# GitLab CI/CD Configuration
# Pipeline stages in execution order; each job below names exactly one of them.
stages:
  - lint
  - test
  - build
  - security
  - deploy
# Pipeline-wide variables; every job inherits them unless it overrides the key.
variables:
  # Docker daemon settings. NOTE(review): no job in this file runs a docker
  # client or a dind service (builds use podman), so these may be leftovers.
  DOCKER_DRIVER: 'overlay2'
  DOCKER_TLS_CERTDIR: '/certs'
  # Podman user-namespace mode (same effect as `--userns=keep-id`).
  PODMAN_USERNS: 'keep-id'
# Default settings
# Applied to every job that does not set the same key itself.
default:
  # NOTE(review): floating tag; pinning it makes job environments reproducible.
  image: alpine:latest
  before_script:
    - echo "Starting job..."
  after_script:
    - echo "Job completed."
# Templates
# Hidden job (leading dot, never scheduled) carrying a per-ref cache config.
# Nothing in this file consumes it: no job uses `extends: .cache_template`
# and the &cache_config anchor is never aliased.
.cache_template: &cache_config
  cache:
    # One cache per branch/tag slug.
    key: '${CI_COMMIT_REF_SLUG}'
    paths:
      - node_modules/
      - .cache/
      - vendor/
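# Lint stage
# Shellcheck every shell script in the repository.
lint:shell:
  stage: lint
  image: koalaman/shellcheck-alpine:stable
  script:
    # `**/*.sh` is not recursive in the job shell (sh/ash has no globstar and
    # bash ships with it disabled), so it only matched one directory level and
    # passed the literal pattern to shellcheck when nothing matched. `find`
    # walks the whole tree and runs nothing when there are no scripts.
    - find . -type f -name '*.sh' -exec shellcheck {} +
  only:
    changes:
      - "**/*.sh"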
# Lint all YAML files against the repository's .yamllint configuration.
lint:yaml:
  stage: lint
  # NOTE(review): unpinned third-party image; consider pinning a tag/digest.
  image: sdesbure/yamllint
  script:
    - yamllint -c .yamllint .
  only:
    changes:
      # NOTE(review): whether these globs also match dot-files such as
      # .gitlab-ci.yml itself depends on GitLab's glob rules — confirm.
      - "**/*.yml"
      - "**/*.yaml"
# Lint Markdown files. markdownlint expands the quoted glob itself, so the
# recursive `**` works here regardless of the job shell.
lint:markdown:
  stage: lint
  image: node:lts-alpine
  script:
    # NOTE(review): installs the newest markdownlint-cli on every run; pin a
    # version so lint results do not change without a commit.
    - npm install -g markdownlint-cli
    - markdownlint '**/*.md'
  only:
    changes:
      - "**/*.md"
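# Test stage
# Unit tests with JUnit and coverage reporting.
test:unit:
  stage: test
  image: python:3.11-slim
  script:
    - pip install -r requirements.txt
    # --junitxml writes the file declared under artifacts.reports.junit and the
    # --cov options write coverage.xml (Cobertura) and htmlcov/ and print the
    # "TOTAL ... NN%" summary that the coverage regex below reads; without
    # these flags none of those files existed and the reports were empty.
    # NOTE(review): --cov needs the pytest-cov plugin in requirements.txt — confirm.
    - pytest tests/unit --junitxml=test-results.xml --cov=. --cov-report=term --cov-report=xml --cov-report=html
  # Overall percentage taken from the terminal coverage summary line.
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    reports:
      junit: test-results.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
    paths:
      - htmlcov/
    expire_in: 1 week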
# Integration tests against a throwaway PostgreSQL service container.
test:integration:
  stage: test
  image: python:3.11-slim
  services:
    # NOTE(review): floating tag; pin the major version the app targets.
    - postgres:latest
  variables:
    # Credentials for the ephemeral service only; they exist for the job's
    # lifetime and guard nothing outside it.
    POSTGRES_DB: 'testdb'
    POSTGRES_USER: 'testuser'
    POSTGRES_PASSWORD: 'testpass'
  script:
    - pip install -r requirements.txt
    # NOTE(review): the tests presumably reach the service by its hostname
    # `postgres`; verify the test configuration.
    - pytest tests/integration
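# Build stage
# Build the container image, tag it with the commit SHA and `latest`, and
# push both tags to the project registry.
build:podman:
  stage: build
  # NOTE(review): building inside this image may need the runner to permit it
  # (privileged executor or a suitable storage driver) — confirm runner config.
  image: quay.io/podman/stable
  script:
    - podman build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - podman tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest"
    # Pass the registry token on stdin: `-p` put it on the command line, where
    # it shows up in the process list and in any shell trace of the job.
    - echo "$CI_REGISTRY_PASSWORD" | podman login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - podman push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    # Note that tag pipelines also move `latest`, not only pushes to main.
    - podman push "$CI_REGISTRY_IMAGE:latest"
  only:
    - main
    - tags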
# Release build of the Rust binary, kept as an artifact for a month.
build:binary:
  stage: build
  # NOTE(review): floating toolchain tag; pin to the version rust-toolchain expects.
  image: rust:latest
  script:
    - cargo build --release
  artifacts:
    paths:
      # Whole release directory, including intermediate build output.
      - target/release/
    expire_in: 1 month
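# Security stage
# Static analysis with Semgrep, uploaded as a GitLab SAST report.
security:sast:
  stage: security
  image: returntocorp/semgrep
  script:
    # --gitlab-sast emits the GitLab SAST report schema, which is what the
    # artifacts.reports.sast upload expects; plain --json is Semgrep's own
    # format and is not ingested into the security dashboard.
    # NOTE(review): --config=auto fetches rules from the Semgrep registry at
    # run time and shares some project metadata with it — confirm that is
    # acceptable, or pin a ruleset checked into the repository.
    - semgrep --config=auto --gitlab-sast --output=semgrep-report.json .
  artifacts:
    reports:
      sast: semgrep-report.json
  # Findings are recorded but never block the pipeline.
  allow_failure: true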
# Filesystem scan of the checked-out tree with Trivy.
security:dependency-scan:
  stage: security
  # NOTE(review): floating tag; pin so the scanner version is known.
  image: aquasec/trivy:latest
  script:
    # NOTE(review): Trivy's native JSON is not GitLab's dependency-scanning
    # report schema — confirm the upload below is actually ingested (Trivy
    # can render GitLab's schema through a template instead).
    - trivy fs --format json --output trivy-report.json .
  artifacts:
    reports:
      dependency_scanning: trivy-report.json
  # A failing scan never fails the pipeline.
  allow_failure: true
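# Scan the image pushed by build:podman and upload the findings.
security:container-scan:
  stage: security
  image: aquasec/trivy:latest
  variables:
    # Let Trivy authenticate to the project registry the image was pushed to;
    # without credentials a private registry makes the pull, and the scan, fail.
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
  script:
    # Render into GitLab's container-scanning schema (template shipped in the
    # Trivy image) so the findings are uploaded as a report rather than only
    # printed to the job log and discarded.
    - trivy image --format template --template "@/contrib/gitlab.tpl" --output gl-container-scanning-report.json "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  only:
    - main
  # Findings are recorded but never block the pipeline.
  allow_failure: true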
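# Deploy stage
# Trigger the staging deployment webhook on every push to main.
deploy:staging:
  stage: deploy
  image: alpine:latest
  script:
    - echo "Deploying to staging..."
    - apk add --no-cache curl
    # --fail turns an HTTP error from the webhook into a failed job; without
    # it a 4xx/5xx response left the job green while nothing was deployed.
    # Quoting keeps an unset or space-containing URL from being word-split.
    - curl --fail --silent --show-error -X POST "$STAGING_WEBHOOK_URL"
  environment:
    name: staging
    url: https://staging.example.com
  only:
    - main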
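# Trigger the production deployment webhook; tag pipelines only, started by hand.
deploy:production:
  stage: deploy
  image: alpine:latest
  script:
    - echo "Deploying to production..."
    - apk add --no-cache curl
    # --fail turns an HTTP error from the webhook into a failed job; without
    # it a 4xx/5xx response left the job green while nothing was deployed.
    # Quoting keeps an unset or space-containing URL from being word-split.
    - curl --fail --silent --show-error -X POST "$PRODUCTION_WEBHOOK_URL"
  environment:
    name: production
    url: https://example.com
  only:
    - tags
  # Requires a person to press play in the pipeline view.
  when: manual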