git published an advisory Yesterday, which (as a counter-measure)
requires the git repository's directory to be owned by the current
user, and otherwise produce an error:
fatal: unsafe repository ('/workspace' is owned by someone else)
To add an exception for this directory, call:
git config --global --add safe.directory /workspace
The DCO check is run within a container, which is running as `root`
(to allow packages to be installed), but because of this, the user
does not match the files that are bind-mounted from the host (as they
are checked out by Jenkins, using a different user).
To work around this issue, this patch configures git to consider the
`/workspace` directory as "safe". We configure it in the `--system`
configuration so that it takes effect for "all users" inside the
container.
More details on the advisory can be found on GitHub's blog:
https://github.blog/2022-04-12-git-security-vulnerability-announced/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit efe03aa2d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It was already disabled by default, but removing it now that it reached
end of the line.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9326ea5b99)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This changes CI to skip these platforms by default. The ppc64le and s390x
machines are "pet machines", configuration may be outdated, and these
machines are known to be flaky.
Building and verifying packages for these platforms is being handed
over to the IBM team.
We can still run these platforms for specific pull requests by selecting
the checkboxes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 82c7e906ea)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Thanks to Stefan Scherer for setting up the Jenkins nodes.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c23b99f4db)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The image that's built is not pushed anywhere, and is just
building the same as the main image already builds, so didn't
add value.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The latest `ltsc2019` image (`10.0.17763.1039`) appear to be broken,
and even a `RUN Write-Host hello` hangs.
Temporarily switching back to an older version so that CI doesn't fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Dockerfile.Windows modified to build gotestsum.exe
2. Use gotestsum.exe in invoking the execution of:
(a) Unit tests (run in containers),
(b) Integration tests (run outside containers)
(c) Integration-cli (run outside containers)
No changes made to other categories of tests (e.g.
LCOW).
3. Copy .xml files produced by gotestsum in
appropriate paths where Jenkins can ingest them
4. Modify Jenkinsfile to mark results output as
being jUnit "type" as well as to archive the
.xml test result files as artifacts.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
On master ("non-pull-request"), force running some validation checks
(such as vendor, swagger), even if no files were changed. This allows
catching problems caused by pull-requests that were merged out-of-sequence.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously it was a negative parameter for skiping the DCO check, but
this is different from other checks. It was requested that I change this
in #40023 but I'm factoring it out as an unrelated change.
Signed-off-by: Sam Whited <sam@samwhited.com>
Commit 1be2cc2568 updated the
Makefile to force the use of BuildKit, if `USE_BUILDX` was
not set.
As a side-effect, Jenkins now started using BuildKit on
s390x and ppc64le as well, because it overwrote the
`DOCKER_BUILDKIT=0` that was set.
This commit forces the use of buildx on s390x and ppc64le.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 7019b60d0d added these
env-vars to other stages, but forgot to update the DCO stage,
which also does a diff to validate commits that are in a PR.
Also adding openssh-client, for situations where the upstream
needs to be accessed through an ssh connection.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is a continuation of 2a08f33166247da9d4c09d4c6c72cbb8119bf8df;
When running CI in other repositories (e.g. Docker's downstream
docker/engine repository), or other branches, the validation
scripts were calculating the list of changes based on the wrong
information.
This lead to weird failures in CI in a branch where these values
were not updated ':-) (CI on a pull request failed because it detected
that new tests were added to the deprecated `integration-cli` test-suite,
but the pull request did not actually make changes in that area).
This patch uses environment variables set by Jenkins to sets the
correct target repository (and branch) to compare to.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
By convention, containers spawned by jenkins jobs have the name:
docker-pr${BUILD_NUMBER}
That works fine for jobs with a single container. This commit cleans up
when multiple containers are spawned with the convention that their names
share the same "docker-pr${BUILD_NUMBER}-" prefix.
Signed-off-by: Tibor Vass <tibor@docker.com>
Essentially, run on merge to target branch which may or may not be
master branch. Could be 19.03 branch, for example.
See: https://jenkins.io/doc/book/pipeline/syntax/
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
'Namespace' parallel runs by bind-mounting a different directory
in the container, instead of making the tests running inside
the container aware of the namespaced location.
This makes it transparent to the tests, and slightly reduces
complexity.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Blue Ocean UI truncates names, which makes it possible to distinguish
which Windows stage is RS1 or RS5. This patch shortens those names so that they
fit in the Blue Ocean UI.
Other stages and parameters were renamed as well to better reflect what they're running;
Before | After
-------------------|--------------------------------
janky | amd64
power | ppc64le
power-master | ppc64le integration-cli
windowsRS1 | win-RS1
windowsRS5-process | win-RS5
z | s390x
z-master | x390x integration-cli
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
WIP renames
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
