# Shared CI templates from the jitesoft/gitlab-ci-lib project; the `.sign` and
# `.container_scanning` templates extended by the jobs below are expected to
# come from these two files.
# NOTE(review): no `ref:` is given, so both files are resolved from that
# project's default branch at pipeline time. Pinning `ref:` to a tag or commit
# would make the included job definitions reproducible and reviewable.
include:
  - project: jitesoft/gitlab-ci-lib
    file:
      - Scan/trivy.yml
      - OCI/sign.yml
# Global pipeline variables, inherited by every job (including the jobs that
# extend the included templates).
variables:
  # NOTE(review): the only --platform list visible in this file (the
  # `containerize` job) is hard-coded to five platforms and does not read this
  # variable; whether an included template consumes PLATFORMS could not be
  # confirmed from here.
  PLATFORMS: 'linux/amd64,linux/arm64'
# Stage order of the pipeline. `download` runs in the implicit `.pre` stage,
# ahead of everything listed here.
stages:
  - build         # `check` (schedule/web) and the `build` cross-compile matrix
  - containerize  # multi-arch image build and push
  - sign          # signing of the pushed tags via the `.sign` template
  - cache         # persists version.txt for the next scheduled `check`
  - scan          # container scan of the `:latest` image
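# Entry point of the scheduled / manually started pipeline: looks up the newest
# upstream cfssl release, compares it with the cached version.txt and triggers
# a child pipeline on master with BUILD=true (new version, or FORCE_BUILD set)
# or SCAN=true (version unchanged).
check:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "web"'
      when: always
    - when: never
  stage: build
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  script:
    - apk add --no-cache jq
    # Newest entry of the (unauthenticated) GitHub releases listing.
    # NOTE(review): `.[0]` is simply the most recent entry, which may be a
    # pre-release rather than the latest stable tag.
    - VERSION=$(wget -qO- https://api.github.com/repos/cloudflare/cfssl/releases | jq -r ".[0].tag_name")
    - VERSION=${VERSION#?} # Remove v
    - |
      # Fail closed on an empty or malformed value instead of passing it on:
      # VERSION is interpolated into URLs, paths and build flags by the
      # triggered pipeline. A failed lookup leaves VERSION empty, and jq prints
      # "null" for a missing field (which becomes "ull" after the prefix strip).
      # The pattern allows a hyphenated pre-release suffix.
      if ! echo "${VERSION}" | grep -Eq '^[0-9]+(\.[0-9]+)*(-[0-9A-Za-z.]+)?$'; then
        echo "Unexpected upstream version string: '${VERSION}'" >&2
        exit 1
      fi
    - touch version.txt
    - |
      # --fail turns an HTTP error from the trigger API into a job failure
      # instead of a silently ignored 4xx/5xx response body.
      if [ ! -z "${FORCE_BUILD+x}" ] || [ "${VERSION}" != "$(cat version.txt)" ]; then
        echo "${VERSION} and $(cat version.txt) differ. Running build."
        curl --fail --silent --show-error -F "token=${CI_JOB_TOKEN}" -F ref=master -F "variables[VERSION]=${VERSION}" -F "variables[BUILD]=true" "https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/trigger/pipeline"
      else
        echo "${VERSION} and $(cat version.txt) where equal. Running scan."
        curl --fail --silent --show-error -F "token=${CI_JOB_TOKEN}" -F ref=master -F "variables[VERSION]=${VERSION}" -F "variables[SCAN]=true" "https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/trigger/pipeline"
      fi
  cache:
    # Read-only: version.txt is written by `create-cache` on the BUILD path.
    paths:
      - version.txt
    policy: pull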
# Fetches the upstream source tarball for the requested VERSION and hands it to
# `build` as an artifact. Runs only in pipelines triggered with BUILD set.
download:
  stage: .pre
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  rules:
    - if: $BUILD
      when: always
    - when: never
  script:
    # VERSION is the bare upstream version (no leading "v"); the tag name and
    # tarball filename re-add it.
    # NOTE(review): the archive is not verified against a checksum or
    # signature here; only TLS on the download protects its integrity.
    - wget "https://github.com/cloudflare/cfssl/archive/refs/tags/v${VERSION}.tar.gz"
  artifacts:
    paths:
      - v${VERSION}.tar.gz
    expire_in: 1 day
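# Cross-compiles the cfssl command-line tools from the tarball fetched by
# `download`, one matrix job per target architecture. The binaries end up in
# bin/<GOARCH>/ and are passed to `containerize` as an artifact.
build:
  stage: build
  image: registry.gitlab.com/jitesoft/dockerfiles/go:latest
  needs:
    - job: download
      artifacts: true
  rules:
    - if: $BUILD
      when: on_success
    - when: never
  variables:
    # The sources come from the tarball artifact, not from this repository.
    GIT_STRATEGY: none
  parallel:
    matrix:
      - GOARCH: ["amd64", "arm64", "ppc64le", "s390x"]
      - GOARCH: "arm"
        # Go reads GOARM (no underscore) and expects the bare ARM version
        # number; the previous `GO_ARM: "v7"` was not recognised by the
        # toolchain, so the arm job built with Go's default GOARM instead.
        GOARM: "7"
  script:
    - apk add --no-cache file
    - tar -xzf "v${VERSION}.tar.gz"
    - cd "cfssl-${VERSION}"
    # -s -w strips symbol/DWARF data; -X stamps the upstream version string.
    # NOTE(review): CGO_ENABLED is not set, so the native amd64 job may link
    # dynamically while the cross-compiled ones are static — confirm against
    # the image's base layer if static binaries are required.
    - go build -ldflags="-s -w -X github.com/cloudflare/cfssl/cli/version.version=${VERSION}" -o bin/ ./cmd/...
    - cd ..
    - mkdir -p "bin/${GOARCH}"
    - mv "cfssl-${VERSION}"/bin/* "bin/${GOARCH}/"
    # Logged so the job output shows the binary's actual target architecture.
    - file "bin/${GOARCH}/cfssl"
  artifacts:
    paths:
      - bin
    expire_in: 1 day
  tags: [native-amd64]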
# Builds the multi-arch image from the compiled binaries and pushes it to the
# GitLab registry, GHCR and Docker Hub under `latest` and the version tag.
containerize:
  stage: containerize
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  rules:
    - if: $BUILD
      when: on_success
    - when: never
  needs:
    - job: build
      artifacts: true
  script:
    - cp entrypoint bin/
    # `helper` (presumably provided by the misc image) turns the image and tag
    # lists into buildx tag arguments. TAGS is deliberately left unquoted in
    # the build command so the shell splits it into separate arguments.
    - TAGS=$(helper "${CI_REGISTRY_IMAGE},ghcr.io/jitesoft/cfssl,jitesoft/cfssl" "latest,${VERSION}")
    # The platform list mirrors the `build` matrix (amd64, arm64, arm/v7,
    # ppc64le, s390x); keep the two in sync when adding an architecture.
    - docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le,linux/s390x --progress plain --push ${TAGS} --build-arg "VERSION=${VERSION}" .
  tags: [buildx, jitesoft, protected]
# Signs the tags pushed by `containerize` via the shared `.sign` template
# (expected to come from the included OCI/sign.yml). The variable names below
# are the template's inputs; their exact semantics are defined there.
sign:
  stage: sign
  extends: .sign
  rules:
    - if: $BUILD
      when: on_success
    - when: never
  variables:
    COSIGN_ANNOTATIONS: '-a sig=jitesoft-bot'
    SIGN_TAGS: '${VERSION},latest'
    SIGN_IMAGES: 'jitesoft/cfssl,${CI_REGISTRY_IMAGE},ghcr.io/jitesoft/cfssl'
  tags: [jitesoft, protected, buildx]
# Runs the shared container-scanning template against the `:latest` image in
# the GitLab registry. Reached either on its own (SCAN=true, no rebuild) or
# after a successful build.
# NOTE(review): per the stage order, this runs after the image has already
# been pushed, signed and recorded in the cache, so a failed scan does not
# block publication — it only fails the pipeline.
scan:
  stage: scan
  extends: .container_scanning
  rules:
    - if: $SCAN
      when: always
    - if: $BUILD
      when: on_success
    - when: never
  variables:
    # No sources are needed; the scanner only pulls the image.
    GIT_STRATEGY: none
    SCANNING_IMAGE_NAME: '${CI_REGISTRY_IMAGE}:latest'
# Records the version that was just built so the next scheduled `check`
# compares against it. Only runs on the BUILD path and, being in the `cache`
# stage, only after `sign` has succeeded.
create-cache:
  stage: cache
  rules:
    - if: $BUILD
      when: on_success
    - when: never
  script:
    - echo "${VERSION}" > version.txt
  cache:
    # Write-only: `check` reads this file with policy pull.
    paths:
      - version.txt
    policy: push