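# Crafty Controller 4.0 - Lint & Build Pipes
# [Maintainer: Zedifus(https://gitlab.com/Zedifus)]
###################################################
# yamllint disable rule:line-length
---
# Pipeline layout:
#   lint            -> yamllint / jsonlint / black / pylint (merge-request pipelines only, see .lint)
#   test            -> SAST / secret detection / dependency scanning, defined by the included templates
#   prod-deployment -> multi-arch Docker image under the registry's default tag, plus the Windows build, on the default branch
#   dev-deployment  -> multi-arch Docker image tagged with the branch slug, plus the Windows build, on the "dev" branch
stages:
  - lint
  - test
  - prod-deployment
  - dev-deployment

variables:
  # Talk to the `docker:dind` service over TLS on 2376; the certificate directory is shared with the service.
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: "/certs"
  # buildx release used by the Docker jobs. Empty (the default) keeps the original behaviour of
  # resolving the latest GitHub release at run time; set it to a release tag (e.g. "vX.Y.Z") to pin
  # the binary that the privileged build runner downloads and executes.
  BUILDX_VERSION: ""

# Shared settings of the lint jobs. The rules add these jobs to merge-request pipelines only: the
# second rule drops the duplicate branch pipeline of a branch that has an open MR, and because there
# is no catch-all rule a plain branch push without an MR gets no lint jobs at all.
# The lint images float on ":latest"; pin a tag or digest if reproducible lint results matter.
.lint:
  stage: lint
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never

yamllint:
  extends: .lint
  image: registry.gitlab.com/pipeline-components/yamllint:latest
  script:
    - yamllint .

jsonlint:
  extends: .lint
  image: registry.gitlab.com/pipeline-components/jsonlint:latest
  script:
    # NUL-separated file list so paths with spaces survive; -k keeps parallel's output in input order.
    - |
      find . -not -path './.git/*' -name '*.json' -type f -print0 | parallel --will-cite -k -0 -n1 jsonlint -q

black:
  extends: .lint
  image: registry.gitlab.com/pipeline-components/black:latest
  script:
    - black --check --verbose -- .

pylint:
  extends: .lint
  image: registry.gitlab.com/pipeline-components/pylint:latest
  # before_script:
  #   - mkdir -p public/badges public/lint
  #   - echo undefined > public/badges/$CI_JOB_NAME.score
  script:
    # - pylint --exit-zero --output-format=text $(find -type f -name "*.py" ! -path "**/.venv/**" ! -path "**/app/migrations/**") | tee /tmp/pylint.txt
    # - sed -n 's/^Your code has been rated at \([-0-9.]*\)\/.*/\1/p' /tmp/pylint.txt > public/badges/$CI_JOB_NAME.score
    # --exit-zero makes this job informational only: findings surface in the Code Quality report, never as a job failure.
    - pylint --exit-zero --output-format=pylint_gitlab.GitlabCodeClimateReporter $(find -type f -name "*.py" ! -path "**/.venv/**" ! -path "**/app/migrations/**") > codeclimate.json
  # after_script:
  #   - anybadge --overwrite --label $CI_JOB_NAME --value=$(cat public/badges/$CI_JOB_NAME.score) --file=public/badges/$CI_JOB_NAME.svg 4=red 6=orange 8=yellow 10=green
  #   - |
  #     echo "Your score is: $(cat public/badges/$CI_JOB_NAME.score)"
  # Removed lint badge generation until public release
  artifacts:
    paths:
      # Nothing creates public/ while the badge steps are commented out; GitLab only warns about the missing path.
      - public
    reports:
      codequality: codeclimate.json
    when: always

# Shared body of the multi-arch image builds. Each concrete job supplies the stage, the branch rule,
# the environment and IMAGE_TAG: the ":<tag>" suffix appended to $CI_REGISTRY_IMAGE, or "" for the
# registry's default tag. IMAGE_TAG is a job variable rather than a shell variable because
# after_script runs in a separate shell and cannot see anything assigned in script.
# The `docker:latest` image and the `docker:dind` service are unpinned as well.
.docker-build:
  image: docker:latest
  services:
    - name: docker:dind
  tags:
    - docker_priv
  before_script:
    # Version components come from the repository's version.json and end up in the CRAFTY_VER build arg.
    - |
      apk --no-cache add jq
      MAJOR=$(jq '.major' app/config/version.json)
      MINOR=$(jq '.minor' app/config/version.json)
      SUB=$(jq '.sub' app/config/version.json)
      META=$(jq -r '.meta' app/config/version.json)
    # Install the buildx CLI plugin. BUILDX_VERSION wins when set; otherwise the latest GitHub release
    # is resolved through an unauthenticated API call (subject to GitHub's rate limit). `curl -f` turns
    # an HTTP error into a failure instead of silently saving an error page as the plugin binary, and
    # the empty-tag check stops the job before it can build a malformed download URL. No checksum of
    # the downloaded binary is verified here.
    - |
      apk --no-cache add curl
      if [ -n "$BUILDX_VERSION" ]; then
        buildx_tag="$BUILDX_VERSION"
      else
        buildx_tag=$(curl -fsS https://api.github.com/repos/docker/buildx/releases/latest | sed -Ene '/^ *"tag_name": *"(v.+)",$/s//\1/p')
      fi
      if [ -z "$buildx_tag" ]; then
        echo "Could not determine a buildx release tag" >&2
        exit 1
      fi
      echo "Using buildx version $buildx_tag"
      curl -fsSLo docker-buildx "https://github.com/docker/buildx/releases/download/$buildx_tag/buildx-$buildx_tag.linux-amd64"
      chmod a+x docker-buildx
      mkdir -p ~/.docker/cli-plugins
      mv docker-buildx ~/.docker/cli-plugins/docker-buildx
      docker version
    # aptman/qus (qemu-user-static) presumably registers the binfmt handlers the arm64 half of the build
    # needs on an amd64 runner. Both runs use an unpinned Docker Hub image with --privileged; pinning
    # the image by digest would be worth considering.
    - docker run --rm --privileged aptman/qus -- -r
    - docker run --rm --privileged aptman/qus -s -- -p aarch64 x86_64
    # CI_JOB_TOKEN is the supported name of the per-job registry token; CI_BUILD_TOKEN is its deprecated alias.
    - echo "$CI_JOB_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - |
      VERSION="${MAJOR}.${MINOR}.${SUB}-${META}"
      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $IMAGE_TAG"
      echo "Crafty Version: $VERSION"
    - docker context create tls-environment
    - docker buildx create --name zedBuilder --use tls-environment
    # BUILD_DATE carries a "Z" suffix, so the timestamp is taken in UTC (date -u) rather than runner-local time.
    - docker buildx build --cache-from type=registry,ref="$CI_REGISTRY_IMAGE${IMAGE_TAG}" --build-arg BUILDKIT_INLINE_CACHE=1 --build-arg "BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" --build-arg "BUILD_REF=${CI_COMMIT_SHA}" --build-arg "CRAFTY_VER=${VERSION}" --tag "$CI_REGISTRY_IMAGE${IMAGE_TAG}" --platform linux/arm64/v8,linux/amd64 --push .
  after_script:
    # Best-effort cleanup of the builder and context, then print the pushed manifest list for review.
    - |
      docker buildx rm zedBuilder && echo "Successfully Stopped builder instance" || echo "Failed to stop builder instance."
      docker context rm tls-environment || true
      echo "Please review multi-arch manifests are present:"
      docker buildx imagetools inspect "$CI_REGISTRY_IMAGE${IMAGE_TAG}"

docker-build-dev:
  extends: .docker-build
  stage: dev-deployment
  rules:
    - if: "$CI_COMMIT_BRANCH == 'dev'"
  environment:
    name: development
  variables:
    IMAGE_TAG: ":$CI_COMMIT_REF_SLUG"

docker-build-prod:
  extends: .docker-build
  stage: prod-deployment
  rules:
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
  environment:
    name: production
  variables:
    IMAGE_TAG: ""

# Shared body of the Windows PyInstaller builds (PowerShell runner tagged win64). Each concrete job
# supplies the stage, the branch rule and the environment. pyinstaller is installed unpinned, so the
# produced executable depends on whatever pip resolves at run time.
.win-build:
  tags:
    - win64
  cache:
    paths:
      - .venv/
  script:
    - |
      $ErrorActionPreference = "Stop"
      py -m venv .venv
      .venv\Scripts\activate.ps1
      pip install pyinstaller
      pip install -r requirements.txt
    - pyinstaller -F main.py --distpath . --icon app\frontend\static\assets\images\Crafty_4-0_Logo_square.ico --name "crafty_commander" --paths .venv\Lib\site-packages --hidden-import cryptography --hidden-import cffi --hidden-import apscheduler --collect-all tzlocal --collect-all tzdata --collect-all pytz --collect-all six
  artifacts:
    name: "crafty-${CI_RUNNER_TAGS}-${CI_COMMIT_BRANCH}_${CI_COMMIT_SHORT_SHA}"
    paths:
      - app\
      - .\crafty_commander.exe
    exclude:
      - app\classes\**\*

# Download latest:
# | https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/dev/download?job=win-dev-build
win-dev-build:
  extends: .win-build
  stage: dev-deployment
  rules:
    - if: "$CI_COMMIT_BRANCH == 'dev'"
  environment:
    name: development

# Download latest:
# | https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/master/download?job=win-prod-build
win-prod-build:
  extends: .win-build
  stage: prod-deployment
  rules:
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
  environment:
    name: production

# Overrides for the jobs defined by the security templates included below.
sast:
  variables:
    SAST_EXCLUDED_PATHS: spec, test, tests, tmp, migrations, vendors
    # The nested quotes are passed through to the analyzer exactly as written here.
    SAST_BANDIT_EXCLUDED_PATHS: "'*/migrations/*, */vendors/*'"
    SAST_EXCLUDED_ANALYZERS: semgrep
  stage: test
  tags:
    - docker

secret_detection:
  variables:
    SECRET_DETECTION_EXCLUDED_PATHS: migrations, vendors
  tags:
    - docker

gemnasium-dependency_scanning:
  tags:
    - docker

gemnasium-python-dependency_scanning:
  tags:
    - docker

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml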