# All builds are published as artifacts so they can be downloaded and used.

# Default image for every job that does not set its own `image:` (the arm
# jobs below override it with nixos/nix). No tag or digest is given, so the
# registry's default tag is resolved at run time — NOTE(review): pinning a
# tag or digest would make job environments reproducible across reruns;
# confirm whether this image is rebuilt by the pipeline itself.
image: registry.gitlab.com/satoshilabs/trezor/trezor-firmware/trezor-firmware-env.nix

# Caching
# Hidden job (leading dot, never run) used only as a YAML anchor; jobs pull
# it in with `<<: *gitlab_caching`. The cache is keyed per branch/tag slug,
# so refs never share cache contents, and holds `.venv/` (presumably the
# poetry virtualenv behind `poetry run` — confirm).
.gitlab_caching: &gitlab_caching
  cache:
    key: "$CI_COMMIT_REF_SLUG"
    paths:
      - .venv/

# Global variables inherited by every job; a job-level `variables:` block
# adds to (and may override) these. `$NIX_SHELL`, `$CORE_VERSION` and
# `$LEGACY_VERSION` used below are not defined in this file — presumably
# they come from an included/parent configuration.
variables:
  SDL_VIDEODRIVER: "dummy"  # SDL dummy video driver: emulator binaries run without a display
  XDG_RUNTIME_DIR: "/var/tmp"

# Core

# Build of Core into firmware. Regular version.
# **Are you looking for Trezor T firmware build? This is most likely it.**
# Builds every image of the T2T1 boot chain (boardloader, bootloader,
# bootloader_ci, prodtest) plus the firmware, then runs `sizecheck`. The
# published .bin name embeds $CORE_VERSION and the short commit SHA so an
# artifact can always be traced back to the commit that produced it.
core fw regular build:
  stage: build
  <<: *gitlab_caching
  needs: []  # no upstream dependency: starts as soon as the pipeline does
  script:
    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    # presumably fails the job when an image exceeds its size budget — confirm in core/Makefile
    - $NIX_SHELL --run "poetry run make -C core sizecheck"
    - cp core/build/firmware/firmware.bin firmware-T2T1-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      # must keep matching the cp target above; `*.*.*` stands in for $CORE_VERSION
      - firmware-T2T1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Build of Core into firmware with enabled _debug_ mode. In debug mode you can
# upload mnemonic seed, use debug link etc. which enables device tests. Storage
# on the device gets wiped on every start in this firmware.
# Only the firmware image is built here (no boot-chain images, no sizecheck);
# the artifact name carries a `debug` marker so it cannot be confused with
# the regular build's output.
core fw regular debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  script:
    # PYOPT=0 selects debug mode; other debug jobs in this file set it via `variables:` instead
    - $NIX_SHELL --run "PYOPT=0 poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin firmware-T2T1-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      - firmware-T2T1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Production variant of "core fw regular build": same targets, but with
# PRODUCTION=1 and only on scheduled (nightly) pipelines. Only the firmware
# .bin is published — the .elf is deliberately not part of the artifact.
core fw regular production build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    PRODUCTION: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    - $NIX_SHELL --run "poetry run make -C core sizecheck"
    - cp core/build/firmware/firmware.bin firmware-T2T1-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Build of Core into firmware. Bitcoin-only version.
# The image is renamed and then passed through ./tools/check-bitcoin-only
# before it is copied into the artifact; a failing check fails the job, so
# an image that does not pass the bitcoin-only check is never published.
core fw btconly build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    - mv core/build/firmware/firmware.bin core/build/firmware/firmware-bitcoinonly.bin
    # gate: verify the built image before publishing it
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware-bitcoinonly.bin"
    - cp core/build/firmware/firmware-bitcoinonly.bin firmware-T2T1-btconly-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

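# Bitcoin-only firmware with debug mode (PYOPT=0) enabled.
# Like the other btconly firmware jobs ("core fw btconly build",
# "legacy fw btconly debug build"), the image is run through
# ./tools/check-bitcoin-only before it is published, so a debug build that
# accidentally pulls in non-Bitcoin code cannot reach the HW-test / deploy
# consumers of this artifact.
core fw btconly debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    PYOPT: "0"  # debug mode
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    # gate: same check the non-debug btconly jobs apply before publishing
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin"
    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  only:  # currently used only for HW tests and deploys
    - schedules  # nightly build
    - /^legacy\//
    - /^release\//
    - /^secfix\//
    - /^hw\//
    - /^core\//
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      # glob narrowed to the debug name actually produced above (the previous
      # `firmware-T2T1-btconly-*.*.*` pattern also admitted the non-debug name)
      - firmware-T2T1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week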

# Production variant of the Bitcoin-only firmware: PRODUCTION=1, nightly
# only. The image is verified with ./tools/check-bitcoin-only in place
# (no rename, unlike "core fw btconly build") before being copied out.
core fw btconly production build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    PRODUCTION: "1"
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    # gate: verify the built image before publishing it
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin"
    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-btconly-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Firmware for the DISC1 model (TREZOR_MODEL=DISC1), nightly only. Builds
# boardloader, bootloader and firmware; the artifact is named with the
# `D001` code rather than the TREZOR_MODEL value.
# NOTE(review): this job (and the two R jobs below) invokes `nix-shell`
# directly while every other job uses `$NIX_SHELL`; if $NIX_SHELL carries
# extra arguments, these builds run in a different environment — confirm.
core fw DISC1 build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    TREZOR_MODEL: "DISC1"
  script:
    - nix-shell --run "poetry run make -C core build_boardloader"
    - nix-shell --run "poetry run make -C core build_bootloader"
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin firmware-D001-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-D001-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Debug-mode (PYOPT=0) firmware for model R (TREZOR_MODEL=R). Runs on every
# pipeline. The artifact follows a `trezor-fw-<variant>-tr-<version>-<sha>`
# naming scheme, unlike the `firmware-<model>-...` scheme of the T2T1 jobs.
# NOTE(review): uses `nix-shell` directly instead of `$NIX_SHELL` — confirm
# this is intended.
core fw R debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    TREZOR_MODEL: "R"
    PYOPT: "0"  # debug mode
  script:
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin trezor-fw-debug-tr-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      # the leading `*` also absorbs the `debug-tr-` part of the name above
      - trezor-fw-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Regular (non-debug) firmware for model R (TREZOR_MODEL=R). Same shape as
# "core fw R debug build" without PYOPT=0; artifact named `trezor-fw-tr-...`.
# NOTE(review): uses `nix-shell` directly instead of `$NIX_SHELL` — confirm
# this is intended.
core fw R build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    TREZOR_MODEL: "R"
  script:
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin trezor-fw-tr-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      # the leading `*` also absorbs the `tr-` part of the name above
      - trezor-fw-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Non-frozen emulator build. This means you still need Python files
# present which get interpreted.
# The whole core/build/unix directory is published because downstream
# jobs (test_rust, per the inline note) consume more than the binary.
core unix regular build:
  stage: build
  <<: *gitlab_caching
  needs: []
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/unix  # most of it needed by test_rust
    expire_in: 1 week

# Non-frozen emulator built with AddressSanitizer (ADDRESS_SANITIZER=1),
# nightly only. Also builds the bootloader emulator and publishes its .elf
# alongside the core/build/unix tree.
core unix regular asan build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/bootloader_emu/bootloader.elf
      - core/build/unix  # most of it needed by test_rust
    expire_in: 1 week

# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
# Publishes exactly two files: the bootloader emulator .elf and the frozen
# core emulator binary (no PYOPT override, so this is the non-debug variant).
core unix frozen regular build:
  stage: build
  <<: *gitlab_caching
  needs: []
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/bootloader_emu/bootloader.elf
      - core/build/unix/trezor-emu-core
    expire_in: 1 week

# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
# See [Emulator](../core/emulator/index.md) for more info.
# Debug mode enabled, Bitcoin-only version.
# The binary is renamed to `-bitcoinonly` so it can coexist with the regular
# emulator in downstream jobs. NOTE(review): unlike the btconly firmware
# jobs, no check-bitcoin-only step runs here — confirm whether the tool
# supports emulator binaries.
core unix frozen btconly debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    PYOPT: "0"  # debug mode
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/unix/trezor-emu-core-bitcoinonly
    expire_in: 1 week

# AddressSanitizer variant of "core unix frozen btconly debug build",
# nightly only. Produces the same `-bitcoinonly` artifact path, so the two
# jobs must not be consumed together in one downstream job.
core unix frozen btconly debug asan build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    PYOPT: "0"  # debug mode
    BITCOIN_ONLY: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/unix/trezor-emu-core-bitcoinonly
    expire_in: 1 week

# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
# **Are you looking for a Trezor T emulator? This is most likely it.**
# NOTE(review): `untracked: true` publishes every git-untracked file in the
# checkout, not just the emulator binary — broader (and larger) than the
# explicit `paths:` lists used by the sibling jobs; confirm it is intended.
core unix frozen debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    PYOPT: "0"  # debug mode
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 1 week

# Frozen debug emulator for model R (TREZOR_MODEL=R, PYOPT=0), including the
# bootloader emulator. Artifacts are kept for 10 weeks (the other emulator
# jobs use 1 week) and, like "core unix frozen debug build", are collected
# with `untracked: true` rather than an explicit path list.
core unix frozen R debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    PYOPT: "0"  # debug mode
    TREZOR_MODEL: "R"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 10 weeks

# arm64 variant of the model R debug emulator, built on a `docker_darwin_arm`
# runner with the public nixos/nix image instead of the project image.
# NOTE(review): nixos/nix is unpinned (no tag/digest), so the toolchain this
# job runs in can change between pipelines — confirm whether pinning is wanted.
core unix frozen R debug build arm:
  image: nixos/nix
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    PYOPT: "0"  # debug mode
    TREZOR_MODEL: "R"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    # `-arm` suffix keeps it distinct from the x86 emulator in downstream jobs
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 10 weeks
  tags:
    - docker_darwin_arm

# AddressSanitizer variant of "core unix frozen debug build", nightly only.
# Same `untracked: true` artifact collection as that job.
core unix frozen debug asan build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    PYOPT: "0"  # debug mode
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 1 week

# arm64 variant of the Trezor T frozen debug emulator. Restricted to main,
# tags and release/secfix branches (the only `only:` filter of this kind in
# the core emulator jobs), and runs on a `docker_darwin_arm` runner with the
# unpinned public nixos/nix image — see the note on
# "core unix frozen R debug build arm".
core unix frozen debug build arm:
  image: nixos/nix
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    PYOPT: "0"  # debug mode
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 1 week
  tags:
    - docker_darwin_arm

# macOS frozen emulator. Manual-only, on a `darwin_arm` runner, and
# `allow_failure: true` so a broken macOS build never blocks the pipeline.
# Builds for `x86_64-darwin` via `--option system` (presumably relying on the
# runner's ability to run x86_64 binaries — confirm), then wraps the binary
# in a double-clickable `.command` launcher.
core macos frozen regular build:
  stage: build
  <<: *gitlab_caching
  needs: []
  when: manual
  tags:
    - darwin_arm
  script:
    - $NIX_SHELL --option system x86_64-darwin --run "poetry run make -C core build_unix_frozen"
    - export NAME="trezor-emu-core.darwin"
    - cp -v core/build/unix/trezor-emu-core ./$NAME
    - chmod +x $NAME
    # single quotes keep $(dirname "$BASH_SOURCE") literal here; it is expanded
    # when the user runs the .command file, locating the binary next to it
    - echo '"$(dirname "$BASH_SOURCE")"/trezor-emu-core.darwin' > trezor-emulator.command
    - chmod u+x trezor-emulator.command
  allow_failure: true
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - trezor-emu-core.darwin
      - trezor-emulator.command
    expire_in: 1 week

# Crypto

# Build of our cryptographic library, which is then incorporated into the other builds.
# Runs only when the CI config, ci/ or crypto/ change. The tree is built
# twice: once in place with ADDRESS_SANITIZER=1 (from `variables:`), and once
# in a `crypto_noasan` copy where the shell overrides it to 0, so both an
# ASan and a plain `test_check` binary are published for the test stage.
crypto build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    ADDRESS_SANITIZER: "1"
    CC: gcc
  only:
    changes:
      - .gitlab-ci.yml
      - ci/**
      - crypto/**
  script:
    - cp -r crypto crypto_noasan
    - $NIX_SHELL --run "poetry run make -C crypto"
    # the export inside the shell overrides the job-level ADDRESS_SANITIZER=1
    - $NIX_SHELL --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan"
    - mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - crypto/tests/aestst
      - crypto/tests/libtrezor-crypto.so
      - crypto/tests/test_check
      - crypto/tests/test_check_noasan
      - crypto/tests/test_openssl
    expire_in: 1 week


# Legacy

# Legacy (T1B1) firmware, regular version. cibuild runs twice — first with
# PRODUCTION=1, then, after legacy/script/setup, with PRODUCTION=0 — and the
# .bin moved into the artifact is whatever the last (PRODUCTION=0) run left
# in legacy/firmware/; presumably the first run is a compile check only —
# confirm. The legacy/demo build output is not published.
legacy fw regular build:
  stage: build
  <<: *gitlab_caching
  needs: []
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run make -C legacy/demo"
    - mv legacy/firmware/trezor.bin firmware-T1B1-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Legacy (T1B1) firmware with DEBUG_LINK=1 (the legacy equivalent of the
# core PYOPT=0 debug builds). Same two-pass cibuild sequence as
# "legacy fw regular build", without the demo build; artifact carries a
# `debug` marker.
legacy fw regular debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    DEBUG_LINK: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.bin firmware-T1B1-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Legacy (T1B1) Bitcoin-only firmware. After the two-pass cibuild the image
# is renamed, verified with ./tools/check-bitcoin-only, and only then moved
# into the artifact name — a failing check fails the job before publishing.
legacy fw btconly build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.bin legacy/firmware/trezor-bitcoinonly.bin
    # gate: verify the built image before publishing it
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor-bitcoinonly.bin"
    - mv legacy/firmware/trezor-bitcoinonly.bin firmware-T1B1-btconly-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Legacy (T1B1) Bitcoin-only firmware with DEBUG_LINK=1. The image is
# verified with ./tools/check-bitcoin-only in place before being moved into
# the artifact name, so the debug variant is gated the same way as the
# regular btconly build.
legacy fw btconly debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    # gate: verify the built image before publishing it
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor.bin"
    - mv legacy/firmware/trezor.bin firmware-T1B1-btconly-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week

# Regular version (not only Bitcoin) of the legacy emulator build below.
# **Are you looking for a Trezor One emulator? This is most likely it.**
# EMULATOR=1 makes cibuild produce a host binary (legacy/firmware/trezor.elf)
# instead of a device image; a single cibuild pass, no PRODUCTION toggling.
legacy emu regular debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor.elf
    expire_in: 1 week

# AddressSanitizer variant of "legacy emu regular debug build", nightly only.
# Publishes the same legacy/firmware/trezor.elf path as that job.
legacy emu regular debug asan build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor.elf
    expire_in: 1 week

# arm64 variant of the legacy debug emulator: main/tags/release/secfix only,
# `docker_darwin_arm` runner, unpinned public nixos/nix image (see the note on
# "core unix frozen R debug build arm"). The binary is renamed to
# trezor-arm.elf so it does not collide with the x86 emulator downstream.
legacy emu regular debug build arm:
  image: nixos/nix
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.elf  legacy/firmware/trezor-arm.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-arm.elf
    expire_in: 1 week
  tags:
    - docker_darwin_arm

# Build of Legacy into UNIX emulator. Use keyboard arrows to emulate button presses.
# Bitcoin-only version.
# Renamed to trezor-bitcoinonly.elf so it can sit next to the regular
# emulator in downstream jobs. NOTE(review): as with the core emulator jobs,
# no check-bitcoin-only step runs on the emulator binary — confirm whether
# the tool supports .elf inputs.
legacy emu btconly debug build:
  stage: build
  <<: *gitlab_caching
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-bitcoinonly.elf
    expire_in: 1 week

# AddressSanitizer variant of "legacy emu btconly debug build", nightly only.
# Produces the same trezor-bitcoinonly.elf artifact path as that job.
legacy emu btconly debug asan build:
  stage: build
  <<: *gitlab_caching
  needs: []
  only:
    - schedules  # nightly build
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
    EMULATOR: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-bitcoinonly.elf
    expire_in: 1 week