# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence

# Default image for every job that does not declare its own (the lftp-based
# deploy jobs below rely on it; update_sentry overrides it with node:18).
image: takkatakka/lftp

# Security scanning templates. The jobs they define are customised further down
# through variable overrides; see the links above for the supported variables.
# NOTE(review): `DAST.gitlab-ci.yml` is the legacy DAST template path; the
# current one is `Security/DAST.gitlab-ci.yml` — confirm before switching.
include:
  - template: 'Security/SAST.gitlab-ci.yml'
  - template: 'Security/Secret-Detection.gitlab-ci.yml'
  - template: 'DAST.gitlab-ci.yml'

# Stage order. `dast` is declared but no job in this file uses it (the dast job
# is placed in `scan`); `test` is presumably where template jobs that are not
# overridden here land by default.
stages:
  - deploy
  - scan
  - dast
  - test

# Pipeline-wide variables, inherited by every job unless overridden.
variables:
  # Check out submodules recursively so builds see the full source tree.
  GIT_SUBMODULE_STRATEGY: recursive
# Dynamic scan of the dev deployment, run only for pipelines on the dev branch.
dast:
  stage: scan
  tags:
    - $RUNNER_LINUX
  variables:
    DAST_WEBSITE: 'https://dev.kara.moe'
  # On-demand profiles maintained in the project's DAST settings.
  # NOTE(review): both DAST_WEBSITE and the site profile name a target; confirm
  # which one the template honours when both are present.
  dast_configuration:
    site_profile: 'Kara.moe'
    scanner_profile: 'Kara.moe'
  # The trailing `when: never` is redundant (an unmatched rules list already
  # excludes the job) but kept for explicitness.
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
    - when: never
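# Variable overrides for the SAST analyzers. In the included template the
# analyzer jobs extend this placeholder job, so values set here reach them
# (the placeholder itself never runs).
#
# SECRET_DETECTION_EXCLUDED_PATHS used to be set here as well; the
# `secret_detection` job does not extend `sast`, so that value never reached
# it and it is configured on the `secret_detection` job instead.
sast:
  variables:
    # Comma-separated path patterns the SAST analyzers skip: fixtures, build
    # output and vendored code.
    SAST_EXCLUDED_PATHS: 'spec, test, tests, tmp, assets, build, img, util, packages, dist'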
# Semgrep SAST analyzer from the included template, limited to the dev branch
# and cancellable when a newer pipeline starts.
semgrep-sast:
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
    - when: never
  tags:
    - $RUNNER_LINUX
  stage: scan
  interruptible: true
# NodeJsScan analyzer from the included template; same gating as semgrep-sast.
nodejs-scan-sast:
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
    - when: never
  tags:
    - $RUNNER_LINUX
  stage: scan
  interruptible: true
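# Secret detection from the included template, limited to the dev branch.
secret_detection:
  interruptible: true
  stage: scan
  tags:
    - $RUNNER_LINUX
  variables:
    # The analyzer documents this as a comma-separated list. The previous
    # space-separated value was most likely read as one (nonexistent) path,
    # so nothing was actually excluded.
    SECRET_DETECTION_EXCLUDED_PATHS: 'node_modules, kmexplorer/node_modules, dist'
  rules:
    - if: '$CI_COMMIT_BRANCH == "dev"'
    - when: never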
# Build everything and upload kmserver-core source maps to Sentry so that
# production stack traces are symbolised. Runs for master and dev.
# NOTE(review): node:18 is past end-of-life; plan a move to a supported line.
update_sentry:
  stage: deploy
  image: node:18
  tags:
    - $RUNNER_LINUX
  # Yarn offline cache and the Nuxt build directory, keyed per branch.
  cache:
    key: 'km-server-${CI_COMMIT_REF_SLUG}'
    paths:
      - .yarn/cache
      - kmexplorer/.nuxt
  script:
    # The build presumably expects app/config.yml to exist; an empty file is
    # enough for a source-map build.
    - mkdir -p app
    - touch app/config.yml
    # --immutable fails the job if the lockfile would change; --check-cache
    # re-verifies cached archives against the lockfile checksums.
    - yarn install --immutable --check-cache
    - yarn build:all
    - yarn workspace kmserver-core sentry:sourcemaps
  only:
    - master
    - dev
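# Deploy master to production (kara.moe): mirror the checkout over FTP, then
# install, migrate, build and restart the service over SSH.
deploy_moe:
  stage: deploy
  tags:
    - $RUNNER_LINUX
  script:
    # SSH private key comes from the SSH_KEY CI variable. The subshell umask
    # makes id_rsa owner-only from creation instead of after a later chmod,
    # and printf avoids echo's escape handling on key material.
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - (umask 077 && printf '%s\n' "$SSH_KEY" > ~/.ssh/id_rsa)
    - chmod 600 ~/.ssh/id_rsa
    # Record the server's host key so ssh can verify it. The previous version
    # scanned the literal string '$HOST' (single quotes), discarded the
    # result and then disabled StrictHostKeyChecking for all hosts, so the
    # deploy credentials and commands were exposed to a man-in-the-middle.
    # If the scan fails, ssh below fails closed instead of connecting blind.
    # This is still trust-on-first-use per job; storing the server's
    # known_hosts line in a protected CI variable would pin it properly.
    - ssh-keyscan -H "$HOST" >> ~/.ssh/known_hosts
    # NOTE(review): `ftp:ssl-allow no` sends $USERNAME/$PASSWORD and the whole
    # tree in cleartext. SSH access to the same host already exists, so
    # mirroring over sftp:// (or enabling FTPS) would remove that exposure.
    - >-
      lftp -c "set ftp:ssl-allow no;
      open -u $USERNAME,$PASSWORD $HOST;
      cd srv/kmserver;
      mirror -Rnev --parallel=10
      --exclude .env --exclude .git/ --exclude kmserver-core/dist/
      --exclude app/ --exclude config.yml --exclude database.json
      --exclude karaokemugen-app/ --exclude logs/ --exclude node_modules/
      --exclude kmexplorer/.nuxt/ --exclude kmexplorer/.output/
      --exclude .yarn/cache --exclude .yarn/build-state.yml
      --exclude .yarn/install-state.gz "
    - ssh -l "$USERNAME" "$HOST" 'cd srv/kmserver ; yarn install ; yarn migrate; yarn build:all'
    - ssh -l "$USERNAME" "$HOST" 'sudo systemctl restart karaokemugen-server'
  variables:
    NODE_ENV: production
  environment:
    name: production-moe
    url: 'https://kara.moe'
  only:
    - master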
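# Deploy dev to the staging host (dev.kara.moe): mirror the checkout over FTP,
# then install, migrate, build and restart the dev service over SSH.
deploy_dev:
  stage: deploy
  tags:
    - $RUNNER_LINUX
  script:
    # SSH private key comes from the SSH_KEY CI variable. The subshell umask
    # makes id_rsa owner-only from creation instead of after a later chmod,
    # and printf avoids echo's escape handling on key material.
    - mkdir -p ~/.ssh && chmod 700 ~/.ssh
    - (umask 077 && printf '%s\n' "$SSH_KEY" > ~/.ssh/id_rsa)
    - chmod 600 ~/.ssh/id_rsa
    # Record the server's host key so ssh can verify it. The previous version
    # scanned the literal string '$HOST' (single quotes), discarded the
    # result and then disabled StrictHostKeyChecking for all hosts, so the
    # deploy credentials and commands were exposed to a man-in-the-middle.
    # If the scan fails, ssh below fails closed instead of connecting blind.
    # This is still trust-on-first-use per job; storing the server's
    # known_hosts line in a protected CI variable would pin it properly.
    - ssh-keyscan -H "$HOST" >> ~/.ssh/known_hosts
    # NOTE(review): `ftp:ssl-allow no` sends $USERNAME/$PASSWORD and the whole
    # tree in cleartext. SSH access to the same host already exists, so
    # mirroring over sftp:// (or enabling FTPS) would remove that exposure.
    - >-
      lftp -c "set ftp:ssl-allow no;
      open -u $USERNAME,$PASSWORD $HOST;
      cd srv/kmserver-dev;
      mirror -Rnev --parallel=10
      --exclude .env --exclude .git/ --exclude app/ --exclude config.yml
      --exclude kmserver-core/dist/ --exclude database.json
      --exclude karaokemugen-app/ --exclude logs/ --exclude node_modules/
      --exclude kmexplorer/.nuxt/ --exclude kmexplorer/.output/
      --exclude .yarn/cache --exclude .yarn/build-state.yml
      --exclude .yarn/install-state.gz "
    - ssh -l "$USERNAME" "$HOST" 'cd srv/kmserver-dev ; yarn install ; yarn migrate; yarn build:all'
    - ssh -l "$USERNAME" "$HOST" 'sudo systemctl restart karaokemugen-server-dev'
  variables:
    NODE_ENV: production
  environment:
    name: dev
    url: 'https://dev.kara.moe'
  only:
    - dev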