############ # Settings # ############ image: docker:24.0.6 services: - docker:24.0.6-dind stages: - readme - revert - build - scan - test - manifest variables: KASM_RELEASE: "{{ KASM_RELEASE }}" TEST_INSTALLER: "{{ TEST_INSTALLER }}" DOCKER_HOST: tcp://docker:2375 DOCKER_TLS_CERTDIR: "" before_script: - docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')" ############################################### # Build Containers and push to cache endpoint # ############################################### {% for IMAGE in multiImages %} build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: build script: - apk add bash - bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING tags: - ${TAG} retry: 1 parallel: matrix: - TAG: [ oci-fixed-amd, oci-fixed-arm ] {% endfor %} {% for IMAGE in singleImages %} build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: build script: - apk add bash - bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING tags: - oci-fixed-amd retry: 1 {% endfor %} ###################################### # Test containers and upload results # ###################################### {% for IMAGE in multiImages %} test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: test when: always script: - apk add bash - bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "${ARCH}" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success tags: - oci-fixed-amd retry: 1 parallel: matrix: - ARCH: [ "x86_64", "aarch64" ] {% endfor %} {% for IMAGE in singleImages %} test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: test when: always script: - apk add bash - bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "x86_64" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success tags: - oci-fixed-amd retry: 1 {% endfor %} ###################################### # Vulnerability Scans # ###################################### {% for IMAGE in multiImages %} scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: scan script: - apk add bash - (cd ci-scripts && bash download-trivy) - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true") {% if FILE_LIMITS %}changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} when: always - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} tags: - oci-fixed-amd retry: 1 artifacts: reports: junit: - $CI_PROJECT_DIR/trivy-report.xml parallel: matrix: - ARCH: [ "x86_64", "aarch64" ] {% endfor %} {% for IMAGE in singleImages %} scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: scan script: - apk add bash - (cd ci-scripts && bash download-trivy) - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID} rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" when: never - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true") {% if FILE_LIMITS %}changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} when: always - when: manual needs: - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} artifacts: reports: junit: - $CI_PROJECT_DIR/trivy-report.xml tags: - oci-fixed-amd retry: 1 {% endfor %} ############################################ # Manifest Containers if their test passed # ############################################ {% for IMAGE in multiImages %} manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: manifest when: always script: - apk add bash - bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING needs: - test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success tags: - oci-fixed-amd {% endfor %} {% for IMAGE in singleImages %} manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: manifest when: always script: - apk add bash - bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single" {% if FILE_LIMITS %}only: changes: {% for FILE in files %}- {{ FILE }} {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }} {% endfor %}{% endif %} except: variables: - $README_USERNAME - $README_PASSWORD - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING needs: - test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }} when: on_success tags: - oci-fixed-amd {% endfor %} #################### # Helper Functions # #################### ## Update Readmes ## {% for IMAGE in multiImages %} update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: readme script: - apk add bash - bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" only: variables: - $README_USERNAME - $README_PASSWORD tags: - oci-fixed-amd {% endfor %} {% for IMAGE in singleImages %} update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: readme script: - apk add bash - bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" only: variables: - $README_USERNAME - $README_PASSWORD tags: - oci-fixed-amd {% endfor %} ## Revert Images to specific build id ## {% for IMAGE in multiImages %} dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: revert script: - /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}" only: variables: - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING {% endfor %} {% for IMAGE in singleImages %} dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}: stage: revert script: - /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}" only: variables: - $DOCKERHUB_REVERT - $REVERT_IS_ROLLING {% endfor %}