134 lines
3.6 KiB
YAML
134 lines
3.6 KiB
YAML
image: docker:latest
|
|
|
|
variables:
|
|
GIT_STRATEGY: fetch
|
|
GIT_SUBMODULE_STRATEGY: recursive
|
|
PACKER_VERSION: 1.4.3
|
|
ANNOUNCE: http://labsync.lab.fablab-nea.de:6969/announce
|
|
WEBSEED: http://labsync.lab.fablab-nea.de/labsync/$CI_COMMIT_REF_NAME/$CI_PIPELINE_ID/images
|
|
DOCKER_IMAGE_BUILDER: ${CI_REGISTRY_IMAGE}/labsync-builder:main
|
|
DOCKER_IMAGE_SECURITY_SCANNER: ${CI_REGISTRY_IMAGE}/security-scanner:main
|
|
DOCKER_TLS_CERTDIR: ""
|
|
|
|
stages:
|
|
- prepare
|
|
- check
|
|
- build
|
|
|
|
dockerimage_builder:
|
|
stage: prepare
|
|
before_script:
|
|
- apk add --no-cache make
|
|
services:
|
|
- docker:dind
|
|
variables:
|
|
DOCKER_IMAGE_BUILDER: ${CI_REGISTRY_IMAGE}/labsync-builder:$CI_COMMIT_REF_SLUG
|
|
script:
|
|
- docker pull $DOCKER_IMAGE_BUILDER || true
|
|
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
|
- make builderimg
|
|
- docker push $DOCKER_IMAGE_BUILDER
|
|
- echo "DOCKER_IMAGE_BUILDER=$DOCKER_IMAGE_BUILDER" >> build.env
|
|
artifacts:
|
|
reports:
|
|
dotenv: build.env
|
|
rules:
|
|
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
|
when: on_success
|
|
- if:
|
|
changes:
|
|
paths:
|
|
- builder/**/*
|
|
compare_to: main
|
|
when: on_success
|
|
|
|
dockerimage_security_scanner:
|
|
stage: prepare
|
|
before_script:
|
|
- apk add --no-cache make
|
|
services:
|
|
- docker:dind
|
|
script:
|
|
- docker pull $DOCKER_IMAGE_SECURITY_SCANNER || true
|
|
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
|
|
- make secscanimg
|
|
- docker push $DOCKER_IMAGE_SECURITY_SCANNER
|
|
- echo "DOCKER_IMAGE_SECURITY_SCANNER=${CI_REGISTRY_IMAGE}/security-scanner:$CI_COMMIT_REF_SLUG" >> build.env
|
|
artifacts:
|
|
reports:
|
|
dotenv: build.env
|
|
rules:
|
|
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
|
when: on_success
|
|
- if:
|
|
changes:
|
|
paths:
|
|
- security-scanner/**/*
|
|
compare_to: main
|
|
when: on_success
|
|
|
|
security_scanner:
|
|
stage: check
|
|
image: $DOCKER_IMAGE_SECURITY_SCANNER
|
|
script:
|
|
- set -x
|
|
- export GITLAB_URL="$(echo "$CI_PROJECT_URL" | grep -Eo '^https?://[^/]*')"
|
|
- /code/venv/bin/python -m security_scanner $target
|
|
only:
|
|
refs:
|
|
- schedules
|
|
- triggers
|
|
variables:
|
|
- $task == "security-scanner"
|
|
- $target
|
|
|
|
lightburn-download:
|
|
stage: prepare
|
|
image: quay.io/official-images/alpine
|
|
script:
|
|
- mkdir -p packer/ansible/roles/lightburn/files
|
|
- 'wget -O packer/ansible/roles/lightburn/files/lightburn.zip --header "JOB-TOKEN: $CI_JOB_TOKEN" "${CI_SERVER_URL}/api/v4/projects/fablab%2Flightburn-patched/jobs/artifacts/main/download?job=patch-Linux64"'
|
|
artifacts:
|
|
paths:
|
|
- packer/ansible/roles/lightburn/files/lightburn.zip
|
|
expire_in: 4 hours
|
|
|
|
.squashfs_template: &squashfs_template
|
|
image: $DOCKER_IMAGE_BUILDER
|
|
stage: build
|
|
services:
|
|
- docker:dind
|
|
script:
|
|
- echo DOCKER_IMAGE_BUILDER=$DOCKER_IMAGE_BUILDER
|
|
- echo DOCKER_IMAGE_SECURITY_SCANNER=$DOCKER_IMAGE_SECURITY_SCANNER
|
|
- scripts/packer.sh debian-bookworm
|
|
- aws --endpoint-url "$AWS_ENDPOINT_URL" s3 cp images/ "s3://$AWS_BUCKET/$CI_COMMIT_REF_SLUG/$CI_JOB_ID/" --recursive --no-progress
|
|
artifacts:
|
|
paths:
|
|
- images.txt
|
|
- images/*.dpkg-list
|
|
- images/*.initramfs
|
|
- images/*.linux
|
|
#- images/*.squashfs
|
|
- images/*.torrent
|
|
|
|
squashfs_featurebranch:
|
|
<<: *squashfs_template
|
|
variables:
|
|
COMPRESSION_LEVEL: 4
|
|
except:
|
|
variables:
|
|
- $task == "security-scanner"
|
|
refs:
|
|
- main
|
|
|
|
squashfs_main:
|
|
<<: *squashfs_template
|
|
variables:
|
|
COMPRESSION_LEVEL: 15
|
|
only:
|
|
refs:
|
|
- main
|
|
except:
|
|
variables:
|
|
- $task == "security-scanner"
|