-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path.gitlab-ci.yml
215 lines (200 loc) · 6.76 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
variables:
DOCKER_DRIVER: overlay2
RELEASE_IMAGE: registry.gitlab.com/islandoftex/images/texlive
DOCKER_HUB_IMAGE: texlive/texlive
stages:
- file-conformance
- baseimage
- build
- test
pre-commit:
stage: file-conformance
image: nixos/nix:latest
variables:
PRE_COMMIT_HOME: ${CI_PROJECT_DIR}/.cache/pre-commit
script:
- nix develop --extra-experimental-features "nix-command flakes" --command pre-commit run --all-files --show-diff-on-failure
rules:
- if: '$CI_PIPELINE_SOURCE != "schedule"'
cache:
paths:
- ${PRE_COMMIT_HOME}
.buildtemplate:
image: docker:latest
services:
- docker:dind
before_script:
- if [ ! -z "$PUSH_TO_GITLAB" ]; then docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com; fi
- if [ ! -z "$PUSH_TO_DOCKER_HUB" ]; then docker login -u $DOCKER_HUB_USER -p $DOCKER_HUB_PASSWORD; fi
- docker info
- apk add --no-cache bash
# allow 1 retry for all builds (GitLab's maximum is 2)
retry: 1
.testtemplate:
stage: test
script:
- arara -l -v test.tex
- mtxrun --generate && context test.mkiv
build:baseimage:
stage: baseimage
extends: .buildtemplate
script:
- ./scripts/build-base-image.sh "$RELEASE_IMAGE" "$PUSH_TO_GITLAB"
rules:
- if: '$SKIPBASEIMAGE != "true"'
tags:
- multiarch
# from https://aquasecurity.github.io/trivy/v0.21.0/advanced/integrations/gitlab-ci/
.container_scanning:
image:
name: docker.io/aquasec/trivy:latest
entrypoint: [""]
needs: ["build:baseimage"]
stage: test
variables:
# No need to clone the repo, we exclusively work on artifacts. See
# https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
GIT_STRATEGY: none
TRIVY_USERNAME: "$CI_REGISTRY_USER"
TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
TRIVY_AUTH_URL: "$CI_REGISTRY"
script:
- trivy --version
# cache cleanup is needed when scanning images with the same tags, it does not remove the database
- time trivy image --clear-cache
# update vulnerabilities db
- time trivy --download-db-only --no-progress --cache-dir .trivycache/
# Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress --format template --template "@/contrib/gitlab.tpl"
--output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$RELEASE_IMAGE"
# Prints full report
- time trivy --exit-code 0 --cache-dir .trivycache/ --no-progress "$RELEASE_IMAGE"
# Fail on critical vulnerabilities
- time trivy --exit-code 1 --cache-dir .trivycache/ --severity CRITICAL --no-progress "$RELEASE_IMAGE"
cache:
paths:
- .trivycache/
# Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
artifacts:
when: always
reports:
container_scanning: gl-container-scanning-report.json
.latestruletemplate:
rules:
- if: '$LATESTRELEASES == "true"'
.latesttemplate:
extends: [.buildtemplate, .latestruletemplate]
stage: build
variables:
TLMIRRORURL: rsync://rsync.dante.ctan.org/CTAN/systems/texlive/tlnet/
script:
- apk add --no-cache curl sed
- ./scripts/build-latest-image.sh "$RELEASE_IMAGE" "$DOCKER_HUB_IMAGE" "$DOCFILES" "$SRCFILES" "$SCHEME" "$TLMIRRORURL" "$PUSH_TO_GITLAB" "$PUSH_TO_DOCKER_HUB"
artifacts:
expire_in: 4 weeks
paths:
- latest.svg
tags:
- multiarch
.pretestruletemplate:
rules:
- if: '$PRETEST == "true"'
.pretesttemplate:
extends: [.buildtemplate, .pretestruletemplate]
stage: build
variables:
TLMIRRORURL: ftp.cstug.cz::pub/tex/local/tlpretest/
script:
- apk add --no-cache curl sed
- ./scripts/build-latest-image.sh "$RELEASE_IMAGE" "$DOCKER_HUB_IMAGE" "$DOCFILES" "$SRCFILES" "$SCHEME" "$TLMIRRORURL" "$PUSH_TO_GITLAB" "$PUSH_TO_DOCKER_HUB" "true"
artifacts:
expire_in: 4 weeks
paths:
- latest.svg
tags:
- multiarch
.treetemplate:
extends: .buildtemplate
stage: build
script:
- TLMIRRORURL="$(scripts/pick-historic-mirror.sh $CURRENTRELEASE)systems/texlive/$CURRENTRELEASE/tlnet-final/"
- ./scripts/build-tree-image.sh "$RELEASE_IMAGE" "$DOCKER_HUB_IMAGE" "$DOCFILES" "$SRCFILES" "$CURRENTRELEASE" "$TLMIRRORURL" "$PUSH_TO_GITLAB" "$PUSH_TO_DOCKER_HUB"
.historictemplate:
extends: .buildtemplate
stage: build
script:
- ./scripts/build-historic-image.sh "$RELEASE_IMAGE" "$DOCKER_HUB_IMAGE" "$DOCFILES" "$SRCFILES" "$CURRENTRELEASE" "$PUSH_TO_GITLAB" "$PUSH_TO_DOCKER_HUB"
# build the latest image
build:latest:
extends: .latesttemplate
parallel:
matrix:
- DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
SCHEME: ["minimal", "basic", "small", "medium", "full"]
test:latest:
image: $RELEASE_IMAGE:latest
needs: ["build:latest"]
extends: [.testtemplate, .latestruletemplate]
build:pretest:
extends: .pretesttemplate
parallel:
matrix:
- DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
SCHEME: ["minimal", "basic", "small", "medium", "full"]
test:pretest:
image: $RELEASE_IMAGE:pretest
needs: ["build:pretest"]
extends: [.testtemplate, .pretestruletemplate]
# NOTE: historic images have to be built in batches (because the server has a
# rate limit which we should obey to get the CI passing)
# build historic images batch i (one)
build:tree:21to23:
extends: .treetemplate
parallel:
matrix:
- CURRENTRELEASE: [2021, 2022, 2023]
DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
rules:
- if: '$HISTORICTREEBATCHI == "true"'
# build historic images batch ii (two)
build:tree:17to20:
extends: .treetemplate
parallel:
matrix:
- CURRENTRELEASE: [2017, 2018, 2019, 2020]
DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
rules:
- if: '$HISTORICTREEBATCHII == "true"'
# build historic images batch iii (three)
build:tree:13to16:
extends: .treetemplate
parallel:
matrix:
- CURRENTRELEASE: [2013, 2014, 2015, 2016]
DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
rules:
- if: '$HISTORICTREEBATCHIII == "true"'
# build historic images based on our tree images
build:historic:
extends: .historictemplate
parallel:
matrix:
- CURRENTRELEASE: [2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023]
DOCFILES: ["yes", "no"]
SRCFILES: ["yes", "no"]
rules:
- if: '$HISTORICIMAGES == "true"'
test:historic:
image: $RELEASE_IMAGE:TL$CURRENTRELEASE-historic
extends: .testtemplate
parallel:
matrix:
- CURRENTRELEASE: [2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023]
TESTBUILD: "true" # this is a dummy parameter to make the matrix run the list
rules:
- if: '$HISTORICIMAGES == "true"'