stages: - build - test - security - tag - deploy variables: BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" TRIVY_CACHE_DIR: .cache/trivy TRIVY_NO_PROGRESS: "true" TRIVY_TIMEOUT: "10m0s" TRIVY_USERNAME: $CI_REGISTRY_USER TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD TRIVY_REGISTRY: $CI_REGISTRY UV_PROJECT_ENVIRONMENT: .venv UV_CACHE_DIR: .cache/uv cache: key: "${CI_COMMIT_REF_SLUG}" paths: - $TRIVY_CACHE_DIR - $UV_CACHE_DIR - $UV_PROJECT_ENVIRONMENT policy: pull-push .docker-job: &docker-job image: docker:28.5 services: - docker:28.5-dind before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY .trivy-fs-template: &trivy-fs-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json . - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json . allow_failure: true artifacts: reports: sast: gl-sast-fs-report.json paths: - fs-sbom.json - gl-sast-fs-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .trivy-image-template: &trivy-image-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - | trivy image \ --scanners vuln \ --format cyclonedx \ --output image-sbom-${IMAGE_TYPE}.json \ $IMAGE_NAME:$CI_COMMIT_SHA - | trivy image \ --format sarif \ --output gl-sast-image-${IMAGE_TYPE}-report.json \ $IMAGE_NAME:$CI_COMMIT_SHA allow_failure: true artifacts: reports: sast: gl-sast-image-${IMAGE_TYPE}-report.json paths: - image-sbom-${IMAGE_TYPE}.json - gl-sast-image-${IMAGE_TYPE}-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .webhook-template: &webhook-config image: curlimages/curl:latest script: - | response=$(curl -s -w "\n%{http_code}" -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \ -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \ "$WEBHOOK_URL") body=$(echo "$response" | sed '$d') status=$(echo "$response" | tail -n1) echo "$body" [ $? -ne 0 ] && echo "curl failed" && exit 1 [ "$status" -lt 200 ] || [ "$status" -ge 300 ] && echo "HTTP $status" && exit 1 rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: on_success .build-template: &build-config <<: *docker-job stage: build variables: DOCKER_BUILDKIT: 1 BUILDKIT_INLINE_CACHE: 1 script: - | docker buildx create --use docker buildx build . \ -t $IMAGE_NAME:$CI_COMMIT_SHA \ -f $CONTAINERFILE --target $BUILDTARGET --push \ --cache-from type=registry,ref=$IMAGE_NAME-cache \ --cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \ --build-arg BUILDKIT_INLINE_CACHE=1 rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: always - if: $CI_COMMIT_TAG when: always - if: $CI_PIPELINE_SOURCE == 'merge_request_event' when: manual allow_failure: true .tag-template: &tag-config <<: *docker-job stage: tag script: - | set -euo pipefail SOURCE_IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA" docker pull "$SOURCE_IMAGE" DANGEROUS_TAGS="" if [ -n "$CI_COMMIT_TAG" ]; then DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_TAG" fi if [ -n "$CI_COMMIT_BRANCH" ]; then if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then DANGEROUS_TAGS="$DANGEROUS_TAGS latest $CI_COMMIT_REF_SLUG" else DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_REF_SLUG" fi fi if [ -z "$DANGEROUS_TAGS" ]; then echo "No tags to publish." exit 0 fi for TAG in $DANGEROUS_TAGS; do [ -z "$TAG" ] && continue TARGET_IMAGE="$IMAGE_NAME:$TAG" docker tag "$SOURCE_IMAGE" "$TARGET_IMAGE" docker push "$TARGET_IMAGE" done rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' when: manual allow_failure: true .uv-job: &uv-job image: debian:trixie-slim cache: key: "${CI_JOB_NAME}-${CI_COMMIT_REF_SLUG}" paths: - $UV_PROJECT_ENVIRONMENT - $UV_CACHE_DIR policy: pull-push before_script: - apt-get update - apt-get install -y --no-install-recommends ca-certificates curl just - update-ca-certificates - curl -LsSf https://astral.sh/uv/install.sh | sh - export PATH="$HOME/.local/bin:$PATH" build-runtime: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend CONTAINERFILE: Containerfile BUILDTARGET: runtime build-tests: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests CONTAINERFILE: Containerfile BUILDTARGET: tests build-migrations: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations CONTAINERFILE: Containerfile BUILDTARGET: migrations lint: <<: *uv-job stage: test script: - source $HOME/.local/bin/env - uv sync --group linters --frozen - source $UV_PROJECT_ENVIRONMENT/bin/activate - just lint rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_COMMIT_TAG test: <<: *docker-job stage: test variables: COMPOSE_PROFILES: | --profile migrations --profile tests script: - export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)" - apk add --no-cache docker-compose - | ( while true; do docker compose -f compose.yaml $PROFILES logs -f 2>&1 sleep 1 done ) | tee -a compose.log & - LOGS_PID=$! - | REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \ docker compose -f compose.yaml -f compose.prod.yaml \ $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log - | TEST_CONTAINER_ID=$(docker compose -f compose.yaml $PROFILES ps -q tests -a) timeout 600 docker wait $TEST_CONTAINER_ID TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID) if [ $TEST_EXIT_CODE -eq 0 ]; then echo "Tests passed." else echo "Tests failed with exit code $TEST_EXIT_CODE." exit 1 fi - | docker compose -f compose.yaml $PROFILES down - cat .cov/coverage.txt artifacts: paths: - ./.cov - ./compose.log reports: coverage_report: coverage_format: cobertura path: .cov/coverage.xml expire_in: 1 week when: always coverage: /TOTAL.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/ rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_PIPELINE_SOURCE == 'merge_request_event' dependencies: - build-runtime - build-tests - build-migrations sast-filesystem: <<: *trivy-fs-scan sast-image-runtime: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend IMAGE_TYPE: runtime dependencies: - build-runtime sast-image-tests: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests IMAGE_TYPE: tests dependencies: - build-tests sast-image-migrations: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations IMAGE_TYPE: migrations dependencies: - build-migrations tag-runtime: <<: *tag-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend tag-tests: <<: *tag-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests tag-migrations: <<: *tag-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations webhook-migrations-deploy: <<: *webhook-config stage: deploy variables: WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS resource_group: staging dependencies: - build-migrations - sast-image-migrations webhook-backend-deploy: <<: *webhook-config stage: deploy variables: WEBHOOK_URL: $WEBHOOK_URL_BACKEND environment: name: staging url: https://hackaton.paas.itqdev.xyz resource_group: staging dependencies: - build-runtime - sast-image-runtime workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG