.gitlab-ci.yml
# Docker image needed for CI (pinned tag; every job below inherits it unless it sets its own `image:`)
image: mobicoop/php-node-chromium:2.0.0
services:
  # CI-only database reachable from the job as host `db`
  # NOTE(review): the 10.4 release line is end-of-life upstream — a supported tag would keep the
  # service image patched; confirm the API's schema/migrations still run on a newer line first
  - name: mariadb:10.4
    alias: db
variables:
  # Configure mysql service (https://hub.docker.com/_/mysql/)
  # Throwaway credentials for the ephemeral CI database service only — never reuse them elsewhere
  MYSQL_DATABASE: mobicoop_db
  MYSQL_ROOT_PASSWORD: mobicoop
  # Keep the npm cache inside the project dir so the global `cache:` stanza below can persist it
  npm_config_cache: "$CI_PROJECT_DIR/.npm"
  # CYPRESS_CACHE_FOLDER: "$CI_PROJECT_DIR/cache/Cypress"
# Cache modules in between jobs
# A job that declares its own `cache:` (dev_deploy does) replaces this one entirely rather
# than extending it.
cache:
  key: "$CI_JOB_STAGE-$CI_COMMIT_REF_SLUG"
  paths: # restored on the next job that uses the same key
    - .npm
    # - cache/Cypress
    # - /root/.cache/Cypress
# Name of the stages that can be executed on a pipeline by the runner, in execution order.
# `tests` currently has no active job (branch_features below is commented out).
stages:
  - tests
  - deploy
  - prod_deploy
  - admin_test_deploy
  - admin_prod_deploy
  - doc
  - reports
###############################################################################################
############# Everything under this is executed for every push (any branch) ###################
###############################################################################################
# #
# # Tests for all branches except dev, master & tagged branches
# #
# branch_features: # name of the job
# stage: tests
# # variables:
# # APP_ENV: dev # /!\ important : symfony env variable /!\
# before_script:
# - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
# - npm run install-all-ci # Install the dependencies in the local node_modules folder
# script:
# - npm test
# # - npm test --prefix=admin
# only:
# - pushes # job executed only on pushes
# except:
# refs: # job not executed for these branches & tags
# - tags
# - dev
# - test
# - master
# - /^*.-next$/
# variables:
# - $CI_COMMIT_MESSAGE =~ /skip/ # job not executed when commit message contains this expression
# cache:
# key: "$CI_JOB_STAGE-$CI_COMMIT_REF_SLUG"
# paths: # excluded : not cached
# - node_modules/
# - api/vendor/
# - client/vendor/
# - client/node_modules/
# - admin/node_modules/
###############################################################################################
############# Everything under this is executed only for the Dev env (dev branch) ##############
###############################################################################################
#
# Deployment for dev branch
#
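dev_deploy:
  stage: deploy
  environment:
    name: dev
    url: https://dev.mobicoop.io
  only:
    - dev
  # variables:
  #   APP_ENV: dev # /!\ important : symfony env variable /!\
  before_script:
    # The JWT key pair is regenerated on every deploy and shipped to the server by the rsync
    # below, so the passphrase has to be the one the deployed API is configured with.
    # The fallback is the value that used to be written in clear here: it is in git history
    # and must be treated as exposed. Define JWT_PASSPHRASE as a masked CI variable, rotate
    # the value on the server, then delete the fallback.
    - export JWT_PASSPHRASE="${JWT_PASSPHRASE:-ca4ffed31ee358cc7c7083af6e5773cd}"
    # env: keeps the passphrase off the openssl command line (process list and job log)
    - cd api && openssl genrsa -aes256 -passout env:JWT_PASSPHRASE -out config/jwt/private.pem 4096
    - openssl rsa -in config/jwt/private.pem -passin env:JWT_PASSPHRASE -pubout -out config/jwt/public.pem
    # NOTE(review): 777 leaves the private key world-readable in the runner. rsync below runs
    # without -p, so the server receives these bits masked by its umask; 640 together with
    # --group=www-data is probably enough, but confirm which user reads the key there first.
    - chmod 777 config/jwt/*
    - cp config/rdex/clients.json.dist config/rdex/clients.json
    - cp config/rdex/operator.json.dist config/rdex/operator.json
    - cp config/rdex/providers.json.dist config/rdex/providers.json && cd ../
    # --unsafe-perm runs package lifecycle scripts as root inside the runner image
    - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
    - npm run install-all-ci # Install the dependencies in the local node_modules folder
    # - npm run update-db
  script:
    # - npm run test-and-coverage
    - cd client && npm run compile && cd ../
    # start-ci stays in the background; wait-on blocks until the webpack manifest exists.
    # Nothing stops it afterwards here (the killall lines are commented out), unlike test_deploy.
    - npm run start-ci & wait-on client/public/build/entrypoints.json
    # - npm run test-functional-ci-cypress
    # Kill all node & php processes once the e2e tests have passed
    # - killall node || true
    # - killall php || true
    # Deploy key: written straight into ~/.ssh under a 077 umask, so it is never readable by
    # others — not even between the write and a chmod — and never sits in the project tree
    - mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    - (umask 077 && echo "${SSH_DEV_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")
    - echo "${SSH_DEV_HOST_KEY}" > "${HOME}/.ssh/known_hosts"
    # NOTE(review): -o StrictHostKeyChecking=no turns the known_hosts written above into a
    # hint only — a changed server key is accepted without error. Once SSH_DEV_HOST_KEY is
    # confirmed to use the "[host]:port" form ssh expects for a non-default SSH_PORT, drop
    # the option from both commands below.
    - rsync --stats --quiet --group=www-data -hrvz --exclude-from=.gitlab-exclude --delete -e "ssh -o StrictHostKeyChecking=no -p $SSH_PORT" ./ ${SSH_DEV_USER}@${SSH_DEV_IP}:/var/www/dev/mobicoop # rsync the files on the server
    # && instead of ; so a failed cd cannot run postDeploy.sh from the wrong directory
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_DEV_USER}@${SSH_DEV_IP} "cd /var/www/dev/mobicoop/ && chmod +x postDeploy.sh && ./postDeploy.sh --version=dev --version-migrate=dev --instance=mobicoop" # database migration and other after deploy works
  when: manual # /!\ important : job executed manually /!\
  except:
    refs:
      - tags # job not executed on tags
  # a job-level cache replaces the global one, so .npm is not cached for this job
  cache:
    key: "$CI_JOB_STAGE-$CI_COMMIT_REF_SLUG"
    paths:
      - api/vendor/
      - client/vendor/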
###############################################################################################
############# Everything under this is executed only for the Test env (test) ###################
###############################################################################################
#
# Deployment for test branch
#
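test_deploy:
  stage: deploy
  environment:
    name: test
    url: https://test.mobicoop.io
  only:
    # NOTE(review): `^*.-next$` looks like a transposed `^.*-next$` (any ref ending in -next);
    # what `^*` matches depends on the regex engine, so confirm before changing it
    - /^*.-next$/
  # variables:
  #   APP_ENV: test # /!\ important : symfony env variable /!\
  before_script:
    - echo API_URI=http://localhost:8080/ >> client/.env # Override default docker value for gitlab-ci
    # The JWT key pair is regenerated on every deploy and shipped to the server by the rsync
    # below, so the passphrase has to be the one the deployed API is configured with.
    # The fallback is the value that used to be written in clear here: it is in git history
    # and must be treated as exposed. Define JWT_PASSPHRASE as a masked CI variable, rotate
    # the value on the server, then delete the fallback.
    - export JWT_PASSPHRASE="${JWT_PASSPHRASE:-ca4ffed31ee358cc7c7083af6e5773cd}"
    # env: keeps the passphrase off the openssl command line (process list and job log)
    - cd api && openssl genrsa -aes256 -passout env:JWT_PASSPHRASE -out config/jwt/private.pem 4096
    - openssl rsa -in config/jwt/private.pem -passin env:JWT_PASSPHRASE -pubout -out config/jwt/public.pem
    # NOTE(review): 777 leaves the private key world-readable in the runner; rsync runs without
    # -p, so the server gets these bits masked by its umask. Tighten once the reading user is known.
    - chmod 777 config/jwt/*
    - cp config/rdex/clients.json.dist config/rdex/clients.json
    - cp config/rdex/operator.json.dist config/rdex/operator.json
    - cp config/rdex/providers.json.dist config/rdex/providers.json && cd ../
    # --unsafe-perm runs package lifecycle scripts as root inside the runner image
    - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
    - npm run install-all-ci # Install the dependencies in the local node_modules folder
    - npm run update-db
  script:
    # - npm run test-and-coverage
    # start-ci stays in the background; wait-on blocks until the webpack manifest exists
    - npm run start-ci & wait-on client/public/build/entrypoints.json
    # - npm run test-functional-ci || true
    # Kill all node & php processes once the e2e tests have passed
    - killall node || true
    - killall php || true
    # Deploy key: written straight into ~/.ssh under a 077 umask, so it is never readable by
    # others — not even between the write and a chmod — and never sits in the project tree
    - mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    - (umask 077 && echo "${SSH_TEST_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")
    - echo "${SSH_TEST_HOST_KEY}" > "${HOME}/.ssh/known_hosts"
    # NOTE(review): -o StrictHostKeyChecking=no turns the known_hosts written above into a
    # hint only — a changed server key is accepted without error. Once SSH_TEST_HOST_KEY is
    # confirmed to use the "[host]:port" form ssh expects for a non-default SSH_PORT, drop
    # the option from the three commands below.
    # && instead of ; so a failed cd cannot touch a maintenance flag in the wrong directory
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_TEST_USER}@${SSH_TEST_IP} "cd /var/www/test/mobicoop/client/ && touch ./public/maintenance.enable && cd /var/www/test/mobicoop/api/ && touch ./public/maintenance.enable" # put the site on maintenance
    - rsync --stats --quiet --group=www-data -hrvz --exclude-from=.gitlab-exclude --delete -e "ssh -o StrictHostKeyChecking=no -p $SSH_PORT" ./ ${SSH_TEST_USER}@${SSH_TEST_IP}:/var/www/test/mobicoop # rsync the files on the server
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_TEST_USER}@${SSH_TEST_IP} "cd /var/www/test/mobicoop/ && chmod +x postDeploy.sh && ./postDeploy.sh --version=test --version-migrate=test --instance=mobicoop" # database migration and other after deploy works
  after_script:
    # Kill all node & php processes if the e2e tests did not pass (after_script also runs on failure)
    - killall node || true
    - killall php || true
  when: manual # /!\ important : job executed manually /!\
  except:
    refs:
      - tags # job not executed on tags
  artifacts:
    paths:
      # - client/cypress/screenshots
      - client/public/build
      - client/node_modules/
      - client/vendor/
      - api/vendor/
      - node_modules/
    expire_in: 1 week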
###############################################################################################
############# Everything under this is executed only for Production (MASTER) ###################
###############################################################################################
#
# Deployment for master branch on test server
#
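prod_test_deploy:
  stage: prod_deploy
  only: # job executed only on master branch
    - master
  # variables:
  #   APP_ENV: prod # /!\ important : symfony env variable /!\
  environment:
    name: prod
    url: https://mobicoop.io
  before_script: # This is required to send the prod type no dev, since it creates errors
    #dependencies:
    #- test_deploy
    - echo API_URI=http://localhost:8080/ >> client/.env # Override default docker value for gitlab-ci
    # The JWT key pair is regenerated on every deploy and shipped to the server by the rsync
    # below, so the passphrase has to be the one the deployed API is configured with.
    # The fallback is the value that used to be written in clear here: it is in git history
    # and must be treated as exposed. Define JWT_PASSPHRASE as a masked CI variable, rotate
    # the value on the server, then delete the fallback.
    - export JWT_PASSPHRASE="${JWT_PASSPHRASE:-ca4ffed31ee358cc7c7083af6e5773cd}"
    # env: keeps the passphrase off the openssl command line (process list and job log)
    - cd api && openssl genrsa -aes256 -passout env:JWT_PASSPHRASE -out config/jwt/private.pem 4096
    - openssl rsa -in config/jwt/private.pem -passin env:JWT_PASSPHRASE -pubout -out config/jwt/public.pem
    # NOTE(review): 777 leaves the private key world-readable in the runner; rsync runs without
    # -p, so the server gets these bits masked by its umask. Tighten once the reading user is known.
    - chmod 777 config/jwt/*
    - cp config/rdex/clients.json.dist config/rdex/clients.json
    - cp config/rdex/operator.json.dist config/rdex/operator.json
    - cp config/rdex/providers.json.dist config/rdex/providers.json && cd ../
    # --unsafe-perm runs package lifecycle scripts as root inside the runner image
    - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
    - npm run install-all-ci # Install the dependencies in the local node_modules folder
    - npm run update-db
  script:
    - cd client && npm run compile && cd ../
    # Deploy key: written straight into ~/.ssh under a 077 umask, so it is never readable by
    # others — not even between the write and a chmod — and never sits in the project tree
    - mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    - (umask 077 && echo "${SSH_PROD_TEST_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")
    - echo "${SSH_PROD_TEST_HOST_KEY}" > "${HOME}/.ssh/known_hosts"
    # NOTE(review): -o StrictHostKeyChecking=no turns the known_hosts written above into a
    # hint only — a changed server key is accepted without error. Once SSH_PROD_TEST_HOST_KEY
    # is confirmed to use the "[host]:port" form ssh expects for a non-default SSH_PORT, drop
    # the option from both commands below.
    - rsync --stats --quiet --group=www-data -hrvz --exclude-from=.gitlab-exclude --delete -e "ssh -o StrictHostKeyChecking=no -p $SSH_PORT" ./ ${SSH_PROD_TEST_USER}@${SSH_PROD_TEST_IP}:/var/www/prod/mobicoop # rsync the files on the server
    # && instead of ; so a failed cd cannot run postDeploy.sh from the wrong directory
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_TEST_USER}@${SSH_PROD_TEST_IP} "cd /var/www/prod/mobicoop/ && chmod +x postDeploy.sh && ./postDeploy.sh --version=prod --version-migrate=prod --instance=mobicoop" # database migration and other after deploy works
  when: manual # /!\ important : job executed manually /!\
  artifacts:
    paths:
      # - client/cypress/screenshots
      - client/public/build
      - client/node_modules/
      - client/vendor/
      - api/vendor/
      - node_modules/
    expire_in: 1 week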
#
# Deployment for master branch to the staging tree on the production server
#
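staging_deploy:
  stage: prod_deploy
  only: # job executed only on master branch
    - master
  # variables:
  #   APP_ENV: prod # /!\ important : symfony env variable /!\
  # NOTE(review): this job reports into the same `prod` environment (and URL) as prod_deploy
  # although it rsyncs to the staging tree, so staging runs show up as prod deployments and
  # receive prod-scoped CI variables. `name: staging` would be cleaner — check which variables
  # are scoped to `prod` before renaming.
  environment:
    name: prod
    url: https://www.mobicoop.fr
  before_script: # This is required to send the prod type no dev, since it creates errors
    #dependencies:
    #- test_deploy
    - echo API_URI=http://localhost:8080/ >> client/.env # Override default docker value for gitlab-ci
    # The JWT key pair is regenerated on every deploy and shipped to the server by the rsync
    # below, so the passphrase has to be the one the deployed API is configured with.
    # The fallback is the value that used to be written in clear here: it is in git history
    # and must be treated as exposed. Define JWT_PASSPHRASE as a masked CI variable, rotate
    # the value on the server, then delete the fallback.
    - export JWT_PASSPHRASE="${JWT_PASSPHRASE:-ca4ffed31ee358cc7c7083af6e5773cd}"
    # env: keeps the passphrase off the openssl command line (process list and job log)
    - cd api && openssl genrsa -aes256 -passout env:JWT_PASSPHRASE -out config/jwt/private.pem 4096
    - openssl rsa -in config/jwt/private.pem -passin env:JWT_PASSPHRASE -pubout -out config/jwt/public.pem
    # NOTE(review): 777 leaves the private key world-readable in the runner; rsync runs without
    # -p, so the server gets these bits masked by its umask. Tighten once the reading user is known.
    - chmod 777 config/jwt/*
    - cp config/rdex/clients.json.dist config/rdex/clients.json
    - cp config/rdex/operator.json.dist config/rdex/operator.json
    - cp config/rdex/providers.json.dist config/rdex/providers.json && cd ../
    # --unsafe-perm runs package lifecycle scripts as root inside the runner image
    - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
    - npm run install-all-ci # Install the dependencies in the local node_modules folder
    - npm run update-db
  script:
    - cd client && npm run compile && cd ../
    # Deploy key: written straight into ~/.ssh under a 077 umask, so it is never readable by
    # others — not even between the write and a chmod — and never sits in the project tree
    - mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    - (umask 077 && echo "${SSH_PROD_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")
    - echo "${SSH_PROD_HOST_KEY}" > "${HOME}/.ssh/known_hosts"
    # NOTE(review): -o StrictHostKeyChecking=no turns the known_hosts written above into a
    # hint only — a changed server key is accepted without error. Once SSH_PROD_HOST_KEY is
    # confirmed to use the "[host]:port" form ssh expects for a non-default SSH_PORT, drop
    # the option from the three commands below.
    # && instead of ; so a failed cd cannot touch a maintenance flag in the wrong directory
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_USER}@${SSH_PROD_IP} "cd /var/www/mobicoop/staging/client/ && touch ./public/maintenance.enable && cd /var/www/mobicoop/staging/api/ && touch ./public/maintenance.enable" # put the site on maintenance
    - rsync --stats --quiet --group=www-data -hrvz --exclude-from=.gitlab-exclude --delete -e "ssh -o StrictHostKeyChecking=no -p $SSH_PORT" ./ ${SSH_PROD_USER}@${SSH_PROD_IP}:/var/www/mobicoop/staging # rsync the files on the server
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_USER}@${SSH_PROD_IP} "cd /var/www/mobicoop/staging/ && chmod +x postDeploy.sh && ./postDeploy.sh --version=staging --version-migrate=prod --instance=mobicoop" # database migration and other after deploy works
  when: manual # /!\ important : job executed manually /!\
  artifacts:
    paths:
      # - client/cypress/screenshots
      - client/public/build
      - client/node_modules/
      - client/vendor/
      - api/vendor/
      - node_modules/
    expire_in: 1 week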
#
# Deployment for master branch on production server
#
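prod_deploy:
  stage: prod_deploy
  only: # job executed only on master branch
    - master
  # variables:
  #   APP_ENV: prod # /!\ important : symfony env variable /!\
  environment:
    name: prod
    url: https://www.mobicoop.fr
  before_script: # This is required to send the prod type no dev, since it creates errors
    #dependencies:
    #- test_deploy
    - echo API_URI=http://localhost:8080/ >> client/.env # Override default docker value for gitlab-ci
    # The JWT key pair is regenerated on every deploy and shipped to the server by the rsync
    # below, so the passphrase has to be the one the deployed API is configured with.
    # The fallback is the value that used to be written in clear here: it is in git history
    # and must be treated as exposed. Define JWT_PASSPHRASE as a masked CI variable, rotate
    # the value on the server, then delete the fallback.
    - export JWT_PASSPHRASE="${JWT_PASSPHRASE:-ca4ffed31ee358cc7c7083af6e5773cd}"
    # env: keeps the passphrase off the openssl command line (process list and job log)
    - cd api && openssl genrsa -aes256 -passout env:JWT_PASSPHRASE -out config/jwt/private.pem 4096
    - openssl rsa -in config/jwt/private.pem -passin env:JWT_PASSPHRASE -pubout -out config/jwt/public.pem
    # NOTE(review): 777 leaves the private key world-readable in the runner; rsync runs without
    # -p, so the server gets these bits masked by its umask. Tighten once the reading user is known.
    - chmod 777 config/jwt/*
    - cp config/rdex/clients.json.dist config/rdex/clients.json
    - cp config/rdex/operator.json.dist config/rdex/operator.json
    - cp config/rdex/providers.json.dist config/rdex/providers.json && cd ../
    # --unsafe-perm runs package lifecycle scripts as root inside the runner image
    - npm install --unsafe-perm # Install the dependencies in the local node_modules folder
    - npm run install-all-ci # Install the dependencies in the local node_modules folder
    - npm run update-db
  script:
    - cd client && npm run compile && cd ../
    # Deploy key: written straight into ~/.ssh under a 077 umask, so it is never readable by
    # others — not even between the write and a chmod — and never sits in the project tree
    - mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
    - (umask 077 && echo "${SSH_PROD_PRIVATE_KEY}" > "${HOME}/.ssh/id_rsa")
    - echo "${SSH_PROD_HOST_KEY}" > "${HOME}/.ssh/known_hosts"
    # NOTE(review): -o StrictHostKeyChecking=no turns the known_hosts written above into a
    # hint only — a changed server key is accepted without error. Once SSH_PROD_HOST_KEY is
    # confirmed to use the "[host]:port" form ssh expects for a non-default SSH_PORT, drop
    # the option from the three commands below.
    # && instead of ; so a failed cd cannot touch a maintenance flag in the wrong directory
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_USER}@${SSH_PROD_IP} "cd /var/www/mobicoop/prod/client/ && touch ./public/maintenance.enable && cd /var/www/mobicoop/prod/api/ && touch ./public/maintenance.enable" # put the site on maintenance
    - rsync --stats --quiet --group=www-data -hrvz --exclude-from=.gitlab-exclude --delete -e "ssh -o StrictHostKeyChecking=no -p $SSH_PORT" ./ ${SSH_PROD_USER}@${SSH_PROD_IP}:/var/www/mobicoop/prod # rsync the files on the server
    - ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_USER}@${SSH_PROD_IP} "cd /var/www/mobicoop/prod/ && chmod +x postDeploy.sh && ./postDeploy.sh --version=prod --version-migrate=prod --instance=mobicoop" # database migration and other after deploy works
  when: manual # /!\ important : job executed manually /!\
  artifacts:
    paths:
      # - client/cypress/screenshots
      - client/public/build
      - client/node_modules/
      - client/vendor/
      - api/vendor/
      - node_modules/
    expire_in: 1 week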
###############################################################################################
########## Admin ###################
###############################################################################################
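admin_test_deploy:
  # NOTE(review): alpine:3.6 is long past end of life, so `apk add openssh-client` installs an
  # unmaintained ssh client; move to a supported Alpine tag (<SUPPORTED_ALPINE_TAG>) and re-check
  # the `[[` test below, which relies on the busybox shell accepting bash syntax.
  image: alpine:3.6
  stage: admin_test_deploy
  environment:
    name: test
    url: https://bo.test.mobicoop.io/
  only:
    # NOTE(review): `^*.-next$` looks like a transposed `^.*-next$` (any ref ending in -next);
    # what `^*` matches depends on the regex engine, so confirm before changing it
    - /^*.-next$/
  # variables:
  #   APP_ENV: test # /!\ important : symfony env variable /!\
  before_script:
    - apk update && apk add openssh-client bash
  script:
    # run ssh-agent
    - eval $(ssh-agent -s)
    # add ssh key stored in SSH_TEST_PRIVATE_KEY variable to the agent store (never touches disk)
    - bash -c 'ssh-add <(echo "$SSH_TEST_PRIVATE_KEY")'
    # create ssh directory
    - mkdir -p ~/.ssh
    # record the server key for the port we actually connect on: ssh-keyscan defaults to 22,
    # so without -p the entry never matched a non-default SSH_PORT and only the
    # StrictHostKeyChecking=no below let the connection through
    - ssh-keyscan -p "${SSH_PORT}" -H "${SSH_TEST_IP}" >> ~/.ssh/known_hosts
    # disable strict host key checking, to avoid error if server ip changes !
    # NOTE(review): together with -o StrictHostKeyChecking=no on the ssh line this reduces the
    # keyscan above to trust-on-first-use at best; the other deploy jobs pin a *_HOST_KEY
    # variable instead, which is the stronger option.
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    # run the admin container. The registry password is fed to docker login over ssh stdin
    # instead of the remote command line, where every process on the server could read it
    # (assumes docker >= 17.07 on the server for --password-stdin). The stop is allowed to
    # fail (container not running); everything else is chained with && so a failed login or
    # pull no longer falls through to `docker run`.
    - echo "${CI_REGISTRY_PASSWORD}" | ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_TEST_USER}@${SSH_TEST_IP} "docker login -u ${CI_REGISTRY_USER} --password-stdin ${CI_REGISTRY} && (docker stop ${ADMIN_CONTAINER_NAME} || true) && docker pull ${CI_REGISTRY_IMAGE}:${RELEASE_VERSION} && docker run -d --env-file=/var/www/test/mobicoop/admin.env --name=${ADMIN_CONTAINER_NAME} -p 127.0.0.1:${ADMIN_DOCKER_PORT}:80/tcp --rm ${CI_REGISTRY_IMAGE}:${RELEASE_VERSION}"
  when: manual # /!\ important : job executed manually /!\
  except:
    refs:
      - tags # job not executed on tags
    variables:
      - $CI_COMMIT_MESSAGE =~ /skipci/ # job not executed when commit message contains this expression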
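admin_prod_deploy:
  # NOTE(review): alpine:3.6 is long past end of life, so `apk add openssh-client` installs an
  # unmaintained ssh client; move to a supported Alpine tag (<SUPPORTED_ALPINE_TAG>) and re-check
  # the `[[` test below, which relies on the busybox shell accepting bash syntax.
  image: alpine:3.6
  stage: admin_prod_deploy
  environment:
    name: prod
    url: https://admin.mobicoop.fr/
  only:
    - master
  # variables:
  #   APP_ENV: test # /!\ important : symfony env variable /!\
  before_script:
    - apk update && apk add openssh-client bash
  script:
    # run ssh-agent
    - eval $(ssh-agent -s)
    # add ssh key stored in SSH_PROD_PRIVATE_KEY variable to the agent store (never touches disk)
    - bash -c 'ssh-add <(echo "$SSH_PROD_PRIVATE_KEY")'
    # create ssh directory
    - mkdir -p ~/.ssh
    # record the server key for the port we actually connect on: ssh-keyscan defaults to 22,
    # so without -p the entry never matched a non-default SSH_PORT and only the
    # StrictHostKeyChecking=no below let the connection through
    - ssh-keyscan -p "${SSH_PORT}" -H "${SSH_PROD_IP}" >> ~/.ssh/known_hosts
    # disable strict host key checking, to avoid error if server ip changes !
    # NOTE(review): together with -o StrictHostKeyChecking=no on the ssh line this reduces the
    # keyscan above to trust-on-first-use at best; the other deploy jobs pin a *_HOST_KEY
    # variable instead, which is the stronger option.
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
    # run the admin container. The registry password is fed to docker login over ssh stdin
    # instead of the remote command line, where every process on the server could read it
    # (assumes docker >= 17.07 on the server for --password-stdin). The stop is allowed to
    # fail (container not running); everything else is chained with && so a failed cd, login
    # or pull no longer falls through to `docker run`.
    # NOTE(review): the pull has no tag, so prod runs whatever the registry's default tag
    # currently points at; admin_test_deploy pins ${RELEASE_VERSION} — consider doing the same.
    - echo "${CI_REGISTRY_PASSWORD}" | ssh -o StrictHostKeyChecking=no -p ${SSH_PORT} ${SSH_PROD_USER}@${SSH_PROD_IP} "cd /var/www/mobicoop/prod/ && docker login -u ${CI_REGISTRY_USER} --password-stdin ${CI_REGISTRY} && (docker stop ${ADMIN_CONTAINER_NAME} || true) && docker pull ${CI_REGISTRY_IMAGE} && docker run -d --env-file=admin.prod.env --name=${ADMIN_CONTAINER_NAME} -p 127.0.0.1:${ADMIN_DOCKER_PORT}:80/tcp --rm ${CI_REGISTRY_IMAGE}"
  when: manual # /!\ important : job executed manually /!\
  except:
    refs:
      - tags # job not executed on tags
    variables:
      - $CI_COMMIT_MESSAGE =~ /skipci/ # job not executed when commit message contains this expression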
###############################################################################################
########## Deploy the production documentation based on master branch ###################
###############################################################################################
# `pages` is the reserved job name GitLab Pages publishes from: whatever ends up in the
# `public` artifact is served.
pages:
  stage: doc
  script:
    - echo 'Deploying all the doc...'
    - npm run download-tools
    - npm run generateDocs
    # stage the generated docs in .public and rename at the end
    # NOTE(review): if a `public` directory already exists in the checkout, mv moves .public
    # inside it instead of replacing it — confirm the repository has none
    - mkdir .public
    - cp -r docs/* .public
    - mv .public public
  # presumably so prod_deploy's node_modules artifacts are available to the npm scripts above
  dependencies:
    - prod_deploy
  artifacts:
    paths:
      - public
  only:
    - master
  when: manual # /!\ important : job executed manually /!\
###############################################################################################
########## Everything under this is executed only for security reports on the default branch (dev) #
###############################################################################################
#
# Static Application Security Testing (SAST)
# (gitlab preconfigured job)
#
sast:
  stage: reports
  image: docker:stable
  # opt out of the global cache: nothing from .npm is needed here
  cache: {}
  variables:
    DOCKER_DRIVER: overlay2
  # findings never fail the pipeline; the report is informational only
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    # derive the analyzer tag from the GitLab server version
    # (constructed example: CI_SERVER_VERSION "12.3.4" -> "12-3-stable")
    - export SP_VERSION=$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')
    # the analyzer is given the checkout and the docker socket; the latter is a full-privilege
    # handle on the dind service, which is why this job runs nothing else
    - docker run
        --env SAST_CONFIDENCE_LEVEL="${SAST_CONFIDENCE_LEVEL:-3}"
        --volume "$PWD:/code"
        --volume /var/run/docker.sock:/var/run/docker.sock
        "registry.gitlab.com/gitlab-org/security-products/sast:$SP_VERSION" /app/bin/run /code
  artifacts:
    reports:
      sast: gl-sast-report.json
  only: # job executed only on the dev branch (master is not listed)
    - dev