include:
  # Shared GitLab-maintained templates (Code Quality, SAST, Dependency Scanning,
  # Secret Detection); the jobs they define are tuned further down in this file.
  - template: Code-Quality.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  # Danger review component, pinned to a release tag so the reviewed step
  # cannot change underneath the pipeline.
  - component: ${CI_SERVER_FQDN}/gitlab-org/components/danger-review/danger-review@1.4.1
stages:
  - prepare    # dependency download/install (bundle:install, modules:download)
  - lint
  - test
  - post-test
variables:
  # Runner tuning for cache/artifact transfer.
  FF_USE_FASTZIP: "true"
  TRANSFER_METER_FREQUENCY: "1s"
  DOCKER_VERSION: "20.10.15"
  BUNDLE_FROZEN: "true"
  # Default Go toolchain; matrix jobs override this per-instance.
  GO_VERSION: "1.23"
  GOPATH: $CI_PROJECT_DIR/.GOPATH
  DEBIAN_VERSION: "bookworm"
  RUBY_VERSION: "3.2.5"
  BUNDLE_PATH: vendor/ruby
  # Default cache policy; the prepare jobs override it with pull-push so only
  # they refresh the shared caches.
  POLICY: pull
  CI_DEBUG_SERVICES: "true"
  RUST_VERSION: "1.73"
  UBI_VERSION: "8.6"
  # Build-image tag shared by the default and FIPS images below.
  IMAGE_TAG: "rubygems-3.5-git-2.45-exiftool-12.60"
  # Turns on the gitlab-advanced-sast job from the SAST template.
  GITLAB_ADVANCED_SAST_ENABLED: "true"
workflow:
  # Pipelines run only for MRs, the `main` branch and tags. The anchor is
  # reused by the template-provided jobs below so they follow the same gating.
  rules: &workflow_rules
    # Merge request pipelines.
    - if: '$CI_MERGE_REQUEST_IID'
    # `main` branch pipelines (schedules, pushes, merges, ...).
    - if: '$CI_COMMIT_BRANCH == "main"'
    # Tag pipelines.
    - if: '$CI_COMMIT_TAG'
# Hidden rule set, consumed via `!reference` by jobs that only make sense when
# Go sources or module files changed.
.rules:go-changes:
  rules:
    - changes:
        - 'go.mod'
        - 'go.sum'
        - '**/*.go'
default:
  # Debian build image carrying the Ruby/Go/Rust toolchains; pinned by tag,
  # not by digest, so a re-pushed tag would change the toolchain silently.
  image: registry.gitlab.com/gitlab-org/gitlab-build-images/debian-${DEBIAN_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
  tags:
    - gitlab-org
# Mixin for jobs that need a Docker daemon (docker-in-docker service).
.use-docker-in-docker:
  image: docker:${DOCKER_VERSION}
  services:
    - docker:${DOCKER_VERSION}-dind
  tags:
    # See https://gitlab.com/gitlab-com/www-gitlab-com/-/issues/7019 for tag descriptions
    - gitlab-org-docker
# Anchor holder (not a job): Go module cache keyed on the toolchain version
# and the module files. The policy comes from $POLICY (pull by default).
.cached-go: &cached_go
  - key:
      prefix: "golang-${GO_VERSION}-cache"
      files:
        - go.mod
        - go.sum
    policy: $POLICY
    paths:
      - .GOPATH/pkg/mod/
# Anchor holder (not a job): bundler cache keyed on the Ruby version and the
# lockfile, stored under BUNDLE_PATH.
.cached-ruby: &cached_ruby
  - key:
      prefix: "ruby-${RUBY_VERSION}-cache"
      files:
        - Gemfile.lock
    policy: $POLICY
    paths:
      - ${BUNDLE_PATH}
# Mixin: Go module cache only.
.cached-go-job:
  variables:
    CACHE_COMPRESSION_LEVEL: "fastest"
  cache:
    - *cached_go
# Mixin: bundler cache only.
.cached-ruby-job:
  cache:
    - *cached_ruby
# Mixin: both the Go module cache and the bundler cache.
.cached-job:
  cache:
    - *cached_go
    - *cached_ruby
# Mixin: run one instance per supported Go toolchain.
.go-matrix-job:
  parallel:
    matrix:
      - GO_VERSION: ["1.22", "1.23"]
################################################################################
# Prepare jobs
################################################################################
bundle:install:
  stage: prepare
  extends: .cached-ruby-job
  variables:
    # This job refreshes the bundler cache; everyone else only pulls it.
    POLICY: pull-push
  script:
    - bundle install --jobs $(nproc)
modules:download:
  stage: prepare
  extends:
    - .cached-go-job
    - .go-matrix-job
  variables:
    # One cache per Go version in the matrix; this job is the only writer.
    POLICY: pull-push
  script:
    - go mod download
################################################################################
# Test jobs
################################################################################
# Base for every test job: waits for the prepare jobs, runs only on Go changes,
# and brings up a Gitaly service the integration tests talk to.
.test-job:
  needs: ['bundle:install', 'modules:download']
  rules: !reference [".rules:go-changes", rules]
  variables:
    GITALY_CONNECTION_INFO: '{"address":"tcp://gitaly:8075", "storage":"default"}'
  before_script:
    # Set up the environment to run integration tests (still written in Ruby)
    - make build
    - cp config.yml.example config.yml
    - go version
    - which go
  services:
    # NOTE(review): `master` is a mutable tag, so the Gitaly under test can
    # change between runs with no change in this repository; a release tag or
    # digest would make test results reproducible.
    - name: registry.gitlab.com/gitlab-org/build/cng/gitaly:master
      # Disable the hooks so we don't have to stub the GitLab API
      command:
        - "bash"
        - "-c"
        - "mkdir -p /home/git/repositories && rm -rf /srv/gitlab-shell/hooks/* && touch /srv/gitlab-shell/.gitlab_shell_secret && exec /usr/bin/env GITALY_TESTING_NO_GIT_HOOKS=1 /scripts/process-wrapper"
      alias: gitaly
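tests:
  extends:
    - .cached-job
    - .go-matrix-job
    - .test-job
  script:
    - make verify test_fancy
  after_script:
    # after_script runs whether or not the script step failed, so coverage is
    # produced from whatever tests completed.
    - make coverage
  # Escape the dot: `\d+.\d+%` accepts any character between the digit runs.
  coverage: '/\d+\.\d+%/'
  artifacts:
    when: always
    paths:
      - cover.xml
    reports:
      # NOTE(review): cover.xml is registered as a JUnit report. If `make coverage`
      # emits Cobertura coverage XML rather than JUnit test results, the matching
      # key is `coverage_report` (with `coverage_format: cobertura`) — confirm.
      junit: cover.xml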
# Same test run as `tests`, but with cgo disabled.
tests_without_cgo:
  extends:
    - .cached-job
    - .go-matrix-job
    - .test-job
  variables:
    CGO_ENABLED: "0"
  script:
    - make verify test_fancy
# FIPS run on the UBI build image. Uses the default GO_VERSION only (no matrix)
# and runs the tests without the `verify` target.
tests:fips:
  image: registry.gitlab.com/gitlab-org/gitlab-build-images/ubi-${UBI_VERSION}-ruby-${RUBY_VERSION}-golang-${GO_VERSION}-rust-${RUST_VERSION}:${IMAGE_TAG}
  extends:
    - .cached-job
    - .test-job
  variables:
    FIPS_MODE: "1"
  script:
    - make test_fancy
# Race-detector run; only needs the Go cache.
race:
  extends:
    - .cached-go-job
    - .go-matrix-job
    - .test-job
  script:
    - make test_golang_race
# Template-provided job; needs docker-in-docker and follows the workflow gating.
code_quality:
  stage: lint
  extends: .use-docker-in-docker
  rules: *workflow_rules
code_navigation:
  stage: post-test
  # Third-party image pulled by tag; best-effort job, so a pull or index
  # failure does not affect the pipeline result.
  image: sourcegraph/lsif-go:v1.9
  allow_failure: true
  script:
    - lsif-go
  artifacts:
    reports:
      lsif: dump.lsif
# SAST
semgrep-sast:
  stage: lint
  # Replace the template's rules with the workflow gating.
  rules: *workflow_rules
# Enabled through GITLAB_ADVANCED_SAST_ENABLED in the global variables.
gitlab-advanced-sast:
  stage: lint
  rules: *workflow_rules
# Dependency Scanning
gemnasium-dependency_scanning:
  stage: lint
  # Replace the template's rules with the workflow gating.
  rules: *workflow_rules
# Secret Detection
secret_detection:
  stage: lint
  # Replace the template's rules with the workflow gating.
  rules: *workflow_rules
# Downstream omnibus build (and optionally QA) for this MR's revision.
build-package-and-qa:
  stage: post-test
  trigger:
    project: 'gitlab-org/build/omnibus-gitlab-mirror'
    branch: 'master'
    strategy: depend
  inherit:
    # Do not forward this pipeline's globals; only the variables listed below go downstream.
    variables: false
  variables:
    # NOTE(review): CI_MERGE_REQUEST_SOURCE_BRANCH_SHA is documented as populated
    # only in merged-results pipelines; in a plain MR pipeline this would be
    # empty — confirm the project runs merged-results pipelines.
    GITLAB_SHELL_VERSION: $CI_MERGE_REQUEST_SOURCE_BRANCH_SHA
    TOP_UPSTREAM_SOURCE_PROJECT: $CI_PROJECT_PATH
    TOP_UPSTREAM_SOURCE_REF: $CI_COMMIT_REF_NAME
    TOP_UPSTREAM_SOURCE_JOB: $CI_JOB_URL
    ee: "true"
  rules:
    # MRs that change dependencies: build automatically so breakage is caught,
    # but keep the QA tests manual.
    - if: '$CI_MERGE_REQUEST_IID'
      changes:
        - go.sum
      variables:
        BUILD_ON_ALL_OS: "true"
        MANUAL_QA_TEST: "true"
      allow_failure: false
    # Every other MR: manual job so developers can obtain a package and run QA.
    - if: '$CI_MERGE_REQUEST_IID'
      when: manual
      allow_failure: true
  needs: []
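# Fails when go.mod/go.sum are not tidy.
modules:tidy:
  stage: lint
  # Pull the Go module cache that modules:download populated instead of
  # re-downloading every module for `go mod tidy`.
  extends: .cached-go-job
  needs: ['modules:download']
  script:
    - go mod tidy
    # Any rewrite of the module files means the committed ones were stale.
    - git diff --exit-code go.mod go.sum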
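lint:
  stage: lint
  script:
    # Write the Code Quality report to gl-code-quality-report.json and print
    # linting issues to stdout in the format: path/to/file:line description.
    # Remove `--issues-exit-code 0` or set it to non-zero to fail the job when
    # linting issues are detected.
    - apt update && apt install -y jq
    - make lint GOLANGCI_LINT_ARGS="--out-format code-climate:gl-code-quality-report-temp.json,line-number"
    # Map golangci-lint's "warning" severity to Code Climate's "minor"; all
    # other entries pass through unchanged.
    - jq '[ .[] | select(.severity == "warning").severity |= "minor" ]' gl-code-quality-report-temp.json > gl-code-quality-report.json
    - rm -f gl-code-quality-report-temp.json
  artifacts:
    reports:
      codequality: gl-code-quality-report.json
    paths:
      - gl-code-quality-report.json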
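# Best-effort nil-safety analysis; findings surface as an allowed failure.
nilaway:
  stage: lint
  rules: !reference [".rules:go-changes", rules]
  before_script:
    # TODO(review): pin a tagged release (`@vX.Y.Z`, placeholder) instead of
    # `@latest` so the job is reproducible and an upstream release cannot
    # silently change what gets installed and run here.
    - go install go.uber.org/nilaway/cmd/nilaway@latest
  script:
    # Let nilaway's exit status reach the job. `allow_failure: true` already
    # keeps findings from blocking the pipeline; masking them with `|| true`
    # only made them invisible in the job status.
    - ${GOPATH}/bin/nilaway ./... > /tmp/out.txt 2>&1
  after_script:
    # Runs whether or not the script step failed, so the report is always printed.
    - cat /tmp/out.txt
  allow_failure: true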