# Default image for every job that does not set its own `image:`.
# The rspec job below uses a different image that also includes
# chromedriver; when the Ruby version changes here, change it there too.
image: dev.gitlab.org:5005/gitlab/gitlab-build-images:www-gitlab-com-2.4

variables:
  # Clone depth, kept as a quoted string.
  GIT_DEPTH: "10"
  # Speed up middleman
  NO_CONTRACTS: "true"

# Shared gem-install command, reused elsewhere through the `install` alias.
.install: &install bundle install --jobs 4 --path vendor

# Default before_script; jobs that do not need the gems override it with [].
before_script:
  - *install

# Default cache for jobs that do not set `cache: {}`.
# NOTE(review): the key is one fixed string, so pipelines for any branch may
# read and write the same cached `vendor` content on a runner, including the
# build that feeds production. Confirm that sharing is intended.
cache:
  key: "web_ruby-2.4.4"
  paths:
    - tmp/cache
    - vendor

stages:
  - prepare
  - build
  - deploy
  - dast
27

# Runs the `lint` rake task with the default image, cache and before_script.
lint 0 2:
  stage: build
  tags:
    - gitlab-org
  script:
    - bundle exec rake lint

# eslint and yamllint through yarn; skips the default gem install and cache.
lint 1 2:
  stage: build
  before_script: []
  cache: {}
  tags:
    - gitlab-org
  script:
    # NOTE(review): a plain `yarn install` is not bound to the committed
    # lockfile; `--frozen-lockfile` would be. Confirm against the yarn
    # version in the image.
    - yarn install
    - yarn run eslint
    - yarn run yamllint

# Runs bin/crop-team-pictures and publishes the listed paths as artifacts
# for later stages. No gem install and no cache.
crop_pictures:
  stage: prepare
  before_script: []
  cache: {}
  tags:
    - gitlab-org
  script:
    - bin/crop-team-pictures
  artifacts:
    paths:
      - data/team.yml
      - data/pets.yml
      - source/images/team/
      - source/community/alumni/index.html.haml

# Runs pngbot on non-master pipelines whose changes include a PNG file.
# NOTE(review): the image is pulled from what appears to be a personal
# registry namespace and is referenced by tag. A tag can be re-pushed;
# a digest reference would fix the content that runs here.
pngbot_commit:
  stage: prepare
  image: registry.gitlab.com/jramsay/pngbot:v0.1.0
  before_script: []
  cache: {}
  only:
    changes:
      - "**/*.png"
  except:
    - master
  tags:
    - gitlab-org
  script:
    - pngbot

# Ruby style check; uses the default image, cache and before_script.
rubocop:
  stage: build
  tags:
    - gitlab-org
  script:
    - bundle exec rubocop

# Spec run on its own image (the tag names Ruby 2.4.5, git 2.18, Chrome 69.0
# and Docker 18.06.1). A failure here does not block the pipeline.
rspec:
  stage: build
  image: dev.gitlab.org:5005/gitlab/gitlab-build-images:ruby-2.4.5-git-2.18-chrome-69.0-docker-18.06.1
  allow_failure: true
  tags:
    - gitlab-org
  script:
    - bundle exec rspec

# Searches ./source for absolute http(s)://about.gitlab.com links and fails
# (non-blocking, allow_failure) when ag reports a match.
enforce_relative_links:
  stage: build
  # NOTE(review): `alpine` without a tag floats with the registry default.
  image: alpine
  allow_failure: true
  cache: {}
  tags:
    - gitlab-org
  before_script:
    - apk add --update the_silver_searcher
  script:
    # errexit is switched off so the ag status can be captured in $rc.
    - set +o errexit
    - ag --filename --numbers --break --nogroup --depth -1 --stats --path-to-ignore ./.relative_links_ignore '(?<!`|")https?://about.gitlab.com(?!`|\S*")' ./source && rc="$?" || rc="$?"
    # rc 0 (a match was found) fails the job; every other status, including
    # an ag error, ends the job green.
    - if [ "$rc" -eq 0 ]; then exit 1; else exit 0; fi

# Manual, non-blocking link check over the .md/.haml paths that differ from
# origin/master. Skipped on master.
# NOTE(review): InvalidLinkBear is run with follow_redirects=True on links
# taken from branch content, so the runner presumably makes outbound requests
# to hosts chosen by the contributor. Confirm runner egress rules cover that.
check_links:
  stage: build
  image: coala/base
  before_script: []
  when: manual
  allow_failure: true
  except:
    - master
  tags:
    - gitlab-org
  script:
    # Undo the shallow clone and fetch master so the diff below has a base.
    - git fetch --unshallow && git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*" && git fetch origin master
    # Third numstat column is the path; keep those matching .md or .haml.
    - git diff --numstat origin/master..$CI_COMMIT_REF_NAME -- | awk '/(.+\.md)|(.+\.haml)/ { print $3 }' > new_files
    # The collected paths are passed to coala as one comma-separated list.
    - coala --no-config --ci --bears InvalidLinkBear --settings follow_redirects=True --files="$(paste -s -d, new_files)"

# Scheduled pipelines only: runs bin/generate_handbook_changelog via bundler.
generate-handbook-changelog:
  stage: build
  only:
    - schedules
  tags:
    - gitlab-org
  script:
    - bundle exec bin/generate_handbook_changelog

# Template for the site build jobs, pulled in with `<<: *build_base`.
.build_base: &build_base
  stage: build
  dependencies:
    - crop_pictures
  tags:
    - gitlab-org
  before_script:
    # Delete every regular file under source/images/team whose name does not
    # end in -crop.jpg, then install the gems.
    - find source/images/team -type f ! -name '*-crop.jpg' -delete
    - *install
  artifacts:
    expire_in: 7 days
    paths:
      - public/
      - source/images/team/

# Site build for every ref except master.
build_branch:
  <<: *build_base
  except:
    - master
  script:
    - bundle exec rake build

# Site build for master only: production middleman environment, plus the
# `pdfs` rake task. Its artifacts are what the deploy job publishes.
build_master:
  <<: *build_base
  only:
    - master
  variables:
    MIDDLEMAN_ENV: 'production'
  script:
    - bundle exec rake build pdfs

# Non-blocking code quality scan, run as a container started from inside the job.
# NOTE(review): the scanner container is given /var/run/docker.sock, which
# means control over whichever Docker daemon owns that socket. `tags: []`
# leaves the job untagged, so confirm which runners can pick it up and that
# they are isolated from the deploy runners.
codequality:
  stage: deploy
  image: docker:stable
  services:
    - docker:stable-dind
  allow_failure: true
  before_script: []
  cache: {}
  dependencies: []
  tags: []
  variables:
    DOCKER_DRIVER: overlay2
  script:
    # Turns the server version into MAJOR-MINOR-stable. That is a moving tag,
    # so the scanner image content can change between runs.
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    - >-
      docker run
      --env SOURCE_CODE="$PWD"
      --volume "$PWD":/code
      --volume /var/run/docker.sock:/var/run/docker.sock
      "registry.gitlab.com/gitlab-org/security-products/codequality:$SP_VERSION" /code
  artifacts:
    paths:
      - codeclimate.json

# Non-blocking dependency scan, run as a container started from inside the job.
# NOTE(review): the scanner container is given /var/run/docker.sock, which
# means control over whichever Docker daemon owns that socket. `tags: []`
# leaves the job untagged, so confirm which runners can pick it up and that
# they are isolated from the deploy runners.
dependency_scanning:
  stage: deploy
  image: docker:stable
  services:
    - docker:stable-dind
  allow_failure: true
  before_script: []
  cache: {}
  dependencies: []
  tags: []
  variables:
    DOCKER_DRIVER: overlay2
  script:
    # Turns the server version into MAJOR-MINOR-stable. That is a moving tag,
    # so the scanner image content can change between runs.
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    # Remote checks stay enabled unless DEP_SCAN_DISABLE_REMOTE_CHECKS is set.
    - >-
      docker run
      --env DEP_SCAN_DISABLE_REMOTE_CHECKS="${DEP_SCAN_DISABLE_REMOTE_CHECKS:-false}"
      --volume "$PWD:/code"
      --volume /var/run/docker.sock:/var/run/docker.sock
      "registry.gitlab.com/gitlab-org/security-products/dependency-scanning:$SP_VERSION" /code
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json

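# Publishes the branch build as a review app under ~/pages/<ref slug>.
# `only`/`except` limit this to non-master branches of
# gitlab-com/www-gitlab-com, so pipelines of other projects do not reach the
# deploy runners through this job.
review:
  stage: deploy
  allow_failure: true
  before_script: []
  cache: {}
  dependencies:
    - build_branch
  variables:
    # No checkout: the job works only on the build_branch artifacts.
    GIT_STRATEGY: none
  script:
    # We sometimes have absolute URLs, this replaces them with correct ones for the review app
    - >
      find public/ -regextype egrep -iregex ".*\.(html|js|css|json|xml|txt)" -exec \
        sed --in-place "s#https\?://about.gitlab.com#https://$CI_COMMIT_REF_SLUG.about-src.gitlab.com#g" "{}" +;
    # ${VAR:?} aborts the step when the slug is unset or empty, so the sync can
    # never target ~/pages/ itself. The expansion is quoted against splitting.
    - 'rsync --ignore-times --checksum --delete -avz public ~/pages/"${CI_COMMIT_REF_SLUG:?}"'
    - rm -rf ./public/
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_COMMIT_REF_SLUG.about-src.gitlab.com
    on_stop: review_stop
  only:
    - branches@gitlab-com/www-gitlab-com
  except:
    - master@gitlab-com/www-gitlab-com
  tags:
    - deploy
    - review-apps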

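# Manual teardown of a review app: removes ~/pages/<ref slug> on the deploy
# runner. Limited to non-master branches of gitlab-com/www-gitlab-com.
review_stop:
  stage: deploy
  before_script: []
  artifacts: {}
  cache: {}
  dependencies: []
  variables:
    # No checkout is needed to delete the published directory.
    GIT_STRATEGY: none
  script:
    # ${VAR:?} aborts the step when the slug is unset or empty. Without it an
    # empty value would turn this into `rm -rf ~/pages/` and remove every
    # review app. The expansion is quoted against word splitting.
    - 'rm -rf ~/pages/"${CI_COMMIT_REF_SLUG:?}"'
  when: manual
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  only:
    - branches@gitlab-com/www-gitlab-com
  except:
    - master@gitlab-com/www-gitlab-com
  tags:
    - deploy
    - review-apps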

# Production publish: mirrors the build_master artifact into ~/public/ on the
# deploy runner. Runs only for master of gitlab-com/www-gitlab-com.
deploy:
  stage: deploy
  only:
    - master@gitlab-com/www-gitlab-com
  tags:
    - deploy
  environment:
    name: production
    url: https://about.gitlab.com
  dependencies:
    - build_master
  variables:
    # No checkout: only the downloaded artifacts are used.
    GIT_STRATEGY: none
  before_script: []
  cache: {}
  script:
    # --delete removes files from ~/public/ that are absent from public/.
    # NOTE(review): nothing here checks that the artifact is complete before
    # the mirror runs. Confirm a partial public/ cannot reach this step.
    - rsync --ignore-times --checksum --delete -avz public/ ~/public/
    - rm -rf ./public/

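# ZAP baseline scan of this branch's review app. Runs only for non-master
# branches of gitlab-com/www-gitlab-com and never blocks the pipeline.
dast:
  stage: dast
  only:
    - branches@gitlab-com/www-gitlab-com
  except:
    - master@gitlab-com/www-gitlab-com
  # NOTE(review): no tag is given, so the scanner image floats with the
  # registry default.
  image: registry.gitlab.com/gitlab-org/security-products/zaproxy
  allow_failure: true
  before_script: []
  cache: {}
  dependencies: []
  tags: []
  services: []
  variables:
    DOCKER_DRIVER: overlay2
    # Scan target: the review environment URL for this branch.
    DAST_WEB_SITE: https://$CI_COMMIT_REF_SLUG.about-src.gitlab.com
  script:
    # Quoted so the value is always tested as a single word.
    - if [ -z "$DAST_WEB_SITE" ]; then echo "Please configure DAST_WEB_SITE env variable" && exit 1; fi
    # -p: do not fail when the working directory already exists.
    - mkdir -p /zap/wrk/
    # `|| true` discards the scanner's exit status, so a crashed scan looks
    # the same as a finished one. The cp below is then the only step that
    # fails when no report was written.
    - /zap/zap-baseline.py -J gl-dast-report.json -t "$DAST_WEB_SITE" || true
    - cp /zap/wrk/gl-dast-report.json .
  artifacts:
    reports:
      dast: gl-dast-report.json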