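---
# GitLab CI pipeline for a pnpm monorepo: build and test in the first two
# stages, then publish a multi-arch container image and run GitLab's
# security scanners (SAST, dependency, container and secret scanning).
stages:
  - build
  - test
  - deploy

# Shared base for the build and test jobs: Node image, CI config, dependency
# install and the node_modules cache. Jobs pull it in with `<<: *build_common`.
.build_common: &build_common
  stage: build
  # Major-version tag only; pinning a digest (`node:22@sha256:<digest>`)
  # makes the toolchain reproducible between pipeline runs.
  image: docker.io/node:22
  variables:
    # Password for the job-local `postgres` service used by backend_tests;
    # it only exists inside that service container.
    POSTGRES_PASSWORD: ci
    # Corepack option: do not consult the registry for a newer package
    # manager release. Quoted because CI variable values are strings.
    COREPACK_DEFAULT_TO_LATEST: '0'
  before_script:
    - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
    # Size the cluster to the runner's CPU count, then reuse the CI config
    # as both the default and the test config.
    - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
    - cp .config/ci.yml .config/default.yml
    - cp .config/ci.yml .config/test.yml
    - corepack enable
    - corepack install
    - git submodule update --init
    # --frozen-lockfile fails instead of rewriting pnpm-lock.yaml, so the
    # installed dependency set is exactly the committed one.
    - pnpm install --frozen-lockfile
  cache:
    key: node_modules
    policy: pull-push
    when: on_success
    paths:
      - node_modules/
      - packages/*/node_modules/
  only:
    - develop
    - merge_requests
    - stable

build:
  <<: *build_common
  script:
    - pnpm run build

# Test jobs reuse the build base but run in the test stage.
.test_common: &test_common
  <<: *build_common
  stage: test

lint:
  <<: *test_common
  script:
    - pnpm run build
    - pnpm run eslint

backend_tests:
  <<: *test_common
  services:
    - postgres:15
    # Untagged, so this resolves to `latest`; pin a version like postgres.
    - redis
  script:
    # Folded scalar: the line breaks below become single spaces, so the
    # command needs no trailing `\` (a `\` at a line end here would reach
    # the shell as an escaped space, not as a continuation).
    - >-
      pnpm run build
      --filter=backend
      --filter=megalodon
      --filter=misskey-js
    - pnpm run migrate
    - pnpm run test --filter=backend

frontend_tests:
  <<: *test_common
  script:
    # Folded scalar as in backend_tests: no `\` continuations needed.
    # Package name spelled as in backend_tests (`megalodon`).
    - >-
      pnpm run build
      --filter=frontend
      --filter=frontend-embed
      --filter=frontend-shared
      --filter=megalodon
      --filter=misskey-js
    - pnpm run test --filter=frontend --filter=misskey-js

# Derive the registry tag and version for the image jobs and hand them on via
# a dotenv artifact (REGISTRY_PUSH_TAG, REGISTRY_PUSH_VERSION).
get_image_tag:
  stage: deploy
  # `latest` floats; pin a version (ideally a digest) so this job's tooling
  # cannot change underneath a release.
  image: docker.io/alpine:latest
  script:
    - apk add jq
    - |
      # Tags publish under their own name; stable -> latest; develop ->
      # develop. The final branch should not be reached given the `only:`
      # list below, but keeps the assignment total.
      if test -n "$CI_COMMIT_TAG"; then
        tag="$CI_COMMIT_TAG"
      elif test "$CI_COMMIT_BRANCH" = "stable"; then
        tag="latest"
      elif test "$CI_COMMIT_BRANCH" = "develop"; then
        tag="develop"
      else
        tag="$CI_COMMIT_BRANCH"
      fi
      version=$(jq -r '.version' package.json)
    - echo "REGISTRY_PUSH_TAG=$tag" >> build.env
    - echo "REGISTRY_PUSH_VERSION=$version" >> build.env
  artifacts:
    reports:
      dotenv: build.env
  only:
    - stable
    - develop
    - tags

# Build one image per architecture with kaniko; the runner is chosen by the
# matrix ARCH value through `tags`.
build_image:
  stage: deploy
  needs:
    - job: get_image_tag
      artifacts: true
  parallel:
    matrix:
      - ARCH: amd64
      - ARCH: arm64
  tags:
    - ${ARCH}
  image:
    # Floating `debug` tag; pin by digest for reproducible, auditable builds.
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # Folded scalar: line breaks become spaces, so no `\` continuations.
    - >-
      /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/Dockerfile"
      --single-snapshot
      --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
  only:
    - stable
    - develop
    - tags

# Combine the per-arch images into one multi-platform manifest, published
# under both the version and the branch/tag name.
merge_image_manifests:
  stage: deploy
  needs:
    - job: build_image
      artifacts: false
    - job: get_image_tag
      artifacts: true
  image:
    # Floating tag; pin by digest.
    name: mplatform/manifest-tool:alpine
    entrypoint: [""]
  script:
    # CI_REGISTRY_PASSWORD is masked in the job log, but as a command-line
    # argument it is still readable from this container's process list.
    # NOTE(review): manifest-tool can also authenticate from a Docker config
    # file, which keeps the secret out of argv; confirm the flag for the
    # installed version before switching.
    # `ARCH` in --template is manifest-tool's per-platform placeholder, not
    # the CI matrix variable of build_image.
    - >-
      manifest-tool
      --username=${CI_REGISTRY_USER}
      --password=${CI_REGISTRY_PASSWORD}
      push from-args
      --platforms linux/amd64,linux/arm64
      --tags ${REGISTRY_PUSH_VERSION}
      --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH
      --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
  only:
    - stable
    - develop
    - tags

# https://docs.gitlab.com/user/application_security/sast/
# The `.latest` templates track the newest scanner releases and can change
# behaviour without a commit to this repository; the stable (non-`.latest`)
# templates only change on GitLab major releases.
include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
  # Pinned to a release tag; pinning to a commit SHA would make the included
  # component immutable.
  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.1

variables:
  # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
  GITLAB_ADVANCED_SAST_ENABLED: 'true'
  SEARCH_MAX_DEPTH: 32
  # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
  # https://stackoverflow.com/a/71111784
  SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
  # save time: skip source directories
  DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src'
  # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
  DS_ENFORCE_NEW_ANALYZER: 'true'
  DS_MAX_DEPTH: -1
  # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
  # Quoted like the other flags: CI variable values are strings.
  DS_STATIC_REACHABILITY_ENABLED: 'true'
  # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
  AST_ENABLE_MR_PIPELINES: 'true'

dependency_scanning:
  tags:
    - amd64

# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
# Scans the manifest merge_image_manifests pushed, hence the deploy stage.
container_scanning:
  variables:
    AST_ENABLE_MR_PIPELINES: 'false'
    # NOTE(review): REGISTRY_PUSH_TAG comes from get_image_tag's dotenv
    # artifact; `dependencies` below only fetches merge_image_manifests'
    # artifacts, and both jobs share this stage, so check in a real run that
    # the variable is set and the image exists before this job starts.
    CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
  stage: deploy
  dependencies:
    - merge_image_manifests
  # Overriding `rules` replaces the template's rule list entirely.
  # NOTE(review): a rule list whose only entry is `when: never` never adds
  # the job when that condition is false (no matching rule means the job is
  # skipped); a trailing `- when: on_success` is the usual fallback.
  # NOTE(review): `$CI_COMMIT_TAG != ''` is also true when the variable is
  # unset (an undefined variable compares as null, not ''), so this clause
  # excludes tag pipelines even though the image jobs run on tags; if tag
  # builds should be scanned, `$CI_COMMIT_TAG == null` matches only non-tag
  # pipelines. Confirm intent before changing.
  rules:
    - if: $CI_PIPELINE_SOURCE != 'push' || ($CI_COMMIT_BRANCH != 'develop' && $CI_COMMIT_BRANCH != 'stable' && $CI_COMMIT_TAG != '')
      when: never
  tags:
    - amd64

sast:
  tags:
    - amd64

gitlab-advanced-sast:
  tags:
    - amd64

secret_detection:
  tags:
    - amd64

libbehave-experiment:
  # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6
  # https://stackoverflow.com/a/70360201
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  tags:
    - amd64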