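---
# GitLab CI pipeline: test -> code_quality -> build -> deploy -> push.
#
# Review notes on what changed versus the previous revision:
#   * `include:` is a top-level keyword; nested under the `sast` job the
#     linter rejects it and the template jobs `qodana` waits on never exist.
#   * Build tags the image `$CI_COMMIT_SHORT_SHA` but the re-tag jobs pulled
#     `$CI_COMMIT_SHA`, so "Push latest" / "Push tag" could never find it.
#     Every job now uses the same tag.
#   * The re-tag jobs had no docker image, no service and no registry login;
#     they now share the `.docker` template with Build.
#   * `docker login -p` puts the registry token in argv; `--password-stdin`
#     is used instead.
#   * The dind service and DOCKER_* variables were global, so every job
#     (pytest, qodana, the SSH deploy) started a privileged daemon it never
#     used. They are now scoped to the jobs that talk to Docker.
#   * The SSH deploy can pin the target host key via $SSH_KNOWN_HOSTS
#     instead of relying purely on trust-on-first-use.
# NOTE(review): the `deploy` stage (git pull over SSH on $BOT_HOST) is
# ordered before the `push` stage that re-tags the image; kept as found.
stages:
  - 'test'
  - 'code_quality'
  - 'build'
  - 'deploy'
  - 'push'

# Security templates. These define the hidden `.sast` base plus the analyzer
# jobs (semgrep-sast, gemnasium-python-dependency_scanning, kics-iac-sast).
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml

# Pin the template's placeholder `sast` job to our test stage.
sast:
  stage: 'test'

pytest:
  stage: 'test'
  # NOTE(review): `python` with no tag floats to whatever the registry serves
  # today; pin it to the interpreter version the project targets.
  image: python
  only:
    - test
  cache:
    paths:
      - $CI_PROJECT_DIR/venv/
  before_script:
    - cd "$CI_PROJECT_DIR"
    - python -m venv venv
    # Sourcing does not need the execute bit, so no chmod on activate.
    - . venv/bin/activate
    # Upgrade pip inside the venv -- that is the pip the install below uses.
    - pip install --upgrade --quiet pip
    - pip install --quiet -U -r requirements.txt
  script:
    - pytest -v

qodana:
  stage: 'code_quality'
  # The analyzer jobs come from the included templates and carry `exists:`
  # rules, so one of them may be absent from a given pipeline. `optional`
  # keeps that from failing pipeline creation with "job not found".
  needs:
    - job: 'gemnasium-python-dependency_scanning'
      optional: true
    - job: 'semgrep-sast'
      optional: true
    - job: 'kics-iac-sast'
      optional: true
  image:
    name: jetbrains/qodana-python-community
    entrypoint:
      - ''
  cache:
    - key: qodana-2023.3-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG
      fallback_keys:
        - qodana-2023.3-$CI_DEFAULT_BRANCH-
        - qodana-2023.3-
      paths:
        - '.qodana/cache'
        - $CI_PROJECT_DIR/venv
  variables:
    QODANA_TOKEN: "$qodana_token2"
  before_script:
    - cd "$CI_PROJECT_DIR/"
    - python -m venv venv
    - . venv/bin/activate
    - pip install --upgrade --quiet pip
    # NOTE(review): requirements.txt is not installed here; the venv cache
    # key differs from pytest's, so the inspection presumably runs without
    # project dependencies resolved -- confirm that is intended.
  script:
    - qodana --save-report --results-dir="$CI_PROJECT_DIR/.qodana/results" --cache-dir="$CI_PROJECT_DIR/.qodana/cache"
  artifacts:
    expose_as: 'Qodana report'
    expire_in: 1 week
    paths:
      - '.qodana/results/'

# Shared base for every job that talks to the Docker daemon. Keeping the
# dind service here (instead of globally) means only these jobs get a
# privileged daemon.
.docker:
  # Client-only image; the daemon lives in the dind service below.
  image: docker:25.0.5
  services:
    - name: docker:25.0.5-dind
      # The service inherits job variables; strip DOCKER_HOST so dockerd
      # listens instead of trying to talk to itself.
      entrypoint: ['env', '-u', 'DOCKER_HOST']
  variables:
    DOCKER_HOST: tcp://docker:2375/
    DOCKER_DRIVER: overlay2
    # See https://github.com/docker-library/docker/pull/166
    # NOTE(review): an empty DOCKER_TLS_CERTDIR disables TLS between the job
    # and dockerd (plaintext on the job-local service network). Enabling it
    # ("/certs", DOCKER_HOST tcp://docker:2376/) requires the runner to share
    # /certs/client between job and service; left as found until confirmed.
    DOCKER_TLS_CERTDIR: ""
  before_script:
    # --password-stdin keeps the registry token out of argv and `ps`.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

Build:
  extends: .docker
  stage: 'build'
  script:
    # Seed the layer cache from the previous image; a missing image is fine.
    - docker pull "$CI_REGISTRY_IMAGE:latest" || true
    # Build with OCI labels, using the pulled image as cache. The inline-cache
    # build-arg makes the pushed image carry the metadata the next
    # --cache-from needs under BuildKit; the legacy builder ignores it.
    # The image is tagged with the short commit SHA; the push stage re-tags it.
    - >
      docker build --pull
      --cache-from "$CI_REGISTRY_IMAGE:latest"
      --build-arg BUILDKIT_INLINE_CACHE=1
      --label "org.opencontainers.image.title=$CI_PROJECT_TITLE"
      --label "org.opencontainers.image.url=$CI_PROJECT_URL"
      --label "org.opencontainers.image.created=$CI_JOB_STARTED_AT"
      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
      --label "org.opencontainers.image.version=$CI_COMMIT_REF_NAME"
      --tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"

# Tag the master build as "latest".
Push latest:
  extends: .docker
  variables:
    # Pure registry work; no checkout needed.
    GIT_STRATEGY: none
  stage: 'push'
  only:
    - master
  script:
    # Another runner may pick this job up, so pull the Build output again.
    # Same tag Build pushed ($CI_COMMIT_SHORT_SHA), not the full SHA.
    - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:latest"

# Mirror every Git tag as a Docker tag; GitLab starts a pipeline per tag.
Push tag:
  extends: .docker
  variables:
    GIT_STRATEGY: none
  stage: 'push'
  only:
    - tags
  script:
    - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"

# Deploy by pulling the repo on the bot host over SSH.
push:
  stage: 'deploy'
  # NOTE(review): unpinned `alpine`; pin a release for reproducible deploys.
  image: 'alpine'
  needs: ['qodana']
  only:
    - master
  before_script:
    - apk add --no-cache openssh-client > /dev/null
    - eval "$(ssh-agent -s)"
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    # $SSH_PRIVATE_KEY is used as a path, i.e. presumably a file-type CI
    # variable; copy it and lock down the copy ssh actually reads.
    - cp "$SSH_PRIVATE_KEY" ~/.ssh/id_rsa
    - chmod 600 ~/.ssh/id_rsa
    - ssh-add ~/.ssh/id_rsa
    # Pin the target host key when SSH_KNOWN_HOSTS is provided. With it set,
    # accept-new verifies against the pinned entry and refuses a changed key;
    # without it, the first connection is trust-on-first-use.
    - if [ -n "$SSH_KNOWN_HOSTS" ]; then printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts; chmod 600 ~/.ssh/known_hosts; fi
  script:
    - ssh -o StrictHostKeyChecking=accept-new "$BOT_HOST" 'cd /opt/discord/tarkov && git pull'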