- debian_pipeline
Workflow debian_pipeline
We want to provide a workflow coordinating all the steps that are typically run to build and test an upload to Debian, similar to the Salsa CI pipeline but (eventually) with more distribution-wide testing and the ability to handle the task of performing the upload.
This builds on the existing sbuild workflow.
task_data:source_artifact(Single lookup, required): the debian:source-package or debian:upload artifact representing the source package to testvendor(string, required): the distribution vendor on which to run testscodename(string, required): the distribution codename on which to run testsextra_repositories(optional): see PackageBuildarchitectures(list of strings, optional): if set, only run on any of these architecture namesarchitectures_allowlist(list of strings, optional, either concrete architecture names orall): if set, only run on any of these architecture names; whilearchitecturesis intended to be supplied by users, this field is intended to be provided via Task configurationarchitectures_denylist(list of strings, optional, either concrete architecture names orall): if set, do not run on any of these architecture names; this field is intended to be provided via Task configurationarch_all_host_architecture(string, defaults toamd64): concrete architecture on which to run tasks forArchitecture: allpackagessigning_template_names(dictionary, optional): mapping from architecture to list of names of binary packages that should be used as signing templates by the make_signed_source sub-workflowsbuild_backend(string, optional): see PackageBuildsbuild_environment_variant(string, optional): variant of the environment to build on, e.g.builddqa_suite(Single lookup, required ifenable_reverse_dependencies_autopkgtestorenable_debdiffis True): the debian:suite collection to search for reverse-dependencies or debdiff original packages. Once we have a good way to look up the primary suite for a vendor and codename, this could default to doing soenable_check_installability(boolean, defaults to True): whether to include installability-checking taskscheck_installability_suite(Single lookup, required ifenable_check_installabilityis True): the debian:suite collection to check installability against; once we have a good way to look up the primary suite for a vendor and codename, this could default to doing soenable_autopkgtest(boolean, defaults to True): whether to include autopkgtest tasksautopkgtest_backend(string, optional): see Autopkgtestenable_reverse_dependencies_autopkgtest(boolean, defaults to False): whether to include autopkgtest tasks for reverse-dependenciesenable_lintian(boolean, defaults to True): whether to include lintian taskslintian_backend(string, optional): see Lintianlintian_fail_on_severity(string, optional): see Lintianenable_piuparts(boolean, defaults to True): whether to include piuparts taskspiuparts_backend(string, optional): see Piupartspiuparts_environment(string, optional): the environment to run piuparts inenable_debdiff(boolean, defaults to False): whether to include debdiff for source and binary packages, comparing the supplied source package and the built binary packages against the packages available in the distribution identified byqa_suite.enable_blhc(boolean, defaults to True): whether to includeblhctasks for the logs associated to the buildsenable_make_signed_source(boolean, defaults to False): whether to sign the contents of builds and make a signed source packagemake_signed_source_purpose(string, required only ifenable_make_signed_sourceis True): the purpose of the key to sign with; see Signmake_signed_source_key(string, required only ifenable_make_signed_sourceis True): the fingerprint to sign with; must matchpurposeenable_confirmation(boolean, defaults to False): whether the generated workflow includes a confirmation step asking the user to double check what was built before the uploadenable_upload(boolean, defaults to False): whether to upload to an upload queueupload_key(Single lookup, optional): key used to sign uploadsupload_binary_key(Single lookup, optional): key used to sign binary uploadsupload_require_signature(boolean, defaults to True): whether uploads must be signed; if this is set and neitherupload_keynor (if applicable)upload_binary_keyis set, then the user will have to remotely sign the filesupload_include_source(boolean, defaults to True): include source with the uploadupload_include_binaries(boolean, defaults to True): include binaries with the uploadupload_merge_uploads(boolean, defaults to True): if True, merge the uploads for each source package and its binaries that are being uploaded, and create one PackageUpload task per source package to upload them all together; if False, create a separate PackageUpload task for each source and binary uploadupload_since_version(string, optional): ifsource_artifactis a debian:source-package, include changelog information from all versions strictly later than this version in the.changesfile; the default is to include only the topmost changelog entryupload_target_distribution(string, optional): ifsource_artifactis a debian:source-package, override the targetDistributionfield in the.changesfile to this value; the default is to use the distribution from the topmost changelog entryupload_target(string, defaults toftp://anonymous@ftp.upload.debian.org/pub/UploadQueue/): the upload queue, as anftp://orsftp://URLupload_delayed_days(integer, optional): the number of days to delay the upload; this assumes that the upload queue implements Debian’s convention of uploading delayed uploads to aDELAYED/{n}-dayqueuepublish_target(Single lookup, optional): a debian:suite collection to publish packages topublish_replace(boolean, defaults to False): if True, replace existing similar items, if the target suite allows it
The workflow computes dynamic metadata as:
subject: package name of
source_artifact
The effective set of architectures is {architectures} (defaulting to all
architectures supported by this Debusine instance and the
{vendor}:{codename} suite, plus all), intersecting
{architectures_allowlist} if set, and subtracting
{architectures_denylist} if set.
The workflow creates sub-workflows and tasks as follows, with substitutions based on its own task data:
an sbuild sub-workflow, with task data:
input.source_artifact:{source_artifact}target_distribution:{vendor}:{codename}backend:{sbuild_backend}architectures: the effective set of architecturesarch_all_host_architecture:{arch_all_host_architecture}, if setenvironment_variant:{sbuild_environment_variant}, if setsigning_template_names:{signing_template_names}, if set
if any of
enable_check_installability,enable_autopkgtest,enable_lintian,enable_piupartsandenable_debdiffare True, a qa sub-workflow, with task data copied from the items of the same name in this workflow’s task data, plus:binary_artifacts:internal@collections/name:build-{architecture}, for each available architecturearchitectures: the effective set of architectures
if
enable_confirmationis set, a Confirmif
enable_make_signed_sourceandsigning_template_namesare set, a make_signed_source sub-workflow, with task data:binary_artifacts:internal@collections/name:build-{architecture}, for each available architecturesigning_template_artifacts:internal@collections/name:signing-template-{architecture}-{binary_package_name}, for each architecture and binary package name fromsigning_template_namesvendor:{vendor}codename:{codename}architectures: the effective set of architecturespurpose:{make_signed_source_purpose}key:{make_signed_source_key}sbuild_backend:{sbuild_backend}
if
enable_uploadis set, a package_upload sub-workflow for each source package being uploaded (at least the top-levelsource_artifact, but also each assembled signed source package from the make_signed_source sub-workflow if one exists), configured to require a signature from the developer, with task data:source_artifact: the source artifact to upload (or unset if this upload is for the top-level source artifact andupload_include_sourceis False)binary_artifacts:internal@collections/name:{prefix}build-{architecture}, for each available architecture (or empty ifupload_include_binariesis False), whereprefixis empty if this upload is for the top-level source artifact orsigned-source-{architecture}-{binary_package_name}|if this upload is for an assembled signed source packagemerge_uploads:{upload_merge_uploads}since_version:{upload_since_version}target_distribution:{upload_target_distribution}key:{upload_key}require_signature:{upload_require_signature}target:{upload_target}vendor:{vendor}codename:{codename}arch_all_host_architecture:{arch_all_host_architecture}delayed_days:{upload_delayed_days}
if
publish_targetis set, a package_publish sub-workflow for each source package being uploaded (at least the top-levelsource_artifact, but also each assembled signed source package from the make_signed_source sub-workflow if one exists), with task data:source_artifact: the source artifact to upload (or unset if this upload is for the top-level source artifact andupload_include_sourceis False)binary_artifacts:internal@collections/name:{prefix}build-{architecture}, for each available architecture (or empty ifupload_include_binariesis False), whereprefixis empty if this upload is for the top-level source artifact orsigned-source-{architecture}-{binary_package_name}|if this upload is for an assembled signed source packagetarget_suite:{publish_target}replace:{publish_replace}
The first work request for each architecture in the make_signed_source sub-workflow depends on the Confirm task above, as do the first work requests in each of the package_upload and package_publish sub-workflows.
Todo
Not implemented:
enable_check_installability,check_installability_suite(see CheckInstallability)enable_confirmation(see Confirm)publish_target,publish_replace