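---
# GitLab CI pipeline for the documentation site: REUSE lint -> CVE scan ->
# static build (`yarn export`) -> rsync deploy to Uberspace. Preview
# environments are created per branch and torn down by `undeploy:preview`.

# Shared SSH bootstrap for the deploy jobs (alpine images). The deploy key is
# loaded into an ssh-agent instead of being written to disk, and the server's
# host key is pinned through `$UBERSPACE_KNOWN_HOST`, so host authenticity is
# still verified even though the rsync commands below pass `CheckHostIP=no`
# (that option only skips the IP-address lookup in known_hosts).
.pre-deploy-uber-space-setup: &pre-deploy-uber-space-setup
  - apk add rsync openssh-client
  - eval $(ssh-agent -s)
  - echo "$CI_DEPLOYMENT_PRIVATE_KEY" | tr -d '\r' | ssh-add -
  - mkdir --mode 700 -p ~/.ssh
  - echo "$UBERSPACE_KNOWN_HOST" >> ~/.ssh/known_hosts

# NOTE(review): `ref: main` follows a mutable branch of the shared pipeline
# project, so the trivy template and the workflow rules can change underneath
# this file; a tag or commit SHA would make the include reproducible.
include:
  - project: "fit-connect/pipeline"
    ref: main
    file: "trivy.gitlab-ci.yml"
  - project: "fit-connect/pipeline"
    ref: main
    file: "workflows/no-duplicate-pipelines.gitlab-ci.yml"

stages:
  - lint
  - cve-scan
  - build
  - deploy

variables:
  DEPLOY_SERVER: fitko@dorado.uberspace.de
  # Hoisted from the `reuse` job: `trivy-filesystem` expands the same variable
  # in its image name but previously had no job-level definition for it.
  # Project/group/instance CI variables take precedence over values defined
  # here, so an externally configured DOCKER_REGISTRY_READ still wins.
  DOCKER_REGISTRY_READ: docker.fjd.de

# SPDX/REUSE compliance check of the repository.
reuse:
  stage: lint
  image:
    name: $DOCKER_REGISTRY_READ/fsfe/reuse:latest
    entrypoint: [""]
  script:
    - reuse lint
  cache: []

# Static export of the site into `out/` for the deploy jobs.
build:
  stage: build
  image: node:lts-alpine
  variables:
    GIT_BRANCH: $CI_COMMIT_REF_NAME
  before_script:
    - apk add git
    # NOTE(review): confirm the lockfile is enforced (`--frozen-lockfile` for
    # yarn 1.x, `--immutable` for yarn 2+); a plain install may silently
    # re-resolve dependencies and bypass the cve-scan results.
    - yarn install
  script:
    # Non-default branches are served under a per-branch sub-path on the
    # preview host; the default branch is served from the site root.
    # NOTE(review): this compares against the literal "main" while the deploy
    # rules use $CI_DEFAULT_BRANCH - confirm both refer to the same branch.
    - export NEXT_PUBLIC_BASE_PATH="" && [[ "$CI_COMMIT_REF_NAME" != "main" ]] && export NEXT_PUBLIC_BASE_PATH="/entwicklungsportal/$CI_COMMIT_REF_SLUG"
    - echo $NEXT_PUBLIC_BASE_PATH
    - yarn export
  artifacts:
    paths:
      - out/
    # NOTE(review): the live `deploy` job is manual and consumes these
    # artifacts; if it is triggered more than an hour after the build, make
    # sure "keep latest artifacts" is enabled or lengthen this expiry.
    expire_in: 1 hour
  cache:
    paths:
      - node_modules/

# Per-branch preview deployment. `$CI_COMMIT_REF_SLUG` is sanitized by GitLab
# (lowercase a-z, 0-9 and `-` only), so it cannot carry path separators into
# the remote path used below.
deploy:preview:
  stage: deploy
  # NOTE(review): `alpine:latest` is a mutable tag; pinning by digest makes
  # the deploy environment reproducible.
  image: alpine:latest
  environment:
    name: preview/$CI_COMMIT_REF_NAME
    on_stop: undeploy:preview
    auto_stop_in: 1 week
    url: https://preview.docs.fitko.dev/entwicklungsportal/$CI_COMMIT_REF_SLUG/
  rules:
    # Also true when $CI_COMMIT_BRANCH is unset (merge-request and tag
    # pipelines); the included no-duplicate-pipelines workflow may narrow this.
    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
  before_script:
    - *pre-deploy-uber-space-setup
  script:
    - ssh $DEPLOY_SERVER mkdir -p preview.docs.fitko.dev/entwicklungsportal
    # `--delete` removes files on the server that are no longer in `out/`.
    - rsync -rLvzc4 -e 'ssh -o CheckHostIP=no' --progress --delete ./out/. $DEPLOY_SERVER:preview.docs.fitko.dev/entwicklungsportal/$CI_COMMIT_REF_SLUG

# Live deployment from the default branch; manual gate before publishing.
deploy:
  stage: deploy
  image: alpine:latest
  environment:
    name: live
    url: https://docs.fitko.de/
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual
  before_script:
    - *pre-deploy-uber-space-setup
  script:
    - rsync -rLvzc4 -e 'ssh -o CheckHostIP=no' --progress --delete ./out/. $DEPLOY_SERVER:docs.fitko.de/entwicklungsportal/

# Stop action for the preview environment: removes the branch directory.
# NOTE(review): this job only exists in merge-request pipelines
# ($CI_MERGE_REQUEST_ID), while `deploy:preview` can also run in plain branch
# pipelines; in those pipelines `on_stop`/`auto_stop_in` has no job to
# execute - confirm this is intended.
undeploy:preview:
  stage: .post
  image: alpine:latest
  environment:
    name: preview/$CI_COMMIT_REF_NAME
    action: stop
  needs:
    - deploy:preview
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: manual
  before_script:
    - *pre-deploy-uber-space-setup
  script:
    - ssh $DEPLOY_SERVER "rm -rf preview.docs.fitko.dev/entwicklungsportal/$CI_COMMIT_REF_SLUG/"

# The `yarn.lock` file has to be scanned explicitly.
trivy-filesystem:
  stage: cve-scan
  image:
    name: $DOCKER_REGISTRY_READ/aquasec/trivy:latest
    entrypoint: [""]
  script:
    - trivy filesystem --download-db-only
    # Blocking gate: HIGH/CRITICAL findings fail the job ...
    - trivy filesystem --scanners vuln,config --exit-code 1 --severity HIGH,CRITICAL yarn.lock
    # ... lower severities are reported only (exit code forced to 0).
    - trivy filesystem --scanners vuln,config --exit-code 0 --severity UNKNOWN,LOW,MEDIUM yarn.lock
  cache: []

yarn-audit:
  stage: cve-scan
  image: node:lts-alpine
  script:
    # `yarn audit` exits with a bitmask of the severities found
    # (1 info, 2 low, 4 moderate, 8 high, 16 critical) regardless of `--level`,
    # which only filters the report. `$?` inside the subshell is yarn's
    # status, so anything below 8 (no high/critical) lets the job pass.
    - yarn audit --level high || (test $? -lt 8 && echo "Moderate vulnerabilities found, proceeding anyway.")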