Diffstat (limited to 'ops/pipelines/static-pipeline.yaml')
-rw-r--r--ops/pipelines/static-pipeline.yaml79
1 files changed, 79 insertions, 0 deletions
diff --git a/ops/pipelines/static-pipeline.yaml b/ops/pipelines/static-pipeline.yaml
new file mode 100644
index 000000000000..f366afe24cca
--- /dev/null
+++ b/ops/pipelines/static-pipeline.yaml
@@ -0,0 +1,79 @@
+# This file defines the static Buildkite pipeline which attempts to
+# create the dynamic pipeline of all depot targets.
+#
+# If something fails during the creation of the pipeline, the fallback
+# is executed instead which will simply report an error to Gerrit.
+---
+steps:
+  - label: ":llama:"
+    command: |
+      set -ue
+      nix-build -A ops.pipelines.depot -o depot.yaml --show-trace && \
+        buildkite-agent pipeline upload depot.yaml
+
+  # Wait for all previous steps to complete.
+  - wait: null
+    continue_on_failure: true
+
+  # Exit with success or failure depending on whether any other steps
+  # failed.
+  #
+  # This information is checked by querying the Buildkite GraphQL API
+  # and fetching the count of failed steps.
+  #
+  # This step must be :duck: (yes, really!) because the post-command
+  # hook will inspect this name.
+  #
+  # Note that this step has requirements for the agent environment, which
+  # are enforced in our NixOS configuration:
+  #
+  #  * curl and jq must be on the $PATH of build agents
+  #  * besadii configuration must be readable to the build agents
+  - label: ":duck:"
+    key: ":duck:"
+    command: |
+      set -ueo pipefail
+
+      readonly FAILED_JOBS=$(curl 'https://graphql.buildkite.com/v1' \
+        --silent \
+        -H "Authorization: Bearer $(cat /run/agenix/buildkite-graphql-token)" \
+        -d "{\"query\": \"query BuildStatusQuery { build(uuid: \\\"$BUILDKITE_BUILD_ID\\\") { jobs(passed: false) { count } } }\"}" | \
+        jq -r '.data.build.jobs.count')
+
+      echo "$$FAILED_JOBS build jobs failed."
+
+      if (( $$FAILED_JOBS > 0 )); then
+        exit 1
+      fi
+
+  # After duck, on success, create a gcroot if the build branch is
+  # canon.
+  #
+  # We care that this anchors *most* of the depot, in practice it's
+  # unimportant if there is a build race and we get +-1 of the
+  # targets.
+  #
+  # Unfortunately this requires a third evaluation of the graph, but
+  # since it happens after :duck: it should not affect the timing of
+  # status reporting back to Gerrit.
+  - label: ":anchor:"
+    if: "build.branch == 'refs/heads/canon'"
+    command: |
+      nix-instantiate -A ci.gcroot --add-root /nix/var/nix/gcroots/depot/canon
+    depends_on:
+      - step: ":duck:"
+        allow_failure: false
+
+  # Create a revision number for the current commit for builds on
+  # canon.
+  #
+  # This writes data back to Gerrit using the Buildkite agent
+  # credentials injected through a git credentials helper.
+  #
+  # Revision numbers are defined as the number of commits in the
+  # lineage of HEAD, following only the first parent of merges.
+  - label: ":git:"
+    if: "build.branch == 'refs/heads/canon'"
+    command: |
+      git -c 'credential.helper=gerrit-creds' \
+        push origin "HEAD:refs/r/$(git rev-list --count --first-parent HEAD)"
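Review bot: The `:duck:` gate can fail open, because `readonly FAILED_JOBS=$(…)` returns the exit status of `readonly` rather than of the `curl | jq` pipeline, so `set -e` and `pipefail` never see a failed request. curl is also run without `--fail`, so an HTTP error such as a rejected token still exits 0, and an empty or non-numeric count then likely falls through the `(( $$FAILED_JOBS > 0 ))` test instead of reaching `exit 1`. Since `:anchor:` depends on this step succeeding and the step appears to drive the status reported to Gerrit, I would assign first (`FAILED_JOBS=$(curl --fail …)`, then `readonly FAILED_JOBS`) and exit non-zero unless the value is a plain non-negative integer. Separately, the bearer token is expanded into curl's argument list, where it may be visible to other local processes on the agent; having curl read the header from a file or stdin would avoid that.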