Add .gitlab-ci.yml

c5fe9efc · micah · 33013655 · c5fe9efc
Commit c5fe9efc authored Apr 12, 2022 by micah
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+stages:
+  - build
+  - release
+
+variables:
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  RELEASE_TAG: $CI_REGISTRY_IMAGE:latest
+  PREVIOUS_RELEASE_TAG: $CI_REGISTRY_IMAGE:previous
+  DOCKER_DRIVER: overlay2
+
+.docker_job_template: &docker_job
+  image: docker:stable
+  services:
+    - name: docker:dind
+      alias: docker
+  tags:
+    - DIND
+  before_script:
+    - if [ -n "$TRIGGERED_USER" ] && [ -n "$TRIGGER_SOURCE" ]; then
+        echo "Pipeline triggered by $TRIGGERED_USER at $TRIGGER_SOURCE";
+      fi
+    - echo -n "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin $CI_REGISTRY
+
+build:
+  <<: *docker_job
+  stage: build
+  script:
+    - >
+      docker build
+      --pull
+      --build-arg ci_token=$CI_JOB_TOKEN
+      --build-arg ci_commit_sha=$CI_COMMIT_SHORT_SHA
+      ${BUILD_DEB_APT_PROXY:+--build-arg http_proxy=http://${BUILD_DEB_APT_PROXY}}
+      --cache-from $RELEASE_TAG
+      --label "org.opencontainers.image.title=$CI_PROJECT_TITLE"
+      --label "org.opencontainers.image.url=$CI_PROJECT_URL"
+      --label "org.opencontainers.image.created=$CI_JOB_STARTED_AT"
+      --label "org.opencontainers.image.revision=$CI_COMMIT_SHA"
+      --label "org.opencontainers.image.version=$CI_COMMIT_REF_NAME"
+      -t $IMAGE_TAG
+      .
+    - docker push $IMAGE_TAG
+
+release:
+  <<: *docker_job
+  stage: release
+  variables:
+    GIT_STRATEGY: none
+  script:
+    # Update PREVIOUS_RELEASE_TAG and commit new RELEASE_TAG
+    - docker pull $RELEASE_TAG || true
+    - docker tag $RELEASE_TAG $PREVIOUS_RELEASE_TAG || true
+    - docker push $PREVIOUS_RELEASE_TAG || true
+    - docker pull $IMAGE_TAG
+    - docker tag $IMAGE_TAG $RELEASE_TAG
+    - docker push $RELEASE_TAG
+  only:
+    - main
+
+trivy:
+  <<: *docker_job
+  stage: build
+  needs: [build]
+  allow_failure: true
+  script:
+    - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+    - echo $TRIVY_VERSION
+    - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
+    - ./trivy --cache-dir .trivycache/ --format template --template "@contrib/gitlab-codequality.tpl" -o gl-codequality.json $IMAGE_TAG || true
+  cache:
+    paths:
+      - .trivycache/
+  artifacts:
+    paths:
+      - gl-codequality.json
+    reports:
+      codequality: gl-codequality.json