Loading .gitlab-ci.yml +38 −12 Original line number Diff line number Diff line variables: PYTHON_PACKAGE: "templates_tests/python/mypackage" include: - local: 'alm/semantic-release.yml' - local: 'alm/semantic-release-badge.yml' - local: 'docker/kaniko.yml' - local: 'docker/anchore/grype.yml' - local: 'python/bandit.yml' - local: 'python/black.yml' - local: 'python/pip-outdated.yml' - local: 'python/pytest.yml' - local: 'python/mypy.yml' - local: 'python/pylint.yml' - local: 'python/safety.yml' - local: 'yaml/yamllint.yml' docker:kaniko: variables: CI_PROJECT_DIR: "./templates_tests/python" yaml:yamllint: allow_failure: true # for now # We only check if it runs properly, not if our image has problems docker:anchore:grype: variables: GRYPE_FAIL_ON: "" python:pytest: before_script: # We need to move here so it's added to PYTHONPATH - cd templates_tests/python variables: # Not happy with this, but we need it so --cov works, without breaking other jobs PYTHON_PACKAGE: mypackage workflow: rules: # Run if we're in a merge request Loading @@ -11,18 +47,7 @@ workflow: # Run for changes on the master branch (so merged MRs) - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH downstream:python-tests: stage: test variables: TARGET_REF: ${CI_COMMIT_REF_NAME} trigger: project: ci/tests/python strategy: depend rules: - if: $CI_COMMIT_TAG when: never - when: always # We keep this downstream, as we don't expect many MRs for this specific test downstream:pages: stage: test trigger: Loading @@ -34,6 +59,7 @@ downstream:pages: - changes: - other/pages-hugo.yml # We keep this downstream, as we don't expect many MRs for this specific test downstream:pandoc: stage: test trigger: Loading alm/semantic-release-badge.yml +5 −5 Original line number Diff line number Diff line Loading 
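Review bot: The `docker:kaniko` override reassigns the runner-provided `CI_PROJECT_DIR` to `"./templates_tests/python"`, which shadows a predefined variable with a relative path; the checkout still lands in the real project directory, and every template step that reads `CI_PROJECT_DIR` (the kaniko `--context`/`--dockerfile` paths and the `${CI_PROJECT_NAME}.tar` artifact path) now silently depends on the job's working directory. A dedicated template input would make the intent explicit, e.g. a new (constructed name) `KANIKO_CONTEXT` variable defaulting to `${CI_PROJECT_DIR}` in docker/kaniko-template.yml and set to `"${CI_PROJECT_DIR}/templates_tests/python"` here, though that change reaches into the template as well. A one-line comment above the override, `# Overrides the predefined CI_PROJECT_DIR so the template builds the test context`, would at least flag the shadowing for the next reader.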
@@ -6,13 +6,13 @@ semantic-release:badge: script: - LATEST_TAG=$(git describe --abbrev=0 --tags) - | BADGE_ID=$(curl --silent --header "PRIVATE-TOKEN: $GL_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges" | jq '.[] | select(.name=="version") | .id') || echo "[-] Unable to get current badge id." - LINK_URL="$CI_PROJECT_URL/tags/$LATEST_TAG" BADGE_ID=$(curl --silent --header "PRIVATE-TOKEN: ${GL_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges" | jq '.[] | select(.name=="version") | .id') || echo "[-] Unable to get current badge id." - LINK_URL="${CI_PROJECT_URL}/tags/${LATEST_TAG}" - IMAGE_URL="https://img.shields.io/badge/version-$LATEST_TAG-informational" - | case $BADGE_ID in ''|*[!0-9]*) echo "[*] Creating badge..." && curl --silent --request POST --header "PRIVATE-TOKEN: $GL_TOKEN" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}&name=version" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges" > /dev/null && echo "[+] Badge created successfully." || echo "[!] Badge creation failed" ;; ;; *) curl --silent --request PUT --header "PRIVATE-TOKEN: $GL_TOKEN" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges/$BADGE_ID" > /dev/null && echo "[+] Badge updated successfully." || echo "[!] Badge update failed" ;; case ${BADGE_ID} in ''|*[!0-9]*) echo "[*] Creating badge..." && curl --silent --request POST --header "PRIVATE-TOKEN: ${GL_TOKEN}" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}&name=version" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges" > /dev/null && echo "[+] Badge created successfully." || echo "[!] Badge creation failed" ;; ;; *) curl --silent --request PUT --header "PRIVATE-TOKEN: ${GL_TOKEN}" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges/${BADGE_ID}" > /dev/null && echo "[+] Badge updated successfully." || echo "[!] 
Badge update failed" ;; esac rules: - if: $CI_COMMIT_TAG && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH alm/semantic-release.yml +1 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,7 @@ semantic-release: PLUGINS: "@semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/gitlab" EXTRA_ARGS: "" # See https://semantic-release.gitbook.io/semantic-release/usage/configuration script: - semantic-release $EXTRA_ARGS --plugins $PLUGINS - semantic-release ${EXTRA_ARGS} --plugins $PLUGINS rules: - if: $CI_COMMIT_TAG when: never Loading docker/anchore/grype.yml +15 −15 Original line number Diff line number Diff line Loading 
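Review bot: The job's `rules` entry `$CI_COMMIT_TAG && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH` (context at the end of the hunk) cannot be satisfied, because GitLab sets `CI_COMMIT_BRANCH` only in branch pipelines and `CI_COMMIT_TAG` only in tag pipelines, so the badge job never runs and the `${VAR}` rewrite in the hunk is untested. Decide which pipeline should own the badge update; for tag pipelines `- if: $CI_COMMIT_TAG` alone is sufficient. The rendered hunk also shows `;; ;;` after the creation branch in both the old and the new `case` text; if those are two separate `;;` lines in the file rather than a rendering artifact, that is a shell syntax error the dead rule has been hiding. The script lines are a single block scalar, so the `case` statement's start is inside the hunk but its surrounding job keys are not.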
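Review bot: Style: the changed line now expands `${EXTRA_ARGS}` in braces but leaves `--plugins $PLUGINS` in the bare form on the same line, which is exactly the inconsistency the commit is removing in the other files; `- semantic-release ${EXTRA_ARGS} --plugins ${PLUGINS}`. Both variables are deliberately unquoted so the space-separated plugin list is word-split into arguments, which is worth stating above the script line, e.g. `# EXTRA_ARGS and PLUGINS are intentionally unquoted so they word-split`.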
@@ -4,16 +4,16 @@ docker:anchore:grype: image: registry.gitlab.com/notno/grype variables: GRYPE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" GRYPE_IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" script: - | skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${GRYPE_IMAGE} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope ${GRYPE_SCOPE} --fail-on ${GRYPE_FAIL_ON} --output ${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} docker/kaniko-template.yml +15 −23 Original line number Diff line number Diff line Loading 
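Review bot: `GRYPE_IMAGE` is now `${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}`, but a ref name may contain `/` (a branch such as `feature/x`), which is not valid in an image tag, so the `skopeo copy` source here and the matching `DESTINATIONS` built in docker/kaniko-template.yml both fail for such refs; `CI_COMMIT_REF_SLUG` is the sanitized form GitLab provides for this purpose. Independently, the scan resolves a mutable tag rather than the digest kaniko just pushed, so with concurrent pipelines on the same ref the scanned image may not be the one that was built; kaniko can record the pushed digest via `--digest-file` and this job could receive it through a dotenv artifact, which is a cross-file change. The `--src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}` argument also places the job token on the container's command line; `--src-authfile` with a file written in `before_script` keeps it out of process listings, although the exposure is limited to the job container.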
@@ -8,39 +8,31 @@ USE_CACHE: "true" DOCKERFILE: "Dockerfile" # Can be a path DEV_BUILD: "false" # set true to tag an image for each commit LABELS: "--label CI_PROJECT_URL=$CI_PROJECT_URL --label CI_COMMIT_SHORT_SHA=$CI_COMMIT_SHORT_SHA --label CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME" LABELS: "--label CI_PROJECT_URL=${CI_PROJECT_URL} --label CI_COMMIT_SHORT_SHA=${CI_COMMIT_SHORT_SHA} --label CI_COMMIT_REF_NAME=${CI_COMMIT_REF_NAME}" EXTRA_ARGS: "" # See https://github.com/GoogleContainerTools/kaniko#additional-flags image: name: gcr.io/kaniko-project/executor:debug entrypoint: [""] script: - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > /kaniko/.docker/config.json - | if [ -z "$DESTINATIONS" ]; then if [ ! -z "$CI_COMMIT_BRANCH" ]; then DESTINATIONS="--destination $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" if [ "$CI_COMMIT_BRANCH" = "master" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE:latest" fi fi if [ ! 
-z "$CI_COMMIT_TAG" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" if [ -z "${DESTINATIONS}" ]; then DESTINATIONS="--destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}" if [ "${CI_COMMIT_REF_NAME}" = "master" ]; then DESTINATIONS="${DESTINATIONS} --destination ${CI_REGISTRY_IMAGE}:latest" fi fi - | if [ "$DEV_BUILD" = "true" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE/dev:$CI_COMMIT_SHORT_SHA" if [ "${DEV_BUILD}" = "true" ]; then DESTINATIONS="${DESTINATIONS} --destination ${CI_REGISTRY_IMAGE}/dev:${CI_COMMIT_SHORT_SHA}" fi - printf "Will use the following destinations:$DESTINATIONS\n" | sed 's/--destination /\n/g' - /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE $DESTINATIONS $LABELS $EXTRA_ARGS - printf "Will use the following destinations:${DESTINATIONS}\n" | sed 's/--destination /\n/g' - /kaniko/executor --cache=${USE_CACHE} --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE} ${DESTINATIONS} ${LABELS} ${EXTRA_ARGS} - | if [ "$PYTHON_TEST" = "true" ]; then if [ "${PYTHON_TEST}" = "true" ]; then printf "\nRUN if ! python3 -m pip >/dev/null; then wget -q https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py; fi" >> $CI_PROJECT_DIR/$DOCKERFILE printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> $CI_PROJECT_DIR/$DOCKERFILE /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing $EXTRA_ARGS printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> ${CI_PROJECT_DIR}/${DOCKERFILE} /kaniko/executor --cache=${USE_CACHE} --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE} --destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-testing ${EXTRA_ARGS} fi artifacts: paths: - "${CI_PROJECT_NAME}.tar" Loading
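Review bot: The rewritten destination block pushes `:latest` whenever `${CI_COMMIT_REF_NAME}` equals `master`; the old code tested `$CI_COMMIT_BRANCH`, which is unset in tag pipelines, so a tag literally named `master` now also overwrites `:latest`, and the default branch name stays hard-coded instead of coming from `CI_DEFAULT_BRANCH`. `if [ "${CI_COMMIT_BRANCH}" = "${CI_DEFAULT_BRANCH}" ]; then` restores the old guard and drops the hard-coded name. Separately, the `/kaniko/.docker/config.json` line builds JSON by string interpolation with no escaping, so a registry user or password containing `"` or `\` yields an invalid auth file; `CI_REGISTRY_PASSWORD` is the job token today, but the template accepts any values, so a comment `# values are not JSON-escaped; credentials must not contain quotes or backslashes` should document the assumption. The `printf "Will use the following destinations:${DESTINATIONS}\n"` line also expands data into the format string, where a `%` would be misinterpreted; `printf 'Will use the following destinations:%s\n' "${DESTINATIONS}"` is the safe form.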
.gitlab-ci.yml +38 −12 Original line number Diff line number Diff line variables: PYTHON_PACKAGE: "templates_tests/python/mypackage" include: - local: 'alm/semantic-release.yml' - local: 'alm/semantic-release-badge.yml' - local: 'docker/kaniko.yml' - local: 'docker/anchore/grype.yml' - local: 'python/bandit.yml' - local: 'python/black.yml' - local: 'python/pip-outdated.yml' - local: 'python/pytest.yml' - local: 'python/mypy.yml' - local: 'python/pylint.yml' - local: 'python/safety.yml' - local: 'yaml/yamllint.yml' docker:kaniko: variables: CI_PROJECT_DIR: "./templates_tests/python" yaml:yamllint: allow_failure: true # for now # We only check if it runs properly, not if our image has problems docker:anchore:grype: variables: GRYPE_FAIL_ON: "" python:pytest: before_script: # We need to move here so it's added to PYTHONPATH - cd templates_tests/python variables: # Not happy with this, but we need it so --cov works, without breaking other jobs PYTHON_PACKAGE: mypackage workflow: rules: # Run if we're in a merge request Loading @@ -11,18 +47,7 @@ workflow: # Run for changes on the master branch (so merged MRs) - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH downstream:python-tests: stage: test variables: TARGET_REF: ${CI_COMMIT_REF_NAME} trigger: project: ci/tests/python strategy: depend rules: - if: $CI_COMMIT_TAG when: never - when: always # We keep this downstream, as we don't expect many MRs for this specific test downstream:pages: stage: test trigger: Loading @@ -34,6 +59,7 @@ downstream:pages: - changes: - other/pages-hugo.yml # We keep this downstream, as we don't expect many MRs for this specific test downstream:pandoc: stage: test trigger: Loading
alm/semantic-release-badge.yml +5 −5 Original line number Diff line number Diff line Loading 
@@ -6,13 +6,13 @@ semantic-release:badge: script: - LATEST_TAG=$(git describe --abbrev=0 --tags) - | BADGE_ID=$(curl --silent --header "PRIVATE-TOKEN: $GL_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges" | jq '.[] | select(.name=="version") | .id') || echo "[-] Unable to get current badge id." - LINK_URL="$CI_PROJECT_URL/tags/$LATEST_TAG" BADGE_ID=$(curl --silent --header "PRIVATE-TOKEN: ${GL_TOKEN}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges" | jq '.[] | select(.name=="version") | .id') || echo "[-] Unable to get current badge id." - LINK_URL="${CI_PROJECT_URL}/tags/${LATEST_TAG}" - IMAGE_URL="https://img.shields.io/badge/version-$LATEST_TAG-informational" - | case $BADGE_ID in ''|*[!0-9]*) echo "[*] Creating badge..." && curl --silent --request POST --header "PRIVATE-TOKEN: $GL_TOKEN" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}&name=version" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges" > /dev/null && echo "[+] Badge created successfully." || echo "[!] Badge creation failed" ;; ;; *) curl --silent --request PUT --header "PRIVATE-TOKEN: $GL_TOKEN" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/badges/$BADGE_ID" > /dev/null && echo "[+] Badge updated successfully." || echo "[!] Badge update failed" ;; case ${BADGE_ID} in ''|*[!0-9]*) echo "[*] Creating badge..." && curl --silent --request POST --header "PRIVATE-TOKEN: ${GL_TOKEN}" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}&name=version" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges" > /dev/null && echo "[+] Badge created successfully." || echo "[!] Badge creation failed" ;; ;; *) curl --silent --request PUT --header "PRIVATE-TOKEN: ${GL_TOKEN}" --data "image_url=${IMAGE_URL}&link_url=${LINK_URL}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/badges/${BADGE_ID}" > /dev/null && echo "[+] Badge updated successfully." || echo "[!] Badge update failed" ;; esac rules: - if: $CI_COMMIT_TAG && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
alm/semantic-release.yml +1 −1 Original line number Diff line number Diff line Loading @@ -8,7 +8,7 @@ semantic-release: PLUGINS: "@semantic-release/commit-analyzer @semantic-release/release-notes-generator @semantic-release/gitlab" EXTRA_ARGS: "" # See https://semantic-release.gitbook.io/semantic-release/usage/configuration script: - semantic-release $EXTRA_ARGS --plugins $PLUGINS - semantic-release ${EXTRA_ARGS} --plugins $PLUGINS rules: - if: $CI_COMMIT_TAG when: never Loading
docker/anchore/grype.yml +15 −15 Original line number Diff line number Diff line Loading @@ -4,16 +4,16 @@ docker:anchore:grype: image: registry.gitlab.com/notno/grype variables: GRYPE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" GRYPE_IMAGE: "${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}" GRYPE_SCOPE: "Squashed" GRYPE_OUTPUT_FORMAT: "table" GRYPE_FAIL_ON: "medium" script: - | skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${CI_REGISTRY_IMAGE}:${CI_COMMIT_BRANCH} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} skopeo copy --src-creds=${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} docker://${GRYPE_IMAGE} oci://${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} echo "Running grype with following options:" echo "GRYPE_SCOPE=${GRYPE_SCOPE} selection of layers to analyze, options=[Squashed AllLayers] (default 'Squashed')" echo "GRYPE_OUTPUT_FORMAT=${GRYPE_OUTPUT_FORMAT} report output formatter, options=[json table cyclonedx] (default 'table')" echo "GRYPE_FAIL_ON=${GRYPE_FAIL_ON} set the return code to 1 if a vulnerability is found with a severity >= the given severity, options=[negligible low medium high critical]" - grype version - grype --scope ${GRYPE_SCOPE} --fail-on ${GRYPE_FAIL_ON} --output ${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA} - grype --scope=${GRYPE_SCOPE} --fail-on=${GRYPE_FAIL_ON} --output=${GRYPE_OUTPUT_FORMAT} ${CI_PROJECT_DIR}/${CI_COMMIT_SHORT_SHA}
docker/kaniko-template.yml +15 −23 Original line number Diff line number Diff line Loading 
@@ -8,39 +8,31 @@ USE_CACHE: "true" DOCKERFILE: "Dockerfile" # Can be a path DEV_BUILD: "false" # set true to tag an image for each commit LABELS: "--label CI_PROJECT_URL=$CI_PROJECT_URL --label CI_COMMIT_SHORT_SHA=$CI_COMMIT_SHORT_SHA --label CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME" LABELS: "--label CI_PROJECT_URL=${CI_PROJECT_URL} --label CI_COMMIT_SHORT_SHA=${CI_COMMIT_SHORT_SHA} --label CI_COMMIT_REF_NAME=${CI_COMMIT_REF_NAME}" EXTRA_ARGS: "" # See https://github.com/GoogleContainerTools/kaniko#additional-flags image: name: gcr.io/kaniko-project/executor:debug entrypoint: [""] script: - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > /kaniko/.docker/config.json - | if [ -z "$DESTINATIONS" ]; then if [ ! -z "$CI_COMMIT_BRANCH" ]; then DESTINATIONS="--destination $CI_REGISTRY_IMAGE:$CI_COMMIT_BRANCH" if [ "$CI_COMMIT_BRANCH" = "master" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE:latest" fi fi if [ ! 
-z "$CI_COMMIT_TAG" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" if [ -z "${DESTINATIONS}" ]; then DESTINATIONS="--destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}" if [ "${CI_COMMIT_REF_NAME}" = "master" ]; then DESTINATIONS="${DESTINATIONS} --destination ${CI_REGISTRY_IMAGE}:latest" fi fi - | if [ "$DEV_BUILD" = "true" ]; then DESTINATIONS="${DESTINATIONS} --destination $CI_REGISTRY_IMAGE/dev:$CI_COMMIT_SHORT_SHA" if [ "${DEV_BUILD}" = "true" ]; then DESTINATIONS="${DESTINATIONS} --destination ${CI_REGISTRY_IMAGE}/dev:${CI_COMMIT_SHORT_SHA}" fi - printf "Will use the following destinations:$DESTINATIONS\n" | sed 's/--destination /\n/g' - /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE $DESTINATIONS $LABELS $EXTRA_ARGS - printf "Will use the following destinations:${DESTINATIONS}\n" | sed 's/--destination /\n/g' - /kaniko/executor --cache=${USE_CACHE} --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE} ${DESTINATIONS} ${LABELS} ${EXTRA_ARGS} - | if [ "$PYTHON_TEST" = "true" ]; then if [ "${PYTHON_TEST}" = "true" ]; then printf "\nRUN if ! python3 -m pip >/dev/null; then wget -q https://bootstrap.pypa.io/get-pip.py && python3 get-pip.py; fi" >> $CI_PROJECT_DIR/$DOCKERFILE printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> $CI_PROJECT_DIR/$DOCKERFILE /kaniko/executor --cache=$USE_CACHE --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/$DOCKERFILE --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME-testing $EXTRA_ARGS printf "\nRUN python3 -m pip install pytest pytest-cov pylint pylint_junit safety mutmut coverage" >> ${CI_PROJECT_DIR}/${DOCKERFILE} /kaniko/executor --cache=${USE_CACHE} --context ${CI_PROJECT_DIR} --dockerfile ${CI_PROJECT_DIR}/${DOCKERFILE} --destination ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME}-testing ${EXTRA_ARGS} fi artifacts: paths: - "${CI_PROJECT_NAME}.tar"