Add CI for Base Browser

.gitlab-ci.yml

+stages:
+  - lint
+
+variables:
+  IMAGE_PATH: containers.torproject.org/tpo/applications/tor-browser/base:latest
+
+include:
+  - local: '.gitlab/ci/lint.yml'

.gitlab/ci/docker/base/Dockerfile

+FROM debian:latest
+
+# Base image which includes all* dependencies checked by ./mach configure.
+#
+# * Actually not all dependencies. WASM sandboxed depencies were left out for now.
+# This installs all dependencies checked by `./mach configure --without-wasm-sandboxed-libraries`.
+#
+# # Building and publishing
+#
+# Whenever this file changes, the updated Docker image must be built and published _manually_ to
+# the tor-browser container registry (https://gitlab.torproject.org/tpo/applications/tor-browser/container_registry/185).
+#
+# This image copies a script from the taskcluster/ folder, which requires it
+# to be built from a folder which is a parent of the taskcluster/ folder.
+#
+# To build, run:
+#
+# ```bash
+# docker build \
+#   -f <PATH_TO_DOCKERFILE> \
+#   -t <REGISTRY_URL>/<IMAGE_NAME>:<IMAGE_TAG>
+#   .
+# ```
+#
+# For example, when building from the root of this repository to the main tor-browser repository
+# and assuming image name to be "base" and tag "latest" -- which is the current terminology:
+#
+# ```bash
+# docker build \
+#   -f .gitlab/ci/docker/Dockerfile \
+#   -t containers.torproject.org/tpo/applications/tor-browser/base:latest
+#   .
+# ```
+
+RUN apt-get update && apt-get install -y \
+    clang \
+    curl \
+    git \
+    libasound2-dev \
+    libdbus-glib-1-dev \
+    libgtk-3-dev \
+    libpango1.0-dev \
+    libpulse-dev \
+    libx11-xcb-dev \
+    libxcomposite-dev \
+    libxcursor-dev \
+    libxdamage-dev \
+    libxi-dev \
+    libxrandr-dev \
+    libxtst-dev \
+    m4 \
+    mercurial \
+    nasm \
+    pkg-config \
+    python3 \
+    python3-pip \
+    unzip \
+    wget
+
+COPY taskcluster/docker/recipes/install-node.sh /scripts/install-node.sh
+RUN chmod +x /scripts/install-node.sh
+RUN /scripts/install-node.sh
+
+RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
+RUN $HOME/.cargo/bin/cargo install cbindgen
+
+WORKDIR /app
+
+CMD ["/bin/bash"]

.gitlab/ci/lint.yml

+.base:
+  stage: lint
+  interruptible: true
+  variables:
+    MOZBUILD_STATE_PATH: "$CI_PROJECT_DIR/.cache/mozbuild"
+  cache:
+    paths:
+      - node_modules
+      - .cache/mozbuild
+    # Store the cache regardless on job outcome
+    when: 'always'
+    # Share the cache throughout all pipelines running for a given branch
+    key: $CI_COMMIT_REF_SLUG
+
+eslint:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py eslint
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        # Files that are likely audited.
+        - '**/*.js'
+        - '**/*.jsm'
+        - '**/*.json'
+        - '**/*.jsx'
+        - '**/*.mjs'
+        - '**/*.sjs'
+        - '**/*.html'
+        - '**/*.xhtml'
+        - '**/*.xml'
+        - 'tools/lint/eslint.yml'
+        # Run when eslint policies change.
+        - '**/.eslintignore'
+        - '**/*eslintrc*'
+        # The plugin implementing custom checks.
+        - 'tools/lint/eslint/eslint-plugin-mozilla/**'
+        - 'tools/lint/eslint/eslint-plugin-spidermonkey-js/**'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+stylelint:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py stylelint
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        # Files that are likely audited.
+        - '**/*.css'
+        - 'tools/lint/styleint.yml'
+        # Run when stylelint policies change.
+        - '**/.stylelintignore'
+        - '**/*stylelintrc*'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+py-black:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py black
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        # The list of extensions should match tools/lint/black.yml
+        - '**/*.py'
+        - '**/moz.build'
+        - '**/*.configure'
+        - '**/*.mozbuild'
+        - 'pyproject.toml'
+        - 'tools/lint/black.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+py-ruff:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py ruff
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.py'
+        - '**/*.configure'
+        - '**/.ruff.toml'
+        - 'pyproject.toml'
+        - 'tools/lint/ruff.yml'
+        - 'tools/lint/python/ruff.py'
+        - 'tools/lint/python/ruff_requirements.txt'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+yaml:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py yaml
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.yml'
+        - '**/*.yaml'
+        - '**/.ymllint'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+shellcheck:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py shellcheck
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.sh'
+        - 'tools/lint/shellcheck.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+clang-format:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - ./mach configure --without-wasm-sandboxed-libraries --with-base-browser-version=0.0.0
+    - .gitlab/ci/scripts/run_linters.py clang-format
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.cpp'
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.h'
+        - '**/*.m'
+        - '**/*.mm'
+        - 'tools/lint/clang-format.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+rustfmt:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py rustfmt
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.rs'
+        - 'tools/lint/rustfmt.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+fluent-lint:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py fluent-lint
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.ftl'
+        - 'tools/lint/fluent-lint.yml'
+        - 'tools/lint/fluent-lint/exclusions.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+localization:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py l10n
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/locales/en-US/**'
+        - '**/l10n.toml'
+        - 'third_party/python/compare-locales/**'
+        - 'third_party/python/fluent/**'
+        - 'tools/lint/l10n.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+mingw-capitalization:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py mingw-capitalization
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.cpp'
+        - '**/*.cc'
+        - '**/*.c'
+        - '**/*.h'
+        - 'tools/lint/mingw-capitalization.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+mscom-init:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py mscom-init
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.cpp'
+        - '**/*.cc'
+        - '**/*.c'
+        - '**/*.h'
+        - 'tools/lint/mscom-init.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+file-whitespace:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py file-whitespace
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.css'
+        - '**/*.dtd'
+        - '**/*.idl'
+        - '**/*.ftl'
+        - '**/*.h'
+        - '**/*.html'
+        - '**/*.md'
+        - '**/*.properties'
+        - '**/*.py'
+        - '**/*.rs'
+        - '**/*.rst'
+        - '**/*.webidl'
+        - '**/*.xhtml'
+        - 'tools/lint/file-whitespace.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+test-manifest:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py test-manifest-alpha test-manifest-disable test-manifest-skip-if
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.ini'
+        - 'python/mozlint/**'
+        - 'tools/lint/**'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'
+
+trojan-source:
+  extends: .base
+  image: $IMAGE_PATH
+  script:
+    - .gitlab/ci/scripts/run_linters.py trojan-source
+  rules:
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      changes:
+        # List copied from: taskcluster/ci/source-test/mozlint.yml
+        #
+        - '**/*.c'
+        - '**/*.cc'
+        - '**/*.cpp'
+        - '**/*.h'
+        - '**/*.py'
+        - '**/*.rs'
+        - 'tools/lint/trojan-source.yml'
+    # Run job whenever a commit is merged to a protected branch
+    - if: $CI_COMMIT_REF_PROTECTED == 'true'

.gitlab/ci/scripts/run_linters.py

+#!/usr/bin/env python3
+
+import argparse
+import os
+import re
+import shlex
+import subprocess
+import sys
+
+
+def git(command):
+    result = subprocess.run(
+        ["git"] + shlex.split(command), check=True, capture_output=True, text=True
+    )
+    return result.stdout.strip()
+
+
+def get_firefox_tag_from_branch_name(branch_name):
+    """Extracts the Firefox tag associated with a branch name.
+
+       The "firefox tag" is the tag that marks
+       the end of the Mozilla commits and the start of the Tor Project commits.
+
+       Know issue: If ever there is more than one tag per Firefox ESR version,
+       this function may return the incorrect reference number.
+
+    Args:
+        branch_name: The branch name to extract the tag from.
+        Expected format is tor-browser-91.2.0esr-11.0-1,
+        where 91.2.0esr is the Firefox version.
+
+    Returns:
+        The reference specifier of the matching Firefox tag.
+        An exception wil be raised if anything goes wrong.
+    """
+
+    # Extracts the version number from a branch name.
+    firefox_version = ""
+    match = re.search(r"(?<=browser-)([^-]+)", branch_name)
+    if match:
+        # TODO: Validate that what we got is actually a valid semver string?
+        firefox_version = match.group(1)
+    else:
+        raise ValueError(f"Failed to extract version from branch name '{branch_name}'.")
+
+    tag = f"FIREFOX_{firefox_version.replace('.', '_')}_"
+    remote_tags = git("ls-remote --tags")
+
+    # Each line looks like:
+    # 9edd658bfd03a6b4743ecb75fd4a9ad968603715  refs/tags/FIREFOX_91_9_0esr_BUILD1
+    pattern = rf"(.*){re.escape(tag)}(.*)$"
+    match = re.search(pattern, remote_tags, flags=re.MULTILINE)
+    if match:
+        return match.group(0).split()[0]
+    else:
+        raise ValueError(
+            f"Failed to find reference specifier for Firefox tag '{tag}' in branch '{branch_name}'."
+        )
+
+
+def get_list_of_changed_files():
+    """Gets a list of files changed in the working directory.
+
+       This function is meant to be run inside the Gitlab CI environment.
+
+       When running in a default branch, get the list of changed files since the last Firefox tag.
+       When running for a new MR commit, get a list of changed files in the current MR.
+
+    Returns:
+        A list of filenames of changed files (excluding deleted files).
+        An exception wil be raised if anything goes wrong.
+    """
+
+    base_reference = ""
+
+    if os.getenv("CI_PIPELINE_SOURCE") == "merge_request_event":
+        # For merge requests, the base_reference is the common ancestor between the MR and the target branch.
+        base_reference = os.getenv("CI_MERGE_REQUEST_DIFF_BASE_SHA")
+    else:
+        # When not in merge requests, the base reference is the Firefox tag
+        base_reference = get_firefox_tag_from_branch_name(os.getenv("CI_COMMIT_BRANCH"))
+
+    if not base_reference:
+        raise RuntimeError("No base reference found. There might be more errors above.")
+
+    # Fetch the tag reference
+    git(f"fetch origin {base_reference} --depth=1 --filter=blob:none")
+    # Return the list of changed files
+    return git(f"diff --diff-filter=d --name-only {base_reference} HEAD").split("\n")
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Run ./mach linters in CI. Warning: if you run this in your local environment it might mess up your git history."
+    )
+    parser.add_argument(
+        "linters", metavar="L", type=str, nargs="+", help="A list of linters to run."
+    )
+    args = parser.parse_args()
+
+    changed_files = get_list_of_changed_files()
+    if changed_files:
+        command = ["./mach", "lint", "-v"]
+        for linter in args.linters:
+            command.extend(["-l", linter])
+        command.extend(changed_files)
+        result = subprocess.run(command, text=True)
+        sys.exit(result.returncode)
+    else:
+        print("No files changed, skipping linting.")