Add tar+upload to builds.lokinet.dev of static build

Relies on an SSH_KEY secret being set in the repository. Also move the linked library check to a bash script because escaping a value in jsonnet (escape once) that gets passed through yaml (escape twice) and then bash (escape again) is too painful.
4 years ago · f54beadaa9
parent 861f83c9cc
commit f54beadaa9
3 changed files with 81 additions and 7 deletions
--- a/.drone.jsonnet
+++ b/.drone.jsonnet
@ -22,6 +22,7 @@ local debian_pipeline(name, image,
            name: 'build',
            image: image,
            [if allow_fail then "failure"]: "ignore",
+            environment: { SSH_KEY: { from_secret: "SSH_KEY" } },
            commands: [
                'echo "man-db man-db/auto-update boolean false" | debconf-set-selections',
                'apt-get update',
@ -69,13 +70,6 @@ local debian_pipeline(name, image,
    debian_pipeline("Ubuntu focal (amd64)", "ubuntu:focal"),
    debian_pipeline("Ubuntu bionic (amd64)", "ubuntu:bionic", deps='g++-8 ' + default_deps_base,
                    cmake_extra='-DCMAKE_C_COMPILER=gcc-8 -DCMAKE_CXX_COMPILER=g++-8 -DDOWNLOAD_SODIUM=ON'),
-    debian_pipeline("Ubuntu bionic/static (amd64)", "ubuntu:bionic", deps='g++-8 python3-dev',
-                    cmake_extra='-DBUILD_SHARED_LIBS=OFF -DSTATIC_LINK=ON -DCMAKE_C_COMPILER=gcc-8 -DCMAKE_CXX_COMPILER=g++-8 ' +
-                        '-DDOWNLOAD_SODIUM=ON -DDOWNLOAD_CURL=ON -DDOWNLOAD_UV=ON -DWITH_SYSTEMD=OFF',
-                    extra_cmds=['if ldd daemon/lokinet | grep -Ev "(linux-vdso|ld-linux-x86-64|lib(pthread|dl|rt|stdc\\\\+\\\\+|gcc_s|c|m))\\\\.so"; ' +
-                                'then /bin/echo -e "\\\\e[31;1mlokinet links to unexpected libraries\\\\e[0m"; false; ' +
-                                'else /bin/echo -e "\\\\e[32;1mNo unexpected linked libraries found\\\\e[0m"; ' +
-                                'fi']),

    // ARM builds (ARM64 and armhf)
    debian_pipeline("Ubuntu bionic (ARM64)", "ubuntu:bionic", arch="arm64", deps='g++-8 ' + default_deps_base,
@ -83,6 +77,15 @@ local debian_pipeline(name, image,
    debian_pipeline("Debian sid (ARM64)", "debian:sid", arch="arm64"),
    debian_pipeline("Debian buster (armhf)", "arm32v7/debian:buster", arch="arm64", cmake_extra='-DDOWNLOAD_SODIUM=ON'),

+    // Static build (on bionic) which gets uploaded to builds.lokinet.dev:
+    debian_pipeline("Static (focal amd64)", "ubuntu:bionic", deps='g++-8 python3-dev', lto=true,
+                    cmake_extra='-DBUILD_SHARED_LIBS=OFF -DSTATIC_LINK=ON -DCMAKE_C_COMPILER=gcc-8 -DCMAKE_CXX_COMPILER=g++-8 ' +
+                        '-DDOWNLOAD_SODIUM=ON -DDOWNLOAD_CURL=ON -DDOWNLOAD_UV=ON -DWITH_SYSTEMD=OFF',
+                    extra_cmds=[
+                        '../contrib/ci/drone-check-static-libs.sh',
+                        '../contrib/ci/drone-static-upload.sh'
+                    ]),
+
    // Macos build
    {
        kind: 'pipeline',
--- a/contrib/ci/drone-check-static-libs.sh
+++ b/contrib/ci/drone-check-static-libs.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+
+# Script used with Drone CI to check that a statically build lokinet only links against the expected
+# base system libraries.  Expects to be run with pwd of the build directory.
+
+set -o errexit
+
+if ldd daemon/lokinet | grep -Ev '(linux-vdso|ld-linux-x86-64|lib(pthread|dl|rt|stdc\+\+|gcc_s|c|m))\.so'; then
+    echo -e "\n\n\n\n\e[31;1mlokinet links to unexpected libraries\e[0m\n\n\n"
+    exit 1
+fi
+
+echo -e "\n\n\n\n\e[32;1mNo unexpected linked libraries found\e[0m\n\n\n"
--- a/contrib/ci/drone-static-upload.sh
+++ b/contrib/ci/drone-static-upload.sh
@ -0,0 +1,58 @@
+#!/bin/bash
+
+# Script used with Drone CI to upload build artifacts (because specifying all this in
+# .drone.jsonnet is too painful).
+
+
+
+set -o errexit
+
+if [ -z "$SSH_KEY" ]; then
+    echo -e "\n\n\n\e[31;1mUnable to upload artifact: SSH_KEY not set\e[0m"
+    # Just warn but don't fail, so that this doesn't trigger a build failure for untrusted builds
+    exit 0
+fi
+
+echo "$SSH_KEY" >~/ssh_key
+
+set -o xtrace  # Don't start tracing until *after* we write the ssh key
+
+chmod 600 ~/ssh_key
+
+if [ -n "$DRONE_TAG" ]; then
+    # For a tag build use something like `lokinet-linux-amd64-v1.2.3`
+    base="lokinet-linux-$DRONE_STAGE_ARCH-$DRONE_TAG"
+else
+    # Otherwise build a length name from the datetime and commit hash, such as:
+    # lokinet-linux-amd64-20200522T212342Z-04d7dcc54
+    base="lokinet-linux-$DRONE_STAGE_ARCH-$(date --date=@$DRONE_BUILD_CREATED +%Y%m%dT%H%M%SZ)-${DRONE_COMMIT:0:9}"
+fi
+
+mkdir -v "$base"
+mv -v daemon/lokinet "$base"
+cp -av ../lokinet-bootstrap "$base"
+tar cJvf "${base}.tar.xz" "$base"
+
+upload_to="builds.lokinet.dev/${DRONE_REPO// /_}/${DRONE_BRANCH// /_}"
+
+# sftp doesn't have any equivalent to mkdir -p, so we have to split the above up into a chain of
+# -mkdir a/, -mkdir a/b/, -mkdir a/b/c/, ... commands.  The leading `-` allows the command to fail
+# without error.
+upload_dirs=(${upload_to//\// })
+mkdirs=
+dir_tmp=""
+for p in "${upload_dirs[@]}"; do
+    dir_tmp="$dir_tmp$p/"
+    mkdirs="$mkdirs
+-mkdir $dir_tmp"
+done
+
+sftp -i ~/ssh_key -b - -o StrictHostKeyChecking=off drone@builds.lokinet.dev <<SFTP
+$mkdirs
+put $base.tar.xz $upload_to
+SFTP
+
+set +o xtrace
+
+echo -e "\n\n\n\n\e[32;1mUploaded to https://${upload_to}/${base}.tar.xz\e[0m\n\n\n"
+