# vim: filetype=yaml sw=2 debug: '[% GET ! ENV.RBM_NO_DEBUG %]' compress_tar: gz output_dir: "out/[% project %]" tmp_dir: '[% c("basedir") %]/tmp' build_log: '[% GET ENV.RBM_LOGS_DIR ? ENV.RBM_LOGS_DIR : "logs" %]/[% project %][% IF c("var/osname") %]-[% c("var/osname") %][% END %].log' pkg_type: build steps: src-tarballs: compress_tar: xz src-tarballs: | #!/bin/bash set -e mkdir -p '[% dest_dir %]' mv -vf '[% project %]-[% c("version") %].tar.xz' '[% dest_dir %]/[% c("filename") %]' # buildconf contains build options that the user can change in rbm.local.conf # When adding a new option to buildconf, a default value should be defined # in var/build_id, so that changing this option does not affect the build_id. buildconf: num_procs: '[% GET ENV.RBM_NUM_PROCS ? ENV.RBM_NUM_PROCS : "4" %]' git_signtag_opt: '-s' var: ncdns_version: '[% pc("ncdns", "version") %]' ncdns_build: 'build1' ncdns_incremental_from: - 10.5a8 project_name: tor-browser multi_lingual: 0 build_mar: 1 # By default, we sort the list of installed packages. This allows sharing # containers with identical list of packages, even if they are not listed # in the same order. In the cases where the installation order is # important, sort_deps should be set to 0. sort_deps: 1 build_id: '[% sha256(c("var/build_id_txt", { buildconf => { num_procs => 4 } })).substr(0, 6) %]' build_id_txt: | [% c("version") %] [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %] [% IF c("var/container/use_container") && ! c("var/container/global_disable") -%] [% c("var/container/suite") %] [% c("var/container/arch") %] [% END -%] input_files: [% c("input_files_id") %] build: [% SET step = c("step") -%] [% c(step, { filename => 'f', output_dir => '/out', norec => {} }) %] container: dir: '[% c("rbm_tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]' user: rbm disable_network: # disable network in the build scripts build: 1 input_files_list: | [% FOREACH file IN c("input_files_by_name").keys.sort -%] [% c("input_files_by_name/" _ file) %] [% END -%] faketime: "faketime -f \"[% USE date; GET date.format(c('timestamp'), format = '%Y-%m-%d %H:%M:%S') %]\"" touch: "[% USE date %]touch -m -t [% date.format(c('timestamp'), format = '%Y%m%d%H%M') %]" locale_ja: ja locales: - ar - ca - cs - da - de - el - es-AR - es-ES - fa - fr - ga-IE - he - hu - id - is - it - '[% c("var/locale_ja") %]' - ka - ko - lt - mk - ms - nb-NO - nl - pl - pt-BR - ro - ru - sv-SE - th - tr - vi - zh-CN - zh-TW locales_mobile: - ar - ca - cs - da - de - el - es-rAR - es-rES - fa - fr - ga-rIE - hu - in - is - it - iw - ja - ka - ko - lt - nb-rNO - nl - pl - pt-rBR - ro - ru - sv-rSE - th - tr - vi - zh-rCN - zh-rTW sign_build: '[% ENV.RBM_SIGN_BUILD %]' sign_build_gpg_opts: '[% ENV.RBM_GPG_OPTS %]' rezip: | rezip_tmpdir=$(mktemp -d) mkdir -p "$rezip_tmpdir/z" unzip -d "$rezip_tmpdir/z" -- [% c("rezip_file") %] || [ $? -lt 3 ] pushd "$rezip_tmpdir/z" [% c("zip", { zip_src => [ '.' ], zip_args => '$rezip_tmpdir/new.zip', }) %] popd mv -f -- "$rezip_tmpdir/new.zip" [% c("rezip_file") %] rm -Rf "$rezip_tmpdir" set_default_env: | set -e [% FOREACH env = c('ENV') -%] export [% env.key %]="[% env.value %]" [% END -%] rootdir=$(pwd) export SHELL=/bin/bash export HOME=$rootdir umask 0022 [% IF c("var/container/global_disable") -%] rm -Rf /var/tmp/build /var/tmp/dist [% END -%] DOCSDIR_project: '[% project %]' set_PTDIR_DOCSDIR: | PTDIR="$distdir/TorBrowser/Tor/PluggableTransports" DOCSDIR="$distdir/TorBrowser/Docs/[% c("var/DOCSDIR_project") %]" targets: notarget: linux-x86_64 noint: debug: 0 release: var: release: 1 channel: release alpha: var: alpha: 1 channel: alpha nightly: fetch: 1 var: nightly: 1 channel: nightly ncdns_version: | [% IF ENV.TORBROWSER_NIGHTLY_VERSION; GET ENV.TORBROWSER_NIGHTLY_VERSION; ELSIF c("var/testbuild"); GET "testbuild"; ELSE; GET c("var_p/nightly_ncdns_version"); END; -%] # For nightly builds, we support updates for a limited set of locales mar_locales: - de - es-ES - fr - ru max_ncdns_incremental_from: 2 build_infos_json: 1 ncdns-testbuild: - testbuild - alpha testbuild: var: testbuild: 1 # Don't create mar files to save time build_mar: 0 # The common-buster target is used to build components that are common to all # platforms, using Debian Buster. common-buster: var: common: 1 container: suite: buster arch: amd64 pre_pkginst: '' deps: - build-essential - python - automake - libtool - zip - unzip ncdns-android-armv7: - android-armv7 - android android-armv7: arch: armv7 var: android-armv7: 1 osname: android-armv7 toolchain_arch: arm abi: armeabi-v7a cross_prefix: armv7a-linux-androideabi ncdns-android-x86: - android-x86 - android android-x86: arch: x86 var: android-x86: 1 osname: android-x86 toolchain_arch: x86 abi: x86 cross_prefix: i686-linux-android ncdns-android-x86_64: - android-x86_64 - android android-x86_64: arch: x86_64 var: android-x86_64: 1 osname: android-x86_64 toolchain_arch: x86_64 abi: x86_64 cross_prefix: x86_64-linux-android ncdns-android-aarch64: - android-aarch64 - android android-aarch64: arch: aarch64 var: android-aarch64: 1 osname: android-aarch64 toolchain_arch: arm64 abi: arm64-v8a cross_prefix: aarch64-linux-android android: var: android: 1 compiler: android-toolchain android_min_api: '[% GET c("var/android_min_api_" _ c("arch")) %]' CC: '[% c("var/cross_prefix") %][% c("var/android_min_api") %]-clang' CXX: '[% c("var/cross_prefix") %][% c("var/android_min_api") %]-clang' # API 16 is the minimum we currently support for 32 bit on Android android_min_api_armv7: 16 android_min_api_x86: 16 # API 21 is the minimum we currently support for 64 bit on Android android_min_api_x86_64: 21 android_min_api_aarch64: 21 # This is needed to get the offline build part for Glean right. glean_parser: 1.29.0 # We only build snowflake on the alpha and nightly # channels for now. snowflake: '[% c("var/alpha") || c("var/nightly") %]' container: suite: buster arch: amd64 disable_network: # Disable network in the script for merging GeckoView .aar files merge_aars: 1 deps: - build-essential - python - automake - libtool - zip - unzip - libtinfo5 configure_opt: '--host=[% c("var/cross_prefix") %] CC=[% c("var/CC") %] [% c("var/configure_opt_project") %]' pre_pkginst: | SNAPSHOT_VERSION=20191201T212855Z OPENJDK_URL=https://snapshot.debian.org/archive/debian/$SNAPSHOT_VERSION/pool/main/o/openjdk-8 JDK_VERSION=8u232-b09-1~deb9u1_amd64 apt-get install -y -q wget ca-certificates-java wget $OPENJDK_URL/openjdk-8-jdk-headless_$JDK_VERSION.deb wget $OPENJDK_URL/openjdk-8-jre-headless_$JDK_VERSION.deb echo 92b4f8fb77d793a86e0b03b3b0750592b40a26a5d75956d10dd984a7b3aad4c9 openjdk-8-jdk-headless_$JDK_VERSION.deb | sha256sum -c echo 84bf52b6cce20ead08b0d5b9fd9b81b4aa3da385ca951b313fe11d5cb1aa4d17 openjdk-8-jre-headless_$JDK_VERSION.deb | sha256sum -c dpkg -i ./openjdk-8-jre-headless_$JDK_VERSION.deb ./openjdk-8-jdk-headless_$JDK_VERSION.deb ncdns-linux-x86_64: - linux-x86_64 - linux ncdns-linux-x86_64-asan: - linux-asan - linux-x86_64 - linux ncdns-linux-i686: - linux-i686 - linux linux-x86_64: arch: x86_64 var: linux-x86_64: 1 osname: linux-x86_64 # We only support RLBox on the nightly channel and x86_64 for now rlbox: '[% c("var/nightly") %]' linux-i686: arch: i686 var: linux-i686: 1 osname: linux-i686 configure_opt: '--host=i686-linux-gnu CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32 [% c("var/configure_opt_project") %]' linux: var: linux: 1 compiler: gcc configure_opt: '[% c("var/configure_opt_project") %]' # We only build snowflake on the alpha and nightly # channels for now. snowflake: '[% c("var/alpha") || c("var/nightly") %]' # Only build Namecoin for linux on nightly namecoin: '[% c("var/nightly") %]' container: suite: jessie arch: amd64 pre_pkginst: dpkg --add-architecture i386 deps: - libc6-dev-i386 - lib32stdc++6 - build-essential - python - bison - hardening-wrapper - automake - libtool - zip - unzip linux-asan: var: asan: 1 # RLBox needs clang to create .wasm files but we use mostly GCC for our # ASan builds. Thus, the compilation currently breaks with RLBox enabled. # See: tor-browser-build#40063. rlbox: 0 ncdns-windows-i686: - windows-i686 - windows ncdns-windows-x86_64: - windows-x86_64 - windows windows-x86_64: arch: x86_64 var: windows-x86_64: 1 windows-i686: 0 osname: windows-x86_64 # HEASLR is 64 bit only (see bug 12968) flag_HEASLR: '-Wl,--high-entropy-va' windows-i686: arch: i686 var: windows-i686: 1 windows-x86_64: 0 osname: windows-i686 # mingw-w64 does not support SEH on 32bit systems. Be explicit about that. flag_noSEH: '-Wl,--no-seh' windows: var: windows: 1 container: suite: buster arch: amd64 configure_opt: '--host=[% c("arch") %]-w64-mingw32 CFLAGS="[% c("var/CFLAGS") %]" LDFLAGS="[% c("var/LDFLAGS") %]" [% c("var/configure_opt_project") %]' CFLAGS: '-fstack-protector-strong -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security [% c("var/flag_mwindows") %]' LDFLAGS: '-Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -Wl,--no-insert-timestamp -lssp -L$gcclibs [% c("var/flag_HEASLR") %] [% c("var/flag_noSEH") %] [% c("var/flag_mwindows") %]' flag_mwindows: '-mwindows' compiler: mingw-w64 faketime_path: /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 # We only build snowflake on the alpha and nightly # channels for now. snowflake: '[% c("var/alpha") || c("var/nightly") %]' deps: - build-essential - python - bison - automake - libtool - zip - unzip ncdns-osx-x86_64: - osx-x86_64 osx-x86_64: arch: x86_64 var: osx: 1 osname: osx-x86_64 container: suite: buster arch: amd64 compiler: 'macosx-toolchain' configure_opt: '--host=x86_64-apple-darwin CC="x86_64-apple-darwin-clang [% c("var/FLAGS") %]" CXX="x86_64-apple-darwin-clang++ [% c("var/FLAGS") %]" [% c("var/configure_opt_project") %]' FLAGS: "-target x86_64-apple-darwin -B $cctoolsdir -isysroot $sysrootdir" LDFLAGS: "-Wl,-syslibroot,$sysrootdir -Wl,-dead_strip -Wl,-pie" macosx_deployment_target: '10.9' locale_ja: ja-JP-mac # We only support RLBox on the nightly channel for now rlbox: '[% c("var/nightly") %]' # We only build snowflake on the alpha and nightly # channels for now. snowflake: '[% c("var/alpha") || c("var/nightly") %]' deps: - build-essential - python - automake - libtool - zip - unzip faketime_path: /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 set_PTDIR_DOCSDIR: | PTDIR="$distdir/Contents/MacOS/Tor/PluggableTransports" DOCSDIR="$distdir/Contents/Resources/TorBrowser/Docs/[% c("var/DOCSDIR_project") %]" # The no_build_id target can be useful if you want to quickly display # a build template or other option but don't want to spend time to # compute the various build ids no_build_id: # The defaut timestamp value will use the commit time of the # selected commit for the project, which will require cloning the # git repository if it is not present. When we use the no_build_id # target to display a script, we usually don't care about such # details, so we set timestamp to 0 to avoid unnecessary cloning. timestamp: 0 var: build_id: 1 no_containers: var: container: global_disable: 1 # change the default gpg_wrapper to allow git tag signed using an # expired key. # https://bugs.torproject.org/19737 gpg_wrapper: | #!/bin/bash export LC_ALL=C [% IF c('gpg_keyring'); SET gpg_kr = '--keyring ' _ path(c('gpg_keyring'), path(c('gpg_keyring_dir'))) _ ' --no-default-keyring'; END; -%] gpg_verify=0 for opt in "$@" do test "$opt" = '--verify' && gpg_verify=1 done if [ $gpg_verify = 1 ] then [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' exit ${PIPESTATUS[0]} else exec [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@" fi remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_start") %][% END %]' remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_exec") %][% END %]' remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_put") %][% END %]' remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_get") %][% END %]' remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_finish") %][% END %]' runc: remote_start: | #!/bin/sh set -e # Handle SIGINT case if [ -d '[% c("rbm_tmp_dir") %]'/../interrupted_dirs/'[% sha256(dest_dir _ '/' _ c("filename")) %]' ] then # We previously did this build but it was manually interrupted. # Restore the container's saved state instead of making a new container. mkdir -p '[% c("var/container/dir") %]' rmdir '[% c("var/container/dir") %]' mv '[% c("rbm_tmp_dir") %]'/../interrupted_dirs/'[% sha256(dest_dir _ '/' _ c("filename")) %]' '[% c("var/container/dir") %]' exit fi if [ $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'* | wc -l) -ne 1 ] then echo "Can't find container image in input files" >&2 ls -l '[% c("remote_srcdir") %]' >&2 exit 1 fi mkdir -p '[% c("var/container/dir") %]'/rootfs/rbm sudo tar -C '[% c("var/container/dir") %]'/rootfs -xf $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*) [% SET user = c("var/container/user") -%] [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'id ' _ user _ ' >/dev/null 2>&1 || adduser -m ' _ user _ ' || useradd -m ' _ user }) %] remote_exec: | #!/bin/sh set -e [% IF c("interactive") -%] echo Container directory: [% shell_quote(c("var/container/dir")) %] [% END -%] mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/rbm echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/cmd echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rootfs/rbm/cmd echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/run [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %] echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rootfs/rbm/run chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/cmd chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/run cat > '[% c("var/container/dir") %]'/config.json << EOF [% INCLUDE 'runc-config.json' %] EOF [% IF c("var/container/disable_network/" _ c("exec_name")) -%] sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' # make sure the lo interface is up (see bug 31293) sudo ip netns exec 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' ip link set lo up [% END -%] sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %] [% IF c("var/container/disable_network/" _ c("exec_name")) -%] sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' [% END -%] remote_put: | #!/bin/sh set -e [% SET src = shell_quote(c('put_src', { error_if_undef => 1 })); SET dst = shell_quote(c('put_dst', { error_if_undef => 1 })); -%] sudo mkdir -p '[% c("var/container/dir") %]'/rootfs/[% dst %] sudo cp -aP [% src %] '[% c("var/container/dir") %]'/rootfs/[% dst %] # On Ubuntu, the /root/.profile file contains a `mesg n` line which is # producing some `stdin: is not a tty` messages. To hide them, we hide # stderr from this part by setting runc_hide_stderr. [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'chown -R ' _ c("var/container/user") _ ' ' _ dst, runc_hide_stderr => 1 }) %] remote_get: | #!/bin/sh set -e [% SET src = shell_quote(c('get_src', { error_if_undef => 1 })); SET dst = shell_quote(c('get_dst', { error_if_undef => 1 })); -%] mkdir -p [% dst %] srcdir='[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/[% src %] sudo chown -R $(whoami) "$srcdir" if [ $(ls -1 "$srcdir"/* 2> /dev/null | wc -l) -gt 0 ] then for file in "$srcdir"/* do bname="$(basename "$file")" test -e [% dst %]/"$bname" && rm -Rf [% dst %]/"$bname" mv -f "$file" [% dst %]/ done fi remote_finish: | #!/bin/sh set -e # Handle SIGINT case if [ -e '[% c("rbm_tmp_dir") %]'/../interrupted ] then # This build was manually interrupted via tools/container-interrupt.sh. # Save the container's state instead of deleting, so we can resume # the build later. mkdir -p '[% c("rbm_tmp_dir") %]'/../interrupted_dirs mv '[% c("var/container/dir") %]' '[% c("rbm_tmp_dir") %]'/../interrupted_dirs/'[% sha256(dest_dir _ '/' _ c("filename")) %]' rm '[% c("rbm_tmp_dir") %]'/../interrupted exit fi sudo rm -Rf '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs '[% c("var/container/dir", { error_if_undef => 1 }) %]'/config.json rmdir '[% c("var/container/dir") %]' ENV: TZ: UTC LC_ALL: C --- | # This part of the file contains options written in perl use IO::CaptureOutput qw(capture_exec); ( var_p => { # runc100 is true if we are using runc >= 1.0.0 # we assume that any version that is not 0.1.1 is >= 1.0.0 runc100 => sub { my ($out) = capture_exec('sudo', 'runc', '--version'); return !($out =~ m/^runc version 0.1.1/); }, # runc_spec100 is true if runc spec is at least 1.0.0 # We will need to update this when there is a new spec version available runc_spec100 => sub { my ($out) = capture_exec('sudo', 'runc', '--version'); return $out =~ m/^.*spec: 1\.[0-9]+\.[0-9]+(?:-dev)?$/m; }, nightly_ncdns_version => sub { state $version = ''; return $version if $version; my (undef, undef, undef, $day, $mon, $year) = gmtime; $version = sprintf("tbb-nightly.%u.%02u.%02u", $year + 1900, $mon + 1, $day); return $version; }, nightly_ncdns_incremental_from => sub { my ($project, $options) = @_; my $nightly_dir = project_config($project, 'basedir', $options) . '/nightly'; my $current_version = project_config($project, 'var/ncdns_version', $options); use Path::Tiny; return [] unless -d $nightly_dir; my @dirs = sort map { $_->basename } path($nightly_dir)->children(qr/^tbb-nightly\./); my $nb_incr = project_config($project, ['var', 'max_ncdns_incremental_from'], $options); my @res; while ($nb_incr > 0) { my $dir = pop @dirs; last unless $dir; next if $dir eq $current_version; $nb_incr--; push @res, $dir; } return [@res]; }, }, )