# -*- coding: utf-8 -*-
# Global default image for every job that does not set its own
# (build and code_navigation below override it).
# NOTE(review): `latest` is a moving tag, so each run pulls whatever it currently
# resolves to; pin a version or digest for reproducible, auditable jobs.
image: alpine:latest
variables:
  DOCKER_DRIVER: overlay2
  # Remote dependency-scan checks are Ultimate/Gold only (Gemnasium library
  # vulnerability lookups).
  # NOTE(review): the Dependency-Scanning template treats this variable as a flag
  # whose documented value is "true"; confirm that the value `local` is honoured.
  DEP_SCAN_DISABLE_REMOTE_CHECKS: local
  # GITLAB_FEATURES is normally set by GitLab from the instance license, and the
  # security templates gate their jobs on it. Appending the feature names here
  # presumably makes those template jobs run on a Core/Free instance; the reports
  # are then downloadable artifacts but the licensed UI for them is still absent.
  GITLAB_FEATURES: "$GITLAB_FEATURES container_scanning dependency_scanning license_scanning sast "
# Pipeline stages. Only build/test/deploy/dast are active; the rest of the
# Auto DevOps stage list is kept commented out for reference.
stages:
  - build
  - test
  - deploy # for Pages # dummy stage to follow the template guidelines
  # - review
  # Declared because the DAST template expects it; the DAST include below is
  # commented out, so no job currently runs in this stage.
  - dast
  # - staging
  # - canary
  # - production
  # - incremental rollout 10%
  # - incremental rollout 25%
  # - incremental rollout 50%
  # - incremental rollout 100%
  # - performance
  # - cleanup
# Auto DevOps job templates shipped with the GitLab instance. `template:` includes
# resolve against the running GitLab version, so the job definitions (and the
# scanner images they pull) change whenever the instance is upgraded.
include:
  - template: Jobs/Build.gitlab-ci.yml
  # - template: Jobs/Test.gitlab-ci.yml
  - template: Jobs/Code-Quality.gitlab-ci.yml
  # - template: Jobs/Deploy.gitlab-ci.yml
  # - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml
  # - template: Security/DAST.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
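build: # overrides and additions to the template's build job
  # Previously node:11.10.1-alpine (<- alpine:2.9).
  # NOTE(review): `node:alpine` is a floating tag; pin a version for reproducible builds.
  image: "node:alpine"
  tags:
    - Docker
  # Jobs/Build.gitlab-ci.yml declares a docker:dind service; this job packs an
  # extension and never talks to Docker, so the inherited service is dropped.
  # An explicit empty list is used because a bare `services:` is YAML null.
  services: []
  script:
    - |
      function install_crxmake() {
        apk add --no-cache ruby
        export PATH=`gem environment gempath|sed 's/:.*$//'`/bin:$PATH
        # --no-document avoids pulling in the ruby-rdoc package
        gem install --user-install --no-document crxmake
      }
      function build() {
        # npm install does not work on ACex (npm WARN tar ENOENT: no such file or directory)
        #npm install
        #cp -p node_modules/jquery/dist/jquery.min.js src/lib/
        #./node_modules/.bin/tsc
        install_crxmake
        if [ -z "$PRIVATE_KEY" ];then
          unofficial_build
        else
          # PRIVATE_KEY is presumably a file-type CI/CD variable pointing at the
          # signing key. It is copied to the repository root (outside src/), so the
          # packer does not include it, and it is not listed under artifacts.
          # Keep the variable protected so unprotected branches cannot sign builds.
          cp "$PRIVATE_KEY" src.pem
          official_build
        fi
      }
      function unofficial_build() {
        crxmake --pack-extension="src" --zip-output="${CI_PROJECT_NAME}.zip" \
          --key-output=src-tmp.pem \
          --ignore-file="/(\.swp|.*~)/" --ignore-dir="/\.(?:svn|git|cvs)/" --verbose
        # keep the .ts and .map files in the package for debugging
      }
      function official_build() {
        ./build.rb
      }
      build
  artifacts:
    paths:
      - ${CI_PROJECT_NAME}.zip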
code_quality: # Code Quality moved from Starter/Bronze to Core/Free
  tags: # added on top of the template: route to a Docker-in-Docker capable runner
    - DinD
container_scanning: # scans the built Docker image
  tags: # added on top of the template: route to a Docker-in-Docker capable runner
    - DinD
  # NOTE(review): this overrides `artifacts` on a template job. Confirm the
  # template's `reports: container_scanning:` entry is still present after the
  # merge; without it the report is only downloadable, not ingested by GitLab.
  artifacts:
    # reports:
    #   container_scanning: gl-container-scanning-report.json
    expose_as: 'Container Scanning Report JSON'
    paths:
      - gl-container-scanning-report.json
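dependency_scanning: # Ultimate/Gold feature; runs here via the GITLAB_FEATURES override
  tags: # added on top of the template: route to a Docker-in-Docker capable runner
    - DinD
  # script:
  #   - cat gl-dependency-scanning-report.json  # already printed by the analyzer
  # NOTE(review): overriding `artifacts` on a template job — confirm the template's
  # `reports: dependency_scanning:` entry survives the merge.
  artifacts:
    expose_as: "Dependency JSON"
    # Block style, matching the sibling jobs, instead of an inline flow list.
    paths:
      - "gl-dependency-scanning-report.json"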
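license_scanning: # Ultimate/Gold feature; runs here via the GITLAB_FEATURES override
  tags: # added on top of the template: route to a Docker-in-Docker capable runner
    - DinD
  # script: # replacement attempt; `cat` produced a write error
  #   - /run.sh analyze .
  #   - cat $LM_REPORT_FILE  # not produced by default on CE?
  # NOTE(review): overriding `artifacts` on a template job — confirm the template's
  # `reports: license_scanning:` entry survives the merge.
  artifacts:
    expose_as: "License Scanning Report"
    # Block style, matching the sibling jobs; $LM_REPORT_FILE is expanded by the
    # runner, so it is quoted like the literal path next to it.
    paths:
      - "gl-license-scanning-report.html"
      - "$LM_REPORT_FILE"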
sast: # was Ultimate/Gold, now Core/Free (ESLint analyzer)
  tags: # added on top of the template: route to a Docker-in-Docker capable runner
    - DinD
# The remaining scan jobs need a review environment to run against.
# dast:
# performance:
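# Publishes the raw scan reports (code quality, container, dependency, license,
# SAST) as a GitLab Pages site with a generated index.html.
# Pages inherits the project's visibility unless Pages access control is enabled;
# keep it restricted to project members so vulnerability details are not
# world-readable.
pages:
  stage: deploy
  script:
    - mkdir .public
    # Folded scalars (>-) make the multi-line commands explicit; a plain scalar
    # continued on the next line is folded the same way but silently.
    # `|| true` keeps the job green when a report is missing (e.g. a scanner that
    # did not run).
    - >-
      cp -r -p
      gl-code-quality-report.json
      gl-container-scanning-report.json
      gl-dependency-scanning-report.json
      gl-license-scanning-report.html $LM_REPORT_FILE
      gl-sast-report.json
      .public/ || true
    # <head>, not <header>: the title element belongs in the document head.
    - >-
      echo "<html><head><title>CI Reports ${CI_JOB_ID}</title></head><body>
      <ul>" >index.html
    # File names come from this pipeline's own artifacts, so no HTML escaping is done.
    - >-
      (cd .public;
      for file in *;
      do echo '<li><a href="'$file'">'$file'</a></li>';
      done ) >>index.html
    - >-
      echo '</ul>
      </body></html>' >>index.html
    - mv index.html .public
    - mv .public public
  artifacts:
    expose_as: "CI Reports"
    paths:
      - public
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'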
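# Code intelligence https://docs.gitlab.com/ee/user/project/code_intelligence.html
code_navigation:
  # The project appears to be a browser extension (TypeScript/JS sources packed by
  # crxmake above); lsif-go only indexes Go code, so this job is expected to
  # produce little and is non-blocking.
  allow_failure: true
  script:
    - |
      apk add --no-cache go git
      export GOPATH="$HOME/go"
      export PATH="$GOPATH/bin:$PATH"
      # `go get` stopped installing binaries in module mode (removed in Go 1.18),
      # which is what the Go shipped by current alpine provides; `go install
      # pkg@version` is the supported form. Pin a release instead of @latest for
      # reproducible runs.
      go install github.com/sourcegraph/lsif-go/cmd/lsif-go@latest
      lsif-go
  artifacts:
    reports:
      lsif: dump.lsif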
# ---------------------------------------------------------------------------
# Shared shell prologue, aliased into every job's before_script below.
# NOTE(review): when TRACE is set, `set -x` echoes every command with its
# expanded variables into the job log; masked variables are redacted only when
# they appear verbatim, so do not leave TRACE enabled on protected branches.
# NOTE(review): `[[ ]]` is a bash/ksh construct; busybox ash on alpine accepts it,
# but a runner shell without it would fail before every job — confirm on the
# Docker/DinD runners.
.auto_devops: &auto_devops |
  # Auto DevOps variables and functions
  [[ "$TRACE" ]] && set -x
# Top-level before_script is the legacy global form (newer GitLab versions
# prefer `default:`); confirm the instance still accepts it.
before_script:
  - *auto_devops