# All builds are published as artifacts so they can be downloaded and used. image: registry.gitlab.com/satoshilabs/trezor/trezor-firmware/trezor-firmware-env.nix # Caching .gitlab_caching: &gitlab_caching cache: key: "$CI_COMMIT_REF_SLUG" paths: - .venv/ variables: SDL_VIDEODRIVER: "dummy" XDG_RUNTIME_DIR: "/var/tmp" # Core # Build of Core into firmware. Regular version. # **Are you looking for Trezor T firmware build? This is most likely it.** core fw regular build: stage: build <<: *gitlab_caching needs: [] script: - $NIX_SHELL --run "poetry run make -C core build_boardloader" - $NIX_SHELL --run "poetry run make -C core build_bootloader" - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci" - $NIX_SHELL --run "poetry run make -C core build_prodtest" - $NIX_SHELL --run "poetry run make -C core build_firmware" - $NIX_SHELL --run "poetry run make -C core sizecheck" - cp core/build/firmware/firmware.bin firmware-T2T1-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week # Build of Core into firmware with enabled _debug_ mode. In debug mode you can # upload mnemonic seed, use debug link etc. which enables device tests. Storage # on the device gets wiped on every start in this firmware. core fw regular debug build: stage: build <<: *gitlab_caching needs: [] script: - $NIX_SHELL --run "PYOPT=0 poetry run make -C core build_firmware" - cp core/build/firmware/firmware.bin firmware-T2T1-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week core fw regular production build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: PRODUCTION: "1" script: - $NIX_SHELL --run "poetry run make -C core build_boardloader" - $NIX_SHELL --run "poetry run make -C core build_bootloader" - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci" - $NIX_SHELL --run "poetry run make -C core build_prodtest" - $NIX_SHELL --run "poetry run make -C core build_firmware" - $NIX_SHELL --run "poetry run make -C core sizecheck" - cp core/build/firmware/firmware.bin firmware-T2T1-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week # Build of Core into firmware. Bitcoin-only version. core fw btconly build: stage: build <<: *gitlab_caching needs: [] variables: BITCOIN_ONLY: "1" script: - $NIX_SHELL --run "poetry run make -C core build_firmware" - mv core/build/firmware/firmware.bin core/build/firmware/firmware-bitcoinonly.bin - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware-bitcoinonly.bin" - cp core/build/firmware/firmware-bitcoinonly.bin firmware-T2T1-btconly-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week core fw btconly debug build: stage: build <<: *gitlab_caching needs: [] variables: BITCOIN_ONLY: "1" PYOPT: "0" script: - $NIX_SHELL --run "poetry run make -C core build_firmware" - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin only: # currently used only for HW tests and deploys - schedules # nightly build - /^legacy\// - /^release\// - /^secfix\// - /^hw\// - /^core\// artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week core fw btconly production build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: PRODUCTION: "1" BITCOIN_ONLY: "1" script: - $NIX_SHELL --run "poetry run make -C core build_firmware" - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin" - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T2T1-btconly-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week # Non-frozen emulator build. This means you still need Python files # present which get interpreted. core unix regular build: stage: build <<: *gitlab_caching needs: [] script: - $NIX_SHELL --run "poetry run make -C core build_unix" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - core/build/unix # most of it needed by test_rust expire_in: 1 week core unix regular asan build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: ADDRESS_SANITIZER: "1" script: - $NIX_SHELL --run "poetry run make -C core build_unix" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - core/build/unix # most of it needed by test_rust expire_in: 1 week # Build of Core into UNIX emulator. Something you can run on your laptop. # Frozen version. That means you do not need any other files to run it, # it is just a single binary file that you can execute directly. core unix frozen regular build: stage: build <<: *gitlab_caching needs: [] script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - core/build/unix/trezor-emu-core expire_in: 1 week # Build of Core into UNIX emulator. Something you can run on your laptop. # Frozen version. That means you do not need any other files to run it, # it is just a single binary file that you can execute directly. # See [Emulator](../core/emulator/index.md) for more info. # Debug mode enabled, Bitcoin-only version. core unix frozen btconly debug build: stage: build <<: *gitlab_caching needs: [] variables: PYOPT: "0" BITCOIN_ONLY: "1" script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - core/build/unix/trezor-emu-core-bitcoinonly expire_in: 1 week core unix frozen btconly debug asan build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: PYOPT: "0" BITCOIN_ONLY: "1" ADDRESS_SANITIZER: "1" script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - core/build/unix/trezor-emu-core-bitcoinonly expire_in: 1 week # Build of Core into UNIX emulator. Something you can run on your laptop. # Frozen version. That means you do not need any other files to run it, # it is just a single binary file that you can execute directly. # **Are you looking for a Trezor T emulator? This is most likely it.** core unix frozen debug build: stage: build <<: *gitlab_caching needs: [] variables: PYOPT: "0" script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" untracked: true expire_in: 1 week core unix frozen debug asan build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: PYOPT: "0" ADDRESS_SANITIZER: "1" script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" untracked: true expire_in: 1 week core unix frozen debug build arm: image: nixos/nix stage: build <<: *gitlab_caching needs: [] only: - master - tags - /^release\// - /^secfix\// variables: PYOPT: "0" NIX_SHELL: "nix-shell" script: - $NIX_SHELL --run "poetry run make -C core build_unix_frozen" - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" untracked: true expire_in: 1 week tags: - docker_darwin_arm core macos frozen regular build: stage: build <<: *gitlab_caching needs: [] when: manual tags: - darwin_arm script: - $NIX_SHELL --option system x86_64-darwin --run "poetry run make -C core build_unix_frozen" - export NAME="trezor-emu-core.darwin" - cp -v core/build/unix/trezor-emu-core ./$NAME - chmod +x $NAME - echo '"$(dirname "$BASH_SOURCE")"/trezor-emu-core.darwin' > trezor-emulator.command - chmod u+x trezor-emulator.command allow_failure: true artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - trezor-emu-core.darwin - trezor-emulator.command expire_in: 1 week # Crypto # Build of our cryptographic library, which is then incorporated into the other builds. crypto build: stage: build <<: *gitlab_caching needs: [] variables: ADDRESS_SANITIZER: "1" only: changes: - .gitlab-ci.yml - ci/** - crypto/** script: - cp -r crypto crypto_noasan - $NIX_SHELL --run "poetry run make -C crypto" - $NIX_SHELL --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan" - mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - crypto/tests/aestst - crypto/tests/libtrezor-crypto.so - crypto/tests/test_check - crypto/tests/test_check_noasan - crypto/tests/test_openssl expire_in: 1 week # Legacy legacy fw regular build: stage: build <<: *gitlab_caching needs: [] script: - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run legacy/script/setup" - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run make -C legacy/demo" - mv legacy/firmware/trezor.bin firmware-T1B1-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T1B1-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week legacy fw regular debug build: stage: build <<: *gitlab_caching needs: [] variables: DEBUG_LINK: "1" script: - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run legacy/script/setup" - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild" - mv legacy/firmware/trezor.bin firmware-T1B1-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T1B1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week legacy fw btconly build: stage: build <<: *gitlab_caching needs: [] variables: BITCOIN_ONLY: "1" script: - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run legacy/script/setup" - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild" - mv legacy/firmware/trezor.bin legacy/firmware/trezor-bitcoinonly.bin - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor-bitcoinonly.bin" - mv legacy/firmware/trezor-bitcoinonly.bin firmware-T1B1-btconly-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T1B1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week legacy fw btconly debug build: stage: build <<: *gitlab_caching needs: [] variables: BITCOIN_ONLY: "1" DEBUG_LINK: "1" script: - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run legacy/script/setup" - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild" - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor.bin" - mv legacy/firmware/trezor.bin firmware-T1B1-btconly-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - firmware-T1B1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin expire_in: 1 week # Regular version (not only Bitcoin) of above. # **Are you looking for a Trezor One emulator? This is most likely it.** legacy emu regular debug build: stage: build <<: *gitlab_caching needs: [] variables: DEBUG_LINK: "1" EMULATOR: "1" script: - $NIX_SHELL --run "poetry run legacy/script/cibuild" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - legacy/firmware/trezor.elf expire_in: 1 week legacy emu regular debug asan build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: DEBUG_LINK: "1" EMULATOR: "1" ADDRESS_SANITIZER: "1" script: - $NIX_SHELL --run "poetry run legacy/script/cibuild" artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - legacy/firmware/trezor.elf expire_in: 1 week legacy emu regular debug build arm: image: nixos/nix stage: build <<: *gitlab_caching needs: [] only: - master - tags - /^release\// - /^secfix\// variables: DEBUG_LINK: "1" EMULATOR: "1" NIX_SHELL: "nix-shell" script: - $NIX_SHELL --run "poetry run legacy/script/cibuild" - mv legacy/firmware/trezor.elf legacy/firmware/trezor-arm.elf artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - legacy/firmware/trezor-arm.elf expire_in: 1 week tags: - docker_darwin_arm # Build of Legacy into UNIX emulator. Use keyboard arrows to emulate button presses. # Bitcoin-only version. legacy emu btconly debug build: stage: build <<: *gitlab_caching needs: [] variables: BITCOIN_ONLY: "1" DEBUG_LINK: "1" EMULATOR: "1" script: - $NIX_SHELL --run "poetry run legacy/script/cibuild" - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - legacy/firmware/trezor-bitcoinonly.elf expire_in: 1 week legacy emu btconly debug asan build: stage: build <<: *gitlab_caching needs: [] only: - schedules # nightly build variables: BITCOIN_ONLY: "1" DEBUG_LINK: "1" EMULATOR: "1" ADDRESS_SANITIZER: "1" script: - $NIX_SHELL --run "poetry run legacy/script/cibuild" - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf artifacts: name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA" paths: - legacy/firmware/trezor-bitcoinonly.elf expire_in: 1 week