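---
# Pipeline-wide variables. Every version value is quoted so that all YAML
# loaders (and yamllint) read them as strings; previously only two of them
# were, which was inconsistent and fragile if a value ever becomes number-like.
variables:
  IMAGE_TAG: $CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA
  IMAGE_TAG_COMPOSE: $CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA-compose
  DOCKER_HUB_REPOSITORY: k911/docker-client
  # presumably makes the docker:dind service generate TLS certs and the
  # client connect over TLS; this is the documented GitLab dind setup — verify
  DOCKER_TLS_CERTDIR: /certs
  DOCKER_RUNNER_VERSION: "25.0.3"
  DOCKER_VERSION: "25.0.3"
  TRIVY_VERSION: "0.16.0"
  DOCKER_BUILDX_VERSION: "0.12.1"
  DOCKER_AWS_ECR_CREDENTIAL_HELPER_VERSION: "0.7.1"
  DOCKER_PASS_CREDENTIAL_HELPER_VERSION: "0.8.1"
  PYTHON_VERSION: "3.9"
  ALPINE_VERSION: "3.16"

# do not run duplicate "detached" pipelines
# https://docs.gitlab.com/ee/ci/yaml/README.html#workflowrules-templates
include:
  - template: 'Workflows/Branch-Pipelines.gitlab-ci.yml'

stages:
  - lint
  - build
  - test
  - deploy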
# Static analysis of the repository's shell scripts. Scheduled only when a
# script or this pipeline definition changes.
lint-shellcheck:
  stage: lint
  # NOTE(review): ":stable" is a floating tag, so the shellcheck version can
  # change between runs; pin a release tag for reproducible lint results.
  image: koalaman/shellcheck-alpine:stable
  rules:
    - changes:
        - scripts/*.sh
        - .gitlab-ci.yml
  script:
    - shellcheck scripts/*.sh
# yamllint over every *.yml / *.yaml file in the repository (this file
# included). Scheduled only when such a file changes.
lint-yamllint:
  stage: lint
  image: python:$PYTHON_VERSION-alpine$ALPINE_VERSION
  variables:
    # keep pip's download cache inside the project dir so GitLab can cache it
    PIP_CACHE_DIR: $CI_PROJECT_DIR/.cache/pip/
  cache:
    paths:
      - .cache/pip/
  rules:
    - changes:
        - "**/*.{yml,yaml}"
  before_script:
    # NOTE(review): yamllint is installed unpinned from PyPI, so the lint
    # outcome can change when a new release lands; consider pinning a version.
    - pip install yamllint
  script:
    - yamllint .
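# Build the two image variants (targets "client" and "compose") and push them
# to the GitLab registry under commit-specific tags. deploy-docker-image later
# re-tags exactly these images, so nothing is rebuilt at deploy time.
build-docker-image:
  stage: build
  image: docker:$DOCKER_RUNNER_VERSION
  services:
    - docker:$DOCKER_RUNNER_VERSION-dind
  variables:
    DOCKER_BUILDKIT: "1"
  before_script:
    - docker info
    - ./scripts/gitlab-docker-registry-login.sh
  script:
    # Warm the local image store with the previously published images. The
    # `|| true` keeps the very first build (no published image yet) from failing.
    # NOTE(review): with DOCKER_BUILDKIT=1 a pulled image only serves as build
    # cache when `--cache-from` is also passed; confirm these pulls still help.
    - docker pull "$CI_REGISTRY_IMAGE:latest" || true
    - >-
      docker build --pull --build-arg "DOCKER_VERSION=$DOCKER_VERSION"
      --target client
      --build-arg "DOCKER_BUILDX_VERSION=$DOCKER_BUILDX_VERSION"
      --build-arg "DOCKER_AWS_ECR_CREDENTIAL_HELPER_VERSION=$DOCKER_AWS_ECR_CREDENTIAL_HELPER_VERSION"
      --build-arg "DOCKER_PASS_CREDENTIAL_HELPER_VERSION=$DOCKER_PASS_CREDENTIAL_HELPER_VERSION"
      --tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG" .
    - docker push "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
    # The compose variant is published as ":compose" (see deploy-docker-image).
    # The previous ":composer" tag is never pushed by any job, so that pull
    # always failed and the failure was hidden by `|| true`.
    - docker pull "$CI_REGISTRY_IMAGE:compose" || true
    - >-
      docker build --pull --build-arg "DOCKER_VERSION=$DOCKER_VERSION"
      --target compose
      --build-arg "DOCKER_BUILDX_VERSION=$DOCKER_BUILDX_VERSION"
      --build-arg "DOCKER_AWS_ECR_CREDENTIAL_HELPER_VERSION=$DOCKER_AWS_ECR_CREDENTIAL_HELPER_VERSION"
      --build-arg "DOCKER_PASS_CREDENTIAL_HELPER_VERSION=$DOCKER_PASS_CREDENTIAL_HELPER_VERSION"
      --tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE" .
    - docker push "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE"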
# Smoke test: run the freshly built client image itself and use it to rebuild
# this repository with buildx, proving the image can drive a docker build.
test-build-self-buildx:
  stage: test
  needs:
    - build-docker-image
  image: $CI_REGISTRY_IMAGE:$IMAGE_TAG
  services:
    - docker:$DOCKER_RUNNER_VERSION-dind
  variables:
    # presumably read by the image's docker-use-buildx helper to create a
    # context and a builder before the build — verify in the image's scripts
    DOCKER_BUILDX_CONTEXT_CREATE: "1"
    DOCKER_BUILDX_BUILDER_CREATE: "1"
  before_script:
    - docker-use-buildx
    - gitlab-docker-registry-login
  script:
    # --load imports the buildx result into the local image store so the
    # listing below can show it
    - docker build . -t "$CI_REGISTRY_IMAGE:$IMAGE_TAG-self" --load
    - docker image ls
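# Smoke test: run the freshly built compose image itself and use it to build
# the "local" service of this repository's compose file.
test-build-self-docker-compose:
  stage: test
  needs:
    - build-docker-image
  image: $CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE
  services:
    - docker:$DOCKER_RUNNER_VERSION-dind
  variables:
    # TARGET is not read anywhere in this file; presumably the compose file
    # uses it as the build target — confirm
    TARGET: compose
    DOCKER_BUILDKIT: "1"
    COMPOSE_DOCKER_CLI_BUILD: "1"
  before_script:
    - gitlab-docker-registry-login
  script:
    - docker-compose build --pull local
    # `docker images ls` filtered by a repository literally named "ls" and so
    # always printed an empty table; `docker image ls` lists what was built
    - docker image ls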
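# Vulnerability scan of both freshly built images with Trivy. By default Trivy
# exits 0 whatever it finds, so the previous form could never change the job
# status; `--exit-code 1 --severity HIGH,CRITICAL` now makes findings visible
# as a (allowed) failure in the pipeline.
test-scan-trivy:
  stage: test
  needs:
    - build-docker-image
  image:
    name: aquasec/trivy:$TRIVY_VERSION
    # the image's entrypoint is the trivy binary; clear it so the runner can
    # execute the job's script shell
    entrypoint: [""]
  cache:
    paths:
      - .trivycache/
  variables:
    # registry credentials so Trivy can pull the images under test
    TRIVY_AUTH_URL: $CI_REGISTRY
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
    TRIVY_CACHE_DIR: $CI_PROJECT_DIR/.trivycache/
  # NOTE(review): with allow_failure the deploy stage still runs on images
  # with HIGH/CRITICAL findings; remove it to make the scan a real gate.
  allow_failure: true
  script:
    - trivy --no-progress --exit-code 1 --severity HIGH,CRITICAL "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
    - trivy --no-progress --exit-code 1 --severity HIGH,CRITICAL "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE"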
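# Promote the commit-tagged images built earlier in this pipeline to the
# stable tags on both the GitLab registry and Docker Hub. Runs only on master
# and is bound to the "prod" environment. No image is rebuilt here: the
# tags point at exactly what build-docker-image pushed and the test stage saw.
# NOTE(review): test-scan-trivy is allow_failure, so this job is not gated
# on the vulnerability scan.
deploy-docker-image:
  stage: deploy
  image: docker:$DOCKER_RUNNER_VERSION
  services:
    - docker:$DOCKER_RUNNER_VERSION-dind
  environment:
    name: prod
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
  variables:
    # Docker Hub credentials exposed under the generic names presumably read by
    # scripts/docker-registry-login.sh — verify; the DOCKER_HUB_* values should
    # be masked/protected CI variables
    DOCKER_REGISTRY: $DOCKER_HUB_REGISTRY
    DOCKER_USERNAME: $DOCKER_HUB_USERNAME
    DOCKER_PASSWORD: $DOCKER_HUB_TOKEN
  before_script:
    - ./scripts/docker-registry-login.sh
    - ./scripts/gitlab-docker-registry-login.sh
  script:
    - docker pull "$CI_REGISTRY_IMAGE:$IMAGE_TAG"
    - docker pull "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE"
    # GitLab tags
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG" "$CI_REGISTRY_IMAGE:$DOCKER_VERSION"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG" "$CI_REGISTRY_IMAGE:latest"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE" "$CI_REGISTRY_IMAGE:$DOCKER_VERSION-compose"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE" "$CI_REGISTRY_IMAGE:compose"
    # Docker Hub tags
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG" "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:$DOCKER_VERSION"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG" "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:latest"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE" "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:$DOCKER_VERSION-compose"
    - docker tag "$CI_REGISTRY_IMAGE:$IMAGE_TAG_COMPOSE" "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:compose"
    # GitLab push
    - docker push "$CI_REGISTRY_IMAGE:$DOCKER_VERSION"
    - docker push "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:$DOCKER_VERSION-compose"
    - docker push "$CI_REGISTRY_IMAGE:compose"
    # Docker Hub push
    - docker push "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:$DOCKER_VERSION"
    - docker push "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:latest"
    - docker push "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:$DOCKER_VERSION-compose"
    - docker push "$DOCKER_HUB_REGISTRY/$DOCKER_HUB_REPOSITORY:compose"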