skeleton/.gitlab-ci.yml at develop · roadiz/skeleton · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
stages:
    - test
    - build
    - deploy
    - release

# AutoDevOps templates for security
include:
    - template: Jobs/Secret-Detection.gitlab-ci.yml
    - template: Jobs/Dependency-Scanning.gitlab-ci.yml

variables:
    # Timezone will be used both for system and php date.timezone php.ini value
    COMPOSER_MEMORY_LIMIT: '-1'
    TIMEZONE: "Europe/Paris"
    SENTRY_URL: ""
    # List of Docker containers to restart on deploy
    DOCKER_CONTAINERS: "app scheduler worker db"

test:
    image: roadiz/php-runner:8.5
    stage: test
    interruptible: true
    rules:
        - if: '$CI_COMMIT_BRANCH == "develop"'
        - if: '$CI_COMMIT_TAG'
        - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    cache:
        key: ${CI_COMMIT_REF_SLUG}
        paths:
            - vendor/
    variables:
        JWT_PASSPHRASE: changeme
        APP_SECRET: changeme
        XDEBUG_MODE: "coverage"
        PHP_CS_FIXER_IGNORE_ENV: 1
        # Trigger composer config --global gitlab-token
        #GITLAB_DOMAIN: gitlab.com
    artifacts:
        expire_in: 1 day
        paths:
            - coverage
        reports:
            junit: coverage/report.xml
            coverage_report:
                coverage_format: cobertura
                path: coverage/cobertura.xml
    script:
        #
        # If you are using private repositories, you need to provide a COMPOSER_DEPLOY_TOKEN variable
        # in your Gitlab / GitHub CI/CD settings. This deploy-token must have read access to your private repositories.
        #
        - composer install
        - composer audit --abandoned=report --format=plain --locked
        - php -d memory_limit=-1 bin/console nodetypes:validate-files
        - php -d memory_limit=-1 vendor/bin/php-cs-fixer check --ansi -vvv
        - php -d memory_limit=-1 vendor/bin/phpstan analyse
        - php -d memory_limit=-1 vendor/bin/phpunit --colors=never

build_merge_requests:
    stage: build
    image: docker:git
    rules:
        - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    interruptible: true
    services:
        - docker:dind
    variables:
        DOCKER_DRIVER: overlay2
        DOCKER_TLS_CERTDIR: "/certs"
        # Provide env vars for docker bake
        REGISTRY: ${CI_REGISTRY_IMAGE}
    when: on_success
    script:
        # in your Gitlab / GitHub CI/CD settings. This deploy-token must have read access to your private repositories.
        #- "docker buildx bake --set *.args.COMPOSER_DEPLOY_TOKEN=${COMPOSER_DEPLOY_TOKEN} --print"
        #- "docker buildx bake --set *.args.COMPOSER_DEPLOY_TOKEN=${COMPOSER_DEPLOY_TOKEN}"
        - "docker buildx bake --print"
        - "docker buildx bake"

build_develop:
    stage: build
    image: docker:git
    interruptible: true
    rules:
        - if: '$CI_COMMIT_BRANCH == "develop"'
    services:
        - docker:dind
    variables:
        DOCKER_DRIVER: overlay2
        DOCKER_TLS_CERTDIR: "/certs"
        # Provide env vars for docker bake
        REGISTRY: ${CI_REGISTRY_IMAGE}
    when: on_success
    script:
        # Connect to your Gitlab Registry
        - "echo \"Registry image: ${CI_REGISTRY_IMAGE} for develop\""
        - "docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}"
        #- "docker buildx bake --set *.args.COMPOSER_DEPLOY_TOKEN=${COMPOSER_DEPLOY_TOKEN} --push"
        - "docker buildx bake --push"

build_tag:
    stage: build
    image: docker:git
    rules:
        - if: '$CI_COMMIT_TAG'
    services:
        - docker:dind
    variables:
        DOCKER_DRIVER: overlay2
        DOCKER_TLS_CERTDIR: "/certs"
        # Provide env vars for docker bake
        VERSION: ${CI_COMMIT_TAG}
        REGISTRY: ${CI_REGISTRY_IMAGE}
    when: on_success
    script:
        # Connect to your Gitlab Registry
        - "echo \"Registry image: ${CI_REGISTRY_IMAGE} for tag ${CI_COMMIT_TAG}\""
        - "docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}"
        #- "docker buildx bake --set *.args.COMPOSER_DEPLOY_TOKEN=${COMPOSER_DEPLOY_TOKEN} --push"
        - "docker buildx bake --push"

# ==========================================
# Deploy to production environment
#
# Need to generate a SSH (ed25519) key pair and add the private key to the Gitlab CI variables (base64 -w 0 encoded) and
# the public key to the server ~/.ssh/authorized_keys file.
# ssh-keygen -C "My project Gitlab CI deploy key" -t ed25519 -b 2048 -f my_project.id_ed25519
# ==========================================
deploy_develop:
    stage: deploy
    image: alpine:3.21
    rules:
        - if: '$CI_COMMIT_BRANCH == "develop"'
    needs:
        - build_develop
    interruptible: true
    when: on_success
    after_script:
        - rm -rf ~/.ssh
    before_script:
        - apk update
        - apk add --no-cache openssh-client
        - install -m 600 -D /dev/null ~/.ssh/id_ed25519
        - echo "${PREPROD_SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_ed25519
        - ssh-keyscan -p ${PREPROD_SSH_PORT} -H "${PREPROD_SSH_HOST}" > ~/.ssh/known_hosts
    script:
        - ssh -p ${PREPROD_SSH_PORT} ${PREPROD_SSH_USER}@${PREPROD_SSH_HOST} "cd ${PREPROD_WORKDIR} && docker compose pull -q && docker compose run --rm migrate && docker compose up -d ${DOCKER_CONTAINERS} && docker compose up -d --force-recreate --no-deps varnish nginx && exit"

deploy_production:
    stage: deploy
    image: alpine:3.21
    rules:
        - if: $CI_COMMIT_TAG
    needs:
        - build_tag
    when: on_success
    after_script:
        - rm -rf ~/.ssh
    before_script:
        - apk update
        - apk add --no-cache openssh-client
        - install -m 600 -D /dev/null ~/.ssh/id_ed25519
        - echo "${PROD_SSH_PRIVATE_KEY}" | base64 -d > ~/.ssh/id_ed25519
        - ssh-keyscan -p ${PROD_SSH_PORT} -H "${PROD_SSH_HOST}" > ~/.ssh/known_hosts
    script:
        - ssh -p ${PROD_SSH_PORT} ${PROD_SSH_USER}@${PROD_SSH_HOST} "cd ${PROD_WORKDIR} && docker compose pull -q && docker compose run --rm migrate && docker compose up -d ${DOCKER_CONTAINERS} && docker compose up -d --force-recreate --no-deps varnish nginx && exit"

create_gitlab_release:
    stage: release
    image: registry.gitlab.com/gitlab-org/cli:latest
    rules:
        - if: '$CI_COMMIT_TAG'
    script:
        - echo "Running the release job."
    needs:
        - deploy_production
    when: on_success
    release:
        tag_name: $CI_COMMIT_TAG
        name: 'Release $CI_COMMIT_TAG'
        description: './CHANGELOG.md'
    allow_failure: true