PROD.2026/RekomenciBackend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e7e3cf2b0ffe3c23b8711b1acf5eba348780dca9
RekomenciBackend/.gitlab-ci.yml
T

242 lines
6.0 KiB
YAML
Raw Blame History

stages:
- build
- test
- security
- deploy
variables:
BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: ""
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_NO_PROGRESS: "true"
TRIVY_TIMEOUT: "10m0s"
cache:
key: "${CI_COMMIT_REF_SLUG}"
paths:
- .cache/pip
- .cache/trivy
policy: pull-push
.docker-job: &docker-job
image: docker:28.0
services:
- docker:28.0-dind
before_script:
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY
.trivy-fs-template: &trivy-fs-scan
stage: security
image:
name: aquasec/trivy:latest
entrypoint: [""]
variables:
TRIVY_CACHE_DIR: .cache/trivy
cache:
paths:
- $TRIVY_CACHE_DIR
policy: pull-push
before_script:
- mkdir -p $TRIVY_CACHE_DIR
script:
- trivy filesystem --skip-files $TRIVY_CACHE_DIR --format cyclonedx --output fs-sbom.json .
- trivy filesystem --skip-files $TRIVY_CACHE_DIR --format sarif --output gl-sast-fs-report.json .
allow_failure: true
artifacts:
reports:
sast: gl-sast-fs-report.json
paths:
- fs-sbom.json
- gl-sast-fs-report.json
expire_in: 1 week
when: always
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- if: $SAST_DISABLED
when: never
.trivy-image-template: &trivy-image-scan
stage: security
image:
name: aquasec/trivy:latest
entrypoint: [""]
variables:
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_USERNAME: $CI_REGISTRY_USER
TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
cache:
paths:
- $TRIVY_CACHE_DIR
policy: pull-push
before_script:
- mkdir -p $TRIVY_CACHE_DIR
script:
- trivy image --format cyclonedx --output image-sbom-${IMAGE_TYPE}.json $IMAGE_NAME:$CI_COMMIT_SHA
- trivy image --format sarif --output gl-sast-image-${IMAGE_TYPE}-report.json $IMAGE_NAME:$CI_COMMIT_SHA
allow_failure: true
artifacts:
reports:
sast: gl-sast-image-${IMAGE_TYPE}-report.json
paths:
- image-sbom-${IMAGE_TYPE}.json
- gl-sast-image-${IMAGE_TYPE}-report.json
expire_in: 1 week
when: always
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- if: $SAST_DISABLED
when: never
.webhook-template: &webhook-config
stage: deploy
image: curlimages/curl:latest
script:
- |
curl -s -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
-H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
"$WEBHOOK_URL"
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: on_success
.build-template: &build-config
<<: *docker-job
stage: build
variables:
DOCKER_BUILDKIT: 1
BUILDKIT_INLINE_CACHE: 1
script:
- |
docker buildx create --use
docker buildx build . \
-t $IMAGE_NAME:latest \
-t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
-t $IMAGE_NAME:$CI_COMMIT_SHA \
-f $CONTAINERFILE --target $BUILDTARGET --push \
--cache-from type=registry,ref=$IMAGE_NAME-cache \
--cache-to type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd \
--build-arg BUILDKIT_INLINE_CACHE=1
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
when: always
- if: $CI_COMMIT_TAG
when: always
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
when: manual
allow_failure: true
.test-template: &test-config
<<: *docker-job
stage: test
script:
- apk add --no-cache docker-compose
- |
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
docker compose -f compose.yaml -f compose.prod.yaml \
--profile migrations --profile tests up -d
- |
TEST_CONTAINER_ID=$(docker compose --profile migrations --profile tests ps -q tests -a)
timeout 600 docker wait $TEST_CONTAINER_ID
TEST_EXIT_CODE=$(docker inspect --format "{{.State.ExitCode}}" $TEST_CONTAINER_ID)
if [ $TEST_EXIT_CODE -eq 0 ]; then
echo "Tests passed."
else
echo "Tests failed with exit code $TEST_EXIT_CODE."
exit 1
fi
- |
docker compose -f compose.yaml -f compose.prod.yaml down
artifacts:
paths:
- ./.cov
expire_in: 1 week
when: always
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
sast-filesystem:
<<: *trivy-fs-scan
sast-image-runtime:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend
IMAGE_TYPE: runtime
dependencies:
- build-runtime
sast-image-tests:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
IMAGE_TYPE: tests
dependencies:
- build-tests
sast-image-migrations:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
IMAGE_TYPE: migrations
dependencies:
- build-migrations
build-runtime:
<<: *build-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend
CONTAINERFILE: Containerfile
BUILDTARGET: runtime
build-tests:
<<: *build-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
CONTAINERFILE: Containerfile
BUILDTARGET: tests
build-migrations:
<<: *build-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
CONTAINERFILE: Containerfile
BUILDTARGET: migrations
run-tests:
<<: *test-config
dependencies:
- build-runtime
- build-tests
- build-migrations
webhook-backend-deploy:
<<: *webhook-config
variables:
WEBHOOK_URL: $WEBHOOK_URL_BACKEND
dependencies:
- build-runtime
- sast-image-runtime
webhook-migrations-deploy:
<<: *webhook-config
variables:
WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
dependencies:
- build-migrations
- sast-image-migrations
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
Reference in New Issue View Git Blame Copy Permalink