-
Notifications
You must be signed in to change notification settings - Fork 4
/
.gitlab-ci.yml
55 lines (52 loc) · 1.55 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
include:
- template: 'Workflows/Branch-Pipelines.gitlab-ci.yml'
- project: 'security/container-scanning'
file: '.ESnet-container-scan.yml'
- component: $CI_SERVER_FQDN/ht/cicd-common/harbor-cve@main
inputs:
harbor_host: $HSITE
harbor_user: $HUSER_CVE
harbor_token: $HTOKEN_CVE
harbor_project: $CI_PROJECT_NAMESPACE
build:
stage: build
image: docker:26.1
services:
- docker:26.1-dind
tags:
- ht-docker
variables:
PUBLISH_TAG: $CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-g$CI_COMMIT_SHORT_SHA
script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- docker build --pull -t $PUBLISH_TAG$TAG_SUFFIX .
# push using a more user friendly name for other repo users of this image
- docker push $PUBLISH_TAG$TAG_SUFFIX
# Capture the published tag for downstream CI jobs
- |
cat <<EOF >> build.env
CS_IMAGE=$PUBLISH_TAG$TAG_SUFFIX
EOF
- cat build.env
- |
echo Image published as: $PUBLISH_TAG$TAG_SUFFIX
timeout: 3h
artifacts:
reports:
dotenv:
build.env
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
- if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
variables:
TAG_SUFFIX: -dev
pull_cve_allowlist:
extends: .harbor_cve_allowlist
container_scanning:
variables:
TRIVY_TIMEOUT: "1h"
# use 'dependencies' here rather than 'needs' since the gitlab container scanning
# include sets 'dependencies: []' which takes precedence over 'needs'
dependencies:
- pull_cve_allowlist
- build