[epiphany/set-sast-config-1] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist
- From: Jan-Michael Brummer <jbrummer src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [epiphany/set-sast-config-1] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist
- Date: Sun, 17 Oct 2021 20:37:29 +0000 (UTC)
commit 59599cd5ea45693a5e9bbd146fd3388b8ccfdd47
Author: Jan-Michael Brummer <jan brummer tabos org>
Date: Sun Oct 17 20:37:29 2021 +0000
Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist
.gitlab-ci.yml | 159 ++++++++++++++++++++++++++++++---------------------------
1 file changed, 83 insertions(+), 76 deletions(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 568e49cab..d7258c229 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,116 +1,123 @@
-include: 'https://gitlab.gnome.org/GNOME/citemplates/raw/master/flatpak/flatpak_ci_initiative.yml'
-
+# You can override the included template(s) by including variable overrides
+# SAST customization:
https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization:
https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization:
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+include:
+- https://gitlab.gnome.org/GNOME/citemplates/raw/master/flatpak/flatpak_ci_initiative.yml
+- template: Security/SAST.gitlab-ci.yml
cache:
paths:
- - _ccache/
-
+ - _ccache/
variables:
- BUNDLE: 'epiphany-git.flatpak'
- MANIFEST_PATH: 'org.gnome.Epiphany.json'
- RUNTIME_REPO: 'https://nightly.gnome.org/gnome-nightly.flatpakrepo'
- FLATPAK_MODULE: 'epiphany'
- APP_ID: 'org.gnome.Epiphany.Devel'
- ESLINT_LOG: "eslint-report.txt"
-
+ BUNDLE: epiphany-git.flatpak
+ MANIFEST_PATH: org.gnome.Epiphany.json
+ RUNTIME_REPO: https://nightly.gnome.org/gnome-nightly.flatpakrepo
+ FLATPAK_MODULE: epiphany
+ APP_ID: org.gnome.Epiphany.Devel
+ ESLINT_LOG: eslint-report.txt
stages:
- - test
-
+- test
check-code-style:
image: registry.gitlab.gnome.org/gnome/epiphany/master:v4
interruptible: true
script:
- - bash data/check-code-style
- - eslint -o eslint-report.txt --no-color embed/web-process-extension/resources/js/ || { cat $ESLINT_LOG;
false; }
+ - bash data/check-code-style
+ - eslint -o eslint-report.txt --no-color embed/web-process-extension/resources/js/
+ || { cat $ESLINT_LOG; false; }
artifacts:
paths:
- - ${ESLINT_LOG}
+ - "${ESLINT_LOG}"
when: on_failure
except:
- - gnome-*
-
+ - gnome-*
flatpak:
- extends: '.flatpak'
+ extends: ".flatpak"
variables:
- CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY} -Denable_gsb=true
--werror'
+ CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+ -Denable_gsb=true --werror"
except:
- - master
- - gnome-*
-
+ - master
+ - gnome-*
flatpak stable:
- extends: '.flatpak'
+ extends: ".flatpak"
variables:
- CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY} -Denable_gsb=true
-Dsoup2=enabled'
+ CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+ -Denable_gsb=true -Dsoup2=enabled"
only:
- - gnome-*
-
+ - gnome-*
flatpak master:
- extends: '.flatpak'
+ extends: ".flatpak"
variables:
- CONFIG_OPTS: '-Dtech_preview=true -Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
-Denable_gsb=true'
+ CONFIG_OPTS: "-Dtech_preview=true -Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+ -Denable_gsb=true"
only:
- - master
-
+ - master
scanbuild:
- extends: '.flatpak'
- image: "registry.gitlab.gnome.org/gnome/gnome-runtime-images/llvm_bundle:master"
+ extends: ".flatpak"
+ image: registry.gitlab.gnome.org/gnome/gnome-runtime-images/llvm_bundle:master
variables:
- CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled'
+ CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled"
script:
- - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
- - flatpak build flatpak_app bash -c "source /usr/lib/sdk/llvm12/enable.sh; meson --prefix=/app
${CONFIG_OPTS} _build; ninja -C _build scan-build"
- - if [[ -n "$(ls -A _build/meson-logs/scanbuild/)" ]]; then echo "Scan build log found, assuming defects
exist"; exit 1; fi
+ - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app
+ ${MANIFEST_PATH}
+ - flatpak build flatpak_app bash -c "source /usr/lib/sdk/llvm12/enable.sh; meson
+ --prefix=/app ${CONFIG_OPTS} _build; ninja -C _build scan-build"
+ - if [[ -n "$(ls -A _build/meson-logs/scanbuild/)" ]]; then echo "Scan build log
+ found, assuming defects exist"; exit 1; fi
artifacts:
when: on_failure
paths:
- - _build/meson-logs/scanbuild
-
+ - _build/meson-logs/scanbuild
nightly:
- extends: '.publish_nightly'
- stage: .post
- dependencies: ['flatpak master']
-
+ extends: ".publish_nightly"
+ stage: ".post"
+ dependencies:
+ - flatpak master
canary:
- image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'
- stage: 'test'
+ image: registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master
+ stage: test
interruptible: true
tags:
- - flatpak
+ - flatpak
variables:
- SDK_REPO: 'https://software.igalia.com/flatpak-refs/webkit-sdk.flatpakrepo'
- BUNDLE: 'epiphany-canary.flatpak'
+ SDK_REPO: https://software.igalia.com/flatpak-refs/webkit-sdk.flatpakrepo
+ BUNDLE: epiphany-canary.flatpak
script:
- - pip3 install --user requests
- # TODO: Switch to debug? 5GB downloads though.
- - python generate-canary-manifest.py --release
- - flatpak remote-add --user --if-not-exists webkit-sdk ${SDK_REPO}
- - flatpak-builder --user --install-deps-from=webkit-sdk --disable-rofiles-fuse --repo=repo
canary_flatpak_app org.gnome.Epiphany.Canary.json
- - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${SDK_REPO} org.gnome.Epiphany.Canary
- - tar cf canary-repo.tar repo/
- - rm -rf canary-repo canary_flatpak_app org.gnome.Epiphany.Canary.json webkitgtk.zip
-
+ - pip3 install --user requests
+ - python generate-canary-manifest.py --release
+ - flatpak remote-add --user --if-not-exists webkit-sdk ${SDK_REPO}
+ - flatpak-builder --user --install-deps-from=webkit-sdk --disable-rofiles-fuse --repo=repo
+ canary_flatpak_app org.gnome.Epiphany.Canary.json
+ - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${SDK_REPO} org.gnome.Epiphany.Canary
+ - tar cf canary-repo.tar repo/
+ - rm -rf canary-repo canary_flatpak_app org.gnome.Epiphany.Canary.json webkitgtk.zip
artifacts:
- name: 'Canary Flatpak artifacts'
- expose_as: 'Get Canary Flatpak bundle here'
- when: 'always'
+ name: Canary Flatpak artifacts
+ expose_as: Get Canary Flatpak bundle here
+ when: always
paths:
- - "${BUNDLE}"
- - "canary-repo.tar"
+ - "${BUNDLE}"
+ - canary-repo.tar
expire_in: 14 days
cache:
- - key: "$CI_JOB_NAME"
- paths:
- - '.flatpak-builder/downloads'
- - '.flatpak-builder/git'
- - key: "$CI_JOB_NAME"
- paths:
- - '.flatpak-builder/cache'
- - '.flatpak-builder/ccache'
+ - key: "$CI_JOB_NAME"
+ paths:
+ - ".flatpak-builder/downloads"
+ - ".flatpak-builder/git"
+ - key: "$CI_JOB_NAME"
+ paths:
+ - ".flatpak-builder/cache"
+ - ".flatpak-builder/ccache"
except:
- - gnome-*
-
+ - gnome-*
canary nightly:
- extends: '.publish_nightly'
- stage: .post
- dependencies: ['canary']
+ extends: ".publish_nightly"
+ stage: ".post"
+ dependencies:
+ - canary
before_script:
- - mv canary-repo.tar repo.tar
+ - mv canary-repo.tar repo.tar
+sast:
+ stage: test
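Review bot: The rewritten canary script (`+ - python generate-canary-manifest.py --release`) drops the `# TODO: Switch to debug? 5GB downloads though.` comment that the old side carried, so the reason for building the canary with `--release` is lost; restore it as a comment line directly above that script entry. The `sast:` override at the end of the hunk only sets `stage: test` and gives no hint where the job body lives; a one-line comment such as `# Job defined by the included Security/SAST.gitlab-ci.yml template; only the stage is pinned here` would save the next reader a lookup. The `flatpak_ci_initiative.yml` include in the new include list still references the `master` ref of the citemplates repository, so each pipeline pulls whatever that branch holds at run time; pinning it to a tag or commit would make the CI definition reproducible (pre-existing, but now part of the rewritten include block). The archive rendering appears to have stripped leading indentation from most hunk lines, so the nesting of the new mappings cannot be verified from the diff as shown.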