image: alpine:latest stages: - build - test - release build: stage: build image: docker:stable-git services: - docker:stable-dind variables: DOCKER_DRIVER: overlay2 script: - setup_docker - build only: - branches test: stage: test image: docker:stable services: - docker:stable-dind script: - docker run "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" test only: - branches release-latest: stage: release image: docker:stable services: - docker:stable-dind variables: DOCKER_DRIVER: overlay2 script: - setup_docker - echo "Logging to GitLab Container Registry with CI credentials..." - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - echo "Pulling Docker image..." - docker pull "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" - echo "Tagging image" - docker tag "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" "$CI_REGISTRY_IMAGE:latest" - echo "Pushing to GitLab Container Registry..." - docker push "$CI_REGISTRY_IMAGE:latest" only: - master release-stable: stage: release image: docker:stable services: - docker:stable-dind variables: DOCKER_DRIVER: overlay2 script: - setup_docker - echo "Logging to GitLab Container Registry with CI credentials..." - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" - echo "Pulling Docker image..." - docker pull "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" - echo "Tagging image" - docker tag "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" - echo "Pushing to GitLab Container Registry..." - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG" only: - /^\d+-\d+-stable$/ code_quality: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure: true services: - docker:stable-dind script: - setup_docker - codeclimate artifacts: paths: [gl-code-quality-report.json] container_scanning: image: docker:stable variables: DOCKER_DRIVER: overlay2 allow_failure: true services: - docker:stable-dind script: - setup_docker - sast_container artifacts: paths: [gl-container-scanning-report.json] # --------------------------------------------------------------------------- .auto_devops: &auto_devops | # Auto DevOps variables and functions [[ "$TRACE" ]] && set -x auto_database_url=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${CI_ENVIRONMENT_SLUG}-postgres:5432/${POSTGRES_DB} export DATABASE_URL=${DATABASE_URL-$auto_database_url} export CI_APPLICATION_REPOSITORY=$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG export CI_APPLICATION_TAG=$CI_COMMIT_SHA export CI_CONTAINER_NAME=ci_job_build_${CI_JOB_ID} export TILLER_NAMESPACE=$KUBE_NAMESPACE # Extract "MAJOR.MINOR" from CI_SERVER_VERSION and generate "MAJOR-MINOR-stable" for Security Products export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/') function sast_container() { if [[ -n "$CI_REGISTRY_USER" ]]; then echo "Logging to GitLab Container Registry with CI credentials..." docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" echo "" fi docker run -d --name db arminc/clair-db:latest docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1 apk add -U wget ca-certificates docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 mv clair-scanner_linux_amd64 clair-scanner chmod +x clair-scanner touch clair-whitelist.yml retries=0 echo "Waiting for clair daemon to start" while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true } function codeclimate() { docker run --env SOURCE_CODE="$PWD" \ --volume "$PWD":/code \ --volume /var/run/docker.sock:/var/run/docker.sock \ "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code } function sast() { case "$CI_SERVER_VERSION" in *-ee) # Deprecation notice for CONFIDENCE_LEVEL variable if [ -z "$SAST_CONFIDENCE_LEVEL" -a "$CONFIDENCE_LEVEL" ]; then SAST_CONFIDENCE_LEVEL="$CONFIDENCE_LEVEL" echo "WARNING: CONFIDENCE_LEVEL is deprecated and MUST be replaced with SAST_CONFIDENCE_LEVEL" fi docker run --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}" \ --volume "$PWD:/code" \ --volume /var/run/docker.sock:/var/run/docker.sock \ "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code ;; *) echo "GitLab EE is required" ;; esac } function dependency_scanning() { case "$CI_SERVER_VERSION" in *-ee) docker run --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}" \ --volume "$PWD:/code" \ --volume /var/run/docker.sock:/var/run/docker.sock \ "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code ;; *) echo "GitLab EE is required" ;; esac } function setup_docker() { if ! docker info &>/dev/null; then if [ -z "$DOCKER_HOST" -a "$KUBERNETES_PORT" ]; then export DOCKER_HOST='tcp://localhost:2375' fi fi } function build() { if [[ -n "$CI_REGISTRY_USER" ]]; then echo "Logging to GitLab Container Registry with CI credentials..." docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY" echo "" fi if [[ -f Dockerfile ]]; then echo "Building Dockerfile-based application..." docker build -t "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" . else echo "Building Heroku-based application using gliderlabs/herokuish docker image..." docker run -i --name="$CI_CONTAINER_NAME" -v "$(pwd):/tmp/app:ro" gliderlabs/herokuish /bin/herokuish buildpack build docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" docker rm "$CI_CONTAINER_NAME" >/dev/null echo "" echo "Configuring $CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG docker image..." docker create --expose 5000 --env PORT=5000 --name="$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" /bin/herokuish procfile start web docker commit "$CI_CONTAINER_NAME" "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" docker rm "$CI_CONTAINER_NAME" >/dev/null echo "" fi echo "Pushing to GitLab Container Registry..." docker push "$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG" echo "" } before_script: - *auto_devops