/
.gitlab-ci.yml
156 lines (140 loc) · 3.94 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
stages:
- test
- build
- analyze
image: $CI_REGISTRY/alphabill/gitlab-ci-image:main
.go-dependency:
before_script:
# Configure go caching
- mkdir -p .go
# Configure SSH agent
- eval "$(ssh-agent -s)"
- chmod 600 ${ALPHABILL_PRIVATE_KEY}
- ssh-add ${ALPHABILL_PRIVATE_KEY}
# Add SSH keys
- ssh-keyscan ${CI_SERVER_SHELL_SSH_HOST} > ci/known_hosts
- mkdir -p ~/.ssh
- chmod 600 ~/.ssh
- cp ci/known_hosts ~/.ssh/known_hosts
# Configure SSH mirror repository
- printf "[url \"ssh://git@${CI_SERVER_SHELL_SSH_HOST}/${CI_PROJECT_NAMESPACE}/\"]\n insteadOf = https://github.com/alphabill-org/\n" > ci/.gitconfig
- cp ci/.gitconfig ~/.gitconfig
.go-cache:
variables:
GOPATH: "$CI_PROJECT_DIR/.go:/root/go"
before_script:
- mkdir -p .go
cache:
key:
files:
- go.sum
paths:
- .go/pkg/mod/
vet:
stage: test
extends:
- .go-cache
- .go-dependency
needs: []
script:
- go vet ./...
test:
stage: test
extends:
- .go-cache
- .go-dependency
needs:
# tests are expensive compared to vet so do not start tests unless vet job succeeded
- vet
script:
- gotestsum --junitfile report.xml --format standard-quiet -- ./... -race -count=1 -parallel=1 -coverprofile test-coverage.out
- go tool cover -func test-coverage.out
- gocover-cobertura < test-coverage.out > test-coverage-cobertura.xml
coverage: '/\(statements\)(?:\s+)?(\d+(?:\.\d+)?%)/'
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: test-coverage-cobertura.xml
junit: report.xml
paths:
- test-coverage.out
when: always
build-docker:
stage: build
extends: .go-dependency
image: docker:latest
variables:
IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
script:
- docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
- docker build --ssh default --push --tag ${IMAGE_TAG} --file cli/alphabill/Dockerfile .
needs: []
build:
stage: build
extends:
- .go-cache
- .go-dependency
script:
- make build
artifacts:
paths:
- build
needs: []
gosec:
stage: analyze
script:
- make gosec
artifacts:
paths:
- gosec_report.json
needs: []
sonarqube-check:
stage: analyze
image:
name: sonarsource/sonar-scanner-cli:latest
entrypoint: [""]
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
cache:
key: "${CI_JOB_NAME}"
paths:
- .sonar/cache
script: >
if [ "$CI_OPEN_MERGE_REQUESTS" == "" ]; then
# Merge request not available, running Sonar without it.
sonar-scanner
else
# Place the CI_OPEN_MERGE_REQUESTS in between single quotes, because ! is special character for bash.
QUOTED_CI_OPEN_MERGE_REQUESTS="'${CI_OPEN_MERGE_REQUESTS}'"
# Takes part between last ! and ' character. Job rules makes sure that $CI_OPEN_MERGE_REQUESTS is not empty.
MERGE_REQUEST_ID=`echo ${QUOTED_CI_OPEN_MERGE_REQUESTS} | rev | cut -d'!' -f1 | cut -d"'" -f2 | rev`
sonar-scanner -Dsonar.pullrequest.key=${MERGE_REQUEST_ID} -Dsonar.pullrequest.branch=${CI_COMMIT_BRANCH} -Dsonar.pullrequest.base=${CI_DEFAULT_BRANCH}
fi
allow_failure: true
needs: ["gosec", "test"]
trivy:
stage: analyze
script:
# build report
- trivy --cache-dir .trivycache/ fs --exit-code 0 --no-progress --format template --template "@/html.tpl" -o trivy-report.html .
# print report
- trivy --cache-dir .trivycache/ fs --exit-code 1 --no-progress --severity "HIGH,CRITICAL" .
cache:
paths:
- .trivycache/
artifacts:
paths:
- trivy-report.html
when: always
needs: []
nancy:
stage: analyze
extends:
- .go-cache
- .go-dependency
when: manual
script:
- go list -json -m all | nancy sleuth
needs: []