-
Notifications
You must be signed in to change notification settings - Fork 34
/
.gitlab-ci.yml
77 lines (68 loc) · 1.68 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
include:
- project: 'prodsec/scp-scanning/gitlab-checkmarx'
ref: latest
file: '/templates/.sast_scan.yml'
- project: 'ci-cd/templates'
ref: master
file: '/prodsec/.oss-scan.yml'
image:
name: "docker.repo.splunkdev.net/ci-cd/ci-container/maven-3.8-jdk-17:1.15.0"
stages:
- build
- verify
- release
- post-release
build:
stage: build
script:
- ./gradlew build -x :smoke-tests:test --scan --no-daemon --stacktrace
sast-scan:
stage: verify
rules:
- if: '$CI_COMMIT_REF_NAME == "main"'
extends: .sast_scan
variables:
SAST_SCANNER: "Semgrep"
# Fail build on high severity security vulnerabilities
alert_mode: "policy"
oss-scan:
stage: verify
rules:
- if: '$CI_COMMIT_REF_NAME == "main"'
extends: .oss-scan
tags: []
snapshot:
stage: release
rules:
- if: '$CI_COMMIT_REF_NAME == "main"'
script:
- ./gradlew assemble publishToSonatype --no-daemon --stacktrace
release:
stage: release
artifacts:
when: always
paths:
- dist/
rules:
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
before_script:
- ./scripts/install-gh-deps.sh
script:
- ./scripts/release.sh "$CI_COMMIT_TAG"
publish-docker-image:
stage: post-release
rules:
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
before_script:
- ./scripts/install-docker-deps.sh
- ./scripts/install-gh-deps.sh
script:
- ./scripts/publish-docker-image.sh "$CI_COMMIT_TAG"
propagate-version:
stage: post-release
rules:
- if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+(-alpha)?.*/'
before_script:
- ./scripts/install-gh-deps.sh
script:
- ./scripts/propagate-version.sh "$CI_COMMIT_TAG"