esp-idf/.gitlab/ci/pre_check.yml
Frantisek Hrbata 54f5ade84e ci: add sbom validation using pre-commit's post-commit stage
With 09ba070b7e ("fix: allow to use older pre-commit hook version")
and b93cc581a5 ("fix: set default pre-commit hook stages to pre-commit..")
we set the default pre-commit hook stage to commit/pre-commit, which avoids
running the pre-commit plugins/hooks multiple times for different stages.
Unfortunately this also affects "pre-commit run" used in CI and
now it runs only plugins which are by default using the
commit/pre-commit stage. Meaning the sbom validation, which uses
post-commit, is not run at all. This adds an explicit pre-commit command
for validate-sbom-manifest plugin, which needs to be started in
post-commit stage.

Signed-off-by: Frantisek Hrbata <frantisek.hrbata@espressif.com>
2024-01-02 16:30:34 +01:00

171 lines
5.3 KiB
YAML

.pre_check_template:
stage: pre_check
image: $ESP_ENV_IMAGE
tags:
- host_test
dependencies: []
.check_pre_commit_template:
extends:
- .pre_check_template
- .before_script_minimal
image: $PRE_COMMIT_IMAGE
check_pre_commit_master_release:
extends:
- .check_pre_commit_template
- .rules:protected
script:
- git diff-tree --no-commit-id --name-only -r $PIPELINE_COMMIT_SHA | xargs pre-commit run --files
- pre-commit run --hook-stage post-commit validate-sbom-manifest
check_pre_commit_MR:
extends:
- .check_pre_commit_template
- .rules:mr
script:
- python ${CI_PROJECT_DIR}/tools/ci/ci_get_mr_info.py files ${CI_MERGE_REQUEST_SOURCE_BRANCH_NAME} | xargs pre-commit run --files
- pre-commit run --hook-stage post-commit validate-sbom-manifest
check_version:
# Don't run this for feature/bugfix branches, so that it is possible to modify
# esp_idf_version.h in a branch before tagging the next version.
extends:
- .pre_check_template
- .rules:protected
script:
- export IDF_PATH=$PWD
- tools/ci/check_idf_version.sh
check_rom_api_header:
extends: .pre_check_template
script:
- tools/ci/check_examples_rom_header.sh
- tools/ci/check_api_violation.sh
test_check_kconfigs:
extends: .pre_check_template
artifacts:
when: on_failure
paths:
- components/*/Kconfig*.new
- examples/*/*/*/Kconfig*.new
- examples/*/*/*/*/Kconfig*.new
- tools/*/Kconfig*.new
- tools/*/*/Kconfig*.new
- tools/*/*/*/Kconfig*.new
expire_in: 1 week
script:
- python ${IDF_PATH}/tools/ci/test_check_kconfigs.py
check_blobs:
extends: .pre_check_template
tags:
- build
variables:
SUBMODULES_TO_FETCH: "components/esp_wifi/lib;components/esp_phy/lib"
script:
# Check if Wi-Fi library header files match between IDF and the version used when compiling the libraries
- IDF_TARGET=esp32 $IDF_PATH/components/esp_wifi/test_md5/test_md5.sh
- IDF_TARGET=esp32s2 $IDF_PATH/components/esp_wifi/test_md5/test_md5.sh
- IDF_TARGET=esp32s3 $IDF_PATH/components/esp_wifi/test_md5/test_md5.sh
- IDF_TARGET=esp32c3 $IDF_PATH/components/esp_wifi/test_md5/test_md5.sh
# Check if Wi-Fi, PHY, BT blobs contain references to specific symbols
- bash $IDF_PATH/tools/ci/check_blobs.sh
check_fuzzer_compilation:
extends: .pre_check_template
image: $AFL_FUZZER_TEST_IMAGE
script:
- cd ${IDF_PATH}/components/lwip/test_afl_host
- make MODE=dhcp_server
- make MODE=dhcp_client
- make MODE=dns
check_public_headers:
extends:
- .pre_check_template
- .rules:build
tags:
- build
script:
- IDF_TARGET=esp32 python tools/ci/check_public_headers.py --jobs 4 --prefix xtensa-esp32-elf-
- IDF_TARGET=esp32s2 python tools/ci/check_public_headers.py --jobs 4 --prefix xtensa-esp32s2-elf-
- IDF_TARGET=esp32s3 python tools/ci/check_public_headers.py --jobs 4 --prefix xtensa-esp32s3-elf-
- IDF_TARGET=esp32c3 python tools/ci/check_public_headers.py --jobs 4 --prefix riscv32-esp-elf-
- IDF_TARGET=esp32c2 python tools/ci/check_public_headers.py --jobs 4 --prefix riscv32-esp-elf-
check_chip_support_components:
extends:
- .pre_check_template
- .rules:build
tags:
- build
artifacts:
when: on_failure
paths:
- esp_hw_support_part.h
- bootloader_support_part.h
expire_in: 1 week
script:
- python tools/ci/check_soc_headers_leak.py
- find ${IDF_PATH}/components/soc/*/include/soc/ -name "*_struct.h" -print0 | xargs -0 -n1 ./tools/ci/check_soc_struct_headers.py
- tools/ci/check_esp_memory_utils_headers.sh
check_esp_err_to_name:
extends:
- .pre_check_template
- .rules:build
tags:
- build
artifacts:
when: on_failure
paths:
- components/esp_common/esp_err_to_name.c
expire_in: 1 week
script:
- cd ${IDF_PATH}/tools/
- ./gen_esp_err_to_name.py
- git diff --exit-code -- ../components/esp_common/src/esp_err_to_name.c || { echo 'Differences found. Please run gen_esp_err_to_name.py and commit the changes.'; exit 1; }
check_esp_system:
extends:
- .pre_check_template
- .rules:build
tags:
- build
script:
- python components/esp_system/check_system_init_priorities.py
# For release tag pipelines only, make sure the tag was created with 'git tag -a' so it will update
# the version returned by 'git describe'
check_version_tag:
extends:
- .pre_check_template
- .rules:tag:release
script:
- (git cat-file -t $CI_COMMIT_REF_NAME | grep tag) || (echo "ESP-IDF versions must be annotated tags." && exit 1)
check_artifacts_expire_time:
extends: .pre_check_template
script:
# check if we have set expire time for all artifacts
- python tools/ci/check_artifacts_expire_time.py
check_commit_msg:
extends: .pre_check_template
script:
- git status
- git log -n10 --oneline ${PIPELINE_COMMIT_SHA}
# commit start with "WIP: " need to be squashed before merge
- 'git log --pretty=%s origin/master..${PIPELINE_COMMIT_SHA} -- | grep -i "^WIP:" && exit 1 || exit 0'
check_test_scripts_build_test_rules:
extends:
- .pre_check_template
- .before_script_build_jobs
script:
# required pytest related packages
- run_cmd bash install.sh --enable-pytest
- python tools/ci/check_build_test_rules.py check-test-scripts examples/ tools/test_apps components