**/*.css'
        - 'tools/lint/styleint.yml'
        # Run when stylelint policies change.
        - '**/.stylelintignore'
        - '**/*stylelintrc*'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

py-black:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l black
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        # The list of extensions should match tools/lint/black.yml
        - '**/*.py'
        - '**/moz.build'
        - '**/*.configure'
        - '**/*.mozbuild'
        - 'pyproject.toml'
        - 'tools/lint/black.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

py-ruff:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l ruff
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.py'
        - '**/*.configure'
        - '**/.ruff.toml'
        - 'pyproject.toml'
        - 'tools/lint/ruff.yml'
        - 'tools/lint/python/ruff.py'
        - 'tools/lint/python/ruff_requirements.txt'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

yaml:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l yaml
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.yml'
        - '**/*.yaml'
        - '**/.ymllint'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

shellcheck:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l shellcheck
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.sh'
        - 'tools/lint/shellcheck.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

clang-format:
  extends: .base
  script:
    - ./mach configure --without-wasm-sandboxed-libraries --with-base-browser-version=0.0.0
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l clang-format
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.cpp'
        - '**/*.c'
        - '**/*.cc'
        - '**/*.h'
        - '**/*.m'
        - '**/*.mm'
        - 'tools/lint/clang-format.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

rustfmt:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l rustfmt
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.rs'
        - 'tools/lint/rustfmt.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

fluent-lint:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l fluent-lint
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.ftl'
        - 'tools/lint/fluent-lint.yml'
        - 'tools/lint/fluent-lint/exclusions.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

localization:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l l10n
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/locales/en-US/**'
        - '**/l10n.toml'
        - 'third_party/python/compare-locales/**'
        - 'third_party/python/fluent/**'
        - 'tools/lint/l10n.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

mingw-capitalization:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l mingw-capitalization
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.cpp'
        - '**/*.cc'
        - '**/*.c'
        - '**/*.h'
        - 'tools/lint/mingw-capitalization.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

mscom-init:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l mscom-init
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.cpp'
        - '**/*.cc'
        - '**/*.c'
        - '**/*.h'
        - 'tools/lint/mscom-init.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

file-whitespace:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l file-whitespace
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.c'
        - '**/*.cc'
        - '**/*.cpp'
        - '**/*.css'
        - '**/*.dtd'
        - '**/*.idl'
        - '**/*.ftl'
        - '**/*.h'
        - '**/*.html'
        - '**/*.md'
        - '**/*.properties'
        - '**/*.py'
        - '**/*.rs'
        - '**/*.rst'
        - '**/*.webidl'
        - '**/*.xhtml'
        - '**/*.java'
        - 'tools/lint/file-whitespace.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

test-manifest:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l test-manifest-alpha -l test-manifest-disable -l test-manifest-skip-if
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.ini'
        - 'python/mozlint/**'
        - 'tools/lint/**'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')

trojan-source:
  extends: .base
  script:
    - .gitlab/ci/jobs/lint/helpers.py --get-changed-files | xargs -d '\n' ./mach lint -l trojan-source
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      changes:
        # List copied from: taskcluster/ci/source-test/mozlint.yml
        #
        - '**/*.c'
        - '**/*.cc'
        - '**/*.cpp'
        - '**/*.h'
        - '**/*.py'
        - '**/*.rs'
        - 'tools/lint/trojan-source.yml'
    # Run job whenever a commit is merged to a protected branch
    - if: ($CI_COMMIT_BRANCH && $CI_COMMIT_REF_PROTECTED == 'true' && $CI_PIPELINE_SOURCE == 'push')
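Review bot: The last `before_script` step of `.base` checks out `origin/<branch>` by name with the expansion unquoted, while the fetch on the line before it quotes the same expression; in merge-request pipelines that name is chosen by the MR author. Resolving by name also means the job lints whatever the branch tip is when the job starts, which may no longer be the commit the pipeline was created for. Quote it as `- git checkout "origin/${CI_COMMIT_BRANCH:-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME}"`, or better check out `"$CI_COMMIT_SHA"` if the runner can fetch it. Separately, `'tools/lint/styleint.yml'` in the stylelint `changes:` list looks like a typo for `stylelint.yml` (possibly inherited from the copied list), so edits to that config would not trigger the job.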