workspaces-core-images/ci-scripts/gitlab-ci.template
2023-11-22 17:13:20 +00:00

301 lines
8.4 KiB
Plaintext

############
# Settings #
############
image: docker:24.0.6
services:
- docker:24.0.6-dind
stages:
- readme
- revert
- build
- scan
- test
- manifest
variables:
KASM_RELEASE: "{{ KASM_RELEASE }}"
TEST_INSTALLER: "{{ TEST_INSTALLER }}"
DOCKER_HOST: tcp://docker:2375
DOCKER_TLS_CERTDIR: ""
before_script:
- docker login --username $DOCKER_HUB_USERNAME --password $DOCKER_HUB_PASSWORD
- export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
###############################################
# Build Containers and push to cache endpoint #
###############################################
{% for IMAGE in multiImages %}
build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: build
script:
- apk add bash
- bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
tags:
- ${TAG}
retry: 1
parallel:
matrix:
- TAG: [ oci-fixed-amd, oci-fixed-arm ]
{% endfor %}
{% for IMAGE in singleImages %}
build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: build
script:
- apk add bash
- bash ci-scripts/build.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
tags:
- oci-fixed-amd
retry: 1
{% endfor %}
######################################
# Test containers and upload results #
######################################
{% for IMAGE in multiImages %}
test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: test
when: always
script:
- apk add bash
- bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "${ARCH}" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
retry: 1
parallel:
matrix:
- ARCH: [ "x86_64", "aarch64" ]
{% endfor %}
{% for IMAGE in singleImages %}
test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: test
when: always
script:
- apk add bash
- bash ci-scripts/test.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "{{ IMAGE.base }}" "{{ IMAGE.bg }}" "{{ IMAGE.distro }}" "{{ IMAGE.dockerfile }}" "x86_64" "${EC2_LAUNCHER_ID}" "${EC2_LAUNCHER_SECRET}"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
retry: 1
{% endfor %}
######################################
# Vulnerability Scans #
######################################
{% for IMAGE in multiImages %}
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: scan
script:
- apk add bash
- (cd ci-scripts && bash download-trivy)
- bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: never
- if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
{% if FILE_LIMITS %}changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
when: always
- when: manual
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
tags:
- oci-fixed-amd
retry: 1
artifacts:
reports:
junit:
- $CI_PROJECT_DIR/trivy-report.xml
parallel:
matrix:
- ARCH: [ "x86_64", "aarch64" ]
{% endfor %}
{% for IMAGE in singleImages %}
scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: scan
script:
- apk add bash
- (cd ci-scripts && bash download-trivy)
- bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
rules:
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
when: never
- if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
{% if FILE_LIMITS %}changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
when: always
- when: manual
needs:
- build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
artifacts:
reports:
junit:
- $CI_PROJECT_DIR/trivy-report.xml
tags:
- oci-fixed-amd
retry: 1
{% endfor %}
############################################
# Manifest Containers if their test passed #
############################################
{% for IMAGE in multiImages %}
manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: manifest
when: always
script:
- apk add bash
- bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
{% endfor %}
{% for IMAGE in singleImages %}
manifest_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: manifest
when: always
script:
- apk add bash
- bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single"
{% if FILE_LIMITS %}only:
changes:
{% for FILE in files %}- {{ FILE }}
{% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
{% endfor %}{% endif %}
except:
variables:
- $README_USERNAME
- $README_PASSWORD
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
needs:
- test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
when: on_success
tags:
- oci-fixed-amd
{% endfor %}
####################
# Helper Functions #
####################
## Update Readmes ##
{% for IMAGE in multiImages %}
update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: readme
script:
- apk add bash
- bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}"
only:
variables:
- $README_USERNAME
- $README_PASSWORD
tags:
- oci-fixed-amd
{% endfor %}
{% for IMAGE in singleImages %}
update_readmes_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: readme
script:
- apk add bash
- bash ci-scripts/readme.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}"
only:
variables:
- $README_USERNAME
- $README_PASSWORD
tags:
- oci-fixed-amd
{% endfor %}
## Revert Images to specific build id ##
{% for IMAGE in multiImages %}
dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: revert
script:
- /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "multi" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}"
only:
variables:
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
{% endfor %}
{% for IMAGE in singleImages %}
dockerhub_revert_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
stage: revert
script:
- /bin/bash ci-scripts/manifest.sh "{{ IMAGE.name1 }}" "{{ IMAGE.name2 }}" "single" "${DOCKERHUB_REVERT}" "${REVERT_IS_ROLLING}"
only:
variables:
- $DOCKERHUB_REVERT
- $REVERT_IS_ROLLING
{% endfor %}