.gitlab-ci.yml
# Scan templates pulled from the ci-cd/templates project. `ref: main` is a
# moving branch, so whatever is on that branch runs in this pipeline.
# NOTE(review): pinning `ref` to a tag or commit SHA of ci-cd/templates
# would make template changes an explicit, reviewable update here.
include:
  - project: 'ci-cd/templates'
    ref: main
    file: '/prodsec/.sast-scan.yml'
  - project: 'ci-cd/templates'
    ref: main
    file: '/prodsec/.oss-scan.yml'

# Default image for every job, pinned by version tag only.
# NOTE(review): a tag can be re-pushed unless the registry forbids it;
# adding the image digest would fix the exact build environment.
image:
  name: 'docker.repo.splunkdev.net/ci-cd/ci-container/maven-3.8-jdk-17:1.15.0'

# Stage order. Jobs in a later stage start after the earlier stages finish.
stages:
  - build
  - verify
  - release
  - post-release
  - troubleshooting
# Unconditional job in the troubleshooting stage: it has no `rules`, so it
# is not limited to tag pipelines. It only prints a fixed message.
troubleshoot-start:
  stage: troubleshooting
  script:
    - echo "The troubleshooting has begun"
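# Runs in tag pipelines only and echoes the tag name.
# CI_COMMIT_TAG is undefined outside tag pipelines. GitLab evaluates an
# undefined variable as null, and `null != ""` is true, so a comparison
# such as `$CI_COMMIT_TAG != ""` also matches branch pipelines. The bare
# variable form below is true only when the variable is set and non-empty.
troubleshoot-any-tag:
  stage: troubleshooting
  rules:
    - if: '$CI_COMMIT_TAG'
  script:
    - echo "We have a non-empty commit tag. Fun! $CI_COMMIT_TAG"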
# Temporary job to use while investigating release tag issues.
# The pattern has no `$` end anchor, so any tag that begins with
# `troubleshoot-vX.Y.Z` matches, whatever follows the version.
troubleshoot-tag:
  stage: troubleshooting
  artifacts:  # Not necessary, but mimicking real release job
    when: always
    paths:
      - dist/
  rules:
    # Plain (unquoted) scalar: YAML keeps the backslashes literally, the
    # same as it does inside single quotes.
    - if: $CI_COMMIT_TAG =~ /^troubleshoot-v[0-9]+\.[0-9]+\.[0-9]+/
  before_script:
    # Only keeping this here because the release job has it
    - ./scripts/install-gh-deps.sh
  script:
    - echo "YES! We are running with $CI_COMMIT_TAG"
# Second tag-matching job, with the same pattern as troubleshoot-tag but
# written as a single-quoted string.
troubleshoot-end:
  stage: troubleshooting
  rules:
    # Maybe single quotes break it now?
    # NOTE(review): a single-quoted scalar and a plain scalar parse to the
    # same string here (backslashes are literal in both), so the quoting is
    # unlikely to change how the rule evaluates -- confirm on a test tag.
    - if: '$CI_COMMIT_TAG =~ /^troubleshoot-v[0-9]+\.[0-9]+\.[0-9]+/'
  script:
    - echo "This concludes our troubleshooting session. $CI_COMMIT_TAG"
# Gradle build for every pipeline (no rules); `-x :smoke-tests:test` leaves
# the smoke-test task out.
# NOTE(review): `--scan` publishes a Gradle build scan when the build ends.
# Which server receives it is set in the Gradle configuration, not shown
# here -- confirm the destination and that the captured console output and
# environment details carry no secrets.
build:
  stage: build
  script:
    - ./gradlew build -x :smoke-tests:test --scan --no-daemon --stacktrace
# Static analysis with Semgrep, extending `.sast_scan` (presumably defined
# by the included /prodsec/.sast-scan.yml -- verify).
# The rule limits the job to ref name `main`, so it does not run in
# merge-request or tag pipelines: findings surface after merge, and the
# tag-triggered release jobs are not gated by this scan.
sast-scan:
  stage: verify
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'
  extends: .sast_scan
  variables:
    SAST_SCANNER: 'Semgrep'
    # Fail build on high severity security vulnerabilities
    alert_mode: 'policy'
# Open-source dependency scan, extending `.oss-scan` (presumably defined by
# the included /prodsec/.oss-scan.yml -- verify). Like sast-scan it runs
# only for ref name `main`, so tag pipelines are not covered.
oss-scan:
  stage: verify
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'
  extends: .oss-scan
  # Empty list replaces any runner tags the template sets.
  # NOTE(review): the job can then land on any runner that accepts untagged
  # jobs -- confirm that is the intended runner pool for a scan job.
  tags: []
# Publishes a snapshot build to Sonatype from `main`. It sits in the
# release stage, after verify, where the scans for `main` run.
# NOTE(review): the publishing credentials are not defined in this file;
# presumably they are CI/CD variables -- confirm they are masked and
# limited to protected refs.
snapshot:
  stage: release
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'
  script:
    - ./gradlew assemble publishToSonatype --no-daemon --stacktrace
# Release job for version tags; keeps dist/ as an artifact even on failure.
# The pattern ends in `.*` with no `$` anchor, so any tag that starts with
# `vX.Y.Z` matches and `(-alpha)?` adds no restriction. The full tag text
# is handed to release.sh as one quoted argument.
# NOTE(review): if only plain and `-alpha` releases are intended, anchor
# the pattern with `$` and list the allowed suffixes. Pair it with
# protected tags so only maintainers can create a matching tag. The scan
# jobs are limited to `main`, so nothing in verify gates this job.
release:
  stage: release
  artifacts:
    when: always
    paths:
      - dist/
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
  before_script:
    - ./scripts/install-gh-deps.sh
  script:
    - ./scripts/release.sh "$CI_COMMIT_TAG"
# Builds and publishes the Docker image for a version tag, using an ID
# token to authenticate to Vault and the signing service.
# The tag pattern is the same unanchored one the release job uses.
publish-docker-image:
  stage: post-release
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
  variables:
    SIGNING_SERVICE_ADDR: 'https://signing.prod.svc.splunk8s.io'
  id_tokens:
    # One token is issued with both audiences, so both services accept the
    # same token. $CICD_VAULT_ADDR is not defined in this file.
    # NOTE(review): one id_tokens entry per audience would keep a token
    # presented to one service from also being valid at the other --
    # confirm the scripts can consume two separate tokens.
    CI_JOB_JWT:
      aud:
        - $CICD_VAULT_ADDR
        - $SIGNING_SERVICE_ADDR
  before_script:
    - ./scripts/install-docker-deps.sh
    - ./scripts/install-gh-deps.sh
  script:
    - ./scripts/publish-docker-image.sh "$CI_COMMIT_TAG"
# Runs propagate-version.sh with the tag name after a version-tag release.
# Same unanchored tag pattern as the release job: any tag beginning with
# `vX.Y.Z` triggers it, and the whole tag text reaches the script as one
# quoted argument.
propagate-version:
  stage: post-release
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
  before_script:
    - ./scripts/install-gh-deps.sh
  script:
    - ./scripts/propagate-version.sh "$CI_COMMIT_TAG"