/
.gitlab-ci.yml
249 lines (233 loc) · 9.7 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
image:
name: registry.gitlab.com/squey/container-images/squey_build:3d10714d
pull_policy: [if-not-present]
variables:
GIT_SUBMODULE_STRATEGY: recursive
CACHE_COMPRESSION_LEVEL: "fastest"
UPDATE_INSTALLERS_ONLY:
value: "false"
description: "Only update the various installers, do not build the software"
CODE_COVERAGE:
value: "false"
description: "Only update the code coverage report"
PUBLISH_CONTAINER_IMAGE:
value: "false"
description: "Publish container image to registry"
stages:
- test
- build
- pages
- publish
- stop
workflow:
rules:
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
- if: '$CI_PIPELINE_SOURCE == "schedule"'
- if: '$CI_PIPELINE_SOURCE == "web"'
- if: '$CI_COMMIT_TAG =~ /^release-\d+\.\d+\.\d+$/'
.build:
stage: build
tags:
- privileged-docker
before_script: |
export PUSH_ARTIFACTS=$([ `git diff --name-only $CI_COMMIT_BEFORE_SHA $CI_COMMIT_SHA buildstream | wc -l` -ne 0 ] && echo "true" || echo "false")
for f in .git/modules/*/config .git/config; do sed "s/gitlab-ci-token:[[:alnum:]]\+/gitlab-ci_read-repository:$GITLAB_DEPLOY_TOKEN_READ_REPOSITORY/g" -i "$f"; done
mkdir -p "$CI_PROJECT_DIR/public/flatpak"
cd buildstream
interruptible: true
build testsuite:
extends: .build
script:
- ./build.sh
--cxx-compiler=$([ "$CODE_COVERAGE" == true ] && echo "g++" || echo "clang++")
--branch="${CI_COMMIT_REF_NAME}"
--flatpak-export=$(echo $CI_MERGE_REQUEST_LABELS | grep -q "action::flatpak_export" && echo true || echo false)
--flatpak-repo="/srv/flatpak_repo"
--code-coverage=$CODE_COVERAGE
--push-artifacts="${PUSH_ARTIFACTS}"
coverage: '/lines\.+: (\d+\.\d+)% \(\d+ of \d+ lines\)/'
rules:
- if: '$CI_COMMIT_TAG =~ "/^$/" && $UPDATE_INSTALLERS_ONLY == "false"'
artifacts:
when: always
paths:
- junit.xml
- code_coverage_report
reports:
junit: junit.xml
build release:
extends: .build
script:
- if [ "$UPDATE_INSTALLERS_ONLY" = "false" ]; then
./build.sh
--user-target=customer
--cxx-compiler=g++
--branch="${CI_COMMIT_REF_NAME}"
--flatpak-export=true
--flatpak-repo="$CI_PROJECT_DIR/public/flatpak"
--gpg-private-key-path=$GPG_PRIVATE_KEY
--gpg-sign-key=ADAD28A413FCB239A979C83B7C828C315B98BC63
--upload-debug-symbols=true
--push-artifacts="${PUSH_ARTIFACTS}"
; fi
artifacts:
paths:
- public/flatpak
rules:
- if: $CI_COMMIT_TAG =~ /^release-\d+\.\d+\.\d+$/
when: manual
- if: '$UPDATE_INSTALLERS_ONLY == "true"'
allow_failure: false
build container image:
image: quay.io/buildah/stable:latest
stage: build
tags:
- privileged-docker
before_script: |
dnf install -y jq
VERSION=$(curl -s -L https://flathub.org/api/v2/appstream/org.squey.Squey | jq -r .releases[0].version)
VERSION_NOT_PUBLISHED=$([ $(curl -s -L -o /dev/null https://hub.docker.com/v2/repositories/squey/squey/tags/$VERSION -w "%{http_code}") -eq 404 ] && echo "true" || echo "false")
PUBLISH_CONTAINER_IMAGE=$([ $PUBLISH_CONTAINER_IMAGE -o $VERSION_NOT_PUBLISHED ] && echo "true" || echo "false")
cd docker
script: |
PRODUCTION=1 ./build.sh
if [ $PUBLISH_CONTAINER_IMAGE = "true" ] && [ $CI_COMMIT_REF_PROTECTED = "true" ]; then
echo $DOCKERHUB_TOKEN | buildah login -u squey --password-stdin registry-1.docker.io &&
buildah push localhost/squey/squey registry-1.docker.io/squey/squey:latest
buildah push localhost/squey/squey registry-1.docker.io/squey/squey:$VERSION
fi
echo $CI_REGISTRY_PASSWORD | buildah login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY_IMAGE &&
buildah push localhost/squey/squey $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
rules:
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
changes:
- docker/**/*
- if: '$PUBLISH_CONTAINER_IMAGE == "true" && $CI_COMMIT_REF_PROTECTED == "true"'
interruptible: true
environment:
on_stop: build container image stop
name: review/$CI_COMMIT_REF_SLUG
url: $CI_PROJECT_URL
build container image stop: # Retag merged branch container to $CI_DEFAULT_BRANCH
image:
name: gcr.io/go-containerregistry/crane:debug
entrypoint: [""]
stage: stop
tags:
- privileged-docker
script: |
if [ "$PUBLISH_CONTAINER_IMAGE" = "false" ]; then
crane auth login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
crane tag $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME $CI_DEFAULT_BRANCH
wget "https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-amd64" -O ./reg
chmod a+x ./reg
./reg rm -d --auth-url $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_COMMIT_REF_NAME
fi
environment:
name: review/$CI_COMMIT_REF_SLUG
action: stop
rules:
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
changes:
- docker/**/*
when : manual
- if: '$PUBLISH_CONTAINER_IMAGE == "true" && $CI_COMMIT_REF_PROTECTED == "true"'
when : manual
allow_failure: true
pages:
stage: pages
tags:
- privileged-docker
before_script: |
cp nsis/resources/{AccessControl.dll,ExecDos.dll,INetC.dll,KillProcDLL.dll} /usr/share/nsis/Plugins/x86-unicode/
mkdir -p $CI_PROJECT_DIR/public/code_quality_report
script: |
VERSION=$(cat $CI_PROJECT_DIR/VERSION.txt | tr -d '\n')
PIPELINE_ID=`curl -s -X GET ${CI_API_V4_URL}/projects/squey%2Fsquey/pipelines?scope=tags | jq -r .[0].id`
JOB_ID=`curl -s -X GET ${CI_API_V4_URL}/projects/squey%2Fsquey/pipelines/${PIPELINE_ID}/jobs | jq -r '.[] | select(.stage=="pages") | .id'`
if [ $UPDATE_INSTALLERS_ONLY = "true" ] || [ $CODE_COVERAGE = "true" ]; then curl -XGET -L ${CI_PROJECT_URL}/-/jobs/${JOB_ID}/artifacts/download | bsdtar -xvf- || true; fi
if [ $CODE_COVERAGE = "true" ]; then rm -rf $CI_PROJECT_DIR/public/code_coverage_report && mv code_coverage_report $CI_PROJECT_DIR/public; exit 0; fi;
cd nsis && ./build.sh ; cd -
rm -rf $CI_PROJECT_DIR/public/squey_installer*.exe && osslsigncode sign -certs "$CODE_SIGNING_CERT" -key "$CODE_SIGNING_KEY" -n "Squey" -i "https://gitlab.com/squey/squey" -t "http://timestamp.comodoca.com/authenticode" -in nsis/squey_installer.exe -out "$CI_PROJECT_DIR/public/squey_installer.exe"
cp "public/squey_installer.exe" "public/squey_installer_$(md5sum public/squey_installer.exe | awk '{ print $1 }').exe"
cp buildstream/install.flatpakref public
cp -r docker squey_docker &&
zip -r public/squey_docker.zip squey_docker &&
rm -rf squey_docker
if [ $UPDATE_INSTALLERS_ONLY != "true" ]; then ostree checkout -U --repo=public/flatpak app/org.squey.Squey/x86_64/release-$VERSION public/flatpak_app && cd public/flatpak_app && XZ_OPT=-9T0 tar Jcvf "$CI_PROJECT_DIR/public/squey_flatpak_$VERSION.tar.xz" . && cd - && rm -rf "$CI_PROJECT_DIR/public/flatpak_app" ; fi
rm -rf "$CI_PROJECT_DIR/public/flatpak"
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: public/code_coverage_report/cobertura-coverage.xml
paths:
- public
when: on_success
expire_in: 1 day
rules:
- if: '$CI_COMMIT_TAG =~ /^release-\d+\.\d+\.\d+$/ || $UPDATE_INSTALLERS_ONLY == "true" || $CODE_COVERAGE == "true"'
interruptible: true
flathub:
stage: publish
tags:
- privileged-docker
needs:
- pages
before_script: |
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
eval $(ssh-agent -s)
echo "$SSH_FLATHUB_PRIVATE_KEY_B64" | base64 -d | ssh-add - > /dev/null
rm -rf org.squey.Squey
git clone git@github.com:flathub/org.squey.Squey.git
git config --global user.name "$FLATHUBGITCREDENTIALUSERNAME"
git config --global user.email "$FLATHUBGITCREDENTIALEMAIL"
export VERSION=$(cat $CI_PROJECT_DIR/VERSION.txt | tr -d '\n')
export BRANCH_NAME="publish-$VERSION"
cd "$CI_PROJECT_DIR/org.squey.Squey"
git checkout -b "$BRANCH_NAME"
script: |
cp "$CI_PROJECT_DIR/flathub/flathub.json" "$CI_PROJECT_DIR/org.squey.Squey"
jinja2 -D sha256=$(sha256sum "$CI_PROJECT_DIR/public/squey_flatpak_$VERSION.tar.xz" | awk '{print $1 }') -D version=$VERSION $CI_PROJECT_DIR/flathub/org.squey.Squey.yaml.j2 > "$CI_PROJECT_DIR/org.squey.Squey/org.squey.Squey.yaml"
git commit -a -m "Publish version $VERSION" || echo "No changes to commit"
git push -f --set-upstream origin "$BRANCH_NAME"
echo "$FLATHUB_GITHUB_PR_TOKEN" | gh auth login --with-token
gh pr --repo "flathub/org.squey.Squey" create --head master --base "$BRANCH_NAME" --fill || true
gh pr --repo "flathub/org.squey.Squey" merge "$BRANCH_NAME" --auto --merge --delete-branch
rules:
- if: $CI_COMMIT_TAG =~ /^release-\d+\.\d+\.\d+$/
sast:
variables:
SAST_EXCLUDED_PATHS: external, tests, doc
SAST_EXCLUDED_ANALYZERS: bandit, brakeman, gosec, kubesec, nodejs-scan, phpcs-security-audit,
pmd-apex, security-code-scan, sobelow, spotbugs
stage: test
tags:
- privileged-docker
include:
- template: Security/SAST.gitlab-ci.yml
#- template: Code-Quality.gitlab-ci.yml
#- template: Jobs/Secret-Detection.latest.gitlab-ci.yml
- template: Jobs/Container-Scanning.gitlab-ci.yml
flawfinder-sast:
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
semgrep-sast:
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
#secret_detection:
# rules:
# - if: '$CI_PIPELINE_SOURCE == "push"'
# - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
# interruptible: true
#code_quality_html:
# extends: code_quality
# variables:
# REPORT_FORMAT: html
# artifacts:
# paths: [gl-code-quality-report.html]
container_scanning:
variables:
CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_DEFAULT_BRANCH
CS_DOCKERFILE_PATH: docker/resources/Dockerfile
GIT_STRATEGY: fetch