mirror of
https://github.com/kasmtech/workspaces-core-images.git
synced 2024-11-25 08:53:12 +01:00
301 lines
8.4 KiB
Plaintext
301 lines
8.4 KiB
Plaintext
############
|
|
# Settings #
|
|
############
|
|
image: docker:24.0.6
|
|
services:
|
|
- docker:24.0.6-dind
|
|
stages:
|
|
- readme
|
|
- revert
|
|
- build
|
|
- scan
|
|
- test
|
|
- manifest
|
|
variables:
|
|
KASM_RELEASE: "{{ KASM_RELEASE }}"
|
|
TEST_INSTALLER: "{{ TEST_INSTALLER }}"
|
|
DOCKER_HOST: tcp://docker:2375
|
|
DOCKER_TLS_CERTDIR: ""
|
|
before_script:
|
|
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
|
|
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
|
|
|
|
###############################################
|
|
# Build Containers and push to cache endpoint #
|
|
###############################################
|
|
{% for IMAGE in multiImages %}
|
|
build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: build
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
tags:
|
|
- ${TAG}
|
|
retry: 1
|
|
parallel:
|
|
matrix:
|
|
- TAG: [ oci-fixed-amd, oci-fixed-arm ]
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: build
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
tags:
|
|
- oci-fixed-amd
|
|
retry: 1
|
|
{% endfor %}
|
|
|
|
######################################
|
|
# Test containers and upload results #
|
|
######################################
|
|
{% for IMAGE in multiImages %}
|
|
test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: test
|
|
when: always
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "${ARCH}" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
needs:
|
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
when: on_success
|
|
tags:
|
|
- oci-fixed-amd
|
|
retry: 1
|
|
parallel:
|
|
matrix:
|
|
- ARCH: [ "x86_64", "aarch64" ]
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: test
|
|
when: always
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "x86_64" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
needs:
|
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
when: on_success
|
|
tags:
|
|
- oci-fixed-amd
|
|
retry: 1
|
|
{% endfor %}
|
|
|
|
######################################
|
|
# Vulnerability Scans #
|
|
######################################
|
|
{% for IMAGE in multiImages %}
|
|
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: scan
|
|
script:
|
|
- apk add bash
|
|
- (cd ci-scripts && bash download-trivy)
|
|
- bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
|
|
rules:
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
|
when: never
|
|
- if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
|
|
{% if FILE_LIMITS %}changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
when: always
|
|
- when: manual
|
|
needs:
|
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
tags:
|
|
- oci-fixed-amd
|
|
retry: 1
|
|
artifacts:
|
|
reports:
|
|
junit:
|
|
- $CI_PROJECT_DIR/trivy-report.xml
|
|
parallel:
|
|
matrix:
|
|
- ARCH: [ "x86_64", "aarch64" ]
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: scan
|
|
script:
|
|
- apk add bash
|
|
- (cd ci-scripts && bash download-trivy)
|
|
- bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
|
|
rules:
|
|
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
|
|
when: never
|
|
- if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
|
|
{% if FILE_LIMITS %}changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
when: always
|
|
- when: manual
|
|
needs:
|
|
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
artifacts:
|
|
reports:
|
|
junit:
|
|
- $CI_PROJECT_DIR/trivy-report.xml
|
|
tags:
|
|
- oci-fixed-amd
|
|
retry: 1
|
|
{% endfor %}
|
|
|
|
############################################
|
|
# Manifest Containers if their test passed #
|
|
############################################
|
|
{% for IMAGE in multiImages %}
|
|
manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: manifest
|
|
when: always
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
needs:
|
|
- test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
when: on_success
|
|
tags:
|
|
- oci-fixed-amd
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: manifest
|
|
when: always
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single"
|
|
{% if FILE_LIMITS %}only:
|
|
changes:
|
|
{% for FILE in files %}- {{ FILE }}
|
|
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
|
|
{% endfor %}{% endif %}
|
|
except:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
needs:
|
|
- test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
|
|
when: on_success
|
|
tags:
|
|
- oci-fixed-amd
|
|
{% endfor %}
|
|
|
|
####################
|
|
# Helper Functions #
|
|
####################
|
|
|
|
## Update Readmes ##
|
|
{% for IMAGE in multiImages %}
|
|
update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: readme
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}"
|
|
only:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
tags:
|
|
- oci-fixed-amd
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: readme
|
|
script:
|
|
- apk add bash
|
|
- bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}"
|
|
only:
|
|
variables:
|
|
- $README_USERNAME
|
|
- $README_PASSWORD
|
|
tags:
|
|
- oci-fixed-amd
|
|
{% endfor %}
|
|
|
|
## Revert Images to specific build id ##
|
|
{% for IMAGE in multiImages %}
|
|
dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: revert
|
|
script:
|
|
- /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}"
|
|
only:
|
|
variables:
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
{% endfor %}
|
|
|
|
{% for IMAGE in singleImages %}
|
|
dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
|
|
stage: revert
|
|
script:
|
|
- /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}"
|
|
only:
|
|
variables:
|
|
- $DOCKERHUB_REVERT
|
|
- $REVERT_IS_ROLLING
|
|
{% endfor %}
|