
Rework gitlab-ci

3 files
+ 332
128

+ 311
124
# Customized Auto DevOps
#
# Test jobs may be disabled by setting environment variables:
# * test: TEST_DISABLED
# * code_quality: CODE_QUALITY_DISABLED
# * license_management: LICENSE_MANAGEMENT_DISABLED
# * performance: PERFORMANCE_DISABLED
# * sast: SAST_DISABLED
# * dependency_scanning: DEPENDENCY_SCANNING_DISABLED
# * container_scanning: CONTAINER_SCANNING_DISABLED
# * dast: DAST_DISABLED
# * review: REVIEW_DISABLED
# * stop_review: REVIEW_DISABLED
# Queue - A Queueing system that can be used to handle labs in higher education
# Copyright (C) 2016-2020 Delft University of Technology
#
# Continuous deployment to production is enabled by default for master.
# If you want to deploy to staging first, set STAGING_ENABLED environment variable.
# If you want to enable incremental rollout, either manual or time based,
# set INCREMENTAL_ROLLOUT_MODE environment variable to "manual" or "timed".
# If you want to use canary deployments, set CANARY_ENABLED environment variable.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# If Auto DevOps fails to detect the proper buildpack, or if you want to
# specify a custom buildpack, set a project variable `BUILDPACK_URL` to the
# repository URL of the buildpack.
# e.g. BUILDPACK_URL=https://github.com/heroku/heroku-buildpack-ruby.git#v142
# If you need multiple buildpacks, add a file to your project called
# `.buildpacks` that contains the URLs, one on each line, in order.
# Note: Auto CI does not work with multiple buildpacks yet
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
image: gradle:jdk11
image: alpine:latest
variables:
GRADLE_USER_HOME: $CI_PROJECT_DIR/.gradle
# KUBE_INGRESS_BASE_DOMAIN is the application deployment domain and should be set as a variable at the group or project level.
# KUBE_INGRESS_BASE_DOMAIN: domain.example.com
DOCKER_DRIVER: overlay2
DOCKER_TLS_CERTDIR: "/certs"
DOCKER_DRIVER: overlay2
# Create the certificates inside this directory for both the server
# and client. The certificates used by the client will be created in
# /certs/client so we only need to share this directory with the
# volume mount in `config.toml`.
DOCKER_TLS_CERTDIR: "/certs"
GRADLE_USER_HOME: ".gradle"
GRADLE_OPTS: "-Dorg.gradle.daemon=false -Dorg.gradle.caching=true"
ROLLOUT_RESOURCE_TYPE: deployment
cache: &global_cache
key: "$CI_PROJECT_NAME"
policy: pull
paths:
- .gradle
- build
# The names of the stages we use
stages:
- build
- build_pom
- build 1
- build 2
- test
- deploy # dummy stage to follow the template guidelines
- review
- dast
- staging # dummy stage to follow the template guidelines
- canary # dummy stage to follow the template guidelines
- production # dummy stage to follow the template guidelines
- incremental rollout 10% # dummy stage to follow the template guidelines
- incremental rollout 25% # dummy stage to follow the template guidelines
- incremental rollout 50% # dummy stage to follow the template guidelines
- incremental rollout 100% # dummy stage to follow the template guidelines
- performance # dummy stage to follow the template guidelines
- cleanup # dummy stage to follow the template guidelines
- gitlab reports
- publish
# Default build cache settings to extend from
.build_cached:
cache:
key: "${CI_COMMIT_REF_SLUG}-gradle-build"
paths:
- .gradle/
policy: pull
only:
- master
- development
- merge_requests
- pushes
.gitlab_reporter:
stage: gitlab reports
needs:
- gradle_build
# Runs gradle build without tests or checks
gradle_build:
extends: .build_cached
stage: build 1
cache:
policy: pull-push
artifacts:
name: build
expire_in: 6 hours
paths:
- build/
script:
- ./gradlew --build-cache build -x test -x licenseMain -x licenseTest -x spotlessJava -x spotlessCheck
# Runs build and publish JAR jobs on Labracore
#labracore_build:
# stage: build
# only:
# - master
# - development
# - merge_requests
# - pushes
# trigger:
# project: eip/labrador/labracore
# branch: gitlab-ci-dev
# strategy: depend
# Generate the pom for dependency scanning
generate_pom:
extends: .build_cached
stage: build 2
only:
- master
- development
- merge_requests
except:
- triggers
needs:
- gradle_build
artifacts:
name: pom
expire_in: 6 hours
paths:
- pom.xml
script:
- ./gradlew --build-cache generatePomFileForGeneratePomPublication
after_script:
- cp build/publications/generatePom/pom-*.xml pom.xml
# Run the tests
gradle_test:
extends: .build_cached
stage: test
needs:
- gradle_build
# - labracore_build
cache:
policy: pull-push
artifacts:
name: build
expire_in: 6 hours
paths:
- build/
script:
- ./gradlew --build-cache test
# Run spotless
gradle_spotless:
extends: .build_cached
needs:
- gradle_build
artifacts:
name: spotless
expose_as: Spotless Diagnosis
expire_in: 7 days
paths:
- spotless-diagnose-java/
stage: review
script:
- ./gradlew --build-cache spotlessCheck
after_script:
- cp -r build/spotless-diagnose-java spotless-diagnose-java/
# Run license check
gradle_licenses:
extends: .build_cached
needs:
- gradle_build
stage: review
script:
- ./gradlew --build-cache licenseMain
- ./gradlew --build-cache licenseTest
# Publish jacoco test report
publish_jacoco_report:
extends: .build_cached
needs:
- gradle_test
stage: publish
coverage: '/Code coverage: \d+\.\d+/'
artifacts:
name: codecov
expose_as: Code coverage report
expire_in: 7 days
paths:
- codecov/
script:
# Rerun with none of the dependent tasks to ensure creation of the report
# without having to recheck whether the code has compiled (it has in build cache).
- ./gradlew --build-cache jacocoTestReport -x processResources -x compileJava -x classes --rerun-tasks
after_script:
# Print out the coverage percentage from the test report.
- awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print "Code coverage:", 100*covered/instructions }' build/reports/jacoco/test/jacocoTestReport.csv
- cp -r build/reports codecov
# Publish the test failure/pass report
publish_test_report:
extends: .build_cached
needs:
- gradle_test
when: always
stage: publish
artifacts:
reports:
junit: TEST-*.xml
script:
- cp build/test-results/test/TEST-*.xml ./
# Publish the JAR for Queue
publish_jar:
extends: .build_cached
stage: publish
needs:
- gradle_build
artifacts:
name: queue
expose_as: Queue JAR
expire_in: 7 days
paths:
- queue.jar
script:
- cp build/libs/queue-*.jar ./queue.jar
# Include templates for security scans and code quality reports
include:
- template: Jobs/Build.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
- template: Jobs/Test.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Test.gitlab-ci.yml
- template: Jobs/Code-Quality.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml
- template: Jobs/Deploy.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Deploy.gitlab-ci.yml
- template: Jobs/Browser-Performance-Testing.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Jobs/Browser-Performance-Testing.gitlab-ci.yml
- template: Security/DAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Management.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/License-Management.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
build:
cache:
# inherit all global cache settings
<<: *global_cache
# override the policy
policy: push
only:
- branches
- tags
- merge_requests
build_pom:
stage: build_pom
image: gradle:jdk11
artifacts:
expose_as: 'Maven POM'
paths:
- build/poms/pom-default.xml
expire_in:
1 week
only:
- branches
- tags
- merge_requests
script:
# This generates the POM used in the artifacts
- ./gradlew install
test:
after_script:
- awk -F"," '{ instructions += $4 + $5; covered += $5 } END { print covered, "/", instructions, " instructions covered"; print 100*covered/instructions, "% covered" }' /app/target/site/jacoco/jacoco.csv
linter:
image: gradle:jdk11
stage: review
script: ./gradlew spotlessCheck
only:
- tags
- branches
- merge_requests
- template: Jobs/Code-Quality.gitlab-ci.yml
- template: Security/DAST.gitlab-ci.yml
- template: Security/Container-Scanning.gitlab-ci.yml
- template: Security/Dependency-Scanning.gitlab-ci.yml
- template: Security/License-Scanning.gitlab-ci.yml
code_quality:
cache: {}
only:
- branches
- tags
- merge_requests
dependency_scanning:
before_script:
- cp build/poms/pom-default.xml pom.xml
license_management:
cache: {}
variables:
LM_JAVA_VERSION: 11
GRADLE_CLI_OPTS: -x test
# Runs the code quality reporter
code_quality:
extends:
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
# Runs the SAST reporter manually
# (there was a problem with running this from the template with Java 11,
# even though it should have been configured)
sast:
cache: {}
variables:
SAST_JAVA_VERSION: 11
extends:
# - .build_cached
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
image: docker:stable
variables:
DOCKER_DRIVER: overlay2
allow_failure: true
services:
- docker:stable-dind
script:
- export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
- docker run
--env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
--env SAST_DEFAULT_ANALYZERS=spotbugs
--env SAST_JAVA_VERSION=11
--volume "$PWD:/code"
--volume /var/run/docker.sock:/var/run/docker.sock
"registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
artifacts:
reports:
sast: gl-sast-report.json
# Run the DAST security checks and reporter.
# Currently set to manual as it requires a test environment to be up and running.
dast:
only:
- master
extends:
- .build_cached
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
when: manual
variables:
DAST_VERSION: latest
# Run the container scanning security checks.
# Currently set to manual because we do not believe it adds anything to the current
# setup of Queue.
container_scanning:
extends:
- .build_cached
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
when: manual
before_script:
- export DOCKER_USER=$CI_REGISTRY_USER
- export DOCKER_PASSWORD=$CI_REGISTRY_PASSWORD
# Dependency scanning reporter for checking dependencies of Queue.
dependency_scanning:
extends:
- .build_cached
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
needs:
- generate_pom
dependencies:
- generate_pom
before_script:
- rm build.gradle* gradlew gradlew.bat
variables:
MAVEN_CLI_OPTS: -q -Dmaven.main.skip -Dmaven.test.skip -DskipTests --batch-mode
# License scanning reporter for checking the licenses of dependencies.
license_scanning:
extends:
- .build_cached
- .gitlab_reporter
only:
- master
- development
- merge_requests
stage: gitlab reports
needs:
- generate_pom
dependencies:
- generate_pom
before_script:
- rm build.gradle* gradlew gradlew.bat
variables:
MAVEN_CLI_OPTS: -q -Dmaven.main.skip -Dmaven.test.skip -DskipTests --batch-mode
LM_JAVA_VERSION: 11
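Review bot: The `sast` job near the end of this file gives the analyzer container the Docker daemon's socket (`--volume /var/run/docker.sock:/var/run/docker.sock`) and also bind-mounts the checkout at `/code`, so whatever runs in that image can start arbitrary containers on the `docker:stable-dind` service, which typically runs privileged. Every image involved is a floating reference (`docker:stable`, `docker:stable-dind`, `sast:$SP_VERSION` derived from `$CI_SERVER_VERSION`, and `DAST_VERSION: latest` in the `dast` job), so the code given that access can change between pipelines without any change in this repository. I would pin these to a fixed tag or digest, e.g. `image: docker:<PINNED_TAG>` and `- docker:<PINNED_TAG>-dind`, and add a comment above the `docker run` step such as `# Analyzer controls the dind daemon through the socket; run this job only on runners isolated from deploy credentials.` `allow_failure: true` on the same job means a scanner that crashes or writes no `gl-sast-report.json` still leaves the pipeline green, which is worth stating in the job's comment if it is intentional. The +/- markers are lost on this page, so I am inferring from `stage: gitlab reports` that these lines are on the new side.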