# Pipeline stages in execution order. The security-scanner jobs that merge
# `*sast_common` run in `test`; image build/push (and the container scan of
# the pushed image) run in `deploy`.
stages:
  - build
  - test
  - deploy
# Shared run conditions for the build/test jobs and for the included
# templates. `only:` no longer exists in GitLab CI, so `rules:` is used.
# A job that merges this runs in merge-request pipelines, or on a push to
# `develop` or `stable`; when neither rule matches the job is not created.
# NOTE(review): if merge-request pipelines from forks are allowed to run in
# this project, these jobs execute fork-supplied package scripts and build
# steps on the project's runners — confirm that setting before exposing any
# non-masked/protected variable to them.
.common: &common
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
# https://docs.gitlab.com/user/application_security/sast/
# The `*common` rules are attached to every include entry because the jobs
# inside an imported template cannot be filtered after the fact.
# NOTE(review): the `.latest` templates track GitLab's newest release and may
# change behaviour between upgrades; the stable (non-`.latest`) variants are
# the conservative choice if scan results need to stay comparable over time.
include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
    <<: *common
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
    <<: *common
  - template: Jobs/SAST.latest.gitlab-ci.yml
    <<: *common
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
    <<: *common
  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
  # NOTE(review): `@v0.2.4` is a git tag and can be moved; pin the component
  # to a commit SHA if its contents must be immutable.
  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4
    <<: *common
# Build the whole workspace once and warm the caches for the test jobs.
# Every job that merges `*build` shares these cache definitions, but this is
# the only job that *pushes* to them — the test jobs use `policy: pull`.
# https://docs.gitlab.com/ci/caching/
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133
build: &build
  <<: *common
  stage: build
  image:
    # NOTE(review): a mutable tag combined with `if-not-present` means the
    # runner silently reuses whatever `node:22` it already has; pin a digest
    # (`node:22@sha256:...`) for reproducible, tamper-evident builds.
    name: docker.io/node:22
    pull_policy: if-not-present
  # Arm64 is recommended for CI
  tags:
    - arm64
  variables:
    # Throwaway credential for the postgres service container used by the
    # test jobs that merge this job; it never leaves the CI environment.
    POSTGRES_PASSWORD: 'ci'
    # Stop corepack from upgrading past the `packageManager` version pinned
    # in package.json.
    COREPACK_DEFAULT_TO_LATEST: '0'
  before_script:
    - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
    - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
    - cp .config/ci.yml .config/default.yml
    - cp .config/ci.yml .config/test.yml
    - corepack enable
    - corepack install
    - git submodule update --init
    - pnpm config set store-dir .pnpm-store
    # --frozen-lockfile refuses to install anything not already resolved in
    # pnpm-lock.yaml.
    - pnpm install --frozen-lockfile
  script:
    - pnpm run build
  cache:
    # Dependency cache, keyed on the lockfile: any dependency change starts
    # from an empty cache.
    # NOTE(review): `pull-push` also applies to merge-request pipelines, so an
    # MR that leaves pnpm-lock.yaml untouched can write node_modules/ into the
    # very key the develop/stable builds pull next. Check that "use separate
    # caches for protected branches" is enabled for the project, or switch
    # MR pipelines to `policy: pull`.
    - &cache-pnpm
      key:
        files:
          - 'pnpm-lock.yaml'
      paths:
        - '.pnpm-store/'
        - 'node_modules/'
        - 'packages/*/node_modules/'
        - 'packages/misskey-js/generator/node_modules/'
      policy: pull-push
      when: on_success
    # Build output, keyed per ref so branches and tags don't overwrite each
    # other.
    - &cache-build
      key: "$CI_COMMIT_REF_SLUG"
      paths:
        - 'built/'
        - 'packages/*/built/'
        - 'packages/megalodon/lib/'
      policy: pull-push
      when: on_success
# Base for the test-stage jobs. Merging `*build` gives them the same image,
# runner tag, variables and before_script (dependencies installed the same
# way), while the caches are only *read* here, never written. Jobs that merge
# this must supply their own `script`.
# `*build` already carries the `*common` rules, so the first merge is
# redundant but harmless. Explicit keys in this mapping (`stage`, `script`,
# `cache`) replace the merged values outright — merge keys are shallow.
.test_common: &test_common
  <<: *common
  <<: *build
  stage: test
  script: []
  cache:
    - <<: *cache-pnpm
      policy: pull
    - <<: *cache-build
      policy: pull
# Build the workspace, then run eslint over it.
lint:
  <<: *test_common
  script:
    - pnpm run build
    - pnpm run eslint
# Backend test suite against real postgres and redis service containers.
# The postgres service presumably reads POSTGRES_PASSWORD from the job
# variables inherited via `*build` (the throwaway value 'ci').
# NOTE(review): `postgres:15` and `redis` are mutable tags pulled
# `if-not-present`; pin digests if test reproducibility matters.
backend_tests:
  <<: *test_common
  services:
    - name: postgres:15
      pull_policy: if-not-present
    - name: redis
      pull_policy: if-not-present
  script:
    # Build only what the backend tests need. The continuation lines are
    # more-indented so the folded scalar keeps the line breaks (and the `\`
    # continuations) intact for the shell.
    - >-
      pnpm run build \
        --filter=backend \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run migrate
    - pnpm run test --filter=backend
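# Frontend test suite (frontend + misskey-js).
frontend_tests:
  <<: *test_common
  script:
    # Build only the packages the frontend tests depend on. The continuation
    # lines are more-indented so the folded scalar keeps the line breaks (and
    # the `\` continuations) intact for the shell.
    # Fixed: this filter previously read `megalogon`, which matches no
    # package (the workspace has `packages/megalodon`, as the cache paths and
    # backend_tests show), so megalodon was silently left out of this build.
    - >-
      pnpm run build \
        --filter=frontend \
        --filter=frontend-embed \
        --filter=frontend-shared \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run test --filter=frontend --filter=misskey-js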
# Shared run conditions for the deploy stage: direct pushes to `develop` or
# `stable`, or a pushed tag. Every other pipeline source (merge requests,
# schedules, API, web) is rejected by the first rule, which also keeps the
# registry-pushing jobs away from merge-request code.
# NOTE(review): any tag push reaches these jobs and becomes an image tag —
# protect tags (and the two branches) in the project settings so that only
# maintainers can trigger a publish.
.deploy_common: &deploy_common
  stage: deploy
  rules:
    - if: $CI_PIPELINE_SOURCE != 'push'
      when: never
    - if: $CI_COMMIT_BRANCH == 'develop'
    - if: $CI_COMMIT_BRANCH == 'stable'
    - if: $CI_COMMIT_TAG
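# Work out the registry tag and version for this pipeline and hand them to the
# later deploy jobs through a dotenv artifact (REGISTRY_PUSH_TAG and
# REGISTRY_PUSH_VERSION):
#   tag push      -> the tag name
#   stable        -> latest
#   develop       -> develop
#   anything else -> the branch name (unreachable under .deploy_common's
#                    rules; kept as a defensive fallback)
# GitLab runs all `script` items in one shell session, so `tag` and
# `version` set in the block scalar are still visible to the echo lines.
get_image_tag:
  <<: *deploy_common
  image:
    # NOTE(review): `alpine:latest` is mutable; pin a digest for
    # reproducibility.
    name: docker.io/alpine:latest
    pull_policy: if-not-present
  script:
    # --no-cache fetches the index and installs without leaving apk's cache
    # behind (the usual form in alpine images).
    - apk add --no-cache jq
    - |
      # `=` rather than `==`: the alpine image runs busybox sh and `==` is a
      # non-POSIX extension of test(1).
      if test -n "$CI_COMMIT_TAG"; then
        tag="$CI_COMMIT_TAG"
      elif test "$CI_COMMIT_BRANCH" = "stable"; then
        tag="latest"
      elif test "$CI_COMMIT_BRANCH" = "develop"; then
        tag="develop"
      else
        tag="$CI_COMMIT_BRANCH"
      fi
      version=$(jq -r '.version' package.json)
      # jq prints "null" for a missing key; without this guard the pipeline
      # would publish an image tagged ":null-<arch>".
      if test -z "$version" || test "$version" = "null"; then
        echo "package.json has no .version" >&2
        exit 1
      fi
    - echo "REGISTRY_PUSH_TAG=$tag" >> build.env
    - echo "REGISTRY_PUSH_VERSION=$version" >> build.env
  artifacts:
    reports:
      dotenv: build.env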
# Build one single-arch image per matrix entry with kaniko and push it as
# ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}; merge_image_manifests
# later combines the two into a multi-arch tag.
# NOTE(review): no registry credentials are configured in this job (kaniko
# normally reads /kaniko/.docker/config.json), so they presumably come from
# the runner configuration or a CI variable — verify, as the push cannot
# succeed without them.
build_image:
  <<: *deploy_common
  needs:
    # Supplies REGISTRY_PUSH_VERSION via its dotenv report.
    - job: get_image_tag
      artifacts: true
  parallel:
    matrix:
      - ARCH: amd64
      - ARCH: arm64
  # Each architecture builds natively on a runner tagged with that arch.
  tags:
    - ${ARCH}
  image:
    # NOTE(review): `executor:debug` is a mutable tag; pin a digest.
    name: gcr.io/kaniko-project/executor:debug
    pull_policy: if-not-present
    entrypoint: [""]
  script:
    # Continuation lines are more-indented so the folded scalar keeps the
    # line breaks (and the `\` continuations) intact for the shell.
    - >-
      /kaniko/executor \
        --context "${CI_PROJECT_DIR}" \
        --dockerfile "${CI_PROJECT_DIR}/Dockerfile" \
        --single-snapshot \
        --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
# Combine the per-arch images into one multi-arch manifest list, published as
# ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG} and additionally tagged with the
# version. `ARCH` in --template is manifest-tool's per-platform placeholder.
# NOTE(review): the registry password is passed on the command line, so it is
# visible to anything that can read this job's process table, and to the job
# log if the runner's masking ever misses it; manifest-tool can presumably
# take credentials from ~/.docker/config.json instead — confirm before
# changing.
merge_image_manifests:
  <<: *deploy_common
  needs:
    # Ordering only: the images are fetched from the registry, not from
    # artifacts.
    - job: build_image
      artifacts: false
    # Supplies REGISTRY_PUSH_TAG / REGISTRY_PUSH_VERSION via its dotenv report.
    - job: get_image_tag
      artifacts: true
  image:
    # NOTE(review): mutable tag; pin a digest.
    name: mplatform/manifest-tool:alpine
    pull_policy: if-not-present
    entrypoint: [""]
  script:
    # Continuation lines are more-indented so the folded scalar keeps the
    # line breaks (and the `\` continuations) intact for the shell.
    - >-
      manifest-tool \
        --username=${CI_REGISTRY_USER} \
        --password=${CI_REGISTRY_PASSWORD} \
        push from-args \
        --platforms linux/amd64,linux/arm64 \
        --tags ${REGISTRY_PUSH_VERSION} \
        --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
        --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
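# Note: do not extend any other configs here!
# Doing so may break the SAST templates.
# Shared settings for the jobs created by the security templates included
# above: stage and runner tag are fixed here, the variables tune the analyzers.
# NOTE(review): by default GitLab's scanner jobs are `allow_failure`, so
# findings are reported but do not fail the pipeline — gate merges with a
# scan-result / approval policy if that is the intent.
.sast_common: &sast_common
  stage: test
  # SAST tools only support x64
  tags:
    - amd64
  variables:
    # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
    GITLAB_ADVANCED_SAST_ENABLED: 'true'

    # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
    # https://stackoverflow.com/a/71111784
    SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
    DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories

    # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
    DS_ENFORCE_NEW_ANALYZER: 'true'
    DS_MAX_DEPTH: -1
    # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
    # Quoted like the other flags so the value is the string "true" regardless
    # of YAML boolean handling (it was the only unquoted boolean here).
    DS_STATIC_REACHABILITY_ENABLED: 'true'

    # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
    AST_ENABLE_MR_PIPELINES: 'true'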
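# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
# Scan the multi-arch image this pipeline just published. The job must sit in
# the deploy stage (it `needs` merge_image_manifests), so it presumably relies
# on the later `<<:` winning the `stage` conflict with `*sast_common`.
# Note: the explicit `variables` block below *replaces* the one merged from
# `*sast_common` (merge keys are shallow); the dropped SAST/DS tuning is not
# used by this job anyway.
container_scanning:
  <<: *sast_common
  <<: *deploy_common
  variables:
    # Scan on develop/stable/tag pushes only, never in MR pipelines.
    AST_ENABLE_MR_PIPELINES: 'false'
    CS_IMAGE: ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
  needs:
    # Ordering only; merge_image_manifests declares no artifacts.
    - job: merge_image_manifests
      artifacts: true
    # Fixed: REGISTRY_PUSH_TAG comes from get_image_tag's dotenv report, and a
    # job with `needs` only receives artifacts from the jobs it lists — the
    # other two consumers (build_image, merge_image_manifests) list
    # get_image_tag explicitly; without it CS_IMAGE would expand to a bare
    # "${CI_REGISTRY_IMAGE}:".
    - job: get_image_tag
      artifacts: true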
# Jobs created by the included templates and component, pinned to the shared
# stage / runner tag / analyzer variables. Nothing else is overridden here;
# script, image and rules come from the template that defines each job.
dependency_scanning:
  <<: *sast_common

sast:
  <<: *sast_common

gitlab-advanced-sast:
  <<: *sast_common

secret_detection:
  <<: *sast_common

libbehave-experiment:
  <<: *sast_common