You've already forked RekomenciBackend
ci: added integration tests and fixed trivy
This commit is contained in:
+57
-26
@@ -1,6 +1,6 @@
|
||||
stages:
|
||||
- test
|
||||
- build
|
||||
- test
|
||||
- security
|
||||
- deploy
|
||||
|
||||
@@ -8,6 +8,9 @@ variables:
|
||||
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
|
||||
DOCKER_DRIVER: overlay2
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
TRIVY_CACHE_DIR: .cache/trivy
|
||||
TRIVY_NO_PROGRESS: "true"
|
||||
TRIVY_TIMEOUT: "10m0s"
|
||||
|
||||
cache:
|
||||
key: "${CI_COMMIT_REF_SLUG}"
|
||||
@@ -16,27 +19,27 @@ cache:
|
||||
- .cache/trivy
|
||||
policy: pull-push
|
||||
|
||||
image: docker:28.0
|
||||
|
||||
services:
|
||||
- docker:28.0-dind
|
||||
default:
|
||||
image: docker:28.0
|
||||
services:
|
||||
- docker:28.0-dind
|
||||
before_script:
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
|
||||
.trivy-fs-template: &trivy-fs-scan
|
||||
stage: security
|
||||
image: aquasec/trivy:latest
|
||||
image:
|
||||
name: aquasec/trivy:latest
|
||||
entrypoint: [""]
|
||||
variables:
|
||||
TRIVY_CACHE_DIR: .cache/trivy
|
||||
TRIVY_NO_PROGRESS: "true"
|
||||
TRIVY_TIMEOUT: "10m0s"
|
||||
cache:
|
||||
paths:
|
||||
- $TRIVY_CACHE_DIR
|
||||
policy: pull-push
|
||||
before_script:
|
||||
- mkdir -p $TRIVY_CACHE_DIR
|
||||
script:
|
||||
- trivy fs --format cyclonedx --output fs-sbom.json . || true
|
||||
- trivy fs --format sarif --output gl-sast-fs-report.json . || true
|
||||
- trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json .
|
||||
- trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json .
|
||||
allow_failure: true
|
||||
artifacts:
|
||||
reports:
|
||||
@@ -55,21 +58,18 @@ services:
|
||||
|
||||
.trivy-image-template: &trivy-image-scan
|
||||
stage: security
|
||||
image: aquasec/trivy:latest
|
||||
image:
|
||||
name: aquasec/trivy:latest
|
||||
entrypoint: [""]
|
||||
variables:
|
||||
TRIVY_CACHE_DIR: .cache/trivy
|
||||
TRIVY_NO_PROGRESS: "true"
|
||||
TRIVY_TIMEOUT: "10m0s"
|
||||
cache:
|
||||
paths:
|
||||
- $TRIVY_CACHE_DIR
|
||||
policy: pull-push
|
||||
before_script:
|
||||
- mkdir -p $TRIVY_CACHE_DIR
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
script:
|
||||
- trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA || true
|
||||
- trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA || true
|
||||
- trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
|
||||
- trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
|
||||
allow_failure: true
|
||||
artifacts:
|
||||
reports:
|
||||
@@ -102,14 +102,9 @@ services:
|
||||
|
||||
.build-template: &build-config
|
||||
stage: build
|
||||
image: docker:28.0
|
||||
services:
|
||||
- docker:28.0-dind
|
||||
variables:
|
||||
DOCKER_BUILDKIT: 1
|
||||
BUILDKIT_INLINE_CACHE: 1
|
||||
before_script:
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
script:
|
||||
- |
|
||||
docker buildx create --use
|
||||
@@ -130,6 +125,33 @@ services:
|
||||
when: manual
|
||||
allow_failure: true
|
||||
|
||||
.run-test-template: &test-config
|
||||
stage: test
|
||||
script:
|
||||
- apk add --no-cache docker-compose
|
||||
- |
|
||||
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
|
||||
docker compose -f compose.yaml -f compose.prod.yaml \
|
||||
--profile migrations --profile tests up -d
|
||||
- |
|
||||
TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
|
||||
timeout 600 docker wait $TEST_CONTAINER_ID
|
||||
TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
|
||||
|
||||
if [ $TEST_EXIT_CODE -eq 0 ]; then
|
||||
echo "Tests passed."
|
||||
else
|
||||
echo "Tests failed with exit code $TEST_EXIT_CODE."
|
||||
exit 1
|
||||
fi
|
||||
- |
|
||||
docker compose -f compose.yaml -f compose.prod.yaml down
|
||||
artifacts:
|
||||
paths:
|
||||
- ./.cov
|
||||
expire_in: 1 week
|
||||
when: always
|
||||
|
||||
sast-filesystem:
|
||||
<<: *trivy-fs-scan
|
||||
|
||||
@@ -178,19 +200,28 @@ build-migrations:
|
||||
CONTAINERFILE: Containerfile
|
||||
BUILDTARGET: migrations
|
||||
|
||||
run-tests:
|
||||
<<: *test-config
|
||||
dependencies:
|
||||
- build-runtime
|
||||
- build-tests
|
||||
- build-migrations
|
||||
|
||||
webhook-backend-deploy:
|
||||
<<: *webhook-config
|
||||
variables:
|
||||
WEBHOOK_URL: $WEBHOOK_URL_BACKEND
|
||||
dependencies:
|
||||
- build-runtime
|
||||
- sast-image-runtime
|
||||
|
||||
webhook-migrations-deploy:
|
||||
<<: *webhook-config
|
||||
variables:
|
||||
WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
|
||||
dependencies:
|
||||
- build-migrations
|
||||
- build-migrations
|
||||
- sast-image-migrations
|
||||
|
||||
workflow:
|
||||
rules:
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
services:
|
||||
backend:
|
||||
image: "${REGISTRY_PREFIX}/backend"
|
||||
|
||||
tests:
|
||||
image: "${REGISTRY_PREFIX}/backend-tests"
|
||||
|
||||
migrations:
|
||||
image: "${REGISTRY_PREFIX}/backend-migrations"
|
||||
+2
-3
@@ -1,6 +1,7 @@
|
||||
name: prod-hackaton-template
|
||||
|
||||
services:
|
||||
backend:
|
||||
image: template-project-backend
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Containerfile
|
||||
@@ -42,7 +43,6 @@ services:
|
||||
shm_size: 4mb
|
||||
|
||||
tests:
|
||||
image: template-project-tests
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Containerfile
|
||||
@@ -89,7 +89,6 @@ services:
|
||||
target: /app/cov
|
||||
|
||||
migrations:
|
||||
image: template-project-migrations
|
||||
build:
|
||||
context: .
|
||||
dockerfile: Containerfile
|
||||
|
||||
Reference in New Issue
Block a user