misty.cafe/mistykey
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
mistykey/.gitlab-ci.yml
Hazelnoot 3d5d84e75c run root build-pre from CI
2025-11-05 19:41:09 -05:00

260 lines
7.8 KiB
YAML
Raw Blame History

stages:
- build
- test
- deploy
variables:
# https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
GITLAB_ADVANCED_SAST_ENABLED: 'true'
# https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
# https://stackoverflow.com/a/71111784
SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
# https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
DS_ENFORCE_NEW_ANALYZER: 'true'
DS_MAX_DEPTH: -1
# https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
DS_STATIC_REACHABILITY_ENABLED: true
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
AST_ENABLE_MR_PIPELINES: 'true'
.common: &common
# "only" has been removed, so we use rules.
# This runs in MR pipelines *or* push to develop/stable
rules: &common-rules
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
- if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
.deploy_common: &deploy_common
stage: deploy
# Only run when pushing to stable, develop, or tags
rules: &deploy-rules
- if: $CI_PIPELINE_SOURCE != 'push'
when: never
- if: $CI_COMMIT_BRANCH == 'develop'
- if: $CI_COMMIT_BRANCH == 'stable'
- if: $CI_COMMIT_TAG
# https://docs.gitlab.com/user/application_security/sast/
include:
- local: '.gitlab/ci_templates/dependency_scanning.yml'
rules: *common-rules
- local: '.gitlab/ci_templates/container_scanning.yml'
rules: *deploy-rules
- local: '.gitlab/ci_templates/sast.yml'
rules: *common-rules
- local: '.gitlab/ci_templates/secret_detection.yml'
rules: *common-rules
- local: '.gitlab/ci_templates/lib_behave.yml'
rules: *common-rules
# Cache node_modules and share build artifacts for the pipeline.
# This shares the same cache definition, but it's the only place that actually *pushes* to the cache.
# https://docs.gitlab.com/ci/caching/
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133
build: &build
<<: *common
stage: build
image:
name: docker.io/node:22
pull_policy: if-not-present
variables:
POSTGRES_PASSWORD: 'ci'
COREPACK_DEFAULT_TO_LATEST: '0'
# Arm64 is recommended for CI
tags:
- arm64
before_script:
- apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
- 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
- cp .config/ci.yml .config/default.yml
- cp .config/ci.yml .config/test.yml
- corepack enable
- corepack install
- git submodule update --init
- pnpm config set store-dir .pnpm-store
- pnpm install --frozen-lockfile
script:
- pnpm run build
cache:
- &cache-pnpm
key:
files:
- 'pnpm-lock.yaml'
- 'pnpm-workspace.yaml'
paths:
- '.pnpm-store/'
- 'node_modules/'
- 'packages/*/node_modules/'
- 'packages/misskey-js/generator/node_modules/'
policy: pull-push
when: on_success
- &cache-build
key: "$CI_COMMIT_REF_SLUG"
paths:
- 'built/'
- 'packages/*/built/'
- 'packages/megalodon/lib/'
policy: pull-push
when: on_success
.test_common: &test_common
<<: *common
<<: *build
stage: test
cache:
-
<<: *cache-pnpm
policy: pull
-
<<: *cache-build
policy: pull
lint:
<<: *test_common
script:
- pnpm run build-assets
- pnpm run eslint
backend_tests:
<<: *test_common
services:
- name: postgres:15
pull_policy: if-not-present
- name: redis
pull_policy: if-not-present
script:
- pnpm run --filter backend build:pre
- pnpm run --filter backend build
- pnpm run --filter backend migrate
- pnpm run --filter backend test
# Same as common, but MRs are only run if they modify the backend.
rules:
- if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
changes:
- 'packages/backend/**/*'
- 'packages/megalodon/**/*'
- 'packages/misskey-js/**/*'
- 'packages/*' # single-star is intention - we don't want to recurse!
- 'scripts/**/*'
- 'eslint/**/*'
- 'chart/**/*'
- '.config/**/*'
frontend_tests:
<<: *test_common
script:
- pnpm run --filter frontend build:pre
- pnpm run --filter frontend build
- pnpm run --filter frontend test
# Same as common, but MRs are only run if they modify the frontend.
rules:
- if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
changes:
- 'packages/frontend/**/*'
- 'packages/frontend-embed/**/*'
- 'packages/frontend-shared/**/*'
- 'packages/misskey-js/**/*'
- 'packages/misskey-bubble-game/**/*'
- 'packages/misskey-reversi/**/*'
- 'packages/sw/**/*'
- 'packages/*' # single-star is intention - we don't want to recurse!
- 'scripts/**/*'
- 'eslint/**/*'
- 'locales/**/*'
- 'sharkey-locales/**/*'
- 'cypress/**/*'
- 'assets/**/*'
misskey-js_tests:
<<: *test_common
script:
- pnpm run --filter misskey-js build
- pnpm run --filter misskey-js test
misskey-js_tests:
<<: *test_common
script:
- pnpm run --filter misskey-js build
- pnpm run --filter misskey-js test
megalodon_tests:
<<: *test_common
script:
- pnpm run --filter megalodon build
- pnpm run --filter megalodon test
get_image_tag:
<<: *deploy_common
image:
name: docker.io/alpine:latest
pull_policy: if-not-present
script:
- apk add jq
- |
if test -n "$CI_COMMIT_TAG"; then
tag="$CI_COMMIT_TAG"
elif test "$CI_COMMIT_BRANCH" == "stable"; then
tag="latest"
elif test "$CI_COMMIT_BRANCH" == "develop"; then
tag="develop"
else
tag="$CI_COMMIT_BRANCH"
fi
version=$(cat package.json | jq -r '.version')
- echo "REGISTRY_PUSH_TAG=$tag" >> build.env
- echo "REGISTRY_PUSH_VERSION=$version" >> build.env
artifacts:
reports:
dotenv: build.env
build_image:
<<: *deploy_common
needs:
- job: get_image_tag
artifacts: true
parallel:
matrix:
- ARCH: amd64
- ARCH: arm64
tags:
- ${ARCH}
image:
name: gcr.io/kaniko-project/executor:debug
pull_policy: if-not-present
entrypoint: [""]
script:
- >-
/kaniko/executor \
--context "${CI_PROJECT_DIR}" \
--dockerfile "${CI_PROJECT_DIR}/Dockerfile" \
--single-snapshot \
--destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
merge_image_manifests:
<<: *deploy_common
needs:
- job: build_image
artifacts: false
- job: get_image_tag
artifacts: true
image:
name: mplatform/manifest-tool:alpine
pull_policy: if-not-present
entrypoint: [""]
script:
- >-
manifest-tool \
--username=${CI_REGISTRY_USER} \
--password=${CI_REGISTRY_PASSWORD} \
push from-args \
--platforms linux/amd64,linux/arm64 \
--tags ${REGISTRY_PUSH_VERSION} \
--template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
--target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
Reference in a new issue View git blame Copy permalink