forked from Netflix/lemur
-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path.gitlab-ci.yml
132 lines (124 loc) · 3.58 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
variables:
CURRENT_CI_IMAGE: registry.ddbuild.io/lemur-ci:0.2.5
KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: lemur
stages:
- test
- build-stage-image
- build-stage-image-fips
- build-prod-image
- build-prod-image-fips
- gbilite
test:
image: $CURRENT_CI_IMAGE
stage: test
timeout: 30m
rules:
- if: $GBILITE_GITLAB_ACTION != "gbilite-get-images" && $GBILITE_GITLAB_ACTION != "gbilite-build-image"
tags: ["arch:amd64"]
variables:
POSTGRES_DB: lemur
POSTGRES_USER: lemur
POSTGRES_PASSWORD: lemur
POSTGRES_HOST_AUTH_METHOD: trust
# Enable colors in pytest output: https://github.com/pytest-dev/pytest/issues/7443
PY_COLORS: 1
# Enable colors in chalk output: https://github.com/chalk/chalk#chalklevel
FORCE_COLOR: 1
services:
- registry.ddbuild.io/images/mirror/postgres:12.7
script:
# Setup virtualenv
- python3 -m venv ~/env && \
- source ~/env/bin/activate && \
- python3 -m pip install --upgrade pip setuptools coveralls bandit
# Run tests
- make test
- bandit -r . -ll -ii -x lemur/tests/,docs
- xvfb-run make test-js
build-stage-image:
image: $CURRENT_CI_IMAGE
stage: build-stage-image
when: on_success
rules:
- if: ($CI_COMMIT_TAG == null && $GBILITE_GITLAB_ACTION == null)
timeout: 2h
tags: ["arch:amd64"]
variables:
CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
script:
- CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=staging GBILITE_IMAGE_TO_BUILD="lemur:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}" /bin/bash .campaigns/build_and_push_image.sh
build-stage-image-fips:
image: $CURRENT_CI_IMAGE
stage: build-stage-image-fips
when: on_success
rules:
- if: ($CI_COMMIT_TAG == null && $GBILITE_GITLAB_ACTION == null)
timeout: 2h
tags: ["arch:amd64"]
variables:
CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
script:
- CHECKOUT_REF=$CI_COMMIT_SHA GBILITE_ENV=staging GBILITE_IMAGE_TO_BUILD="lemur:v${CI_PIPELINE_ID}-${CI_COMMIT_SHORT_SHA}-fips" /bin/bash .campaigns/build_and_push_image.sh
# build a prod image when we create a new tag
build-prod-image:
image: $CURRENT_CI_IMAGE
stage: build-prod-image
when: on_success
timeout: 2h
rules:
- if: $CI_COMMIT_TAG
tags: ["arch:amd64"]
variables:
CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
script:
- GBILITE_ENV=prod GBILITE_IMAGE_TO_BUILD="lemur:$CI_COMMIT_TAG" /bin/bash .campaigns/build_and_push_image.sh
build-prod-image-fips:
image: $CURRENT_CI_IMAGE
stage: build-prod-image-fips
when: on_success
timeout: 2h
rules:
- if: $CI_COMMIT_TAG
tags: ["arch:amd64"]
variables:
CI_ENABLE_CONTAINER_IMAGE_BUILDS: "true"
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
script:
- GBILITE_ENV=prod GBILITE_IMAGE_TO_BUILD="lemur:$CI_COMMIT_TAG-fips" /bin/bash .campaigns/build_and_push_image.sh
gbilite-get-images:
image: $CURRENT_CI_IMAGE
stage: gbilite
rules:
- if: $GBILITE_GITLAB_ACTION == "gbilite-get-images"
tags: ["arch:amd64"]
script:
- /bin/bash .campaigns/get_images.sh > .campaigns/allimages.txt
artifacts:
paths:
- .campaigns/allimages.txt
gbilite-build-image:
image: $CURRENT_CI_IMAGE
stage: gbilite
timeout: 2h
rules:
- if: $GBILITE_GITLAB_ACTION == "gbilite-build-image"
tags: ["arch:amd64"]
script:
- /bin/bash .campaigns/build_and_push_image.sh
id_tokens:
DDSIGN_ID_TOKEN:
aud: image-integrity
artifacts:
paths:
- .campaigns/image_info.txt