# SPDX-FileCopyrightText: 2023 Föderales Entwicklungsportal contributors
# SPDX-License-Identifier: EUPL-1.2

# Global variables, available to every job. PROJECT_SLUG is interpolated into
# the preview base path (build job) and the preview environment URL.
variables:
  PROJECT_SLUG: entwicklungsportal

# Stage order. `cve-scan` is placed before `build` on purpose: a failing
# dependency scan (exit code 1 in trivy-filesystem) stops the pipeline before
# anything is built or deployed.
stages:
  - lint
  - cve-scan
  - build
  - deploy

workflow: # don't run branch pipelines except for main branch
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" # merge request pipeline
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH # branch pipeline only for main
    # no catch-all rule: anything else (e.g. feature-branch pushes without an
    # open MR, tag pushes) does not create a pipeline at all

# REUSE compliance check of the SPDX license headers (see the top of this file).
reuse:
  stage: lint
  image:
    # NOTE(review): `latest` is a floating tag — pinning a version or digest
    # would make lint results reproducible and auditable
    name: fsfe/reuse:latest
    # override the image's default entrypoint so the runner can start its own
    # shell and run `script` in it
    entrypoint: [""]
  script:
    - reuse lint

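# Static export of the site. Runs in merge request pipelines (preview) and on
# the default branch (production); the two differ only in NEXT_PUBLIC_BASE_PATH.
build:
  stage: build
  # NOTE(review): `lts-alpine` is a floating tag — pin a digest for reproducible builds
  image: node:lts-alpine
  before_script:
    # the alpine image ships without git; presumably needed by install/export — confirm
    - apk add git
    # --frozen-lockfile: fail instead of silently rewriting yarn.lock, so the
    # dependency tree that gets installed is exactly the one scanned in the
    # cve-scan stage (yarn berry accepts the flag as an alias of --immutable)
    - yarn install --frozen-lockfile
  script:
    # Preview builds are served below /<slug>/!<MR iid>, production from the root.
    # Keyed on the MR iid — the same signal deploy:preview and stop:preview use —
    # instead of a hard-coded branch name, so the default branch name is not
    # duplicated here and a source branch that happens to be called `main`
    # still gets a preview path. POSIX `[` because the alpine image has no bash.
    - export NEXT_PUBLIC_BASE_PATH=""
    - if [ -n "$CI_MERGE_REQUEST_IID" ]; then export NEXT_PUBLIC_BASE_PATH="/$PROJECT_SLUG/!$CI_MERGE_REQUEST_IID"; fi
    - echo "$NEXT_PUBLIC_BASE_PATH"
    - yarn export
  artifacts:
    paths:
      - build/
    expire_in: 1 hour # only needed until the webhook-triggered upload has run
  cache:
    paths:
      - node_modules/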

# Placeholder job: the actual upload is performed by a GitLab webhook that
# reacts to this job, so the script only logs. The job exists to create the
# per-MR environment (with its stop job and auto-stop).
# NOTE(review): if merge requests from forks get pipelines here, unreviewed
# contributor content is published on the preview host — confirm the project's
# MR pipeline settings.
deploy:preview:
  stage: deploy
  variables:
    GIT_STRATEGY: none # don't clone git repo
  environment:
    name: preview/$CI_MERGE_REQUEST_IID
    on_stop: stop:preview
    auto_stop_in: 2 week
    url: https://preview.docs.fitko.dev/$PROJECT_SLUG/!$CI_MERGE_REQUEST_IID
  # $CI_COMMIT_BRANCH is unset in merge request pipelines, so together with the
  # workflow rules this matches exactly the MR pipelines
  rules:
    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
  needs:
    - job: build
      artifacts: false # don't fetch artifacts from build job
  script:
    - echo "Hey, my name is $CI_JOB_ID! I'm just here so that the upload to the preview environment is triggered."
    - echo "That's a very important task and I'm very proud to help you finish that great feature you're building! :D"
    - echo "There is nothing left to do here for me. Deployment will be triggered via a GitLab webhook."
    - echo "Bye, bye! 👋"

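# Placeholder job for the default branch: the real upload is triggered by a
# GitLab webhook reacting to this job, so the script only logs.
# NOTE(review): since the webhook deploys whatever this job is run for, the
# `production` environment should be a protected environment — confirm.
deploy:production:
  stage: deploy
  variables:
    GIT_STRATEGY: none # don't clone git repo
  environment:
    name: production
    url: https://docs.fitko.de/
  # branch pipeline of the default branch only (MR pipelines have no $CI_COMMIT_BRANCH)
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  needs:
    - job: build
      artifacts: false # don't fetch artifacts from build job
  script:
    # log message previously said "preview environment" (copied from deploy:preview)
    - echo "Hey, my name is $CI_JOB_ID! I'm just here so that the upload to the production environment is triggered."
    - echo "That's a very important task and I'm very proud to help you finish that great feature you're building! :D"
    - echo "There is nothing left to do here for me. Deployment will be triggered via a GitLab webhook."
    - echo "Bye, bye! 👋"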

# Manual stop job for the per-MR preview environment (referenced by
# deploy:preview's `on_stop`); the teardown itself is done by the webhook.
stop:preview:
  stage: .post # always the last stage, so it can be triggered after everything else
  variables:
    GIT_STRATEGY: none # don't clone git repo
  environment:
    name: preview/$CI_MERGE_REQUEST_IID
    action: stop
  # only in MR pipelines; `when: manual` in `rules` makes the job optional
  # (allow_failure defaults to true for such jobs), so it never blocks the pipeline
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: manual
  needs:
    - job: deploy:preview
      artifacts: false # don't fetch artifacts from deploy:preview job
  script:
    - echo "Hey, my name is $CI_JOB_ID! I'm just here so that the preview environment gets stopped."
    - echo "That's a very important task and I'm very proud to help you finish that great feature you're building! :D"
    - echo "There is nothing left to do here for me. Deployment will be triggered via a GitLab webhook."
    - echo "Bye, bye! 👋"


# the `yarn.lock` file has to be scanned explicitly
trivy-filesystem:
  stage: cve-scan
  image:
    # NOTE(review): `latest` floats — pin a version/digest so scanner behaviour
    # and CLI flags don't change underneath the pipeline
    name: aquasec/trivy:latest
    entrypoint: [""] # run the job's shell, not the image entrypoint
  script:
    # fetch the vulnerability DB once up front
    - trivy filesystem --download-db-only
    # gate: any HIGH/CRITICAL finding fails the job (exit code 1), which stops
    # the pipeline before the build stage
    # NOTE(review): the `config` scanner targets IaC files, so on a lockfile it
    # is presumably a no-op — confirm or drop it
    - trivy filesystem --scanners vuln,config --exit-code 1 --severity HIGH,CRITICAL      yarn.lock
    # informational only (exit code 0): lower severities are listed in the log
    # but never fail the job; only reached when the gate above passed
    - trivy filesystem --scanners vuln,config --exit-code 0 --severity UNKNOWN,LOW,MEDIUM yarn.lock
  cache: [] # nothing to cache; the DB is fetched fresh in every run


# Second, independent dependency check against the npm registry's advisory data.
yarn-audit:
  stage: cve-scan
  image: node:lts-alpine # NOTE(review): floating tag — pin a digest
  script:
    # `yarn audit` (yarn classic) exits with a bit mask of the severities found,
    # where HIGH sets bit 8 and CRITICAL bit 16. `--level high` filters the
    # printed report; the exit status is what is enforced here: `$?` inside the
    # subshell is yarn's exit status, anything below 8 means at most moderate
    # findings (logged, tolerated), 8 or more makes the `test` fail the job.
    - yarn audit --level high || (test $? -lt 8 && echo "Moderate vulnerabilities found, proceeding anyway.")