You've already forked RekomenciBackend
chore: switched build impl to buildah
This commit is contained in:
+77
-81
@@ -7,8 +7,6 @@ stages:
|
|||||||
|
|
||||||
variables:
|
variables:
|
||||||
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
|
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
|
||||||
DOCKER_DRIVER: overlay2
|
|
||||||
DOCKER_TLS_CERTDIR: ""
|
|
||||||
TRIVY_CACHE_DIR: .cache/trivy
|
TRIVY_CACHE_DIR: .cache/trivy
|
||||||
TRIVY_NO_PROGRESS: "true"
|
TRIVY_NO_PROGRESS: "true"
|
||||||
TRIVY_TIMEOUT: "10m0s"
|
TRIVY_TIMEOUT: "10m0s"
|
||||||
@@ -17,6 +15,8 @@ variables:
|
|||||||
TRIVY_REGISTRY: $CI_REGISTRY
|
TRIVY_REGISTRY: $CI_REGISTRY
|
||||||
UV_PROJECT_ENVIRONMENT: .venv
|
UV_PROJECT_ENVIRONMENT: .venv
|
||||||
UV_CACHE_DIR: .cache/uv
|
UV_CACHE_DIR: .cache/uv
|
||||||
|
BUILDAH_ISOLATION: oci
|
||||||
|
STORAGE_DRIVER: vfs
|
||||||
|
|
||||||
cache:
|
cache:
|
||||||
key: "${CI_COMMIT_REF_SLUG}"
|
key: "${CI_COMMIT_REF_SLUG}"
|
||||||
@@ -26,12 +26,12 @@ cache:
|
|||||||
- $UV_PROJECT_ENVIRONMENT
|
- $UV_PROJECT_ENVIRONMENT
|
||||||
policy: pull-push
|
policy: pull-push
|
||||||
|
|
||||||
.docker-job: &docker-job
|
.buildah-job: &buildah-job
|
||||||
image: docker:28.5
|
image: quay.io/containers/buildah:latest
|
||||||
services:
|
variables:
|
||||||
- docker:28.5-dind
|
STORAGE_DRIVER: vfs
|
||||||
before_script:
|
before_script:
|
||||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
- buildah login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||||
|
|
||||||
.trivy-fs-template: &trivy-fs-scan
|
.trivy-fs-template: &trivy-fs-scan
|
||||||
stage: security
|
stage: security
|
||||||
@@ -116,20 +116,18 @@ cache:
|
|||||||
when: on_success
|
when: on_success
|
||||||
|
|
||||||
.build-template: &build-config
|
.build-template: &build-config
|
||||||
<<: *docker-job
|
<<: *buildah-job
|
||||||
stage: build
|
stage: build
|
||||||
variables:
|
|
||||||
DOCKER_BUILDKIT: 1
|
|
||||||
BUILDKIT_INLINE_CACHE: 1
|
|
||||||
script:
|
script:
|
||||||
- |
|
- |
|
||||||
docker buildx create --use
|
buildah build . \
|
||||||
docker buildx build . \
|
--tag $IMAGE_NAME:$CI_COMMIT_SHA \
|
||||||
-t $IMAGE_NAME:$CI_COMMIT_SHA \
|
--file $CONTAINERFILE \
|
||||||
-f $CONTAINERFILE --target $BUILDTARGET --push \
|
--target $BUILDTARGET \
|
||||||
--cache-from type=registry,ref=$IMAGE_NAME-cache \
|
--layers \
|
||||||
--cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \
|
--cache-from $IMAGE_NAME-cache \
|
||||||
--build-arg BUILDKIT_INLINE_CACHE=1
|
--cache-to $IMAGE_NAME-cache
|
||||||
|
- buildah push $IMAGE_NAME:$CI_COMMIT_SHA
|
||||||
rules:
|
rules:
|
||||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||||
when: always
|
when: always
|
||||||
@@ -140,26 +138,24 @@ cache:
|
|||||||
allow_failure: true
|
allow_failure: true
|
||||||
|
|
||||||
.tag-template: &tag-config
|
.tag-template: &tag-config
|
||||||
<<: *docker-job
|
<<: *buildah-job
|
||||||
stage: tag
|
stage: tag
|
||||||
script:
|
script:
|
||||||
- |
|
- |
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
|
|
||||||
docker pull "$IMAGE"
|
|
||||||
|
|
||||||
if [ -n "${CI_COMMIT_TAG:-}" ]; then
|
if [ -n "${CI_COMMIT_TAG:-}" ]; then
|
||||||
docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_TAG"
|
buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_TAG
|
||||||
docker push "$IMAGE_NAME:$CI_COMMIT_TAG"
|
buildah push $IMAGE_NAME:$CI_COMMIT_TAG
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
|
if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
|
||||||
docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
|
buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:$CI_COMMIT_REF_SLUG
|
||||||
docker push "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
|
buildah push $IMAGE_NAME:$CI_COMMIT_REF_SLUG
|
||||||
|
|
||||||
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
|
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
|
||||||
docker tag "$IMAGE" "$IMAGE_NAME:latest"
|
buildah tag $IMAGE_NAME:$CI_COMMIT_SHA $IMAGE_NAME:latest
|
||||||
docker push "$IMAGE_NAME:latest"
|
buildah push $IMAGE_NAME:latest
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
rules:
|
rules:
|
||||||
@@ -219,61 +215,61 @@ lint:
|
|||||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||||
- if: $CI_COMMIT_TAG
|
- if: $CI_COMMIT_TAG
|
||||||
|
|
||||||
test:
|
# test:
|
||||||
<<: *docker-job
|
# <<: *docker-job
|
||||||
stage: test
|
# stage: test
|
||||||
variables:
|
# variables:
|
||||||
COMPOSE_PROFILES: |
|
# COMPOSE_PROFILES: |
|
||||||
--profile migrations
|
# --profile migrations
|
||||||
--profile tests
|
# --profile tests
|
||||||
script:
|
# script:
|
||||||
- apk add --no-cache docker-compose
|
# - apk add --no-cache docker-compose
|
||||||
- export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)"
|
# - export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)"
|
||||||
- cp "$TEST_STAGE_FIREBASE_CONF" ./infrastructure/configs/backend/firebase.json
|
# - cp "$TEST_STAGE_FIREBASE_CONF" ./infrastructure/configs/backend/firebase.json
|
||||||
- |
|
# - |
|
||||||
(
|
# (
|
||||||
while true; do
|
# while true; do
|
||||||
docker compose -f compose.yaml $PROFILES logs -f 2>&1
|
# docker compose -f compose.yaml $PROFILES logs -f 2>&1
|
||||||
sleep 1
|
# sleep 1
|
||||||
done
|
# done
|
||||||
) | tee -a compose.log &
|
# ) | tee -a compose.log &
|
||||||
- LOGS_PID=$!
|
# - LOGS_PID=$!
|
||||||
- |
|
# - |
|
||||||
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
|
# REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
|
||||||
docker compose -f compose.yaml -f compose.prod.yaml \
|
# docker compose -f compose.yaml -f compose.prod.yaml \
|
||||||
$PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
|
# $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
|
||||||
- |
|
# - |
|
||||||
TEST_CONTAINER_ID=$(docker compose -f compose.yaml $PROFILES ps -q tests -a)
|
# TEST_CONTAINER_ID=$(docker compose -f compose.yaml $PROFILES ps -q tests -a)
|
||||||
timeout 600 docker wait $TEST_CONTAINER_ID
|
# timeout 600 docker wait $TEST_CONTAINER_ID
|
||||||
TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
|
# TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
|
||||||
|
|
||||||
if [ $TEST_EXIT_CODE -eq 0 ]; then
|
# if [ $TEST_EXIT_CODE -eq 0 ]; then
|
||||||
echo "Tests passed."
|
# echo "Tests passed."
|
||||||
else
|
# else
|
||||||
echo "Tests failed with exit code $TEST_EXIT_CODE."
|
# echo "Tests failed with exit code $TEST_EXIT_CODE."
|
||||||
exit 1
|
# exit 1
|
||||||
fi
|
# fi
|
||||||
- |
|
# - |
|
||||||
docker compose -f compose.yaml $PROFILES down
|
# docker compose -f compose.yaml $PROFILES down
|
||||||
- cat .cov/coverage.txt
|
# - cat .cov/coverage.txt
|
||||||
artifacts:
|
# artifacts:
|
||||||
paths:
|
# paths:
|
||||||
- ./.cov
|
# - ./.cov
|
||||||
- ./compose.log
|
# - ./compose.log
|
||||||
reports:
|
# reports:
|
||||||
coverage_report:
|
# coverage_report:
|
||||||
coverage_format: cobertura
|
# coverage_format: cobertura
|
||||||
path: .cov/coverage.xml
|
# path: .cov/coverage.xml
|
||||||
expire_in: 1 week
|
# expire_in: 1 week
|
||||||
when: always
|
# when: always
|
||||||
coverage: /TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/
|
# coverage: /TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/
|
||||||
rules:
|
# rules:
|
||||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
# - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
# - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||||
dependencies:
|
# dependencies:
|
||||||
- build-runtime
|
# - build-runtime
|
||||||
- build-tests
|
# - build-tests
|
||||||
- build-migrations
|
# - build-migrations
|
||||||
|
|
||||||
sast-filesystem:
|
sast-filesystem:
|
||||||
<<: *trivy-fs-scan
|
<<: *trivy-fs-scan
|
||||||
|
|||||||
Reference in New Issue
Block a user