esp-idf/.gitlab/ci
Frantisek Hrbata dbff74bee4 tools: add sbom information for submodules
This adds SBOM information for submodules, which are not managed
by Espressif. Meaning there is no fork for them in the espressif
namespace. Other submodules should add sbom.yml manifest file to
the root of their git repository.

The SBOM information for submodules is stored in the .gitmodules file.
Each SBOM related variable has the "sbom-" prefix and the following
variables may be used:

sbom-version:
   submodule version

sbom-cpe:
   CPE record if available in NVD. This will be used by the SBOM
   tool to check for possible submodule vulnerabilities. The
   version in the CPE can be replaced with the "{}" placeholder,
   which will be replaced by the "sbom-version" value from above.

sbom-supplier:
   Person or organization who is providing the submodule.
   It has to start with "Person:" or "Organization:" prefix
   as required by the SPDX-2.2 standard.

sbom-url:
   URL to the project if exists, e.g. github.

sbom-description:
   Project description.

sbom-hash:
   Submodule SHA as recorded in the git-tree. This field is used by
   CI to check that the submodule checkout hash and info in .gitmodules
   are in sync. IOW if submodule is updated and it has SBOM info in
   .gitmodules, the .gitmodules has to be updated too. The test is
   part of this commit. The checkout has of the submodule can be found
   by using "git submodule status".

Example for micro-ecc submodule
---8<---
[submodule "components/bootloader/subproject/components/micro-ecc/micro-ecc"]
	path = components/bootloader/subproject/components/micro-ecc/micro-ecc
	url = ../../kmackay/micro-ecc.git
	sbom-version = 1.0
	sbom-cpe = cpe:2.3🅰️micro-ecc_project:micro-ecc:{}:*:*:*:*:*:*:*
	sbom-supplier = Person: Ken MacKay
	sbom-url = https://github.com/kmackay/micro-ecc
	sbom-description = A small and fast ECDH and ECDSA implementation for 8-bit, 32-bit, and 64-bit processors
	sbom-hash = d037ec89546fad14b5c4d5456c2e23a71e554966
---8<---

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2023-06-14 12:38:12 +02:00
..
dependencies ci: small cleanup for the dependencies.yml 2023-05-04 11:21:40 +08:00
assign-test.yml ci: remove ttfw related info in tools/test_apps 2023-04-07 12:29:30 +08:00
build.yml esp32h4: remove esp32h4 target from ci 2023-04-26 18:53:12 +08:00
default-build-test-rules.yml esp32h2(ci): enable target test 2023-02-15 10:20:43 +08:00
deploy.yml ci: simplify the python env to idf venv only 2022-08-18 11:40:22 +08:00
docs.yml ci: build all docs if soc_caps.h changed 2023-04-24 10:18:11 +08:00
host-test.yml tools: add sbom information for submodules 2023-06-14 12:38:12 +02:00
pre_check.yml lwip: Remove AFL based fuzzer tests 2023-03-20 17:47:23 +00:00
README.md ci: add a more granular trigger for build docs jobs 2023-03-28 17:34:55 +08:00
rules.yml tools: add sbom information for submodules 2023-06-14 12:38:12 +02:00
static-code-analysis.yml ci: use brew runners by default for host test jobs 2023-01-18 07:41:35 +00:00
target-test.yml CI: Move all UT in driver to test_app 2023-05-16 16:42:28 +08:00
upload_cache.yml ci: use different tag for runners to run the cache jobs 2022-12-09 16:39:29 +08:00

IDF CI

General Workflow

  1. Push to a remote branch
  2. Create an MR, choose related labels (not required)
  3. A detached pipeline will be created.
  4. if you push a new commit, a new pipeline will be created automatically.

What if Expected Jobs ARE NOT Created?

  1. check the file patterns

    If you found a job that is not running as expected with some file changes, a git commit to improve the pattern will be appreciated.

  2. please add MR labels to run additional tests, currently we have to do this only for target-test jobs, please use it as few as possible. Our final goal is to remove all the labels and let the file changes decide everything!

MR labels for additional jobs

Supported MR Labels

  • build
  • build_docs
  • component_ut[_esp32/esp32s2/...]
  • custom_test[_esp32/esp32s2/...]
  • docker
  • docs
  • docs_full, triggers a full docs build, regardless of files changed
  • example_test[_esp32/esp32s2/...]
  • fuzzer_test
  • host_test
  • integration_test[_wifi/ble]
  • iperf_stress_test
  • macos
  • macos_test
  • nvs_coverage
  • submodule
  • unit_test[_esp32/esp32s2/...]
  • weekend_test
  • windows

There are two general labels (not recommended since these two labels will trigger a lot of jobs)

  • target_test: includes all target for example_test, custom_test, component_ut, unit_test, integration_test
  • all_test: includes all test labels

How to trigger a detached pipeline without pushing new commits?

Go to MR web page -> Pipelines tab -> click Run pipeline button.

In very rare case, this tab will not show up because no merge_request pipeline is created before. Please use web API then.

curl -X POST --header "PRIVATE-TOKEN: [YOUR PERSONAL ACCESS TOKEN]" [GITLAB_SERVER]/api/v4/projects/103/merge_requests/[MERGE_REQUEST_IID]/pipelines

How to Develop With rules.yml?

General Concepts

  • pattern: Defined in an array. A GitLab job will be created if the changed files in this MR matched one of the patterns. For example:

    .patterns-python-files: &patterns-python-files
      - "**/*.py"
    
  • label: Defined in an if clause, similar as the previous bot command. A GitLab job will be created if the pipeline variables contains variables in BOT_LABEL_xxx format (DEPRECATED) or included in the MR labels. For example:

    .if-label-build_docs: &if-label-build_docs
      if: '$BOT_LABEL_BUILD_DOCS || $CI_MERGE_REQUEST_LABELS =~ /^(?:[^,\n\r]+,)*build_docs(?:,[^,\n\r]+)*$/i'
    
  • rule: A combination of various patterns, and labels. It will be used by GitLab YAML extends keyword to tell GitLab in what conditions will this job be created. For example:

    .rules:build:docs:
      rules:
        - <<: *if-protected
        - <<: *if-label-build_docs
        - <<: *if-label-docs
        - <<: *if-dev-push
          changes: *patterns-docs
    

    An example for GitLab job on how to use extends:

    check_docs_lang_sync:
      extends:
        - .pre_check_template
        - .rules:build:docs
      script:
        - cd docs
        - ./check_lang_folder_sync.sh
    

How to Add a New Job?

check if there's a suitable .rules:<rules-you-need> template

  1. if there is, put this in the job extends. All done, now you can close this window. (extends could be array or string)
  2. if there isn't
    1. check How to Add a New Rules Template?, create a suitable one
    2. follow step 1

How to Add a New Rules Template?

check if this rule is related to labels, patterns

  1. if it is, please refer to dependencies/README.md and add new rules by auto-generating
  2. if it isn't, please continue reading

check if there's a suitable .if-<if-anchor-you-need> anchor

  1. if there is, create a rule following rules Template Naming Rules.For detail information, please refer to GitLab Documentation rules-if. Here's an example.

    .rules:dev:
      rules:
        - <<: *if-trigger
        - <<: *if-dev-push
    
  2. if there isn't

    1. check How to Add a New if Anchor?, create a suitable one
    2. follow step 1

How to Add a New if Anchor?

Create an if anchor following if Anchors Naming Rules. For detailed information about how to write the condition clause, please refer to GitLab Documentation `only/except (advanced). Here's an example.

.if-schedule: &if-schedule:
  if: '$CI_PIPELINE_SOURCE == "schedule"'

Naming Rules

Common Naming Rules

if a phrase has multi words, use _ to concatenate them.

e.g. regular_test

if a name has multi phrases, use - to concatenate them.

e.g. regular_test-example_test

if Anchors Naming Rules

  • if it's a label: .if-label-<label_name>

  • if it's a ref: .if-ref-<ref_name>

  • if it's a branch: .if-branch-<branch_name>

  • if it's a tag: .if-tag-<tag_name>

  • if it's multi-type combination: .if-ref-<release_name>-branch-<branch_name>

    Common Phrases/Abbreviations

    • no_label

      $BOT_TRIGGER_WITH_LABEL == null

    • protected

      ($CI_COMMIT_REF_NAME == "master" || $CI_COMMIT_BRANCH =~ /^release\/v/ || $CI_COMMIT_TAG =~ /^v\d+\.\d+(\.\d+)?($|-)/)

    • target_test

      a combination of example_test, custom_test, unit_test, component_ut, integration_test and all targets

rules Template Naming Rules

  • if it's tag related: .rules:tag:<tag_1>-<tag_2>
  • if it's label related: .rules:labels:<label_1>-<label_2>
  • if it's test related: .rules:test:<test_type>
  • if it's build related: .rules:build:<build_type>
  • if it's pattern related: .rules:patterns:<patterns>

Reusable Shell Script tools/ci/utils.sh

It is used to put all the reusable shell scripts as small functions. If you want to set before_script: [] for you job, now you can set extends: .before_script_slim instead. it will only run source tools/ci/utils.sh

If you're developing CI shell scripts, you can use these functions without source them. They're already included in all before_script

To run these commands in shell script locally, place source tools/ci/utils.sh at the very beginning.

Functions

  • add_gitlab_ssh_keys
  • add_github_ssh_keys
  • add_doc_server_ssh_keys
  • fetch_submodules
  • get_all_submodules
  • error: log in red color
  • warning: log in orange color
  • info: log in green color
  • run_cmd: run the command with duration seconds info
  • retry_failed: run the command with duration seconds info, retry when failed

Manifest File to Control the Build/Test apps

.build-test-rules.yml file is a manifest file to control if the CI is running the build and test job or not. The Supported Targets table in README.md for apps would be auto-generated by pre-commit from the app's .build-test-rules.yml.

Grammar

We're using the latest version of idf-build-apps. Please refer to their documentation