diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index af7db7e4f982ad5b421ec421c68d27efa48a154b..3b00bb0814e9e1333fa3a9be6872b8c1c094546e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,50 +1,47 @@ --- -stages: - - test - - build - - deploy-beta - - deploy-staging - - deploy-production +# You can override the included template(s) by including variable overrides +# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings +# Note that environment variables can be set in several places +# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables +stages: +- test +- build +- deploy-beta +- deploy-staging +- deploy-production image: registry.forgemia.inra.fr/urgi-is/docker-rare/docker-browsers:latest - # Disable the Gradle daemon for Continuous Integration servers as correctness # is usually a priority over speed in CI environments. Using a fresh # runtime for each build is more reliable since the runtime is completely # isolated from any previous builds. variables: GRADLE_OPTS: "-Dorg.gradle.daemon=false" - GRADLE_USER_HOME: $CI_PROJECT_DIR/.gradle + GRADLE_USER_HOME: "$CI_PROJECT_DIR/.gradle" APP_NAME: faidare - JAR_PATH: "backend/build/libs/${APP_NAME}.jar" + JAR_PATH: backend/build/libs/${APP_NAME}.jar GIT_DEPTH: 0 - # Gradle cache for all jobs cache: key: "$CI_COMMIT_REF_NAME" paths: - - ".gradle" - - "frontend/.gradle/" - - "frontend/node_modules/" - - -# TESTS - + - ".gradle" + - frontend/.gradle/ + - frontend/node_modules/ lint: stage: test tags: - - openstack + - openstack script: "./gradlew lint" - test-and-sonarqube: stage: test tags: - - openstack + - openstack # the backend tests need an elasticsearch instance services: # even if that would be ideal 
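Review bot: The job image is still pulled as `registry.forgemia.inra.fr/urgi-is/docker-rare/docker-browsers:latest`, a mutable tag, so the toolchain that builds and later ships the jar can change underneath every pipeline run without any change to this file; pin it to a versioned tag or, better, an immutable `@sha256:` digest and bump it deliberately. The new header comment explains how to override "the included template(s)", but no `include:` appears in this hunk (it is appended at the very end of the file), so a reader of the top of the file cannot tell which template is meant; consider `# Overrides for the SAST template included at the bottom of this file`. The global `GRADLE_OPTS` comment also argues for a disabled daemon while the `test-and-sonarqube` job later re-enables it, so a one-line why-comment on that override would avoid confusion.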
@@ -52,171 +49,172 @@ test-and-sonarqube: # because we need to pass some variables, but they are passed to _all_ containers # so they fail the start of other docker images like urgi/docker-browsers # the only solution is to override the entrypoint of the service and pass the arguments manually - - name: docker.elastic.co/elasticsearch/elasticsearch:6.5.4 - alias: elasticsearch - # discovery.type=single-node - # single-node is necessary to start in development mode - # so there will be no bootstrap checks that would fail on CI - # especially the error regarding - # `max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]` - command: ["bin/elasticsearch", "-Ediscovery.type=single-node"] + - name: docker.elastic.co/elasticsearch/elasticsearch:6.5.4 + alias: elasticsearch + # discovery.type=single-node + # single-node is necessary to start in development mode + # so there will be no bootstrap checks that would fail on CI + # especially the error regarding + # `max virtual memory areas vm.max_map_count [65530] is too low, increase to at least [262144]` + command: + - bin/elasticsearch + - "-Ediscovery.type=single-node" variables: GRADLE_OPTS: "-Dorg.gradle.daemon=true" SONAR_BRANCH_OPTS: "-Dsonar.pullrequest.key=$CI_MERGE_REQUEST_ID -Dsonar.pullrequest.branch=$CI_COMMIT_REF_NAME" script: - - ./gradlew :frontend:test --parallel - - ./gradlew :backend:test --parallel - - find /tmp/node/*/bin -name node -exec ln -s {} /tmp/node/node \; - - export PATH="/tmp/node/:$PATH" - - ./gradlew -s sonarqube -x test $SONAR_BRANCH_OPTS + - "./gradlew :frontend:test --parallel" + - "./gradlew :backend:test --parallel" + - find /tmp/node/*/bin -name node -exec ln -s {} /tmp/node/node \; + - export PATH="/tmp/node/:$PATH" + - "./gradlew -s sonarqube -x test $SONAR_BRANCH_OPTS" artifacts: reports: junit: - - ./backend/build/test-results/test/TEST-*.xml - - ./frontend/karma-junit-tests-report/TEST*.xml + - "./backend/build/test-results/test/TEST-*.xml" + 
- "./frontend/karma-junit-tests-report/TEST*.xml" only: refs: - - merge_requests - + - merge_requests test-and-sonarqube-master: extends: test-and-sonarqube variables: - SONAR_BRANCH_OPTS: "" + SONAR_BRANCH_OPTS: '' only: refs: - - master - + - master # BUILD - build: tags: - - openstack + - openstack stage: build script: - - ./gradlew assemble + - "./gradlew assemble" artifacts: paths: - - "$JAR_PATH" + - "$JAR_PATH" expire_in: 1 week - # DEPLOY - .deploy-to-vm-proxmox: &deploy_to_vm_proxmox # Hidden job which serves as template for executed jobs below. # See https://docs.gitlab.com/ee/ci/yaml/#anchors retry: 2 script: ## SSH initialization - - eval $(ssh-agent -s) - - ssh-add <(echo "${SSH_PRIVATE_KEY}") - - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"' + - eval $(ssh-agent -s) + - ssh-add <(echo "${SSH_PRIVATE_KEY}") + - ssh -o StrictHostKeyChecking=no ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"' # Copy jar - - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER}@${SERVER_IP}:/tmp/${APP_NAME}-${ENV}.jar - - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/" - # Restarting service with the updated jar and the according Spring profiles enabled - - ssh ${SERVER_USER}@${SERVER_IP} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}" - - eval $(ssh-agent -k) - - echo "Deploy done. 
Application should be available at http://${SERVER_IP}:${APP_PORT}/${CONTEXT_PATH}" + - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER}@${SERVER_IP}:/tmp/${APP_NAME}-${ENV}.jar + - ssh ${SERVER_USER}@${SERVER_IP} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/" + # Restarting service with the updated jar and the according Spring profiles enabled + - ssh ${SERVER_USER}@${SERVER_IP} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}" + - eval $(ssh-agent -k) + - echo "Deploy done. Application should be available at http://${SERVER_IP}:${APP_PORT}/${CONTEXT_PATH}" only: changes: - - .gitlab-ci.yml - - backend/src/**/* - - frontend/**/* - + - ".gitlab-ci.yml" + - backend/src/**/* + - frontend/**/* .deploy-to-vm-openstack: &deploy_to_vm_openstack # Hidden job which serves as template for executed jobs below. # See https://docs.gitlab.com/ee/ci/yaml/#anchors retry: 2 tags: - - openstack + - openstack script: ## SSH initialization - - eval $(ssh-agent -s) - - ssh-add <(echo "${SSH_PRIVATE_KEY}") - - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} 'echo "Successfully connected on $(hostname)"' - # Copy jar - - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}:/tmp/${APP_NAME}-${ENV}.jar - - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/" - # Restarting service with the updated jar and the according Spring profiles enabled - - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}" - - eval $(ssh-agent -k) - - echo "Deploy done. 
Application should be available at http://${SERVER_IP_OPENSTACK}:${APP_PORT}/${CONTEXT_PATH}" + - eval $(ssh-agent -s) + - ssh-add <(echo "${SSH_PRIVATE_KEY}") + - ssh -o StrictHostKeyChecking=no ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} 'echo "Successfully connected on $(hostname)"' + # Copy jar + - scp ./backend/build/libs/${APP_NAME}.jar ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK}:/tmp/${APP_NAME}-${ENV}.jar + - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo mv /tmp/${APP_NAME}-${ENV}.jar /opt/bootapp/${APP_NAME}-${ENV}.jar ; sudo chown -R bootapp:bootapp /opt/bootapp/" + # Restarting service with the updated jar and the according Spring profiles enabled + - ssh ${SERVER_USER_OPENSTACK}@${SERVER_IP_OPENSTACK} "sudo systemctl restart bootapp@${APP_NAME}-${ENV}" + - eval $(ssh-agent -k) + - echo "Deploy done. Application should be available at http://${SERVER_IP_OPENSTACK}:${APP_PORT}/${CONTEXT_PATH}" only: changes: - - .gitlab-ci.yml - - backend/src/**/* - - frontend/**/* + - ".gitlab-ci.yml" + - backend/src/**/* + - frontend/**/* when: manual allow_failure: false deploy-to-beta: stage: deploy-beta - extends: .deploy-to-vm-openstack + extends: ".deploy-to-vm-openstack" variables: - APP_PORT: ${BETA_FAIDARE_PORT} + APP_PORT: "${BETA_FAIDARE_PORT}" ENV: beta CONTEXT_PATH: faidare-beta except: refs: - - master + - master only: refs: - - branches + - branches when: always deploy-to-staging: stage: deploy-staging - extends: .deploy-to-vm-openstack + extends: ".deploy-to-vm-openstack" variables: - APP_PORT: ${STAGING_FAIDARE_PORT} + APP_PORT: "${STAGING_FAIDARE_PORT}" ENV: staging CONTEXT_PATH: faidare-staging only: refs: - - branches + - branches except: refs: - - master + - master when: manual deploy-to-int: stage: deploy-production - extends: .deploy-to-vm-proxmox + extends: ".deploy-to-vm-proxmox" variables: - APP_PORT: ${INT_FAIDARE_PORT} + APP_PORT: "${INT_FAIDARE_PORT}" ENV: int CONTEXT_PATH: faidare-int only: refs: - - master + - master 
when: manual deploy-to-prod-public: stage: deploy-production - extends: .deploy-to-vm-proxmox + extends: ".deploy-to-vm-proxmox" variables: - APP_PORT: ${PROD_PUBLIC_FAIDARE_PORT} + APP_PORT: "${PROD_PUBLIC_FAIDARE_PORT}" ENV: prod-public CONTEXT_PATH: faidare only: refs: - - master + - master when: manual deploy-to-prod-private: stage: deploy-production - extends: .deploy-to-vm-proxmox + extends: ".deploy-to-vm-proxmox" variables: - APP_PORT: ${PROD_PRIVATE_FAIDARE_PORT} + APP_PORT: "${PROD_PRIVATE_FAIDARE_PORT}" ENV: prod-private CONTEXT_PATH: faidare-private only: refs: - - master + - master when: manual + +sast: + stage: test +include: +- template: Security/SAST.gitlab-ci.yml diff --git a/.secrets.baseline b/.secrets.baseline index d3ef77762f5b265ef889ac52eb82c0c51f4bb108..432815a5902c26778e2cb810373afa7911cc5e74 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "frontend/package-lock.json|^.secrets.baseline$", "lines": null }, - "generated_at": "2020-11-30T10:19:27Z", + "generated_at": "2021-04-16T10:58:04Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -51,21 +51,21 @@ "hashed_secret": "2907dcd1b70a82032e52be9b6b804abbb4a7525e", "is_secret": false, "is_verified": false, - "line_number": 83, + "line_number": 81, "type": "Base64 High Entropy String" }, { "hashed_secret": "dd447c7c799dd4ebaacca8f0ad3da45a097d7211", "is_secret": false, "is_verified": false, - "line_number": 174, + "line_number": 167, "type": "Base64 High Entropy String" }, { "hashed_secret": "8074db38f8a8acec1a147bc5daf2799ff6693fff", "is_secret": false, "is_verified": false, - "line_number": 189, + "line_number": 182, "type": "Base64 High Entropy String" } ],
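Review bot: Both deploy templates still connect with `ssh -o StrictHostKeyChecking=no`, and because each job runs in a fresh container that "first" connection is the only one that would ever record a host key, so the target is never authenticated and the jar upload and the `sudo mv`/`systemctl restart` commands could be relayed through an impostor host. Provision the server's host key as a CI variable and drop the option: `- mkdir -p ~/.ssh && chmod 700 ~/.ssh`, `- echo "${SSH_KNOWN_HOSTS}" >> ~/.ssh/known_hosts`, then `- ssh ${SERVER_USER}@${SERVER_IP} 'echo "Successfully connected on $(hostname)"'` (and the same for the `_OPENSTACK` template). Separately, `deploy-to-beta` overrides the template's `when: manual` with `when: always`, which in GitLab CI also runs the job when an earlier stage failed; `when: on_success` is presumably what is intended there. The `include:` of the SAST template is appended after the last job while the explanatory comment sits at the top of the file; moving the `include:` up next to that comment would make the override story easier to follow.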