[epiphany/set-sast-config-1] Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist



commit 59599cd5ea45693a5e9bbd146fd3388b8ccfdd47
Author: Jan-Michael Brummer <jan brummer tabos org>
Date:   Sun Oct 17 20:37:29 2021 +0000

    Configure SAST in `.gitlab-ci.yml`, creating this file if it does not already exist

 .gitlab-ci.yml | 159 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 83 insertions(+), 76 deletions(-)
---
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 568e49cab..d7258c229 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,116 +1,123 @@
-include: 'https://gitlab.gnome.org/GNOME/citemplates/raw/master/flatpak/flatpak_ci_initiative.yml'
-
+# You can override the included template(s) by including variable overrides
+# SAST customization: 
https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
+# Secret Detection customization: 
https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
+# Dependency Scanning customization: 
https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
+# Note that environment variables can be set in several places
+# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
+include:
+- https://gitlab.gnome.org/GNOME/citemplates/raw/master/flatpak/flatpak_ci_initiative.yml
+- template: Security/SAST.gitlab-ci.yml
 cache:
   paths:
-    - _ccache/
-
+  - _ccache/
 variables:
-  BUNDLE: 'epiphany-git.flatpak'
-  MANIFEST_PATH: 'org.gnome.Epiphany.json'
-  RUNTIME_REPO: 'https://nightly.gnome.org/gnome-nightly.flatpakrepo'
-  FLATPAK_MODULE: 'epiphany'
-  APP_ID: 'org.gnome.Epiphany.Devel'
-  ESLINT_LOG: "eslint-report.txt"
-
+  BUNDLE: epiphany-git.flatpak
+  MANIFEST_PATH: org.gnome.Epiphany.json
+  RUNTIME_REPO: https://nightly.gnome.org/gnome-nightly.flatpakrepo
+  FLATPAK_MODULE: epiphany
+  APP_ID: org.gnome.Epiphany.Devel
+  ESLINT_LOG: eslint-report.txt
 stages:
-  - test
-
+- test
 check-code-style:
   image: registry.gitlab.gnome.org/gnome/epiphany/master:v4
   interruptible: true
   script:
-    - bash data/check-code-style
-    - eslint -o eslint-report.txt --no-color embed/web-process-extension/resources/js/ || { cat $ESLINT_LOG; 
false; }
+  - bash data/check-code-style
+  - eslint -o eslint-report.txt --no-color embed/web-process-extension/resources/js/
+    || { cat $ESLINT_LOG; false; }
   artifacts:
     paths:
-      - ${ESLINT_LOG}
+    - "${ESLINT_LOG}"
     when: on_failure
   except:
-    - gnome-*
-
+  - gnome-*
 flatpak:
-  extends: '.flatpak'
+  extends: ".flatpak"
   variables:
-    CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY} -Denable_gsb=true 
--werror'
+    CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+      -Denable_gsb=true --werror"
   except:
-    - master
-    - gnome-*
-
+  - master
+  - gnome-*
 flatpak stable:
-  extends: '.flatpak'
+  extends: ".flatpak"
   variables:
-    CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY} -Denable_gsb=true 
-Dsoup2=enabled'
+    CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+      -Denable_gsb=true -Dsoup2=enabled"
   only:
-    - gnome-*
-
+  - gnome-*
 flatpak master:
-  extends: '.flatpak'
+  extends: ".flatpak"
   variables:
-    CONFIG_OPTS: '-Dtech_preview=true -Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY} 
-Denable_gsb=true'
+    CONFIG_OPTS: "-Dtech_preview=true -Dprofile=Devel -Dunit_tests=enabled -Dgsb_api_key=${GSB_API_KEY}
+      -Denable_gsb=true"
   only:
-    - master
-
+  - master
 scanbuild:
-  extends: '.flatpak'
-  image: "registry.gitlab.gnome.org/gnome/gnome-runtime-images/llvm_bundle:master"
+  extends: ".flatpak"
+  image: registry.gitlab.gnome.org/gnome/gnome-runtime-images/llvm_bundle:master
   variables:
-    CONFIG_OPTS: '-Dprofile=Devel -Dunit_tests=enabled'
+    CONFIG_OPTS: "-Dprofile=Devel -Dunit_tests=enabled"
   script:
-    - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app ${MANIFEST_PATH}
-    - flatpak build flatpak_app bash -c "source /usr/lib/sdk/llvm12/enable.sh; meson --prefix=/app 
${CONFIG_OPTS} _build; ninja -C _build scan-build"
-    - if [[ -n "$(ls -A _build/meson-logs/scanbuild/)" ]]; then echo "Scan build log found, assuming defects 
exist"; exit 1; fi
+  - flatpak-builder --user --disable-rofiles-fuse --stop-at=${FLATPAK_MODULE} flatpak_app
+    ${MANIFEST_PATH}
+  - flatpak build flatpak_app bash -c "source /usr/lib/sdk/llvm12/enable.sh; meson
+    --prefix=/app ${CONFIG_OPTS} _build; ninja -C _build scan-build"
+  - if [[ -n "$(ls -A _build/meson-logs/scanbuild/)" ]]; then echo "Scan build log
+    found, assuming defects exist"; exit 1; fi
   artifacts:
     when: on_failure
     paths:
-      - _build/meson-logs/scanbuild
-
+    - _build/meson-logs/scanbuild
 nightly:
-  extends: '.publish_nightly'
-  stage: .post
-  dependencies: ['flatpak master']
-
+  extends: ".publish_nightly"
+  stage: ".post"
+  dependencies:
+  - flatpak master
 canary:
-  image: 'registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master'
-  stage: 'test'
+  image: registry.gitlab.gnome.org/gnome/gnome-runtime-images/gnome:master
+  stage: test
   interruptible: true
   tags:
-    - flatpak
+  - flatpak
   variables:
-    SDK_REPO: 'https://software.igalia.com/flatpak-refs/webkit-sdk.flatpakrepo'
-    BUNDLE: 'epiphany-canary.flatpak'
+    SDK_REPO: https://software.igalia.com/flatpak-refs/webkit-sdk.flatpakrepo
+    BUNDLE: epiphany-canary.flatpak
   script:
-    - pip3 install --user requests
-    # TODO: Switch to debug? 5GB downloads though.
-    - python generate-canary-manifest.py --release
-    - flatpak remote-add --user --if-not-exists webkit-sdk ${SDK_REPO}
-    - flatpak-builder --user --install-deps-from=webkit-sdk --disable-rofiles-fuse --repo=repo 
canary_flatpak_app org.gnome.Epiphany.Canary.json
-    - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${SDK_REPO} org.gnome.Epiphany.Canary
-    - tar cf canary-repo.tar repo/
-    - rm -rf canary-repo canary_flatpak_app org.gnome.Epiphany.Canary.json webkitgtk.zip
-
+  - pip3 install --user requests
+  - python generate-canary-manifest.py --release
+  - flatpak remote-add --user --if-not-exists webkit-sdk ${SDK_REPO}
+  - flatpak-builder --user --install-deps-from=webkit-sdk --disable-rofiles-fuse --repo=repo
+    canary_flatpak_app org.gnome.Epiphany.Canary.json
+  - flatpak build-bundle repo ${BUNDLE} --runtime-repo=${SDK_REPO} org.gnome.Epiphany.Canary
+  - tar cf canary-repo.tar repo/
+  - rm -rf canary-repo canary_flatpak_app org.gnome.Epiphany.Canary.json webkitgtk.zip
   artifacts:
-    name: 'Canary Flatpak artifacts'
-    expose_as: 'Get Canary Flatpak bundle here'
-    when: 'always'
+    name: Canary Flatpak artifacts
+    expose_as: Get Canary Flatpak bundle here
+    when: always
     paths:
-      - "${BUNDLE}"
-      - "canary-repo.tar"
+    - "${BUNDLE}"
+    - canary-repo.tar
     expire_in: 14 days
   cache:
-    - key: "$CI_JOB_NAME"
-      paths:
-        - '.flatpak-builder/downloads'
-        - '.flatpak-builder/git'
-    - key: "$CI_JOB_NAME"
-      paths:
-        - '.flatpak-builder/cache'
-        - '.flatpak-builder/ccache'
+  - key: "$CI_JOB_NAME"
+    paths:
+    - ".flatpak-builder/downloads"
+    - ".flatpak-builder/git"
+  - key: "$CI_JOB_NAME"
+    paths:
+    - ".flatpak-builder/cache"
+    - ".flatpak-builder/ccache"
   except:
-    - gnome-*
-
+  - gnome-*
 canary nightly:
-  extends: '.publish_nightly'
-  stage: .post
-  dependencies: ['canary']
+  extends: ".publish_nightly"
+  stage: ".post"
+  dependencies:
+  - canary
   before_script:
-    - mv canary-repo.tar repo.tar
+  - mv canary-repo.tar repo.tar
+sast:
+  stage: test
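Review bot: The trailing `sast:` stanza only restates `stage: test`, which is the stage the included `Security/SAST.gitlab-ci.yml` template already uses and the only entry declared under `stages:`, so as written it changes nothing; either drop it or give it a comment stating what it is meant to override, e.g. `# SAST template already runs in 'test'; keep this stanza only to override template variables such as SAST_EXCLUDED_PATHS`. The rewrite also silently drops the `# TODO: Switch to debug? 5GB downloads though.` comment that sat above `python generate-canary-manifest.py --release` in the canary job; restore it, since the reason for `--release` is otherwise lost. Separately, the new `include:` list still pulls `flatpak_ci_initiative.yml` from `raw/master`, so every pipeline picks up whatever that branch holds at run time; pinning it to a tag or commit (`raw/<commit-sha>/flatpak/flatpak_ci_initiative.yml`) would make pipelines reproducible, though this was already the case before this commit.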

