cirrus/ci: Add ubuntu22_spicy_task and ubuntu22_spicy_head_task

These tasks are meant to run nightly on the master branch. Currently,
the external dns, http and dhcp Spicy analyzers are installed via zkg
post building. The build artifact is uploaded to Cirrus and the benchmarker
API triggered.

For the spicy_head task, the auxil/spicy submodule is pulled to the latest
commit. This also provides a bit of a nightly integration test.

.cirrus.yml

@@ -74,6 +74,17 @@ skip_task_on_pr: &SKIP_TASK_ON_PR
   skip: >
     ($CIRRUS_PR != '' && $CIRRUS_PR_LABELS !=~ '.*fullci.*')
 
+
+benchmark_only_if_template: &BENCHMARK_ONLY_IF_TEMPLATE
+  # only_if condition for cron-triggered benchmarking tests.
+  # These currently do not run for release/.*
+  only_if: >
+    ( $CIRRUS_REPO_NAME == 'zeek' || $CIRRUS_REPO_NAME == 'zeek-security' ) &&
+    ( $CIRRUS_CRON == 'benchmark-nightly' ||
+      $CIRRUS_PR_LABELS =~ '.*fullci.*' ||
+      $CIRRUS_PR_LABELS =~ '.*benchmark.*' ||
+      $CIRRUS_BRANCH =~ 'topic/awelzel/ubuntu22-spicy-task' )
+
 ci_template: &CI_TEMPLATE
   << : *BUILDS_ONLY_IF_TEMPLATE
 
@@ -288,6 +299,37 @@ ubuntu22_task:
     path: build.tgz
   benchmark_script: ./ci/benchmark.sh
 
+ubuntu22_spicy_task:
+  container:
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CREATE_ARTIFACT: 1
+  test_script: true  # Don't run tests, these are redundant.
+  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
+  upload_binary_artifacts:
+    path: build.tgz
+  benchmark_script: ./ci/benchmark.sh
+  << : *BENCHMARK_ONLY_IF_TEMPLATE
+
+ubuntu22_spicy_head_task:
+  container:
+    # Ubuntu 22.04 EOL: April 2027
+    dockerfile: ci/ubuntu-22.04/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CREATE_ARTIFACT: 1
+    # Pull auxil/spicy to the latest head version. May or may not build.
+    ZEEK_CI_PREBUILD_COMMAND: 'cd auxil/spicy && git fetch && git reset --hard origin/main && git submodule update --init --recursive'
+  spicy_install_analyzers_script: ./ci/spicy-install-analyzers.sh
+  upload_binary_artifacts:
+    path: build.tgz
+  benchmark_script: ./ci/benchmark.sh
+  << : *BENCHMARK_ONLY_IF_TEMPLATE
+
 ubuntu20_task:
   container:
     # Ubuntu 20.04 EOL: April 2025

ci/spicy-install-analyzers.sh

@@ -0,0 +1,31 @@
+#! /usr/bin/env bash
+#
+# Shell script to install the latest version of certain
+# Spicy analyzers using zkg *and* repackages build.tgz.
+# This script should run after build.sh, but before the
+# artifact upload happens.
+set -eux
+
+test -d ${CIRRUS_WORKING_DIR}/install
+
+# Install prefix
+PREFIX=${CIRRUS_WORKING_DIR}/install
+
+export PATH=$PREFIX/bin:$PATH
+
+zkg --version
+
+ANALYZERS="
+https://github.com/zeek/spicy-dhcp
+https://github.com/zeek/spicy-dns
+https://github.com/zeek/spicy-http
+"
+
+for analyzer in $ANALYZERS; do
+    echo Y | zkg -vvvvv install "${analyzer}"
+done
+
+# After installing analyzers, package up build.tgz (representing
+# the contents of the installation directory). This overwrites any
+# existing artifact created by build.sh
+tar -czf ${CIRRUS_WORKING_DIR}/build.tgz ${CIRRUS_WORKING_DIR}/install

ci/ubuntu-22.04/Dockerfile

@@ -25,7 +25,9 @@ RUN apt-get update && apt-get -y install \
     make \
     python3 \
     python3-dev \
+    python3-git \
     python3-pip\
+    python3-semantic-version \
     ruby \
     sqlite3 \
     swig \