crafty-4/.gitlab-ci.yml

# Crafty Controller 4.0 - Lint & Build Pipes
# [Maintainer: Zedifus(https://gitlab.com/Zedifus)]
###################################################
# yamllint disable rule:line-length
---
stages:
  - lint
  - test
  - prod-deployment
  - dev-deployment

variables:
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: "/certs"

yamllint:
  stage: lint
  image: registry.gitlab.com/pipeline-components/yamllint:latest
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
  script:
    - yamllint .

jsonlint:
  stage: lint
  image: registry.gitlab.com/pipeline-components/jsonlint:latest
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
  script:
    - |
      find . -not -path './.git/*' -name '*.json' -type f -print0 |
      parallel --will-cite -k -0 -n1 jsonlint -q      

black:
  stage: lint
  image: registry.gitlab.com/pipeline-components/black:latest
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
  script:
    - black --check --verbose -- .

pylint:
  stage: lint
  image: registry.gitlab.com/pipeline-components/pylint:latest
  tags:
    - docker
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
  # before_script:
  # - mkdir -p public/badges public/lint
  # - echo undefined > public/badges/$CI_JOB_NAME.score
  script:
    # - pylint --exit-zero --output-format=text $(find -type f -name "*.py" ! -path "**/.venv/**" ! -path "**/app/migrations/**") | tee /tmp/pylint.txt
    # - sed -n 's/^Your code has been rated at \([-0-9.]*\)\/.*/\1/p' /tmp/pylint.txt > public/badges/$CI_JOB_NAME.score
    - pylint --exit-zero --output-format=pylint_gitlab.GitlabCodeClimateReporter $(find -type f -name "*.py" ! -path "**/.venv/**" ! -path "**/app/migrations/**") > codeclimate.json
  # after_script:
  # - anybadge --overwrite --label $CI_JOB_NAME --value=$(cat public/badges/$CI_JOB_NAME.score) --file=public/badges/$CI_JOB_NAME.svg 4=red 6=orange 8=yellow 10=green
  # - |
  #   echo "Your score is: $(cat public/badges/$CI_JOB_NAME.score)"
  # Removed lint badge generation until public release
  artifacts:
    paths:
      - public
    reports:
      codequality: codeclimate.json
    when: always

docker-build-dev:
  image: docker:latest
  services:
    - name: docker:dind
  stage: dev-deployment
  tags:
    - docker_priv
  rules:
    - if: $CI_COMMIT_BRANCH == 'dev'
  environment:
    name: development
  before_script:
    - |
      apk --no-cache add jq
      MAJOR=$(cat app/config/version.json | jq '.major' )
      MINOR=$(cat app/config/version.json | jq '.minor' )
      SUB=$(cat app/config/version.json | jq '.sub' )
      META=$(cat app/config/version.json | jq -r '.meta' )      
    - |
      apk --no-cache add curl
      latest_tag=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | sed -Ene '/^ *"tag_name": *"(v.+)",$/s//\1/p')
      echo "Using buildx version $latest_tag"
      curl -sSLo docker-buildx "https://github.com/docker/buildx/releases/download/$latest_tag/buildx-$latest_tag.linux-amd64"
      chmod a+x docker-buildx
      mkdir -p ~/.docker/cli-plugins
      mv docker-buildx ~/.docker/cli-plugins/docker-buildx
      docker version      
    - docker run --rm --privileged aptman/qus -- -r
    - docker run --rm --privileged aptman/qus -s -- -p aarch64 x86_64
    - echo $CI_BUILD_TOKEN | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
  script:
    - |
      tag=":$CI_COMMIT_REF_SLUG"
      VERSION="${MAJOR}.${MINOR}.${SUB}-${META}"      
    - |
      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      echo "Crafty Version: $VERSION"      
    - docker context create tls-environment
    - docker buildx create --name zedBuilder --use tls-environment
    - docker buildx build
      --cache-from type=registry,ref="$CI_REGISTRY_IMAGE${tag}"
      --build-arg BUILDKIT_INLINE_CACHE=1
      --build-arg "BUILD_DATE=$(date +"%Y-%m-%dT%H:%M:%SZ")"
      --build-arg "BUILD_REF=${CI_COMMIT_SHA}"
      --build-arg "CRAFTY_VER=${VERSION}"
      --tag "$CI_REGISTRY_IMAGE${tag}"
      --platform linux/arm64/v8,linux/amd64
      --push .
  after_script:
    - |
      docker buildx rm zedBuilder && echo "Successfully Stopped builder instance" || echo "Failed to stop builder instance."
      docker context rm tls-environment || true
      echo "Please review multi-arch manifests are present:"
      docker buildx imagetools inspect "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"      

docker-build-prod:
  image: docker:latest
  services:
    - name: docker:dind
  stage: prod-deployment
  tags:
    - docker_priv
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  environment:
    name: production
  before_script:
    - |
      apk --no-cache add jq
      MAJOR=$(cat app/config/version.json | jq '.major' )
      MINOR=$(cat app/config/version.json | jq '.minor' )
      SUB=$(cat app/config/version.json | jq '.sub' )
      META=$(cat app/config/version.json | jq -r '.meta' )      
    - |
      apk --no-cache add curl
      latest_tag=$(curl -s https://api.github.com/repos/docker/buildx/releases/latest | sed -Ene '/^ *"tag_name": *"(v.+)",$/s//\1/p')
      echo "Using buildx version $latest_tag"
      curl -sSLo docker-buildx "https://github.com/docker/buildx/releases/download/$latest_tag/buildx-$latest_tag.linux-amd64"
      chmod a+x docker-buildx
      mkdir -p ~/.docker/cli-plugins
      mv docker-buildx ~/.docker/cli-plugins/docker-buildx
      docker version      
    - docker run --rm --privileged aptman/qus -- -r
    - docker run --rm --privileged aptman/qus -s -- -p aarch64 x86_64
    - echo $CI_BUILD_TOKEN | docker login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
  script:
    - |
      tag=""
      VERSION="${MAJOR}.${MINOR}.${SUB}-${META}"      
    - |
      echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
      echo "Crafty Version: $VERSION"      
    - docker context create tls-environment
    - docker buildx create --name zedBuilder --use tls-environment
    - docker buildx build
      --cache-from type=registry,ref="$CI_REGISTRY_IMAGE${tag}"
      --build-arg BUILDKIT_INLINE_CACHE=1
      --build-arg "BUILD_DATE=$(date +"%Y-%m-%dT%H:%M:%SZ")"
      --build-arg "BUILD_REF=${CI_COMMIT_SHA}"
      --build-arg "CRAFTY_VER=${VERSION}"
      --tag "$CI_REGISTRY_IMAGE${tag}"
      --platform linux/arm64/v8,linux/amd64
      --push .
  after_script:
    - |
      docker buildx rm zedBuilder && echo "Successfully Stopped builder instance" || echo "Failed to stop builder instance."
      docker context rm tls-environment || true
      echo "Please review multi-arch manifests are present:"
      docker buildx imagetools inspect "$CI_REGISTRY_IMAGE${tag}"      

win-dev-build:
  stage: dev-deployment
  tags:
    - win64
  cache:
    paths:
      - .venv/
  rules:
    - if: "$CI_COMMIT_BRANCH == 'dev'"
  environment:
    name: development
  script:
    - |
      $ErrorActionPreference = "Stop"
      py -m venv .venv
      .venv\Scripts\activate.ps1
      pip install pyinstaller
      pip install -r requirements.txt      
    - pyinstaller -F main.py
      --distpath .
      --icon app\frontend\static\assets\images\Crafty_4-0_Logo_square.ico
      --name "crafty_commander"
      --paths .venv\Lib\site-packages
      --hidden-import cryptography
      --hidden-import cffi
      --hidden-import apscheduler
      --collect-all tzlocal
      --collect-all tzdata
      --collect-all pytz
      --collect-all six

  # Download latest:
  # | https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/dev/download?job=win-dev-build
  artifacts:
    name: "crafty-${CI_RUNNER_TAGS}-${CI_COMMIT_BRANCH}_${CI_COMMIT_SHORT_SHA}"
    paths:
      - app\
      - .\crafty_commander.exe
    exclude:
      - app\classes\**\*

win-prod-build:
  stage: prod-deployment
  tags:
    - win64
  cache:
    paths:
      - .venv/
  rules:
    - if: "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
  environment:
    name: production
  script:
    - |
      $ErrorActionPreference = "Stop"
      py -m venv .venv
      .venv\Scripts\activate.ps1
      pip install pyinstaller
      pip install -r requirements.txt      
    - pyinstaller -F main.py
      --distpath .
      --icon app\frontend\static\assets\images\Crafty_4-0_Logo_square.ico
      --name "crafty_commander"
      --paths .venv\Lib\site-packages
      --hidden-import cryptography
      --hidden-import cffi
      --hidden-import apscheduler
      --collect-all tzlocal
      --collect-all tzdata
      --collect-all pytz
      --collect-all six

  # Download latest:
  # | https://gitlab.com/crafty-controller/crafty-4/-/jobs/artifacts/master/download?job=win-prod-build
  artifacts:
    name: "crafty-${CI_RUNNER_TAGS}-${CI_COMMIT_BRANCH}_${CI_COMMIT_SHORT_SHA}"
    paths:
      - app\
      - .\crafty_commander.exe
    exclude:
      - app\classes\**\*

sast:
  variables:
    SAST_EXCLUDED_PATHS: spec, test, tests, tmp, migrations, vendors
    SAST_BANDIT_EXCLUDED_PATHS: "'*/migrations/*, */vendors/*'"
    SAST_EXCLUDED_ANALYZERS: semgrep
  stage: test
  tags:
    - docker

secret_detection:
  variables:
    SECRET_DETECTION_EXCLUDED_PATHS: migrations, vendors
  tags:
    - docker

gemnasium-dependency_scanning:
  tags:
    - docker

gemnasium-python-dependency_scanning:
  tags:
    - docker

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml