# Pipeline stages in execution order. Note that image build, manifest
# publishing and container scanning all live in `deploy`, so everything
# that pushes to the registry runs after build and test have passed.
stages:
  - build
  - test
  - deploy
# Shared skeleton for every Node job (build, lint, backend/frontend tests).
# Hidden job (leading dot) – only reachable through the anchor below.
.build_common: &build_common
  stage: build
  # NOTE(review): floating tag; pin by digest (node:22@sha256:...) if
  # reproducible, tamper-evident builds are wanted.
  image: docker.io/node:22
  variables:
    # Throwaway credential for the CI-only postgres service container used by
    # backend_tests; it never leaves the job and is not a production secret.
    POSTGRES_PASSWORD: ci
    COREPACK_DEFAULT_TO_LATEST: 0
  before_script:
    # Native deps for canvas/ffmpeg bindings; fetched unpinned from the image's
    # apt sources on every job run (no version or hash pinning here).
    - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
    # Single-quoted because of the ": " inside the echoed text.
    - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
    - cp .config/ci.yml .config/default.yml
    - cp .config/ci.yml .config/test.yml
    - corepack enable
    - corepack install
    - git submodule update --init
    # --frozen-lockfile: fail instead of silently rewriting pnpm-lock.yaml.
    - pnpm install --frozen-lockfile
  cache:
    # NOTE(review): the key is a constant, so develop, stable and every MR
    # pipeline pull/push the same node_modules cache. A poisoned cache written
    # by one ref is picked up by the next ref unless the project keeps
    # protected-branch caches separate; keying on the lockfile
    # (key: files: [pnpm-lock.yaml]) would narrow that – confirm the setting.
    key: node_modules
    policy: pull-push
    when: on_success
    paths:
      - node_modules/
      - packages/*/node_modules/
  only:
    - develop
    - merge_requests
    - stable
# Full workspace build; inherits image, before_script, cache and ref filter
# from .build_common.
build:
  <<: *build_common
  script:
    - pnpm run build
# Same setup as .build_common, only moved to the test stage. Merge keys are
# shallow: `stage` here overrides the one merged in, everything else is shared.
.test_common: &test_common
  <<: *build_common
  stage: test
# ESLint over the whole workspace; builds first so generated/typed sources exist.
lint:
  <<: *test_common
  script:
    - pnpm run build
    - pnpm run eslint
# Backend unit tests against throwaway postgres/redis service containers.
# POSTGRES_PASSWORD comes from .build_common's variables (presumably picked up
# by the postgres:15 service – confirm).
backend_tests:
  <<: *test_common
  services:
    - postgres:15
    # NOTE(review): unpinned (resolves to redis:latest); pin a major/digest.
    - redis
  script:
    # Continuation lines are more-indented so the folded scalar keeps the
    # newlines and the trailing backslashes act as shell line continuations.
    - >-
      pnpm run build \
        --filter=backend \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run migrate
    - pnpm run test --filter=backend
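# Frontend + misskey-js tests. Builds only the packages the tests need.
frontend_tests:
  <<: *test_common
  script:
    # Continuation lines are more-indented so the folded scalar keeps the
    # newlines and the trailing backslashes act as shell line continuations.
    # The filter was `megalogon`, which matches no workspace package; the
    # backend job filters `megalodon`, so presumably that was intended here too.
    - >-
      pnpm run build \
        --filter=frontend \
        --filter=frontend-embed \
        --filter=frontend-shared \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run test --filter=frontend --filter=misskey-js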
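# Derives the registry tag and the package version for the image jobs and
# hands them on through a dotenv artifact (REGISTRY_PUSH_TAG / _VERSION).
# Runs on pushes to stable, develop and on any git tag.
get_image_tag:
  stage: deploy
  # NOTE(review): floating tag; pin by digest for a reproducible toolchain.
  image: docker.io/alpine:latest
  script:
    - apk add jq
    - |
      # Tag pipelines win; otherwise map the two long-lived branches.
      # `=` instead of `==`: busybox sh on alpine is what runs this script.
      if test -n "$CI_COMMIT_TAG"; then
        tag="$CI_COMMIT_TAG"
      elif test "$CI_COMMIT_BRANCH" = "stable"; then
        tag="latest"
      elif test "$CI_COMMIT_BRANCH" = "develop"; then
        tag="develop"
      else
        tag="$CI_COMMIT_BRANCH"
      fi
      # `// empty` turns a missing .version into "" instead of the string "null".
      version=$(jq -r '.version // empty' package.json)
      # Both values become OCI image references. Refuse anything that is empty
      # or outside the tag grammar (e.g. a git tag with "/" or "+") here, with
      # a clear message, rather than letting kaniko/manifest-tool fail later
      # or publish under an unintended name.
      for ref in "$tag" "$version"; do
        printf '%s\n' "$ref" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$' || {
          echo "refusing to publish with invalid image tag: '$ref'" >&2
          exit 1
        }
      done
    - echo "REGISTRY_PUSH_TAG=$tag" >> build.env
    - echo "REGISTRY_PUSH_VERSION=$version" >> build.env
  artifacts:
    reports:
      # Exposes the two variables to later jobs that declare this job in needs.
      dotenv: build.env
  only:
    - stable
    - develop
    - tags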
# Builds and pushes one per-architecture image per matrix entry, tagged
# <version>-<arch>; merge_image_manifests later stitches them together.
build_image:
  stage: deploy
  needs:
    - job: get_image_tag
      # Pull the dotenv so REGISTRY_PUSH_VERSION is defined here.
      artifacts: true
  parallel:
    matrix:
      - ARCH: amd64
      - ARCH: arm64
  # Each instance is scheduled on a runner tagged with its architecture.
  tags:
    - ${ARCH}
  image:
    # NOTE(review): floating `:debug` tag from a third-party registry; pin by
    # digest so a retagged executor cannot change what builds/pushes images.
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # NOTE(review): no registry login is visible in this job, yet kaniko pushes
    # to CI_REGISTRY_IMAGE. Presumably the ${ARCH}-tagged runners provide
    # credentials out of band (e.g. a pre-populated /kaniko/.docker/config.json)
    # – confirm; a job-scoped CI_JOB_TOKEN login would be the least-privilege
    # choice. Continuation lines are more-indented so the folded scalar keeps
    # the newlines for the backslash continuations.
    - >-
      /kaniko/executor \
        --context "${CI_PROJECT_DIR}" \
        --dockerfile "${CI_PROJECT_DIR}/Dockerfile" \
        --single-snapshot \
        --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"
  only:
    - stable
    - develop
    - tags
# Publishes a multi-arch manifest list: the per-arch images from build_image
# become <image>:<tag> (the branch/git-tag name) and, via --tags, also
# <image>:<version>.
merge_image_manifests:
  stage: deploy
  needs:
    - job: build_image
      artifacts: false
    - job: get_image_tag
      # Needed for REGISTRY_PUSH_VERSION / REGISTRY_PUSH_TAG below.
      artifacts: true
  image:
    # NOTE(review): unpinned third-party Docker Hub image that receives registry
    # credentials; pin by digest.
    name: mplatform/manifest-tool:alpine
    entrypoint: [""]
  script:
    # NOTE(review): the registry password is passed as a command-line argument,
    # so it is readable from the process table inside the job container for
    # the lifetime of the push; if the tool supports a config-file login,
    # prefer that. Continuation lines are more-indented so the folded scalar
    # keeps the newlines for the backslash continuations.
    - >-
      manifest-tool \
        --username=${CI_REGISTRY_USER} \
        --password=${CI_REGISTRY_PASSWORD} \
        push from-args \
        --platforms linux/amd64,linux/arm64 \
        --tags ${REGISTRY_PUSH_VERSION} \
        --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
        --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}
  only:
    - stable
    - develop
    - tags
# https://docs.gitlab.com/user/application_security/sast/
# GitLab security scanners. The `.latest` templates deliberately track the
# newest template revision rather than a fixed one.
include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
  # NOTE(review): pinned to a version tag, which is mutable; pinning to a
  # commit SHA is the tamper-resistant choice for a component that runs in
  # MR pipelines.
  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.1
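# Global variables consumed by the included scanner templates. Boolean-like
# values are written as quoted strings throughout: they are environment
# variables, and an unquoted `true` would be parsed as a YAML boolean.
variables:
  # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
  GITLAB_ADVANCED_SAST_ENABLED: 'true'
  SEARCH_MAX_DEPTH: 32
  # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
  # https://stackoverflow.com/a/71111784
  SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
  # NOTE(review): this also excludes packages/*/src; static reachability
  # (enabled below) presumably needs the source tree to decide which
  # dependencies are actually imported – confirm the exclusion does not
  # silently reduce reachability data.
  DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src' # save time: skip source directories
  # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
  DS_ENFORCE_NEW_ANALYZER: 'true'
  DS_MAX_DEPTH: -1
  # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
  # Quoted like every other flag in this block (was an unquoted YAML boolean).
  DS_STATIC_REACHABILITY_ENABLED: 'true'
  # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
  AST_ENABLE_MR_PIPELINES: 'true'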
# Pin the template-provided job to an amd64 runner (runners are tagged by arch).
dependency_scanning:
  tags:
    - amd64
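# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
# Scans the multi-arch image that merge_image_manifests just published.
container_scanning:
  variables:
    AST_ENABLE_MR_PIPELINES: 'false'
    CS_IMAGE: '${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}'
  stage: deploy
  # `needs` instead of `dependencies`: both jobs sit in the same deploy stage,
  # and `dependencies` only selects artifacts, it does not order jobs – the
  # scan could otherwise start before the manifest has been pushed. The dotenv
  # from get_image_tag is what defines REGISTRY_PUSH_TAG for CS_IMAGE.
  needs:
    - job: merge_image_manifests
      artifacts: false
    - job: get_image_tag
      artifacts: true
  # Job-level rules replace the template's rules entirely, so a positive rule
  # is required; a lone `when: never` rule left the job never added to any
  # pipeline. Intended scope, matching the image jobs' `only:` filter: pushes
  # to develop/stable and git tags.
  rules:
    - if: $CI_PIPELINE_SOURCE != 'push'
      when: never
    - if: $CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable' || $CI_COMMIT_TAG
  tags:
    - amd64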
# Pin the remaining template-provided scanner jobs to amd64 runners.
sast:
  tags:
    - amd64
gitlab-advanced-sast:
  tags:
    - amd64
secret_detection:
  tags:
    - amd64
# Experimental behavioural dependency check from the libbehave component.
# These rules replace the component's own, so the job exists only in
# merge-request pipelines.
libbehave-experiment:
  # https://gitlab.com/gitlab-org/security-products/demos/experiments/libbehave/npm-demo/-/blob/add_dependencies/.gitlab-ci.yml?ref_type=heads#L6
  # https://stackoverflow.com/a/70360201
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  tags:
    - amd64