-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
143 lines (132 loc) · 4.13 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
cache:
key: venv
paths:
- .venv
stages:
- test
- build
- pypi-publish
- docker-publish
- gitops
sast:
stage: test
include:
- template: Security/SAST.gitlab-ci.yml
build-whl:
stage: build
image: python:3-slim
variables:
POETRY_VIRTUALENVS_IN_PROJECT: "true"
before_script:
- apt update && apt install -y git
- pip3 install --upgrade build
script:
- python3 -m build
artifacts:
paths:
- dist/*
expire_in: 1 day
rules:
- if: $CI_COMMIT_TAG =~ /^(\d+\.)?(\d+\.)?(\*|\d+)$/
- changes:
- otpbot/**/*
docker:
stage: build
image: data61/magda-builder-docker
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
TAG: ${CI_COMMIT_REF_NAME}
services:
- docker:dind
script:
- echo ${CI_REGISTRY_PASSWORD} | docker login -u ${CI_REGISTRY_USER} ${CI_REGISTRY} --password-stdin
- docker pull ${CI_REGISTRY_IMAGE}:latest || true
- docker context create builder-context
- docker buildx create --name builderx --driver docker-container --use builder-context
- docker buildx bake -f bake.json yaotpbot-builder
cache:
key: docker-cache
paths:
- .buildx-cache/
except:
- tags
pypi-publish:
stage: pypi-publish
image: python:3-slim
variables:
POETRY_VIRTUALENVS_IN_PROJECT: "true"
TWINE_PASSWORD: "${PYPI_TOKEN}"
before_script:
- python3 -m pip install --upgrade twine
script:
- python3 -m twine upload -u __token__ --skip-existing dist/*
dependencies:
- build-whl
only:
- /^(\d+\.)?(\d+\.)?(\*|\d+)$/
except:
- branches
docker-publish:
stage: docker-publish
image: data61/magda-builder-docker
variables:
DOCKER_HOST: tcp://docker:2375/
DOCKER_DRIVER: overlay2
TAG: ${CI_COMMIT_REF_NAME}
services:
- docker:dind
script:
- echo ${CI_REGISTRY_PASSWORD} | docker login -u ${CI_REGISTRY_USER} ${CI_REGISTRY} --password-stdin
- docker pull ${CI_REGISTRY_IMAGE}:latest || true
- docker context create builder-context
- docker buildx create --name builderx --driver docker-container --use builder-context
- docker buildx bake -f bake.json --push
cache:
key: docker-cache
paths:
- .buildx-cache/
only:
- /^(\d+\.)?(\d+\.)?(\*|\d+)$/
except:
- branches
update-manifests:
stage: gitops
image:
name: alpine/git:v2.30.2
entrypoint: [""]
before_script:
- apk update && apk add curl bash && apk upgrade
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash -s /usr/local/bin/
- git clone "https://${GITLAB_USER_NAME}:${GITLAB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "${CI_COMMIT_SHA}"
- git config --global user.email "${GIT_USER_EMAIL:-$GITLAB_USER_EMAIL}"
- git config --global user.name "${GIT_USER_NAME:-$GITLAB_USER_NAME}"
- cd "${CI_COMMIT_SHA}/manifests"
script:
- pwd
- kustomize edit set image main=${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}
- kustomize build . > ../gitops-artifacts/manifest.yml
after_script:
- pwd
- cd ${CI_COMMIT_SHA}
- git add .
- |-
CHANGES=$(git status --porcelain | wc -l)
if [ "$CHANGES" -gt "0" ]; then
git status
git commit -m "Gitops - Bump ${CI_COMMIT_REF_NAME}"
git push -o ci.skip
else
echo "Nothing to commit"
fi
only:
- /^(\d+\.)?(\d+\.)?(\*|\d+)$/
except:
- branches