stages: - build - test - security - deploy variables: BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE DOCKER_DRIVER: overlay2 DOCKER_TLS_CERTDIR: "" TRIVY_CACHE_DIR: .cache/trivy TRIVY_NO_PROGRESS: "true" TRIVY_TIMEOUT: "10m0s" TRIVY_USERNAME: $CI_REGISTRY_USER TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD TRIVY_REGISTRY: $CI_REGISTRY cache: key: "${CI_COMMIT_REF_SLUG}" paths: - .cache/pip - .cache/trivy policy: pull-push .docker-job: &docker-job image: docker:28.5 services: - docker:28.5-dind before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY .trivy-fs-template: &trivy-fs-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json . - trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json . allow_failure: true artifacts: reports: sast: gl-sast-fs-report.json paths: - fs-sbom.json - gl-sast-fs-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .trivy-image-template: &trivy-image-scan stage: security image: name: aquasec/trivy:latest entrypoint: [""] cache: paths: - $TRIVY_CACHE_DIR policy: pull-push before_script: - mkdir -p $TRIVY_CACHE_DIR script: - | trivy image \ --scanners vuln \ --format cyclonedx \ --output image-sbom-${IMAGE_TYPE}.json \ $IMAGE_NAME:$CI_COMMIT_SHA - | trivy image \ --format sarif \ --output gl-sast-image-${IMAGE_TYPE}-report.json \ $IMAGE_NAME:$CI_COMMIT_SHA allow_failure: true artifacts: reports: sast: gl-sast-image-${IMAGE_TYPE}-report.json paths: - image-sbom-${IMAGE_TYPE}.json - gl-sast-image-${IMAGE_TYPE}-report.json expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $SAST_DISABLED when: never .webhook-template: &webhook-config stage: deploy image: curlimages/curl:latest script: - | curl -s -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \ -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \ "$WEBHOOK_URL" rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: on_success .build-template: &build-config <<: *docker-job stage: build variables: DOCKER_BUILDKIT: 1 BUILDKIT_INLINE_CACHE: 1 script: - | docker buildx create --use docker buildx build . \ -t $IMAGE_NAME:latest \ -t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \ -t $IMAGE_NAME:$CI_COMMIT_SHA \ -f $CONTAINERFILE --target $BUILDTARGET --push \ --cache-from type=registry,ref=$IMAGE_NAME-cache \ --cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \ --build-arg BUILDKIT_INLINE_CACHE=1 rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH when: always - if: $CI_COMMIT_TAG when: always - if: $CI_PIPELINE_SOURCE == 'merge_request_event' when: manual allow_failure: true sast-filesystem: <<: *trivy-fs-scan sast-image-runtime: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend IMAGE_TYPE: runtime dependencies: - build-runtime sast-image-tests: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests IMAGE_TYPE: tests dependencies: - build-tests sast-image-migrations: <<: *trivy-image-scan variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations IMAGE_TYPE: migrations dependencies: - build-migrations build-runtime: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend CONTAINERFILE: Containerfile BUILDTARGET: runtime build-tests: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests CONTAINERFILE: Containerfile BUILDTARGET: tests build-migrations: <<: *build-config variables: IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations CONTAINERFILE: Containerfile BUILDTARGET: migrations test-e2e: <<: *docker-job stage: test variables: COMPOSE_PROFILES: | --profile migrations --profile tests script: - export PROFILES="$(printf '%s ' $COMPOSE_PROFILES)" - apk add --no-cache docker-compose - | REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \ docker compose -f compose.yaml -f compose.prod.yaml \ $PROFILES up -d -y --quiet-pull --quiet-build - | TEST_CONTAINER_ID=$(docker compose $PROFILES ps -q tests -a) timeout 600 docker wait $TEST_CONTAINER_ID TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID) if [ $TEST_EXIT_CODE -eq 0 ]; then echo "Tests passed." else echo "Tests failed with exit code $TEST_EXIT_CODE." exit 1 fi - docker compose $PROFILES logs --no-color > compose.log - | docker compose -f compose.yaml -f compose.prod.yaml down artifacts: paths: - ./.cov - ./compose.log expire_in: 1 week when: always rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_PIPELINE_SOURCE == 'merge_request_event' dependencies: - build-runtime - build-tests - build-migrations webhook-backend-deploy: <<: *webhook-config variables: WEBHOOK_URL: $WEBHOOK_URL_BACKEND dependencies: - build-runtime - sast-image-runtime webhook-migrations-deploy: <<: *webhook-config variables: WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS dependencies: - build-migrations - sast-image-migrations workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH - if: $CI_COMMIT_TAG