
Switch to a shared CI file


+ 9
288
@@ -16,297 +16,18 @@
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
image: gradle:jdk21
variables:
DOCKER_TLS_CERTDIR: "/certs"
DOCKER_DRIVER: overlay2
# The names of the stages we use
stages:
- build
- prepare
- test
- review
- gitlab reports
- publish
- deploy
# Default build cache settings to extend from
.build_cached:
cache:
key: "gradle-build"
paths:
# Only cache the gradle directory, as we do not use a shared cache
- .gradle/
# - build/
# - generated/
policy: pull-push
.gitlab_reporter:
stage: gitlab reports
needs:
- gradle_build
# Runs gradle build without tests or checks
gradle_build:
extends: .build_cached
stage: build
rules:
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID ||
$CI_PIPELINE_SOURCE == "push" ||
$CI_PIPELINE_SOURCE == "trigger"
cache:
policy: pull-push
artifacts:
name: build
expire_in: 6 hours
paths:
- build/
script:
- gradle --build-cache build testClasses -x test -x licenseMain -x licenseTest -x spotlessJava -x spotlessCheck
# Run tests
gradle_test:
extends: .build_cached
stage: test
needs:
- gradle_build
rules:
- if: $CI_PIPELINE_SOURCE == "trigger"
when: never
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID ||
$CI_PIPELINE_SOURCE == "push"
cache:
policy: pull-push
coverage: '/Code coverage: \d+\.\d+/'
artifacts:
name: Coverage report
expire_in: 6 hours
paths:
- codecov/
reports:
junit: build/test-results/test/TEST-*.xml
coverage_report:
coverage_format: cobertura
path: build/reports/jacoco/test/jacocoTestReport.xml
script:
- ./gradlew test
after_script:
# Rerun with none of the dependent tasks to ensure creation of the report
# without having to recheck whether the code has compiled (it has in build cache).
- ./gradlew jacocoTestReport -x processResources -x compileJava -x classes --rerun-tasks
# Print out the coverage percentage from the test report.
- awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print "Code coverage:", 100*covered/instructions }' build/reports/jacoco/test/jacocoTestReport.csv || true
- cp -r build/reports codecov
# Run spotless
gradle_spotless:
extends: .build_cached
needs:
- gradle_build
rules:
- if: $CI_PIPELINE_SOURCE == "trigger"
when: never
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID ||
$CI_PIPELINE_SOURCE == "push"
artifacts:
name: spotless
expose_as: Spotless Diagnosis
expire_in: 7 days
paths:
- spotless-diagnose-java/
stage: review
script:
- ./gradlew spotlessCheck
after_script:
- cp -r build/spotless-diagnose-java spotless-diagnose-java/
# Run license check
gradle_licenses:
extends: .build_cached
needs:
- gradle_build
rules:
- if: $CI_PIPELINE_SOURCE == "trigger"
when: never
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID ||
$CI_PIPELINE_SOURCE == "push"
stage: review
script:
- ./gradlew licenseMain
- ./gradlew licenseTest
# Publish the JAR for Portal
publish_jar:
extends: .build_cached
stage: publish
rules:
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID ||
$CI_PIPELINE_SOURCE == "push" ||
$CI_PIPELINE_SOURCE == "trigger"
needs:
- gradle_build
artifacts:
name: portal
expose_as: Portal JAR
expire_in: 7 days
paths:
- portal.jar
script:
- cp build/libs/portal-*.jar ./portal.jar
# Include templates for security scans and code quality reports
include:
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml
- template: Security/DAST.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
# Runs the code quality reporter
code_quality:
extends:
- .build_cached
- .gitlab_reporter
rules:
- if: $CI_PIPELINE_SOURCE == "trigger" ||
$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
when: never
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID
stage: gitlab reports
# Runs the SAST checks and reporter.
spotbugs-sast:
variables:
COMPILE: "false"
allow_failure: true
rules:
- if: $CI_PIPELINE_SOURCE == "trigger" ||
$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
when: never
- if: $CI_COMMIT_BRANCH == "master" ||
$CI_COMMIT_BRANCH == "development" ||
$CI_MERGE_REQUEST_ID
stage: gitlab reports
needs:
- gradle_build
dependencies:
- gradle_build
- project: "eip/labrador/shared-ci"
ref: "main"
file: ".gitlab-ci-template.yaml"
# Run the DAST security checks and reporter.
# Currently set to manual as it requires a test environment to be up and running.
dast:
extends:
- .build_cached
- .gitlab_reporter
rules:
- if: $CI_PIPELINE_SOURCE == "trigger" ||
$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
when: never
- if: $CI_COMMIT_BRANCH == "master"
when: manual
stage: gitlab reports
variables:
DAST_VERSION: latest
variables:
APP_NAME: portal
# job for deploying on staging
deploy_staging:
image: getsentry/sentry-cli
stage: deploy
dependencies:
- publish_jar
before_script:
- 'which ssh-agent || ( apk add --update openssh-client )'
- eval $(ssh-agent -s)
##
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
## We're using tr to fix line endings which makes ed25519 keys work
## without extra base64 encoding.
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
##
- echo "$SSH_PRIVATE_KEY_STAGING" | tr -d '\r' | ssh-add -
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- ssh-keyscan eiptest.ewi.tudelft.nl >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
script:
- scp portal.jar deployer-tam@eiptest.ewi.tudelft.nl:/var/www/portal/
- ssh deployer-tam@eiptest.ewi.tudelft.nl sudo /bin/systemctl restart portal
environment:
name: staging
url: https://portal.eiptest.ewi.tudelft.nl
rules:
- if: $CI_PIPELINE_SOURCE == "trigger" ||
$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
when: never
- if: $CI_COMMIT_BRANCH == "development"
variables:
USER: "deployer-tam"
# Manual job for deploying on labrador.tudelft.nl
deploy:
image: getsentry/sentry-cli
stage: deploy
dependencies:
- publish_jar
before_script:
- 'which ssh-agent || ( apk add --update openssh-client )'
- eval $(ssh-agent -s)
##
## Add the SSH key stored in SSH_PRIVATE_KEY variable to the agent store
## We're using tr to fix line endings which makes ed25519 keys work
## without extra base64 encoding.
## https://gitlab.com/gitlab-examples/ssh-private-key/issues/1#note_48526556
##
- echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
- mkdir -p ~/.ssh
- chmod 700 ~/.ssh
- ssh-keyscan labrador.tudelft.nl >> ~/.ssh/known_hosts
- chmod 644 ~/.ssh/known_hosts
script:
- start=$(date +%s)
- export SENTRY_URL=$SENTRY_URL
- export SENTRY_ORG=$SENTRY_GIT_ORG
- export SENTRY_AUTH_TOKEN=$SENTRY_GIT_AUTH_TOKEN
- export SENTRY_PROJECT=$SENTRY_GIT_PROJECT
- export SENTRY_RELEASE_VERSION=`sentry-cli releases propose-version`
- echo "proposed version is $SENTRY_RELEASE_VERSION"
- sentry-cli releases set-commits $SENTRY_RELEASE_VERSION --auto
- sentry-cli releases new $SENTRY_RELEASE_VERSION
- ssh deploy@labrador.tudelft.nl cp /var/www/portal/portal.jar /var/www/portal/portal.jar.bak
- scp portal.jar deploy@labrador.tudelft.nl:/var/www/portal/
- ssh deploy@labrador.tudelft.nl sudo /bin/systemctl restart portal
- sentry-cli releases finalize $SENTRY_RELEASE_VERSION
- now=$(date +%s)
- sentry-cli releases deploys $SENTRY_RELEASE_VERSION new -e production -t $((now-start))
environment:
name: production
url: https://labrador.tudelft.nl
rules:
- if: $CI_PIPELINE_SOURCE == "trigger" ||
$CI_MERGE_REQUEST_EVENT_TYPE == "merge_train"
when: never
- if: $CI_COMMIT_BRANCH == "master"
when: manual
variables:
URL: "labrador.tudelft.nl"
\ No newline at end of file
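Review bot: The added `include` pins the shared template to `ref: "main"`, a mutable branch, so every pipeline of this project executes whatever is on that branch at run time, and that external template inherits this project's CI variables, including the deployment credentials the removed jobs referenced (`SSH_PRIVATE_KEY`, `SSH_PRIVATE_KEY_STAGING`, the `SENTRY_*` tokens). Pin the include to an immutable reference, `ref: "<tag-or-commit-sha>"`, and if a branch must be used, confirm that `main` of `eip/labrador/shared-ci` is a protected branch with maintainer-only merges and that the project is subject to the same review rules as this one. The rendered view does not show whether the top-level `variables:` block near line 14 survives on the new side next to the added `variables:`/`APP_NAME` mapping; if both remain, that is a duplicate top-level key that most YAML loaders resolve silently last-wins, so the rendered new file should be checked. The file also ends without a trailing newline.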