feat: added sample GitLab CI
This commit is contained in:
+192
@@ -0,0 +1,192 @@
|
||||
stages:
|
||||
- test
|
||||
- build
|
||||
- security
|
||||
- deploy
|
||||
|
||||
variables:
|
||||
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
|
||||
DOCKER_DRIVER: overlay2
|
||||
DOCKER_TLS_CERTDIR: ""
|
||||
|
||||
cache:
|
||||
key: "${CI_COMMIT_REF_SLUG}"
|
||||
paths:
|
||||
- .cache/pip
|
||||
- .cache/trivy
|
||||
policy: pull-push
|
||||
|
||||
image: docker:28.0
|
||||
|
||||
services:
|
||||
- docker:28.0-dind
|
||||
|
||||
.trivy-fs-template: &trivy-fs-scan
|
||||
stage: security
|
||||
image: aquasec/trivy:latest
|
||||
variables:
|
||||
TRIVY_CACHE_DIR: .cache/trivy
|
||||
TRIVY_NO_PROGRESS: "true"
|
||||
TRIVY_TIMEOUT: "10m0s"
|
||||
cache:
|
||||
paths:
|
||||
- $TRIVY_CACHE_DIR
|
||||
policy: pull-push
|
||||
before_script:
|
||||
- mkdir -p $TRIVY_CACHE_DIR
|
||||
script:
|
||||
- trivy fs --format cyclonedx --output fs-sbom.json . || true
|
||||
- trivy fs --format sarif --output gl-sast-fs-report.json . || true
|
||||
allow_failure: true
|
||||
artifacts:
|
||||
reports:
|
||||
sast: gl-sast-fs-report.json
|
||||
paths:
|
||||
- fs-sbom.json
|
||||
- gl-sast-fs-report.json
|
||||
expire_in: 1 week
|
||||
when: always
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
- if: $CI_COMMIT_TAG
|
||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||
- if: $SAST_DISABLED
|
||||
when: never
|
||||
|
||||
.trivy-image-template: &trivy-image-scan
|
||||
stage: security
|
||||
image: aquasec/trivy:latest
|
||||
variables:
|
||||
TRIVY_CACHE_DIR: .cache/trivy
|
||||
TRIVY_NO_PROGRESS: "true"
|
||||
TRIVY_TIMEOUT: "10m0s"
|
||||
cache:
|
||||
paths:
|
||||
- $TRIVY_CACHE_DIR
|
||||
policy: pull-push
|
||||
before_script:
|
||||
- mkdir -p $TRIVY_CACHE_DIR
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
script:
|
||||
- trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA || true
|
||||
- trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA || true
|
||||
allow_failure: true
|
||||
artifacts:
|
||||
reports:
|
||||
sast: gl-sast-image-${IMAGE_TYPE}-report.json
|
||||
paths:
|
||||
- image-sbom-${IMAGE_TYPE}.json
|
||||
- gl-sast-image-${IMAGE_TYPE}-report.json
|
||||
expire_in: 1 week
|
||||
when: always
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
- if: $CI_COMMIT_TAG
|
||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||
- if: $SAST_DISABLED
|
||||
when: never
|
||||
|
||||
.webhook-template: &webhook-config
|
||||
stage: deploy
|
||||
image: curlimages/curl:latest
|
||||
script:
|
||||
- |
|
||||
curl -s -X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
|
||||
-H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
|
||||
"$WEBHOOK_URL"
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
when: on_success
|
||||
|
||||
.build-template: &build-config
|
||||
stage: build
|
||||
image: docker:28.0
|
||||
services:
|
||||
- docker:28.0-dind
|
||||
variables:
|
||||
DOCKER_BUILDKIT: 1
|
||||
BUILDKIT_INLINE_CACHE: 1
|
||||
before_script:
|
||||
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
|
||||
script:
|
||||
- |
|
||||
docker buildx create --use
|
||||
docker buildx build . \
|
||||
-t $IMAGE_NAME:latest \
|
||||
-t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
|
||||
-t $IMAGE_NAME:$CI_COMMIT_SHA \
|
||||
-f $CONTAINERFILE --target $BUILDTARGET --push \
|
||||
--cache-from type=registry,ref=$IMAGE_NAME-cache \
|
||||
--cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \
|
||||
--build-arg BUILDKIT_INLINE_CACHE=1
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
when: always
|
||||
- if: $CI_COMMIT_TAG
|
||||
when: always
|
||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||
when: manual
|
||||
allow_failure: true
|
||||
|
||||
sast-filesystem:
|
||||
<<: *trivy-fs-scan
|
||||
|
||||
sast-image-runtime:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend
|
||||
IMAGE_TYPE: runtime
|
||||
dependencies:
|
||||
- build-runtime
|
||||
|
||||
sast-image-tests:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
|
||||
IMAGE_TYPE: tests
|
||||
dependencies:
|
||||
- build-tests
|
||||
|
||||
sast-image-migrations:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
|
||||
IMAGE_TYPE: migrations
|
||||
dependencies:
|
||||
- build-migrations
|
||||
|
||||
build-runtime:
|
||||
<<: *build-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend
|
||||
CONTAINERFILE: Containerfile
|
||||
BUILDTARGET: runtime
|
||||
|
||||
build-tests:
|
||||
<<: *build-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
|
||||
CONTAINERFILE: Containerfile
|
||||
BUILDTARGET: tests
|
||||
|
||||
build-migrations:
|
||||
<<: *build-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
|
||||
CONTAINERFILE: Containerfile
|
||||
BUILDTARGET: migrations
|
||||
|
||||
webhook-backend-deploy:
|
||||
<<: *webhook-config
|
||||
variables:
|
||||
WEBHOOK_URL: "https://paas.itqdev.xyz/api/v1/deploy?uuid=gokokwkwkgg8o4gggow00cc8&force=false&tag=$CI_COMMIT_REF_SLUG"
|
||||
dependencies:
|
||||
- build-runtime
|
||||
|
||||
workflow:
|
||||
rules:
|
||||
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
- if: $CI_COMMIT_TAG
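Review bot: The `<<: *trivy-image-scan` merge in `sast-image-runtime`, `sast-image-tests` and `sast-image-migrations` is a shallow YAML merge, so each job's own `variables:` block replaces the template's wholesale and `TRIVY_CACHE_DIR`, `TRIVY_NO_PROGRESS` and `TRIVY_TIMEOUT` are dropped; `mkdir -p $TRIVY_CACHE_DIR` then runs with no operand and the job fails in `before_script` before any scan, which `allow_failure: true` hides, leaving the pipeline green with no image SBOM or SARIF report. The same applies to `DOCKER_BUILDKIT`/`BUILDKIT_INLINE_CACHE` in the `build-*` jobs; GitLab's `extends: .trivy-image-template` deep-merges hashes and keeps the template variables, so prefer it over the anchors. The `- if: $SAST_DISABLED` / `when: never` rule sits last in both trivy templates, after rules that already match default-branch, tag and MR pipelines, and since the first matching rule wins it can never suppress a scan; move those two lines to the top of each `rules:` list. `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"` places the registry password on the command line where the process list can see it; use `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`, and since the `aquasec/trivy` image as far as I know ships no docker client, registry auth for `trivy image` belongs in `TRIVY_USERNAME`/`TRIVY_PASSWORD` rather than a `docker login` step. The webhook's `curl -s -X POST` has no `--fail`, so a 4xx/5xx from the deploy endpoint still passes the job and a rejected deploy goes unnoticed.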
|
||||