fix rule binding for SAST templates

This commit is contained in:
Hazelnoot 2025-09-26 22:34:29 -04:00
parent 6c57746b6d
commit abc55ef13a


@ -6,24 +6,34 @@ stages:
.common: &common .common: &common
# "only" has been removed, so we use rules. # "only" has been removed, so we use rules.
# This runs in MR pipelines *or* push to develop/stable # This runs in MR pipelines *or* push to develop/stable
rules: rules: &common-rules
- if: $CI_PIPELINE_SOURCE == 'merge_request_event' - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable') - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
.deploy_common: &deploy_common
stage: deploy
# Only run when pushing to stable, develop, or tags
rules: &deploy-rules
- if: $CI_PIPELINE_SOURCE != 'push'
when: never
- if: $CI_COMMIT_BRANCH == 'develop'
- if: $CI_COMMIT_BRANCH == 'stable'
- if: $CI_COMMIT_TAG
# https://docs.gitlab.com/user/application_security/sast/ # https://docs.gitlab.com/user/application_security/sast/
# We have to define the rules here because the imported template can't be filtered properly. # We have to define the rules here because the imported template can't be filtered properly.
include: include:
- template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
<<: *common rules: *common-rules
- template: Jobs/Container-Scanning.latest.gitlab-ci.yml - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
<<: *common rules: *deploy-rules
- template: Jobs/SAST.latest.gitlab-ci.yml - template: Jobs/SAST.latest.gitlab-ci.yml
<<: *common rules: *common-rules
- template: Jobs/Secret-Detection.latest.gitlab-ci.yml - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
<<: *common rules: *common-rules
# https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/ # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
- component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4 - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
<<: *common rules: *common-rules
# Cache node_modules and share build artifacts for the pipeline. # Cache node_modules and share build artifacts for the pipeline.
# This shares the same cache definition, but it's the only place that actually *pushes* to the cache. # This shares the same cache definition, but it's the only place that actually *pushes* to the cache.
@ -122,16 +132,6 @@ frontend_tests:
--filter=misskey-js --filter=misskey-js
- pnpm run test --filter=frontend --filter=misskey-js - pnpm run test --filter=frontend --filter=misskey-js
.deploy_common: &deploy_common
stage: deploy
# Only run when pushing to stable, develop, or tags
rules:
- if: $CI_PIPELINE_SOURCE != 'push'
when: never
- if: $CI_COMMIT_BRANCH == 'develop'
- if: $CI_COMMIT_BRANCH == 'stable'
- if: $CI_COMMIT_TAG
get_image_tag: get_image_tag:
<<: *deploy_common <<: *deploy_common
image: image:
@ -230,7 +230,7 @@ merge_image_manifests:
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist # https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
container_scanning: container_scanning:
<<: *sast_common <<: *sast_common
<<: *deploy_common stage: deploy
variables: variables:
AST_ENABLE_MR_PIPELINES: 'false' AST_ENABLE_MR_PIPELINES: 'false'
CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
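Review bot: In the third hunk `container_scanning:` now keeps only `stage: deploy` where `<<: *deploy_common` used to bring the deploy rules with it, so the job's own rules are now whatever `*sast_common` and the included template provide; combined with the first hunk gating the Container-Scanning include on `rules: *deploy-rules`, the job stanza is still defined in merge-request pipelines where the template (and its script) is not included, which may leave an invalid job unless `.sast_common` supplies a script. Dropping the second `<<:` was right, since two merge keys in one mapping are a duplicate-key case that most parsers resolve silently, but the explicit replacement should carry both keys: `stage: deploy` followed by `rules: *deploy-rules`, so the job is gated the same way the include is. The `&common` anchor on `.common` no longer has a visible `*common` alias after this change; if nothing else in the file aliases it, it can be dropped in favour of `&common-rules` alone. `.sast_common` and the rest of the `container_scanning:` job lie outside these hunks.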