From 8c84c5b3f7de54174c45781dbdfdcd286e8592ce Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 08:50:19 -0400 Subject: [PATCH 01/68] enable gitlab SAST scanning --- .gitlab-ci.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 201fceccc1..995d209170 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,3 +1,22 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - template: Jobs/SAST.latest.gitlab-ci.yml + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + +variables: + # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast + GITLAB_ADVANCED_SAST_ENABLED: 'true' + + # https://stackoverflow.com/a/71111784 + SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + + # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ + DS_ENFORCE_NEW_ANALYZER: 'true' + + # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines + AST_ENABLE_MR_PIPELINES: 'true' + stages: - test - deploy From 726f0881f0df649530ed2f14d787e34c9aa9f413 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 09:05:32 -0400 Subject: [PATCH 02/68] increase dependency scanning depth --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 995d209170..03dda4c821 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
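Review bot: The four `include: template:` entries pin the `.latest` variants (`Jobs/SAST.latest.gitlab-ci.yml` and siblings), which GitLab documents as the unstable channel whose job definitions can change without any commit to this repository. For a security gate that other jobs may come to depend on, the stable `Jobs/SAST.gitlab-ci.yml` form (likewise for Dependency-Scanning and Secret-Detection) gives reproducible pipelines; if `.latest` is chosen deliberately to get a newer analyzer, a one-line comment saying so would help the next maintainer. Note also that `SAST_EXCLUDED_PATHS` applies to SAST only — Secret Detection reads its own `SECRET_DETECTION_EXCLUDED_PATHS` — so secrets under the listed test and tmp directories are still reported; that is the safer default and worth stating in the comment above the variable.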
@@ -13,6 +13,7 @@ variables: # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ DS_ENFORCE_NEW_ANALYZER: 'true' + DS_MAX_DEPTH: 8 # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines AST_ENABLE_MR_PIPELINES: 'true' From b7ed110eca1aee99e8d31ea439eb1e6db39ff4aa Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 09:12:43 -0400 Subject: [PATCH 03/68] enable dependency reachability analysis --- .gitlab-ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 03dda4c821..7a20a5fe6f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,6 +14,8 @@ variables: # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ DS_ENFORCE_NEW_ANALYZER: 'true' DS_MAX_DEPTH: 8 + # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ + DS_STATIC_REACHABILITY_ENABLED: true # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines AST_ENABLE_MR_PIPELINES: 'true' From b9ec20b736467f78257b885d78d46341a01993ff Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 09:18:44 -0400 Subject: [PATCH 04/68] add docs link for SAS_EXCLUDED_PATHS --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7a20a5fe6f..29b78d1537 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
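Review bot: `DS_STATIC_REACHABILITY_ENABLED: true` is the only unquoted boolean in the `variables:` block; every neighbour (`DS_ENFORCE_NEW_ANALYZER: 'true'`, `AST_ENABLE_MR_PIPELINES: 'true'`) is a quoted string. CI variables are strings either way, but the mixed style trips yamllint's `truthy` rule and makes a reader wonder whether the analyzer treats the two forms differently; `DS_STATIC_REACHABILITY_ENABLED: 'true'` keeps the block uniform. The `DS_MAX_DEPTH: 8` added in the preceding hunk is the other plain scalar in the block and could be quoted for the same reason.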
@@ -8,6 +8,7 @@ variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast GITLAB_ADVANCED_SAST_ENABLED: 'true' + # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters # https://stackoverflow.com/a/71111784 SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' From f9ba21f73134afc4355a5c6964fca1e628682fc0 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 09:35:51 -0400 Subject: [PATCH 05/68] add container scanning --- .gitlab-ci.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 29b78d1537..c19ada35ac 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,6 +1,7 @@ # https://docs.gitlab.com/user/application_security/sast/ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml @@ -21,6 +22,14 @@ variables: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines AST_ENABLE_MR_PIPELINES: 'true' +# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job +# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist +container_scanning: + variables: + CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} + AST_ENABLE_MR_PIPELINES: 'false' + stage: deploy + stages: - test - deploy From 0d5fb8931e501a38c16fab82df81934669b12a32 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 09:42:22 -0400 Subject: [PATCH 06/68] add dependency behavior scanning --- .gitlab-ci.yml | 4 ++++ 1 file changed, 4 insertions(+) 
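Review bot: `CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}` in the new `container_scanning` job names the image by a mutable tag, so the scan report is attributable only to whatever that tag pointed at when the job happened to run, not necessarily to the image this pipeline pushed. `REGISTRY_PUSH_TAG` and the job that pushes the image are outside this hunk; if that job can expose the pushed digest (for example through a dotenv artifact), a reference of the form `CS_IMAGE: ${CI_REGISTRY_IMAGE}@${IMAGE_DIGEST}` (`IMAGE_DIGEST` is a placeholder name) ties the report to an immutable artifact. Also, `stage: deploy` alone does not order the scan after a push job in the same stage; a `needs:` entry on the pushing job is what guarantees the image exists before the scan starts.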
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c19ada35ac..b551850e8a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,6 +4,10 @@ include: - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + - component: $CI_SERVER_FQDN/security-products/experiments/libbehave/libbehave@v0.1.0 + inputs: + stage: test variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast From a727f79ea4f50d9bd0ed0ecc75a48ec342823dd0 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:17:37 -0400 Subject: [PATCH 07/68] use mirrored libbehave --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b551850e8a..2005715936 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -5,7 +5,7 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/security-products/experiments/libbehave/libbehave@v0.1.0 + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 inputs: stage: test From cde3c3eda6c01055062be4274e165290cfff8e7f Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:25:07 -0400 Subject: [PATCH 08/68] only run libbehave on PRs --- .gitlab-ci.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2005715936..2091f2df69 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
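Review bot: The `component:` include is pinned with the tag `@v0.1.0`, which is mutable — anyone who can move that tag in the component project changes the job that runs in this pipeline with this project's checkout and CI variables. GitLab `include:component` also accepts a commit SHA as the version; pinning `libbehave@<commit-sha>` (placeholder) with the tag recorded in a comment makes the reference immutable. The following hunk, which moves the reference to `$CI_SERVER_FQDN/TransFem-org/libbehave/...` under the project's own namespace, narrows who controls that tag and is the right direction, but a SHA pin still closes the remaining gap.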
@@ -5,9 +5,14 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 + # https://stackoverflow.com/a/70360201 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 inputs: stage: test + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast From cde21646f6334146459cfe4445d2246467679149 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:31:20 -0400 Subject: [PATCH 09/68] skip container scanning on MRs --- .gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2091f2df69..14aa1636e0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -2,6 +2,8 @@ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ @@ -36,7 +38,6 @@ variables: container_scanning: variables: CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} - AST_ENABLE_MR_PIPELINES: 'false' stage: deploy stages: From 46404154ee246064d70030d13422120b6272a97a Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:31:29 -0400 Subject: [PATCH 10/68] remove redundant stage specifier --- .gitlab-ci.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 14aa1636e0..7f26e2f871 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -10,8 +10,6 @@ include: # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 # https://stackoverflow.com/a/70360201 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 - inputs: - stage: test rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' From 804223757494376353f90471e8a9730f2f6fd6d8 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:32:07 -0400 Subject: [PATCH 11/68] =?UTF-8?q?fix=20inverted=20condition=20=F0=9F=A4=A6?= =?UTF-8?q?=E2=80=8D=E2=99=80=EF=B8=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7f26e2f871..3f4f00356c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,7 +3,7 @@ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - template: Jobs/Container-Scanning.latest.gitlab-ci.yml rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE != 'merge_request_event' - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ From c9dcb405c89e848c95e3c1831bf924e76150a543 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:46:24 -0400 Subject: [PATCH 12/68] fix broken pipeline generation --- .gitlab-ci.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3f4f00356c..4b921c55be 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -2,8 +2,6 @@ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - rules: - - if: $CI_PIPELINE_SOURCE != 'merge_request_event' - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ @@ -11,7 +9,7 @@ include: # https://stackoverflow.com/a/70360201 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' variables: @@ -35,6 +33,7 @@ variables: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: variables: + AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} stage: deploy From 3d5b0c1847c2812e3e65df664ac6bd2d4b55c6c1 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 10:54:49 -0400 Subject: [PATCH 13/68] move CI configuration to the end, maybe fix generation errors? --- .gitlab-ci.yml | 77 +++++++++++++++++++++++++------------------------- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4b921c55be..6dc4e33023 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -1,42 +1,3 @@ -# https://docs.gitlab.com/user/application_security/sast/ -include: - - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - - template: Jobs/SAST.latest.gitlab-ci.yml - - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 - # https://stackoverflow.com/a/70360201 - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - - -variables: - # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast - GITLAB_ADVANCED_SAST_ENABLED: 'true' - - # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters - # https://stackoverflow.com/a/71111784 - SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' - - # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ - DS_ENFORCE_NEW_ANALYZER: 'true' - DS_MAX_DEPTH: 8 - # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ - DS_STATIC_REACHABILITY_ENABLED: true - - # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines - AST_ENABLE_MR_PIPELINES: 'true' - -# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job -# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist -container_scanning: - variables: - AST_ENABLE_MR_PIPELINES: 'false' - CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} 
- stage: deploy - stages: - test - deploy 
@@ -176,3 +137,41 @@ merge_image_manifests: - stable - develop - tags + +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + - template: Jobs/SAST.latest.gitlab-ci.yml + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 + # https://stackoverflow.com/a/70360201 + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + +variables: + # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast + GITLAB_ADVANCED_SAST_ENABLED: 'true' + + # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters + # https://stackoverflow.com/a/71111784 + SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + + # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ + DS_ENFORCE_NEW_ANALYZER: 'true' + DS_MAX_DEPTH: 8 + # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ + DS_STATIC_REACHABILITY_ENABLED: true + + # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines + AST_ENABLE_MR_PIPELINES: 'true' + +# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job +# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist +container_scanning: + variables: + AST_ENABLE_MR_PIPELINES: 'false' + 
CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} + stage: deploy \ No newline at end of file From 877ce7caab8d61778c0e51cc9b16cb96cef24520 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:13:05 -0400 Subject: [PATCH 14/68] more pipeline scheduling fixes --- .gitlab-ci.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6dc4e33023..7dc3bb3d3a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -145,11 +145,7 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 - # https://stackoverflow.com/a/70360201 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast @@ -158,6 +154,7 @@ variables: # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters # https://stackoverflow.com/a/71111784 SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ DS_ENFORCE_NEW_ANALYZER: 'true' 
@@ -174,4 +171,15 @@ container_scanning: variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} - stage: deploy \ No newline at end of file + stage: deploy + dependencies: + - merge_image_manifests + rules: + - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') + when: never + +libbehave-experiment: + # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 + # https://stackoverflow.com/a/70360201 + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' \ No newline at end of file From e352c364eff8d1b92998873dbb9b18369e445fcc Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:16:39 -0400 Subject: [PATCH 15/68] fix warnings from dependency scanner --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7dc3bb3d3a..999cf7fcd0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
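Review bot: The new `rules:` on `container_scanning` consists solely of an `if: … when: never` entry with no trailing positive rule, and a GitLab job whose rules match nothing is dropped from the pipeline, so as written the scan appears to run never rather than only on pushes to `develop`, `stable` or a tag; appending `- when: on_success` as a final rule restores the intended default. The condition also looks inverted for tags: on a tag pipeline `$CI_COMMIT_BRANCH` is unset, both branch comparisons hold, and `$CI_COMMIT_TAG != ''` is true, so `when: never` fires on exactly the tag builds it seems meant to allow — `$CI_COMMIT_TAG == null` is closer to the intent, though I have not run it. Separately, `dependencies: - merge_image_manifests` only controls artifact download and does not sequence the two jobs; `needs: [merge_image_manifests]` is what ensures the image has been pushed before it is scanned.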
@@ -154,11 +154,11 @@ variables: # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters # https://stackoverflow.com/a/71111784 SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' - DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ DS_ENFORCE_NEW_ANALYZER: 'true' - DS_MAX_DEPTH: 8 + DS_MAX_DEPTH: -1 # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ DS_STATIC_REACHABILITY_ENABLED: true @@ -182,4 +182,4 @@ libbehave-experiment: # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 # https://stackoverflow.com/a/70360201 rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' \ No newline at end of file + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' From d6a76a9fe6803734260f9cfbcc1c252e8ceb6bfe Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:28:24 -0400 Subject: [PATCH 16/68] add separate build step --- .gitlab-ci.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 999cf7fcd0..b88f2ea655 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,9 +1,10 @@ stages: + - build - test - deploy -.test_common: &test_common - stage: test +.build_common: &build_common + stage: build image: docker.io/node:22 variables: POSTGRES_PASSWORD: ci 
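Review bot: Appending `packages/*/src` to `DS_EXCLUDED_PATHS` with the comment `save time: skip source directories` may undercut `DS_STATIC_REACHABILITY_ENABLED: true` two lines below, since the reachability pass has to read application source to decide whether a vulnerable dependency is actually called; if it honours the same exclusion list, findings would likely fall back to an unknown reachability status. Worth checking against the docs page already linked above that variable and, if confirmed, either dropping `packages/*/src` from the list or recording in the comment that reachability is knowingly traded for speed. The `DS_MAX_DEPTH: -1` change has no comment; a short `# -1: no limit on lockfile search depth` would make the sentinel readable without a docs lookup.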
@@ -18,7 +19,7 @@ stages: - git submodule update --init - pnpm install --frozen-lockfile cache: - key: test + key: build policy: pull-push when: on_success paths: @@ -29,6 +30,17 @@ stages: - merge_requests - stable +build: + <<: *build_common + script: + - pnpm run build + +.test_common: &test_common + <<: *build_common + stage: test + cache: + key: test + lint: <<: *test_common script: @@ -150,6 +162,7 @@ include: variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast GITLAB_ADVANCED_SAST_ENABLED: 'true' + SEARCH_MAX_DEPTH: 32 # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters # https://stackoverflow.com/a/71111784 From 9afa7b9196d124efbfe1fccdede71d72f0924ff4 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:37:07 -0400 Subject: [PATCH 17/68] enforce SAST runner arch --- .gitlab-ci.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b88f2ea655..84cd43b24c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -178,6 +178,10 @@ variables: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines AST_ENABLE_MR_PIPELINES: 'true' +dependency_scanning: + tags: + ARCH: amd64 + # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: 
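Review bot: In the new `.test_common` anchor, `cache: key: test` replaces the whole `cache:` mapping inherited through `<<: *build_common` rather than just the key, because the YAML merge key is shallow; the test jobs therefore appear to lose the `policy`, `when` and `paths` settings defined in `.build_common`, which would leave them with a cache key but nothing to cache. Either repeat the full `cache:` block under `.test_common`, or keep one shared cache key in `.build_common` and drop the override. `.build_common` itself starts above this hunk, so only part of the merged mapping is visible here.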
@@ -190,9 +194,25 @@ container_scanning: rules: - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') when: never + tags: + ARCH: amd64 + +sast: + tags: + ARCH: amd64 + +gitlab-advanced-sast: + tags: + ARCH: amd64 + +secret_detection: + tags: + ARCH: amd64 libbehave-experiment: # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 # https://stackoverflow.com/a/70360201 rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + tags: + ARCH: amd64 From 2337c837cbae61a05759d75c1488b026a3d97879 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:38:20 -0400 Subject: [PATCH 18/68] fix syntax of tags --- .gitlab-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 84cd43b24c..8c3d2c56a1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -180,7 +180,7 @@ variables: dependency_scanning: tags: - ARCH: amd64 + - ARCH: amd64 # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist @@ -195,19 +195,19 @@ container_scanning: - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') when: never tags: - ARCH: amd64 + - ARCH: amd64 sast: tags: - ARCH: amd64 + - ARCH: amd64 gitlab-advanced-sast: tags: - ARCH: amd64 + - ARCH: amd64 secret_detection: tags: - ARCH: amd64 + - ARCH: amd64 libbehave-experiment: # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 @@ -215,4 +215,4 @@ libbehave-experiment: rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' tags: - ARCH: amd64 + - ARCH: amd64 
From e367b5e73a53bc4d3fbeade910ebb2b9e5fe4a0d Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:44:41 -0400 Subject: [PATCH 19/68] fix syntax of tags (again) --- .gitlab-ci.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8c3d2c56a1..4a525be559 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -180,7 +180,7 @@ variables: dependency_scanning: tags: - - ARCH: amd64 + - amd64 # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist @@ -195,19 +195,19 @@ container_scanning: - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') when: never tags: - - ARCH: amd64 + - amd64 sast: tags: - - ARCH: amd64 + - amd64 gitlab-advanced-sast: tags: - - ARCH: amd64 + - amd64 secret_detection: tags: - - ARCH: amd64 + - amd64 libbehave-experiment: # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 @@ -215,4 +215,4 @@ libbehave-experiment: rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' tags: - - ARCH: amd64 + - amd64 From ac9c01cf105379623e48d0a59ba11520e6ba53b5 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:45:55 -0400 Subject: [PATCH 20/68] share the node_modules cache between dev and test --- .gitlab-ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4a525be559..d23e21be7d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,7 +19,7 @@ stages: - git submodule update --init - pnpm install --frozen-lockfile cache: - key: build + key: node_modules policy: pull-push when: on_success paths: 
@@ -38,8 +38,6 @@ build: .test_common: &test_common <<: *build_common stage: test - cache: - key: test lint: <<: *test_common From d88e0c5193b21656bf7fae40cdcc3c74db16c465 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 13:33:11 -0400 Subject: [PATCH 21/68] Update to libbehave job v0.2.1 --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d23e21be7d..0801b29d1e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -155,7 +155,7 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.1.0 + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.1 variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast From 4032abc4dbf71598fbc8fb28b2d55579b09630d8 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 11:49:05 -0400 Subject: [PATCH 22/68] Revert "share the node_modules cache between dev and test" This reverts commit 4d8b9715fe5ac6c82da4798c99a4be62906350d9. --- .gitlab-ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0801b29d1e..5f89e68cff 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -19,7 +19,7 @@ stages: - git submodule update --init - pnpm install --frozen-lockfile cache: - key: node_modules + key: build policy: pull-push when: on_success paths: @@ -38,6 +38,8 @@ build: .test_common: &test_common <<: *build_common stage: test + cache: + key: test lint: <<: *test_common From f87a96da7f3145627c8edb8694d3cd3098b16c56 Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Wed, 24 Sep 2025 11:49:05 -0400 Subject: [PATCH 23/68] Revert "add separate build step" This reverts commit 92f8543a30702529c267bc9ca691b0e1a1ce2551. --- .gitlab-ci.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5f89e68cff..1182bf9301 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,10 +1,9 @@ stages: - - build - test - deploy -.build_common: &build_common - stage: build +.test_common: &test_common + stage: test image: docker.io/node:22 variables: POSTGRES_PASSWORD: ci @@ -19,7 +18,7 @@ stages: - git submodule update --init - pnpm install --frozen-lockfile cache: - key: build + key: test policy: pull-push when: on_success paths: @@ -30,17 +29,6 @@ stages: - merge_requests - stable -build: - <<: *build_common - script: - - pnpm run build - -.test_common: &test_common - <<: *build_common - stage: test - cache: - key: test - lint: <<: *test_common script: @@ -162,7 +150,6 @@ include: variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast GITLAB_ADVANCED_SAST_ENABLED: 'true' - SEARCH_MAX_DEPTH: 32 # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters # https://stackoverflow.com/a/71111784 From f5f2c10a86ae5d1030900dc2420d709c224d3509 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 14:56:14 -0400 Subject: [PATCH 24/68] update to libbehave 0.2.2 --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1182bf9301..736c3c4efe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -145,7 +145,7 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.1 + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.2 variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast From 27366418fdde77d3b634f3705bb372ecdec44b93 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Wed, 24 Sep 2025 17:53:06 -0400 Subject: [PATCH 25/68] update to libbehave 0.2.4 and simplify pipeline --- .gitlab-ci.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 736c3c4efe..302c96db5a 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -145,7 +145,7 @@ include: - template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.2 + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast @@ -197,9 +197,6 @@ secret_detection: - amd64 libbehave-experiment: - # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6 - # https://stackoverflow.com/a/70360201 - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' tags: - amd64 + From b64ec3dbc2ef634d3513c3fb8899bed85d4cdfaa Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 19:35:41 -0400 Subject: [PATCH 26/68] move security scanning to the top of CI pipeline --- .gitlab-ci.yml | 54 +++++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 27 deletions(-) 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 302c96db5a..e4160689fa 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,3 +1,30 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + - template: Jobs/SAST.latest.gitlab-ci.yml + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + +variables: + # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast + GITLAB_ADVANCED_SAST_ENABLED: 'true' + + # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters + # https://stackoverflow.com/a/71111784 + SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories + + # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ + DS_ENFORCE_NEW_ANALYZER: 'true' + DS_MAX_DEPTH: -1 + # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ + DS_STATIC_REACHABILITY_ENABLED: true + + # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines + AST_ENABLE_MR_PIPELINES: 'true' + stages: - test - deploy 
@@ -138,33 +165,6 @@ merge_image_manifests: - develop - tags -# https://docs.gitlab.com/user/application_security/sast/ -include: - - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - - template: Jobs/SAST.latest.gitlab-ci.yml - - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - -variables: - # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast - GITLAB_ADVANCED_SAST_ENABLED: 'true' - - # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters - # https://stackoverflow.com/a/71111784 - SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' - DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories - - # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ - DS_ENFORCE_NEW_ANALYZER: 'true' - DS_MAX_DEPTH: -1 - # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ - DS_STATIC_REACHABILITY_ENABLED: true - - # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines - AST_ENABLE_MR_PIPELINES: 'true' - dependency_scanning: tags: - amd64 From 92538b3b5d45675e11c329353b4c067fb10b4797 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:39:34 -0400 Subject: [PATCH 27/68] use caching in pipeline --- .gitlab-ci.yml | 177 ++++++++++++++++++++++++++++++------------------- 1 file changed, 110 insertions(+), 67 deletions(-) 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index e4160689fa..eec821b0f2 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,3 +1,8 @@ +stages: + - build + - test + - deploy + # https://docs.gitlab.com/user/application_security/sast/ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml 
@@ -7,34 +12,26 @@ include: # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 -variables: - # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast - GITLAB_ADVANCED_SAST_ENABLED: 'true' +# https://docs.gitlab.com/ci/yaml/#default +default: + only: + - develop + - merge_requests + - stable - # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters - # https://stackoverflow.com/a/71111784 - SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' - DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories - - # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ - DS_ENFORCE_NEW_ANALYZER: 'true' - DS_MAX_DEPTH: -1 - # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ - DS_STATIC_REACHABILITY_ENABLED: true - - # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines - AST_ENABLE_MR_PIPELINES: 'true' - -stages: - - test - - deploy - -.test_common: &test_common - stage: test - image: docker.io/node:22 +# Cache node_modules and share build artifacts for the pipeline. +# This shares the same cache definition, but it's the only place that actually *pushes* to the cache. 
+# https://docs.gitlab.com/ci/caching/ +# https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439 +# https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133 +build: &build + stage: build variables: - POSTGRES_PASSWORD: ci - COREPACK_DEFAULT_TO_LATEST: 0 + POSTGRES_PASSWORD: 'ci' + COREPACK_DEFAULT_TO_LATEST: '0' + # Arm64 is recommended for CI + tags: + - arm64 before_script: - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0 - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml' 
@@ -42,19 +39,57 @@ stages: - cp .config/ci.yml .config/test.yml - corepack enable - corepack install + - pnpm config set store-dir .pnpm-store - git submodule update --init - - pnpm install --frozen-lockfile + script: + - pnpm run build cache: - key: test - policy: pull-push - when: on_success - paths: - - node_modules/ - - packages/*/node_modules/ - only: - - develop - - merge_requests - - stable + - &cache-pnpm + key: + files: + - pnpm-lock.yaml + paths: + - .pnpm-store/ + - node_modules/ + - packages/backend/node_modules/ + - packages/frontend/node_modules/ + - packages/frontend-embed/node_modules/ + - packages/frontend-shared/node_modules/ + - packages/megalodon/node_modules/ + - packages/misskey-bubble-game/node_modules/ + - packages/misskey-js/node_modules/ + - packages/misskey-js/generator/node_modules/ + - packages/misskey-reversi/node_modules/ + - packages/sw/node_modules/ + # Not sure if this really works + - '**/node_modules/' + policy: push-pull + when: on_success + - &cache-build + key: "$CI_COMMIT_REF_SLUG" + paths: + - built/ + - packages/backend/built/ + - packages/backend/test_federation/built/ + - packages/megalodon/lib/ + - packages/misskey-bubble-game/built/ + - packages/misskey-js/built/ + - packages/misskey-reversi/built/ + policy: push-pull + when: on_success + image: docker.io/node:22 + +.test_common: &test_common: + <<: *build + stage: test + script: [] + cache: + - + <<: *cache-pnpm + policy: pull + - + <<: *cache-build + policy: pull lint: <<: *test_common @@ -88,8 +123,11 @@ frontend_tests: --filter=misskey-js - pnpm run test --filter=frontend --filter=misskey-js -get_image_tag: +.deploy_common: &deploy_common stage: deploy + +get_image_tag: + <<: *deploy_common image: docker.io/alpine:latest script: - apk add jq @@ -109,13 +147,9 @@ get_image_tag: artifacts: reports: dotenv: build.env - only: - - stable - - develop - - tags build_image: - stage: deploy + <<: *deploy_common needs: - job: get_image_tag artifacts: true 
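Review bot: The `&cache-pnpm` entry is keyed only on `pnpm-lock.yaml` and `build` writes to it, so a merge-request pipeline can push a `node_modules/` tree that any later pipeline with the same lockfile hash restores and then executes in its test jobs. Isolation from `develop`/`stable` therefore rests on those refs being protected, since GitLab keeps separate caches for protected and unprotected refs by default (`cache:unprotect` is false), which is an assumption worth recording next to the cache definition, e.g. `# cache is shared across refs with the same lockfile; protected refs get their own copy`. The `&cache-build` entry keyed on `$CI_COMMIT_REF_SLUG` does not have this cross-ref exposure.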
@@ -135,13 +169,9 @@ build_image: --dockerfile "${CI_PROJECT_DIR}/Dockerfile" \ --single-snapshot \ --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}" - only: - - stable - - develop - - tags merge_image_manifests: - stage: deploy + <<: *deploy_common needs: - job: build_image artifacts: false 
@@ -160,43 +190,56 @@ merge_image_manifests: --tags ${REGISTRY_PUSH_VERSION} \ --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \ --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} - only: - - stable - - develop - - tags -dependency_scanning: +.sast_common: &sast_common + stage: test + # SAST tools only support x64 tags: - amd64 + variables: + # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast + GITLAB_ADVANCED_SAST_ENABLED: 'true' + + # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters + # https://stackoverflow.com/a/71111784 + SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories + + # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ + DS_ENFORCE_NEW_ANALYZER: 'true' + DS_MAX_DEPTH: -1 + # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ + DS_STATIC_REACHABILITY_ENABLED: true + + # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines + AST_ENABLE_MR_PIPELINES: 'true' # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: + <<: *deploy_common + <<: *sast_common variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} - stage: deploy - dependencies: - - merge_image_manifests + needs: + - job: merge_image_manifests + artifacts: true rules: - if: $CI_PIPELINE_SOURCE 
!= 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') when: never - tags: - - amd64 + +dependency_scanning: + <<: *sast_common sast: - tags: - - amd64 + <<: *sast_common gitlab-advanced-sast: - tags: - - amd64 + <<: *sast_common secret_detection: - tags: - - amd64 + <<: *sast_common libbehave-experiment: - tags: - - amd64 - + <<: *sast_common From 433fbbed8052502729de6b5cc1ef3425585e13a7 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:39:45 -0400 Subject: [PATCH 28/68] regen locales --- locales/index.d.ts | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/locales/index.d.ts b/locales/index.d.ts index 9f285f08f1..98206ce664 100644 --- a/locales/index.d.ts +++ b/locales/index.d.ts @@ -12521,6 +12521,14 @@ export interface Locale extends ILocale { * Failed to load note */ "cannotLoadNote": string; + /** + * Please click [OK] to unsubscribe from announcement e-mails. + */ + "clickToUnsubscribe": string; + /** + * There was a problem unsubscribing. + */ + "unsubscribeError": string; "_flash": { /** * Flash Content Hidden From 21f9fb2809b1622be1b4b1c574cb3ac30706cfe9 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:40:16 -0400 Subject: [PATCH 29/68] regen misskey-js --- packages/misskey-js/etc/misskey-js.api.md | 8 +++ .../misskey-js/src/autogen/apiClientJSDoc.ts | 11 ++++ packages/misskey-js/src/autogen/endpoint.ts | 3 + packages/misskey-js/src/autogen/entities.ts | 2 + packages/misskey-js/src/autogen/types.ts | 66 +++++++++++++++++++ 5 files changed, 90 insertions(+) diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md index 040e9429f0..25ad5d4788 100644 --- a/packages/misskey-js/etc/misskey-js.api.md +++ b/packages/misskey-js/etc/misskey-js.api.md 
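Review bot: `container_scanning` now carries two `<<` keys in one mapping (`<<: *deploy_common` followed by `<<: *sast_common`); duplicate keys are invalid YAML and how two merges combine is parser-dependent, so `stage: test` from `.sast_common` can silently shadow `stage: deploy`. Write it as a single merge list, `<<: [*deploy_common, *sast_common]` (earlier entries win on conflict), or set `stage: deploy` explicitly on the job. The merge is also shallow: the job's own `variables:` replaces the whole `.sast_common` variables map instead of adding to it, and the scanner variables that used to be pipeline-wide now exist only on the five jobs that merge `.sast_common`, so any template job not listed here would no longer see `GITLAB_ADVANCED_SAST_ENABLED` or `AST_ENABLE_MR_PIPELINES` — worth confirming against the included templates. Finally, `DS_STATIC_REACHABILITY_ENABLED: true` is the one unquoted boolean beside `'true'` strings; write `DS_STATIC_REACHABILITY_ENABLED: 'true'` for consistency.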
@@ -347,6 +347,12 @@ type AdminResetPasswordResponse = operations['admin___reset-password']['response // @public (undocumented) type AdminResolveAbuseUserReportRequest = operations['admin___resolve-abuse-user-report']['requestBody']['content']['application/json']; +// @public (undocumented) +type AdminRolesAnnotateConditionRequest = operations['admin___roles___annotate-condition']['requestBody']['content']['application/json']; + +// @public (undocumented) +type AdminRolesAnnotateConditionResponse = operations['admin___roles___annotate-condition']['responses']['200']['content']['application/json']; + // @public (undocumented) type AdminRolesAssignRequest = operations['admin___roles___assign']['requestBody']['content']['application/json']; @@ -1622,6 +1628,8 @@ declare namespace entities { AdminResetPasswordRequest, AdminResetPasswordResponse, AdminResolveAbuseUserReportRequest, + AdminRolesAnnotateConditionRequest, + AdminRolesAnnotateConditionResponse, AdminRolesAssignRequest, AdminRolesCloneRequest, AdminRolesCloneResponse, diff --git a/packages/misskey-js/src/autogen/apiClientJSDoc.ts b/packages/misskey-js/src/autogen/apiClientJSDoc.ts index 0e061c8e06..61f2afb90c 100644 --- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts +++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts @@ -867,6 +867,17 @@ declare module '../api.js' { credential?: string | null, ): Promise>; + /** + * No description provided. + * + * **Credential required**: *Yes* / **Permission**: *read:admin:roles* + */ + request( + endpoint: E, + params: P, + credential?: string | null, + ): Promise>; + /** * No description provided. * diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts index 5bdaa58a6f..32a5013ab6 100644 --- a/packages/misskey-js/src/autogen/endpoint.ts +++ b/packages/misskey-js/src/autogen/endpoint.ts 
@@ -103,6 +103,8 @@ import type { AdminResetPasswordRequest, AdminResetPasswordResponse, AdminResolveAbuseUserReportRequest, + AdminRolesAnnotateConditionRequest, + AdminRolesAnnotateConditionResponse, AdminRolesAssignRequest, AdminRolesCloneRequest, AdminRolesCloneResponse, @@ -748,6 +750,7 @@ export type Endpoints = { 'admin/relays/remove': { req: AdminRelaysRemoveRequest; res: EmptyResponse }; 'admin/reset-password': { req: AdminResetPasswordRequest; res: AdminResetPasswordResponse }; 'admin/resolve-abuse-user-report': { req: AdminResolveAbuseUserReportRequest; res: EmptyResponse }; + 'admin/roles/annotate-condition': { req: AdminRolesAnnotateConditionRequest; res: AdminRolesAnnotateConditionResponse }; 'admin/roles/assign': { req: AdminRolesAssignRequest; res: EmptyResponse }; 'admin/roles/clone': { req: AdminRolesCloneRequest; res: AdminRolesCloneResponse }; 'admin/roles/create': { req: AdminRolesCreateRequest; res: AdminRolesCreateResponse }; diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts index 4ad9c9afbb..9254758109 100644 --- a/packages/misskey-js/src/autogen/entities.ts +++ b/packages/misskey-js/src/autogen/entities.ts 
@@ -106,6 +106,8 @@ export type AdminRelaysRemoveRequest = operations['admin___relays___remove']['re export type AdminResetPasswordRequest = operations['admin___reset-password']['requestBody']['content']['application/json']; export type AdminResetPasswordResponse = operations['admin___reset-password']['responses']['200']['content']['application/json']; export type AdminResolveAbuseUserReportRequest = operations['admin___resolve-abuse-user-report']['requestBody']['content']['application/json']; +export type AdminRolesAnnotateConditionRequest = operations['admin___roles___annotate-condition']['requestBody']['content']['application/json']; +export type AdminRolesAnnotateConditionResponse = operations['admin___roles___annotate-condition']['responses']['200']['content']['application/json']; export type AdminRolesAssignRequest = operations['admin___roles___assign']['requestBody']['content']['application/json']; export type AdminRolesCloneRequest = operations['admin___roles___clone']['requestBody']['content']['application/json']; export type AdminRolesCloneResponse = operations['admin___roles___clone']['responses']['200']['content']['application/json']; diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts index 03304eb69f..0551bdc44f 100644 --- a/packages/misskey-js/src/autogen/types.ts +++ b/packages/misskey-js/src/autogen/types.ts @@ -720,6 +720,15 @@ export type paths = { */ post: operations['admin___resolve-abuse-user-report']; }; + '/admin/roles/annotate-condition': { + /** + * admin/roles/annotate-condition + * @description No description provided. + * + * **Credential required**: *Yes* / **Permission**: *read:admin:roles* + */ + post: operations['admin___roles___annotate-condition']; + }; '/admin/roles/assign': { /** * admin/roles/assign 
@@ -10521,6 +10530,63 @@ export type operations = { }; }; }; + /** + * admin/roles/annotate-condition + * @description No description provided. + * + * **Credential required**: *Yes* / **Permission**: *read:admin:roles* + */ + 'admin___roles___annotate-condition': { + requestBody: { + content: { + 'application/json': { + /** Format: misskey:id */ + userId: string; + condFormula: Record; + }; + }; + }; + responses: { + /** @description OK (with results) */ + 200: { + content: { + 'application/json': { + [key: string]: boolean; + }; + }; + }; + /** @description Client error */ + 400: { + content: { + 'application/json': components['schemas']['Error']; + }; + }; + /** @description Authentication error */ + 401: { + content: { + 'application/json': components['schemas']['Error']; + }; + }; + /** @description Forbidden error */ + 403: { + content: { + 'application/json': components['schemas']['Error']; + }; + }; + /** @description I'm Ai */ + 418: { + content: { + 'application/json': components['schemas']['Error']; + }; + }; + /** @description Internal server error */ + 500: { + content: { + 'application/json': components['schemas']['Error']; + }; + }; + }; + }; /** * admin/roles/assign * @description No description provided. From ee55c73d797cc96ec7b4ac80166da4de9d7f061e Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:41:11 -0400 Subject: [PATCH 30/68] fix syntax error --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index eec821b0f2..29dcf764b8 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -79,7 +79,7 @@ build: &build when: on_success image: docker.io/node:22 -.test_common: &test_common: +.test_common: &test_common <<: *build stage: test script: [] From 94ed5ad7d04bae6fb809f5cef0b91082476fd9ed Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Fri, 26 Sep 2025 20:54:29 -0400 Subject: [PATCH 31/68] replace deprecated "only" tags --- .gitlab-ci.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 29dcf764b8..9eeae2f2c1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -14,10 +14,11 @@ include: # https://docs.gitlab.com/ci/yaml/#default default: - only: - - develop - - merge_requests - - stable + # "only" has been removed, so we use rules. + # This runs in MR pipelines *or* push to develop/stable + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. @@ -125,6 +126,13 @@ frontend_tests: .deploy_common: &deploy_common stage: deploy + # Only run when pushing to stable, develop, or tags + rules: + - if: $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_COMMIT_BRANCH == 'develop' + - if: $CI_COMMIT_BRANCH == 'stable' + - if: $CI_COMMIT_TAG get_image_tag: <<: *deploy_common @@ -225,9 +233,6 @@ container_scanning: needs: - job: merge_image_manifests artifacts: true - rules: - - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '') - when: never dependency_scanning: <<: *sast_common From d402212db43a0f6391310f447e80aea6283280ea Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:56:09 -0400 Subject: [PATCH 32/68] remove default since it's so limited --- .gitlab-ci.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9eeae2f2c1..d31ba4c275 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
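Review bot: The new `.deploy_common` rule `- if: $CI_COMMIT_TAG` lets any pushed tag reach `build_image` and `merge_image_manifests`, which publish to `$CI_REGISTRY_IMAGE`; unless tags are protected in the project, anyone with tag-push rights can publish an image under a release-looking name. Consider gating on the ref being protected, e.g. `- if: $CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == 'true'`, or state the protected-tag requirement in the comment above the rules. Removing `container_scanning`'s own `rules` makes it depend on the rules merged in from `.deploy_common`, which only holds while `.sast_common` defines no `rules` of its own.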
@@ -12,14 +12,6 @@ include: # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 -# https://docs.gitlab.com/ci/yaml/#default -default: - # "only" has been removed, so we use rules. - # This runs in MR pipelines *or* push to develop/stable - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') - # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # https://docs.gitlab.com/ci/caching/ @@ -27,6 +19,7 @@ default: # https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133 build: &build stage: build + image: docker.io/node:22 variables: POSTGRES_PASSWORD: 'ci' COREPACK_DEFAULT_TO_LATEST: '0' @@ -78,7 +71,11 @@ build: &build - packages/misskey-reversi/built/ policy: push-pull when: on_success - image: docker.io/node:22 + # "only" has been removed, so we use rules. + # This runs in MR pipelines *or* push to develop/stable + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') .test_common: &test_common <<: *build From 8364c187b69216bc72aa66b2d2096c1ff647a95c Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:57:05 -0400 Subject: [PATCH 33/68] fix container_scanning tying to run in test stage --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d31ba4c275..5ef9fc6829 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -224,6 +224,7 @@ merge_image_manifests: container_scanning: <<: *deploy_common <<: *sast_common + stage: deploy variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} 
From aff0097a8443ae309c7814621ff4687ff4455484 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 20:59:25 -0400 Subject: [PATCH 34/68] push-pull -> pull-push --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5ef9fc6829..7b04e2301e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -57,7 +57,7 @@ build: &build - packages/sw/node_modules/ # Not sure if this really works - '**/node_modules/' - policy: push-pull + policy: pull-push when: on_success - &cache-build key: "$CI_COMMIT_REF_SLUG" @@ -69,7 +69,7 @@ build: &build - packages/misskey-bubble-game/built/ - packages/misskey-js/built/ - packages/misskey-reversi/built/ - policy: push-pull + policy: pull-push when: on_success # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable From 4a898569760c0628336a034b98d85bb96b9eb804 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:02:31 -0400 Subject: [PATCH 35/68] restore missing pnpm install step --- .gitlab-ci.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b04e2301e..2eb9463545 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -33,8 +33,9 @@ build: &build - cp .config/ci.yml .config/test.yml - corepack enable - corepack install - - pnpm config set store-dir .pnpm-store - git submodule update --init + - pnpm config set store-dir .pnpm-store + - pnpm install --frozen-lockfile script: - pnpm run build cache: From c1ed7c7424f1f132eb73553d6c76a349c0482a96 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:13:48 -0400 Subject: [PATCH 36/68] use if-not-present policy to cache docker images --- .gitlab-ci.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2eb9463545..61e4f6f23b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -19,7 +19,9 @@ include: # https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133 build: &build stage: build - image: docker.io/node:22 + image: + name: docker.io/node:22 + pull_policy: if-not-present variables: POSTGRES_PASSWORD: 'ci' COREPACK_DEFAULT_TO_LATEST: '0' @@ -134,7 +136,9 @@ frontend_tests: get_image_tag: <<: *deploy_common - image: docker.io/alpine:latest + image: + name: docker.io/alpine:latest + pull_policy: if-not-present script: - apk add jq - | @@ -167,6 +171,7 @@ build_image: - ${ARCH} image: name: gcr.io/kaniko-project/executor:debug + pull_policy: if-not-present entrypoint: [""] script: - >- @@ -185,6 +190,7 @@ merge_image_manifests: artifacts: true image: name: mplatform/manifest-tool:alpine + pull_policy: if-not-present entrypoint: [""] script: - >- From ca56f95db46c5af4e385e4c883000e5728e33c04 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:14:09 -0400 Subject: [PATCH 37/68] fix rule filters for SAST tests --- .gitlab-ci.yml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 61e4f6f23b..5eb7ee5e6c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
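Review bot: `pull_policy: if-not-present` is paired with mutable tags throughout this hunk (`docker.io/node:22`, `docker.io/alpine:latest`, `gcr.io/kaniko-project/executor:debug`, `mplatform/manifest-tool:alpine`), so once a runner holds any image by that name it never pulls again: upstream security fixes are silently skipped, runners drift to different images, and on a shared runner whatever image another job left under that name is reused. If the aim is to avoid repeated pulls, pin by digest so the cached image is provably the intended one, e.g. `name: docker.io/node:22@sha256:<digest>` (placeholder), and keep the default `always` for `:latest`/`:debug`-style tags. The same applies to the `postgres:15` and `redis` service entries added to `backend_tests` in the later "use cache for service images" hunk. Note also that a job-level `pull_policy` only takes effect when the runner's `allowed_pull_policies` permits it; otherwise the job fails to start.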
@@ -12,12 +12,20 @@ include: # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 +.common: &common + # "only" has been removed, so we use rules. + # This runs in MR pipelines *or* push to develop/stable + rules: + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') + # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # https://docs.gitlab.com/ci/caching/ # https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439 # https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133 build: &build + <<: *common stage: build image: name: docker.io/node:22 @@ -74,13 +82,9 @@ build: &build - packages/misskey-reversi/built/ policy: pull-push when: on_success - # "only" has been removed, so we use rules. - # This runs in MR pipelines *or* push to develop/stable - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') .test_common: &test_common + <<: *common <<: *build stage: test script: [] @@ -204,6 +208,7 @@ merge_image_manifests: --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} .sast_common: &sast_common + <<: *common stage: test # SAST tools only support x64 tags: From ad3b1ec8ac0e5a5cbdb09e71b75a5e04230a637b Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:20:42 -0400 Subject: [PATCH 38/68] make sure container_scanning only runs when deploy phase is actually happening --- .gitlab-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5eb7ee5e6c..8b978c423b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -234,9 +234,8 @@ merge_image_manifests: # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: - <<: *deploy_common <<: *sast_common - stage: deploy + <<: *deploy_common variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} From 9a3734369a2bdad9d3177ecd292ca987175328f5 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:26:59 -0400 Subject: [PATCH 39/68] fix cache including too much --- .gitlab-ci.yml | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8b978c423b..5744468a33 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -52,34 +52,21 @@ build: &build - &cache-pnpm key: files: - - pnpm-lock.yaml + - 'pnpm-lock.yaml' paths: - - .pnpm-store/ - - node_modules/ - - packages/backend/node_modules/ - - packages/frontend/node_modules/ - - packages/frontend-embed/node_modules/ - - packages/frontend-shared/node_modules/ - - packages/megalodon/node_modules/ - - packages/misskey-bubble-game/node_modules/ - - packages/misskey-js/node_modules/ - - packages/misskey-js/generator/node_modules/ - - packages/misskey-reversi/node_modules/ - - packages/sw/node_modules/ - # Not sure if this really works - - '**/node_modules/' + - '.pnpm-store/' + - 'node_modules/' + - 'packages/*/node_modules/' + - 'packages/misskey-js/generator/node_modules/' policy: pull-push when: on_success - &cache-build key: "$CI_COMMIT_REF_SLUG" paths: - - built/ - - packages/backend/built/ - - packages/backend/test_federation/built/ - - packages/megalodon/lib/ - - packages/misskey-bubble-game/built/ - - packages/misskey-js/built/ - - packages/misskey-reversi/built/ + - 'built/' + - '/packages/*/built/' + - 'packages/backend/test_federation/built/' + - 'packages/megalodon/lib/' policy: pull-push when: on_success From ad12c8541a699ce250f13e3d378788c975b0ca35 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 21:32:56 -0400 Subject: [PATCH 40/68] fix unmatched paths in cache --- .gitlab-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 5744468a33..4d7ffa4288 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -64,8 +64,7 @@ build: &build key: "$CI_COMMIT_REF_SLUG" paths: - 'built/' - - '/packages/*/built/' - - 'packages/backend/test_federation/built/' + - 'packages/*/built/' - 'packages/megalodon/lib/' policy: pull-push when: on_success From e69d2da1614b06416ac81d8ad71b3d004c142c65 Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Fri, 26 Sep 2025 22:22:45 -0400 Subject: [PATCH 41/68] fix SAST broken due to unsupported rules --- .gitlab-ci.yml | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 4d7ffa4288..6b2665189d 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,15 +3,6 @@ stages: - test - deploy -# https://docs.gitlab.com/user/application_security/sast/ -include: - - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - - template: Jobs/SAST.latest.gitlab-ci.yml - - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - .common: &common # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable @@ -19,6 +10,21 @@ include: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') +# https://docs.gitlab.com/user/application_security/sast/ +# We have to define the rules here because the imported template can't be filtered properly. +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + <<: *common + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + <<: *common + - template: Jobs/SAST.latest.gitlab-ci.yml + <<: *common + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + <<: *common + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + <<: *common + # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # https://docs.gitlab.com/ci/caching/ 
@@ -193,8 +199,9 @@ merge_image_manifests: --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \ --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} +# Note: do not extend any other configs here! +# Doing so may break the SAST templates. .sast_common: &sast_common - <<: *common stage: test # SAST tools only support x64 tags: From 6c57746b6dcc1eb1574b58b92f13bc7c8a47b2c9 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:30:48 -0400 Subject: [PATCH 42/68] use cache for service images --- .gitlab-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6b2665189d..0fdee9f2a0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -97,8 +97,10 @@ lint: backend_tests: <<: *test_common services: - - postgres:15 - - redis + - name: postgres:15 + pull_policy: if-not-present + - name: redis + pull_policy: if-not-present script: - >- pnpm run build \ From abc55ef13aa320f658d083b936d88ec106d7f413 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:34:29 -0400 Subject: [PATCH 43/68] fix rule binding for SAST templates --- .gitlab-ci.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0fdee9f2a0..7004472906 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -6,24 +6,34 @@ stages: .common: &common # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable - rules: + rules: &common-rules - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') +.deploy_common: &deploy_common + stage: deploy + # Only run when pushing to stable, develop, or tags + rules: &deploy-rules + - if: $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_COMMIT_BRANCH == 'develop' + - if: $CI_COMMIT_BRANCH == 'stable' + - if: $CI_COMMIT_TAG + # https://docs.gitlab.com/user/application_security/sast/ # We have to define the rules here because the imported template can't be filtered properly. include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - <<: *common + rules: *common-rules - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - <<: *common + rules: *deploy-rules - template: Jobs/SAST.latest.gitlab-ci.yml - <<: *common + rules: *common-rules - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - <<: *common + rules: *common-rules # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - <<: *common + rules: *common-rules # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. @@ -122,16 +132,6 @@ frontend_tests: --filter=misskey-js - pnpm run test --filter=frontend --filter=misskey-js -.deploy_common: &deploy_common - stage: deploy - # Only run when pushing to stable, develop, or tags - rules: - - if: $CI_PIPELINE_SOURCE != 'push' - when: never - - if: $CI_COMMIT_BRANCH == 'develop' - - if: $CI_COMMIT_BRANCH == 'stable' - - if: $CI_COMMIT_TAG - get_image_tag: <<: *deploy_common image: 
@@ -230,7 +230,7 @@ merge_image_manifests: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: <<: *sast_common - <<: *deploy_common + stage: deploy variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} From 3dfd4bdf91cf2194fc7b2ffe0b146e50f4f24a8d Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:45:26 -0400 Subject: [PATCH 44/68] Revert "fix rule binding for SAST templates" This reverts commit abc55ef13aa320f658d083b936d88ec106d7f413. --- .gitlab-ci.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7004472906..0fdee9f2a0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -6,34 +6,24 @@ stages: .common: &common # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable - rules: &common-rules + rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') -.deploy_common: &deploy_common - stage: deploy - # Only run when pushing to stable, develop, or tags - rules: &deploy-rules - - if: $CI_PIPELINE_SOURCE != 'push' - when: never - - if: $CI_COMMIT_BRANCH == 'develop' - - if: $CI_COMMIT_BRANCH == 'stable' - - if: $CI_COMMIT_TAG - # https://docs.gitlab.com/user/application_security/sast/ # We have to define the rules here because the imported template can't be filtered properly. include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - rules: *common-rules + <<: *common - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - rules: *deploy-rules + <<: *common - template: Jobs/SAST.latest.gitlab-ci.yml - rules: *common-rules + <<: *common - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - rules: *common-rules + <<: *common # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - rules: *common-rules + <<: *common # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. @@ -132,6 +122,16 @@ frontend_tests: --filter=misskey-js - pnpm run test --filter=frontend --filter=misskey-js +.deploy_common: &deploy_common + stage: deploy + # Only run when pushing to stable, develop, or tags + rules: + - if: $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_COMMIT_BRANCH == 'develop' + - if: $CI_COMMIT_BRANCH == 'stable' + - if: $CI_COMMIT_TAG + get_image_tag: <<: *deploy_common image: 
@@ -230,7 +230,7 @@ merge_image_manifests: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: <<: *sast_common - stage: deploy + <<: *deploy_common variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} From 40b0d1a4ea07436172e7bfe064ab25f13e886257 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:45:26 -0400 Subject: [PATCH 45/68] Revert "fix SAST broken due to unsupported rules" This reverts commit e69d2da1614b06416ac81d8ad71b3d004c142c65. --- .gitlab-ci.yml | 27 ++++++++++----------------- 1 file changed, 10 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0fdee9f2a0..b5ad078991 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,6 +3,15 @@ stages: - test - deploy +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + - template: Jobs/SAST.latest.gitlab-ci.yml + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + .common: &common # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable 
@@ -10,21 +19,6 @@ stages: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') -# https://docs.gitlab.com/user/application_security/sast/ -# We have to define the rules here because the imported template can't be filtered properly. -include: - - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - <<: *common - - template: Jobs/Container-Scanning.latest.gitlab-ci.yml - <<: *common - - template: Jobs/SAST.latest.gitlab-ci.yml - <<: *common - - template: Jobs/Secret-Detection.latest.gitlab-ci.yml - <<: *common - # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - <<: *common - # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # https://docs.gitlab.com/ci/caching/ @@ -201,9 +195,8 @@ merge_image_manifests: --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \ --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} -# Note: do not extend any other configs here! -# Doing so may break the SAST templates. .sast_common: &sast_common + <<: *common stage: test # SAST tools only support x64 tags: From 4dfd21de8bda1d9fe76c9a4bfc3adadfa94ec105 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:46:33 -0400 Subject: [PATCH 46/68] promote SAST variables to top-level --- .gitlab-ci.yml | 35 ++++++++++++++++++----------------- 1 file changed, 18 insertions(+), 17 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b5ad078991..b1b49db45f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -12,6 +12,24 @@ include: # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 +variables: + # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast + GITLAB_ADVANCED_SAST_ENABLED: 'true' + + # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters + # https://stackoverflow.com/a/71111784 + SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' + DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories + + # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ + DS_ENFORCE_NEW_ANALYZER: 'true' + DS_MAX_DEPTH: -1 + # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ + DS_STATIC_REACHABILITY_ENABLED: true + + # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines + AST_ENABLE_MR_PIPELINES: 'true' + .common: &common # "only" has been removed, so we use rules. # This runs in MR pipelines *or* push to develop/stable 
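Review bot: `DS_STATIC_REACHABILITY_ENABLED: true` is an unquoted YAML boolean while every sibling in the block (`GITLAB_ADVANCED_SAST_ENABLED: 'true'`, `AST_ENABLE_MR_PIPELINES: 'true'`) is a quoted string; CI variables are strings at runtime and a strict validator can reject a non-string value, so write `DS_STATIC_REACHABILITY_ENABLED: 'true'` (and `DS_MAX_DEPTH: '-1'`) for consistency. Promoting these to the top-level `variables:` also injects them into every job, including build and deploy jobs that never run a scanner; harmless as far as the visible config goes, but a one-line comment such as `# Scanner settings; global so the included templates and MR pipelines see them.` would record why they are not scoped to the scan jobs. The hunk closes before the remainder of `.common`.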
@@ -201,23 +219,6 @@ merge_image_manifests: # SAST tools only support x64 tags: - amd64 - variables: - # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast - GITLAB_ADVANCED_SAST_ENABLED: 'true' - - # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters - # https://stackoverflow.com/a/71111784 - SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt' - DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories - - # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/ - DS_ENFORCE_NEW_ANALYZER: 'true' - DS_MAX_DEPTH: -1 - # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/ - DS_STATIC_REACHABILITY_ENABLED: true - - # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines - AST_ENABLE_MR_PIPELINES: 'true' # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist From d0a98ee5e5ff1a61a21ce8e0d712cc2346210e11 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:52:58 -0400 Subject: [PATCH 47/68] remove unused "script: []" --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b1b49db45f..abfe0f31fe 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -91,7 +91,6 @@ build: &build <<: *common <<: *build stage: test - script: [] cache: - <<: *cache-pnpm From def03d97515b0ce697a0daa24f5c62d59ba0c639 Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Fri, 26 Sep 2025 22:53:09 -0400 Subject: [PATCH 48/68] fix dependency-scanning job --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index abfe0f31fe..3bd653cc07 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -231,7 +231,7 @@ container_scanning: - job: merge_image_manifests artifacts: true -dependency_scanning: +dependency-scanning: <<: *sast_common sast: From ba1f6f3ac3dbce218e0525b88044b70e66a2335a Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 22:53:22 -0400 Subject: [PATCH 49/68] temporarily disable SAST overrides to see the normal config --- .gitlab-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3bd653cc07..b8ce04ab64 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -234,8 +234,8 @@ container_scanning: dependency-scanning: <<: *sast_common -sast: - <<: *sast_common +#sast: +# <<: *sast_common gitlab-advanced-sast: <<: *sast_common From 8a0b64a265aae0e1f2041b81c16204d59dee6332 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:03:19 -0400 Subject: [PATCH 50/68] another attempt to fix SAST rules --- .gitlab-ci.yml | 25 ++++++++++++++++++------- 1 file changed, 18 insertions(+), 7 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b8ce04ab64..b1e71ff9cb 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -31,8 +31,7 @@ variables: AST_ENABLE_MR_PIPELINES: 'true' .common: &common - # "only" has been removed, so we use rules. - # This runs in MR pipelines *or* push to develop/stable + # Only run in MR pipelines *or* push to develop/stable rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') 
@@ -213,17 +212,29 @@ merge_image_manifests: --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} .sast_common: &sast_common - <<: *common stage: test # SAST tools only support x64 tags: - amd64 + # Only run in MR pipelines *or* push to develop/stable. + # This is the same as in common, but inverted to always include "when: never". + rules: + - if: $CI_PIPELINE_SOURCE != 'merge_request_event' && $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' + when: never # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: <<: *sast_common - <<: *deploy_common + # Only run when pushing to stable, develop, or tags. + # This is the same as in deploy, but inverted to always include "when: never". + rules: + - if: $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' + when: never variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} @@ -231,11 +242,11 @@ container_scanning: - job: merge_image_manifests artifacts: true -dependency-scanning: +dependency_scanning: <<: *sast_common -#sast: -# <<: *sast_common +sast: + <<: *sast_common gitlab-advanced-sast: <<: *sast_common From 2ca73ea8a99c80fd10bd31a9e109f5fb3b479f8c Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:06:36 -0400 Subject: [PATCH 51/68] Revert "another attempt to fix SAST rules" This reverts commit 8a0b64a265aae0e1f2041b81c16204d59dee6332. --- .gitlab-ci.yml | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b1e71ff9cb..b8ce04ab64 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -31,7 +31,8 @@ variables: AST_ENABLE_MR_PIPELINES: 'true' .common: &common - # Only run in MR pipelines *or* push to develop/stable + # "only" has been removed, so we use rules. + # This runs in MR pipelines *or* push to develop/stable rules: - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') @@ -212,29 +213,17 @@ merge_image_manifests: --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} .sast_common: &sast_common + <<: *common stage: test # SAST tools only support x64 tags: - amd64 - # Only run in MR pipelines *or* push to develop/stable. - # This is the same as in common, but inverted to always include "when: never". - rules: - - if: $CI_PIPELINE_SOURCE != 'merge_request_event' && $CI_PIPELINE_SOURCE != 'push' - when: never - - if: $CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' - when: never # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: <<: *sast_common - # Only run when pushing to stable, develop, or tags. - # This is the same as in deploy, but inverted to always include "when: never". - rules: - - if: $CI_PIPELINE_SOURCE != 'push' - when: never - - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' - when: never + <<: *deploy_common variables: AST_ENABLE_MR_PIPELINES: 'false' CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} @@ -242,11 +231,11 @@ container_scanning: - job: merge_image_manifests artifacts: true -dependency_scanning: +dependency-scanning: <<: *sast_common -sast: - <<: *sast_common +#sast: +# <<: *sast_common gitlab-advanced-sast: <<: *sast_common From 17d3f4948f0ae2d6adeebd7f0837b33edf9cbce5 Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Fri, 26 Sep 2025 23:27:40 -0400 Subject: [PATCH 52/68] try conditional include again --- .gitlab-ci.yml | 52 +++++++++++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 22 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b8ce04ab64..09339effc0 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -3,14 +3,36 @@ stages: - test - deploy +.common: &common + # "only" has been removed, so we use rules. + # This runs in MR pipelines *or* push to develop/stable + rules: &common-rules + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') + +.deploy_common: &deploy_common + stage: deploy + # Only run when pushing to stable, develop, or tags + rules: &deploy-rules + - if: $CI_PIPELINE_SOURCE != 'push' + when: never + - if: $CI_COMMIT_BRANCH == 'develop' + - if: $CI_COMMIT_BRANCH == 'stable' + - if: $CI_COMMIT_TAG + # https://docs.gitlab.com/user/application_security/sast/ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + rules: *common-rules - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + rules: *deploy-rules - template: Jobs/SAST.latest.gitlab-ci.yml + rules: *common-rules - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + rules: *common-rules # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + rules: *common-rules variables: # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast 
@@ -30,13 +52,6 @@ variables: # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines AST_ENABLE_MR_PIPELINES: 'true' -.common: &common - # "only" has been removed, so we use rules. - # This runs in MR pipelines *or* push to develop/stable - rules: - - if: $CI_PIPELINE_SOURCE == 'merge_request_event' - - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') - # Cache node_modules and share build artifacts for the pipeline. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # https://docs.gitlab.com/ci/caching/ @@ -133,16 +148,6 @@ frontend_tests: --filter=misskey-js - pnpm run test --filter=frontend --filter=misskey-js -.deploy_common: &deploy_common - stage: deploy - # Only run when pushing to stable, develop, or tags - rules: - - if: $CI_PIPELINE_SOURCE != 'push' - when: never - - if: $CI_COMMIT_BRANCH == 'develop' - - if: $CI_COMMIT_BRANCH == 'stable' - - if: $CI_COMMIT_TAG - get_image_tag: <<: *deploy_common image: 
@@ -218,24 +223,27 @@ merge_image_manifests: # SAST tools only support x64 tags: - amd64 + # Don't wait for the build stage to complete, since we don't use it. + # https://docs.gitlab.com/ci/yaml/#needs + needs: [] # https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist container_scanning: <<: *sast_common - <<: *deploy_common + stage: deploy variables: AST_ENABLE_MR_PIPELINES: 'false' - CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} + CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}" needs: - job: merge_image_manifests artifacts: true -dependency-scanning: +dependency_scanning: <<: *sast_common -#sast: -# <<: *sast_common +sast: + <<: *sast_common gitlab-advanced-sast: <<: *sast_common From 3c06f86a9db3b6e46a951f53066b9e694de18b69 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:30:28 -0400 Subject: [PATCH 53/68] remove extraneous import of common --- .gitlab-ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 09339effc0..efd641e020 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -218,7 +218,6 @@ merge_image_manifests: --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} .sast_common: &sast_common - <<: *common stage: test # SAST tools only support x64 tags: From e2bc9974a90a6e3e14d8f9a382888bcc2274bbfb Mon Sep 17 00:00:00 2001 
From: Hazelnoot Date: Fri, 26 Sep 2025 23:44:50 -0400 Subject: [PATCH 54/68] another attempt to fix conditional SAST --- .gitlab-ci.yml | 47 +++----------------- .gitlab/ci_templates/container_scanning.yml | 20 +++++++++ .gitlab/ci_templates/dependency-scanning.yml | 14 ++++++ .gitlab/ci_templates/lib_behave.yml | 15 +++++++ .gitlab/ci_templates/sast.yml | 17 +++++++ .gitlab/ci_templates/secret_detection.yml | 14 ++++++ 6 files changed, 85 insertions(+), 42 deletions(-) create mode 100644 .gitlab/ci_templates/container_scanning.yml create mode 100644 .gitlab/ci_templates/dependency-scanning.yml create mode 100644 .gitlab/ci_templates/lib_behave.yml create mode 100644 .gitlab/ci_templates/sast.yml create mode 100644 .gitlab/ci_templates/secret_detection.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index efd641e020..16752c0e15 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,16 +22,15 @@ stages: # https://docs.gitlab.com/user/application_security/sast/ include: - - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + - local: '.gitlab/ci_templates/dependency_scanning.yml' rules: *common-rules - - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + - local: '.gitlab/ci_templates/container_scanning.yml' rules: *deploy-rules - - template: Jobs/SAST.latest.gitlab-ci.yml + - local: '.gitlab/ci_templates/sast.yml' rules: *common-rules - - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + - local: '.gitlab/ci_templates/secret_detection.yml' rules: *common-rules - # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ - - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + - local: '.gitlab/ci_templates/lib_behave.yml' rules: *common-rules variables: 
@@ -216,39 +215,3 @@ merge_image_manifests: --tags ${REGISTRY_PUSH_VERSION} \ --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \ --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} - -.sast_common: &sast_common - stage: test - # SAST tools only support x64 - tags: - - amd64 - # Don't wait for the build stage to complete, since we don't use it. - # https://docs.gitlab.com/ci/yaml/#needs - needs: [] - -# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job -# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist -container_scanning: - <<: *sast_common - stage: deploy - variables: - AST_ENABLE_MR_PIPELINES: 'false' - CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}" - needs: - - job: merge_image_manifests - artifacts: true - -dependency_scanning: - <<: *sast_common - -sast: - <<: *sast_common - -gitlab-advanced-sast: - <<: *sast_common - -secret_detection: - <<: *sast_common - -libbehave-experiment: - <<: *sast_common diff --git a/.gitlab/ci_templates/container_scanning.yml b/.gitlab/ci_templates/container_scanning.yml new file mode 100644 index 0000000000..19231ba4dc --- /dev/null +++ b/.gitlab/ci_templates/container_scanning.yml @@ -0,0 +1,20 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Container-Scanning.latest.gitlab-ci.yml + +# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job +# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist +container_scanning: + stage: deploy + + # SAST tools only support x64 + tags: + - amd64 + + variables: + AST_ENABLE_MR_PIPELINES: 'false' + CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}" + + needs: + - job: merge_image_manifests + artifacts: true 
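Review bot: `container_scanning` runs in `deploy` after `merge_image_manifests` and scans `CS_IMAGE: "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}"`, i.e. the tag that has already been pushed, so a finding is only reported once the vulnerable image is publicly pullable — the job gates nothing. If the intent is to block bad images, scan the per-arch image before the manifest merge (the "scanning archives built in a previous job" page linked in the header covers the archive route) and set `allow_failure: false` on the job, since the template defaults it to true and a quiet failure is easy to miss. Because the job is pinned to `amd64` runners, the scanner presumably pulls only the amd64 variant of the multi-arch manifest that `merge_image_manifests` builds, leaving the other architectures' layers unscanned; that limitation deserves a comment next to `tags:`, e.g. `# NOTE: only the amd64 variant of the manifest is scanned`.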
diff --git a/.gitlab/ci_templates/dependency-scanning.yml b/.gitlab/ci_templates/dependency-scanning.yml new file mode 100644 index 0000000000..2e3f945d23 --- /dev/null +++ b/.gitlab/ci_templates/dependency-scanning.yml @@ -0,0 +1,14 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml + +dependency_scanning: + stage: test + + # SAST tools only support x64 + tags: + - amd64 + + # Don't wait, since this has no dependencies. + # https://docs.gitlab.com/ci/yaml/#needs + needs: [] diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml new file mode 100644 index 0000000000..0ffbdccedc --- /dev/null +++ b/.gitlab/ci_templates/lib_behave.yml @@ -0,0 +1,15 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ + - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 + +libbehave-experiment: + stage: test + + # SAST tools only support x64 + tags: + - amd64 + + # Don't wait, since this has no dependencies. + # https://docs.gitlab.com/ci/yaml/#needs + needs: [] diff --git a/.gitlab/ci_templates/sast.yml b/.gitlab/ci_templates/sast.yml new file mode 100644 index 0000000000..52b27c39b2 --- /dev/null +++ b/.gitlab/ci_templates/sast.yml @@ -0,0 +1,17 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/SAST.latest.gitlab-ci.yml + +sast: &sast + stage: test + + # SAST tools only support x64 + tags: + - amd64 + + # Don't wait, since this has no dependencies. + # https://docs.gitlab.com/ci/yaml/#needs + needs: [ ] + +gitlab-advanced-sast: + <<: *sast diff --git a/.gitlab/ci_templates/secret_detection.yml b/.gitlab/ci_templates/secret_detection.yml new file mode 100644 index 0000000000..4fae1fd418 --- /dev/null +++ b/.gitlab/ci_templates/secret_detection.yml 
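Review bot: the component in `lib_behave.yml` is pinned by tag (`libbehave@v0.2.4`), and a git tag is mutable unless the component project protects it, so anyone who can retag that repository can change the CI that later runs with this project's job token and variables. Pin to a full commit SHA instead, or confirm the tag is protected upstream, and leave a comment stating which, e.g. `# pinned by SHA; bump deliberately after reviewing upstream changes`. The `# https://docs.gitlab.com/user/application_security/sast/` header is copied from the SAST file; this is a dependency-scanning component, so the first comment line is misleading.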
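Review bot: `Jobs/SAST.latest.gitlab-ci.yml` in `sast.yml` is the unstable "latest" template, which GitLab documents as subject to breaking changes between minor releases, so a routine instance upgrade can silently change which analyzers run (or break the job) on the branches this scan is meant to protect. Unless a `.latest`-only feature is genuinely required, prefer the stable `Jobs/SAST.gitlab-ci.yml` — the other template files in this commit make the same choice — or record the reason in a comment such as `# .latest needed for advanced SAST; re-check on GitLab upgrades`. The shared `&sast` anchor gives `gitlab-advanced-sast` the same `needs: []`, which is fine; `# SAST tools only support x64` should say whether that is a runner or an analyzer-image constraint so the next person knows when it can be dropped.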
@@ -0,0 +1,14 @@ +# https://docs.gitlab.com/user/application_security/sast/ +include: + - template: Jobs/Secret-Detection.latest.gitlab-ci.yml + +secret_detection: + stage: test + + # SAST tools only support x64 + tags: + - amd64 + + # Don't wait, since this has no dependencies. + # https://docs.gitlab.com/ci/yaml/#needs + needs: [ ] From 998cebadeb9fa92b96ae9a84e441a934fdd9bb2a Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:45:59 -0400 Subject: [PATCH 55/68] fix filename --- .../{dependency-scanning.yml => dependency_scanning.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .gitlab/ci_templates/{dependency-scanning.yml => dependency_scanning.yml} (100%) diff --git a/.gitlab/ci_templates/dependency-scanning.yml b/.gitlab/ci_templates/dependency_scanning.yml similarity index 100% rename from .gitlab/ci_templates/dependency-scanning.yml rename to .gitlab/ci_templates/dependency_scanning.yml From bf7ef305fe6da1fb9dd626cb84914164acd1a2d7 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:51:32 -0400 Subject: [PATCH 56/68] fix incorrect name of dependency-scanning task --- .gitlab/ci_templates/dependency_scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab/ci_templates/dependency_scanning.yml b/.gitlab/ci_templates/dependency_scanning.yml index 2e3f945d23..5f9deaab6b 100644 --- a/.gitlab/ci_templates/dependency_scanning.yml +++ b/.gitlab/ci_templates/dependency_scanning.yml @@ -2,7 +2,7 @@ include: - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml -dependency_scanning: +dependency-scanning: stage: test # SAST tools only support x64 From 339c9b9a89c2f0411064f648dbfcba4fb41283fe Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:51:59 -0400 Subject: [PATCH 57/68] fix formatting --- .gitlab/ci_templates/sast.yml | 2 +- .gitlab/ci_templates/secret_detection.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
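Review bot: with the template defaults left in place (no `SECRET_DETECTION_HISTORIC_SCAN` or `SECRET_DETECTION_LOG_OPTIONS`), a push pipeline only inspects the commits in that push and a repository-wide pass happens only on the default branch, as I read the documented behaviour, so secrets already committed before this job existed never surface. Run one pipeline with `SECRET_DETECTION_HISTORIC_SCAN: 'true'` to establish a baseline and note it in a comment such as `# Historic scan run once when this job was introduced; incremental afterwards`. The copied comment `# SAST tools only support x64` is also inaccurate for this job — secret detection is not SAST — so state why the `amd64` tag is required here.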
diff --git a/.gitlab/ci_templates/sast.yml b/.gitlab/ci_templates/sast.yml index 52b27c39b2..204df7183c 100644 --- a/.gitlab/ci_templates/sast.yml +++ b/.gitlab/ci_templates/sast.yml @@ -11,7 +11,7 @@ sast: &sast # Don't wait, since this has no dependencies. # https://docs.gitlab.com/ci/yaml/#needs - needs: [ ] + needs: [] gitlab-advanced-sast: <<: *sast diff --git a/.gitlab/ci_templates/secret_detection.yml b/.gitlab/ci_templates/secret_detection.yml index 4fae1fd418..f78e092bf6 100644 --- a/.gitlab/ci_templates/secret_detection.yml +++ b/.gitlab/ci_templates/secret_detection.yml @@ -11,4 +11,4 @@ secret_detection: # Don't wait, since this has no dependencies. # https://docs.gitlab.com/ci/yaml/#needs - needs: [ ] + needs: [] From c87d60e2ba67588c2d19f79ba01801e6590944bb Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:54:32 -0400 Subject: [PATCH 58/68] speed up lint job --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 16752c0e15..3d764a42b3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -116,7 +116,7 @@ build: &build lint: <<: *test_common script: - - pnpm run build + - pnpm run build-assets - pnpm run eslint backend_tests: From 8b4346a326c92b874c786be1a90ecfc3af6d48b7 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Fri, 26 Sep 2025 23:54:43 -0400 Subject: [PATCH 59/68] fix build filter for frontend tests --- .gitlab-ci.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 3d764a42b3..1733a44062 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -143,8 +143,10 @@ frontend_tests: --filter=frontend \ --filter=frontend-embed \ --filter=frontend-shared \ - --filter=megalogon \ - --filter=misskey-js + --filter=misskey-js \ + --filter=misskey-bubble-game \ + --filter=misskey-reversi \ + --filter=misskey-sw - pnpm run test --filter=frontend --filter=misskey-js get_image_tag: 
From 81e654848cf162fbe7a257ead871654a9dee5544 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Sat, 27 Sep 2025 00:11:20 -0400 Subject: [PATCH 60/68] fix typo in frontend tests filter --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1733a44062..28fb0eb739 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -146,7 +146,7 @@ frontend_tests: --filter=misskey-js \ --filter=misskey-bubble-game \ --filter=misskey-reversi \ - --filter=misskey-sw + --filter=sw - pnpm run test --filter=frontend --filter=misskey-js get_image_tag: From 8fc1899f53e16600fbbad496ffb6781d0ad9db81 Mon Sep 17 00:00:00 2001 From: Hazelnoot Date: Sat, 27 Sep 2025 00:11:33 -0400 Subject: [PATCH 61/68] conditionally run frontend/backend tests --- .gitlab-ci.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 28fb0eb739..9298795cb1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -134,6 +134,19 @@ backend_tests: --filter=misskey-js - pnpm run migrate - pnpm run test --filter=backend + # Same as common, but MRs are only run if they modify the backend. + rules: + - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') + - if: $CI_PIPELINE_SOURCE == 'merge_request_event' + changes: + - 'packages/backend/**/*' + - 'packages/megalodon/**/*' + - 'packages/misskey-js/**/*' + - 'packages/*' # single-star is intention - we don't want to recurse! + - 'scripts/**/*' + - 'eslint/**/*' + - 'chart/**/*' + - '.config/**/*' frontend_tests: <<: *test_common 
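Review bot: the `changes:` list on `backend_tests` never matches the repository root, so an MR that only bumps `pnpm-lock.yaml`, `package.json`, `pnpm-workspace.yaml` or `.npmrc` (assuming, as the pnpm commands suggest, those live at the root — they are not visible here) skips the backend tests entirely, and a dependency upgrade is precisely the change that most needs them. Edits to `.gitlab-ci.yml` and `.gitlab/ci_templates/**` likewise go untested until the next push to develop/stable. Add root-level patterns alongside the package ones, e.g. `- 'pnpm-lock.yaml'`, `- 'package.json'`, `- '.gitlab-ci.yml'`, plus `.gitlab/**/*`. The comment `single-star is intention` should read `intentional`.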
@@ -148,6 +161,25 @@ frontend_tests:
 --filter=misskey-reversi \
 --filter=sw
 - pnpm run test --filter=frontend --filter=misskey-js
+ # Same as common, but MRs are only run if they modify the frontend.
+ rules:
+ - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
+ - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+ changes:
+ - 'packages/frontend/**/*'
+ - 'packages/frontend-embed/**/*'
+ - 'packages/frontend-shared/**/*'
+ - 'packages/misskey-js/**/*'
+ - 'packages/misskey-bubble-game/**/*'
+ - 'packages/misskey-reversi/**/*'
+ - 'packages/sw/**/*'
+ - 'packages/*' # single-star is intention - we don't want to recurse!
+ - 'scripts/**/*'
+ - 'eslint/**/*'
+ - 'locales/**/*'
+ - 'sharkey-locales/**/*'
+ - 'cypress/**/*'
+ - 'assets/**/*'
 get_image_tag:
 <<: *deploy_common
From 73d1c6abe1adacf3c6771b1e70248c4a5cd1082d Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 00:24:57 -0400
Subject: [PATCH 62/68] update libbehave component to 0.3.0
---
 .gitlab/ci_templates/lib_behave.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
index 0ffbdccedc..f1a9debc01 100644
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -1,7 +1,7 @@
 # https://docs.gitlab.com/user/application_security/sast/
 include:
 # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
+ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.3.0
 libbehave-experiment:
 stage: test
From 2d5ce9b67f75cd12d54c78171d5efdd2ddd74244 Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 00:27:27 -0400
Subject: [PATCH 63/68] move variables to the top
---
 .gitlab-ci.yml | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 9298795cb1..d587c7afee 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,6 +3,24 @@ stages:
 - test
 - deploy
+variables:
+ # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
+ GITLAB_ADVANCED_SAST_ENABLED: 'true'
+
+ # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
+ # https://stackoverflow.com/a/71111784
+ SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
+ DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
+
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
+ DS_ENFORCE_NEW_ANALYZER: 'true'
+ DS_MAX_DEPTH: -1
+ # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
+ DS_STATIC_REACHABILITY_ENABLED: true
+
+ # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
+ AST_ENABLE_MR_PIPELINES: 'true'
 .common: &common
 # "only" has been removed, so we use rules.
 # This runs in MR pipelines *or* push to develop/stable
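Review bot: `DS_EXCLUDED_PATHS` excludes `packages/*/src` (`# save time: skip source directories`) while `DS_STATIC_REACHABILITY_ENABLED: true` is set a few lines below; if the static reachability analyzer decides reachability by reading imports in the project's source files under that same exclusion, skipping every `src` directory leaves it nothing to analyze and the findings lose their reachability data — worth confirming against a pipeline run without the `packages/*/src` entry before the flag is relied on. Style: the block quotes `'true'` for `GITLAB_ADVANCED_SAST_ENABLED`, `DS_ENFORCE_NEW_ANALYZER` and `AST_ENABLE_MR_PIPELINES` but leaves `true` and `-1` bare; CI variables are strings either way, so `DS_STATIC_REACHABILITY_ENABLED: 'true'` and `DS_MAX_DEPTH: '-1'` would keep the block uniform.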
@@ -33,24 +51,6 @@ include:
 - local: '.gitlab/ci_templates/lib_behave.yml'
 rules: *common-rules
-variables:
- # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
- GITLAB_ADVANCED_SAST_ENABLED: 'true'
-
- # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
- # https://stackoverflow.com/a/71111784
- SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
- DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
-
- # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
- DS_ENFORCE_NEW_ANALYZER: 'true'
- DS_MAX_DEPTH: -1
- # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
- DS_STATIC_REACHABILITY_ENABLED: true
-
- # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
- AST_ENABLE_MR_PIPELINES: 'true'
-
 # Cache node_modules and share build artifacts for the pipeline.
 # This shares the same cache definition, but it's the only place that actually *pushes* to the cache.
 # https://docs.gitlab.com/ci/caching/
From dfc4a1d0957625b5f547694c06f9c2ef35dc65db Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 00:56:02 -0400
Subject: [PATCH 64/68] only scan JS in lib_behave
---
 .gitlab/ci_templates/lib_behave.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
index f1a9debc01..49a58a5501 100644
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -2,6 +2,9 @@
 include:
 # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.3.0
+ inputs:
+ include-lang: 'js'
+
 libbehave-experiment:
 stage: test
From 3035ccd0c828743062c431c49d769f19750e28a7 Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 01:40:10 -0400
Subject: [PATCH 65/68] update lib_behave to 0.3.1
---
 .gitlab/ci_templates/lib_behave.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
index 49a58a5501..85ee1a82d1 100644
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -1,7 +1,7 @@
 # https://docs.gitlab.com/user/application_security/sast/
 include:
 # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.3.0
+ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.3.1
 inputs:
 include-lang: 'js'
From 2f1ac23c57341d042726edf3a642a5a10f7cebec Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 16:22:13 -0400
Subject: [PATCH 66/68] include pnpm-workspace.yaml in cache key
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d587c7afee..c97d9ba04a 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -85,6 +85,7 @@ build: &build
 key:
 files:
 - 'pnpm-lock.yaml'
+ - 'pnpm-workspace.yaml'
 paths:
 - '.pnpm-store/'
 - 'node_modules/'
From 1150a04f51cd0562977a1e02a4a217d8a73c549a Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 17:45:57 -0400
Subject: [PATCH 67/68] prevent pipeline failure when libbehave fails to upload artifacts
---
 .gitlab/ci_templates/lib_behave.yml | 3 +++
 1 file changed, 3 insertions(+)
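Review bot: The `inputs:` block added here configures a scanner component that the context line above resolves by a mutable git tag (`@v0.3.0`, re-pointed to `v0.3.1` and `v0.4.0` in later hunks), and nothing pins what that tag delivers into the pipeline; GitLab component references also accept a full commit SHA as the version, which would make this security tooling's own supply chain reproducible and unaffected by a retargeted tag, e.g. `- component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@<commit-sha>  # v0.3.0`. `include-lang: 'js'` would also benefit from a line stating whether it covers TypeScript sources — if the component treats `js` and `ts` as distinct languages, any TypeScript package would be skipped by this input; I cannot tell from here.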
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
index 85ee1a82d1..c229f25eeb 100644
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -16,3 +16,6 @@ libbehave-experiment:
 # Don't wait, since this has no dependencies.
 # https://docs.gitlab.com/ci/yaml/#needs
 needs: []
+
+ # Gitlab issue currently causes error when upload final artifacts
+ allow_failure: true
From 20848ac08fb4665449a13f672830a6f969fa7e42 Mon Sep 17 00:00:00 2001
From: Hazelnoot
Date: Sat, 27 Sep 2025 18:13:53 -0400
Subject: [PATCH 68/68] fix pipeline error from libbehave
---
 .gitlab/ci_templates/lib_behave.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.gitlab/ci_templates/lib_behave.yml b/.gitlab/ci_templates/lib_behave.yml
index c229f25eeb..ecec0a4586 100644
--- a/.gitlab/ci_templates/lib_behave.yml
+++ b/.gitlab/ci_templates/lib_behave.yml
@@ -1,14 +1,13 @@
 # https://docs.gitlab.com/user/application_security/sast/
 include:
 # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.3.1
+ - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.4.0
 inputs:
 include-lang: 'js'
+ stage: test
-libbehave-experiment:
- stage: test
-
+.libbehave-experiment:
 # SAST tools only support x64
 tags:
 - amd64
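Review bot: `allow_failure: true` is job-wide, so it waives not only the artifact-upload error the comment refers to but also a crashed scanner or a non-zero exit on findings, and the pipeline stays green in every case. If the upload failure has a distinct exit code, `allow_failure:` with an `exit_codes:` list limits the waiver to that code; either way the comment should carry the tracking link and a removal condition, e.g. `# allow_failure: GitLab bug on final artifact upload (see <gitlab-issue-url>); remove once fixed`. The next hunk turns this job into the hidden `.libbehave-experiment`, so the waiver then applies to nothing unless the component's job picks it up.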
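Review bot: Renaming `libbehave-experiment` to `.libbehave-experiment` makes it a hidden job, so its remaining body (`tags`, `needs`, the `allow_failure` added in the previous hunk) no longer runs anything; if the component's own job is meant to replace it, the `# SAST tools only support x64` tag requirement and the failure waiver must be passed to that job (via its inputs, if it exposes them), otherwise both are silently lost. A one-line comment above the hidden job would record the intent, e.g. `# Disabled: not run directly; kept as a reference for the job the component include defines` (adjust if the component does not define the job). Whether `stage: test` under `inputs:` is an input the component accepts is not visible here.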