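#file: noinspection YAMLSchemaValidation
---
# GitLab CI pipeline: tests and lint run on non-main branches, the package is
# built on main/tags, and on a tag it is published to PyPI and a GitLab release
# is created from the CHANGELOG entry.
include:
  - template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'

stages:
  - 🧪 test
  - 📋 lint
  - 🏗 build
  - 📦 publish
  - 📣 release

variables:
  # CI config
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  # Release of taiki-e/parse-changelog fetched by the release job; kept here so
  # it is bumped in a single place.
  PARSE_CHANGELOG_VERSION: "0.6.8"
  # Secrets (set in GitLab CI/CD settings)
  # - SAFETY_API_KEY
  # - https://start.1password.com/open/i?a=QSB6V7TUNVEOPPPWR6G7S2ARJ4&v=k34cpwfkqaxp2r56u4aklza6ni&i=swbuhnii4ego6qycyqknvtk7gi&h=magic.1password.eu

cache:
  paths:
    - .cache/pip  # for pipx/pip
    - .venv/  # for project dependencies

# NOTE(review): a floating tag; pin to an image digest
# (`python:3.9-slim@sha256:<digest placeholder>`) if builds must be reproducible.
image: python:3.9-slim

.before_script_python: &before_script_python
  # setup python
  - python --version
  - python -m pip install --upgrade pip
  # setup poetry (pinned so lock-file resolution is reproducible across runs)
  - python -m pip install pipx
  - python -m pipx install poetry==1.8.2
  - python -m pipx ensurepath
  - export PATH="/root/.local/bin:$PATH"
  - poetry --version
  - poetry config virtualenvs.in-project true
  - poetry check

.before_script_python_app_deps: &before_script_python_app_deps
  - *before_script_python
  # setup app deps
  - poetry install --no-interaction --no-ansi

.before_script_release: &before_script_release
  - apk add --no-cache curl jq

# Jobs
pytest:
  stage: 🧪 test
  needs: []
  before_script:
    - *before_script_python_app_deps
  script:
    - poetry run pytest -o junit_family=xunit2 --junitxml=test-results.xml --cov --cov-report=html --continue-on-collection-errors
    # --continue-on-collection-errors counteracts `-x` flag set in pyproject.toml
  coverage: '/Total coverage: \d+\.\d+/'
  artifacts:
    when: always
    reports:
      junit: test-results.xml
    paths:
      - htmlcov
    expire_in: 1 month
  rules:
    # both conditions must hold: relevant files changed AND not main / not a tag
    - changes:
        - '**/*.py'
        - 'pyproject.toml'
        - 'poetry.lock'
      if: '$CI_COMMIT_BRANCH != "main" && $CI_COMMIT_TAG == null'

ruff:
  stage: 📋 lint
  needs: []
  before_script:
    - *before_script_python_app_deps
  script:
    - poetry run ruff check src/ tests/
    - poetry run ruff format --check src/ tests/
  rules:
    - changes:
        - '**/*.py'
      if: '$CI_COMMIT_BRANCH != "main" && $CI_COMMIT_TAG == null'

safety:
  stage: 📋 lint
  needs: []
  before_script:
    - *before_script_python_app_deps
  script:
    - poetry run safety --stage cicd scan --detailed-output
  rules:
    - changes:
        - '.safety-policy.yml'
        - 'poetry.lock'
      if: '$CI_COMMIT_BRANCH != "main" && $CI_COMMIT_TAG == null'

build:
  stage: 🏗 build
  needs: []
  before_script:
    - *before_script_python
  script:
    - poetry build
  artifacts:
    paths:
      - dist/
    expire_in: 1 month
  rules:
    - changes:
        - '**/*.py'
        - 'pyproject.toml'
        - 'poetry.lock'
      if: '$CI_COMMIT_BRANCH != "main" || $CI_COMMIT_TAG != null'

publish:
  stage: 📦 publish
  needs:
    - job: build
      artifacts: true
  before_script:
    - *before_script_python
    # token is scoped to this job's poetry config only (--local)
    - poetry config pypi-token.pypi "$PYPI_TOKEN" --local
    - poetry check
  script:
    - poetry publish --no-interaction
  rules:
    - if: $CI_COMMIT_TAG

release:
  stage: 📣 release
  needs:
    - job: publish
  # NOTE(review): `latest` is a mutable tag; pin a release-cli version (or digest)
  # so the release step cannot change underneath the pipeline.
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  before_script:
    - *before_script_release
    # drop the leading "v" (v0.8.13 -> 0.8.13)
    - export TAG_NO_PREFIX=$(echo "$CI_COMMIT_TAG" | cut -c 2-)
    # zero the whole patch number so the minor-version milestone can be looked
    # up: v0.8.13 -> v0.8.0. The previous pattern `[0-9]$` replaced only the
    # last digit, turning v0.8.13 into v0.8.10.
    - export TAG_NO_PATCH=$(echo "$CI_COMMIT_TAG" | sed 's/[0-9]*$/0/')
    # look up a milestone named after the exact tag, then after the minor
    # version; --fail aborts the job on an auth/404 error instead of handing an
    # error body to jq
    - 'curl -sSf -H "Authorization: Bearer $PROJECT_ACCESS_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/milestones?title=$CI_COMMIT_TAG" > milestone_exact.json'
    - 'curl -sSf -H "Authorization: Bearer $PROJECT_ACCESS_TOKEN" "$CI_API_V4_URL/projects/$CI_PROJECT_ID/milestones?title=$TAG_NO_PATCH" > milestone-minor.json'
    # `jq -r` prints the literal string "null" when no milestone matched; the
    # branch below relies on that
    - export MILESTONE_TITLE_EXACT=$(jq -r '.[0].title' milestone_exact.json) && rm milestone_exact.json
    - export MILESTONE_TITLE_MINOR=$(jq -r '.[0].title' milestone-minor.json) && rm milestone-minor.json
    # literal block (|) keeps every line break, so the shell sees one statement
    # per line regardless of indentation
    - |
      if [ "$MILESTONE_TITLE_EXACT" != "null" ]; then
        export MILESTONE_TITLE=$MILESTONE_TITLE_EXACT
      elif [ "$MILESTONE_TITLE_MINOR" != "null" ]; then
        export MILESTONE_TITLE=$MILESTONE_TITLE_MINOR
      else
        export MILESTONE_TITLE=""
      fi
    # NOTE(review): the downloaded archive is extracted straight into
    # /usr/local/bin with no integrity check; verify the sha256 published with
    # the release before extracting, e.g.
    #   echo "<PARSE_CHANGELOG_SHA256 placeholder>  parse-changelog-x86_64-unknown-linux-musl.tar.gz" | sha256sum -c -
    - curl -sSfL -O "https://github.com/taiki-e/parse-changelog/releases/download/v${PARSE_CHANGELOG_VERSION}/parse-changelog-x86_64-unknown-linux-musl.tar.gz"
    - tar -xzf parse-changelog-x86_64-unknown-linux-musl.tar.gz -C /usr/local/bin/
    - parse-changelog CHANGELOG.md "$TAG_NO_PREFIX" > changelog.txt
    # the release section cannot access variables defined in a script but can read from a file :|
    - echo "$TAG_NO_PREFIX" > tag_no_prefix.txt
    - echo "$MILESTONE_TITLE" > milestone_title.txt
  script:
    - echo 'releasing'
  release:
    name: $(cat tag_no_prefix.txt)
    tag_name: $CI_COMMIT_TAG
    # NOTE(review): when neither milestone exists this expands to an empty
    # string; confirm release-cli accepts that rather than failing the release
    milestones:
      - $(cat milestone_title.txt)
    description: $(cat changelog.txt)
    assets:
      links:
        - name: README
          url: '$CI_PROJECT_URL/-/blob/$CI_COMMIT_TAG/README.md'
          link_type: runbook
        - name: Python Package
          url: 'https://pypi.org/project/flask-entra-auth/$(cat tag_no_prefix.txt)/'
          link_type: package
  rules:
    - if: $CI_COMMIT_TAG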