151 lines
4.7 KiB
YAML
151 lines
4.7 KiB
YAML
# You can override the included template(s) by including variable overrides
|
|
# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
|
|
# Note that environment variables can be set in several places
|
|
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
|
|
|
|
stages:
|
|
- test
|
|
- build
|
|
- push_local
|
|
- release
|
|
- push_dockerhub
|
|
|
|
.docker_base:
|
|
image: docker:24.0.5
|
|
services:
|
|
- name: docker:24.0.5-dind
|
|
#command: ["--tls=false"]
|
|
variables:
|
|
DOCKER_DRIVER: overlay2
|
|
DOCKER_HOST: tcp://docker:2376
|
|
DOCKER_TLS_CERTDIR: "/certs"
|
|
DOCKER_TLS_VERIFY: 1
|
|
DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
|
|
IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
|
|
FF_GITLAB_REGISTRY_HELPER_IMAGE: 1
|
|
before_script:
|
|
- docker version
|
|
- docker info
|
|
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
|
|
|
build:
|
|
extends:
|
|
- .docker_base
|
|
stage: build
|
|
script:
|
|
- docker pull $CI_REGISTRY_IMAGE:latest || true
|
|
- >
|
|
docker build
|
|
--pull
|
|
--cache-from $CI_REGISTRY_IMAGE:latest
|
|
--tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
|
|
--build-arg VCS_REF=$CI_COMMIT_SHORT_SHA
|
|
./Docker/
|
|
- docker login -u $CI_REGISTRY_USER -p $CI_JOB_TOKEN $CI_REGISTRY
|
|
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
|
|
push local:
|
|
extends:
|
|
- .docker_base
|
|
stage: push_local
|
|
variables:
|
|
GIT_STRATEGY: none
|
|
only:
|
|
- master
|
|
script:
|
|
- docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
|
|
- docker push $CI_REGISTRY_IMAGE:latest
|
|
|
|
push dockerhub:
|
|
extends:
|
|
- .docker_base
|
|
stage: push_dockerhub
|
|
variables:
|
|
GIT_STRATEGY: none
|
|
CI_DOCKERHUB_IMAGE: index.docker.io/evanrich/py-eagle-mqtt
|
|
CI_DOCKERHUB_REGISTRY: docker.io
|
|
only:
|
|
- tags
|
|
script:
|
|
- docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:$CI_COMMIT_REF_NAME
|
|
- docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:latest
|
|
- docker login -u "$CI_DOCKERHUB_USER" -p "$CI_DOCKERHUB_PASSWORD" $CI_DOCKERHUB_REGISTRY
|
|
- docker push $CI_DOCKERHUB_IMAGE --all-tags
|
|
|
|
release:
|
|
image: node:19-alpine3.15
|
|
stage: release
|
|
only:
|
|
refs:
|
|
- master
|
|
- alpha
|
|
# This matches maintenance branches
|
|
- /^(([0-9]+)\.)?([0-9]+)\.x/
|
|
# This matches pre-releases
|
|
- /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
|
|
except:
|
|
refs:
|
|
- tags
|
|
script:
|
|
- touch CHANGELOG.md
|
|
- apk add --no-cache git
|
|
- npm install @semantic-release/gitlab@10.1.4 @semantic-release/changelog@6.0.2
|
|
@semantic-release/git@10.0.1 conventional-changelog-eslint@3.0.9
|
|
- npx semantic-release
|
|
artifacts:
|
|
paths:
|
|
- CHANGELOG.md
|
|
|
|
sast:
|
|
stage: test
|
|
include:
|
|
- template: Security/SAST.gitlab-ci.yml
|
|
|
|
#sonarqube-check:
|
|
# stage: test
|
|
# image:
|
|
# name: sonarsource/sonar-scanner-cli:4.7
|
|
# entrypoint: [""]
|
|
# variables:
|
|
# SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
|
|
# GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
|
|
# cache:
|
|
# key: "${CI_JOB_NAME}"
|
|
# paths:
|
|
# - .sonar/cache
|
|
# script:
|
|
# - sonar-scanner
|
|
# allow_failure: true
|
|
# only:
|
|
# - master # or the name of your main branch
|
|
# - branches
|
|
|
|
trivy:
|
|
stage: test
|
|
extends:
|
|
- .docker_base
|
|
before_script:
|
|
- export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
|
|
- echo $TRIVY_VERSION
|
|
- wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
|
|
allow_failure: true
|
|
script:
|
|
# Build image
|
|
- docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ./Docker/
|
|
# Build report
|
|
- ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
# Print report
|
|
- ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
# Fail on severe vulnerabilities
|
|
- ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
|
|
cache:
|
|
paths:
|
|
- .trivycache/
|
|
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
|
|
artifacts:
|
|
reports:
|
|
container_scanning: gl-container-scanning-report.json
|