-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
142 lines (126 loc) · 4.95 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
stages:
- publish
- scan
variables:
DOCKER_DRIVER: overlay2
MAJOR_VERSION: '9'
MINOR_VERSION: '9.0'
FULL_VERSION: '9.0.0'
# PR builds
build-v9.0.0-pr:
extends: .build-version-pr
variables:
FULL_VERSION: '9.0.0'
image: docker:latest
before_script: ['docker info']
services: ['docker:dind']
stage: publish
tags: [docker]
except: [master, tags]
build-v8.22.0-pr:
extends: .build-version-pr
variables:
FULL_VERSION: '8.22.0'
image: docker:latest
before_script: ['docker info']
services: ['docker:dind']
stage: publish
tags: [docker]
except: [master, tags]
# ---
# Main builds
build-v9.0.0:
extends: .build-version
variables:
MAJOR_VERSION: '9'
MINOR_VERSION: '9.0'
FULL_VERSION: '9.0.0'
PUBLISH_MAJOR_TAG: 'true'
PUBLISH_LATEST_TAG: 'true'
image: docker:latest
before_script: ['docker info']
services: ['docker:dind']
stage: publish
only: [master, tags]
tags: [docker]
build-v8.22.0:
extends: .build-version
variables:
MAJOR_VERSION: '8'
MINOR_VERSION: '8.22'
FULL_VERSION: '8.22.0'
PUBLISH_MAJOR_TAG: 'true'
image: docker:latest
before_script: ['docker info']
services: ['docker:dind']
stage: publish
only: [master, tags]
tags: [docker]
container_scanning:
image: docker:stable
stage: scan
variables:
CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE
CI_APPLICATION_TAG: $FULL_VERSION
allow_failure: true
services:
- docker:stable-dind
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-container-scanning-report.json]
only: [master, tags]
container_scanning-pr:
image: docker:stable
stage: scan
variables:
CI_APPLICATION_REPOSITORY: $CI_REGISTRY_IMAGE
CI_APPLICATION_TAG: $CI_COMMIT_REF_SLUG
allow_failure: true
services:
- docker:stable-dind
script:
- docker run -d --name db arminc/clair-db:latest
- docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
- apk add -U wget ca-certificates
- docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
- wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
- mv clair-scanner_linux_amd64 clair-scanner
- chmod +x clair-scanner
- touch clair-whitelist.yml
- while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
- retries=0
- echo "Waiting for clair daemon to start"
- while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; echo -n "." ; if [ $retries -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; retries=$(($retries+1)) ; done
- ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
artifacts:
paths: [gl-container-scanning-report.json]
except: [master, tags]
.build-version-pr:
script:
- docker build --build-arg SENTRY_VERSION=$FULL_VERSION -t $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG --label org.opencontainers.image.revision=$CI_COMMIT_SHA .
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
- docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
.build-version:
script:
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
- docker build --build-arg SENTRY_VERSION=$FULL_VERSION -t $CI_REGISTRY_IMAGE:$FULL_VERSION --label org.opencontainers.image.revision=$CI_COMMIT_SHA .
- docker tag $CI_REGISTRY_IMAGE:$FULL_VERSION $CI_REGISTRY_IMAGE:$MINOR_VERSION
- docker tag $CI_REGISTRY_IMAGE:$FULL_VERSION $CI_REGISTRY_IMAGE:$MAJOR_VERSION
- docker tag $CI_REGISTRY_IMAGE:$FULL_VERSION $CI_REGISTRY_IMAGE:latest
- docker push $CI_REGISTRY_IMAGE:$FULL_VERSION
- docker push $CI_REGISTRY_IMAGE:$MINOR_VERSION
- if [ $PUBLISH_MAJOR_TAG ]; then docker push $CI_REGISTRY_IMAGE:$MAJOR_VERSION; fi
- if [ $PUBLISH_LATEST_TAG ]; then docker push $CI_REGISTRY_IMAGE:latest; fi