.gitlab-ci.yml
---
# Stage order for the pipeline: scanners and the Sonar jobs run in "test",
# image builds in "build", the web asset push in "assets-deploy", and
# container_scanning (which needs the pushed API image) in "post-test".
stages:
  - test
  - build
  - assets-deploy
  - post-test
# Override for the "sast" job that the included Security/SAST template
# defines: keeps it in the test stage alongside the other scanners.
sast:
  stage: test
# GitLab-maintained scanner templates. SAST-IaC is taken from the ".latest"
# variant, which tracks the newest template and may change without a GitLab
# upgrade; the others follow the stable template of the running GitLab version.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
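# Build and push the API image on the default branch whenever the api/ tree,
# this pipeline file or docker-compose.yml changed and api/Dockerfile exists.
# NOTE(review): docker build/push requires a Docker daemon (a docker:dind
# service or a socket mounted by the runner); none is declared in this job,
# so the runner is assumed to provide one — confirm.
build-api:
  stage: build
  image: docker.io/library/docker:git
  before_script:
    # Feed the registry password through stdin instead of "-p": the value then
    # never appears in the process list and docker no longer prints its
    # "--password via the CLI is insecure" warning into the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - cd api/
    # Tag the image as the mutable "latest" (what container_scanning consumes)
    # and with the commit SHA, so any deployed image is traceable to its source.
    - docker build -t "$CI_REGISTRY_IMAGE/api:latest" -t "$CI_REGISTRY_IMAGE/api:$CI_COMMIT_SHA" -f "./Dockerfile" --no-cache --pull "./"
    # The login from before_script is still valid here (same job session), so
    # the second login the original script ran is not repeated.
    - docker image push --all-tags "$CI_REGISTRY_IMAGE/api"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      exists:
        - api/Dockerfile
      changes:
        - api/**/*
        - api/*
        - .gitlab-ci.yml
        - docker-compose.yml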
# Override of the container_scanning job from the included Container-Scanning
# template: scans the API image that build-api just pushed, under the same
# trigger rules as build-api so both jobs appear (or are skipped) together.
container_scanning:
  stage: post-test
  needs:
    - build-api
  variables:
    CS_DISABLE_DEPENDENCY_LIST: "true"
    # The image reference scanned; matches the tag pushed by build-api.
    CS_DEFAULT_BRANCH_IMAGE: "$CI_REGISTRY_IMAGE/api:latest"
    CI_APPLICATION_REPOSITORY: "$CI_REGISTRY_IMAGE/api"
    CI_APPLICATION_TAG: "latest"
    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
    # Analyzer pinned to its major version only; minor/patch updates flow in.
    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"
    # Debug output is verbose and lands in the job log; lower it once the
    # scanner setup has been troubleshot.
    SECURE_LOG_LEVEL: "debug"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      exists:
        - api/Dockerfile
      changes:
        - api/**/*
        - api/*
        - .gitlab-ci.yml
        - docker-compose.yml
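# Build and push the web image on the default branch whenever the web/ tree,
# this pipeline file or docker-compose.yml changed and web/Dockerfile exists.
# NOTE(review): as with build-api, a Docker daemon (dind service or mounted
# socket) is assumed to be provided by the runner — none is declared here.
build-web:
  stage: build
  image: docker.io/library/docker:git
  before_script:
    # Password via stdin rather than "-p": keeps it out of the process list
    # and out of docker's "insecure --password" warning in the job log.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - cd web/
    # "latest" plus an immutable commit-SHA tag so a deployed image can be
    # traced back to the exact source revision.
    - docker build -t "$CI_REGISTRY_IMAGE/web:latest" -t "$CI_REGISTRY_IMAGE/web:$CI_COMMIT_SHA" -f "./Dockerfile" --no-cache --pull "./"
    # The before_script login still holds here; no second login needed.
    - docker image push --all-tags "$CI_REGISTRY_IMAGE/web"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      exists:
        - web/Dockerfile
      changes:
        - web/**/*
        - web/*
        - .gitlab-ci.yml
        - docker-compose.yml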
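# Push the web assets to object storage with rclone; the actual minify/upload
# steps live in scripts/prepareAndPushStorage.sh. Runs on the default branch
# after build-web when the web tree, this file or the script changed.
# NOTE(review): alpine:latest and "npm install minify -g" are both unpinned,
# so the toolchain can change underneath this job between runs; pin the image
# tag and the minify version once a known-good one is established.
deploy-storage:
  stage: assets-deploy
  image: docker.io/library/alpine:latest
  needs:
    - build-web
  before_script:
    - apk update && apk add ca-certificates && update-ca-certificates
    - apk add --no-cache wget openssl bash
    - apk add --update --no-cache nodejs npm
    - npm install minify -g
    - apk add --update --no-cache rclone
    # The rclone config holds storage credentials and is written into the
    # working tree from a CI variable. Restrict it to the job user so nothing
    # else running in the container (or a later artifact collection) can read
    # it; after_script deletes it again once the push is done.
    - echo -e "$RCLONE_CONFIG" > rclone.conf
    - chmod 600 rclone.conf
  script:
    - bash scripts/prepareAndPushStorage.sh
  after_script:
    # Runs even when the script fails, so the credential file never outlives
    # the job.
    - rm -f rclone.conf
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      changes:
        - web/**/*
        - web/*
        - .gitlab-ci.yml
        - scripts/prepareAndPushStorage.sh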
# SonarQube analysis for merge-request pipelines and the long-lived branches.
# The scanner's cache directory is kept under the project dir and cached per
# job name so plugins are not re-downloaded on every run.
sonarqube-check:
  stage: test
  image:
    name: docker.io/sonarsource/sonar-scanner-cli:5
    # Empty entrypoint so the job script runs directly in the image's shell.
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    # Disable shallow clone; the scanner wants full git history available.
    GIT_DEPTH: "0"
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - sonar-scanner
  # A failed analysis or quality gate does not fail the pipeline.
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
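# Export the SonarQube findings as a GitLab SAST report so they show up in
# the merge-request security widget. Runs on MR pipelines and main.
sonarqube-vulnerability-report:
  stage: test
  # "needs" rather than "dependencies": both jobs sit in the test stage, and
  # dependencies only governs artifact download without ordering same-stage
  # jobs (GitLab may even reject such a reference), so the export could have
  # run before the scan finished. needs enforces the order; sonarqube-check's
  # allow_failure keeps this job runnable when the analysis fails.
  needs:
    - sonarqube-check
  image: docker.io/library/alpine:latest
  before_script:
    - apk update
    - apk add --no-cache curl
  script:
    # --fail turns an HTTP error (bad token, unknown project, server down) into
    # a job failure instead of writing the server's error page into the report
    # file, which the SAST report parser would then quietly discard.
    # SONAR_TOKEN is passed on the curl command line; keep it a masked CI
    # variable so it is redacted from the job log.
    - >-
      curl --fail --silent --show-error
      -u "${SONAR_TOKEN}:"
      "${SONAR_HOST_URL}/api/issues/gitlab_sast_export?projectKey=tnaudc_thats_a_nice_argument_unfortunately_dot_com-website_AYwnzwA6UU5pSxiXRsi4&branch=${CI_COMMIT_BRANCH}&pullRequest=${CI_MERGE_REQUEST_IID}"
      -o gl-sast-sonar-report.json
  allow_failure: true
  only:
    - merge_requests
    - main
  artifacts:
    expire_in: 1 day
    reports:
      sast: gl-sast-sonar-report.json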