bb332aab
Commit
bb332aab
authored
Apr 22, 2021
by
Georg Krause
Set .gitlab-ci.yml to enable or configure SAST
parent
4fed82a3
Changes
1
.gitlab-ci.yml
# You can override the included template(s) by including variable overrides
# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables
variables
:
IMAGE_NAME
:
funkwhale/funkwhale
IMAGE
:
$IMAGE_NAME:$CI_COMMIT_REF_NAME
IMAGE_LATEST
:
$IMAGE_NAME:latest
IMAGE
:
"
$IMAGE_NAME:$CI_COMMIT_REF_NAME
"
IMAGE_LATEST
:
"
$IMAGE_NAME:latest
"
ALL_IN_ONE_IMAGE_NAME
:
funkwhale/all-in-one
ALL_IN_ONE_IMAGE
:
$ALL_IN_ONE_IMAGE_NAME:$CI_COMMIT_REF_NAME
ALL_IN_ONE_IMAGE_LATEST
:
$ALL_IN_ONE_IMAGE_NAME:latest
ALL_IN_ONE_IMAGE
:
"
$ALL_IN_ONE_IMAGE_NAME:$CI_COMMIT_REF_NAME
"
ALL_IN_ONE_IMAGE_LATEST
:
"
$ALL_IN_ONE_IMAGE_NAME:latest
"
PIP_CACHE_DIR
:
"
$CI_PROJECT_DIR/pip-cache"
PYTHONDONTWRITEBYTECODE
:
"
true
"
PYTHONDONTWRITEBYTECODE
:
'
true
'
REVIEW_DOMAIN
:
preview.funkwhale.audio
REVIEW_INSTANCE_URL
:
https://demo.funkwhale.audio
stages
:
-
review
-
lint
-
test
-
build
-
deploy
-
review
-
lint
-
test
-
build
-
deploy
review_front
:
interruptible
:
true
stage
:
review
...
...
@@ -24,39 +26,36 @@ review_front:
when
:
manual
allow_failure
:
true
variables
:
BASE_URL
:
/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/front-review/
VUE_APP_ROUTER_BASE_URL
:
/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/front-review/
VUE_APP_INSTANCE_URL
:
$REVIEW_INSTANCE_URL
BASE_URL
:
"
/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/front-review/
"
VUE_APP_ROUTER_BASE_URL
:
"
/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/front-review/
"
VUE_APP_INSTANCE_URL
:
"
$REVIEW_INSTANCE_URL
"
before_script
:
-
curl -L -o /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
-
chmod +x /usr/local/bin/jq
-
rm -rf front-review
-
mkdir front-review
-
cd front
-
curl -L -o /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
-
chmod +x /usr/local/bin/jq
-
rm -rf front-review
-
mkdir front-review
-
cd front
script
:
-
yarn install
-
yarn run i18n-compile
# this is to ensure we don't have any errors in the output,
# cf https://dev.funkwhale.audio/funkwhale/funkwhale/issues/169
-
yarn run build | tee /dev/stderr | (! grep -i 'ERROR in')
-
cp -r dist/* ../front-review
-
yarn install
-
yarn run i18n-compile
-
yarn run build | tee /dev/stderr | (! grep -i 'ERROR in')
-
cp -r dist/* ../front-review
artifacts
:
expire_in
:
2 weeks
paths
:
-
front-review
-
front-review
cache
:
key
:
"
funkwhale__front_dependencies
"
key
:
funkwhale__front_dependencies
paths
:
-
front/node_modules
-
front/yarn.lock
-
front/node_modules
-
front/yarn.lock
only
:
-
branches
-
branches
tags
:
-
docker
-
docker
environment
:
name
:
review/front/$CI_COMMIT_REF_NAME
url
:
http://$CI_PROJECT_NAMESPACE.pages.funkwhale.audio/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/front-review/index.html
review_docs
:
interruptible
:
true
stage
:
review
...
...
@@ -66,30 +65,29 @@ review_docs:
variables
:
BUILD_PATH
:
"
../docs-review"
before_script
:
-
rm -rf docs-review
-
mkdir docs-review
-
cd docs
-
apt-get update
-
apt-get install -y graphviz
-
pip install sphinx sphinx_rtd_theme django-environ django
-
rm -rf docs-review
-
mkdir docs-review
-
cd docs
-
apt-get update
-
apt-get install -y graphviz
-
pip install sphinx sphinx_rtd_theme django-environ django
script
:
-
./build_docs.sh
-
"
./build_docs.sh
"
cache
:
key
:
"
$CI_PROJECT_ID__sphinx"
paths
:
-
"
$PIP_CACHE_DIR"
-
"
$PIP_CACHE_DIR"
artifacts
:
expire_in
:
2 weeks
paths
:
-
docs-review
-
docs-review
only
:
-
branches
-
branches
tags
:
-
docker
-
docker
environment
:
name
:
review/docs/$CI_COMMIT_REF_NAME
url
:
http://$CI_PROJECT_NAMESPACE.pages.funkwhale.audio/-/$CI_PROJECT_NAME/-/jobs/$CI_JOB_ID/artifacts/docs-review/index.html
black
:
interruptible
:
true
image
:
python:3.6
...
...
@@ -97,10 +95,9 @@ black:
variables
:
GIT_STRATEGY
:
fetch
before_script
:
-
pip install black==19.10b0
-
pip install black==19.10b0
script
:
-
black --check --diff api/
-
black --check --diff api/
flake8
:
interruptible
:
true
image
:
python:3.6
...
...
@@ -108,137 +105,133 @@ flake8:
variables
:
GIT_STRATEGY
:
fetch
before_script
:
-
pip install 'flake8<3.7'
-
pip install 'flake8<3.7'
script
:
-
flake8 -v api
-
flake8 -v api
cache
:
key
:
"
$CI_PROJECT_ID__flake8_pip_cache"
paths
:
-
"
$PIP_CACHE_DIR"
-
"
$PIP_CACHE_DIR"
test_api
:
interruptible
:
true
services
:
-
postgres:11
-
redis:5
-
postgres:11
-
redis:5
stage
:
test
image
:
funkwhale/funkwhale:develop
cache
:
key
:
"
$CI_PROJECT_ID__pip_cache"
paths
:
-
"
$PIP_CACHE_DIR"
-
"
$PIP_CACHE_DIR"
variables
:
DATABASE_URL
:
"
postgresql://postgres@postgres/postgres
"
FUNKWHALE_URL
:
"
https://funkwhale.ci
"
DATABASE_URL
:
postgresql://postgres@postgres/postgres
FUNKWHALE_URL
:
https://funkwhale.ci
DJANGO_SETTINGS_MODULE
:
config.settings.local
POSTGRES_HOST_AUTH_METHOD
:
trust
only
:
-
branches
-
branches
before_script
:
-
apk add make git gcc python3-dev musl-dev
-
apk add postgresql-dev py3-psycopg2 libldap libffi-dev make zlib-dev jpeg-dev openldap-dev
-
cd api
-
pip3 install -r requirements/base.txt
-
pip3 install -r requirements/local.txt
-
pip3 install -r requirements/test.txt
-
apk add make git gcc python3-dev musl-dev
-
apk add postgresql-dev py3-psycopg2 libldap libffi-dev make zlib-dev jpeg-dev
openldap-dev
-
cd api
-
pip3 install -r requirements/base.txt
-
pip3 install -r requirements/local.txt
-
pip3 install -r requirements/test.txt
script
:
-
pytest --cov=funkwhale_api tests/
-
pytest --cov=funkwhale_api tests/
tags
:
-
docker
-
docker
test_front
:
interruptible
:
true
stage
:
test
image
:
node:12-buster
before_script
:
-
cd front
-
cd front
only
:
-
branches
-
branches
script
:
-
yarn install --check-files
-
yarn test:unit
-
yarn install --check-files
-
yarn test:unit
cache
:
key
:
"
funkwhale__front_dependencies
"
key
:
funkwhale__front_dependencies
paths
:
-
front/node_modules
-
front/yarn.lock
-
front/node_modules
-
front/yarn.lock
artifacts
:
name
:
"
front_${CI_COMMIT_REF_NAME}
"
name
:
front_${CI_COMMIT_REF_NAME}
paths
:
-
front/dist/
-
front/dist/
tags
:
-
docker
-
docker
build_front
:
stage
:
build
image
:
node:12-buster
before_script
:
-
curl -L -o /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
-
chmod +x /usr/local/bin/jq
-
cd front
-
curl -L -o /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
-
chmod +x /usr/local/bin/jq
-
cd front
script
:
-
yarn install
-
yarn run i18n-compile
# this is to ensure we don't have any errors in the output,
# cf https://dev.funkwhale.audio/funkwhale/funkwhale/issues/169
-
yarn build | tee /dev/stderr | (! grep -i 'ERROR in')
-
chmod -R 755 dist
-
yarn install
-
yarn run i18n-compile
-
yarn build | tee /dev/stderr | (! grep -i 'ERROR in')
-
chmod -R 755 dist
artifacts
:
name
:
"
front_${CI_COMMIT_REF_NAME}
"
name
:
front_${CI_COMMIT_REF_NAME}
paths
:
-
front/dist/
-
front/dist/
only
:
-
tags@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
tags
:
-
docker
-
docker
pages
:
stage
:
test
image
:
python:3.6
variables
:
BUILD_PATH
:
"
../public"
before_script
:
-
cd docs
-
apt-get update
-
apt-get install -y graphviz
-
pip install sphinx sphinx_rtd_theme django-environ django
-
cd docs
-
apt-get update
-
apt-get install -y graphviz
-
pip install sphinx sphinx_rtd_theme django-environ django
script
:
-
./build_docs.sh
-
"
./build_docs.sh
"
cache
:
key
:
"
$CI_PROJECT_ID__sphinx"
paths
:
-
"
$PIP_CACHE_DIR"
-
"
$PIP_CACHE_DIR"
artifacts
:
paths
:
-
public
-
public
only
:
-
master@funkwhale/funkwhale
-
master@funkwhale/funkwhale
tags
:
-
docker
-
docker
docker_release
:
stage
:
deploy
image
:
bash
before_script
:
-
docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-
cp -r front/dist api/frontend
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master" ]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8); fi);
-
docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-
cp -r front/dist api/frontend
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master"
]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8);
fi);
script
:
-
if [[ ! -z "$CI_COMMIT_TAG" ]]; then (./docs/get-releases-json.py | scripts/is-docker-latest.py $CI_COMMIT_TAG -) && export DOCKER_LATEST_TAG="-t $IMAGE_LATEST" || export DOCKER_LATEST_TAG=; fi
-
cd api
-
docker build -t $IMAGE $DOCKER_LATEST_TAG .
-
docker push $IMAGE
-
if [[ ! -z "$DOCKER_LATEST_TAG" ]]; then docker push $IMAGE_LATEST; fi
-
if [[ ! -z "$CI_COMMIT_TAG" ]]; then (./docs/get-releases-json.py | scripts/is-docker-latest.py
$CI_COMMIT_TAG -) && export DOCKER_LATEST_TAG="-t $IMAGE_LATEST" || export DOCKER_LATEST_TAG=;
fi
-
cd api
-
docker build -t $IMAGE $DOCKER_LATEST_TAG .
-
docker push $IMAGE
-
if [[ ! -z "$DOCKER_LATEST_TAG" ]]; then docker push $IMAGE_LATEST; fi
only
:
-
develop@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
tags
:
-
docker-build
-
docker-build
docker_all_in_one_release
:
stage
:
deploy
image
:
bash
...
...
@@ -247,41 +240,50 @@ docker_all_in_one_release:
ALL_IN_ONE_ARTIFACT_URL
:
https://github.com/thetarkus/docker-funkwhale/archive/$ALL_IN_ONE_REF.zip
BUILD_PATH
:
all_in_one
before_script
:
-
docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master" ]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8); fi);
-
docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master"
]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8);
fi);
script
:
-
if [[ ! -z "$CI_COMMIT_TAG" ]]; then (./docs/get-releases-json.py | scripts/is-docker-latest.py $CI_COMMIT_TAG -) && export DOCKER_LATEST_TAG="-t $ALL_IN_ONE_IMAGE_LATEST" || export DOCKER_LATEST_TAG=; fi
-
wget $ALL_IN_ONE_ARTIFACT_URL -O all_in_one.zip
-
unzip -o all_in_one.zip -d tmpdir
-
mv tmpdir/docker-funkwhale-$ALL_IN_ONE_REF $BUILD_PATH && rmdir tmpdir
-
cp -r api $BUILD_PATH/src/api
-
cp -r front $BUILD_PATH/src/front
-
cd $BUILD_PATH
-
./scripts/download-nginx-template.sh src/ $CI_COMMIT_REF_NAME
-
docker build -t $ALL_IN_ONE_IMAGE $DOCKER_LATEST_TAG .
-
docker push $ALL_IN_ONE_IMAGE
-
if [[ ! -z "$DOCKER_LATEST_TAG" ]]; then docker push $ALL_IN_ONE_IMAGE_LATEST; fi
-
if [[ ! -z "$CI_COMMIT_TAG" ]]; then (./docs/get-releases-json.py | scripts/is-docker-latest.py
$CI_COMMIT_TAG -) && export DOCKER_LATEST_TAG="-t $ALL_IN_ONE_IMAGE_LATEST" ||
export DOCKER_LATEST_TAG=; fi
-
wget $ALL_IN_ONE_ARTIFACT_URL -O all_in_one.zip
-
unzip -o all_in_one.zip -d tmpdir
-
mv tmpdir/docker-funkwhale-$ALL_IN_ONE_REF $BUILD_PATH && rmdir tmpdir
-
cp -r api $BUILD_PATH/src/api
-
cp -r front $BUILD_PATH/src/front
-
cd $BUILD_PATH
-
"
./scripts/download-nginx-template.sh
src/
$CI_COMMIT_REF_NAME"
-
docker build -t $ALL_IN_ONE_IMAGE $DOCKER_LATEST_TAG .
-
docker push $ALL_IN_ONE_IMAGE
-
if [[ ! -z "$DOCKER_LATEST_TAG" ]]; then docker push $ALL_IN_ONE_IMAGE_LATEST;
fi
only
:
-
develop@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
tags
:
-
docker-build
-
docker-build
build_api
:
# Simply publish a zip containing api/ directory
stage
:
deploy
image
:
bash
artifacts
:
name
:
"
api_${CI_COMMIT_REF_NAME}
"
name
:
api_${CI_COMMIT_REF_NAME}
paths
:
-
api
-
api
script
:
-
rm -rf api/tests
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master" ]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8); fi);
-
chmod -R 750 api
-
echo Done!
-
rm -rf api/tests
-
(if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "master"
]; then ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8);
fi);
-
chmod -R 750 api
-
echo Done!
only
:
-
tags@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
-
tags@funkwhale/funkwhale
-
master@funkwhale/funkwhale
-
develop@funkwhale/funkwhale
sast
:
stage
:
test
include
:
-
template
:
Security/SAST.gitlab-ci.yml
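Review bot: The `docker login -u $DOCKER_LOGIN -p $DOCKER_PASSWORD` lines in the before_script of docker_release and docker_all_in_one_release come through the reformat unchanged, and passing the registry secret via `-p` leaves it visible in the runner's process list and in any shell tracing the job log captures; prefer `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_LOGIN" --password-stdin`. The same jobs (and review_front/build_front) also fetch the jq binary with `curl -L -o /usr/local/bin/jq ...jq-1.5/jq-linux64` and the all-in-one zip with `wget $ALL_IN_ONE_ARTIFACT_URL` without any integrity check, so whatever the download returns is executed or built as-is; recording a known digest for each and verifying it with `sha256sum -c` before `chmod +x` / `unzip` would close that gap, which fits a commit whose purpose is to turn on SAST for the repository. The new `include` of Security/SAST.gitlab-ci.yml has to sit at the top level of the file rather than under the `sast` job, and since the rendered page drops indentation that cannot be confirmed here and is worth checking in the raw file.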