-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.gitlab-ci.yml
84 lines (76 loc) · 2.64 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
include:
- template: Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml
variables:
ORGANIZATION_NAME: "maxrdz"
PROJECT_NAME: "spacelink"
MIRROR_HOST: "github.com"
TYPOS_UPSTREAM: "https://github.com/crate-ci/typos/releases/download/v1.22.7/typos-v1.22.7-x86_64-unknown-linux-musl.tar.gz"
GCP_PROJECT_NUMBER: 155457831646
GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID: "gitlab-ci-pool" # IAM WIF Pool
GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID: "gitlab-ci-provider" # Provider from Pool
GCP_GIT_ACCESS_KEY_SECRET_NAME: "GIT_ACCESS_KEY"
stages:
- .pre
- build
- test
- deploy
.install-required: &install-required
- apt-get update
- apt-get install -y git meson rustup pkg-config python3 python3-venv
- rustup default stable
- rustup component add clippy rustfmt
secret_detection:
stage: .pre
sync-mirror:
image: alpine
stage: .pre
allow_failure: true
retry: 2
interruptible: true
rules:
- if: ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_BRANCH == "master")
id_tokens:
GCP_ID_TOKEN:
# Must match the audience defined in the WIF Identity Pool!
aud: https://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID}/providers/${GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID}
secrets:
SSH_PRIVATE_KEY:
gcp_secret_manager:
name: $GCP_GIT_ACCESS_KEY_SECRET_NAME
version: 1
file: false
token: $GCP_ID_TOKEN
script:
- apk add --no-cache git openssh
# Setup SSH key for mirror push access
- mkdir ~/.ssh
- echo "-----BEGIN OPENSSH PRIVATE KEY-----" > ~/.ssh/privatekey
- echo ${SSH_PRIVATE_KEY} >> ~/.ssh/privatekey
- echo "-----END OPENSSH PRIVATE KEY-----" >> ~/.ssh/privatekey
- chmod 600 ~/.ssh/privatekey
# Setup known hosts beforehand to avoid interactive prompt
- ssh-keyscan gitlab.com >> ~/.ssh/known_hosts
- ssh-keyscan ${MIRROR_HOST} >> ~/.ssh/known_hosts
# Clone repository and push to mirror remote
- git clone --mirror https://gitlab.com/${ORGANIZATION_NAME}/${PROJECT_NAME}.git/
- cd ${PROJECT_NAME}.git
- ssh-agent sh -c 'ssh-add ~/.ssh/privatekey; git push -v --mirror [email protected]:${ORGANIZATION_NAME}/${PROJECT_NAME}'
commit-validation:
image: 'python:3.12-alpine'
stage: .pre
interruptible: true
script:
- python build-aux/validate-commit.py "${CI_COMMIT_TITLE}"
typos:
image: alpine
stage: .pre
interruptible: true
script:
- apk add --no-cache wget tar
- wget ${TYPOS_UPSTREAM}
- mkdir .tmp
- tar -xzf typos-v*.tar.gz -C .tmp/
- ./.tmp/typos
sast:
stage: test