118 lines
3.1 KiB
YAML
118 lines
3.1 KiB
YAML
# You can override the included template(s) by including variable overrides
|
|
# SAST customization: https://docs.gitlab.com/user/application_security/sast/#available-cicd-variables
|
|
# Secret Detection customization: https://docs.gitlab.com/user/application_security/secret_detection/pipeline/configure/
|
|
# Dependency Scanning customization: https://docs.gitlab.com/user/application_security/dependency_scanning/#customizing-analyzer-behavior
|
|
# Container Scanning customization: https://docs.gitlab.com/user/application_security/container_scanning/#customizing-analyzer-behavior
|
|
# Note that environment variables can be set in several places
|
|
# See https://docs.gitlab.com/ci/variables/#cicd-variable-precedence
|
|
default:
|
|
image: python:3.12-slim
|
|
|
|
cache:
|
|
key:
|
|
files:
|
|
- pyproject.toml
|
|
paths:
|
|
- .cache/pip
|
|
- .venv/
|
|
|
|
stages:
|
|
- install
|
|
- check
|
|
- test
|
|
- secret-detection
|
|
- security
|
|
|
|
sast:
|
|
stage: test
|
|
|
|
include:
|
|
- template: Security/SAST.gitlab-ci.yml
|
|
- template: Security/Secret-Detection.gitlab-ci.yml
|
|
|
|
variables:
|
|
SECRET_DETECTION_ENABLED: "true"
|
|
PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
|
|
POETRY_VERSION: "2.1.1"
|
|
POETRY_VIRTUALENVS_IN_PROJECT: "true"
|
|
|
|
secret_detection:
|
|
stage: secret-detection
|
|
|
|
install:
|
|
stage: install
|
|
script:
|
|
- apt-get update -qq && apt-get install -y -qq libcap-dev
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry install --without pi --no-interaction
|
|
artifacts:
|
|
paths:
|
|
- .venv/
|
|
expire_in: 1 hour
|
|
|
|
black:
|
|
stage: check
|
|
needs: [install]
|
|
script:
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry run black --check src/ tests/
|
|
|
|
ruff:
|
|
stage: check
|
|
needs: [install]
|
|
script:
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry run ruff check src/ tests/
|
|
|
|
mypy:
|
|
stage: check
|
|
needs: [install]
|
|
script:
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry run mypy src/
|
|
|
|
pytest:
|
|
stage: test
|
|
needs: [install]
|
|
script:
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry run pytest
|
|
coverage: '/TOTAL.*\s+(\d+%)$/'
|
|
artifacts:
|
|
reports:
|
|
coverage_report:
|
|
coverage_format: cobertura
|
|
path: coverage.xml
|
|
when: always
|
|
expire_in: 7 days
|
|
|
|
dependency-update:
|
|
stage: security
|
|
# fresh install — don't reuse cached venv since we're updating packages
|
|
cache: []
|
|
script:
|
|
- apt-get update -qq && apt-get install -y -qq libcap-dev git curl
|
|
- pip install poetry==$POETRY_VERSION
|
|
- poetry install --without pi --no-interaction
|
|
- chmod +x scripts/dependency_update.sh scripts/create_mr.sh
|
|
# run update — exits 0 if no changes, 1 if changes found
|
|
- |
|
|
set +e
|
|
bash scripts/dependency_update.sh
|
|
UPDATE_EXIT=$?
|
|
set -e
|
|
if [ $UPDATE_EXIT -eq 1 ]; then
|
|
echo "Changes found — creating merge request"
|
|
bash scripts/create_mr.sh
|
|
else
|
|
echo "No changes — skipping merge request"
|
|
fi
|
|
rules:
|
|
# run on push to main
|
|
- if: '$CI_COMMIT_BRANCH == "main"'
|
|
# run on schedule
|
|
- if: '$CI_PIPELINE_SOURCE == "schedule"'
|
|
# never run on dependency-update branches to avoid loops
|
|
- if: "$CI_COMMIT_BRANCH =~ /^dependency-updates-/"
|
|
when: never
|