Commit 8c21e124 authored by Mashudu modika's avatar Mashudu modika 💬

Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist

parent 51edfa52
# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
image: docker:19.03.12
variables:
# When you use the dind service, you must instruct Docker to talk with
# the daemon started inside of the service. The daemon is available
# with a network connection instead of the default
# /var/run/docker.sock socket. Docker 19.03 does this automatically
# by setting the DOCKER_HOST in
# https://github.com/docker-library/docker/blob/d45051476babc297257df490d22cbd806f1b11e4/19.03/docker-entrypoint.sh#L23-L29
#
# The 'docker' hostname is the alias of the service container as described at
# https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#accessing-the-services.
#
# Specify to Docker where to create the certificates. Docker
# creates them automatically on boot, and creates
# `/certs/client` to share between the service and job
# container, thanks to volume mount from config.toml
DOCKER_TLS_CERTDIR: "/certs"
stages:
- test
- buildp-the space
- integration
- release-build
- release-upload
- release-publish
# The plan would be for this cache to be reused by all jobs.
# Caches curently end up cached per runner, per job concurrency level and per md5 of path?
# So there are potentially 12 caches that end up needing to be populated right now?
# https://forum.gitlab.com/t/confusion-around-ci-docker-cache-volumes-and-sharing-across-jobs-concurrency/56793
# Docker cache volumes look like this runner-<short-token>-project-<id>-concurrent-<concurrency-id>-cache-<md5-of-path>
- test
- buildp-the space
- integration
- release-build
- release-upload
- release-publish
cache:
- key: mediawiki
- key: mediawiki
paths:
- mediawiki
services:
- name: docker:19.03.12-dind
- name: docker:19.03.12-dind
test:
stage: test
needs: []
......@@ -50,7 +32,6 @@ test:
- make test
- go get github.com/boumenot/gocover-cobertura
- gocover-cobertura < coverage.txt > coverage.xml
checks:
stage: test
needs: []
......@@ -62,10 +43,8 @@ checks:
- CHECK: vet
- CHECK: staticcheck
script:
# XDG_CACHE_HOME is needed by staticcheck
- export XDG_CACHE_HOME=/tmp/mwcli-cache
- make $CHECK
build:
stage: build
needs: []
......@@ -76,11 +55,12 @@ build:
- bin/
script:
- make
integration-general:
stage: integration
needs: [checks,test,build]
needs:
- checks
- test
- build
cache: {}
dependencies:
- build
......@@ -88,14 +68,15 @@ integration-general:
matrix:
- TEST: general-commands.sh
before_script:
# libc6-compat needed because https://stackoverflow.com/questions/36279253/go-compiled-binary-wont-run-in-an-alpine-docker-container-on-ubuntu-host
- apk add --no-cache libc6-compat bash
script:
- ./tests/$TEST
- "./tests/$TEST"
integration-docker:
stage: integration
needs: [checks,test,build]
needs:
- checks
- test
- build
dependencies:
- build
parallel:
......@@ -104,70 +85,65 @@ integration-docker:
- TEST: docker-mw-install-all-the-dbs.sh
- TEST: docker-mw-mysql-suspend-resume-destroy.sh
before_script:
# libc6-compat needed because https://stackoverflow.com/questions/36279253/go-compiled-binary-wont-run-in-an-alpine-docker-container-on-ubuntu-host
- apk add --no-cache libc6-compat bash docker-compose curl composer
- ./tests/cache-mediawiki.sh
- ./tests/setup.sh
- "./tests/cache-mediawiki.sh"
- "./tests/setup.sh"
script:
- ./tests/$TEST
- "./tests/$TEST"
release-build:
stage: release-build
needs: [build]
needs:
- build
cache: {}
#image: docker-registry.wikimedia.org/golang:1.13-3
# Custom 1.13 image that also has curl in, which is needed for the release upload hack https://phabricator.wikimedia.org/T292372
image: addshore/wm-golang-curl:1.13-3
# artifacts:
# paths:
# - _release/
script:
# Ideally make would not be needed, only release? But it is needed to install deps currently?
- make
- make release VERSION=${CI_COMMIT_TAG:-$CI_COMMIT_BRANCH}
# This next part should be in release-upload, but https://phabricator.wikimedia.org/T292372
- >
- |
if [ -n "$CI_COMMIT_TAG" ]; then
for release_path in $(find ./_release -type f); do
release_file=$(echo $release_path | sed "s/.*\///")
curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${release_path} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/mwcli/${CI_COMMIT_TAG}/${release_file}"
done
fi
release-upload:
only:
- tags
stage: release-upload
needs: [integration-general, integration-docker, release-build]
needs:
- integration-general
- integration-docker
- release-build
dependencies:
- release-build
# Has 1 requirement of curl, could be replaced by a wmf releng image?
image: alpine:latest
before_script:
- apk add curl
# https://docs.gitlab.com/ee/user/packages/generic_packages/#publish-a-generic-package-by-using-cicd
script:
- echo "Placeholder job, as a conditional upload currently happens as part of release-build awaiting decision on https://phabricator.wikimedia.org/T292372"
# - >
# for release_path in $(find ./_release -type f); do
# release_file=$(echo $release_path | sed "s/.*\///")
# curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${release_path} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/mwcli/${CI_COMMIT_TAG}/${release_file}"
# done
- echo "Placeholder job, as a conditional upload currently happens as part of release-build
awaiting decision on https://phabricator.wikimedia.org/T292372"
release-publish:
only:
- tags
stage: release-publish
needs: [release-build, release-upload]
needs:
- release-build
- release-upload
dependencies:
- release-build
image: registry.gitlab.com/gitlab-org/release-cli:latest
script:
- (echo "## ${CI_COMMIT_TAG}" && echo "CHANGELOG extracted from https://gitlab.wikimedia.org/releng/cli/-/blob/main/CHANGELOG.md" && sed "/^## ${CI_COMMIT_TAG}$/,/^## /"'!d'";//d;/\^$/d" CHANGELOG.md) > .gitlab.description.md
- (echo "## ${CI_COMMIT_TAG}" && echo "CHANGELOG extracted from https://gitlab.wikimedia.org/releng/cli/-/blob/main/CHANGELOG.md"
&& sed "/^## ${CI_COMMIT_TAG}$/,/^## /"'!d'";//d;/\^$/d" CHANGELOG.md) > .gitlab.description.md
- assets_links=""
- >
- |
for release_path in $(find ./_release -type f); do
release_file=$(echo $release_path | sed "s/.*\///")
assets_links="${assets_links} --assets-link {\"name\":\"${release_file}\",\"url\":\"${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/mwcli/${CI_COMMIT_TAG}/${release_file}\"}"
done
- release-cli create --name "Release $CI_COMMIT_TAG" --description ".gitlab.description.md" --released-at "${CI_COMMIT_TIMESTAMP}" ${assets_links}
- release-cli create --name "Release $CI_COMMIT_TAG" --description ".gitlab.description.md"
--released-at "${CI_COMMIT_TIMESTAMP}" ${assets_links}
sast:
stage: test
include:
- template: Security/SAST.gitlab-ci.yml
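Review bot: The `stages` list in the first hunk (printed twice, old and new side) contains the entry `buildp-the space`, while the `build` job later declares `stage: build`, so as rendered there is no stage named `build` and GitLab would reject the pipeline with a "chosen stage does not exist" error; unless this is a rendering artefact, the entry should read `- build`. Separately, the release path is not pinned: `release-build` runs on `addshore/wm-golang-curl:1.13-3` (a tag in a personal Docker Hub namespace) and `release-upload`/`release-publish` use `alpine:latest` and `release-cli:latest`, so the binaries uploaded with `$CI_JOB_TOKEN` and the release assets are produced by images that can change underneath the pipeline — pinning each by digest, e.g. `image: addshore/wm-golang-curl:1.13-3@sha256:<digest>`, would make the release reproducible and auditable. The added `sast` job only sets `stage: test`, which the included template already uses by default, so the override is harmless but could carry a one-line comment such as `# keep SAST in the test stage so it runs alongside checks/test` to explain why it exists.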