-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.gitlab-ci.yml
248 lines (223 loc) · 6.62 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
image: registry.gitlab.procivis.ch/procivis/one/one-operations/core-base:1.80.0-0.2
include:
- project: 'procivis/one/one-operations'
file:
- 'gitlab/aks-deploy.gitlab-ci.yml'
- 'gitlab/docker.gitlab-ci.yml'
variables:
DEPENDENCY_TRACK_PROJECT_NAME: "One-Open-Core"
CI_TAG_PATTERN: /^v[0-9]+\.[0-9]+\.[0-9]+-.+$/
HELM_APP_NAME: one-core-docs
HELM_PATH: docs/one-core-docs-chart
# Required variables in GitLab config:
# - AAD_SERVICE_PRINCIPAL_CLIENT_ID: Azure Active directory Application id. Use for RBAC SP kubelogin
# - AAD_SERVICE_PRINCIPAL_CLIENT_SECRET: Application secret. Use for RBAC SP kubelogin
# - AD_TENANT_ID: Azure Active Directory Tenant ID
# - DEMO_RESOURCE_GROUP: Azure Resource group where AKS deployed
# - DEMO_CLUSTER_NAME: AKS cluster name
# - DOCKER_AUTH_CONFIG: Pull image from private repository
stages:
- build
- test
- docs
- scan
- package
- deploy
.app_settings: &app_settings
- D_TRACK_PROJECT_VERSION=${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}
- APP_FLAVOR=docs
- APP_VERSION=$(echo $CI_COMMIT_TAG | sed -n "s/^\(v.*\)-.*$/\1/p")
- APP_VERSION=${APP_VERSION:-$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA}
- IMAGE_NAME=$CI_REGISTRY_IMAGE/$APP_FLAVOR
- IMAGE_TAG=$IMAGE_NAME:$APP_VERSION
- DEPLOY_IMAGE_TAG=$APP_VERSION
before_script:
- *app_settings
.only_main:
rules:
- if: $CI_COMMIT_BRANCH == "main"
when: on_success
.only_main_or_tag:
rules:
- if: $CI_COMMIT_TAG =~ $CI_TAG_PATTERN
when: on_success
- if: $CI_COMMIT_BRANCH == "main"
when: on_success
build:
stage: build
script:
- cargo build --release
# also build examples
- (cd examples/did_resolution_example ; cargo build --release)
- (cd examples/signature_example ; cargo build --release)
extends:
- .only_main
tests:
stage: test
script:
# The default amount of codegen-units (256 for dev builds) vastly increases
# the RAM usage during compilation, hence we limit it in CI
- RUSTFLAGS="-C codegen-units=4" cargo llvm-cov --no-clean --workspace --lcov --ignore-filename-regex=".*test.*\.rs$|tests/.*\.rs$" --output-path lcov.info
- cargo llvm-cov report --cobertura --output-path cobertura.xml
- cargo llvm-cov report
coverage: '/^TOTAL\s+\d+\s+\d+\s+(?:\d+\.\d+)%\s+\d+\s+\d+\s+(?:\d+\.\d+)%\s+\d+\s+\d+\s+(\d+\.\d+)%/'
artifacts:
expire_in: 1 day
paths:
- lcov.info
reports:
coverage_report:
coverage_format: cobertura
path: cobertura.xml
linter:clippy:
stage: test
script:
- cargo clippy --all-targets --message-format=json -- -D warnings > clippy.json
- cargo clippy --package one-providers --message-format=json -- -W clippy::expect_used -W clippy::panic -W clippy::unwrap_used >> clippy.json
artifacts:
expire_in: 1 day
when: always
paths:
- clippy.json
linter:rustfmt:
stage: test
script:
- cargo fmt --all -- --check
linter:dependencies:
stage: test
script:
- cargo deny --format json check 2> deny.json || true
- cargo deny check
artifacts:
expire_in: 1 day
when: always
paths:
- deny.json
sonarqube-check:
stage: scan
dependencies:
- linter:clippy
- tests
needs:
- linter:clippy
- tests
image:
name: sonarsource/sonar-scanner-cli:latest
entrypoint: [""]
variables:
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
script:
- sonar-scanner
allow_failure: true
extends:
- .only_main
build:docs:
stage: docs
script:
- cargo doc --no-deps --release
artifacts:
expire_in: 1 day
paths:
- target/doc
extends:
- .only_main_or_tag
publish:docs:
stage: package
dependencies: [ build:docs ]
variables:
DOCKERFILE_PATH: docs/docker/Dockerfile
extends:
- .docker_publish
- .only_main_or_tag
deploy:docs:
stage: deploy
needs: [ publish:docs ]
extends:
- .deploy_k8s
- .only_main_or_tag
before_script:
- *app_settings
- RESOURCE_GROUP=$DEMO_RESOURCE_GROUP
- CLUSTER_NAME=$DEMO_CLUSTER_NAME
variables:
HELM_VALUES_FILE: values/docs.procivis-one.yaml
K8S_NAMESPACE: trial
dependency_track:upload-bom:
stage: scan
variables:
D_TRACK_PATH: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom
SBOM_FILE_PATH: "merged_sbom.json"
SBOM_FILES: >-
one-open-core/one-open-core.cdx.json
one-providers/one-providers.cdx.json
extends:
- .only_main
artifacts:
expire_in: 1 day
paths:
- ${SBOM_FILE_PATH}
reports:
cyclonedx:
- ${SBOM_FILE_PATH}
script:
- cargo cyclonedx -f json --spec-version 1.3
- cyclonedx-cli merge --input-files ${SBOM_FILES} --input-format=json --output-format=json --group apps > ${SBOM_FILE_PATH}
- echo "${SBOM_FILE_PATH}"
- file_content=$(base64 -i $SBOM_FILE_PATH)
- |
curl -i --fail -X PUT \
-H "Content-Type: application/json" \
-H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \
--data @- ${D_TRACK_PATH} << EOF
{
"projectName": "${DEPENDENCY_TRACK_PROJECT_NAME}",
"projectVersion": "${D_TRACK_PROJECT_VERSION}",
"autoCreate": true,
"bom": "${file_content}"
}
EOF
.dTrack_metrics: &dTrack_metrics
- base_url=${DEPENDENCY_TRACK_BASE_URL}/api/v1/project/lookup
- url="${base_url}?name=${DEPENDENCY_TRACK_PROJECT_NAME}&version=${D_TRACK_PROJECT_VERSION}"
- echo "URL=$url"
- >
result=$(curl -X GET "${url}" \
-H "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
-H "Accept: application/json")
- metrics=$(echo $result | jq -r .metrics)
- echo "Dependency Track Project Version metrics=${metrics}"
dependency_track:policy_violations:
stage: scan
allow_failure: true
needs:
- job: dependency_track:upload-bom
extends:
- .only_main
script:
- *dTrack_metrics
- violated_licences=$(echo ${metrics} | jq -r .policyViolationsFail)
- echo "Count of violated_licences=${violated_licences}"
- >
if [[ ${violated_licences} -gt 0 ]]; then
echo "Violated licences more that 0."
exit 1;
fi
dependency_track:metrics:
stage: scan
allow_failure: true
needs:
- job: dependency_track:upload-bom
extends:
- .only_main
script:
- *dTrack_metrics
- critical=$(echo ${metrics} | jq -r .critical)
- high=$(echo ${metrics} | jq -r .high)
- echo "Critical vulnerabilities=${critical}"
- echo "High vulnerabilities=${high}"
- >
if [[ ${critical} -gt 0 || ${high} -gt 0 ]]; then
echo "Lib vulnerabilities more that 0."
exit 1;
fi