| -rw-r--r-- | .gitlab-ci.yml | 327 | ||||
| -rw-r--r-- | CHANGELOG.md | 16 | ||||
| -rw-r--r-- | Dockerfile.v1 | 1 | ||||
| -rw-r--r-- | VERSION | 1 |
4 files changed, 141 insertions, 204 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cbe34ca..a82ff6f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,218 +1,163 @@
-image: alpine:latest
+# When using dind, it's wise to use the overlayfs driver for
+# improved performance.
+variables:
+ DOCKER_DRIVER: overlay2
+ MAJOR: 1
+ TMP_IMAGE: $CI_REGISTRY_IMAGE/tmp:$CI_COMMIT_SHA
+
+services:
+ - docker:stable-dind
 stages:
 - build
 - test
+ - tag
 - release
-build:
+build commit:
+ image: docker:stable
 stage: build
- image: docker:stable-git
- services:
- - docker:stable-dind
- variables:
- DOCKER_DRIVER: overlay2
 script:
- - setup_docker
- - build
- only:
- - branches
+ - docker info
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+ - docker build -t $TMP_IMAGE .
+ - docker push $TMP_IMAGE
-test:
+code_quality:
+ image: docker:stable
 stage: test
+ allow_failure: true
+ script:
+ - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
+ - docker run
+ --env SOURCE_CODE="$PWD"
+ --volume "$PWD":/code
+ --volume /var/run/docker.sock:/var/run/docker.sock
+ "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
+ artifacts:
+ reports:
+ codequality: gl-code-quality-report.json
+
+container_scanning:
 image: docker:stable
- services:
- - docker:stable-dind
+ stage: test
+ allow_failure: true
 script:
- - docker run "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" test
+ - docker run -d --name db arminc/clair-db:latest
+ - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
+ - apk add -U wget ca-certificates
+ - docker pull $TMP_IMAGE
+ - wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+ - mv clair-scanner_linux_amd64 clair-scanner
+ - chmod +x clair-scanner
+ - touch clair-whitelist.yml
+ - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
+ - retries=0
+ - echo "Waiting for clair daemon to start"
+ - while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
+ - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml $TMP_IMAGE || true
+ artifacts:
+ reports:
+ container_scanning: gl-container-scanning-report.json
+
+QA:
+ image: docker:stable
+ stage: test
+ script:
+ - docker info
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+ - docker pull $TMP_IMAGE
+ - docker run $TMP_IMAGE test
+
+.docker_tag:
+ image: docker:stable
+ stage: tag
+ script:
+ - docker info
+ - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
+ - export SOURCE_IMAGE=$TMP_IMAGE
+ - export TARGET_IMAGE=$CI_REGISTRY_IMAGE:${IMAGE_TAG:-$CI_JOB_NAME}
+ - docker pull $SOURCE_IMAGE
+ - docker tag $SOURCE_IMAGE $TARGET_IMAGE
+ - docker push $TARGET_IMAGE
+
+branch:
+ extends: .docker_tag
+ variables:
+ IMAGE_TAG: $CI_COMMIT_REF_SLUG
 only:
 - branches
+ except:
+ - master
-release-latest-and-next-version:
- stage: release
- image: docker:stable
- services:
- - docker:stable-dind
+edge:
+ extends: .docker_tag
 variables:
- DOCKER_DRIVER: overlay2
- script:
- - setup_docker
- - echo "Logging to GitLab Container Registry with CI credentials..."
- - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- - echo "Pulling Docker image..."
- - docker pull "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
- - echo "Tagging image"
- - docker tag "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" "$CI_REGISTRY_IMAGE:latest"
- - echo "Pushing to GitLab Container Registry..."
- - docker push "$CI_REGISTRY_IMAGE:latest"
- - docker tag "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" "$CI_REGISTRY_IMAGE:$(cat VERSION)"
- - echo "Pushing to GitLab Container Registry..."
- - docker push "$CI_REGISTRY_IMAGE:$(cat VERSION)"
+ IMAGE_TAG: edge
 only:
 - master
-release-stable:
+version:
+ extends: .docker_tag
+ before_script:
+ - export IMAGE_TAG=${CI_COMMIT_TAG/v/}
+ only:
+ - tags
+ when: manual
+ allow_failure: false
+
+.release:
+ extends: .docker_tag
 stage: release
- image: docker:stable
- services:
- - docker:stable-dind
- variables:
- DOCKER_DRIVER: overlay2
- script:
- - setup_docker
- - echo "Logging to GitLab Container Registry with CI credentials..."
- - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- - echo "Pulling Docker image..."
- - docker pull "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
- - echo "Tagging image"
- - docker tag "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
- - echo "Pushing to GitLab Container Registry..."
- - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
 only:
- - /^\d+-\d+-stable$/
+ - tags
-code_quality:
- image: docker:stable
+major:
+ extends: .release
 variables:
- DOCKER_DRIVER: overlay2
- allow_failure: true
- services:
- - docker:stable-dind
- script:
- - setup_docker
- - codeclimate
- artifacts:
- paths: [gl-code-quality-report.json]
+ IMAGE_TAG: $MAJOR
-container_scanning:
- image: docker:stable
+latest:
+ extends: .release
 variables:
- DOCKER_DRIVER: overlay2
- allow_failure: true
- services:
- - docker:stable-dind
- script:
- - setup_docker
- - sast_container
- artifacts:
- paths: [gl-container-scanning-report.json]
-
-# ---------------------------------------------------------------------------
-
-.auto_devops: &auto_devops |
- # Auto DevOps variables and functions
- [[ "$TRACE" ]] && set -x
- auto_database_url=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${CI_ENVIRONMENT_SLUG}-postgres:5432/${POSTGRES_DB}
- export DATABASE_URL=${DATABASE_URL-$auto_database_url}
- export CI_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG
- export CI_APPLICATION_TAG=$CI_COMMIT_SHA
- export CI_CONTAINER_NAME=ci_job_build_${CI_JOB_ID}
- export TILLER_NAMESPACE=$KUBE_NAMESPACE
- # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products
- export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
-
- function sast_container() {
- if [[ -n "$CI_REGISTRY_USER" ]]; then
- echo "Logging to GitLab Container Registry with CI credentials..."
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- echo ""
- fi
-
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
- }
-
- function codeclimate() {
- docker run --env SOURCE_CODE="$PWD" \
- --volume "$PWD":/code \
- --volume /var/run/docker.sock:/var/run/docker.sock \
- "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
- }
-
- function sast() {
- case "$CI_SERVER_VERSION" in
- *-ee)
-
- # Deprecation notice for CONFIDENCE_LEVEL variable
- if [ -z "$SAST_CONFIDENCE_LEVEL" -a "$CONFIDENCE_LEVEL" ]; then
- SAST_CONFIDENCE_LEVEL="$CONFIDENCE_LEVEL"
- echo "WARNING: CONFIDENCE_LEVEL is deprecated and MUST be replaced with SAST_CONFIDENCE_LEVEL"
- fi
-
- docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \
- --volume "$PWD:/code" \
- --volume /var/run/docker.sock:/var/run/docker.sock \
- "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
- ;;
- *)
- echo "GitLab EE is required"
- ;;
- esac
- }
-
- function dependency_scanning() {
- case "$CI_SERVER_VERSION" in
- *-ee)
- docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" \
- --volume "$PWD:/code" \
- --volume /var/run/docker.sock:/var/run/docker.sock \
- "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
- ;;
- *)
- echo "GitLab EE is required"
- ;;
- esac
- }
-
- function setup_docker() {
- if ! docker info &>/dev/null; then
- if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then
- export DOCKER_HOST='tcp://localhost:2375'
- fi
- fi
- }
-
- function build() {
-
- if [[ -n "$CI_REGISTRY_USER" ]]; then
- echo "Logging to GitLab Container Registry with CI credentials..."
- docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
- echo ""
- fi
-
- if [[ -f Dockerfile ]]; then
- echo "Building Dockerfile-based application..."
- docker build -t "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" .
- else
- echo "Building Heroku-based application using gliderlabs/herokuish docker image..."
- docker run -i --name="$CI_CONTAINER_NAME" -v "$(pwd):/tmp/app:ro" gliderlabs/herokuish /bin/herokuish buildpack build
- docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
- docker rm "$CI_CONTAINER_NAME" >/dev/null
- echo ""
-
- echo "Configuring $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG docker image..."
- docker create --expose 5000 --env PORT=5000 --name="$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" /bin/herokuish procfile start web
- docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
- docker rm "$CI_CONTAINER_NAME" >/dev/null
- echo ""
- fi
-
- echo "Pushing to GitLab Container Registry..."
- docker push "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
- echo ""
- }
-
-before_script:
- - *auto_devops
+ DOCKERFILE: Dockerfile.v1
+11-7-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-6-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-5-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-4-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+11-3-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-2-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-1-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
+
+11-0-stable:
+ extends: .release
+ variables:
+ DOCKERFILE: Dockerfile.v1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7febac3..1f793b6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
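Review bot: In container_scanning, the added `while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done` has no bound, so the counted loop right after it (the one that prints `Timeout, aborting.` and exits 1) can never fire and a Clair daemon that never comes up stalls the job until the runner timeout; drop the unbounded loop and keep only the counted one. The same job runs `docker pull $TMP_IMAGE` without the `docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY` step that `build commit` and `QA` perform first, so on a private project the pull from the project registry fails and `allow_failure: true` then hides the missing scan. `DOCKERFILE: Dockerfile.v1` is set on `latest` and on each `11-*-stable` job, but nothing in `.docker_tag` or `.release` reads `$DOCKERFILE` and the only build in this file is `docker build -t $TMP_IMAGE .`, so as far as the file shows Dockerfile.v1 is never built and all of those jobs retag the same `$TMP_IMAGE`. For the three login lines, `echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY` keeps the token out of the process list. The clair-scanner binary fetched with `wget` from the GitHub release and executed with no checksum check is carried over from the old script; a pinned checksum or a comment stating that this is accepted would document the trust decision.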
@@ -1,21 +1,13 @@
 # GitLab License management changelog
-## 11-7-stable
-- Bump LicenseFinder to 5.5.2
-
-## 11-6-stable
+## 1.2.0
-## 11-5-stable
+- Bump LicenseFinder to 5.5.2
-## 11-4-stable
+## 1.1.0
 - Allow `SETUP_CMD` to skip auto-detection of build tool
-## 11-3-stable
-
-## 11-2-stable
-
-## 11-1-stable
+## 1.0.0
-## 11-0-stable
 - Initial release
diff --git a/Dockerfile.v1 b/Dockerfile.v1
new file mode 100644
index 0000000..01b4c16
--- /dev/null
+++ b/Dockerfile.v1
@@ -0,0 +1 @@
+FROM registry.gitlab.com/gonzoyumo/license-management:1
diff --git a/VERSION b/VERSION
deleted file mode 100644
index eb11914..0000000
--- a/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-11-7-stable
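Review bot: `FROM registry.gitlab.com/gonzoyumo/license-management:1` pins Dockerfile.v1 to a mutable major tag under a personal namespace rather than to a digest, so whatever is later pushed to `:1` silently changes the image the `11-*-stable` jobs are meant to republish. Pin the base by digest, `FROM registry.gitlab.com/gonzoyumo/license-management:1@sha256:<digest-of-the-intended-image>`, and consider a project- or group-owned path for the source image. Note also that the new .gitlab-ci.yml only ever runs `docker build -t $TMP_IMAGE .`, so as far as this diff shows no job builds this file.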
\ No newline at end of file |
