# SPDX-License-Identifier: PMPL-1.0-or-later
# SPDX-FileCopyrightText: 2024-2025 ECHIDNA Project Contributors
#
# ECHIDNA GitLab CI/CD Pipeline
# Comprehensive build, test, quality check, and deploy stages
workflow:
  # Pipeline-level gate: a pipeline is created only for merge-request events,
  # pushes to the default branch, and tags. Individual jobs narrow this further.
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
variables:
  # Keep the cargo and julia depots inside the project directory so the
  # .rust_cache / .julia_cache templates can persist them between jobs.
  CARGO_HOME: '${CI_PROJECT_DIR}/.cargo'
  JULIA_DEPOT_PATH: '${CI_PROJECT_DIR}/.julia'
  # Full backtraces on Rust panics in CI logs.
  RUST_BACKTRACE: '1'
  # Isolation mode used by buildah for `podman build` (see build-container).
  PODMAN_BUILDAH_ISOLATION: 'chroot'
# Stage order: each stage starts only once the previous one has finished
# (jobs marked allow_failure do not block the next stage).
stages:
  - lint
  - build
  - test
  - quality
  - security
  - deploy
# =============================================================================
# Cache Configuration
# =============================================================================
# Hidden template: per-branch cache for cargo state. `.cargo/` is the
# CARGO_HOME set in the global variables; `target/` holds build output.
.rust_cache:
  cache:
    key: 'rust-${CI_COMMIT_REF_SLUG}'
    paths:
      - .cargo/
      - target/
# Hidden template: per-branch cache for the Julia depot (JULIA_DEPOT_PATH
# from the global variables).
.julia_cache:
  cache:
    key: 'julia-${CI_COMMIT_REF_SLUG}'
    paths:
      - .julia/
# =============================================================================
# Stage 1: Linting and Formatting
# =============================================================================
# SPDX / REUSE compliance check over the whole tree.
reuse-lint:
  stage: lint
  # NOTE(review): floating tag. Pinning to a version or digest makes the
  # lint result reproducible and stops the image changing under the job.
  image: docker.io/fsfe/reuse:latest
  allow_failure: false
  script:
    - reuse lint
# Formatting check only; `--check` makes cargo fmt exit non-zero on drift
# instead of rewriting files.
rust-fmt:
  stage: lint
  image: docker.io/library/rust:1.75-slim
  extends: .rust_cache
  allow_failure: false
  script:
    - rustup component add rustfmt
    - cargo fmt -- --check
# Clippy over every target and feature; `-D warnings` turns lints into
# hard failures so the job cannot pass with outstanding warnings.
rust-clippy:
  stage: lint
  image: docker.io/library/rust:1.75-slim
  extends: .rust_cache
  allow_failure: false
  before_script:
    # pkg-config/libssl are needed to build the OpenSSL-linked dependencies.
    - apt-get update && apt-get install -y pkg-config libssl-dev
    - rustup component add clippy
  script:
    - cargo clippy --all-targets --all-features -- -D warnings
# =============================================================================
# Stage 2: Build
# =============================================================================
# Release build of the Rust crate; the resulting echidna* binaries are
# kept as a short-lived artifact for later stages.
build-rust:
  stage: build
  image: docker.io/library/rust:1.75-slim
  extends: .rust_cache
  before_script:
    - apt-get update && apt-get install -y pkg-config libssl-dev build-essential
  script:
    - cargo build --release
  artifacts:
    expire_in: 1 day
    paths:
      - target/release/echidna*
# Resolve and precompile the Julia project.
build-julia:
  stage: build
  image: docker.io/library/julia:1.10
  extends: .julia_cache
  script:
    - julia --project=. -e 'using Pkg; Pkg.instantiate(); Pkg.precompile()'
  artifacts:
    expire_in: 1 day
    # NOTE(review): `.julia/` is also the .julia_cache path, so the whole
    # depot is uploaded twice (cache and artifact); expect large uploads.
    paths:
      - Manifest.toml
      - .julia/
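# ReScript bundle via deno. The job is allowed to fail, so a broken build
# shows up as a warning instead of blocking the pipeline.
build-rescript:
  stage: build
  image: docker.io/denoland/deno:debian-1.40.0
  # allow_failure already lets the pipeline continue; the previous
  # `|| echo ...` fallback additionally masked a failed build as a green job,
  # so a broken bundle was indistinguishable from a successful one.
  allow_failure: true
  script:
    - cd src/rescript
    - deno task build
  artifacts:
    expire_in: 1 day
    paths:
      - src/rescript/dist/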
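# Build the OCI image from Containerfile and hand it to later stages as a
# saved tarball.
build-container:
  stage: build
  # NOTE(review): floating tag; pin to a version or digest so the build
  # toolchain is reproducible.
  image: quay.io/podman/stable:latest
  # No docker:dind service here: the script runs podman locally (buildah
  # with PODMAN_BUILDAH_ISOLATION=chroot from the global variables) and
  # podman does not read DOCKER_HOST, so the former `--tls=false` daemon on
  # tcp://docker:2375 was an unauthenticated endpoint that nothing used.
  before_script:
    - podman --version
  script:
    - podman build -f Containerfile -t echidna:${CI_COMMIT_SHORT_SHA} .
    - podman save echidna:${CI_COMMIT_SHORT_SHA} -o echidna-image.tar
  artifacts:
    expire_in: 1 day
    paths:
      - echidna-image.tar
  # `rules` replaces the legacy `only:` list (main, merge_requests, tags).
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_TAG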
# =============================================================================
# Stage 3: Testing
# =============================================================================
# Rust unit/integration tests over all features.
test-rust:
  stage: test
  image: docker.io/library/rust:1.75-slim
  extends: .rust_cache
  before_script:
    - apt-get update && apt-get install -y pkg-config libssl-dev build-essential
  script:
    - cargo test --all-features --verbose
  # NOTE(review): this regex expects an lcov-style `lines......: NN.N%`
  # summary, but no script line above prints one (plain `cargo test` emits
  # no coverage data) — confirm which tool is meant to produce it.
  coverage: '/^\s*lines\.+:\s+(\d+\.\d+)%/'
  artifacts:
    reports:
      # NOTE(review): nothing in this job writes coverage.xml, so the
      # cobertura report upload will report a missing file until a coverage
      # step (e.g. cargo-llvm-cov) is added; otherwise drop this section.
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
    expire_in: 30 days
# Julia test suite with coverage tracking; the second command prints a
# line-coverage percentage that the `coverage:` regex picks up.
test-julia:
  stage: test
  image: docker.io/library/julia:1.10
  extends: .julia_cache
  coverage: '/Coverage: \d+\.\d+/'
  script:
    - julia --project=. -e 'using Pkg; Pkg.test(coverage=true)'
    # NOTE(review): `using Coverage` assumes Coverage.jl is already in the
    # project environment; only quality-coverage (a separate job) runs
    # Pkg.add("Coverage"). Verify it is a dependency in Project.toml.
    - julia --project=. -e 'using Coverage; coverage = process_folder(); covered_lines, total_lines = get_summary(coverage); println("Coverage: ", covered_lines/total_lines*100, "%")'
# Integration tests that need the z3 and cvc5 solvers installed.
test-integration:
  stage: test
  image: docker.io/library/rust:1.75-slim
  extends: .rust_cache
  # Advisory for now: failures surface as warnings only.
  allow_failure: true
  before_script:
    - apt-get update && apt-get install -y pkg-config libssl-dev build-essential z3 cvc5
  script:
    - cargo test --test integration_tests --verbose
# =============================================================================
# Stage 4: Quality Checks
# =============================================================================
# Aqua.jl project-quality checks (advisory).
quality-aqua:
  stage: quality
  image: docker.io/library/julia:1.10
  extends: .julia_cache
  allow_failure: true
  script:
    # Pkg.add pulls an unpinned Aqua into the project environment at run time.
    - julia --project=. -e 'using Pkg; Pkg.add("Aqua"); using Aqua; Aqua.test_all()'
# JET.jl static analysis (advisory).
quality-jet:
  stage: quality
  image: docker.io/library/julia:1.10
  extends: .julia_cache
  allow_failure: true
  script:
    # NOTE(review): JET's report_file appears to require a file path
    # argument; the bare call likely errors, which allow_failure hides.
    - julia --project=. -e 'using Pkg; Pkg.add("JET"); using JET; report_file()'
# Convert Julia .cov files into an LCOV report (advisory).
quality-coverage:
  stage: quality
  image: docker.io/library/julia:1.10
  extends: .julia_cache
  allow_failure: true
  script:
    # NOTE(review): the .cov files come from Pkg.test(coverage=true) in
    # test-julia, which declares no artifacts, so process_folder() here
    # most likely sees an empty set — confirm how coverage data reaches
    # this job.
    - julia --project=. -e 'using Pkg; Pkg.add("Coverage"); using Coverage; coverage = process_folder(); LCOV.writefile("coverage.info", coverage)'
  artifacts:
    expire_in: 30 days
    paths:
      - coverage.info
# =============================================================================
# Stage 5: Security Scanning
# =============================================================================
# Filesystem scan of the checkout (dependency manifests, lockfiles, IaC).
security-trivy-fs:
  stage: security
  # NOTE(review): floating tag; pin so scanner behaviour is reproducible.
  image: docker.io/aquasec/trivy:latest
  # NOTE(review): allow_failure turns the `--exit-code 1` CRITICAL gate
  # below into an advisory; the pipeline proceeds on critical findings.
  allow_failure: true
  script:
    # Human-readable table for the job log, never fails.
    - trivy fs --exit-code 0 --severity HIGH,CRITICAL --format table .
    # Machine-readable report; non-zero exit on any CRITICAL finding.
    - trivy fs --exit-code 1 --severity CRITICAL --format json -o trivy-fs-report.json .
  artifacts:
    expire_in: 30 days
    paths:
      - trivy-fs-report.json
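# Scan the image built by build-container.
security-trivy-container:
  stage: security
  # NOTE(review): floating tag; pin so scanner behaviour is reproducible.
  image: docker.io/aquasec/trivy:latest
  # Pull only the build-container artifact (echidna-image.tar).
  dependencies:
    - build-container
  # NOTE(review): allow_failure turns the `--exit-code 1` CRITICAL gate
  # below into an advisory; the pipeline proceeds on critical findings.
  allow_failure: true
  script:
    # Scan the saved archive directly with --input; this removes the need
    # to install podman into the scanner image and to run `podman load`,
    # i.e. no container runtime or elevated privileges in this job.
    - trivy image --input echidna-image.tar --exit-code 0 --severity HIGH,CRITICAL
    - trivy image --input echidna-image.tar --exit-code 1 --severity CRITICAL --format json -o trivy-image-report.json
  artifacts:
    expire_in: 30 days
    paths:
      - trivy-image-report.json
  # `rules` replaces the legacy `only:` list (main, merge_requests, tags).
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_TAG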
# RustSec advisory check of Cargo.lock.
security-cargo-audit:
  stage: security
  image: docker.io/library/rust:1.75-slim
  # NOTE(review): advisory only — known-vulnerable dependencies do not
  # block the pipeline while allow_failure is set.
  allow_failure: true
  script:
    # NOTE(review): cargo-audit is compiled from source on every run; this
    # job does not extend .rust_cache, so $CARGO_HOME/bin is never reused.
    - cargo install cargo-audit
    - cargo audit
# =============================================================================
# Stage 6: Deployment
# =============================================================================
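# Copy the docs tree into `public/` as an artifact.
deploy-docs:
  stage: deploy
  image: docker.io/library/ruby:3.2
  script:
    - echo "Deploying documentation..."
    - mkdir -p public
    # NOTE(review): `docs/*` does not match dotfiles and the copy errors
    # out if docs/ is empty — intended?
    - cp -r docs/* public/
  artifacts:
    paths:
      - public
  # NOTE(review): if the goal is GitLab Pages, the job must be named
  # `pages`; as `deploy-docs` the artifact is stored but not published.
  # `rules` replaces the legacy `only: main`.
  rules:
    - if: $CI_COMMIT_BRANCH == "main"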
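# Push the image built by build-container to the project registry on tags.
deploy-container-registry:
  stage: deploy
  # NOTE(review): floating tag; pin to a version or digest.
  image: quay.io/podman/stable:latest
  # No docker:dind service here: podman is invoked locally and does not
  # read DOCKER_HOST, so the former `--tls=false` daemon on tcp://docker:2375
  # was an unauthenticated endpoint that nothing used.
  dependencies:
    - build-container
  before_script:
    # Password via stdin keeps the token out of the process list and job log.
    - echo "${CI_REGISTRY_PASSWORD}" | podman login -u "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
  script:
    - podman load -i echidna-image.tar
    - podman tag echidna:${CI_COMMIT_SHORT_SHA} ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}
    # NOTE(review): every tag (including pre-releases) moves `latest`.
    - podman tag echidna:${CI_COMMIT_SHORT_SHA} ${CI_REGISTRY_IMAGE}:latest
    - podman push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}
    - podman push ${CI_REGISTRY_IMAGE}:latest
  # `rules` replaces the legacy `only: tags`.
  rules:
    - if: $CI_COMMIT_TAG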
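# Create a GitLab Release for the tag via release-cli.
deploy-release:
  stage: deploy
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  script:
    - echo "Creating GitLab Release..."
  release:
    tag_name: '${CI_COMMIT_TAG}'
    # Image reference moved here: release asset links must be absolute
    # http(s) URLs, and a bare registry reference is not one.
    description: 'ECHIDNA Release ${CI_COMMIT_TAG} — image ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}'
    assets:
      links:
        - name: 'Container Image'
          # NOTE(review): points at the project's registry page; the
          # previous `${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}` value has no
          # scheme and is very likely rejected by link validation — confirm.
          url: '${CI_PROJECT_URL}/container_registry'
  # `rules` replaces the legacy `only: tags`.
  rules:
    - if: $CI_COMMIT_TAG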