Hi, the Nettle CI has been running at the mirror repository https://gitlab.com/gnutls/nettle for several years. However, the automatic mirroring stopped working during summer, related to bureaucracy for gitlab's "open source" program. This makes this mirror and CI a lot less useful, and it might be removed at some point.
Instead, CI has now been set up to run directly on git.lysator.liu.se. There's currently one runner serving the nettle project, managed by Simon, thanks!
For now, I have disabled the remote/s390x job, since I've not been able to mark it as conditional depending account variables, and I haven't yet setup new keys (since I want to retire the key used at gitlab.com). If anyone here is more familiar with .gitlab-ci.yml, help is appreciated. I tried using
rules: - if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != ""
but the job is started (and then fails) even though those variables are unset.
The gnutls job is also disabled for now, let me know when there's a branch in the gnutls repo that aims to be compatible with nettle-4, and I'll reenable this job.
Regards, /Niels
Niels Möller nisse@lysator.liu.se writes:
rules:
- if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != ""
Shouldn't that be something like this:
rules: - if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != "" when: never
Note that the following
rules: - if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != "" - when: never
means something completely different. Each '-' stanza is evaluated on its own, the first one to lead to a job start wins. The first 'if' line is evaluated, and then the default action of when:always applies since nothing else is present, and the job is run. So you actually get kind of the reverse results you wanted.
I'm just guessing, sorry for not catching this earlier.
/Simon
Simon Josefsson simon@josefsson.org writes:
Niels Möller nisse@lysator.liu.se writes:
rules:
- if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != ""
Shouldn't that be something like this:
rules:
- if: $SSH_PRIVATE_KEY != "" && $S390X_ACCOUNT != "" when: never
No, the intention was that in the current environment without the keys and settings needed for this job, $SSH_PRIVATE_KEY != "" should be false, and rule not match. The additional default rule "- when: never" is redundant, by my reading of the docs, I tried adding it only because I read some recommendation to be explicit about the default behavior (no rule matching).
But I think I really don't get quoting, in yaml in general and in these expressions. I suspected there might be that null != "" is evaluated as true, so to get null values treated as empty strings I tried adding quotes,
- if: "$SSH_PRIVATE_KEY" != "" && "$S390X_ACCOUNT" != ""
However, that results in syntax error from gitlab. Then I tried the opposite, removing both quotes and comparisons,
- if: $SSH_PRIVATE_KEY && $S390X_ACCOUNT
That appears to be syntactically correct, and it evaluates to false. I haven't yet tested what happens if those variables are assigned non-empty values, but I'd hope this is the right way to do it.
Regards, /Niels
On 9/09/25 18:07, Niels Möller wrote:
Simon Josefsson writes:
Niels Möller writes:
...
However, that results in syntax error from gitlab. Then I tried the opposite, removing both quotes and comparisons,
- if: $SSH_PRIVATE_KEY && $S390X_ACCOUNT
That appears to be syntactically correct, and it evaluates to false. I haven't yet tested what happens if those variables are assigned non-empty values, but I'd hope this is the right way to do it.
FWIW, that matches what I understand the github action syntax to require. It seems to like variables that evaluate directly to booleans, but not equivalencies between things.
Cheers AYJ
Niels Möller nisse@lysator.liu.se writes:
For now, I have disabled the remote/s390x job, since I've not been able to mark it as conditional depending account variables, and I haven't yet setup new keys (since I want to retire the key used at gitlab.com).
This is now running again.
I've changed the job conditions to
rules: - if: $SSH_PRIVATE_KEY && $S390X_ACCOUNT
and that seems to work. And I've configured those variables in the gitlab ui (so accessible to me, and with some effort to lysator admins and to Simon who's admin on the runner machine), and that let's the job login to an unprivileged account on a test s390x vm provided by IBM, and run tests. And the ssh key previously used in the same way for runners at gitlab.com no longer has access.
I think the mirror repos at https://gitlab.com/gnutls/nettle and https://gitlab.com/gnutls/nettle-build-images can be removed or archived now.
Regards, /Niels
Niels Möller nisse@lysator.liu.se writes:
I think the mirror repos at https://gitlab.com/gnutls/nettle and https://gitlab.com/gnutls/nettle-build-images can be removed or archived now.
I archived them now, cc'ing gnutls-devel for awareness. If nobody screams within a month I suggest to remove them to reduce confusion and resource usage.
/Simon
The github mirror https://github.com/gnutls/nettle is not working either. Will that be fixed or should that be archived as well?
fooapr@outlook.com writes:
The github mirror https://github.com/gnutls/nettle is not working either. Will that be fixed or should that be archived as well?
That appears to not have pulled any changes for long time, latest commit two and a half years ago. And status of the neighbor libtasn1 repo looks similar.
Archiving or removing makes sense to me, but I don't know anything about this mirror. It looks like maybe Daiki is managing it?
Regards, /Niels
Niels Möller nisse@lysator.liu.se writes:
fooapr@outlook.com writes:
The github mirror https://github.com/gnutls/nettle is not working either. Will that be fixed or should that be archived as well?
That appears to not have pulled any changes for long time, latest commit two and a half years ago. And status of the neighbor libtasn1 repo looks similar.
Archiving or removing makes sense to me, but I don't know anything about this mirror. It looks like maybe Daiki is managing it?
Yes, the current setup (though it's no longer working) is:
git.lysator.liu.se/nettle/nettle -- (1) pull mirroring --> gitlab.com/gnutls/nettle -- (2) push mirroring --> github.com/gnutls/nettle
(2) stopped working since GitHub changed their host key[1]. After that, I wasn't able to make it work again.
(1) has recently stopped working since the GnuTLS org was not able to renew the GitLab.com OSS program[2], as the pull mirroring is one of their premium features.
If anyone knows a better way to mirror git.lysator.liu.se/nettle/nettle to github.com/gnutls/nettle, I would be happy to try.
Regards,
Footnotes: [1] https://forum.gitlab.com/t/push-mirroring-to-github-stopped-working/84621
[2] https://gitlab.com/gitlab-org/gitlab/-/issues/543742
Hi, it seems both the GitLab and GitHub mirrors are working now. Will the Nettle CI move back to GitLab or stay at git.lysator.liu.se?
Cheers Foolbar
fooapr@outlook.com writes:
Hi, it seems both the GitLab and GitHub mirrors are working now. Will the Nettle CI move back to GitLab or stay at git.lysator.liu.se?
I think I'd prefer to keep some or all at lysator, to not have to store the secret key needed for the s390x remote job at gitlab.com, and not have the mirroring delay. But it would be nice to run at both places, if I can figure out what tag(s) to set to make that work.
Regards, /Niels
nettle-bugs@lists.lysator.liu.se
-
Amos Jeffries -
Daiki Ueno -
fooapr@outlook.com -
Niels Möller -
Simon Josefsson