# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright (c) 2022 Axway Software SA and its affiliates. All rights reserved.
#
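default:
  # Runs before every job that does not declare its own before_script. A
  # job-level before_script replaces this one rather than extending it, which
  # is why test/push/push-latest repeat the DOCKER_TAG defaulting below.
  before_script:
    # Default the image tag to the ref name when the caller did not pin one.
    # Plain export, no eval: CI_COMMIT_REF_NAME is chosen by whoever pushes the
    # ref, and eval would interpret shell metacharacters in that name.
    # NOTE(review): a ref name containing "/" (e.g. feature/x) is not a valid
    # image tag — such pipelines need DOCKER_TAG set explicitly.
    - |
      if [ -z "$DOCKER_TAG" ]; then
        export DOCKER_TAG="$CI_COMMIT_REF_NAME"
      fi
      echo "Using DOCKER_TAG=$DOCKER_TAG"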
# Pipeline order: build the image, exercise it with the compose suites, scan it
# (triggered pipelines only, see the `security` job), then push to the registry.
stages:
  - build
  - test
  - security
  - push
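build:
  stage: build
  script:
    # The build source is chosen by which variable is set: INSTALL_KIT (a local
    # kit) wins over URL_BASE (download), and URL_BASE may be narrowed to one
    # PACKAGE. With neither set the job aborts. The build context is ./docker.
    # Build args are recorded in the image metadata (`docker history`), so none
    # of these values may carry credentials — URL_BASE in particular must not
    # embed a token in the URL.
    - |
      # Shared docker build invocation; extra --build-arg pairs come via "$@".
      build_image() {
        docker build -t "$IMAGE_CFT:$DOCKER_TAG" \
          --build-arg BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
          --build-arg BUILD_VERSION="$BUILD_VERSION" \
          --build-arg BUILD_REVISION="$BUILD_REVISION" \
          "$@" \
          docker
      }
      if [ -n "$INSTALL_KIT" ]; then
        echo "Build using version=$BUILD_VERSION, revision=$BUILD_REVISION, and kit=$INSTALL_KIT"
        build_image --build-arg INSTALL_KIT="$INSTALL_KIT"
      elif [ -n "$URL_BASE" ]; then
        if [ -n "$PACKAGE" ]; then
          echo "Build using version=$BUILD_VERSION, revision=$BUILD_REVISION, url=$URL_BASE and package=$PACKAGE"
          build_image --build-arg URL_BASE="$URL_BASE" --build-arg PACKAGE="$PACKAGE"
        else
          echo "Build using version=$BUILD_VERSION, revision=$BUILD_REVISION, and url=$URL_BASE"
          build_image --build-arg URL_BASE="$URL_BASE"
        fi
      else
        echo "INSTALL_KIT or URL_BASE must be defined, aborting..."
        exit 1
      fi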
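test:
  stage: test
  # A job-level before_script replaces default.before_script (it does not
  # extend it), so the DOCKER_TAG defaulting is repeated before the login.
  before_script:
    - |
      if [ -z "$DOCKER_TAG" ]; then
        export DOCKER_TAG="$CI_COMMIT_REF_NAME"
      fi
      echo "Using DOCKER_TAG=$DOCKER_TAG"
    # --password-stdin keeps the API key out of argv (readable by every process
    # on the runner host) and out of the echoed job log; -p on the command line
    # exposed it in both.
    - echo "$ARTIFACTORY_CI_API_KEY" | docker login "$RELEASE_REGISTRY_URL" -u "$ARTIFACTORY_CI_USER" --password-stdin
  script:
    - cd test
    # NOTE(review): this removes every unused network on the docker host, not
    # only this job's — confirm the runner is dedicated before keeping it.
    - docker network prune --force
    # Suite 01: fresh build and run. Logs are dumped and the stack torn down
    # before FAILED is checked, so a failing suite still leaves a clean host.
    - docker-compose -f docker-compose-01.test.yml down -v
    - docker-compose -f docker-compose-01.test.yml up --build --abort-on-container-exit --remove-orphans --force-recreate sut || FAILED=true
    - docker-compose -f docker-compose-01.test.yml logs || true
    # `down` without -v keeps the volumes for the smoke run that follows.
    - docker-compose -f docker-compose-01.test.yml down
    - if [ "${FAILED}" ]; then exit 1; fi
    # redo a set of smoke tests with a runtime that already exists
    - docker-compose -f docker-compose-01.test.yml up --abort-on-container-exit --remove-orphans
    - docker-compose -f docker-compose-01.test.yml down -v
    # Suite 02: pre-upgrade state, same dump-then-check pattern.
    - docker-compose -f docker-compose-02-pre-upgrade.test.yml down -v
    - docker-compose -f docker-compose-02-pre-upgrade.test.yml up --build --abort-on-container-exit --remove-orphans --force-recreate sut || FAILED=true
    - docker-compose -f docker-compose-02-pre-upgrade.test.yml logs || true
    - docker-compose -f docker-compose-02-pre-upgrade.test.yml down
    - if [ "${FAILED}" ]; then exit 1; fi
    # Suite 03: upgrade run; presumably reuses the volumes suite 02 left behind
    # (02 is taken down without -v) — confirm against the compose files.
    - docker-compose -f docker-compose-03-upgrade.test.yml up --build --abort-on-container-exit --remove-orphans --force-recreate sut || FAILED=true
    - docker-compose -f docker-compose-03-upgrade.test.yml logs || true
    - docker-compose -f docker-compose-03-upgrade.test.yml down -v
    - if [ "${FAILED}" ]; then exit 1; fi
    - cd ..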
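security:
  stage: security
  # Only triggered pipelines carry this job; other pipelines go straight from
  # test to push, so images built there reach the registry unscanned. Keep that
  # in mind before treating this stage as a gate.
  rules:
    - if: $CI_PIPELINE_SOURCE == "trigger"
  # SKIP_SECURITY=1 is a plain pipeline variable: anyone who can trigger the
  # pipeline with variables can bypass the scan, so trigger access needs the
  # same control as the scan policy itself.
  #
  # NOTE(review): curl --insecure disables certificate checking, so the bearer
  # token is sent over an unauthenticated TLS connection; pin the SRM CA with
  # --cacert and drop the flag.
  # NOTE(review): the form field name in "[email protected]" was garbled in
  # this copy of the file; restore "<field>=@analysis.json" from the original
  # before use.
  script:
    - |
      if [ "${SKIP_SECURITY}" = "1" ]; then
        echo "Skip security scan"
      else
        # Scan the image and store the URL of the scan results.
        # The image name scanned is not deterministic; retrieve it from the output...
        twistcli images scan -u "$TWISTLOCK_USER" -p "$TWISTLOCK_PASSWORD" --address "$TWISTLOCK_URL" --details --output-file analysis.json "$IMAGE_CFT:$DOCKER_TAG"
        echo ">>>> analysis.json"
        jq . analysis.json
        echo "<<<< analysis.json"
        # Upload the scan result to SRM. --fail turns an HTTP error into a job
        # failure; without it a rejected upload (expired SRM_APIKEY, wrong
        # project id) passed silently.
        curl --insecure --fail -H "Authorization: Bearer $SRM_APIKEY" -H "Accept: application/json" -X POST --form "[email protected]" "${SRM_URL}/${SRM_PROJECTID}/analysis"
      fi
  # Runs even when the scan or the upload fails, so the raw findings never
  # linger in the workspace (the in-script rm was skipped on any error).
  after_script:
    - rm -f analysis.json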
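push:
  stage: push
  # Job-level before_script replaces default.before_script, so the DOCKER_TAG
  # defaulting is repeated here before the registry login.
  before_script:
    - |
      if [ -z "$DOCKER_TAG" ]; then
        export DOCKER_TAG="$CI_COMMIT_REF_NAME"
      fi
      echo "Using DOCKER_TAG=$DOCKER_TAG"
    # --password-stdin keeps the API key out of argv and out of the job log.
    - echo "$ARTIFACTORY_CI_API_KEY" | docker login "$REGISTRY_URL" -u "$ARTIFACTORY_CI_USER" --password-stdin
  script:
    # Re-tag the locally built image for REGISTRY_URL and push it.
    # NOTE(review): nothing pulls the image or passes it as an artifact, so this
    # assumes build, test and push share one docker host — confirm runner setup.
    - docker tag "$IMAGE_CFT:$DOCKER_TAG" "$REGISTRY_URL/$IMAGE_CFT:$DOCKER_TAG"
    - docker push "$REGISTRY_URL/$IMAGE_CFT:$DOCKER_TAG"
    # Additional tag with DOCKER_ADD_TAG
    - |
      if [ -n "$DOCKER_ADD_TAG" ]; then
        docker tag "$IMAGE_CFT:$DOCKER_TAG" "$REGISTRY_URL/$IMAGE_CFT:$DOCKER_ADD_TAG"
        docker push "$REGISTRY_URL/$IMAGE_CFT:$DOCKER_ADD_TAG"
      fi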
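push-latest:
  stage: push
  only:
    refs:
      # Push the "latest" mutable Docker version only when tagging.
      # Dots are escaped so the pattern matches X.Y.Z release tags rather than
      # any three runs of digits with arbitrary separators. `only: refs` also
      # matches branch names of that shape; `rules: - if: $CI_COMMIT_TAG =~ ...`
      # would restrict it to tags proper.
      - /^\d+\.\d+\.\d+/
  # Job-level before_script replaces default.before_script, so the DOCKER_TAG
  # defaulting is repeated here before the registry login.
  before_script:
    - |
      if [ -z "$DOCKER_TAG" ]; then
        export DOCKER_TAG="$CI_COMMIT_REF_NAME"
      fi
      echo "Using DOCKER_TAG=$DOCKER_TAG"
    # --password-stdin keeps the API key out of argv and out of the job log.
    - echo "$ARTIFACTORY_CI_API_KEY" | docker login "$REGISTRY_URL" -u "$ARTIFACTORY_CI_USER" --password-stdin
  script:
    # Re-point the mutable "latest" tag at the image built for this ref.
    - docker tag "$IMAGE_CFT:$DOCKER_TAG" "$REGISTRY_URL/$IMAGE_CFT:latest"
    - docker push "$REGISTRY_URL/$IMAGE_CFT:latest"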