github &mdash; csantosb https://infosec.press/csantosb/tag:github Random thoughts Mon, 18 May 2026 11:16:48 +0000 ci (gitlab/hub) https://infosec.press/csantosb/ci-gitlab-hub <![CDATA[img br/ Remote #ci is the way to go in #modernhw digital design testing. In this #ciseries, let’s see it in practice with some detail using two of the most popular forges out there. !--more-- br/ Gitlab The gitlab #gitforge includes tones of features. Among these, a facility called the container registry, which stores per project container images. Guix pack allows the creation of custom #reproductible environments as images. In particular, it is possible to create a docker image out of our manifest and channels files with br/ guix time-machine -C channels.scm -- pack --compression=xz --save-provenance -f docker -m manifest.scm Check the documentation for options. br/ Remember that there are obviously alternative methods to produce docker images. The point on using guix resides on its reproducibility capabilities: you’ll be able to create a new, identical docker image, out of the manifest and channels files at any point in time. Even more: you’ll have the capacity to retrieve your manifest file out of the binary image in case your manifest file gets lost. br/ Then, this image must be loaded into the local docker store with br/ docker load < IMAGE and renamed to something meaningful br/ docker tag IMAGE:latest gitlab-registry.whatever.fr/domain/group/NAME:TAG go remote img br/ Finally, pushed to the remote container registry of your project with br/ docker push gitlab-registry.whatever.fr/domain/group/NAME:TAG At this point, you have an environment where you’ll run your tests using gitlab's ci features. You’ll set up your gitlab’s runners and manifest files to use this container to execute your jobs. br/ As an alternative, you could use a ssh executor running on your own fast and powerful hardware resources (dedicated machine, shared cluster, etc.). In this case, you’d rather produce an apptainer container image with: br/ guix time-machine -C channels.scm -- pack -f squashfs ... scp this container file to your computing resources and call it from the #gitlab runner. br/ Github The github is probably the most popular #gitforge out there. It follows a similar to #gitlab in its conception (pull requests and merge requests, you catch the idea ?). It also includes a container registry, and the set of features if offers may be exchanged with ease with any other #gitforge following the same paradigm. No need to go into more details. br/ There is a couple of interesting tips about using #github, though. It happens more usually than not that users encounter frequently problems of #reproducibility when using container images hosted on ghcr.io, the hosting service for user images. These images are usually employed for running #ci testing pipelines, and they usually break as upstream changes happen: updates, image definition changes, image packages upgrades, etc. If you read my dependencies hell post, this should ring a bell. br/ What can be done about in what concerns #modernhw ? Well, we have #guix. Let’s try a differente approach: building an image locally, and pushing it to #github registry. Let’s see how. br/ in practice An example repository shows tha way to proceed. Its contents allow to create a docker container image to be hosted remotely. It includes all that’s necessary to perform remote #ci testing of a #modernhw #vhdl design. br/ docker pull ghcr.io/csantosb/hdl docker images # check $ID docker run -ti $ID bash It includes a couple of #plaintext files to produce a #deterministic container. First, the channels.scm file with the list of guix chanels to use to pull packages from. Then, a manifest.scm, with the list of packages to be install within the container. br/ The image container may be build with br/ image=$(guix time-machine --channels=channels.scm -- \ pack -f docker \ -S /bin=bin \ --save-provenance \ -m manifest.scm) At this point, it is to be load to the docker store with br/ docker load < $image docker images Now it is time to tag the image br/ docker tag IMID ghcr.io/USER/REPO:RELEASE and login to ghcr.io br/ docker login -u USER -p PASSWORD ghcr.io Finally, the image is to be push remotely br/ docker push ghcr.io/USER/HDL:RELEASE test You’ll may test this image using the neorv32 project, for example, with: br/ docker pull ghcr.io/csantosb/hdl docker run -ti ID bash git clone --depth=1 https://github.com/stnolting/neorv32 cd neorv32 git clone --depth=1 https://github.com/stnolting/neorv32-vunit test cd test rm -rf neorv32 ln -sf ../../neorv32 neorv32 python3 sim/run.py --ci-mode -v `]]> img
Remote #ci is the way to go in #modernhw digital design testing. In this #ciseries, let’s see it in practice with some detail using two of the most popular forges out there.

Gitlab

The gitlab #gitforge includes tones of features. Among these, a facility called the container registry, which stores per project container images. Guix pack allows the creation of custom #reproductible environments as images. In particular, it is possible to create a docker image out of our manifest and channels files with 

guix time-machine -C channels.scm -- pack --compression=xz --save-provenance -f docker -m manifest.scm

Check the documentation for options.
Remember that there are obviously alternative methods to produce docker images. The point on using guix resides on its reproducibility capabilities: you’ll be able to create a new, identical docker image, out of the manifest and channels files at any point in time. Even more: you’ll have the capacity to retrieve your manifest file out of the binary image in case your manifest file gets lost.
Then, this image must be loaded into the local docker store with 

docker load < IMAGE

and renamed to something meaningful 

docker tag IMAGE:latest gitlab-registry.whatever.fr/domain/group/NAME:TAG

go remote

img
Finally, pushed to the remote container registry of your project with 

docker push gitlab-registry.whatever.fr/domain/group/NAME:TAG

At this point, you have an environment where you’ll run your tests using gitlab's ci features. You’ll set up your gitlab’s runners and manifest files to use this container to execute your jobs.
As an alternative, you could use a ssh executor running on your own fast and powerful hardware resources (dedicated machine, shared cluster, etc.). In this case, you’d rather produce an apptainer container image with: 

guix time-machine -C channels.scm -- pack -f squashfs ...

scp this container file to your computing resources and call it from the #gitlab runner.

Github

The github is probably the most popular #gitforge out there. It follows a similar to #gitlab in its conception (pull requests and merge requests, you catch the idea ?). It also includes a container registry, and the set of features if offers may be exchanged with ease with any other #gitforge following the same paradigm. No need to go into more details.
There is a couple of interesting tips about using #github, though. It happens more usually than not that users encounter frequently problems of #reproducibility when using container images hosted on ghcr.io, the hosting service for user images. These images are usually employed for running #ci testing pipelines, and they usually break as upstream changes happen: updates, image definition changes, image packages upgrades, etc. If you read my dependencies hell post, this should ring a bell.
What can be done about in what concerns #modernhw ? Well, we have #guix. Let’s try a differente approach: building an image locally, and pushing it to #github registry. Let’s see how.

in practice

An example repository shows tha way to proceed. Its contents allow to create a docker container image to be hosted remotely. It includes all that’s necessary to perform remote #ci testing of a #modernhw #vhdl design. 

docker pull ghcr.io/csantosb/hdl
docker images # check $ID
docker run -ti $ID bash

It includes a couple of #plaintext files to produce a #deterministic container. First, the channels.scm file with the list of guix chanels to use to pull packages from. Then, a manifest.scm, with the list of packages to be install within the container.
The image container may be build with 

image=$(guix time-machine --channels=channels.scm -- \
             pack -f docker \
             -S /bin=bin \
             --save-provenance \
             -m manifest.scm)

At this point, it is to be load to the docker store with 

docker load < $image
# docker images

Now it is time to tag the image 

docker tag IMID ghcr.io/USER/REPO:RELEASE

and login to ghcr.io 

docker login -u USER -p PASSWORD ghcr.io

Finally, the image is to be push remotely 

docker push ghcr.io/USER/HDL:RELEASE

test

You’ll may test this image using the neorv32 project, for example, with: 

docker pull ghcr.io/csantosb/hdl
docker run -ti ID bash
git clone --depth=1 https://github.com/stnolting/neorv32
cd neorv32
git clone --depth=1 https://github.com/stnolting/neorv32-vunit test
cd test
rm -rf neorv32
ln -sf ../../neorv32 neorv32
python3 sim/run.py --ci-mode -v
]]> https://infosec.press/csantosb/ci-gitlab-hub Wed, 11 Dec 2024 12:50:04 +0000