diff --git a/ghaf-nightly-pipeline.groovy b/ghaf-nightly-pipeline.groovy index 138ba12..a09494d 100644 --- a/ghaf-nightly-pipeline.groovy +++ b/ghaf-nightly-pipeline.groovy @@ -15,10 +15,78 @@ properties([ githubProjectProperty(displayName: '', projectUrlStr: REPO_URL), ]) +def targets = [ + // docs + [ system: "x86_64-linux", target: "doc", + archive: false + ], + [ system: "aarch64-linux", target: "doc", + archive: false + ], + + // lenovo x1 + [ system: "x86_64-linux", target: "lenovo-x1-carbon-gen11-debug", + archive: true, scs: true, hwtest_device: "lenovo-x1" + ], + [ system: "x86_64-linux", target: "lenovo-x1-carbon-gen11-debug-installer", + archive: true, scs: true + ], + [ system: "x86_64-linux", target: "lenovo-x1-carbon-gen11-release", + archive: true, scs: true + ], + [ system: "x86_64-linux", target: "lenovo-x1-carbon-gen11-release-installer", + archive: true, scs: true + ], + + // nvidia orin + [ system: "aarch64-linux", target: "nvidia-jetson-orin-agx-debug", + archive: true, scs: true, hwtest_device: "orin-agx" + ], + [ system: "aarch64-linux", target: "nvidia-jetson-orin-nx-debug", + archive: true, scs: true, hwtest_device: "orin-nx" + ], + [ system: "x86_64-linux", target: "nvidia-jetson-orin-agx-debug-from-x86_64", + archive: true, scs: true, hwtest_device: "orin-agx" + ], + [ system: "x86_64-linux", target: "nvidia-jetson-orin-nx-debug-from-x86_64", + archive: true, scs: true, hwtest_device: "orin-nx" + ], + + // others + [ system: "x86_64-linux", target: "generic-x86_64-debug", + archive: true, hwtest_device: "nuc" + ], + [ system: "x86_64-linux", target: "microchip-icicle-kit-debug-from-x86_64", + archive: true, scs: true, hwtest_device: "riscv" + ], + [ system: "x86_64-linux", target: "nxp-imx8mp-evk-debug", + archive: true, scs: true + ], +] + +hydrajobs_targets = [ + // nvidia orin with bpmp enabled + [ system: "aarch64-linux",target: "nvidia-jetson-orin-agx-debug-bpmp", + archive: true + ], + [ system: "aarch64-linux",target: "nvidia-jetson-orin-nx-debug-bpmp", + archive: true + ], + [ system: "x86_64-linux", target: "nvidia-jetson-orin-agx-debug-bpmp-from-x86_64", + archive: true + ], + [ system: "x86_64-linux", target: "nvidia-jetson-orin-nx-debug-bpmp-from-x86_64", + archive: true + ], +] + +target_jobs = [:] + //////////////////////////////////////////////////////////////////////////////// pipeline { agent { label 'built-in' } + triggers { // We could use something like cron('@midnight') here, but since we // archive the images, this pipeline would then generate many @@ -27,12 +95,15 @@ pipeline { // we trigger based one-time daily poll at 23:00 instead: pollSCM('0 23 * * *') } + options { disableConcurrentBuilds() timestamps () buildDiscarder(logRotator(numToKeepStr: '100')) } + stages { + stage('Checkout') { steps { script { utils = load "utils.groovy" } @@ -50,106 +121,145 @@ pipeline { } } } - stage('Build x86_64') { - steps { - dir(WORKDIR) { - script { - utils.nix_build('.#packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64', 'archive') - utils.nix_build('.#packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64', 'archive') - utils.nix_build('.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug', 'archive') - utils.nix_build('.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug-installer', 'archive') - utils.nix_build('.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release', 'archive') - utils.nix_build('.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release-installer', 'archive') - utils.nix_build('.#packages.x86_64-linux.generic-x86_64-debug', 'archive') - utils.nix_build('.#packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64', 'archive') - utils.nix_build('.#hydraJobs.nvidia-jetson-orin-agx-debug-bpmp-from-x86_64.x86_64-linux', 'archive') - utils.nix_build('.#hydraJobs.nvidia-jetson-orin-nx-debug-bpmp-from-x86_64.x86_64-linux', 'archive') - utils.nix_build('.#packages.x86_64-linux.doc') - } - } - } - } - stage('Build aarch64') { - steps { - dir(WORKDIR) { - script { - utils.nix_build('.#packages.aarch64-linux.nxp-imx8mp-evk-debug', 'archive') - utils.nix_build('.#packages.aarch64-linux.nvidia-jetson-orin-agx-debug', 'archive') - utils.nix_build('.#packages.aarch64-linux.nvidia-jetson-orin-nx-debug', 'archive') - utils.nix_build('.#hydraJobs.nvidia-jetson-orin-agx-debug-bpmp.aarch64-linux', 'archive') - utils.nix_build('.#hydraJobs.nvidia-jetson-orin-nx-debug-bpmp.aarch64-linux', 'archive') - utils.nix_build('.#packages.aarch64-linux.doc') - } - } - } - } - stage('Provenance') { - steps { - dir(WORKDIR) { - script { - utils.sbomnix('provenance', '.#packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64') - utils.sbomnix('provenance', '.#packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64') - utils.sbomnix('provenance', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug') - utils.sbomnix('provenance', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug-installer') - utils.sbomnix('provenance', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release') - utils.sbomnix('provenance', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release-installer') - utils.sbomnix('provenance', '.#packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64') - utils.sbomnix('provenance', '.#packages.aarch64-linux.nxp-imx8mp-evk-debug') - utils.sbomnix('provenance', '.#packages.aarch64-linux.nvidia-jetson-orin-agx-debug') - utils.sbomnix('provenance', '.#packages.aarch64-linux.nvidia-jetson-orin-nx-debug') - } - } - } - } - stage('SBOM') { - steps { - dir(WORKDIR) { - script { - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug-installer') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release-installer') - utils.sbomnix('sbomnix', '.#packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64') - utils.sbomnix('sbomnix', '.#packages.aarch64-linux.nxp-imx8mp-evk-debug') - utils.sbomnix('sbomnix', '.#packages.aarch64-linux.nvidia-jetson-orin-agx-debug') - utils.sbomnix('sbomnix', '.#packages.aarch64-linux.nvidia-jetson-orin-nx-debug') - } - } - } - } - stage('Vulnxscan') { + + stage('Evaluate') { steps { dir(WORKDIR) { script { - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug-installer') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.lenovo-x1-carbon-gen11-release-installer') - utils.sbomnix('vulnxscan', '.#packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64') - utils.sbomnix('vulnxscan', '.#packages.aarch64-linux.nxp-imx8mp-evk-debug') - utils.sbomnix('vulnxscan', '.#packages.aarch64-linux.nvidia-jetson-orin-agx-debug') - utils.sbomnix('vulnxscan', '.#packages.aarch64-linux.nvidia-jetson-orin-nx-debug') + utils.nix_eval_hydrajobs(hydrajobs_targets) + return + // targets = utils.nix_eval_jobs(targets, "packages") + // targets = targets + utils.nix_eval_jobs(hydrajobs_targets, "hydraJobs") + + targets.each { + def timestampBegin = "" + def timestampEnd = "" + def scsdir = "scs/${target}/scs" + def target = it.system + "." + it.target + + target_jobs["${it.target} (${it.system})"] = { + stage("Build ${target}") { + def opts = "" + if (it.archive) { + opts = "--out-link archive/${target}" + } else { + opts = "--no-link" + } + try { + if (drvPath) { + timestampBegin = sh(script: "date +%s", returnStdout: true).trim() + sh "nix build -L ${drvPath}\\^* ${opts}" + timestampEnd = sh(script: "date +%s", returnStdout: true).trim() + + // only attempt signing if there is something to sign + if (it.archive) { + def img_relpath = find_img_relpath(target, "archive") + sign_file("archive/${img_relpath}", "sig/${img_relpath}.sig", "INT-Ghaf-Devenv-Image") + }; + } else { + error("Target \"${target}\" was not found in ${flakeAttr}") + } + } catch (InterruptedException e) { + throw e + } catch (Exception e) { + unstable("FAILED: ${target}") + currentBuild.result = "FAILURE" + println "Error: ${e.toString()}" + } + } + + if (scs) { + stage("Provenance (${target})") { + def externalParams = """ + { + "target": { + "name": "#packages.${target}", + "repository": "${env.TARGET_REPO}", + "ref": "${env.TARGET_COMMIT}" + }, + "workflow": { + "name": "${env.JOB_NAME}", + "repository": "${env.GIT_URL}", + "ref": "${env.GIT_COMMIT}" + }, + "job": "${env.JOB_NAME}", + "jobParams": ${JsonOutput.toJson(params)}, + "buildRun": "${env.BUILD_ID}" + } + """ + // this environment block is only valid for the scope of this stage, + // preventing timestamp collision when provenances are built in parallel + withEnv([ + 'PROVENANCE_BUILD_TYPE="https://github.com/tiiuae/ghaf-infra/blob/ea938e90/slsa/v1.0/L1/buildtype.md"', + "PROVENANCE_BUILDER_ID=${env.JENKINS_URL}", + "PROVENANCE_INVOCATION_ID=${env.BUILD_URL}", + "PROVENANCE_TIMESTAMP_BEGIN=${timestampBegin}", + "PROVENANCE_TIMESTAMP_FINISHED=${timestampEnd}", + "PROVENANCE_EXTERNAL_PARAMS=${externalParams}" + ]) { + catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { + def outpath = "${scsdir}/provenance.json" + sh """ + mkdir -p ${scsdir} + sh "provenance ${drvPath} --recursive --out ${outpath} + """ + sign_file(outpath, "sig/${outpath}.sig", "INT-Ghaf-Devenv-Provenance") + } + } + } + + stage("SBOM (${target})") { + catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { + sh """ + mkdir -p ${scsdir} + cd ${scsdir} + sbomnix ${drvPath} + cd .. + """ + } + } + + stage("Vulnxscan (${target})") { + catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { + sh """ + mkdir -p ${scsdir} + vulnxscan ${drvPath} --out vulns.csv + csvcut vulns.csv --not-columns sortcol | csvlook -I >${scsdir}/vulns.txt + """ + } + } + } + + if (it.archive) { + stage("Archive ${target}") { + script { + archive_artifacts("archive", target) + archive_artifacts("sig", target) + if (it.scs) { + archive_artifacts("scs", target) + } + } + } + } + + if (it.hwtest_device != null) { + stage("Test ${target}") { + script { + ghaf_parallel_hw_test(target, it.hwtest_device, '_boot_bat_perf_') + } + } + } + } + } } } } } - stage('HW test') { + + stage('Build targets') { steps { - dir(WORKDIR) { - script { - testset = "_boot_bat_perf_" - utils.ghaf_hw_test('.#packages.x86_64-linux.nvidia-jetson-orin-agx-debug-from-x86_64', 'orin-agx', testset) - utils.ghaf_hw_test('.#packages.aarch64-linux.nvidia-jetson-orin-agx-debug', 'orin-agx', testset) - utils.ghaf_hw_test('.#packages.x86_64-linux.nvidia-jetson-orin-nx-debug-from-x86_64', 'orin-nx', testset) - utils.ghaf_hw_test('.#packages.aarch64-linux.nvidia-jetson-orin-nx-debug', 'orin-nx', testset) - utils.ghaf_hw_test('.#packages.x86_64-linux.lenovo-x1-carbon-gen11-debug', 'lenovo-x1', testset) - utils.ghaf_hw_test('.#packages.x86_64-linux.generic-x86_64-debug', 'nuc', testset) - utils.ghaf_hw_test('.#packages.x86_64-linux.microchip-icicle-kit-debug-from-x86_64', 'riscv', testset) - } + script { + parallel target_jobs } } } diff --git a/utils.groovy b/utils.groovy index 0a598bb..f9cfb3d 100644 --- a/utils.groovy +++ b/utils.groovy @@ -304,6 +304,19 @@ def ghaf_parallel_hw_test(String flakeref, String device_config, String testset= archive_artifacts("ghaf-parallel-hw-test", flakeref_trimmed) } +def nix_eval_hydrajobs(List targets) { + def targetList = "\"${targets.join('" "')}\"" + def object = readJSON text: sh(script: """ + nix-eval-jobs --gc-roots-dir gcroots --force-recurse --expr ' \ + let \ + flake = builtins.getFlake ("git+file://" + toString ./.); \ + lib = (import flake.inputs.nixpkgs { }).lib; \ + in lib.getAttrs [ ${targetList} ] flake.hydraJobs;' + """, returnStdout: true).trim() + + println "${object}" +} + def nix_eval_jobs(List targets) { // transform target names into valid nix arrays to be plugged into the expression below def x86_targets = "\"${targets.findAll { it.system == "x86_64-linux" }.target.join('" "')}\"" @@ -325,6 +338,10 @@ def nix_eval_jobs(List targets) { // target's name and derivation path are read from jobs.json and written into into jobs.txt sh "jq -r '.attr + \" \" + .drvPath' < jobs.json > jobs.txt" + // row that matches this target is grepped from jobs.txt, extracting the pre-evaluated derivation path + def drvPath = sh (script: "cat jobs.txt | grep ${target} | cut -d ' ' -f 2", returnStdout: true).trim() + + } return this