From 5e5566388efd0860f97773349accadfd9a64f426 Mon Sep 17 00:00:00 2001
From: ITQ
Date: Mon, 17 Nov 2025 22:27:07 +0300
Subject: [PATCH] ci: added integration tests and fixed trivy
---
 .gitlab-ci.yml | 83 ++++++++++++++++++++++++++++++++---------------
 compose.prod.yaml | 9 +++++
 compose.yaml | 5 ++-
 3 files changed, 68 insertions(+), 29 deletions(-)
 create mode 100644 compose.prod.yaml
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 5524ab0..303ded6 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,6 +1,6 @@
 stages:
-  - test
   - build
+  - test
   - security
   - deploy
 
@@ -8,6 +8,9 @@ variables:
   BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
   DOCKER_DRIVER: overlay2
   DOCKER_TLS_CERTDIR: ""
+  TRIVY_CACHE_DIR: .cache/trivy
+  TRIVY_NO_PROGRESS: "true"
+  TRIVY_TIMEOUT: "10m0s"
 
 cache:
   key: "${CI_COMMIT_REF_SLUG}"
@@ -16,27 +19,27 @@ cache:
     - .cache/trivy
   policy: pull-push
 
-image: docker:28.0
-
-services:
-  - docker:28.0-dind
+default:
+  image: docker:28.0
+  services:
+    - docker:28.0-dind
+  before_script:
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
 
 .trivy-fs-template: &trivy-fs-scan
   stage: security
-  image: aquasec/trivy:latest
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: [""]
   variables:
     TRIVY_CACHE_DIR: .cache/trivy
-    TRIVY_NO_PROGRESS: "true"
-    TRIVY_TIMEOUT: "10m0s"
   cache:
     paths:
       - $TRIVY_CACHE_DIR
     policy: pull-push
-  before_script:
-    - mkdir -p $TRIVY_CACHE_DIR
   script:
-    - trivy fs --format cyclonedx --output fs-sbom.json . || true
-    - trivy fs --format sarif --output gl-sast-fs-report.json . || true
+    - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json .
+    - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json .
   allow_failure: true
   artifacts:
     reports:
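Review bot: `default.before_script` now runs `docker login` in every job, including the two trivy templates that drop their own `before_script` in this hunk and the next (`.trivy-image-template`); the `aquasec/trivy` image presumably ships no `docker` binary, so that step would fail before the scan starts, and with `allow_failure: true` the pipeline stays green while producing no SBOM or SARIF report. Override it in both templates with `before_script: []`. `--skip-files $TRIVY_CACHE_DIR` names a directory, for which `--skip-dirs $TRIVY_CACHE_DIR` is the matching option. In `default.before_script`, prefer `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"` so the token is not passed as a process argument.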
@@ -55,21 +58,18 @@ services:
 
 .trivy-image-template: &trivy-image-scan
   stage: security
-  image: aquasec/trivy:latest
+  image:
+    name: aquasec/trivy:latest
+    entrypoint: [""]
   variables:
     TRIVY_CACHE_DIR: .cache/trivy
-    TRIVY_NO_PROGRESS: "true"
-    TRIVY_TIMEOUT: "10m0s"
   cache:
     paths:
       - $TRIVY_CACHE_DIR
     policy: pull-push
-  before_script:
-    - mkdir -p $TRIVY_CACHE_DIR
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
-    - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA || true
-    - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA || true
+    - trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
+    - trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
   allow_failure: true
   artifacts:
     reports:
@@ -102,14 +102,9 @@ services:
 
 .build-template: &build-config
   stage: build
-  image: docker:28.0
-  services:
-    - docker:28.0-dind
   variables:
     DOCKER_BUILDKIT: 1
     BUILDKIT_INLINE_CACHE: 1
-  before_script:
-    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
   script:
     - |
       docker buildx create --use
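Review bot: With the job-level `docker login` removed from `.trivy-image-template`, nothing in this job authenticates `trivy image` to `$CI_REGISTRY`; the inherited default `before_script` presumably cannot run inside the trivy image, and even if it did, it only produces a docker config file trivy must happen to find. Set the credentials trivy reads directly, e.g. `TRIVY_USERNAME: $CI_REGISTRY_USER` and `TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD` under `variables`, and keep `CI_REGISTRY_PASSWORD` masked in the project settings. Dropping `|| true` is an improvement: a scan that cannot pull `$IMAGE_NAME:$CI_COMMIT_SHA` now shows as a failed job instead of silently uploading an empty report.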
@@ -130,6 +125,33 @@ services:
   when: manual
   allow_failure: true
 
+.run-test-template: &test-config
+  stage: test
+  script:
+    - apk add --no-cache docker-compose
+    - |
+      REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
+        docker compose -f compose.yaml -f compose.prod.yaml \
+        --profile migrations --profile tests up -d
+    - |
+      TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
+      timeout 600 docker wait $TEST_CONTAINER_ID
+      TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
+
+      if [ $TEST_EXIT_CODE -eq 0 ]; then
+        echo "Tests passed."
+      else
+        echo "Tests failed with exit code $TEST_EXIT_CODE."
+        exit 1
+      fi
+    - |
+      docker compose -f compose.yaml -f compose.prod.yaml down
+  artifacts:
+    paths:
+      - ./.cov
+    expire_in: 1 week
+    when: always
+
 sast-filesystem:
   <<: *trivy-fs-scan
@@ -178,19 +200,28 @@ build-migrations:
     CONTAINERFILE: Containerfile
     BUILDTARGET: migrations
 
+run-tests:
+  <<: *test-config
+  dependencies:
+    - build-runtime
+    - build-tests
+    - build-migrations
+
 webhook-backend-deploy:
   <<: *webhook-config
   variables:
     WEBHOOK_URL: $WEBHOOK_URL_BACKEND
   dependencies:
     - build-runtime
+    - sast-image-runtime
 
 webhook-migrations-deploy:
   <<: *webhook-config
   variables:
     WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
   dependencies:
-    - build-migrations
+    - build-migrations
+    - sast-image-migrations
 
 workflow:
   rules:
diff --git a/compose.prod.yaml b/compose.prod.yaml
new file mode 100644
index 0000000..c4ec125
--- /dev/null
+++ b/compose.prod.yaml
@@ -0,0 +1,9 @@
+services:
+  backend:
+    image: "${REGISTRY_PREFIX}/backend"
+
+  tests:
+    image: "${REGISTRY_PREFIX}/backend-tests"
+
+  migrations:
+    image: "${REGISTRY_PREFIX}/backend-migrations"
diff --git a/compose.yaml b/compose.yaml
index 720ae57..2f941f7 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,6 +1,7 @@
+name: prod-hackaton-template
+
 services:
   backend:
-    image: template-project-backend
     build:
       context: .
       dockerfile: Containerfile
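Review bot: A test container that hangs is reported as passed in `.run-test-template`: when `timeout 600` kills `docker wait`, the script falls through to `docker inspect`, which reads `ExitCode` 0 from the still-running container and takes the success branch. `docker wait` already prints the exit code, so the two lines can become `TEST_EXIT_CODE=$(timeout 600 docker wait "$TEST_CONTAINER_ID") || { echo "Tests did not finish within 600s."; exit 1; }`. The `docker compose ... down` entry is skipped whenever the previous script entry exits 1, so move it to `after_script`, and add `docker compose -f compose.yaml -f compose.prod.yaml logs tests` there since the failure branch currently prints only the exit code. The `ps` call omits the `-f` files used by `up`, which only works because `compose.yaml` now sets `name:`; passing the same `-f` pair keeps the two calls in step. `apk add docker-compose` installs the standalone `docker-compose` binary while the script calls the `docker compose` plugin, so confirm the plugin is in `docker:28.0` or install `docker-cli-compose` instead.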
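Review bot: `dependencies:` only selects which artifacts a job downloads; it does not make `webhook-backend-deploy` wait for, or require a green, `sast-image-runtime`, and the scan templates carry `allow_failure: true`, so a failed image scan still deploys. If the intent is to gate deployment on the scan, express it with `needs:` and remove `allow_failure` from the scan jobs; otherwise the scan remains advisory and the added dependency is a no-op. The same applies to `webhook-migrations-deploy` and `sast-image-migrations` below. `run-tests` likewise lists three build jobs under `dependencies` although `.build-template` publishes images rather than artifacts, so `needs:` would state the ordering intent more precisely. The removed and re-added `- build-migrations` line appears to be a whitespace-only change and is worth checking for a stray trailing space.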
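Review bot: The three `image:` values in compose.prod.yaml carry no tag, so `docker compose up` in `run-tests` pulls `:latest` while the build and scan jobs in `.gitlab-ci.yml` address images as `$IMAGE_NAME:$CI_COMMIT_SHA`; unless the build stage also pushes `latest` (not visible here), the tests exercise whatever `latest` was last pushed rather than this commit. Pin the tag from the environment, e.g. `image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG:-latest}"` with `IMAGE_TAG=$CI_COMMIT_SHA` exported next to `REGISTRY_PREFIX` in the test script. Because the base `compose.yaml` keeps a `build:` section for each service, also consider `pull_policy: always` on these services (or `--no-build --pull always` on the `up` call) so compose does not fall back to building from the checkout when the image is absent locally.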
@@ -42,7 +43,6 @@ services:
     shm_size: 4mb
 
   tests:
-    image: template-project-tests
     build:
       context: .
       dockerfile: Containerfile
@@ -89,7 +89,6 @@ services:
         target: /app/cov
 
   migrations:
-    image: template-project-migrations
     build:
       context: .
       dockerfile: Containerfile