digital-asset/daml
1
1
Fork 0
mirror of https://github.com/digital-asset/daml.git synced 2024-11-10 10:46:11 +03:00
Code Issues Projects Releases Wiki Activity
5d88c08832
daml/ci/cron/daily-compat.yml

315 lines
12 KiB
YAML
Raw Normal View History

update copyright notices for 2021 (#8257) * update copyright notices for 2021 To be merged on 2021-01-01. CHANGELOG_BEGIN CHANGELOG_END * patch-bazel-windows & da-ghc-lib
2021-01-01 21:49:51 +03:00
# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
# SPDX-License-Identifier: Apache-2.0
# Do not run on PRs
pr: none
rename master to main (#8245) As we strive for more inclusiveness, we are becoming less comfortable with historically-charged terms being used in our everyday work. This is targeted for merge on Dec 26, _after_ the necessary corresponding changes at both the GitHub and Azure Pipelines levels. CHANGELOG_BEGIN - DAML Connect development is now conducted from the `main` branch, rather than the `master` one. If you had any dependency on the digital-asset/daml repository, you will need to update this parameter. CHANGELOG_END
2020-12-27 16:19:07 +03:00
# Do not run on merge to main
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
trigger: none
# Do run on a schedule (daily)
#
# Note: machines are killed every day at 4AM UTC, so we need to either:
# - run sufficiently before that that this doesn't get killed, or
# - run sufficiently after that that machines are initialized.
#
# Targeting 6AM UTC seems to fit that.
schedules:
- cron: "0 6 * * *"
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
displayName: daily checks and reporting
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
branches:
include:
rename master to main (#8245) As we strive for more inclusiveness, we are becoming less comfortable with historically-charged terms being used in our everyday work. This is targeted for merge on Dec 26, _after_ the necessary corresponding changes at both the GitHub and Azure Pipelines levels. CHANGELOG_BEGIN - DAML Connect development is now conducted from the `main` branch, rather than the `master` one. If you had any dependency on the digital-asset/daml repository, you will need to update this parameter. CHANGELOG_END
2020-12-27 16:19:07 +03:00
- main
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
always: true
jobs:
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
- job: compatibility_ts_libs
timeoutInMinutes: 60
pool:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
name: ubuntu_20_04
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
demands: assignment -equals default
steps:
- checkout: self
ci: clean-up hard drive more often (#8582) CHANGELOG_BEGIN CHANGELOG_END
2021-01-20 19:22:53 +03:00
- template: ../clean-up.yml
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
- template: ../compatibility_ts_libs.yml
daily run: warn on master only (#6177) Currently the message to Slack is always triggered by running the daily checks. This means that it gets very noisy to: 1. Run the check on PRs affecting the check (like this one), 2. Rerun the check multiple times to ascertain that a given failure is flaky. With this PR, the message to Slack is replaced with a simple `echo` when these checks are not run from the `master` branch, so whoever (manually) triggered them can still get feedback on the result, but other people don't get spurious `@here` mentions. CHANGELOG_BEGIN CHANGELOG_END
2020-06-03 17:36:05 +03:00
- template: ../daily_tell_slack.yml
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
- job: compatibility
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
dependsOn: compatibility_ts_libs
Bump timeouts in compat tests (#6689) This bumps the timeout of the compat tests on PRs to 360 minutes matching other jobs on a PR (we mainly hit this if ghc-lib is rebuilt) and the timeout on the daily jobs to 720 minutes (we hit this if _everything_ is rebuilt). I am slightly worried about the timeout on the daily job. After having taken a look at it, there are a few reasons how we ended up here: 1. We started including more tests, e.g., sandbox-classic. Not much we can do here, those tests are useful. 2. We have a very large number of snapshots for 1.3.0. There are a few reasons for this: 1. Timing: We branched off early for the 1.2.0 release so the first snapshot for 1.3 was on June 3th. For 1.4 it looks like the first snapshot will be on July 15th so that’s roughly 2 extra snapshots just due to timing. 2. Additional snapshots: We had one broken snapshot due to a broken VSCode extension that we didn’t delete (probably not worth doing at this point). We also had to backport to an old snapshot which resulted in another extra snapshot. We also had one extra snapshot which was supposed to be the RC but wasn’t since the ANF revert needed to go in. The only thing that is clearly useless is the one broken snapshot but that doesn’t change things that much. I see 2 orthogonal options for improving this assuming we agree that the current runtime is worryingly high. 1. Prune snapshots more aggressively, e.g., only include the last 3 snapshots. That’s a pretty arbitrary decision but it would enforce a hard limit. 2. Reduce test combinations. E.g., only test snapshots vs stable releases but not snapshots vs snapshots. 3. We end up forcing a full build quite frequently. Here are just 2 examples of how we’ve done that so far. 1. Upgrade rules_haskell. Basically all tests are run by a Haskell binary so this forces a full rebuild. 2. Change runfiles of `daml`. I don’t think there is much we can do about 1 or 3 which leaves us with 2. One not entirely unreasonable option is to just do nothing. We did have periods where things went pretty smoothly for the most part and each month we reset to a much smaller number of releases (we also have to start throwing out old stable releases at some point). Otherwise reducing the number of test combinations seems the most promising option to me. changelog_begin changelog_end
2020-07-10 15:34:53 +03:00
timeoutInMinutes: 720
switch back to hosted macOS nodes (#5935) CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 23:59:33 +03:00
strategy:
matrix:
linux:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
pool: ubuntu_20_04
switch back to hosted macOS nodes (#5935) CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 23:59:33 +03:00
macos:
pool: macOS-pool
add empty daily CI run (#5675) This is meant to be filled once we have a better idea of what exactly we want to test. See #5665 for current thinking about it. CHANGELOG_BEGIN CHANGELOG_END
2020-04-23 11:36:20 +03:00
pool:
switch back to hosted macOS nodes (#5935) CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 23:59:33 +03:00
name: $(pool)
add default capability to macos (#5915) This is the macOS part of #5912, which I have separated because our macOS nodes have a different deployment process so it seemed easier to track the deployment of the change separately. CHANGELOG_BEGIN CHANGELOG_END
2020-11-25 17:34:33 +03:00
demands: assignment -equals default
switch back to Azure-provided macos nodes (#5920) This is temporary. It looks like the macOS nodes are dead; @nycnewman is looking into it, but in case he doesn't fix it in time, at least we have a backup plan so we're not completely blocked on Monday. CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 10:28:40 +03:00
steps:
- checkout: self
clear shared memory segment on macOS (#6530) For a while now we've had errors along the line of ``` FATAL: could not create shared memory segment: No space left on device DETAIL: Failed system call was shmget(key=5432001, size=56, 03600). HINT: This error does *not* mean that you have run out of disk space. It occurs either if all available shared memory IDs have been taken, in which case you need to raise the SHMMNI parameter in your kernel, or because the system's overall limit for shared memory has been reached. The PostgreSQL documentation contains more information about shared memory configuration. child process exited with exit code 1 ``` on macOS CI nodes, which we were not able to reproduce locally. Today I managed to, sort of by accident, and that allowed me to dig a bit further. The root cause seems to be that PostgreSQL, as run by Bazel, does not always seem to properly unlink the shared memory segment it uses to communicate with itself. On my machine, running: ``` bazel test -t- --runs_per_test=100 //ledger/sandbox:conformance-test-wall-clock-postgresql ``` and eyealling the results of ``` watch ipcs -mcopt ``` I would say about one in three runs leaks its memory segment. After much googling and some head scratching trying to figure out the C APIs for managing shared memory segments on macOS, I kind of stumbled on a reference to `pcirm` in a comment to some low-ranking StackOverflow answer. It looks like it's working very well on my machine, even if I run it while a test (and therefore an instance of pg) is running. I believe this is because the command does not actually remove the shared memory segments, but simply marks them for removal once the last process stops using it. (At least that's what the manpage describes.) CHANGELOG_BEGIN CHANGELOG_END
2020-06-30 02:40:16 +03:00
- ${{ if eq(variables['pool'], 'macos-pool') }}:
add explanation for clearing shared segments (#6545) As requested on #6530. CHANGELOG_BEGIN CHANGELOG_END
2020-06-30 16:21:32 +03:00
- template: ../clear-shared-segments-macos.yml
ci: clean-up hard drive more often (#8582) CHANGELOG_BEGIN CHANGELOG_END
2021-01-20 19:22:53 +03:00
- template: ../clean-up.yml
switch back to Azure-provided macos nodes (#5920) This is temporary. It looks like the macOS nodes are dead; @nycnewman is looking into it, but in case he doesn't fix it in time, at least we have a backup plan so we're not completely blocked on Monday. CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 10:28:40 +03:00
- template: ../compatibility.yml
daily run: warn on master only (#6177) Currently the message to Slack is always triggered by running the daily checks. This means that it gets very noisy to: 1. Run the check on PRs affecting the check (like this one), 2. Rerun the check multiple times to ascertain that a given failure is flaky. With this PR, the message to Slack is replaced with a simple `echo` when these checks are not run from the `master` branch, so whoever (manually) triggered them can still get feedback on the result, but other people don't get spurious `@here` mentions. CHANGELOG_BEGIN CHANGELOG_END
2020-06-03 17:36:05 +03:00
- template: ../daily_tell_slack.yml
switch back to Azure-provided macos nodes (#5920) This is temporary. It looks like the macOS nodes are dead; @nycnewman is looking into it, but in case he doesn't fix it in time, at least we have a backup plan so we're not completely blocked on Monday. CHANGELOG_BEGIN CHANGELOG_END
2020-05-11 10:28:40 +03:00
Make compat tests work on windows (#5732) * Make compat tests work on windows This required some changes to the daml_sdk rule since the read-only installation by the assistant breaks Bazel completely. We could only apply those changes on Windows but I think I prefer the consistency across platforms here over trying to stay close to how the SDK is installed on user machines given that the SDK installation is not something we’ve had issues with. I’ve excluded the postgresql tests for now. I don’t expect them to be particularly hard to fix but I’ve already spent almost 2 days on this and having some tests run on Windows seems like a clear improvement over running no tests on Windows :) changelog_begin changelog_end * Remove todo changelog_begin changelog_end
2020-04-28 17:06:36 +03:00
- job: compatibility_windows
Include create-daml-app tests in compatibility tests (#5945) This is the first part of #5700 It adds tests that build create-daml-app using `daml build` and then run the codegen and build the UI. Contrary to our main tests these also run on Windows. This is actually reasonably simple by first building the typescript libraries on Linux and then downloading them on Windows. There are two parts that are still missing from the tests in the main workspace: 1. Building the extra feature. This should be fairly easy to add. 2. Running the pupeeter tests. At least MacOS and Linux should be reasonably easy. I don’t know what horrors Windows will throw at us. This step is what actually makes this a compatibility test. Currently it doesn’t actually launch Sandbox and the JSON API. Since this PR is already pretty large, I’d like to tackle those things separately. changelog_begin changelog_end
2020-05-13 11:39:51 +03:00
dependsOn: compatibility_ts_libs
Bump timeouts in compat tests (#6689) This bumps the timeout of the compat tests on PRs to 360 minutes matching other jobs on a PR (we mainly hit this if ghc-lib is rebuilt) and the timeout on the daily jobs to 720 minutes (we hit this if _everything_ is rebuilt). I am slightly worried about the timeout on the daily job. After having taken a look at it, there are a few reasons how we ended up here: 1. We started including more tests, e.g., sandbox-classic. Not much we can do here, those tests are useful. 2. We have a very large number of snapshots for 1.3.0. There are a few reasons for this: 1. Timing: We branched off early for the 1.2.0 release so the first snapshot for 1.3 was on June 3th. For 1.4 it looks like the first snapshot will be on July 15th so that’s roughly 2 extra snapshots just due to timing. 2. Additional snapshots: We had one broken snapshot due to a broken VSCode extension that we didn’t delete (probably not worth doing at this point). We also had to backport to an old snapshot which resulted in another extra snapshot. We also had one extra snapshot which was supposed to be the RC but wasn’t since the ANF revert needed to go in. The only thing that is clearly useless is the one broken snapshot but that doesn’t change things that much. I see 2 orthogonal options for improving this assuming we agree that the current runtime is worryingly high. 1. Prune snapshots more aggressively, e.g., only include the last 3 snapshots. That’s a pretty arbitrary decision but it would enforce a hard limit. 2. Reduce test combinations. E.g., only test snapshots vs stable releases but not snapshots vs snapshots. 3. We end up forcing a full build quite frequently. Here are just 2 examples of how we’ve done that so far. 1. Upgrade rules_haskell. Basically all tests are run by a Haskell binary so this forces a full rebuild. 2. Change runfiles of `daml`. I don’t think there is much we can do about 1 or 3 which leaves us with 2. One not entirely unreasonable option is to just do nothing. We did have periods where things went pretty smoothly for the most part and each month we reset to a much smaller number of releases (we also have to start throwing out old stable releases at some point). Otherwise reducing the number of test combinations seems the most promising option to me. changelog_begin changelog_end
2020-07-10 15:34:53 +03:00
timeoutInMinutes: 720
Make compat tests work on windows (#5732) * Make compat tests work on windows This required some changes to the daml_sdk rule since the read-only installation by the assistant breaks Bazel completely. We could only apply those changes on Windows but I think I prefer the consistency across platforms here over trying to stay close to how the SDK is installed on user machines given that the SDK installation is not something we’ve had issues with. I’ve excluded the postgresql tests for now. I don’t expect them to be particularly hard to fix but I’ve already spent almost 2 days on this and having some tests run on Windows seems like a clear improvement over running no tests on Windows :) changelog_begin changelog_end * Remove todo changelog_begin changelog_end
2020-04-28 17:06:36 +03:00
pool:
name: windows-pool
add default machine capability (#5912) add default machine capability We semi-regularly need to do work that has the potential to disrupt a machine's local cache, rendering it broken for other streams of work. This can include upgrading nix, upgrading Bazel, debugging caching issues, or anything related to Windows. Right now we do not have any good solution for these situations. We can either not do those streams of work, or we can proceed with them and just accept that all other builds may get affected depending on which machine they get assigned to. Debugging broken nodes is particularly tricky as we do not have any way to force a build to run on a given node. This PR aims at providing a better alternative by (ab)using an Azure Pipelines feature called [capabilities](https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#capabilities). The idea behind capabilities is that you assign a set of tags to a machine, and then a job can express its [demands](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/demands?view=azure-devops&tabs=yaml), i.e. specify a set of tags machines need to have in order to run it. Support for this is fairly badly documented. We can gather from the documentation that a job can specify two things about a capability (through its `demands`): that a given tag exists, and that a given tag has an exact specified value. In particular, a job cannot specify that a capability should _not_ be present, meaning we cannot rely on, say, adding a "broken" tag to broken machines. Documentation on how to set capabilities for an agent is basically nonexistent, but [looking at the code](https://github.com/microsoft/azure-pipelines-agent/blob/master/src/Microsoft.VisualStudio.Services.Agent/Capabilities/UserCapabilitiesProvider.cs) indicates that they can be set by using a simple `key=value`-formatted text file, provided we can find the right place to put this file. This PR adds this file to our Linux, macOS and Windows node init scripts to define an `assignment` capability and adds a demand for a `default` value on each job. From then on, when we hit a case where we want a PR to run on a specific node, and to prevent other PRs from running on that node, we can manually override the capability from the Azure UI and update the demand in the relevant YAML file in the PR. CHANGELOG_BEGIN CHANGELOG_END
2020-05-09 19:21:42 +03:00
demands: assignment -equals default
Make compat tests work on windows (#5732) * Make compat tests work on windows This required some changes to the daml_sdk rule since the read-only installation by the assistant breaks Bazel completely. We could only apply those changes on Windows but I think I prefer the consistency across platforms here over trying to stay close to how the SDK is installed on user machines given that the SDK installation is not something we’ve had issues with. I’ve excluded the postgresql tests for now. I don’t expect them to be particularly hard to fix but I’ve already spent almost 2 days on this and having some tests run on Windows seems like a clear improvement over running no tests on Windows :) changelog_begin changelog_end * Remove todo changelog_begin changelog_end
2020-04-28 17:06:36 +03:00
steps:
- checkout: self
- template: ../compatibility-windows.yml
Publish execution logs from Windows compatibility jobs (#5834) Hopefully, this helps diagnose the Windows CI failures. changelog_begin changelog_end
2020-05-05 13:23:11 +03:00
- task: PublishBuildArtifacts@1
condition: succeededOrFailed()
inputs:
pathtoPublish: '$(Build.StagingDirectory)'
artifactName: 'Bazel Compatibility Logs'
daily run: warn on master only (#6177) Currently the message to Slack is always triggered by running the daily checks. This means that it gets very noisy to: 1. Run the check on PRs affecting the check (like this one), 2. Rerun the check multiple times to ascertain that a given failure is flaky. With this PR, the message to Slack is replaced with a simple `echo` when these checks are not run from the `master` branch, so whoever (manually) triggered them can still get feedback on the result, but other people don't get spurious `@here` mentions. CHANGELOG_BEGIN CHANGELOG_END
2020-06-03 17:36:05 +03:00
- template: ../daily_tell_slack.yml
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
- job: perf_speedy
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
timeoutInMinutes: 120
pool:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
name: "ubuntu_20_04"
add default machine capability (#5912) add default machine capability We semi-regularly need to do work that has the potential to disrupt a machine's local cache, rendering it broken for other streams of work. This can include upgrading nix, upgrading Bazel, debugging caching issues, or anything related to Windows. Right now we do not have any good solution for these situations. We can either not do those streams of work, or we can proceed with them and just accept that all other builds may get affected depending on which machine they get assigned to. Debugging broken nodes is particularly tricky as we do not have any way to force a build to run on a given node. This PR aims at providing a better alternative by (ab)using an Azure Pipelines feature called [capabilities](https://docs.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser#capabilities). The idea behind capabilities is that you assign a set of tags to a machine, and then a job can express its [demands](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/demands?view=azure-devops&tabs=yaml), i.e. specify a set of tags machines need to have in order to run it. Support for this is fairly badly documented. We can gather from the documentation that a job can specify two things about a capability (through its `demands`): that a given tag exists, and that a given tag has an exact specified value. In particular, a job cannot specify that a capability should _not_ be present, meaning we cannot rely on, say, adding a "broken" tag to broken machines. Documentation on how to set capabilities for an agent is basically nonexistent, but [looking at the code](https://github.com/microsoft/azure-pipelines-agent/blob/master/src/Microsoft.VisualStudio.Services.Agent/Capabilities/UserCapabilitiesProvider.cs) indicates that they can be set by using a simple `key=value`-formatted text file, provided we can find the right place to put this file. This PR adds this file to our Linux, macOS and Windows node init scripts to define an `assignment` capability and adds a demand for a `default` value on each job. From then on, when we hit a case where we want a PR to run on a specific node, and to prevent other PRs from running on that node, we can manually override the capability from the Azure UI and update the demand in the relevant YAML file in the PR. CHANGELOG_BEGIN CHANGELOG_END
2020-05-09 19:21:42 +03:00
demands: assignment -equals default
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
steps:
- checkout: self
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- bash: ci/configure-bazel.sh
displayName: 'Configure Bazel for root workspace'
env:
IS_FORK: $(System.PullRequest.IsFork)
# to upload to the bazel cache
GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
- template: ../bash-lib.yml
parameters:
var_name: bash_lib
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade assist)"
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
source $(bash_lib)
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
BASELINE="cebc26af88efef4a7c81c62b0c14353f829b755e"
more flexible perf test check (#5891) This PR separates the "last known valid perf test" commit from the "baseline speedy implementation" commit. It is important for the perf test to be meaningful that the changes between those two commits are benign, say minor API adjustments, so that the perf measurement remains meaningful. This also adds a check on merging to master that tells Slack if the perf test has changed and the `test_sha` file needs updating. The Slack message is conditional on the current commit to avoid excessive noise. CHANGELOG_BEGIN CHANGELOG_END
2020-05-07 14:53:22 +03:00
TEST_SHA=$(cat ci/cron/perf/test_sha)
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
OUT="$(Build.StagingDirectory)/perf-results.json"
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
START=$(date -u +%Y%m%d_%H%M%SZ)
more flexible perf test check (#5891) This PR separates the "last known valid perf test" commit from the "baseline speedy implementation" commit. It is important for the perf test to be meaningful that the changes between those two commits are benign, say minor API adjustments, so that the perf measurement remains meaningful. This also adds a check on merging to master that tells Slack if the perf test has changed and the `test_sha` file needs updating. The Slack message is conditional on the current commit to avoid excessive noise. CHANGELOG_BEGIN CHANGELOG_END
2020-05-07 14:53:22 +03:00
if git diff --exit-code $TEST_SHA -- daml-lf/scenario-interpreter/src/perf >&2; then
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
# no changes, all good
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
ci/cron/perf/compare.sh $BASELINE > "$OUT"
cat "$OUT"
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
else
# the tests have changed, we need to figure out what to do with
# the baseline.
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
echo "Baseline no longer valid, needs manual correction." > "$OUT"
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
fi
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
ci/bash_lib: generalize save_gcp_data (#7599) This PR extends the existing `save_gcp_data` function to handle any `gsutil` command. This is done to support existence checking using `gsutil ls` for private artifacts in release checking (`ci/cron`). CHANGELOG_BEGIN CHANGELOG_END
2020-10-08 19:37:14 +03:00
gcs "$GCRED" cp "$OUT" gs://daml-data/perf/speedy/$START.json
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
add daily perf report (#5843) This PR adds a simple daily job that runs the performance test on a chosen "baseline" commit and then runs the same benchmark on latest master. This should allow us to track overall performance improvements. CHANGELOG_BEGIN CHANGELOG_END
2020-05-06 14:50:35 +03:00
displayName: measure perf
save daily perf results (#7396) It's a real shame I forgot to do this sooner, but better late than never I suppose. CHANGELOG_BEGIN CHANGELOG_END
2020-09-14 21:38:31 +03:00
env:
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
daily run: warn on master only (#6177) Currently the message to Slack is always triggered by running the daily checks. This means that it gets very noisy to: 1. Run the check on PRs affecting the check (like this one), 2. Rerun the check multiple times to ascertain that a given failure is flaky. With this PR, the message to Slack is replaced with a simple `echo` when these checks are not run from the `master` branch, so whoever (manually) triggered them can still get feedback on the result, but other people don't get spurious `@here` mentions. CHANGELOG_BEGIN CHANGELOG_END
2020-06-03 17:36:05 +03:00
- template: ../daily_tell_slack.yml
parameters:
fix perf_speedy report (escaping ") (#8655) The report currently chokes on quotes in the commit message (see 550aa48fc52cb6dfa19de6b86e27b481d3835048). Rather than trying to correctly excape things in Bash, this PR delegates the quote handling to jq, because having to deal with Bash embedded in YAML is hard enough. CHANGELOG_BEGIN CHANGELOG_END
2021-02-03 21:47:27 +03:00
success-message: $(jq --arg stats "$(cat $(Build.StagingDirectory)/perf-results.json)" --arg link "$COMMIT_LINK" -n '"perf for " + $link + ":```" + $stats + "```"')
JSON API daily perf test cron job (#7406) * Add http-json-perf daily cron job changelog_begin changelog_end * commenting out other jobs so we can manually test the new one * commenting out other jobs so we can manually test the new one * Fix the shell script * Fixing the gs bucket, `gs://http-json bucket does not exist` * uncomment the other jobs * timestamp from git log * get rid of DAR copying * comment out the other jobs, so we can test it * uncomment the other jobs
2020-09-16 20:02:02 +03:00
- job: perf_http_json
timeoutInMinutes: 120
pool:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
name: "ubuntu_20_04"
JSON API daily perf test cron job (#7406) * Add http-json-perf daily cron job changelog_begin changelog_end * commenting out other jobs so we can manually test the new one * commenting out other jobs so we can manually test the new one * Fix the shell script * Fixing the gs bucket, `gs://http-json bucket does not exist` * uncomment the other jobs * timestamp from git log * get rid of DAR copying * comment out the other jobs, so we can test it * uncomment the other jobs
2020-09-16 20:02:02 +03:00
demands: assignment -equals default
steps:
- checkout: self
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- bash: ci/configure-bazel.sh
displayName: 'Configure Bazel for root workspace'
env:
IS_FORK: $(System.PullRequest.IsFork)
# to upload to the bazel cache
GOOGLE_APPLICATION_CREDENTIALS_CONTENT: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
- template: ../bash-lib.yml
parameters:
var_name: bash_lib
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade assist)"
source $(bash_lib)
SCENARIOS="\
com.daml.http.perf.scenario.CreateCommand \
com.daml.http.perf.scenario.ExerciseCommand \
com.daml.http.perf.scenario.CreateAndExerciseCommand \
com.daml.http.perf.scenario.AsyncQueryConstantAcs \
com.daml.http.perf.scenario.SyncQueryConstantAcs \
com.daml.http.perf.scenario.SyncQueryNewAcs \
com.daml.http.perf.scenario.SyncQueryVariableAcs \
"
bazel build //docs:quickstart-model
DAR="${PWD}/bazel-bin/docs/quickstart-model.dar"
JWT="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwczovL2RhbWwuY29tL2xlZGdlci1hcGkiOnsibGVkZ2VySWQiOiJNeUxlZGdlciIsImFwcGxpY2F0aW9uSWQiOiJmb29iYXIiLCJhY3RBcyI6WyJBbGljZSJdfX0.VdDI96mw5hrfM5ZNxLyetSVwcD7XtLT4dIdHIOa9lcU"
START=$(git log -n1 --format=%cd --date=format:%Y%m%d).$(git rev-list --count HEAD).$(Build.BuildId).$(git log -n1 --format=%h --abbrev=8)
REPORT_ID="http_json_perf_results_${START}"
OUT="$(Build.StagingDirectory)/${REPORT_ID}"
for scenario in $SCENARIOS; do
bazel run //ledger-service/http-json-perf:http-json-perf-binary -- \
--scenario=${scenario} \
--dars=${DAR} \
--reports-dir=${OUT} \
--jwt=${JWT}
done
perf_json_http: compress results (#8123) I wanted to suggest that on the PR but caught it after it was merged. So I made a note of it, which promptly got lost. As the end of the year approaches I've started trying to clean up a little. CHANGELOG_BEGIN CHANGELOG_END
2020-12-01 19:44:43 +03:00
GZIP=-9 tar -zcvf ${OUT}.tgz ${OUT}
JSON API daily perf test cron job (#7406) * Add http-json-perf daily cron job changelog_begin changelog_end * commenting out other jobs so we can manually test the new one * commenting out other jobs so we can manually test the new one * Fix the shell script * Fixing the gs bucket, `gs://http-json bucket does not exist` * uncomment the other jobs * timestamp from git log * get rid of DAR copying * comment out the other jobs, so we can test it * uncomment the other jobs
2020-09-16 20:02:02 +03:00
ci/bash_lib: generalize save_gcp_data (#7599) This PR extends the existing `save_gcp_data` function to handle any `gsutil` command. This is done to support existence checking using `gsutil ls` for private artifacts in release checking (`ci/cron`). CHANGELOG_BEGIN CHANGELOG_END
2020-10-08 19:37:14 +03:00
gcs "$GCRED" cp "$OUT.tgz" "gs://daml-data/perf/http-json/${REPORT_ID}.tgz"
JSON API daily perf test cron job (#7406) * Add http-json-perf daily cron job changelog_begin changelog_end * commenting out other jobs so we can manually test the new one * commenting out other jobs so we can manually test the new one * Fix the shell script * Fixing the gs bucket, `gs://http-json bucket does not exist` * uncomment the other jobs * timestamp from git log * get rid of DAR copying * comment out the other jobs, so we can test it * uncomment the other jobs
2020-09-16 20:02:02 +03:00
displayName: measure http-json performance
env:
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
periodically check signatures (#7543) This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
2020-10-01 22:01:42 +03:00
- job: check_releases
bump check_releases timeout (#8812) It's become quite flaky at just 4h. Yes, I do plan to actually fix it, but it may take a while. CHANGELOG_BEGIN CHANGELOG_END
2021-02-11 01:45:25 +03:00
timeoutInMinutes: 360
periodically check signatures (#7543) This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
2020-10-01 22:01:42 +03:00
pool:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
name: ubuntu_20_04
periodically check signatures (#7543) This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
2020-10-01 22:01:42 +03:00
demands: assignment -equals default
steps:
- checkout: self
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- template: ../bash-lib.yml
parameters:
var_name: bash_lib
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade assist)"
ci/cron: move Bash cron inside Haskell script (#7585) Yes, this is how I write Haskell. I'm told it's an improvement over Bash. Jokes aside, plan is to chip away at the Bash script, starting with replacing the outermost loop with a proper "get _all_ releases" call from Haskell, but I like keeping things working in small steps, and even long-term I have no desire to reimplement the gpg signature checking code in Haskell. I have tested that things still work (on my machine); the only difference is that we now only get the full output all at once at the end, rather than one signature at a time. I don't think anyone is looking at the output in real-time, so this should not be a huge issue. CHANGELOG_BEGIN CHANGELOG_END
2020-10-06 19:45:29 +03:00
bazel build //ci/cron:cron
ci/cron: upload artifact to daml-data if missing (#7616) If we don't already have a copy of an artifact in our "disaster recovery" storage box, put one. Note: as implemented, this upload mechanism happens only if the release was successfully verified signature-wise, so this should not result in us saving broken artifacts. Also, CI does not have deletion or overwrite access to this bucket, so overall this should be pretty safe. CHANGELOG_BEGIN CHANGELOG_END
2020-10-09 15:55:37 +03:00
bazel-bin/ci/cron/cron check --bash-lib $(bash_lib) --gcp-creds "$GCRED"
periodically check signatures (#7543) This is a first, very incomplete step in the spirit of small, incremental PRs. Known missing features: - Should check all versions, not just the 30 most recent ones. - Should also download from GCP backup and compare. - Should alert on Slack if anything is unexpected. - Should handle versions prior to us starting to sign (and do what?). - Should also check artifacts in Artifactory, not just GitHub Releases. - Optionally should save to GCP if we don't have a backup already. So at the moment it's just downloading the artifacts for the 30 most recent releases and printing a message stating whether we have a signature and whether it's valid. CHANGELOG_BEGIN CHANGELOG_END
2020-10-01 22:01:42 +03:00
displayName: check releases
env:
GCRED: $(GOOGLE_APPLICATION_CREDENTIALS_CONTENT)
signature check: report to Slack (#7568) If a tree falls in the forest and all that. CHANGELOG_BEGIN CHANGELOG_END
2020-10-05 18:31:11 +03:00
- template: ../daily_tell_slack.yml
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
- job: blackduck_scan
timeoutInMinutes: 1200
limit blackduck scans to main (#8647) CHANGELOG_BEGIN CHANGELOG_END
2021-01-27 19:29:27 +03:00
condition: eq(variables['Build.SourceBranchName'], 'main')
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
pool:
Upgrade linux nodes to 20.04 (#8617) CHANGELOG_BEGIN - Our Linux binaries are now built on Ubuntu 20.04 instead of 16.04. We do not expect any user-level impact, but please reach out if you do notice any issue that might be caused by this. CHANGELOG_END
2021-01-27 19:38:34 +03:00
name: ubuntu_20_04
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
demands: assignment -equals default
steps:
- checkout: self
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
persistCredentials: true
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
- bash: ci/dev-env-install.sh
displayName: 'Build/Install the Developer Environment'
- bash: |
set -euo pipefail
eval "$(dev-env/bin/dade assist)"
export LC_ALL=en_US.UTF-8
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
bazel build //...
# Make sure that Bazel query works
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
bazel query 'deps(//...)' >/dev/null
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
displayName: 'Build'
- bash: |
set -euo pipefail
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
eval "$(dev-env/bin/dade-assist)"
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
#needs to be specified since blackduck can not scan all bazel
#dependency types in one go, haskell has to be scanned separatey and
#code location name uniquely identified to avoid stomping
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
BAZEL_DEPENDENCY_TYPE="haskell_cabal_library"
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
ci-build digital-asset_daml $(Build.SourceBranchName) \
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
--logging.level.com.synopsys.integration=DEBUG \
--detect.tools=BAZEL \
--detect.bazel.target=//... \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
--detect.bazel.dependency.type=${BAZEL_DEPENDENCY_TYPE} \
--detect.policy.check.fail.on.severities=MAJOR,CRITICAL,BLOCKER \
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
--detect.notices.report=true \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
--detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
replace deprecated blackduck property (#8811) CHANGELOG_BEGIN CHANGELOG_END
2021-02-10 22:54:31 +03:00
--detect.timeout=1500
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
displayName: 'Blackduck Haskell Scan'
env:
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
- bash: |
set -euo pipefail
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
eval "$(dev-env/bin/dade-assist)"
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
#avoid stomping any previous bazel haskell scans for this repository
#by qualifying as a maven_install (aka jvm) bazel blackduck scan
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
BAZEL_DEPENDENCY_TYPE="maven_install"
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
bash <(curl -s https://raw.githubusercontent.com/DACH-NY/security-blackduck/master/synopsys-detect) \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
ci-build digital-asset_daml $(Build.SourceBranchName) \
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
--logging.level.com.synopsys.integration=DEBUG \
--detect.npm.include.dev.dependencies=false \
--detect.excluded.detector.types=NUGET \
--detect.excluded.detector.types=GO_MOD \
--detect.yarn.prod.only=true \
--detect.python.python3=true \
--detect.tools=DETECTOR,BAZEL,DOCKER \
--detect.bazel.target=//... \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
--detect.bazel.dependency.type=${BAZEL_DEPENDENCY_TYPE} \
--detect.detector.search.exclusion.paths=.bazel-cache,language-support/ts/codegen/tests/ts,language-support/ts,language-support/scala/examples/iou-no-codegen,language-support/scala/examples/quickstart-scala,docs/source/app-dev/bindings-java/code-snippets,docs/source/app-dev/bindings-java/quickstart/template-root,language-support/scala/examples/quickstart-scala,language-support/scala/examples/iou-no-codegen \
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
--detect.cleanup=false \
--detect.policy.check.fail.on.severities=MAJOR,CRITICAL,BLOCKER \
--detect.notices.report=true \
--detect.cleanup.bdio.files=true \
Avoid haskell and jvm bazel blackduck scan stomping (#8247) * Run bazel scan for all but haskell first, then haskell at end so they do not stomp on each other CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * use common prefix between runs so results are aggregated, get branch name from running job rather than assuming master * DO NOT MERGE: disable all jobs except for blackduck scan * haskell before full scan * parens instead of braces * differentiate haskell and jvm bazel runs with unique code location * unique code location prefix * fix syntax * unique code location to avoid clashing bazel runs * Use master security-blackduck script helper * reenable all jobs to make mergeable * cleanup whitespace * Use Build.SourceBranchName for branch * Update ci/cron/daily-compat.yml Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * DO NOT MERGE: skip all jobs but blackduck, skip update notices file step * reenable all jobs to make mergeable Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-11 15:56:05 +03:00
--detect.code.location.name=digital-asset_daml_${BAZEL_DEPENDENCY_TYPE} \
replace deprecated blackduck property (#8811) CHANGELOG_BEGIN CHANGELOG_END
2021-02-10 22:54:31 +03:00
--detect.timeout=4500
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
displayName: 'Blackduck Scan'
env:
BLACKDUCK_HUBDETECT_TOKEN: $(BLACKDUCK_HUBDETECT_TOKEN)
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
- template: ../bash-lib.yml
parameters:
var_name: bash_lib
- bash: |
set -euo pipefail
eval "$(./dev-env/bin/dade-assist)"
source $(bash_lib)
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
branch="notices-update-$(Build.BuildId)"
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
tr -d '\015' <*_Black_Duck_Notices_Report.txt | grep -v digital-asset_daml >NOTICES
if git diff --exit-code -- NOTICES; then
echo "NOTICES file already up-to-date."
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
setvar need_to_build false
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
else
git add NOTICES
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
open_pr "$branch" "update NOTICES file"
setvar need_to_build true
blackduck: open PR on NOTICES file change (#8215) CHANGELOG_BEGIN CHANGELOG_END
2020-12-10 12:08:28 +03:00
fi
only update NOTICES from main daily compats (#8473) See #8468 for failure mode of current config. CHANGELOG_BEGIN CHANGELOG_END
2021-01-12 15:10:27 +03:00
displayName: open PR
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
name: out
add blackduck scan to run on master (#6130) (#8161) * add blackduck scan to run on master (#6130) * add blackduck scan * disable go scanning exclude entire language-support/ts directory for node scanning break to multiple lines to make command line params easier to parse * Increase timeout for blackduck binary scan * update blackduck scan config * remove some exclusions, force python3 * exclude GO until path to go executable can be resolved * added readme explanation of why we want this file * fail in case of policy violation * ensure haskell bazel scan completes before running second round scan for bazel jvm and node and other langs * trigger notices file gen to ensure BOM complete * remove trailing end of lines * run with latest detect version and unique code location name changes to wrapper script * Add blackduck to daily compat job * DO NOT MERGE: condition false to disable other jobs for testing * remove parameters not available to cronjob * Revert changes to regular CI pipeline CHANGELOG_BEGIN CHANGELOG_END Signed-off-by: Brian Healey <brian.healey@digitalasset.com> * Do not get branch name from variable * Upgrade com.fasterxml.jackson.core:jackson-databind to 2.12.0 to address security vulnerability * Remove disabling of other jobs, set to branch to be used on prod runs * Apply suggestions from code review Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com> * Address code review comments * Updated NOTICES file * Run bazel build, update NOTICES file * Correct dade-assist * do not have perms to pipe to dev/null * Add md file explaining how to update NOTICES file * Add instructions for running blackduck locally * Add a link to full security-blackduck readme Co-authored-by: Gary Verhaegen <gary.verhaegen@digitalasset.com>
2020-12-07 22:59:39 +03:00
- template: ../daily_tell_slack.yml
run PR builds on NOTICES updates (#8931) CHANGELOG_BEGIN CHANGELOG_END
2021-02-24 16:36:51 +03:00
- job: run_notices_pr_build
timeoutInMinutes: 60
dependsOn: ["blackduck_scan"]
pool:
vmImage: ubuntu-20.04
variables:
need_to_build: $[ dependencies.blackduck_scan.outputs['out.need_to_build'] ]
steps:
- bash: |
if [ "$(need_to_build)" == "true" ]; then
branch="notices-update-$(Build.BuildId)"
az extension add --name azure-devops
trap "az devops logout" EXIT
echo "$(System.AccessToken)" | az devops login --org "https://dev.azure.com/digitalasset"
az pipelines build queue --branch "$branch" \
--definition-name "PRs" \
--org "https://dev.azure.com/digitalasset" \
--project daml
fi
Reference in New Issue Copy Permalink