trezor-firmware/ci/build.yml
Ondřej Vejpustek ccb242ee1c chore(core): introduce THP flag
[no changelog]
2024-05-10 20:05:37 +02:00


# Every job in this file publishes its output as a GitLab artifact, so the
# resulting binaries can be downloaded and used directly from the pipeline.
# Default runner image for all jobs below (jobs may override `image:` locally).
image: registry.gitlab.com/satoshilabs/trezor/trezor-firmware/trezor-firmware-env.nix
# Caching
# Hidden job (leading dot) used only as an anchor; jobs pull it in with
# `<<: *gitlab_caching`. Note the merge is shallow: a job that declares its
# own `cache:` replaces this mapping entirely rather than extending it.
.gitlab_caching: &gitlab_caching
  cache:
    # One cache per branch/tag slug so refs do not share a .venv.
    key: "$CI_COMMIT_REF_SLUG"
    paths:
      - .venv/
# Pipeline-wide variables. NOTE(review): indentation was lost in this rendering;
# these are read as top-level (global) variables rather than part of the
# `.gitlab_caching` anchor above — confirm against the repository.
variables:
  SDL_VIDEODRIVER: "dummy"
  XDG_RUNTIME_DIR: "/var/tmp"
# Core
# Build of Core into firmware. Regular version.
# **Are you looking for Trezor T firmware build? This is most likely it.**
core fw regular build:
  <<: *gitlab_caching
  stage: build
  # Empty `needs` lets the job start immediately, independent of other jobs.
  needs: []
  script:
    # Boardloader, bootloaders and prodtest are built next to the firmware itself.
    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    - $NIX_SHELL --run "poetry run make -C core sizecheck"
    # Artifact name encodes model (T2T1), core version and short commit hash.
    - cp core/build/firmware/firmware.bin firmware-T2T1-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      - firmware-T2T1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Build of Core into firmware with enabled _debug_ mode. In debug mode you can
# upload mnemonic seed, use debug link etc. which enables device tests. Storage
# on the device gets wiped on every start in this firmware.
core fw regular debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  script:
    # PYOPT=0 selects the debug variant described in the comment above.
    - $NIX_SHELL --run "PYOPT=0 poetry run make -C core build_firmware"
    # The -debug- infix keeps this artifact distinguishable from the regular one.
    - cp core/build/firmware/firmware.bin firmware-T2T1-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      - firmware-T2T1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Same build steps as "core fw regular build", but with PRODUCTION=1 and only
# on scheduled (nightly) pipelines. No .elf is published from this job.
core fw regular production build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    PRODUCTION: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    - $NIX_SHELL --run "poetry run make -C core sizecheck"
    - cp core/build/firmware/firmware.bin firmware-T2T1-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Build of Core into firmware. Bitcoin-only version.
core fw btconly build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    # Rename first so the checker and the artifact copy both see the btconly name.
    - mv core/build/firmware/firmware.bin core/build/firmware/firmware-bitcoinonly.bin
    # Verifies the image really is Bitcoin-only before it is published.
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware-bitcoinonly.bin"
    - cp core/build/firmware/firmware-bitcoinonly.bin firmware-T2T1-btconly-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
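# Bitcoin-only firmware with PYOPT=0 (debug). Unlike the non-debug btconly job,
# no check-bitcoin-only pass is run here.
core fw btconly debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    PYOPT: "0"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  only:  # currently used only for HW tests and deploys
    - schedules # nightly build
    - /^legacy\//
    - /^release\//
    - /^secfix\//
    - /^hw\//
    - /^core\//
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      # Glob names the -debug- artifact explicitly, matching the file copied
      # above and the pattern used by the other debug jobs in this file; the
      # previous `btconly-*.*.*` pattern matched the same file only because
      # `*` also swallowed the "debug-" segment.
      - firmware-T2T1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week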
# Nightly-only Bitcoin-only firmware with PRODUCTION=1.
core fw btconly production build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    PRODUCTION: "1"
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_firmware"
    # Bitcoin-only check runs on the build output before it is renamed.
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin"
    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T2T1-btconly-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Nightly-only firmware for TREZOR_MODEL=DISC1; artifacts use the D001 prefix.
core fw DISC1 build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    TREZOR_MODEL: "DISC1"
  script:
    # NOTE(review): invokes nix-shell directly, whereas sibling jobs go through
    # the $NIX_SHELL wrapper — confirm this difference is intentional.
    - nix-shell --run "poetry run make -C core build_boardloader"
    - nix-shell --run "poetry run make -C core build_bootloader"
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin firmware-D001-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-D001-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Debug (PYOPT=0) firmware for TREZOR_MODEL=R; artifact prefix is "trezor-fw-debug-tr".
core fw R debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    TREZOR_MODEL: "R"
    PYOPT: "0"
  script:
    # NOTE(review): uses nix-shell directly rather than $NIX_SHELL like most
    # other jobs here — confirm this is intended.
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin trezor-fw-debug-tr-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      # Broad glob: also matches the non-debug "trezor-fw-tr-" naming.
      - trezor-fw-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Regular (non-debug) firmware for TREZOR_MODEL=R.
core fw R build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    TREZOR_MODEL: "R"
  script:
    # NOTE(review): uses nix-shell directly rather than $NIX_SHELL — confirm.
    - nix-shell --run "poetry run make -C core build_firmware"
    - cp core/build/firmware/firmware.bin trezor-fw-tr-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
    - cp core/build/firmware/firmware.elf firmware.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware.elf
      - trezor-fw-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Non-frozen emulator build. This means you still need Python files
# present which get interpreted.
core unix regular build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    # THP flag introduced by this commit; only this unix build sets it.
    THP: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      # Whole build tree is kept, not just the binary — test_rust relies on it.
      - core/build/unix
    expire_in: 1 week
# Non-frozen emulator build for model R.
core unix regular R build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    TREZOR_MODEL: "R"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      # Whole build tree is kept — most of it is needed by test_rust.
      - core/build/unix
    expire_in: 1 week
# Nightly-only non-frozen emulator build with ADDRESS_SANITIZER=1; also
# produces the emulated bootloader.
core unix regular asan build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/bootloader_emu/bootloader.elf
      - core/build/unix # most of it needed by test_rust
    expire_in: 1 week
# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
core unix frozen regular build:
  <<: *gitlab_caching
  stage: build
  needs: []
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      # Only the two binaries are published, unlike the non-frozen jobs.
      - core/build/bootloader_emu/bootloader.elf
      - core/build/unix/trezor-emu-core
    expire_in: 1 week
# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
# See [Emulator](../core/emulator/index.md) for more info.
# Debug mode enabled, Bitcoin-only version.
core unix frozen btconly debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    PYOPT: "0"
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    # Rename so the btconly emulator cannot be confused with the regular one.
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/unix/trezor-emu-core-bitcoinonly
    expire_in: 1 week
# Nightly-only variant of the frozen btconly debug emulator with ADDRESS_SANITIZER=1.
core unix frozen btconly debug asan build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    PYOPT: "0"
    BITCOIN_ONLY: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - core/build/unix/trezor-emu-core-bitcoinonly
    expire_in: 1 week
# Build of Core into UNIX emulator. Something you can run on your laptop.
# Frozen version. That means you do not need any other files to run it,
# it is just a single binary file that you can execute directly.
# **Are you looking for a Trezor T emulator? This is most likely it.**
core unix frozen debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    PYOPT: "0"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    # NOTE(review): `untracked: true` publishes every git-untracked file in the
    # checkout, not just the emulator — confirm the workspace holds nothing
    # that should not leave the pipeline.
    untracked: true
    expire_in: 1 week
# Frozen debug emulator for TREZOR_MODEL=R, kept for 10 weeks (longer than
# the 1-week default used by most jobs here).
core unix frozen R debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    PYOPT: "0"
    TREZOR_MODEL: "R"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_bootloader_emu"
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    # All git-untracked files in the checkout are uploaded, not a fixed path list.
    untracked: true
    expire_in: 10 weeks
# Frozen debug emulator for TREZOR_MODEL=T3T1; no emulated bootloader is built here.
core unix frozen T3T1 debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    PYOPT: "0"
    TREZOR_MODEL: "T3T1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    # All git-untracked files in the checkout are uploaded, not a fixed path list.
    untracked: true
    expire_in: 10 weeks
# ARM (darwin runner) variant of the frozen R debug emulator. Uses the plain
# nixos/nix image instead of the pipeline default and runs only on main, tags
# and release/secfix branches.
core unix frozen R debug build arm:
  image: nixos/nix
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    PYOPT: "0"
    TREZOR_MODEL: "R"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    # -arm suffix distinguishes this binary from the x86 build of the same job family.
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 10 weeks
  tags:
    - docker_darwin_arm
# ARM (darwin runner) variant of the frozen T3T1 debug emulator; same
# trigger rules and image as the R arm job above.
core unix frozen T3T1 debug build arm:
  image: nixos/nix
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    PYOPT: "0"
    TREZOR_MODEL: "T3T1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 10 weeks
  tags:
    - docker_darwin_arm
# Nightly-only frozen debug emulator with ADDRESS_SANITIZER=1.
core unix frozen debug asan build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    PYOPT: "0"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 1 week
# ARM (darwin runner) variant of the frozen debug emulator for the default model.
core unix frozen debug build arm:
  image: nixos/nix
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    PYOPT: "0"
  script:
    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    untracked: true
    expire_in: 1 week
  tags:
    - docker_darwin_arm
# Manually triggered macOS build of the frozen emulator on a darwin_arm runner.
# Failure does not fail the pipeline (`allow_failure: true`).
core macos frozen regular build:
  <<: *gitlab_caching
  stage: build
  needs: []
  when: manual
  tags:
    - darwin_arm
  script:
    # Nix is asked for an x86_64-darwin build even though the runner is ARM.
    - $NIX_SHELL --option system x86_64-darwin --run "poetry run make -C core build_unix_frozen"
    - export NAME="trezor-emu-core.darwin"
    - cp -v core/build/unix/trezor-emu-core ./$NAME
    - chmod +x $NAME
    # Tiny launcher script so the binary can be started from Finder; it resolves
    # the emulator relative to its own location.
    - echo '"$(dirname "$BASH_SOURCE")"/trezor-emu-core.darwin' > trezor-emulator.command
    - chmod u+x trezor-emulator.command
  allow_failure: true
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - trezor-emu-core.darwin
      - trezor-emulator.command
    expire_in: 1 week
# Crypto
# Build of our cryptographic library, which is then incorporated into the other builds.
crypto build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    ADDRESS_SANITIZER: "1"
    CC: gcc
  # Only runs when the CI config or the crypto tree itself changes.
  only:
    changes:
      - .gitlab-ci.yml
      - ci/**
      - crypto/**
  script:
    # Two builds from one checkout: a sanitized one in crypto/ and a plain one
    # in a copied tree, so both test_check binaries can be published.
    - cp -r crypto crypto_noasan
    - $NIX_SHELL --run "poetry run make -C crypto"
    - $NIX_SHELL --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan"
    - mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - crypto/tests/aestst
      - crypto/tests/libtrezor-crypto.so
      - crypto/tests/test_check
      - crypto/tests/test_check_noasan
      - crypto/tests/test_openssl
    expire_in: 1 week
# Legacy
# Legacy (T1B1) firmware. cibuild runs twice, with PRODUCTION=1 and then
# PRODUCTION=0, with the setup script in between.
legacy fw regular build:
  <<: *gitlab_caching
  stage: build
  needs: []
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run make -C legacy/demo"
    # NOTE(review): the published .bin is whatever the second (PRODUCTION=0)
    # cibuild left in legacy/firmware/ — confirm that is the intended artifact.
    - mv legacy/firmware/trezor.bin firmware-T1B1-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Legacy firmware with DEBUG_LINK=1; same two-pass cibuild as the regular job,
# minus the demo build.
legacy fw regular debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    DEBUG_LINK: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.bin firmware-T1B1-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Bitcoin-only legacy firmware, verified with check-bitcoin-only before publishing.
legacy fw btconly build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    BITCOIN_ONLY: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.bin legacy/firmware/trezor-bitcoinonly.bin
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor-bitcoinonly.bin"
    - mv legacy/firmware/trezor-bitcoinonly.bin firmware-T1B1-btconly-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Bitcoin-only legacy firmware with DEBUG_LINK=1; the btconly check runs on
# trezor.bin in place before the artifact is renamed.
legacy fw btconly debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
  script:
    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run legacy/script/setup"
    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor.bin"
    - mv legacy/firmware/trezor.bin firmware-T1B1-btconly-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - firmware-T1B1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
    expire_in: 1 week
# Regular version (not only Bitcoin) of above.
# **Are you looking for a Trezor One emulator? This is most likely it.**
legacy emu regular debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    # A single cibuild pass; the emulator is the resulting .elf.
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor.elf
    expire_in: 1 week
# Nightly-only legacy emulator with ADDRESS_SANITIZER=1.
legacy emu regular debug asan build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor.elf
    expire_in: 1 week
# ARM (darwin runner) variant of the legacy debug emulator; same trigger
# rules and image as the core arm jobs.
legacy emu regular debug build arm:
  image: nixos/nix
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - main
    - tags
    - /^release\//
    - /^secfix\//
  variables:
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.elf legacy/firmware/trezor-arm.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-arm.elf
    expire_in: 1 week
  tags:
    - docker_darwin_arm
# Build of Legacy into UNIX emulator. Use keyboard arrows to emulate button presses.
# Bitcoin-only version.
legacy emu btconly debug build:
  <<: *gitlab_caching
  stage: build
  needs: []
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
    EMULATOR: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    # Renamed so it does not collide with the regular emulator artifact.
    - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-bitcoinonly.elf
    expire_in: 1 week
# Nightly-only Bitcoin-only legacy emulator with ADDRESS_SANITIZER=1.
legacy emu btconly debug asan build:
  <<: *gitlab_caching
  stage: build
  needs: []
  only:
    - schedules # nightly build
  variables:
    BITCOIN_ONLY: "1"
    DEBUG_LINK: "1"
    EMULATOR: "1"
    ADDRESS_SANITIZER: "1"
  script:
    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
    - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
    paths:
      - legacy/firmware/trezor-bitcoinonly.elf
    expire_in: 1 week