Mesa (main): ci/lava: Pass JWT separately from environment variables
GitLab Mirror
gitlab-mirror at kemper.freedesktop.org
Fri Jun 11 12:47:32 UTC 2021
Module: Mesa
Branch: main
Commit: f3d69923a10569ff8b9a1ee5e86136a3adeddd38
URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=f3d69923a10569ff8b9a1ee5e86136a3adeddd38
Author: Daniel Stone <daniels at collabora.com>
Date: Thu Jun 10 11:26:38 2021 +0100
ci/lava: Pass JWT separately from environment variables
As the JWT is sensitive, we don't want to record or leak it anywhere.
Doing this lets us run --dump-yaml in normal execution so we can
artifact the result, as well as bringing us into line with bare-metal.
Signed-off-by: Daniel Stone <daniels at collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/11309>
---
.gitlab-ci/lava/lava-gitlab-ci.yml | 3 ++-
.gitlab-ci/lava/lava.yml.jinja2 | 1 +
.gitlab-ci/lava/lava_job_submitter.py | 10 +++++++---
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.gitlab-ci/lava/lava-gitlab-ci.yml b/.gitlab-ci/lava/lava-gitlab-ci.yml
index f633019bc27..c7d001ca014 100644
--- a/.gitlab-ci/lava/lava-gitlab-ci.yml
+++ b/.gitlab-ci/lava/lava-gitlab-ci.yml
@@ -6,7 +6,7 @@
variables:
GIT_STRATEGY: none # testing doesn't build anything from source
ENV_VARS: "DEQP_PARALLEL=6"
- FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PAGES_DOMAIN=${CI_PAGES_DOMAIN} CI_PROJECT_NAME=${CI_PROJECT_NAME} CI_PROJECT_DIR=${CI_PROJECT_DIR} CI_PROJECT_PATH=${CI_PROJECT_PATH} CI_PROJECT_ROOT_NAMESPACE=${CI_PROJECT_ROOT_NAMESPACE} CI_JOB_JWT=${CI_JOB_JWT} CI_SERVER_URL=${CI_SERVER_URL} DRIVER_NAME=${DRIVER_NAME} FDO_UPSTREAM_REPO=${FDO_UPSTREAM_REPO} PIGLIT_NO_WINDOW=1 PIGLIT_REPLAY_UPLOAD_TO_MINIO=1 MINIO_HOST=${MINIO_HOST} LAVA_TEST_SCRIPT=${LAVA_TEST_SCRIPT} VK_DRIVER=${VK_DRIVER} FLAKES_CHANNEL=${FLAKES_CHANNEL}"
+ FIXED_ENV_VARS: "CI_PIPELINE_ID=${CI_PIPELINE_ID} CI_JOB_ID=${CI_JOB_ID} CI_PAGES_DOMAIN=${CI_PAGES_DOMAIN} CI_PROJECT_NAME=${CI_PROJECT_NAME} CI_PROJECT_DIR=${CI_PROJECT_DIR} CI_PROJECT_PATH=${CI_PROJECT_PATH} CI_PROJECT_ROOT_NAMESPACE=${CI_PROJECT_ROOT_NAMESPACE} CI_SERVER_URL=${CI_SERVER_URL} DRIVER_NAME=${DRIVER_NAME} FDO_UPSTREAM_REPO=${FDO_UPSTREAM_REPO} PIGLIT_NO_WINDOW=1 PIGLIT_REPLAY_UPLOAD_TO_MINIO=1 MINIO_HOST=${MINIO_HOST} LAVA_TEST_SCRIPT=${LAVA_TEST_SCRIPT} VK_DRIVER=${VK_DRIVER} FLAKES_CHANNEL=${FLAKES_CHANNEL}"
DEQP_VERSION: gles2
ARTIFACTS_PREFIX: "https://${MINIO_HOST}/mesa-lava"
MESA_URL: "http://caching-proxy/cache/?uri=https://${MINIO_HOST}/artifacts/${CI_PROJECT_PATH}/${CI_PIPELINE_ID}/mesa-${ARCH}.tar.gz"
@@ -29,6 +29,7 @@
--device-type ${DEVICE_TYPE} \
--dtb ${DTB} \
--env-vars "${ENV_VARS} ${FIXED_ENV_VARS}" \
+ --jwt "${CI_JOB_JWT}" \
--deqp-version ${DEQP_VERSION} \
--kernel-image-name ${KERNEL_IMAGE_NAME} \
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \
diff --git a/.gitlab-ci/lava/lava.yml.jinja2 b/.gitlab-ci/lava/lava.yml.jinja2
index 9c7a3794bee..f0f98a5b6ce 100644
--- a/.gitlab-ci/lava/lava.yml.jinja2
+++ b/.gitlab-ci/lava/lava.yml.jinja2
@@ -96,6 +96,7 @@ actions:
{% if env_vars %}
- export {{ env_vars }}
{% endif %}
+ - export CI_JOB_JWT="{{ jwt }}"
# runner script assumes some stuff is in pwd
- cd /
diff --git a/.gitlab-ci/lava/lava_job_submitter.py b/.gitlab-ci/lava/lava_job_submitter.py
index 0978c5cd150..5fee2d728ad 100755
--- a/.gitlab-ci/lava/lava_job_submitter.py
+++ b/.gitlab-ci/lava/lava_job_submitter.py
@@ -67,10 +67,13 @@ def generate_lava_yaml(args):
values['env_vars'] = env_vars
values['deqp_version'] = args.deqp_version
- yaml = template.render(values)
-
if args.dump_yaml:
- print(yaml)
+ dump_values = values
+ dump_values['jwt'] = 'xxx'
+ print(template.render(dump_values))
+
+ values['jwt'] = args.jwt
+ yaml = template.render(values)
return yaml
@@ -208,6 +211,7 @@ if __name__ == '__main__':
parser.add_argument("--boot-method")
parser.add_argument("--lava-tags", nargs='?', default="")
parser.add_argument("--env-vars", nargs='?', default="")
+ parser.add_argument("--jwt")
parser.add_argument("--deqp-version")
parser.add_argument("--ci-node-index")
parser.add_argument("--ci-node-total")
More information about the mesa-commit
mailing list