-
Notifications
You must be signed in to change notification settings - Fork 19
/
.gitlab-ci.yml
executable file
·166 lines (153 loc) · 6.27 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
image: maven:3.6.1-jdk-11
variables:
MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true"
MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end"
DOCKER_IMAGE_TO_SCAN: hello-webapp:latest
# Cache the Maven repository so that each job does not have to download it.
cache:
key: mavenrepo
paths:
- ./.m2/repository/
stages:
- build
- release
- create_docker_image
- scan_docker_image
- push_docker_image
# Run tests.
test:
stage: build
script:
- 'mvn $MAVEN_CLI_OPTS install'
# Checkstyle source code standard review.
checkstyle:
stage: build
script:
- 'mvn $MAVEN_CLI_OPTS -Pcicdprofile checkstyle:check'
# PMD code quality analysis.
pmd:
stage: build
script:
- 'mvn $MAVEN_CLI_OPTS -Pcicdprofile pmd:check'
# SpotBugs code quality analysis.
spotbugs:
stage: build
script:
- 'mvn $MAVEN_CLI_OPTS -Pcicdprofile spotbugs:check'
# Test code coverage analysis.
code-coverage:
stage: build
script:
- 'mvn $MAVEN_CLI_OPTS -P-Pcicdprofile install'
# Supplies the option to perform Maven releases from the master branch.
# Releases need to be triggered manually in the GitLab CI/CD pipeline.
master-release:
stage: release
when: manual
script:
- git config --global user.email "gitlab@ivankrizsan.se"
- git config --global user.name "GitLab CI/CD"
# Fix the repository URL, replacing any host, localhost in my case, with gitlab.
# Note that gitlab is the name of the container in which GitLab is running.
# Insert GitLab access token into URL so release tag and next snapshot version
# can be pushed to the repository.
- export NEW_REPO_URL=$(echo $CI_REPOSITORY_URL | sed 's/@[^/]*/@gitlab/' | sed 's/\(http[s]*\):\/\/[^@]*/\1:\/\/oauth2:'$GITLAB_CICD_TOKEN'/')
# Debug git interaction.
- 'export GIT_TRACING=2'
- 'export GIT_CURL_VERBOSE=1'
# Remove the SNAPSHOT from the project's version thus creating the release version number.
- 'mvn $MAVEN_CLI_OPTS versions:set -DremoveSnapshot -DprocessAllModules=true'
- 'export RELEASE_VERSION=$(mvn --batch-mode --no-transfer-progress --non-recursive help:evaluate -Dexpression=project.version | grep -v "\[.*")'
- 'echo "Release version: $RELEASE_VERSION"'
# Push the release version to a new tag.
# This relies on the .m2 directory containing the Maven repository
# in the build directory being included in the .gitignore file in the
# project, since we do not want to commit the contents of the Maven repository.
- 'git add $CI_PROJECT_DIR'
- 'git commit -m "Create release version"'
- 'git tag -a $RELEASE_VERSION -m "Create release version tag"'
- 'git remote set-url --push origin $NEW_REPO_URL'
- 'git push origin $RELEASE_VERSION'
# Update master branch to next snapshot version.
# If automatic building of the master branch is desired, remove
# the "[ci skip]" part in the commit message.
- 'git checkout master'
- 'git reset --hard "origin/master"'
- 'git remote set-url --push origin $NEW_REPO_URL'
- 'mvn $MAVEN_CLI_OPTS versions:set -DnextSnapshot=true -DprocessAllModules=true'
- 'git add $CI_PROJECT_DIR'
- 'git commit -m "Create next snapshot version [ci skip]"'
- 'git push origin master'
only:
- master
# Builds release version tags as to create release artifact(s).
# Artifacts are retained 2 weeks if the Keep button in the web GUI
# is not clicked, in which case they will be retained forever.
release-build:
stage: release
script:
- 'mvn $MAVEN_CLI_OPTS install'
only:
- /^\d+\.\d+\.\d+$/
- tags
artifacts:
paths:
- target/*.jar
expire_in: 2 weeks
# Build a Docker image.
# Action can be manually triggered in the GitLab CI/CD pipeline
# of release tags.
create-docker-image:
stage: create_docker_image
when: manual
before_script:
# Install a Docker client in the container as to be able to build Docker image(s).
- wget -q https://download.docker.com/linux/static/stable/x86_64/docker-18.09.6.tgz
- tar zxvf docker*.tgz
- cp docker/docker /usr/local/bin/docker
script:
- mvn -Pdockerimage docker:build
only:
- /^\d+\.\d+\.\d+$/
- tags
# Scan the (local) Docker image using Clair.
scan-docker-image:
image: docker:stable
stage: scan_docker_image
when: manual
variables:
DOCKER_HOST: unix:///var/run/docker.sock
CLAIR_DB_CONTAINER_NAME: clairdb_$CI_CONCURRENT_PROJECT_ID
CLAIR_CONTAINER_NAME: clair_$CI_CONCURRENT_PROJECT_ID
before_script:
# Start an instance of Postgresql with a pre-populated Clair DB.
- docker run -d --name $CLAIR_DB_CONTAINER_NAME --network=gitlabnetwork arminc/clair-db:latest
# Start the Clair server.
- docker run -p 6060:6060 --link $CLAIR_DB_CONTAINER_NAME:postgres --network=gitlabnetwork -d --name $CLAIR_CONTAINER_NAME --restart on-failure arminc/clair-local-scan:v2.0.6
# Download Clair scanner client.
- wget -nv -qO clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- chmod +x clair-scanner
script:
# Scan the Docker image built in the previous step using Clair.
- ./clair-scanner --ip="$(hostname -i)" -c "http://$CLAIR_CONTAINER_NAME:6060" $DOCKER_IMAGE_TO_SCAN
after_script:
# Stop and remove the Clair DB container.
- if docker stop $CLAIR_DB_CONTAINER_NAME ; then echo "Clair DB container stopped"; else echo "There is no Clair DB container to stop"; fi
- if docker rm $CLAIR_DB_CONTAINER_NAME ; then echo "Clair DB container removed"; else echo "There is no Clair DB container to remove"; fi
# Remove the Clair container.
- if docker stop $CLAIR_CONTAINER_NAME ; then echo "Clair container stopped"; else echo "There is no Clair container to stop"; fi
- if docker rm $CLAIR_CONTAINER_NAME ; then echo "Clair container removed"; else echo "There is no Clair container to remove"; fi
only:
- /^\d+\.\d+\.\d+$/
- tags
# Push the Docker image to a repository.
# In this example the repository is DockerHub.
push-docker-image:
stage: push_docker_image
when: manual
script:
- docker login --username ivan --password secret
- docker push $DOCKER_IMAGE_TO_SCAN
only:
- /^\d+\.\d+\.\d+$/
- tags