# Stage order for every job in this file: image build, lint/format, tests,
# Trivy scans, then re-tagging of the built images.
stages:
  - build
  - style
  - test
  - security
  - tag

default:
  # Applies to every job that does not set its own `retry`.
  retry: 2

# Variables shared by all jobs; individual jobs add or override with their
# own `variables:` (IMAGE_NAME, CONTAINERFILE, ... are set per job below).
variables:
  BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
  # Trivy: on-disk cache (also listed under `cache.paths`) and the registry
  # credentials it uses to pull the images scanned in the `security` stage.
  TRIVY_CACHE_DIR: .cache/trivy
  TRIVY_NO_PROGRESS: "true"
  TRIVY_TIMEOUT: "10m0s"
  TRIVY_USERNAME: $CI_REGISTRY_USER
  TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  TRIVY_REGISTRY: $CI_REGISTRY
  # uv: project virtualenv and download cache, both cached between runs.
  UV_PROJECT_ENVIRONMENT: .venv
  UV_CACHE_DIR: .cache/uv
  # buildah settings shared by the build and tag jobs.
  BUILDAH_ISOLATION: oci
  STORAGE_DRIVER: vfs
  # NOTE(review): DOCKER_HOST points at a plaintext daemon on 2375 and
  # DOCKER_TLS_CERTDIR is emptied (TLS off). None of the jobs visible in this
  # file declares a `services:` entry or runs `docker`; if nothing consumes
  # these two variables they should be dropped rather than left as an
  # unauthenticated-daemon default.
  DOCKER_HOST: "tcp://docker:2375"
  DOCKER_TLS_CERTDIR: ""

# Default cache, keyed per branch/tag slug; the trivy and uv templates below
# replace it with narrower per-job caches.
cache:
  key: "${CI_COMMIT_REF_SLUG}"
  paths:
    - $TRIVY_CACHE_DIR
    - $UV_CACHE_DIR
    - $UV_PROJECT_ENVIRONMENT
  policy: pull-push
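# Shared settings for the jobs that drive buildah (build and tag stages):
# the buildah image, the vfs storage driver and a registry login.
.buildah-job: &buildah-job
  # NOTE(review): `latest` is a moving tag, so the build toolchain can change
  # between pipelines without any commit to this repo. Pin to a fixed tag or
  # digest (e.g. `quay.io/containers/buildah:<VERSION>@sha256:<DIGEST>`).
  image: quay.io/containers/buildah:latest
  variables:
    STORAGE_DRIVER: vfs
  before_script:
    # Pass the registry password on stdin rather than with `-p`, so it is not
    # exposed in the process argument list of the job container; `printf`
    # (not `echo`) keeps the secret verbatim whatever characters it holds.
    - printf '%s' "$CI_REGISTRY_PASSWORD" | buildah login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"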
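# Trivy filesystem scan of the checked-out repository: writes a CycloneDX SBOM
# and a SARIF report, both kept as artifacts.
.trivy-fs-template: &trivy-fs-scan
  stage: security
  image:
    # NOTE(review): `latest` is a moving tag; pin to a fixed tag or digest so
    # the scanner (and therefore the findings) are reproducible.
    name: aquasec/trivy:latest
    # Blank out the image entrypoint so the runner's shell executes `script`.
    entrypoint: [""]
  cache:
    # Only the Trivy DB cache is restored/saved here (overrides the global cache).
    paths:
      - $TRIVY_CACHE_DIR
    policy: pull-push
  before_script:
    - mkdir -p "$TRIVY_CACHE_DIR"
  script:
    # The cache directory sits inside the scan root (`.`), so it has to be
    # excluded as a directory: `--skip-dirs` skips its whole subtree, whereas
    # `--skip-files` only matches file paths and would leave the cached DB
    # files inside it to be scanned.
    - trivy filesystem --skip-dirs "$TRIVY_CACHE_DIR" --format cyclonedx --output fs-sbom.json .
    - trivy filesystem --skip-dirs "$TRIVY_CACHE_DIR" --format sarif --output gl-sast-fs-report.json .
  # No `--exit-code` is passed, so findings alone do not fail the job; this
  # additionally keeps scanner errors (DB download, timeout) from blocking
  # the pipeline. Findings are therefore informational only.
  allow_failure: true
  artifacts:
    reports:
      # NOTE(review): GitLab's `sast` report ingestion expects its own
      # security-report JSON schema; confirm this instance accepts SARIF here,
      # otherwise the file is kept only as a plain artifact (see `paths`).
      sast: gl-sast-fs-report.json
    paths:
      - fs-sbom.json
      - gl-sast-fs-report.json
    expire_in: 1 week
    # Keep the reports even when the scan step fails.
    when: always
  rules:
    # Rules are evaluated top-down and the first match wins, so the opt-out
    # must come before the rules that add the job; placed last it could never
    # match on the default branch, a tag or a merge request.
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'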
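# Trivy scan of a built image (tagged with the commit SHA): a CycloneDX SBOM
# and a SARIF vulnerability report. Jobs using this template set IMAGE_NAME
# and IMAGE_TYPE (the latter only distinguishes the output file names).
# Registry access uses the global TRIVY_USERNAME/TRIVY_PASSWORD/TRIVY_REGISTRY.
.trivy-image-template: &trivy-image-scan
  stage: security
  image:
    # NOTE(review): `latest` is a moving tag; pin to a fixed tag or digest.
    name: aquasec/trivy:latest
    entrypoint: [""]
  cache:
    paths:
      - $TRIVY_CACHE_DIR
    policy: pull-push
  before_script:
    - mkdir -p "$TRIVY_CACHE_DIR"
  script:
    # SBOM pass restricted to the vuln scanner (presumably to skip the other
    # default scanners); the SARIF pass below runs Trivy's default set.
    - |
      trivy image \
        --scanners vuln \
        --format cyclonedx \
        --output "image-sbom-${IMAGE_TYPE}.json" \
        "$IMAGE_NAME:$CI_COMMIT_SHA"
    - |
      trivy image \
        --format sarif \
        --output "gl-sast-image-${IMAGE_TYPE}-report.json" \
        "$IMAGE_NAME:$CI_COMMIT_SHA"
  # No `--exit-code` is passed, so findings do not fail the job; this also
  # keeps scanner errors from blocking the pipeline. NOTE(review): on merge
  # requests the build jobs are manual, so the SHA-tagged image may not exist
  # yet when this job runs and the scan will fail (non-blocking) until it does.
  allow_failure: true
  artifacts:
    reports:
      # NOTE(review): confirm this GitLab instance ingests SARIF as a `sast`
      # report; otherwise the file is only kept via `paths`.
      sast: gl-sast-image-${IMAGE_TYPE}-report.json
    paths:
      - image-sbom-${IMAGE_TYPE}.json
      - gl-sast-image-${IMAGE_TYPE}-report.json
    expire_in: 1 week
    when: always
  rules:
    # First match wins: the opt-out has to precede the rules that add the job,
    # otherwise `$SAST_DISABLED` is never honoured on the refs listed below.
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'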
# Build one target of a Containerfile with buildah and push it tagged with the
# commit SHA. Jobs using this template set IMAGE_NAME, CONTAINERFILE, CONTEXT
# and BUILDTARGET. Layer cache is read from and written to `$IMAGE_NAME-cache`
# in the registry (so the job needs push rights there as well).
.build-template: &build-config
  <<: *buildah-job
  stage: build
  script:
    - |
      buildah bud \
        --tag $IMAGE_NAME:$CI_COMMIT_SHA \
        --file $CONTAINERFILE \
        --target $BUILDTARGET \
        --layers \
        --cache-from $IMAGE_NAME-cache \
        --cache-to $IMAGE_NAME-cache \
        $CONTEXT
    - buildah push $IMAGE_NAME:$CI_COMMIT_SHA
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: always
    - if: $CI_COMMIT_TAG
      when: always
    # On merge requests the build is a manual, non-blocking job.
    # NOTE(review): the nesting of `allow_failure` under this rule was
    # reconstructed from its position after `when: manual` — confirm it is
    # not meant to be job-level (which would make default-branch build
    # failures non-blocking too).
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      when: manual
      allow_failure: true
# Re-tag the SHA-tagged image for the ref that triggered the pipeline: the git
# tag name when building a tag, the branch slug when building a branch, and
# additionally `latest` on the default branch. Jobs using this set IMAGE_NAME.
.tag-template: &tag-config
  <<: *buildah-job
  stage: tag
  script:
    # Runs under `set -euo pipefail`, so a failed pull/tag/push aborts the job.
    - |
      set -euo pipefail
      buildah pull $IMAGE_NAME:$CI_COMMIT_SHA
      if [ -n "${CI_COMMIT_TAG:-}" ]; then
        buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_TAG
        buildah push $IMAGE_NAME:$CI_COMMIT_TAG
      fi
      if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
        buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_REF_SLUG
        buildah push $IMAGE_NAME:$CI_COMMIT_REF_SLUG
        if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
          buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:latest
          buildah push $IMAGE_NAME:latest
        fi
      fi
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    # Manual and non-blocking on merge requests (same reconstructed nesting
    # of `allow_failure` as in `.build-template` — confirm it is rule-level).
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      when: manual
      allow_failure: true
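# Shared settings for the Python jobs: a slim Python image with `uv`, `just`
# and git installed in before_script, and a per-job, per-ref cache of the
# virtualenv and uv's download cache.
.uv-job: &uv-job
  image: docker.io/python:3.13-slim-trixie
  cache:
    key: "${CI_JOB_NAME}-${CI_COMMIT_REF_SLUG}"
    # NOTE(review): cache paths are relative to the repository root, while the
    # jobs using this template `cd src/backend` before `uv sync`; confirm the
    # environment really lands at ./.venv, otherwise this entry caches nothing.
    paths:
      - $UV_PROJECT_ENVIRONMENT
      - $UV_CACHE_DIR
    policy: pull-push
  before_script:
    - apt-get update
    - apt-get install -y --no-install-recommends ca-certificates curl just git
    - update-ca-certificates
    # Fetch the installer over HTTPS only (`--proto '=https'` also refuses a
    # downgrade through redirects) with TLS 1.2+, and fail on HTTP errors.
    # NOTE(review): the installer is still unpinned, so the uv version can
    # change between pipelines; prefer the versioned URL
    # https://astral.sh/uv/<UV_VERSION>/install.sh (or a pinned `uv==<UV_VERSION>`
    # via the base image's pip) for a reproducible toolchain.
    - curl --proto '=https' --tlsv1.2 -LsSf https://astral.sh/uv/install.sh | sh
    # The installer places `uv` under ~/.local/bin; before_script and script
    # share one shell, so the export is visible to the job's `script`.
    - export PATH="$HOME/.local/bin:$PATH"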
# Runtime image: the `app` target of the backend Containerfile,
# pushed as $CI_REGISTRY_IMAGE/backend:<sha>.
build-runtime:
  <<: *build-config
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
    CONTAINERFILE: src/backend/Containerfile
    CONTEXT: src/backend
    BUILDTARGET: app
# Static-files image: the `staticfiles` target of the same Containerfile,
# pushed as $CI_REGISTRY_IMAGE/backend-staticfiles:<sha>.
build-staticfiles:
  <<: *build-config
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles
    CONTAINERFILE: src/backend/Containerfile
    CONTEXT: src/backend
    BUILDTARGET: staticfiles
# Linter run via the project's justfile; failures are reported but do not
# block the pipeline.
lint:
  <<: *uv-job
  stage: style
  script:
    - cd src/backend
    - uv sync --dev
    - just lint
  allow_failure: true
# Formatting check (no rewrite) via the justfile; non-blocking like `lint`.
format:
  <<: *uv-job
  stage: style
  script:
    - cd src/backend
    - uv sync --dev
    - just format-check
  allow_failure: true
# Test suite via `just ci-test`; publishes the JUnit and Cobertura reports
# written under src/backend/.cov/ and extracts the total coverage from the log.
test:
  <<: *uv-job
  stage: test
  script:
    - cd src/backend
    - uv sync --dev
    - just ci-test
  artifacts:
    paths:
      - src/backend/.cov/
    reports:
      junit: src/backend/.cov/junit.xml
      coverage_report:
        coverage_format: cobertura
        path: src/backend/.cov/coverage.xml
    expire_in: 1 week
    # Keep reports from failed runs too.
    when: always
  # Matches the "TOTAL ... NN%" line of the coverage summary in the job log.
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  # NOTE(review): `dependencies` selects which jobs' artifacts to download;
  # `.build-template` declares no `artifacts:`, so this entry fetches nothing
  # (stage order already puts build before test). Likely intended as
  # documentation of the ordering, or a leftover — confirm.
  dependencies:
    - build-runtime
# Repository filesystem scan (see `.trivy-fs-template`).
sast-filesystem:
  <<: *trivy-fs-scan
# Image scan of the runtime image built by `build-runtime`.
sast-image-runtime:
  <<: *trivy-image-scan
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
    IMAGE_TYPE: runtime
  # `build-runtime` publishes no artifacts; this only documents the pairing.
  dependencies:
    - build-runtime
# Image scan of the static-files image built by `build-staticfiles`.
sast-image-staticfiles:
  <<: *trivy-image-scan
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles
    IMAGE_TYPE: staticfiles
  # `build-staticfiles` publishes no artifacts; this only documents the pairing.
  dependencies:
    - build-staticfiles
# Re-tag the runtime image for the current ref (see `.tag-template`).
tag-runtime:
  <<: *tag-config
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
  dependencies:
    - build-runtime
# Re-tag the static-files image for the current ref (see `.tag-template`).
tag-staticfiles:
  <<: *tag-config
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-staticfiles
  dependencies:
    - build-staticfiles
# Create pipelines only for merge requests, the default branch and tags;
# pushes to other branches get no pipeline (avoids duplicate branch + MR runs).
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG