---
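# Pipeline-level gate. GitLab evaluates `workflow.rules` top to bottom and
# the FIRST matching rule wins, so the order below is significant.
workflow:
  rules:
    # Merge-request pipelines are skipped. GitLab presumably sets
    # CI_MERGE_REQUEST_ID on merge_request_event pipelines, which would make
    # the next rule unreachable — NOTE(review): the two rules contradict each
    # other; confirm which behaviour is intended.
    - if: $CI_MERGE_REQUEST_ID
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: always
    # Every push runs — including tag pushes, whose source is also "push",
    # so they match here before the CI_COMMIT_TAG exclusion further down.
    - if: '$CI_PIPELINE_SOURCE == "push"'
      when: always
    # Manually or programmatically started pipelines. The alternation is
    # grouped so both anchors apply to every alternative; the ungrouped form
    # /^trigger|pipeline|web|api$/ also matched any source that merely
    # contained "pipeline" or "web".
    - if: '$CI_PIPELINE_SOURCE =~ /^(trigger|pipeline|web|api)$/'
      when: always
    # Only reached for sources not matched above, so it does not stop tag
    # pushes — NOTE(review): move it above the "push" rule if tag pushes
    # are meant to be excluded.
    - if: $CI_COMMIT_TAG
      when: never
    - when: always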
include:
  # GitLab-managed security templates (SAST, dependency, licence and secret
  # scanning). They read the global `variables` declared below.
  - template: Security/SAST.gitlab-ci.yml
  # NOTE(review): the only template referenced without the Security/ prefix
  # used by its siblings; confirm this path still resolves on the target
  # GitLab version.
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Disabled, although ci/docker.yml below presumably builds images —
  # NOTE(review): consider re-enabling so the built images are scanned.
  # - template: Security/Container-Scanning.gitlab-ci.yml
  # Project-local job definitions (release, checks, docker build, pages);
  # their contents are not visible here.
  - local: 'ci/semantic-release.yml'
  - local: 'ci/check.yml'
  - local: 'ci/docker.yml'
  - local: 'ci/pages.yml'
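# Global SAST Variables
# Pipeline-wide variables read by the Security/* templates and, presumably,
# by the local ci/*.yml includes.
variables:
  # Paths excluded from SAST and from the Bandit analyser (tests and
  # vendored/build output).
  SAST_EXCLUDED_PATHS: "spec,test,tests,tmp,node_modules,target,venv"
  SAST_BANDIT_EXCLUDED_PATHS: "*/test/**,*/tests/**,*/node_modules/**,*/target/**,*/venv/**"
  # NOTE(review): excluding docs from secret detection means a credential
  # pasted into documentation is never flagged — confirm this is intended.
  SECRET_DETECTION_EXCLUDED_PATHS: "docs"
  # Image for the Python jobs. The unqualified name resolves through the
  # runner's default registry (DOCKER_IMAGE below is fully qualified), and a
  # tag is mutable — pin by digest for reproducible builds.
  PYTHON_IMAGE: "python"
  PYTHON_TAG: "3.10"  # quoted: a bare 3.10 parses as the float 3.1
  DOCKER_DRIVER: overlay2
  DOCKER_BUILDKIT: "1"  # quoted so YAML does not type the value as an integer
  DOCKER_IMAGE: docker.io/library/docker
  DOCKER_TAG: "20.10.16"
  ## Semantic Release
  # Presumably consumed by ci/semantic-release.yml (not visible here).
  ENABLE_SEMANTIC_RELEASE: "true"
  # Dry run is on globally; confirm where the publishing job turns it off.
  ENABLE_SEMANTIC_RELEASE_DRY_RUN: "true"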
# Stage order. Jobs in this file without an explicit `stage:` (build-dist,
# validate-renovate-config) fall into GitLab's default `test` stage unless
# an included file sets one.
stages:
  - test
  - build
  - docs
  - deploy
  - publish
# Shared base for Python jobs: installs poetry and the project dependencies
# before the job's own script runs.
.base-python:
  image: $PYTHON_IMAGE:$PYTHON_TAG
  before_script:
    # NOTE(review): poetry itself is unpinned, so every run installs whatever
    # PyPI currently serves; pin it for reproducibility.
    - pip install poetry
    # NOTE(review): `poetry lock` re-resolves dependencies at CI time instead
    # of verifying the committed poetry.lock, so the versions installed here
    # (and the poetry.lock build-dist exports as an artifact) can drift from
    # what was reviewed. A lock-consistency check — the exact flag depends on
    # the poetry version — would be the reproducible choice.
    - poetry lock
    - poetry install
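# Generate a CycloneDX SBOM from the checked-in poetry.lock and publish it as
# an artifact. NOTE(review): this job does not extend .base-python, so the
# SBOM describes the committed lockfile, whereas build-dist runs `poetry lock`
# first and may build from a re-resolved one — confirm the two agree.
sbom:
  stage: docs
  image: $PYTHON_IMAGE:$PYTHON_TAG
  script:
    # NOTE(review): cyclonedx-bom is unpinned; a new release may change the
    # command-line flags used below. Pin the version.
    - pip install cyclonedx-bom
    # -f: a missing sbom.json must not fail the job (a plain rm exits
    # non-zero when the file is absent and the runner stops on the error).
    - rm -f sbom.json
    - cyclonedx-py --poetry -o sbom.json --format json
  artifacts:
    paths:
      - sbom.json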
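###########
# build
###########
# Stamp the release version into the package and build the sdist/wheel.
# RELEASE_VERSION is expected from the semantic-release:dry-run job named in
# `needs`; that job is defined in ci/semantic-release.yml, not here. No
# `stage:` is set, so this job lands in the default `test` stage unless an
# included file overrides it.
build-dist:
  extends: .base-python
  needs: [ "semantic-release:dry-run" ]
  script:
    # Fail fast on an unset or empty version: without this guard sed would
    # write `__version__ = ""` and the build would ship a blank version.
    - test -n "$RELEASE_VERSION"
    - sed -i -e "s/^__version__ = \".*\"/__version__ = \"$RELEASE_VERSION\"/" hopprcop/__init__.py
    - poetry version "$RELEASE_VERSION"
    - poetry build
  artifacts:
    paths:
      - "dist/"
      # The version-stamped sources travel with the build so later stages
      # work from the same version. NOTE(review): poetry.lock here is the
      # one regenerated by `poetry lock` in .base-python, not the committed
      # file.
      - hopprcop/__init__.py
      - pyproject.toml
      - poetry.lock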
# Validate renovate.json with the Renovate CLI's config validator.
validate-renovate-config:
  # Pinned to an exact tag; pinning by digest as well would also guard
  # against the tag being re-pushed.
  image: renovate/renovate:36.64.1
  needs: []  # no dependencies: starts as soon as the pipeline does
  variables:
    RENOVATE_CONFIG_FILE: "renovate.json"
  script:
    - renovate-config-validator