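# SPDX-FileCopyrightText: 2022 Georg-August-Universität Göttingen
#
# SPDX-License-Identifier: CC0-1.0
---
# Pipelines are created only for merge requests, pushes to the default
# branch, and tags.
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

stages:
  - test
  - release
  - build
  - deploy

variables:
  harbor_registry: "harbor.gwdg.de"
  harbor_repo: "sub-fe"
  project_name: "repdav"

# Lints the Dockerfile on merge requests that touch it and publishes the
# result as a code-quality report.
lint dockerfile:
  stage: test
  # NOTE(review): `latest-debian` is a mutable tag, so the linter binary can
  # change between runs. Pin to a reviewed release tag or digest
  # (hadolint/hadolint@sha256:<DIGEST_PLACEHOLDER>).
  image: hadolint/hadolint:latest-debian
  before_script:
    - mkdir -p reports
  script:
    # The md5sum is only used to give the report file a content-derived name.
    - hadolint --format gitlab_codeclimate Dockerfile > "reports/hadolint-$(md5sum Dockerfile | cut -d" " -f1).json"
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always
    reports:
      codequality:
        - "reports/*"
    paths:
      - "reports/*"
  rules:
    - if: $CI_MERGE_REQUEST_IID
      changes:
        - Dockerfile

# Runs semantic-release on the default branch.
release:
  stage: release
  image: docker.io/node:18.12
  before_script:
    # NOTE(review): unlike `generate app sbom`, this install does not pass
    # --ignore-scripts, so dependency lifecycle scripts run in the job that
    # presumably holds the release credentials used by semantic-release.
    # Confirm --unsafe-perm is still required and whether lifecycle scripts
    # can be disabled here.
    - npm ci --unsafe-perm
  script:
    - npx semantic-release
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

# Builds the image with kaniko and pushes it to the GitLab registry and to
# Harbor.
build container image:
  stage: build
  image:
    # NOTE(review): `debug` is a mutable tag; pin to a reviewed release tag
    # or digest (gcr.io/kaniko-project/executor@sha256:<DIGEST_PLACEHOLDER>).
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # Use the tag as version on tag pipelines; otherwise the short commit SHA.
    # This replaces `tag=$(git tag --contains ... 2>&1)`, which captured
    # git's error text into $tag (stderr was redirected into the command
    # substitution), could yield several tags at once, and depended on a git
    # binary being present in the kaniko image (not verified from here).
    # CI_COMMIT_TAG is also what the SBOM jobs below use to locate the image.
    - 'export version="${CI_COMMIT_TAG:-$CI_COMMIT_SHORT_SHA}"'
    - mkdir -p /kaniko/.docker
    # Write the registry credentials for kaniko. Credentials are quoted so
    # that whitespace or glob characters in the password cannot alter the
    # encoded value.
    - |-
      registry_auth="$(printf '%s' "${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD}" | base64 | tr -d '\n')"
      printf '{"auths":{"%s":{"auth":"%s"},"%s":{"auth":"%s"}}}\n' \
        "$CI_REGISTRY" "$registry_auth" \
        "$harbor_registry" "$HARBOR_ROBOT_TOKEN64" \
        > /kaniko/.docker/config.json
    - >-
      /kaniko/executor
      --context "$CI_PROJECT_DIR"
      --dockerfile "$CI_PROJECT_DIR/Dockerfile"
      --build-arg build_date="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
      --build-arg vcs_ref="${CI_COMMIT_SHORT_SHA}"
      --build-arg version="${version}"
      --destination "$CI_REGISTRY_IMAGE/$project_name:$version"
      --destination "$harbor_registry/$harbor_repo/$project_name:$version"
  rules:
    # prevent job creation on release commits to $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE =~ /^chore\(release\):/
      when: never
    # NOTE(review): merge-request pipelines also push to both registries.
    # Confirm HARBOR_ROBOT_TOKEN64 is a masked CI/CD variable and that the
    # robot account is limited to pushing this repository.
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

# Generates a CycloneDX SBOM for the Node.js application on tag pipelines and
# uploads it to the dependency-tracking server.
generate app sbom:
  stage: deploy
  image: docker.io/node:18.12
  before_script:
    - npm ci --ignore-scripts
    - npm run build
  script:
    # NOTE(review): the upload token is passed as a command-line argument, so
    # it is visible in the process list inside the job container and in the
    # log if shell tracing is enabled. Keep DEPS_UPLOAD_TOKEN masked. If
    # cdxgen is not a locked devDependency, npx resolves it from the registry
    # at run time; verify against package.json.
    - >-
      npx cdxgen
      --type nodejs
      --required-only
      --server-url https://deps.sub.uni-goettingen.de
      --api-key "${DEPS_UPLOAD_TOKEN}"
      --project-name "${project_name}"
      --project-version "${CI_COMMIT_TAG}"
  rules:
    - if: $CI_COMMIT_TAG

# Generates a CycloneDX SBOM for the pushed container image on tag pipelines
# and uploads it to the dependency-tracking server.
generate container sbom:
  stage: deploy
  image: docker.io/alpine:3.16
  before_script:
    - apk add --no-cache curl
    # NOTE(review): this executes an installer fetched from the `main` branch
    # at run time, in a job whose environment contains DEPS_UPLOAD_TOKEN.
    # Fetch the script from a reviewed release tag, pass that tag as the
    # final installer argument (<SYFT_VERSION_PLACEHOLDER>), and verify a
    # checksum, or use a pinned syft image instead.
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
  script:
    # The image is referenced by tag, which is mutable; scanning by the
    # digest produced by the build job would bind the SBOM to the exact image.
    - syft --output cyclonedx-json --file bom.json "$CI_REGISTRY_IMAGE/${project_name}:${CI_COMMIT_TAG}"
    # --fail makes an HTTP error from the server (for example a rejected
    # token) fail the job instead of silently skipping the upload.
    - >-
      curl --fail --show-error -X POST "https://deps.sub.uni-goettingen.de/api/v1/bom"
      --header "accept: application/json"
      --header "X-Api-Key: ${DEPS_UPLOAD_TOKEN}"
      --header "Content-Type: multipart/form-data"
      --form "autoCreate=true"
      --form "projectName=${project_name}-container"
      --form "projectVersion=${CI_COMMIT_TAG}"
      --form "bom=@bom.json"
  rules:
    - if: $CI_COMMIT_TAG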