109 lines
3.0 KiB
YAML
109 lines
3.0 KiB
YAML
# You can override the included template(s) by including variable overrides
|
|
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
|
|
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
|
|
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
|
|
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
|
|
# Note that environment variables can be set in several places
|
|
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
|
|
stages:
|
|
- 'test'
|
|
- 'code_quality'
|
|
- 'build'
|
|
- 'deploy'
|
|
|
|
sast:
|
|
stage: 'test'
|
|
include:
|
|
- template: Security/SAST.gitlab-ci.yml
|
|
- template: Security/Dependency-Scanning.gitlab-ci.yml
|
|
- template: Security/SAST-IaC.gitlab-ci.yml
|
|
|
|
pytest:
|
|
stage: 'test'
|
|
image: python
|
|
only:
|
|
- test
|
|
cache:
|
|
paths:
|
|
- $CI_PROJECT_DIR/venv/
|
|
before_script:
|
|
- cd $CI_PROJECT_DIR
|
|
- pip install --upgrade --quiet pip
|
|
- python -m venv venv
|
|
- chmod u+x venv/bin/activate
|
|
- source venv/bin/activate
|
|
- pip install --quiet -U -r requirements.txt
|
|
script:
|
|
- pytest -v
|
|
|
|
qodana:
|
|
stage: 'code_quality'
|
|
needs: ['gemnasium-python-dependency_scanning', 'semgrep-sast', 'kics-iac-sast']
|
|
image:
|
|
name: jetbrains/qodana-python-community
|
|
entrypoint:
|
|
- ''
|
|
cache:
|
|
- key: qodana-2023.3-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG
|
|
fallback_keys:
|
|
- qodana-2023.3-$CI_DEFAULT_BRANCH-
|
|
- qodana-2023.3-
|
|
paths:
|
|
- ".qodana/cache"
|
|
- $CI_PROJECT_DIR/venv
|
|
variables:
|
|
QODANA_TOKEN: "$qodana_token2"
|
|
before_script:
|
|
- pip install --upgrade --quiet pip
|
|
- cd $CI_PROJECT_DIR/
|
|
- python -m venv venv
|
|
- chmod u+x venv/bin/activate
|
|
- source venv/bin/activate
|
|
script:
|
|
- qodana --save-report --results-dir=$CI_PROJECT_DIR/.qodana/results --cache-dir=$CI_PROJECT_DIR/.qodana/cache
|
|
artifacts:
|
|
expose_as: 'Qodana report'
|
|
expire_in: 1 week
|
|
paths:
|
|
- ".qodana/results/"
|
|
|
|
docker-build:
|
|
image: docker:latest
|
|
needs: ['pytest', 'qodana']
|
|
stage: build
|
|
services:
|
|
- docker:dind
|
|
script:
|
|
- |
|
|
if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
|
|
tag=""
|
|
echo "Running on default branch '$CI_DEFAULT_BRANCH': tag = 'latest'"
|
|
else
|
|
tag=":$CI_COMMIT_REF_SLUG"
|
|
echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
|
|
fi
|
|
- docker build --pull -t "$CI_REGISTRY_IMAGE${tag}" .
|
|
|
|
|
|
push:
|
|
stage: 'deploy'
|
|
image: 'alpine'
|
|
needs: ['qodana']
|
|
only:
|
|
- master
|
|
before_script:
|
|
- apk add openssh-client > /dev/null
|
|
- eval $(ssh-agent -s)
|
|
- chmod 400 $SSH_PRIVATE_KEY
|
|
|
|
- mkdir -p ~/.ssh
|
|
- chmod 700 ~/.ssh
|
|
|
|
- cp $SSH_PRIVATE_KEY ~/.ssh/id_rsa
|
|
|
|
- ssh-add ~/.ssh/id_rsa
|
|
script:
|
|
- ssh $BOT_HOST -oStrictHostKeyChecking=accept-new 'cd /opt/discord/tarkov && git pull'
|
|
|
|
|