ops/pipelines/static-pipeline.yaml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

# This file defines the static Buildkite pipeline which attempts to
# create the dynamic pipeline of all depot targets.
#
# If something fails during the creation of the pipeline, the fallback
# is executed instead which will simply report an error to Gerrit.
---
env:
  BUILDKITE_TOKEN_PATH: /run/agenix/buildkite-graphql-token
steps:
  # Run pipeline for tvl-kit when new commits arrive on canon. Since
  # it is not part of the depot build tree, this is a useful
  # verification to ensure we don't break external things (too much).
  - trigger: "tvl-kit"
    async: true
    label: ":fork:"
    branches: "refs/heads/canon"
    build:
      message: "Verification triggered by ${BUILDKITE_COMMIT}"

  # Run pipeline for tvix when new commits arrive on canon. Since
  # it is not part of the depot build tree, this is a useful
  # verification to ensure we don't break external things (too much).
  - trigger: "tvix"
    async: true
    label: ":fork:"
    branches: "refs/heads/canon"
    build:
      message: "Verification triggered by ${BUILDKITE_COMMIT}"

  # Create a revision number for the current commit for builds on
  # canon.
  #
  # This writes data back to Gerrit using the Buildkite agent
  # credentials injected through a git credentials helper.
  #
  # Revision numbers are defined as the number of commits in the
  # lineage of HEAD, following only the first parent of merges.
  #
  # Note that git does not fetch these refs by default, instead
  # you'll have to modify your git config using
  # `git config --add remote.origin.fetch '+refs/r/*:refs/r/*'`.
  # The refs are available after the next `git fetch`.
  - label: ":git:"
    branches: "refs/heads/canon"
    command: |
      git -c 'credential.helper=gerrit-creds' \
        push origin "HEAD:refs/r/$(git rev-list --count --first-parent HEAD)"

  # Generate & upload dynamic build steps
  - label: ":llama:"
    key: "pipeline-gen"
    concurrency_group: 'depot-nix-eval'
    concurrency: 5 # much more than this and whitby will OOM
    command: |
      set -ue

      if test -n "$${GERRIT_CHANGE_URL-}"; then
        echo "This is a build of [cl/$$GERRIT_CHANGE_ID]($$GERRIT_CHANGE_URL) (at patchset #$$GERRIT_PATCHSET)" | \
          buildkite-agent annotate --context cl-annotation
      fi

      # Attempt to fetch a target map from a parent commit on canon,
      # except on builds of canon itself.
      [ "${BUILDKITE_BRANCH}" != "refs/heads/canon" ] && \
        nix/buildkite/fetch-parent-targets.sh

      PIPELINE_ARGS=""
      if [[ -f tmp/parent-target-map.json ]]; then
        PIPELINE_ARGS="--arg parentTargetMap tmp/parent-target-map.json"
      fi

      nix-build --option restrict-eval true --include "depot=$${PWD}" \
        --include "store=/nix/store" \
        --allowed-uris 'https://' \
        -A ops.pipelines.depot \
        -o pipeline --show-trace $$PIPELINE_ARGS

      # Steps need to be uploaded in reverse order because pipeline
      # upload prepends instead of appending.
      ls pipeline/build-chunk-*.json | tac | while read chunk; do
        buildkite-agent pipeline upload $$chunk
      done

      buildkite-agent artifact upload "pipeline/*"

  # Wait for all previous steps to complete.
  - wait: null
    continue_on_failure: true

  # Exit with success or failure depending on whether any other steps
  # failed.
  #
  # This information is checked by querying the Buildkite GraphQL API
  # and fetching the count of failed steps.
  #
  # This step must be :duck: (yes, really!) because the post-command
  # hook will inspect this name.
  #
  # Note that this step has requirements for the agent environment, which
  # are enforced in our NixOS configuration:
  #
  #  * curl and jq must be on the $PATH of build agents
  #  * besadii configuration must be readable to the build agents
  - label: ":duck:"
    key: ":duck:"
    command: |
      set -ueo pipefail

      readonly FAILED_JOBS=$(curl 'https://graphql.buildkite.com/v1' \
        --silent \
        -H "Authorization: Bearer $(cat ${BUILDKITE_TOKEN_PATH})" \
        -d "{\"query\": \"query BuildStatusQuery { build(uuid: \\\"$BUILDKITE_BUILD_ID\\\") { jobs(passed: false) { count } } }\"}" | \
        jq -r '.data.build.jobs.count')

      echo "$$FAILED_JOBS build jobs failed."

      if (( $$FAILED_JOBS > 0 )); then
        exit 1
      fi

  # After duck, on success, upload and run any release steps that were
  # output by the dynamic pipeline.
  - label: ":arrow_heading_down:"
    depends_on:
      - step: ":duck:"
        allow_failure: false
    command: |
      set -ueo pipefail

      buildkite-agent artifact download "pipeline/*" .

      find ./pipeline -name 'release-chunk-*.json' | tac | while read chunk; do
        buildkite-agent pipeline upload $$chunk
      done