CI system for PR builds

Ryan Schmidt ryandesign at macports.org
Fri Mar 16 10:13:31 UTC 2018


On Mar 15, 2018, at 07:00, db wrote:
> On 15 Mar 2018, at 05:13, Ryan Schmidt wrote:
>> Because PRs come from untrusted sources, we have to assume their contents are tainted. So after any PR is finished building, the VM is tainted and we have to throw it away and make a new one from our template for the next PR build.
> 
>> On Mar 14, 2018, at 07:25, db wrote:
>>> Otherwise, you could make the machines sync to the packages public server for the distributable, and to a private server for the non-distributable binaries.
>> I can't find an interpretation of that sentence that helps to solve the prepopulation problem.
> 
> I didn't know how you handled the templating.

We have nothing set up for this yet, so currently we don't handle it at all. I was merely mentioning some of the issues that have occurred to me since I've been thinking about this problem.

> Couldn't you just prepopulate the cloned VM, take a snapshot, build the PR, restore the snapshot, eventually, delete the snapshot, update outdated, then retake it?

I don't know. I had not considered snapshots as part of the solution.

If we use snapshots, we may not need to use templates. We just take a snapshot of a clean fully set-up VM and start the build from there. Then restore to that snapshot after the build.

If you're suggesting that periodically updating that VM should be automated, there's a lot to think about. If there is to be an automated (e.g. daily) task that deletes the snapshot, updates outdated ports, and makes a new snapshot, that would have to happen while no PR builds are building. If we made this daily update a buildbot task, it can probably arrange for that. We would also have to either automate or allow for the possibility of manually updating the OS, Xcode, Java.
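
The snapshot cycle discussed in this thread, modelled in Python as an added example (not part of the original message and not MacPorts infrastructure code): every PR build is rolled back to the clean snapshot whether it passes or fails, and the periodic refresh is refused while a build is running. The `SnapshotVM` class, the dict standing in for VM disk state, and the sample build and update functions are all hypothetical; a real setup would call the hypervisor's snapshot commands instead.

```python
import copy
import threading


class SnapshotVM:
    """In-memory model of one build VM; `disk` stands in for its state (assumption)."""

    def __init__(self, clean_disk):
        self.disk = copy.deepcopy(clean_disk)
        self._snapshot = copy.deepcopy(clean_disk)  # clean, fully set-up state
        self._lock = threading.Lock()               # one PR build or one refresh at a time

    def build_pr(self, pr_build):
        """Run untrusted PR code, then always restore the snapshot."""
        with self._lock:
            try:
                return pr_build(self.disk)          # may modify the disk or raise
            except Exception as exc:
                return f"failed: {exc}"
            finally:
                # The VM is tainted whether the build passed or failed.
                self.disk = copy.deepcopy(self._snapshot)

    def refresh(self, update):
        """Drop the old snapshot, update outdated ports, retake; only while idle."""
        if not self._lock.acquire(blocking=False):
            return False                            # a PR build is running; retry later
        try:
            self.disk = copy.deepcopy(self._snapshot)  # start from known-clean state
            update(self.disk)                       # trusted maintenance step
            self._snapshot = copy.deepcopy(self.disk)
            return True
        finally:
            self._lock.release()


# Constructed sample inputs, not real ports data.
CLEAN = {"ports": {"zlib": "1.0"}, "files": []}

def tainting_build(disk):
    disk["files"].append("/tmp/left-behind-by-pr")  # change made by untrusted code
    disk["ports"]["zlib"] = "modified"
    return "ok"

def update_ports(disk):
    disk["ports"]["zlib"] = "1.1"                   # stands in for updating outdated ports
```
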


