# Jobs defined here use the idp/ci docker image from ECR by default. To find
# other available images:
# aws ecr describe-repositories | jq '.repositories[].repositoryUri'
# Images are built via the identity-devops GitLab pipeline.
variables:
  # Explicit "running under CI" marker for scripts that branch on it
  # (GitLab itself also predefines GITLAB_CI).
  GITLAB_CI: 'true'
  # AWS_ACCOUNT_ID and AWS_REGION are expected from the project's CI settings.
  ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'
  # Immutable digest of the idp/ci image; the default image below pulls by
  # this digest instead of a mutable tag, so updating it is a deliberate change.
  IDP_CI_SHA: 'sha256:5c4953f8efba18b7a6d6a9a961cb77ba7143059cbb2176499432b4275fbe67db'
  # Presumably read by the RSpec setup to emit JUnit XML — verify in spec config.
  JUNIT_OUTPUT: 'true'
  # Consumed by the included Dependency-Scanning template to select FIPS analyzer images.
  DS_IMAGE_SUFFIX: '-fips'
default:
  # Every job runs in the digest-pinned idp/ci image unless it overrides `image`.
  image: '${ECR_REGISTRY}/idp/ci@${IDP_CI_SHA}'
# Shared script step: reuse the cached gems when they satisfy Gemfile.lock,
# otherwise install in deployment mode (lockfile is authoritative) into the
# cached vendor/ruby path. Folded scalar keeps this a single shell line.
.bundle_install: &bundle_install
  - >-
    bundle check || bundle install --deployment --jobs=4 --retry=3
    --without deploy development doc production --path vendor/ruby
# Gem cache shared by all jobs; the key follows Gemfile.lock so a lockfile
# change invalidates it.
.build_cache:
  - &ruby_cache
    key:
      files:
        - Gemfile.lock
    paths:
      - vendor/ruby
    # Read-only by default; only the install job switches this to pull-push.
    policy: pull
stages:
  - build       # install
  - test        # specs, lint, audit (and, by default, the included scanners)
  - after_test  # coverage
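workflow:
  rules:
    # Scheduled runs never create a pipeline.
    # NOTE(review): audit_packages_scheduled is gated on
    # $CI_PIPELINE_SOURCE == "schedule", so with this rule in place that job
    # looks unreachable — confirm which behaviour is intended.
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    # Merge requests, external pull requests and manual web runs. (The former
    # MR/PR-only rule was a strict subset of this one; rules are first-match
    # and both had the default `when`, so dropping it changes nothing.)
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "external_pull_request_event" || $CI_PIPELINE_SOURCE == "web"'
    # Pushes to the two long-lived branches.
    - if: '$CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "stages/prod"'
    - if: '$CI_MERGE_REQUEST_IID || $CI_EXTERNAL_PULL_REQUEST_IID'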
install:
  stage: build
  variables:
    RAILS_ENV: test
  cache:
    # The only job that writes the gem cache; everything downstream pulls it.
    - <<: *ruby_cache
      policy: pull-push
  script:
    - *bundle_install
specs:
  stage: test
  needs:
    - job: install
  # Knapsack splits the suite across 22 nodes; CI_NODE_INDEX names each one.
  parallel: 22
  cache:
    - <<: *ruby_cache
  variables:
    # Dummy AWS credentials — presumably for stubbed SDK clients; verify no
    # spec reaches real AWS with them.
    AWS_ACCESS_KEY_ID: test
    AWS_DEFAULT_REGION: us-west-2
    AWS_REGION: us-west-2
    AWS_SECRET_ACCESS_KEY: test
    COVERAGE: 'true'
    # Must match the service alias below.
    DOCKER_DB_HOST: db-postgres
    POSTGRES_DB: identity_reporting_rails_test
    POSTGRES_USER: postgres_user
    POSTGRES_PASSWORD: postgres_password
    # Passwordless auth is acceptable only because the database is an
    # ephemeral service container private to this job.
    POSTGRES_HOST_AUTH_METHOD: trust
    RAILS_ENV: test
  services:
    # NOTE(review): pinned by tag only, unlike the digest-pinned job image;
    # consider pinning by digest for the same reproducibility guarantee.
    - name: postgres:13
      alias: db-postgres
      # Durability settings are disabled for throughput; fine for a throwaway DB.
      command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
  artifacts:
    expire_in: 31d
    # Keep results even when the job fails so failures are inspectable.
    when: always
    paths:
      - coverage/
      - rspec.xml
      - rspec_json/
    reports:
      junit: rspec.xml
  script:
    - *bundle_install
    - cp config/application.yml.default config/application.yml
    - bundle exec rake db:create db:migrate --trace
    - bundle exec rake db:seed
    - bundle exec rake knapsack:rspec["--format documentation --format RspecJunitFormatter --out rspec.xml --format json --out rspec_json/${CI_NODE_INDEX}.json"]
lint:
  stage: test
  needs:
    - job: install
  cache:
    - <<: *ruby_cache
  script:
    - *bundle_install
    # `make lint` is expected to write rubocop.xml (see artifacts below).
    - make lint
  artifacts:
    expire_in: 31d
    when: always
    paths:
      - rubocop.xml
    reports:
      junit: rubocop.xml
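coverage:
  stage: after_test
  cache:
    - <<: *ruby_cache
  script:
    - *bundle_install
    # Merges the per-node SimpleCov results; with no `needs`/`dependencies`
    # GitLab downloads artifacts from all earlier-stage jobs, i.e. specs.
    - bundle exec spec/simplecov_merger.rb
    - mv coverage/coverage/* coverage/
  # Extracts the percentage from the SimpleCov summary line, e.g. (constructed)
  # "Coverage report generated for RSpec ... 1234 / 1500 LOC (82.27%) covered."
  # The former pattern (\d\d.\d\d) required exactly two digits on each side of
  # the dot, so values such as 100.0% or 82.5% were never reported; \d+(?:\.\d+)?
  # accepts all of them and the dot is now escaped.
  coverage: '/Coverage report generated for .* LOC \((\d+(?:\.\d+)?\%)\).*$/'
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage/coverage.xml
    name: coverage
    expire_in: 31d
    paths:
      - rspec_json/rspec.json
      - knapsack_rspec_report.json
      - coverage/index.html
      - coverage/assets/
      - coverage/coverage.xml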
# GitLab-managed security scanners. The `.latest` variants track the newest
# template revision and may change behaviour between GitLab releases; the
# un-suffixed templates are the stable alternative if that becomes a problem.
include:
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
# Scheduled dependency audit that reports failures to Slack.
# NOTE(review): the workflow rules above drop scheduled pipelines entirely
# (`when: never`), while this job only runs when $CI_PIPELINE_SOURCE is
# "schedule" — as written it appears never to run; confirm the intent.
audit_packages_scheduled:
  stage: test
  needs:
    - job: install
  cache:
    - <<: *ruby_cache
  script:
    - *bundle_install
    - make audit
  # after_script runs even when the audit fails; $CI_JOB_STATUS is checked so
  # only non-success outcomes are posted. SLACK_WEBHOOK is a CI variable and
  # should be configured as masked so it never appears in the job log.
  after_script:
    - |-
      if [ "$CI_JOB_STATUS" != "success" ]; then
        ./scripts/notify-slack \
          --icon ":gitlab:" \
          --username "gitlab-notify" \
          --channel "#login-team-agnes" \
          --webhook "${SLACK_WEBHOOK}" \
          --raise \
          --text "$(printf "Dependencies audit in GitLab failed.\nBuild Results: ${CI_JOB_URL}\nCheck results locally with 'make audit'")"
      fi
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'