.gitlab-ci.yml
# Pipeline-level gate: a pipeline is created only for merge request events,
# pushes (branches and tags) and schedules.
workflow:
  # When a newer commit arrives on the same ref, only jobs marked
  # `interruptible: true` are cancelled.
  auto_cancel:
    on_new_commit: interruptible
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "push"'
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
# Stage order. A job without `needs` waits for all jobs of the earlier
# stages, so `publish` runs after any `security` job in the same pipeline.
stages: [build, security, publish]
variables:
  # Disable the Gradle daemon for every job in this pipeline.
  GRADLE_OPTS: '-Dorg.gradle.daemon=false'
# ------------------------------ Conditions
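# Reusable rule set: run on the default branch and in merge request
# pipelines, never in scheduled pipelines.
# The `when: never` exclusion must come first: GitLab evaluates rules
# top-down and stops at the first match, so an exclusion listed after the
# branch rule never applies to a scheduled pipeline on the default branch.
.if-merge-request-or-main: &if-merge-request-or-main
  - if: '$CI_PIPELINE_SOURCE == "schedule"'
    when: never
  - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  # Set only in merge request pipelines.
  - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME'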
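# Reusable rule set: run on the default branch, never in scheduled pipelines.
# The exclusion is listed first because rules are evaluated top-down and the
# first match wins; listed after the branch rule it would not stop a
# scheduled pipeline on the default branch from running the job (this rule
# set gates `publish`).
.if-main: &if-main
  - if: '$CI_PIPELINE_SOURCE == "schedule"'
    when: never
  - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'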
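# Reusable rule set: run for release tags (MAJOR.MINOR.PATCH with an optional
# suffix), never in scheduled pipelines.
# The exclusion is listed first because rules are evaluated top-down and the
# first match wins.
.if-release: &if-release
  - if: '$CI_PIPELINE_SOURCE == "schedule"'
    when: never
  # The dots are escaped: an unescaped `.` matches any character, which lets
  # a tag such as `1x2y3` (constructed example) pass as a release and reach
  # the publish jobs.
  # NOTE(review): confirm tags matching this pattern are protected, so only
  # maintainers can create a tag that triggers publishing.
  - if: '$CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+.*/'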
# ------------------------------ Security
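# Dependency vulnerability scan with Trivy.
# Advisory in merge requests (allow_failure: true), blocking for release tags
# and scheduled pipelines (allow_failure: false).
# NOTE(review): no rule matches a plain push to the default branch, so the
# `publish` job there runs without this scan in the same pipeline - confirm
# that is intended.
security:dependencies:
  stage: security
  interruptible: true
  # Empty `needs`: the scan starts immediately instead of waiting for the
  # build stage.
  needs: []
  variables:
    TRIVY_CACHE_DIR: ".trivycache/"
  cache:
    # Trivy's cache directory is kept between jobs.
    # NOTE(review): this job also runs for merge requests; confirm separate
    # caches for protected and unprotected refs stay enabled, so a merge
    # request job cannot seed the cache used by release and scheduled scans.
    paths:
      - .trivycache/
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      allow_failure: true
    # The dots are escaped: an unescaped `.` matches any character, so a tag
    # that is not a MAJOR.MINOR.PATCH version would match as well.
    - if: '$CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+.*/'
      allow_failure: false
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      allow_failure: false
  artifacts:
    # Upload the report even when the gating scan below fails the job.
    when: always
    reports:
      dependency_scanning: report.json
  before_script:
    # Resolves dependencies and writes Gradle lock files - presumably the
    # input Trivy reads for resolved versions; confirm.
    # NOTE(review): this executes the repository's Gradle wrapper and build
    # scripts, including those of a merge request, on the `linux` runner.
    - ./gradlew dependenciesForAll --write-locks --no-parallel > dependencies.txt
  script:
    # 1) findings in the job log, never failing the job
    - trivy repo ./ --exit-code 0
    # 2) GitLab dependency-scanning report, never failing the job
    - trivy repo ./ --exit-code 0 --format template --template "@/contrib/gitlab.tpl" --output report.json
    # 3) the gate: a non-zero exit only for CRITICAL findings
    - trivy repo ./ --exit-code 1 --severity CRITICAL
  tags:
    - linux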
# ------------------------------ Build
# Runs the Gradle `clean build` tasks on a `macos` runner, for the default
# branch and merge request pipelines.
# NOTE(review): the absolute JDK path suggests a runner that executes
# directly on the host, and `publish` selects the same `macos` tag; confirm
# that a merge request build cannot leave state on the host (for example in
# the Gradle user home) that a later publish job picks up.
build:
  stage: build
  interruptible: true
  tags: [macos]
  rules:
    - *if-merge-request-or-main
  before_script:
    # JDK 17 (Zulu) at a fixed location on the runner host
    - export JAVA_HOME=/Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
  script:
    - ./gradlew clean build
# ------------------------------ Publish
# Runs the Gradle `publish` task for the default branch and for release tags.
# `interruptible` is not set here, so a newer commit does not cancel a
# publish that is already running.
# NOTE(review): the publishing credentials are not visible in this file -
# presumably CI/CD variables or host configuration; confirm they are limited
# to protected branches and tags.
publish:
  stage: publish
  tags: [macos]
  rules:
    - *if-main
    - *if-release
  before_script:
    # JDK 17 (Zulu) at a fixed location on the runner host
    - export JAVA_HOME=/Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
  script:
    - ./gradlew clean publish
# Runs the Gradle `publishDocs` task for release tags on a `linux` runner.
# NOTE(review): `publishDocs.root` is a path on the runner host, presumably a
# web server's document root; `security:dependencies` selects the same
# `linux` tag and runs merge request code - confirm those jobs cannot write
# to this path.
publish:documentation:
  stage: publish
  tags: [linux]
  rules:
    - *if-release
  before_script:
    - export JAVA_HOME=/home/sdks/zulu-17
  script:
    # One command: the original multi-line plain scalar folds to this line.
    - ./gradlew -DpublishDocs.root=/var/www/docs/kmbed publishDocs