Simplify, run inside of a sandbox

Author: staticfloat

.buildkite/coverage-linux64/0_webui.yml

@@ -0,0 +1,16 @@
+# This file represents what is put into the webUI.
+# It is purely for keeping track of the changes we make to the webUI configuration; modifying this file has no effect.
+# We use the `cryptic` buildkite plugin to provide secrets management, which requires some integration into the WebUI's steps.
+agents:
+  queue: "julia"
+  sandbox.jl: "true"
+
+steps:
+  - label: ":unlock: Unlock secrets, launch pipelines"
+    plugins:
+      - staticfloat/cryptic:
+          # Our signed pipelines must have a `signature` or `signature_file` parameter that
+          # verifies the treehash of the pipeline itself and the inputs listed in `inputs`
+          signed_pipelines:
+            - pipeline: .buildkite/coverage-linux64/pipeline.yml
+              signature: "U2FsdGVkX1+/lr4O7tYOavO3zubp1KCSw0nbznj1mH354bH3UTM0HaDX2CpkmOYYxpE5klotf9mo366YvVeS/fbpazKlKDnetPgI8eWFLJh7ho9nbq9jPJUYscddla9R"

.buildkite/coverage-linux64/README.md

@@ -0,0 +1,6 @@
+# Coverage pipeline
+
+We run coverage on a separate pipeline, that uses a scheduled build rather than webhooks.
+The pipeline is here: https://buildkite.com/julialang/julia-coverage-linux64
+
+It contains [its own webui steps](0_webuiy.ml) (listed here in this repository for clarity) and its own [pipeline.yml](pipeline.yml).

.buildkite/coverage-linux64/pipeline.yml

@@ -1,24 +1,43 @@
+# These steps should only run on `sandbox.jl` machines, not `docker`-isolated ones
+# since we need nestable sandboxing.  The rootfs images being used here are built from
+# the `.buildkite/rootfs_images/llvm-passes.jl` file.
+agents:
+  queue: "julia"
+  # Only run on `sandbox.jl` machines (not `docker`-isolated ones) since we need nestable sandboxing
+  sandbox.jl: "true"
+  os: "linux"
+
 steps:
-  - label: "coverage-linux64"
-    commands:
-      - echo "--- Print the Git status"
-      - git status
-      - git log -n 1
-      - echo ""
-      - echo "--- Install build dependencies"
-      - apt-get update
-      - apt-get install -y build-essential cmake curl gfortran git libatomic1 m4 perl pkg-config python python3 wget
-      - echo "--- Build Julia from source"
-      - make -j 6
-      - echo "--- Print Julia version info"
-      - ./julia -e 'using InteractiveUtils; InteractiveUtils.versioninfo()'
-      - ./julia -e '@info "" Sys.CPU_THREADS'
-      - echo "--- Run Julia tests with code coverage enabled"
-      - git config --global init.defaultBranch master # this is necessary to make sure that the LibGit2 tests passes
-      - ./julia --code-coverage=all --sysimage-native-code=no .buildkite/coverage-linux64/run_tests_base.jl
-      - echo "--- Process and upload coverage information"
-      - ./julia .buildkite/coverage-linux64/upload_coverage.jl
-    agents:
-      queue: "juliacpu" # this should be julia -- also in pipeline settings
-      # os: linux # tag missing for juliacpu queue
-    timeout_in_minutes: 480 # 480 minutes = 8 hours
+  - label: ":unlock: :coverage: Run coverage test"
+    plugins:
+      - staticfloat/cryptic:
+          variables:
+            - CODECOV_TOKEN="U2FsdGVkX19l0fhdBabbuiEdysyEabkJLRHfxm7CNRkuGbnwPV365sxxC7Czs/CVcws0N1oB4pVwALRRMe36oA=="
+      - JuliaCI/julia#v1:
+          version: 1.6
+      - staticfloat/sandbox#v1:
+          rootfs_url: https://github.com/JuliaCI/rootfs-images/releases/download/v1/llvm-passes.tar.gz
+          rootfs_treehash: "f3ed53f159e8f13edfba8b20ebdb8ece73c1b8a8"
+          uid: 1000
+          gid: 1000
+    commands: |
+      echo "--- Build Julia from source"
+      make -j 6
+
+      echo "--- Print Julia version info"
+      ./julia -e 'using InteractiveUtils; InteractiveUtils.versioninfo()'
+      ./julia -e '@info "" Sys.CPU_THREADS'
+      # this is necessary to make sure that the LibGit2 tests passes
+      git config --global init.defaultBranch master
+
+      echo "--- Run Julia tests with code coverage enabled"
+      # Run the actual tests
+      ./julia --code-coverage=all --sysimage-native-code=no .buildkite/coverage-linux64/run_tests_base.jl
+
+      echo "--- Process and upload coverage information"
+      ./julia .buildkite/coverage-linux64/upload_coverage.jl
+    timeout_in_minutes: 600 # 600 minutes = 10 hours
+
+# We must accept the signed job id secret in order to propagate secrets
+env:
+  BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET: ${BUILDKITE_PLUGIN_CRYPTIC_BASE64_SIGNED_JOB_ID_SECRET?}