This repository has been archived by the owner on Sep 9, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy path.gitlab-ci.yml
237 lines (218 loc) · 6.17 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
image: ${DEVOPS_REGISTRY}usgs/centos:latest
stages:
- test
- build
- deploy
- publish
variables:
ALGORITHMS_CI_REGISTRY_IMAGE: ${ALGORITHMS_REGISTRY_ADDRESS}
# docker variables
DOCKER_DRIVER: overlay2
JAVA_IMAGE: ${DEVOPS_REGISTRY}usgs/java:11-jdk
# environment variables
APP_NAME: neic-traveltime
UPSTREAM_PATH: ghsc/neic/algorithms/neic-traveltime
## --------------------------------------------------
# Templates
## --------------------------------------------------
.adjust_image_names:
before_script:
- IMAGE_NAME=${APP_NAME}:${CI_COMMIT_REF_SLUG}
- INTERNAL_IMAGE_NAME=${ALGORITHMS_CI_REGISTRY_IMAGE}/${IMAGE_NAME}
- STACK_NAME=${APP_NAME}
.deploy:
cache: {}
extends:
- .adjust_image_names
image: ${CODE_REGISTRY}/ghsc/hazdev/container-deploy:latest
script:
# upstream check
- if [ "${CI_PROJECT_PATH}" != "${UPSTREAM_PATH}" ]; then
echo "Skipping deploy on non-upstream (${CI_PROJECT_PATH})";
exit 0;
fi
- mkdir scripts
# get configuration from the config repository
- git clone ${ALGORITHMS_CONFIG_REPO_ADDRESS}/${APP_NAME}.git config
- cp -v
config/custom.config.sh
config/custom.funcs.sh
config/${APP_NAME}.yml
scripts/.
# get the deploy scripts
- cp -v
/container-deploy/default.config.sh
/container-deploy/default.funcs.sh
/container-deploy/deploy.sh
scripts/.
# set varibles
- export APP_NAME=${APP_NAME}
- export IMAGE_NAME=${IMAGE_NAME}
- export REGISTRY=${ALGORITHMS_CI_REGISTRY_IMAGE}
- export STACK_NAME=${APP_NAME}
- export DEBUG='true'
# do the deployment
- ./scripts/deploy.sh
stage: deploy
tags:
- deploy
# rules to define which branches should trigger actions
.dev-env: &dev-env
if: $CI_PROJECT_PATH != $UPSTREAM_PATH
variables:
ENVIRONMENT: dev
.publish-env: &publish-env
if: $CI_PROJECT_PATH == $UPSTREAM_PATH
variables:
ENVIRONMENT: publish
## --------------------------------------------------
# Build Stage
## --------------------------------------------------
Build Docker Image:
cache: {}
extends:
- .adjust_image_names
image: ${CI_REGISTRY}/devops/images/usgs/docker:20
script:
- LOCAL_IMAGE="local/${IMAGE_NAME}"
# Build the container
- docker build
--pull
--build-arg FROM_IMAGE=${FROM_IMAGE}
--build-arg BUILD_IMAGE=${BUILD_IMAGE}
--build-arg GIT_BRANCH_NAME=${CI_COMMIT_REF_NAME}
--build-arg GIT_COMMIT_SHA=${CI_COMMIT_SHA}
--tag "${LOCAL_IMAGE}"
"."
## trivy scan before push
- wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
- tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
# fail LOW,MEDIUM vulnerabilities that have a fix available
- ./trivy image --exit-code 1 --ignore-unfixed --severity LOW,MEDIUM "${LOCAL_IMAGE}";
# fail HIGH,CRITICAL vulnerabilities
- ./trivy image --exit-code 1 --severity HIGH,CRITICAL "${LOCAL_IMAGE}";
# upstream check
- if [ "${CI_PROJECT_PATH}" != "${UPSTREAM_PATH}" ]; then
echo "Skipping push on non-upstream (${CI_PROJECT_PATH})";
exit 0;
fi
# Tag and Push image to algorithms registry
- docker tag local/${IMAGE_NAME} ${INTERNAL_IMAGE_NAME}
- docker push ${INTERNAL_IMAGE_NAME}
- docker image rm ${INTERNAL_IMAGE_NAME}
services:
- alias: docker
name: ${CI_REGISTRY}/devops/images/usgs/docker:20-dind
stage: build
rules:
- <<: *dev-env
when: always
- <<: *publish-env
when: always
tags:
- build
variables:
APP_NAME: neic-traveltime
DOCKER_DRIVER: overlay2
TRIVY_VERSION: "0.27.1"
FROM_IMAGE: ${DEVOPS_REGISTRY}usgs/amazoncorretto:11
BUILD_IMAGE: ${DEVOPS_REGISTRY}usgs/amazoncorretto:11
## --------------------------------------------------
# Test Stage
## --------------------------------------------------
Java Test:
after_script:
# runs before cache is saved
- rm -f "${CI_PROJECT_DIR}/.gradle/caches/modules-2/modules-2.lock"
- rm -fr "${CI_PROJECT_DIR}/.gradle/caches/*/plugin-resolution/"
artifacts:
reports:
coverage_report:
coverage_format: cobertura
path: build/reports/cobertura/cobertura.xml
junit: build/test-results/test/TEST-*.xml
cache:
paths:
- .gradle/caches
- .gradle/wrapper
image: ${JAVA_IMAGE}
script:
# run gradle and javadoc
- export GRADLE_USER_HOME="${CI_PROJECT_DIR}/.gradle"
- ./gradlew build javadoc zipModels
stage: test
rules:
- <<: *dev-env
when: always
- <<: *publish-env
when: always
tags:
- development
## --------------------------------------------------
# Deploy Stage
## --------------------------------------------------
# Dev deploy
dvbl2 webttt Service:
extends:
- .deploy
tags:
- deploy
- development
- dvbl2
variables:
APP_NAME: neic-traveltime
only:
- development@ghsc/neic/algorithms/neic-traveltime
# Staging (test) deploy
dvbld webttt Service:
extends:
- .deploy
tags:
- deploy
- staging
- dvbld
variables:
APP_NAME: neic-traveltime
only:
- staging@ghsc/neic/algorithms/neic-traveltime
# Production deployment:
mot1 webttt Service:
extends:
- .deploy
tags:
- deploy
- production
- mot1
variables:
APP_NAME: neic-traveltime
only:
- production@ghsc/neic/algorithms/neic-traveltime
## --------------------------------------------------
# Publish stage
## --------------------------------------------------
Java Publish:
after_script:
# runs before cache is saved
- rm -f "${CI_PROJECT_DIR}/.gradle/caches/modules-2/modules-2.lock"
- rm -fr "${CI_PROJECT_DIR}/.gradle/caches/*/plugin-resolution/"
artifacts:
paths:
- build/libs/*all.jar
- build/distributions/Models.zip
cache:
paths:
- .gradle/caches
- .gradle/wrapper
image: ${JAVA_IMAGE}
script:
# use gradle to publish to our maven repository
- export GRADLE_USER_HOME="${CI_PROJECT_DIR}/.gradle"
- ./gradlew zipModels publish
stage: publish
rules:
- <<: *dev-env
when: never
- <<: *publish-env
when: manual
tags:
- build