From 4dfd21de8bda1d9fe76c9a4bfc3adadfa94ec105 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Fri, 26 Sep 2025 22:46:33 -0400
Subject: [PATCH] promote SAST variables to top-level

---
 .gitlab-ci.yml | 35 ++++++++++++++++++-----------------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b5ad078991..b1b49db45f 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -12,6 +12,24 @@ include:
   # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
   - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
 
+variables:
+  # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
+  GITLAB_ADVANCED_SAST_ENABLED: 'true'
+
+  # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
+  # https://stackoverflow.com/a/71111784
+  SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
+  DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
+
+  # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
+  DS_ENFORCE_NEW_ANALYZER: 'true'
+  DS_MAX_DEPTH: -1
+  # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
+  DS_STATIC_REACHABILITY_ENABLED: true
+
+  # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
+  AST_ENABLE_MR_PIPELINES: 'true'
+
 .common: &common
   # "only" has been removed, so we use rules.
   # This runs in MR pipelines *or* push to develop/stable
@@ -201,23 +219,6 @@ merge_image_manifests:
   # SAST tools only support x64
   tags:
     - amd64
-  variables:
-    # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
-    GITLAB_ADVANCED_SAST_ENABLED: 'true'
-
-    # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
-    # https://stackoverflow.com/a/71111784
-    SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
-    DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
-
-    # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
-    DS_ENFORCE_NEW_ANALYZER: 'true'
-    DS_MAX_DEPTH: -1
-    # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
-    DS_STATIC_REACHABILITY_ENABLED: true
-
-    # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
-    AST_ENABLE_MR_PIPELINES: 'true'
 
 # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
 # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist