Commit d27b6051 authored by Ralf Jung

don't let users choose which branches are magic

parent 7be9733b
......@@ -154,7 +154,11 @@ on [our opam repo][opam]. Set the `OPAM_PKG` variable to the name of the
package to make that happen. This requires a per-project secret, see
[the private opam-updater documentation][opam-updater] for more details. Be
careful to only set `OPAM_PKG` in one job, or your builds will fail because the
same commit gets published several times!
same commit gets published several times.
To avoid the secret from leaking without any trace, absolutely make sure that
you have set up branch protection for the wildcard pattern `master*` in the
repository configuration!
[opam]: https://gitlab.mpi-sws.org/iris/opam
[opam-updater]: https://gitlab.mpi-sws.org/iris/opam-updater
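Review bot: The paragraph added after "same commit gets published several times." says what to configure but not why it protects the secret. Tie it to the script: publishing only runs when the branch is `master`, so the secret is exposed to anyone who can push to that branch. It should also say why the protected pattern is `master*` when the script tests for exactly `master`. The wording "To avoid the secret from leaking" is ungrammatical; "To prevent the secret from leaking" reads correctly, and naming the variable (`OPAM_UPDATE_SECRET`) would make the paragraph easier to find.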
......@@ -178,4 +182,8 @@ command="$HOME/rrsync /www/sws-websites/plv.mpi-sws.org/coqdoc/",no-port-forward
This restricts the key to only be able to run rsync for this particular
directory.
To avoid the secret from leaking without any trace, absolutely make sure that
you have set up branch protection for the wildcard pattern `master*` in the
repository configuration!
[coqdoc]: https://plv.mpi-sws.org/coqdoc
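Review bot: The paragraph added after "directory." is a verbatim copy of the one in the opam section, and here "the secret" has no antecedent because the preceding text talks about a key restricted to rsync. Name it (the `DOC_KEY` upload key), and consider stating the branch-protection requirement once in a place both sections link to, so the two copies cannot drift apart. "To avoid the secret from leaking" should read "To prevent the secret from leaking".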
......@@ -11,28 +11,24 @@ set -eo pipefail
## - $CI_COQCHK: If non-empty, run `coqchk` via `make validate`
## - $MANGLE_NAMES: If non-empty, add `-mangle-names` parameter to Coq
## invocation.
## - $OPAM_PKG, $OPAM_UPDATE_SECRET, $OPAM_PKG_BRANCH: IF $OPAM_PKG is
## non-empty, release this commit as a new package on opam when done.
## Requires the $OPAM_UPDATE_SECRET variable to be set. This only happens if
## the current branch is $OPAM_PKG_BRANCH, or master if that variable is
## empty.
## - $OPAM_PKG, $OPAM_UPDATE_SECRET: IF $OPAM_PKG is non-empty, release this
## commit as a new package on opam when done. Requires the
## $OPAM_UPDATE_SECRET variable to be set. This only happens if the current
## branch is `master`.
## - $TIMING_PROJECT, $TIMING_CONF, $TIMING_SECRET: When running on the
## `coop-timing` runner, submit timing information to coq-speed with the given
## project name and configuration string. $TIMING_PROJECT defaults to the
## repository name. $TIMING_CONF defaults to the job name. Reqires the
## $TIMING_SECRET variable to be set.
## - $DOC_DIR, $DOC_BRANCH, $DOC_KEY, $DOC_OPTS: If $DOC_DIR is non-empty, run
## coqdoc and upload the results to the given directory. This only happens if
## the current branch is $DOC_BRANCH (defaults to master). Requires the
## $DOC_KEY variable to be set to the secret key for uploading. $DOC_OPTS can
## be set to pass additional flags to coqdoc (particularly useful for
## --external).
## - $DOC_DIR, $DOC_KEY, $DOC_OPTS: If $DOC_DIR is non-empty, run coqdoc and
## upload the results to the given directory. This only happens if the
## current branch is `master`. Requires the $DOC_KEY variable to be set to
## the secret key for uploading. $DOC_OPTS can be set to pass additional
## flags to coqdoc (particularly useful for --external).
status "[buildjob] Using CI branch $(cd ci && git rev-parse --abbrev-ref HEAD) ($(cd ci && git rev-parse HEAD))"
OCAML=${OCAML:-ocaml-base-compiler.4.07.1}
OPAM_PKG_BRANCH=${OPAM_PKG_BRANCH:-master}
DOC_BRANCH=${DOC_BRANCH:-master}
TIMING_PROJECT=${TIMING_PROJECT:-$CI_PROJECT_NAME}
TIMING_CONF=${TIMING_CONF:-$CI_JOB_NAME}
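Review bot: With the `OPAM_PKG_BRANCH` and `DOC_BRANCH` defaults removed, a project that still sets either variable is ignored without any message, and its publishing from a non-master branch silently stops. Add a check next to the remaining defaults that calls `panic` (or at least `status`) when either variable is non-empty and points at the master-only rule. While this header comment is being edited, "IF $OPAM_PKG" and "Reqires" are typos worth fixing.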
......@@ -83,7 +79,7 @@ if [[ "$CI_RUNNER_DESCRIPTION" == "coop-timing" ]]; then
fi
# maybe create opam package
if [[ -n "$OPAM_PKG" && "$CI_COMMIT_REF_NAME" == "$OPAM_PKG_BRANCH" ]]; then
if [[ -n "$OPAM_PKG" && "$CI_COMMIT_REF_NAME" == "master" ]]; then
# check if we have the secret
if [[ -z "$OPAM_UPDATE_SECRET" ]]; then
panic "[buildjob] OPAM_UPDATE_SECRET variable is missing"
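Review bot: The condition `"$CI_COMMIT_REF_NAME" == "master"` trusts the ref name alone, while the README text in this commit relies on every repository having branch protection configured; nothing in the script verifies that. If the GitLab version in use provides `CI_COMMIT_REF_PROTECTED`, require it to be `true` before `OPAM_UPDATE_SECRET` is used and `panic` otherwise, so a misconfigured project fails loudly instead of publishing from an unprotected branch.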
......@@ -114,7 +110,7 @@ if [[ -n "$CI_COQCHK" ]]; then
fi
# maybe generate and upload documentation
if [[ -n "$DOC_DIR" && "$CI_COMMIT_REF_NAME" == "$DOC_BRANCH" ]]; then
if [[ -n "$DOC_DIR" && "$CI_COMMIT_REF_NAME" == "master" ]]; then
status "Publishing documentation from branch $CI_COMMIT_REF_NAME to $DOC_DIR"
# check if we have the secret
if [[ -z "$DOC_KEY" ]]; then
......
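Review bot: The literal `"master"` in the documentation condition is a second hard-coded copy of the one in the opam condition. Define it once, for example as a `readonly` variable where the removed `*_BRANCH` defaults were, so the two publishing gates cannot diverge. The `status` line still interpolates `$CI_COMMIT_REF_NAME`, which can only be `master` at this point, so the message could say that directly.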