Merge pull request #41554 from JuliaLang/backports-release-1.6

Backports for julia-1.6.3

Author: KristofferC

.buildkite/README.md

@@ -0,0 +1,7 @@
+# Buildkite
+
+This directory contains the Buildkite configuration files for Base Julia CI.
+
+The rootfs image definitions are located in the [rootfs-images](https://github.com/JuliaCI/rootfs-images) repository.
+
+The documentation for the Base Julia CI setup is located in the [base-buildkite-docs](https://github.com/JuliaCI/base-buildkite-docs) repository.

.buildkite/llvm_passes.yml

@@ -0,0 +1,24 @@
+# This file represents what is put into the webUI.
+# It is purely for keeping track of the changes we make to the webUI configuration; modifying this file has no effect.
+# We use the `cryptic` buildkite plugin to provide secrets management, which requires some integration into the WebUI's steps.
+agents:
+  queue: "julia"
+  sandbox.jl: "true"
+
+steps:
+  - label: ":unlock: Unlock secrets, launch pipelines"
+    plugins:
+      - staticfloat/cryptic:
+          # Our list of pipelines that should be launched (but don't require a signature)
+          # These pipelines can be modified by any contributor and CI will still run.
+          # Build secrets will not be available in these pipelines (or their children)
+          # but some of our signed pipelines can wait upon the completion of these unsigned
+          # pipelines.
+          unsigned_pipelines:
+            - .buildkite/pipelines/experimental/launch_unsigned_builders.yml
+
+          # Our signed pipelines must have a `signature` or `signature_file` parameter that
+          # verifies the treehash of the pipeline itself and the inputs listed in `inputs`
+          # signed_pipelines:
+          #   - pipeline: .buildkite/pipelines/experimental/misc/foo_bar_baz.yml
+          #     signature: "my_signature"

.buildkite/pipeline.yml

@@ -0,0 +1,7 @@
+## Experimental pipeline (`master` branch only)
+
+This is the [`julia-master->experimental`](https://buildkite.com/julialang/julia-master-experimental) pipeline.
+
+We use this pipeline for builders that are not yet stable enough to go into the main pipeline.
+
+These builders are triggered by GitHub webhook events, such as pushes and pull requests.

.buildkite/pipelines/experimental/0_webui.yml

@@ -0,0 +1,6 @@
+steps:
+  - label: ":buildkite: Launch unsigned pipelines"
+    commands: |
+      buildkite-agent pipeline upload .buildkite/pipelines/experimental/misc/sanitizers.yml
+    agents:
+      queue: julia

.buildkite/pipelines/experimental/README.md

@@ -0,0 +1,31 @@
+agents:
+  queue: "julia"
+  # Only run on `sandbox.jl` machines (not `docker`-isolated ones) since we need nestable sandboxing
+  sandbox.jl: "true"
+  os: "linux"
+
+steps:
+  - label: "asan"
+    key: asan
+    plugins:
+      - JuliaCI/julia#v1:
+          version: 1.6
+      - staticfloat/sandbox#v1:
+          rootfs_url: https://github.com/JuliaCI/rootfs-images/releases/download/v3.1/llvm_passes.x86_64.tar.gz
+          rootfs_treehash: "9dd715500b117a16fcfa419ea0bca0c0ca902cee"
+          uid: 1000
+          gid: 1000
+          workspaces:
+            - "/cache/repos:/cache/repos"
+      # `contrib/check-asan.jl` needs a `julia` binary:
+      - JuliaCI/julia#v1:
+          version: 1.6
+    commands: |
+      echo "--- Build julia-debug with ASAN"
+      contrib/asan/build.sh ./tmp/test-asan -j$${JULIA_NUM_CORES} debug
+      echo "--- Test that ASAN is enabled"
+      contrib/asan/check.jl ./tmp/test-asan/asan/usr/bin/julia-debug
+    timeout_in_minutes: 120
+    # notify:                   # TODO: uncomment this line
+    #   - github_commit_status: # TODO: uncomment this line
+    #       context: "asan"     # TODO: uncomment this line

.buildkite/pipelines/experimental/launch_unsigned_builders.yml

@@ -15,10 +15,10 @@ steps:
           # but some of our signed pipelines can wait upon the completion of these unsigned
           # pipelines.
           unsigned_pipelines:
-            - .buildkite/pipeline.yml
+            - .buildkite/pipelines/main/launch_unsigned_builders.yml
 
           # Our signed pipelines must have a `signature` or `signature_file` parameter that
           # verifies the treehash of the pipeline itself and the inputs listed in `inputs`
           signed_pipelines:
-            - pipeline: .buildkite/signed_pipeline_test.yml
-              signature: "U2FsdGVkX18aZgryp6AJTArgD2uOnVWyFFGVOP5qsY4WbGQ/LVAcYiMEp9cweV+2iht+vmEF949CuuGTeQPA1fKlhPwkG3nZ688752DUB6en9oM2nuL31NoDKWHhpygZ"
+            - pipeline: .buildkite/pipelines/main/misc/signed_pipeline_test.yml
+              signature_file: .buildkite/pipelines/main/misc/signed_pipeline_test.yml.signature

.buildkite/pipelines/experimental/misc/sanitizers.yml

@@ -0,0 +1,15 @@
+## Main pipeline
+
+This is the main pipeline. It contains most of the builders. These builders are triggered by GitHub webhook events, such as pushes and pull requests.
+
+We have a different main pipeline for each permanent branch.
+
+For example:
+
+| Permanent Branch | Pipeline                                                                         |
+| ---------------- | -------------------------------------------------------------------------------- |
+| `master`         | [`julia-master`](https://buildkite.com/julialang/julia-master)                   |
+| `release-1.6`    | [`julia-release-1.6`](https://buildkite.com/julialang/julia-release-1-dot-6) |
+| `release-1.7`    | [`julia-release-1.7`](https://buildkite.com/julialang/julia-release-1-dot-7) |
+
+(This is not a complete list.)

.buildkite/0_webui.yml renamed to .buildkite/pipelines/main/0_webui.yml

@@ -0,0 +1,29 @@
+# This file launches all the build jobs that _don't_ require secrets access.
+# These jobs can pass their output off to jobs that do require secrets access,
+# but those privileged steps require signing before they can be run.
+#
+# Yes, this is creating another layer of indirection; the flow now looks like:
+#
+#   [webui] -> launch_unsigned_builders.yml -> misc/whitespace.yml
+#
+# when we could theoretically just have the `webui` launch `misc/whitespace.yml`,
+# however this raises the bar for contributors to add new (unsigned) steps to
+# our CI configuration, so I'd rather live with an extra layer of indirection
+# and only need to touch the webui configuration when we need to alter
+# something about the privileged steps.
+
+steps:
+  - label: ":buildkite: Launch unsigned builders"
+    commands: |
+      # First, we launch the `whitespace` builder, because we want that builder to finish as quickly as possible.
+      buildkite-agent pipeline upload .buildkite/pipelines/main/misc/whitespace.yml
+
+      # Next, we launch the miscellaneous builders in alphabetical order.
+      buildkite-agent pipeline upload .buildkite/pipelines/main/misc/doctest.yml
+      buildkite-agent pipeline upload .buildkite/pipelines/main/misc/embedding.yml
+      buildkite-agent pipeline upload .buildkite/pipelines/main/misc/llvmpasses.yml
+
+      # Finally, we launch the platform builders (`package_*`) and (`tester_*`) in alphabetical order.
+      buildkite-agent pipeline upload .buildkite/pipelines/main/platforms/linux64.yml
+    agents:
+      queue: julia