-
Notifications
You must be signed in to change notification settings - Fork 17
/
Copy path.gitlab-ci.yml
152 lines (143 loc) · 4.9 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
---
workflow:
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
- if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
when: never
- if: $CI_COMMIT_BRANCH
- if: $CI_COMMIT_REF_PROTECTED == "true"
stages:
- test
- build
- release
variables:
DOCKER_HOST: tcp://docker:2376
DOCKER_TLS_CERTDIR: /certs
VERSION: 0.2.0
CONTAINER_OPERATOR: ${CI_REGISTRY}/slurm-operator:${VERSION}
CONTAINER_WEBHOOK: ${CI_REGISTRY}/slurm-operator-webhook:${VERSION}
CI_JOB_USER: gitlab-ci-token
.docker:
image: docker:27.5.0
services:
- docker:27.5.0-rc.1-dind
before_script:
- set -euo pipefail
- docker info
- echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
- apk update && apk upgrade
- apk add --no-cache git go helm
- export PATH=$PATH:$HOME/go/bin/
- go env -w GOPRIVATE=github.com/SlinkyProject/*
test:
stage: test
extends: .docker
script:
- set -euo pipefail
- apk update && apk upgrade
- apk add --no-cache go make bash shellcheck shfmt pre-commit
- go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
- go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest
- go install golang.org/x/vuln/cmd/govulncheck@latest
- pre-commit run --verbose --all-files --show-diff-on-failure
coverage: /total:\s+\(statements\)\s+\d+.\d+%/
artifacts:
expire_in: 7 days
paths:
- cover.html
- govulnreport.txt
build:
stage: build
extends: .docker
script:
- set -euo pipefail
- |
for dockerfile in $(find ./build -name "Dockerfile" -type f); do
kind="$(basename "$(dirname "$dockerfile")")"
image="${CI_REGISTRY_IMAGE}/${kind}:${VERSION}"
docker build --pull -t $image -f $dockerfile .
docker push $image
done
- |
for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
helm package --dependency-update ${chart};
done
rules:
- if: $CI_COMMIT_REF_PROTECTED != "true"
changes:
- Dockerfile
- ./**/*.go
- go.mod
- go.sum
- helm/**/*
push:
stage: build
extends: .docker
script:
- set -euo pipefail
- |
for dockerfile in $(find ./build -name "Dockerfile" -type f); do
kind="$(basename "$(dirname "$dockerfile")")"
image="${CI_REGISTRY_IMAGE}/${kind}:${VERSION}"
docker build -t $image -f $dockerfile .
docker push $image
done
- helm plugin install https://github.com/chartmuseum/helm-push
- helm repo add --username ${CI_JOB_USER} --password ${CI_JOB_TOKEN} ${CI_PROJECT_NAME} ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
- helm repo update
- |
for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
export CHART_NAME=$(basename $chart);
export CHART_VERSION=$(grep ^version ${chart}/Chart.yaml | awk '{print $2}');
export CHART_ARTIFACT=${CHART_NAME}-${CHART_VERSION}.tgz;
helm package --dependency-update ${chart};
helm cm-push ./${CHART_ARTIFACT} ${CI_PROJECT_NAME};
done
rules:
- if: $CI_COMMIT_REF_PROTECTED == "true"
changes:
- Dockerfile
- ./**/*.go
- go.mod
- go.sum
- helm/**/*
release:
stage: release
extends: .docker
variables:
CONTAINER_IMAGE: ${CI_PROJECT_NAME}:${VERSION}
CONTAINER_SOURCE_IMAGE: ${CONTAINER_CI_IMAGE}
CONTAINER_TARGET_IMAGE: ${DOCKER_REGISTRY}/${CONTAINER_IMAGE}
script:
- set -euo pipefail
- |
if [ -z $DOCKER_REGISTRY_PASSWORD ] || [ -z $DOCKER_REGISTRY ] || [ -z $DOCKER_REGISTRY_USER ]; then
echo "Runner lacks login info. Either environment variables are not defined, or runner is on an unprotected branch/tag.";
exit 1;
fi
- echo "$DOCKER_REGISTRY_PASSWORD" | docker login $DOCKER_REGISTRY -u $DOCKER_REGISTRY_USER --password-stdin
- docker pull $CONTAINER_SOURCE_IMAGE
- docker tag $CONTAINER_SOURCE_IMAGE $CONTAINER_TARGET_IMAGE
- docker push $CONTAINER_TARGET_IMAGE
- helm repo add --username ${CI_JOB_USER} --password ${CI_JOB_TOKEN} ${CI_PROJECT_NAME} ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
- helm repo update
- |
for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
export CHART_NAME=$(basename $chart);
export CHART_VERSION=$(grep ^version ${chart}/Chart.yaml | awk '{print $2}');
export CHART_ARTIFACT=${CHART_NAME}-${CHART_VERSION}.tgz;
helm pull ${CI_PROJECT_NAME}/${CHART_NAME};
helm push ./${CHART_ARTIFACT} oci://${DOCKER_REGISTRY}/charts;
done
rules:
- if: $CI_COMMIT_REF_PROTECTED == "true"
when: manual
include:
- template: Jobs/Secret-Detection.gitlab-ci.yml
secret_detection:
allow_failure: false
artifacts:
when: on_failure
expire_in: 7 days
paths:
- gl-secret-detection-report.json