-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
119 lines (109 loc) · 3.54 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
include:
# https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Secret-Detection.latest.gitlab-ci.yml
- template: Jobs/Secret-Detection.latest.gitlab-ci.yml
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
when: never
- if: $CI_COMMIT_BRANCH
- if: $CI_COMMIT_TAG
# For some reason artifact upload does not work for this pipeline, so I implemented a manual cache.
stages:
- build
- unit_tests
- validate
- sonar
variables:
LC_ALL: "en_US.UTF-8"
LANG: "en_US.UTF-8"
GIT_STRATEGY: clone
# Gitlab Secret Detection
ENABLE_SECRET_DETECTION: "true"
default:
id_tokens:
ID_TOKEN:
aud: https://vault.dracoon.net
before_script:
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.dracoon.com/dracoon/cicd/pipeline/sdk-swift-crypto-sonar.git
- SONAR_BRANCH=$CI_COMMIT_REF_NAME
- sh sdk-swift-crypto-sonar/setup.sh "${SONAR_BRANCH}" "${CI_COMMIT_SHORT_SHA}"
build:
dependencies: []
stage: build
script:
- bundle exec fastlane build
#- sh /opt/gitlab/Library/cleanupArtifacts.sh
- if [ -d /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID} ]; then rm -rf /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}; fi
- mkdir /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}
- cp compile_commands.json /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}
#artifacts:
# paths:
# - $CI_PROJECT_DIR/compile_commands.json
tags:
- darwin/arm64
- ios-build
unit_tests:
dependencies: []
stage: unit_tests
#artifacts:
# paths:
# - TestResults/Logs/Test/*.xcresult
script:
- bundle exec fastlane runUnitTests
- cp sdk-swift-crypto-sonar/printCodeCoverage.sh TestResults/Logs/Test/
- sh TestResults/Logs/Test/printCodeCoverage.sh
- cp -r TestResults /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}
coverage: '/Code coverage: \d+\.\d+/'
tags:
- darwin/arm64
- ios-build
dependency_check:
stage: validate
secrets:
NVD_API_KEY:
vault: nist-nvd-ios/api-key@Build-Environment
file: false
needs:
- job: build
script:
- cp sdk-swift-crypto-sonar/update-package-version.sh .
- cp sdk-swift-crypto-sonar/Package.resolved .
- sh update-package-version.sh
- dependency-check --scan Package.resolved --nvdApiKey $NVD_API_KEY --enableExperimental --failOnCVSS 7
- rm -f update-package-version.sh Package.resolved
#retry: 2
# Temporarily allow failure until OWASP dependency check is fixed
allow_failure: true
tags:
- darwin/arm64
- ios-build
secret_detection:
stage: validate
before_script:
- git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.dracoon.com/dracoon/cicd/pipeline/sdk-swift-crypto-sonar.git
needs:
- job: build
rules:
- if: $ENABLE_SECRET_DETECTION != "true" ||
$SECRET_DETECTION_DISABLED == "true"
when: never
- when: on_success
allow_failure: false
sonar:
stage: sonar
secrets:
SONAR_TOKEN:
vault: Sonar/token@Build-Environment
file: false
dependencies:
- build
- unit_tests
script:
- cp /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}/compile_commands.json .
- cp -r /opt/gitlab/Library/Artifacts/${CI_PIPELINE_ID}/TestResults .
- if [ $CI_PIPELINE_SOURCE == "merge_request_event" ]; then SONAR_BRANCH=$CI_MERGE_REQUEST_TARGET_BRANCH_NAME; else SONAR_BRANCH=$CI_COMMIT_REF_NAME; fi
- bundle exec fastlane runSonar token:$SONAR_TOKEN gitBranch:$SONAR_BRANCH commitHash:$CI_COMMIT_SHORT_SHA
tags:
- darwin/arm64
- ios-build