File: .gitlab-ci.yml
# Pipeline stages in execution order: test -> build -> deploy -> release.
stages: [test, build, deploy, release]

# Global variables shared by every job. All image references are derived from
# the project's container registry path; the short commit SHA identifies the
# per-commit build.
variables:
  # Certificate directory shared between the docker client and the dind
  # service (the docker:dind convention for enabling TLS between them).
  DOCKER_TLS_CERTDIR: "/certs"
  # Per-commit application image (built by `build`).
  CONTAINER_IMAGE_COMMIT: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_SHORT_SHA}"
  # Moving tag updated by `release image`.
  CONTAINER_IMAGE_LATEST: "${CI_REGISTRY_IMAGE}:latest"
  # Image built from Dockerfile.test by `build test image`.
  CONTAINER_IMAGE_TEST: "${CI_REGISTRY_IMAGE}:integration-tests"
  # Image tag consumed by the downstream deployment pipeline (see `deploy`).
  IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"

# GitLab Secure
# https://docs.gitlab.com/ee/user/application_security/
# GitLab-managed security scanners (dependency, license, SAST, secret detection).
# NOTE(review): the Security/License-Scanning template was reportedly removed
# from GitLab in the 16.x series — confirm this include still resolves on the
# target instance, otherwise the pipeline fails at configuration time.

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

# Pipelines are created only for merge requests and for commits on the default
# branch; no other pipeline source matches, so nothing else runs.
# NOTE(review): merge-request pipelines may originate from forks if the project
# allows that — check which CI variables those pipelines can see.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Templates

# Path filter describing "source code changed". Rules that merge this anchor
# skip test/build/deploy when only documentation or CI configuration changed.
# Note that Dockerfile.test and the integration-test harness are deliberately
# not part of this list; `build test image` has its own filter.
.source_changes: &source_changes
  changes:
    - "Pipfile*"
    - "Dockerfile"
    - "**/*.proto"
    - "**/*.py"
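# Base for jobs that need a docker daemon: the daemon comes from the dind
# service, the job itself only needs the client.
# NOTE(review): both image references use the floating `docker:dind` tag;
# pinning a version (ideally a digest) makes builds reproducible. The job image
# could also be the lighter client-only image, left unchanged here.
.docker_job:
  image: docker:dind
  services:
    - docker:dind
  before_script:
    # Feed the registry password on stdin instead of `-p`: the `-p` form puts
    # the secret into the process list and into any shell trace output.
    - printf '%s\n' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"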

# Base for test-stage jobs. They run unconditionally when FORCE_DEPLOY is set,
# otherwise only when source files changed (see `.source_changes`).
#
# Caveat: `changes` cannot be evaluated on the first push of a new branch and
# then matches everything, so these rules are restricted to merge-request
# pipelines and the default branch. See:
# https://docs.gitlab.com/ee/ci/jobs/job_control.html#jobs-or-pipelines-run-unexpectedly-when-using-changes
#
# NOTE(review): `python:3.9` is a floating tag; consider pinning a digest.
.test:
  stage: test
  image: python:3.9
  rules:
    # Manual override: run regardless of what changed.
    - if: $FORCE_DEPLOY != null
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      <<: *source_changes
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      <<: *source_changes

# Base for build-stage jobs: needs the docker daemon from `.docker_job` and is
# gated exactly like `.test` (FORCE_DEPLOY, or source changes on a merge
# request / the default branch).
.build:
  stage: build
  extends:
    - .docker_job
  rules:
    # Listed explicitly although the referenced `.test` rules start with it.
    - if: $FORCE_DEPLOY != null
    - !reference [.test, rules]

# Base for deploy-stage jobs. Deploys from the default branch when source
# files changed; DEPLOY_STOP is a kill switch, FORCE_DEPLOY a manual override.
# NOTE(review): the FORCE_DEPLOY rule carries no branch condition, so any
# pipeline that has this variable set (e.g. a merge-request pipeline, if the
# variable is defined at project level) deploys — make sure only maintainers
# can define it (protected variable / run-pipeline rights). Confirm against the
# project settings.
.deploy:
  stage: deploy
  rules:
    # Never deploy while DEPLOY_STOP is set, whatever else would match.
    - if: $DEPLOY_STOP != null
      when: never
    - if: $FORCE_DEPLOY != null
      when: on_success
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
      <<: *source_changes

# Release-stage base: the same gating as `.deploy`, one stage later.
.release:
  extends:
    - .deploy
  stage: release

# Jobs

# On merge requests that touch source files, verify that the VERSION file was
# updated (the `check-version` tool compares against the default branch).
# NOTE(review): the checker image is pulled by the floating `latest` tag; a
# pinned tag or digest would make this gate reproducible.
check version:
  stage: test
  image:
    name: registry.gitlab.com/gitlab-com/gl-security/engineering-and-research/automation-team/docker/check-version:latest
    # Clear the image entrypoint so `script` runs under the plain shell.
    entrypoint: [""]
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      <<: *source_changes
  script:
    # Materialise the default branch as a local ref; presumably this is what
    # check-version diffs against — confirm with the tool's docs.
    - git fetch origin "${CI_DEFAULT_BRANCH}:${CI_DEFAULT_BRANCH}"
    - check-version

# Static checks via `make lint`; gated like every `.test` job.
lint:
  extends:
    - .test
  script:
    - make lint

# Unit tests via `make test`; the total coverage percentage is scraped from the
# last "TOTAL ..." line of the output.
test:
  extends:
    - .test
  script:
    - make test
  coverage: '/^TOTAL.+?(\d+\%)$/'

# Multi-arch build of the application image, tagged with the short commit SHA.
# The image is pushed only from the default branch or when FORCE_DEPLOY is
# non-empty; merge-request pipelines just verify that it builds.
build:
  extends:
    - .build
  script:
    - docker context create spamcheck
    - docker buildx create --use spamcheck
    # $PUSH stays empty (and is deliberately unquoted below) when not pushing.
    - PUSH=""
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ] || [ -n "$FORCE_DEPLOY" ]; then PUSH="--push"; fi
    # NOTE(review): --provenance=false drops BuildKit's provenance attestation
    # (commonly needed for registries that reject OCI attestation manifests).
    # If the registry accepts them, enabling provenance gives SLSA metadata
    # for free — confirm before changing.
    - docker buildx build --provenance=false $PUSH --pull --platform linux/arm64/v8,linux/amd64 --tag "$CONTAINER_IMAGE_COMMIT" .

# Image for the integration tests, built for the runner's own architecture.
# Rebuilt only on the default branch when the harness or its Dockerfile
# change; the inherited `.build` rules are replaced entirely, so FORCE_DEPLOY
# has no effect on this job.
build test image:
  extends:
    - .build
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
        - Dockerfile.test
        - tests/integration/run.rb
  script:
    - docker build --pull --file Dockerfile.test --tag "$CONTAINER_IMAGE_TEST" .
    - docker push "$CONTAINER_IMAGE_TEST"

# Hand off to the Kubernetes deployment project; `strategy: depend` makes this
# job's status follow the downstream pipeline.
# NOTE(review): the downstream pipeline presumably reads IMAGE_TAG from the
# global `variables` block (trigger jobs forward YAML variables by default) —
# confirm against the downstream project's configuration.
deploy:
  extends:
    - .deploy
  trigger:
    strategy: depend
    project: gitlab-private/gl-security/engineering-and-research/automation-team/kubernetes/spamcheck/spamcheck-py

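# Promote the per-commit image built earlier in this pipeline to `latest` and
# to the version from the VERSION file. Re-tagging the existing multi-arch
# manifest guarantees the released artifact is byte-identical to the one that
# was built and tested. Previously this job rebuilt the image from the
# Dockerfile; since `build` exports no inline cache metadata the
# `--cache-from` hint could not be relied on, so the released image was a
# fresh build that could differ from the tested one.
release image:
  extends:
    - .docker_job
    - .release
  script:
    - VERSION="$(head -n1 VERSION | xargs)"
    # Refuse to publish a malformed "<image>:" tag if VERSION is empty.
    - test -n "$VERSION" || { echo "VERSION file is empty" >&2; exit 1; }
    - docker buildx imagetools create --tag "$CONTAINER_IMAGE_LATEST" --tag "${CI_REGISTRY_IMAGE}:${VERSION}" "$CONTAINER_IMAGE_COMMIT"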

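# Tag the released commit as v<VERSION> and push that tag back to the project.
# The push token is provided by a credential helper that reads it from the
# environment at push time, so it is neither written into .git/config nor put
# on a command line (previously it was embedded in the origin URL, where it
# persisted in the workspace and could surface in git error output).
tag branch:
  extends:
    - .release
  script:
    - VERSION="v$(head -n1 VERSION | xargs)"
    # Refuse to create a bare "v" tag if VERSION is empty.
    - test "$VERSION" != "v" || { echo "VERSION file is empty" >&2; exit 1; }
    - git config user.name "gitlab-securitybot"
    - git config user.email "securitybot@gitlab.com"
    # Credential-free remote URL; git asks the helper below for the token.
    - git remote set-url origin "https://${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
    - git config credential.helper '!f() { echo "username=oauth2"; echo "password=${GITLAB_REPOSITORY_TOKEN}"; }; f'
    - git tag "$VERSION"
    # Push only the tag created here rather than every local tag.
    - git push origin "refs/tags/${VERSION}"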