stages: - build - style - test - security - tag default: retry: 2 variables: BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE TRIVY_CACHE_DIR: .cache/trivy TRIVY_NO_PROGRESS: "true" TRIVY_TIMEOUT: "10m0s" TRIVY_USERNAME: $CI_REGISTRY_USER TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD TRIVY_REGISTRY: $CI_REGISTRY UV_PROJECT_ENVIRONMENT: .venv UV_CACHE_DIR: .cache/uv BUILDAH_ISOLATION: oci STORAGE_DRIVER: vfs DOCKER_HOST: "tcp://docker:2375" DOCKER_TLS_CERTDIR: "" cache: key: "${CI_COMMIT_REF_SLUG}" paths: - $TRIVY_CACHE_DIR - $UV_CACHE_DIR - $UV_PROJECT_ENVIRONMENT policy: pull-push .buildah-job: &buildah-job image: quay.io/containers/buildah:latest variables: STORAGE_DRIVER: vfs before_script: - buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY .trivy-fs-template: &trivy-fs-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json . - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json . allow_failure: true artifacts: reports: sast: gl-sast-fs-report.json paths: - fs-sbom.json - gl-sast-fs-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .trivy-image-template: &trivy-image-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - | trivy image \ --scanners vuln \ --format cyclonedx \ --output image-sbom-${IMAGE_TYPE}.json \ $IMAGE_NAME:$CI_COMMIT_SHA - | trivy image \ --format sarif \ --output gl-sast-image-${IMAGE_TYPE}-report.json \ $IMAGE_NAME:$CI_COMMIT_SHA allow_failure: true artifacts: reports: sast: gl-sast-image-${IMAGE_TYPE}-report.json paths: - image-sbom-${IMAGE_TYPE}.json - gl-sast-image-${IMAGE_TYPE}-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .build-template: &build-config <<: *buildah-job stage: build script: - | buildah bud \ --tag $IMAGE_NAME:$CI_COMMIT_SHA \ --file $CONTAINERFILE \ --target $BUILDTARGET \ --layers \ --cache-from $IMAGE_NAME-cache \ --cache-to $IMAGE_NAME-cache \ $CONTEXT - buildah push $IMAGE_NAME:$CI_COMMIT_SHA rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: always - if: $CI_COMMIT_TAG when: always - if: $CI_PIPELINE_SOURCE == 'merge_request_event' when: manual allow_failure: true .tag-template: &tag-config <<: *buildah-job stage: tag script: - | set -euo pipefail buildah pull $IMAGE_NAME:$CI_COMMIT_SHA if [ -n "${CI_COMMIT_TAG:-}" ]; then buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_TAG buildah push $IMAGE_NAME:$CI_COMMIT_TAG fi if [ -n "${CI_COMMIT_BRANCH:-}" ]; then buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_REF_SLUG buildah push $IMAGE_NAME:$CI_COMMIT_REF_SLUG if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:latest buildah push $IMAGE_NAME:latest fi fi rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' when: manual allow_failure: true .uv-job: &uv-job image: docker.io/python:3.13-slim-trixie cache: key: "${CI_JOB_NAME}-${CI_COMMIT_REF_SLUG}" paths: - $UV_PROJECT_ENVIRONMENT - $UV_CACHE_DIR policy: pull-push before_script: - apt-get update - apt-get install -y --no-install-recommends ca-certificates curl just git - update-ca-certificates - curl -LsSf https://astral.sh/uv/install.sh | sh - export PATH="$HOME/.local/bin:$PATH" build-runtime: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend CONTAINERFILE: src/backend/Containerfile CONTEXT: src/backend BUILDTARGET: app build-staticfiles: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles CONTAINERFILE: src/backend/Containerfile CONTEXT: src/backend BUILDTARGET: staticfiles lint: <<: *uv-job stage: style script: - cd src/backend - uv sync --dev - just lint allow_failure: true format: <<: *uv-job stage: style script: - cd src/backend - uv sync --dev - just format-check allow_failure: true test: <<: *uv-job stage: test script: - cd src/backend - uv sync --dev - just ci-test artifacts: paths: - src/backend/.cov/ reports: junit: src/backend/.cov/junit.xml coverage_report: coverage_format: cobertura path: src/backend/.cov/coverage.xml expire_in: 1 week when: always coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/' dependencies: - build-runtime sast-filesystem: <<: *trivy-fs-scan sast-image-runtime: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend IMAGE_TYPE: runtime dependencies: - build-runtime sast-image-staticfiles: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles IMAGE_TYPE: staticfiles dependencies: - build-staticfiles tag-runtime: <<: *tag-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend dependencies: - build-runtime tag-staticfiles: <<: *tag-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles dependencies: - build-staticfiles workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG