.gitlab-ci.yml
# Shared job templates pulled from the jitesoft CI library: Trivy scanning,
# OCI image signing and README publishing. Keys ordered project-then-file for
# every entry so the list reads uniformly.
include:
  - project: jitesoft/gitlab-ci-lib
    file: Scan/trivy.yml
  - project: jitesoft/gitlab-ci-lib
    file: OCI/sign.yml
  - project: jitesoft/gitlab-ci-lib
    file: /OCI/push-readme.yml
# Pipeline order. "sign" has no job in this file; presumably it is filled by
# the included OCI/sign.yml template — confirm there.
stages:
  - readme
  - download
  - build
  - containerize
  - cgi
  - sign
  - scan
  - cache
# Publishes README.md to the listed registries via the included readme template.
update-readme:
  stage: readme
  extends: .readme-check.v2
  # Runs only on protected runners, so registry credentials stay off shared ones.
  tags: [ protected ]
  variables:
    PUSHRM_FILE: "$CI_PROJECT_DIR/README.md"
    GIT_DEPTH: "3"
    REGISTRIES: "quay.io/jitesoft/lighttpd,docker.io/jitesoft/lighttpd"
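# Scheduled/manual probe: compares the newest upstream 1.4.x release with the
# cached version.txt and triggers a child pipeline in BUILD or SCAN mode.
check:
  stage: download
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "web"'
      when: always
    - when: never
  # NOTE(review): ":latest" is unpinned; the job runs whatever the tag points at.
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  script:
    # version.txt comes from the pull-only cache below; create it so a cache
    # miss compares against an empty file instead of failing on cat.
    - touch version.txt
    # Scrape the newest release number from the directory listing. The regex
    # admits only digits and dots, so VERSION cannot carry shell or URL specials.
    # NOTE(review): "sort -r" is lexical, not numeric; it orders 1.4.9 above
    # 1.4.10. Fine while all listed versions have the same digit count — verify.
    - VERSION=$(wget -qO- https://download.lighttpd.net/lighttpd/releases-1.4.x/ | grep -oP "(?<=<a href=\"lighttpd-)([0-9]{0,3}[.][0-9]{0,3}[.][0-9]{0,3})" | sort -r -u - | awk 'NR==1{print $1}')
    - |
      # Fail loudly if the scrape produced nothing; otherwise an empty VERSION
      # would be handed to the triggered pipeline.
      if [ -z "${VERSION}" ]; then
        echo "Could not determine the latest lighttpd version."
        exit 1
      fi
      # FORCE_BUILD (set via the UI/schedule) bypasses the comparison.
      if [ -n "${FORCE_BUILD+x}" ] || [ "${VERSION}" != "$(cat version.txt)" ]; then
        echo "${VERSION} and $(cat version.txt) differ. Running build."
        MODE=BUILD
      else
        echo "${VERSION} and $(cat version.txt) were equal. Running scan."
        MODE=SCAN
      fi
      # --fail turns a rejected trigger (bad token, wrong project) into a failed
      # job instead of printing the API error and exiting 0.
      curl -fsS -F token=${CI_JOB_TOKEN} -F ref=master -F "variables[VERSION]=${VERSION}" -F "variables[${MODE}]=true" https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/trigger/pipeline
  cache:
    paths:
      - version.txt
    policy: pull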
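# Fetches the release tarball plus its detached signature and checksum file,
# then verifies both before the tarball is handed to the build jobs.
download:
  rules:
    - if: "$BUILD"
      when: always
    - when: never
  stage: download
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  script:
    # -f turns an HTTP error into a failed job instead of saving the error
    # page under the tarball's name.
    - curl -fOsS https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${VERSION}.tar.xz
    - curl -fOsS https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${VERSION}.tar.xz.asc
    - curl -fOsS https://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-${VERSION}.sha256sum
    # Import the signing keys listed in keys.txt, trying keyservers in order.
    # NOTE(review): the hkp:// fallbacks are plain HTTP, so the imported key is
    # only as trustworthy as the identifier in keys.txt — assumes those are
    # full fingerprints, TODO confirm.
    - |
      for key in $(cat keys.txt); do
        gpg --keyserver hkps://keys.openpgp.org --recv-keys "$key" 2>&1 ||
        gpg --keyserver keyserver.ubuntu.com --recv-keys "$key" 2>&1 ||
        gpg --keyserver hkp://ha.pool.sks-keyservers.net:80 --recv-keys "$key" 2>&1 ||
        gpg --keyserver hkp://keyserver.pgp.com:80 --recv-keys "$key" 2>&1 ||
        gpg --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key"
      done
    # Authenticity: the detached signature must verify with an imported key.
    - gpg --verify lighttpd-${VERSION}.tar.xz.asc lighttpd-${VERSION}.tar.xz
    # Integrity: select this tarball's line from the checksum file and let
    # sha256sum compare it against the downloaded bytes. (The earlier bare grep
    # only searched for the file name and never checked the digest.) The
    # checksum file comes from the same host as the tarball, so this is a
    # transfer check only; the signature above is the authenticity check.
    - grep " lighttpd-${VERSION}.tar.xz\$" lighttpd-${VERSION}.sha256sum | sha256sum -c -
  artifacts:
    expire_in: 1 day
    paths:
      - lighttpd-*.tar.xz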
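# Template for the per-architecture source build. Concrete jobs set ARCH and
# the runner tag; output is out/lighttpd-${ARCH}.tar.gz with /usr/local's tree.
.build:
  rules:
    - if: "$BUILD"
      when: on_success
    - when: never
  image: registry.gitlab.com/jitesoft/dockerfiles/misc/buildbase/3.20:latest
  # Consumes the verified tarball artifact from the download job.
  needs:
    - download
  stage: build
  before_script:
    # ccache lives in the project dir so the per-ARCH cache below can keep it.
    - export CCACHE_DIR="${CI_PROJECT_DIR}/ccache"
    - export PATH="/usr/lib/ccache/bin:$PATH"
    - mkdir -p ccache
    - apk add --force-overwrite --no-cache build-base pcre2-dev bsd-compat-headers brotli-dev flex libressl-dev bzip2-dev lua5.3-dev openldap-dev libxml2-dev sqlite-dev libev-dev
    - mkdir src
    - tar -xJhf lighttpd-${VERSION}.tar.xz --strip-components=1 -C src
  script:
    - cd src
    - ./autogen.sh
    - ./configure --prefix=/usr/local --with-lua --with-openssl --with-ldap --with-brotli
    - make -j4
    - make install
    - ccache -s
    # Plain subshell: the original "$( ... )" ran the same commands but then
    # tried to execute their (empty) output as a command.
    - (cd /usr/local && tar -czf /tmp/lighttpd.tar.gz *)
    - cd ..
    - mkdir out
    - mv /tmp/lighttpd.tar.gz out/lighttpd-${ARCH}.tar.gz
  artifacts:
    paths:
      - out
    expire_in: 1 day
  cache:
    paths:
      - ccache
    key: lighttpd.build.ccache-${ARCH}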
# arm64 build on a native aarch64 runner. GIT_STRATEGY none: only the
# download artifact is needed, not a checkout.
build:arm:
  extends: .build
  variables:
    GIT_STRATEGY: none
    ARCH: arm64
  tags:
    - native-aarch64
# amd64 build on a native x86_64 runner. GIT_STRATEGY none: only the
# download artifact is needed, not a checkout.
build:amd:
  extends: .build
  variables:
    GIT_STRATEGY: none
    ARCH: amd64
  tags:
    - native-amd64
# Multi-arch image build from the two build artifacts; pushes latest and
# ${VERSION} tags to every listed registry with SBOM and provenance attached.
containerize:lighttpd:
  stage: containerize
  rules:
    - if: "$BUILD"
      when: on_success
    - when: never
  needs:
    - build:amd
    - build:arm
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  # Pushes go through protected buildx runners only.
  tags: [ jitesoft, buildx, protected ]
  script:
    # Stage the runtime files next to the build artifacts (the Dockerfile's context).
    - mv entrypoint out/
    - mv healthcheck out/
    - mv lighttpd.conf out/
    - mv conf.d out/
    # NOTE(review): the cgi job calls "helper taglist ..." while this one calls
    # "helper ..." with no subcommand — confirm both forms are accepted.
    - TAGS=$(helper "${CI_REGISTRY_IMAGE},jitesoft/lighttpd,ghcr.io/jitesoft/lighttpd,quay.io/jitesoft/lighttpd" "latest,${VERSION}")
    # ${TAGS} is intentionally unquoted: it expands to several "-t name" words.
    - docker buildx build --sbom=true --provenance=true --platform linux/amd64,linux/arm64 --progress plain --push ${TAGS} --build-arg VERSION=${VERSION} .
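# CGI variant, built from cgi/Dockerfile once the base image has been pushed.
containerize:lighttpd:cgi:
  stage: cgi
  rules:
    - if: "$BUILD"
      when: on_success
    - when: never
  # Ordering dependency only; no artifacts are carried over.
  needs:
    - job: containerize:lighttpd
      artifacts: false
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  # Pushes go through protected buildx runners only.
  tags: [ jitesoft, buildx, protected ]
  script:
    # No comma between the two arguments: the original "…/cgi", passed a
    # registry name with a trailing comma to helper.
    - TAGS=$(helper taglist "${CI_REGISTRY_IMAGE}/cgi" "latest,${VERSION}")
    - OTAGS=$(helper taglist "jitesoft/lighttpd,ghcr.io/jitesoft/lighttpd,quay.io/jitesoft/lighttpd" "latest-cgi,${VERSION}-cgi,cgi")
    - TAGS="$TAGS $OTAGS"
    # ${TAGS} is intentionally unquoted: it expands to several "-t name" words.
    - docker buildx build --sbom=true --provenance=true --platform linux/amd64,linux/arm64 --build-arg BUILD_TIME="$(date -Iseconds)" --build-arg "VERSION=${VERSION}" --progress plain --push ${TAGS} -f cgi/Dockerfile .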
# Vulnerability scan of the freshly pushed base image (included Trivy template).
# Runs on every SCAN-mode pipeline and after a successful BUILD.
scan:
  extends: .container_scanning
  stage: scan
  rules:
    - if: "$SCAN"
      when: always
    - if: "$BUILD"
      when: on_success
    - when: never
  variables:
    SCANNING_IMAGE_NAME: "${CI_REGISTRY_IMAGE}:${VERSION}"
    GIT_STRATEGY: none
# Same scan as above, for the CGI image.
scan:cgi:
  extends: .container_scanning
  stage: scan
  rules:
    - if: "$SCAN"
      when: always
    - if: "$BUILD"
      when: on_success
    - when: never
  variables:
    SCANNING_IMAGE_NAME: "${CI_REGISTRY_IMAGE}/cgi:${VERSION}"
    GIT_STRATEGY: none
# Final stage of a successful BUILD: records the built version in the
# push-only cache that the check job later pulls and compares against.
create-cache:
  stage: cache
  rules:
    - if: "$BUILD"
      when: on_success
    - when: never
  script:
    - echo "${VERSION}" > version.txt
  cache:
    policy: push
    paths:
      - version.txt