-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.gitlab-ci.yml
More file actions
154 lines (138 loc) Β· 4.02 KB
/
.gitlab-ci.yml
File metadata and controls
154 lines (138 loc) Β· 4.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
---
stages:
- π¦ build
- π test
- π deploy
image: quay.io/testing-farm/python-ci-image:latest
variables:
IMAGE: quay.io/testing-farm/cli
#
# Mark tests to run for merge requests
#
.merge-request:
rules:
- if: $CI_MERGE_REQUEST_IID
#
# Mark tests to run on merge to main
#
.main:
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
#
# Mark tests to run on tags
#
.tag:
rules:
- if: $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+/
#
# Common container build job
#
.container:
image: quay.io/testing-farm/cli:latest
script:
- >
testing-farm request \
--git-url https://gitlab.com/testing-farm/tests.git \
--git-ref main \
--environment GIT_URL=${CI_MERGE_REQUEST_PROJECT_URL:-$CI_PROJECT_URL} \
--environment GIT_REF=${CI_MERGE_REQUEST_REF_PATH:-$CI_COMMIT_SHA} \
--environment TARGET_IMAGE=$IMAGE:$IMAGE_TAG \
--environment CONTAINER_FILE=${CONTAINER_FILE:-container/Dockerfile} \
--environment BUILD_ENV=container/build.env \
--environment "PLATFORMS='${PLATFORMS:-linux/amd64 linux/arm64}'" \
--environment ENABLE_PUSH=yes \
--secret AUTH_JSON=$QUAY_AUTH_JSON_BASE64 \
--plan /container/build
#
# π¦ build
#
container/alpine:
extends: [.merge-request, .container]
stage: π¦ build
variables:
IMAGE_TAG: $CI_PIPELINE_ID
container/fedora:
extends: [.merge-request, .container]
stage: π¦ build
variables:
IMAGE_TAG: fedora-$CI_PIPELINE_ID
CONTAINER_FILE: container/Dockerfile.fedora
PLATFORMS: linux/amd64
#
# π test
#
pre-commit:
extends: .merge-request
stage: π test
needs: []
script:
- make pre-commit
tox:
extends: .merge-request
stage: π test
needs: []
script:
- make tox
tmt:
extends: .merge-request
stage: π test
needs: ["container/alpine", "container/fedora"]
image: quay.io/testing-farm/cli:latest
script:
- testing-farm request -e IMAGE_TAG=$CI_PIPELINE_ID
--git-url $CI_MERGE_REQUEST_PROJECT_URL
--git-ref $CI_MERGE_REQUEST_REF_PATH
goss:
extends: .merge-request
stage: π test
needs: ["container/alpine"]
image: quay.io/testing-farm/cli:$CI_PIPELINE_ID
script:
- make goss
#
# π deploy
#
publish/container/latest:
extends: [.main, .container]
stage: π deploy
variables:
IMAGE_TAG: latest
publish/container/version:
extends: [.main, .container]
stage: π deploy
before_script:
- wget -qO- https://install.python-poetry.org | python3 - --version 1.4.2
# Workaround: Poetry 1.4.2 `self add` needs distutils, removed in Python 3.12.
# Can be removed once Poetry is upgraded to 1.7+.
- /root/.local/share/pypoetry/venv/bin/pip install setuptools
- /root/.local/bin/poetry self add poetry-dynamic-versioning
- export IMAGE_TAG="v$(/root/.local/bin/poetry version -s | tr '+' '.')-$CI_COMMIT_SHORT_SHA"
publish/container/tag:
extends: [.tag, .container]
stage: π deploy
before_script:
- wget -qO- https://install.python-poetry.org | python3 - --version 1.4.2
# Workaround: Poetry 1.4.2 `self add` needs distutils, removed in Python 3.12.
# Can be removed once Poetry is upgraded to 1.7+.
- /root/.local/share/pypoetry/venv/bin/pip install setuptools
- /root/.local/bin/poetry self add poetry-dynamic-versioning
- export IMAGE_TAG="v$(/root/.local/bin/poetry version -s)"
publish/pypi:
extends: .tag
stage: π deploy
script:
- poetry self add poetry-dynamic-versioning
- poetry config repositories.tft-cli https://upload.pypi.org/legacy/
- poetry publish --build --repository tft-cli
trivy-scan:
stage: π test
needs: []
image:
# pinned to v0.69.3 by digest due to supply chain attack (GHSA-69fq-xp46-6x23)
name: aquasec/trivy@sha256:bcc376de8d77cfe086a917230e818dc9f8528e3c852f7b1aff648949b6258d1c
entrypoint: [""]
script:
- trivy fs --exit-code 1 --scanners vuln,secret --severity UNKNOWN,MEDIUM,HIGH,CRITICAL .
rules:
- if: $CI_MERGE_REQUEST_IID
- if: '$CI_COMMIT_BRANCH == "main"'