diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b1e71ff9cb..b8ce04ab64 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -31,7 +31,8 @@ variables:
 AST_ENABLE_MR_PIPELINES: 'true'
 
 .common: &common
- # Only run in MR pipelines *or* push to develop/stable
+ # "only" has been removed, so we use rules.
+ # This runs in MR pipelines *or* push to develop/stable
 rules:
 - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
 - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
@@ -212,29 +213,17 @@ merge_image_manifests:
 --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
 
 .sast_common: &sast_common
+ <<: *common
 stage: test
 # SAST tools only support x64
 tags:
 - amd64
- # Only run in MR pipelines *or* push to develop/stable.
- # This is the same as in common, but inverted to always include "when: never".
- rules:
- - if: $CI_PIPELINE_SOURCE != 'merge_request_event' && $CI_PIPELINE_SOURCE != 'push'
- when: never
- - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable'
- when: never
 
 # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
 # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
 container_scanning:
 <<: *sast_common
- # Only run when pushing to stable, develop, or tags.
- # This is the same as in deploy, but inverted to always include "when: never".
- rules:
- - if: $CI_PIPELINE_SOURCE != 'push'
- when: never
- - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable'
- when: never
+ <<: *deploy_common
 variables:
 AST_ENABLE_MR_PIPELINES: 'false'
 CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
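Review bot: `container_scanning` now carries two `<<:` keys in the same mapping (`<<: *sast_common` followed by `<<: *deploy_common`), which is a duplicate key: whether both anchors are merged, and which one wins when both `.sast_common` (now carrying `rules` from `.common`) and `.deploy_common` define `rules` or `stage`, is loader-dependent and will be flagged by yamllint's key-duplicates check. The removed inverted `when: never` rules made the gating of this scan explicit in the job itself; after the change the effective rules are whatever the loader keeps, so the precedence should be spelled out with the spec-defined sequence form, where earlier entries win: `# deploy_common is listed first so its push-to-stable/develop/tags rules take precedence over the MR rules inherited via sast_common` followed by `<<: [*deploy_common, *sast_common]`. `.deploy_common` is defined outside this hunk, so confirm it does not also set `stage` or `tags` that `container_scanning` is meant to keep from `.sast_common`; the retained doc link about the `test` stage suggests `stage: test` is still intended.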
@@ -242,11 +231,11 @@ container_scanning:
 - job: merge_image_manifests
 artifacts: true
 
-dependency_scanning:
+dependency-scanning:
 <<: *sast_common
 
-sast:
- <<: *sast_common
+#sast:
+# <<: *sast_common
 
 gitlab-advanced-sast:
 <<: *sast_common
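Review bot: Commenting out the `sast:` override (`#sast:` / `#  <<: *sast_common`) leaves dead configuration and, if the included SAST template still defines a `sast` job, that job now runs with the template's own rules and without the `amd64` tag restriction from `.sast_common`; if the job has been superseded by `gitlab-advanced-sast`, delete the two lines and record that on the surviving job, e.g. `# replaces the template's sast job; only gitlab-advanced-sast is configured here`. The rename `dependency_scanning` → `dependency-scanning` only takes effect if it matches the job name in the included template exactly, since a mismatch silently defines a second, unconfigured job instead of overriding the template's, so a comment naming the template this tracks would help. The template `include:` lines are outside this hunk, so neither can be confirmed from here.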