-
Notifications
You must be signed in to change notification settings - Fork 101
/
.cirrus.yml
104 lines (94 loc) · 4.56 KB
/
.cirrus.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
env:
# see https://github.com/SonarSource/re-terraform-aws-vault/blob/master/orders/bubble-cfamily.yaml
CIRRUS_VAULT_URL: https://vault.sonar.build:8200
CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release username]
ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release access_token]
# Mend scan global configuration
MEND_API_KEY: VAULT[development/kv/data/mend data.apikey]
# Staging image configuration
DOCKER_REPOX_BUILDS_REGISTRY: repox-sonarsource-docker-builds.jfrog.io
DOCKER_IMAGE: "sonarsource/sonar-scanner-cli"
STAGING_IMAGE_TAG: "${DOCKER_REPOX_BUILDS_REGISTRY}/${DOCKER_IMAGE}:${CI_BUILD_NUMBER}"
ec2_instance: &EC2_TEMPLATE
experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
image: docker-builder-v*
type: t2.xlarge
region: eu-central-1
only_sonarsource_qa: &ONLY_SONARSOURCE_QA
only_if: $CIRRUS_CRON == "" && $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BUILD_SOURCE == 'api' )
build_task:
<<: *ONLY_SONARSOURCE_QA
ec2_instance:
<<: *EC2_TEMPLATE
login_script:
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
build_script:
- echo "Build and push the ${STAGING_IMAGE_TAG} image"
- docker build --tag "${STAGING_IMAGE_TAG}" --push .
# Scan the current image built and pushed to Artifactory
mend_task:
# run only on default and long-term branches
only_if: $CIRRUS_CRON == "" && $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*")
ec2_instance:
<<: *EC2_TEMPLATE
login_script:
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
setup_script:
- apt-get remove -y unattended-upgrades
- apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
- curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
- echo "docker.includes=.*${CIRRUS_BRANCH}.*" >> .cirrus/wss-unified-agent.config
pull_script:
- docker pull "${STAGING_IMAGE_TAG}"
mend_scan_script:
# Retag the image to have a clean project name on Mend
- docker tag "${STAGING_IMAGE_TAG}" "${DOCKER_IMAGE}:${CIRRUS_BRANCH}"
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
depends_on: build
# Scan the latest image published on Docker Hub
latest_mend_task:
only_if: $CIRRUS_CRON == 'nightly-mend-scan'
ec2_instance:
<<: *EC2_TEMPLATE
setup_script:
- apt-get remove -y unattended-upgrades
- apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
- curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
- echo "docker.includes=.*latest-from-docker-hub.*" >> .cirrus/wss-unified-agent.config
pull_script:
- docker pull "${DOCKER_IMAGE}:latest"
mend_scan_script:
# Retag the image to have a clean project name on Mend
- docker tag "${DOCKER_IMAGE}:latest" "${DOCKER_IMAGE}:latest-from-docker-hub"
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
test_docker_builder:
<<: *ONLY_SONARSOURCE_QA
submodules_script:
- git submodule init
- git submodule update
login_script:
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
test_script:
- apt-get update && apt-get install -qy bats
- echo "Checking out the sonar-scanning-examples repository"
- git clone https://github.com/SonarSource/sonar-scanning-examples.git target_repository
- echo "Test the ${STAGING_IMAGE_TAG} image"
- TEST_IMAGE="${STAGING_IMAGE_TAG}" bats --tap test
depends_on: build
sonar_scan_task:
<<: *ONLY_SONARSOURCE_QA
eks_container:
region: eu-central-1
cluster_name: ${CIRRUS_CLUSTER_NAME}
namespace: default
image: sonarsource/sonar-scanner-cli:latest
cpu: 4
memory: 4G
env:
SONAR_TOKEN: VAULT[development/kv/data/next data.token]
SONAR_HOST_URL: VAULT[development/kv/data/next data.url]
script:
- source .cirrus/scan.sh
depends_on: build