default: interruptible: true stages: - prepare - deploy - qa - post-qa - dast include: - local: .gitlab/ci/global.gitlab-ci.yml - local: .gitlab/ci/review-apps/rules.gitlab-ci.yml - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml - local: .gitlab/ci/review-apps/dast-api.gitlab-ci.yml .base-before_script: &base-before_script - source ./scripts/utils.sh - source ./scripts/review_apps/review-apps.sh dont-interrupt-me: extends: .rules:dont-interrupt stage: prepare interruptible: false script: - echo "This jobs makes sure this pipeline won't be interrupted! See https://docs.gitlab.com/ee/ci/yaml/#interruptible." review-build-cng-env: extends: - .default-retry - .review:rules:review-build-cng image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}ruby:${RUBY_VERSION}-alpine3.16 stage: prepare needs: # We need this job because we need its `cached-assets-hash.txt` artifact, so that we can pass the assets image tag to the downstream CNG pipeline. - pipeline: $PARENT_PIPELINE_ID job: build-assets-image variables: BUILD_ENV: build.env before_script: - source ./scripts/utils.sh - install_gitlab_gem script: - 'ruby -r./scripts/trigger-build.rb -e "puts Trigger.variables_for_env_file(Trigger::CNG.new.variables)" > $BUILD_ENV' - echo "GITLAB_ASSETS_TAG=$(assets_image_tag)" >> $BUILD_ENV - ruby -e 'puts "FULL_RUBY_VERSION=#{RUBY_VERSION}"' >> build.env - cat $BUILD_ENV artifacts: reports: dotenv: $BUILD_ENV paths: - $BUILD_ENV expire_in: 7 days when: always review-build-cng: extends: .review:rules:review-build-cng stage: prepare needs: ["review-build-cng-env"] inherit: variables: false variables: TOP_UPSTREAM_SOURCE_PROJECT: "${TOP_UPSTREAM_SOURCE_PROJECT}" TOP_UPSTREAM_SOURCE_REF: "${TOP_UPSTREAM_SOURCE_REF}" TOP_UPSTREAM_SOURCE_JOB: "${TOP_UPSTREAM_SOURCE_JOB}" TOP_UPSTREAM_SOURCE_SHA: "${TOP_UPSTREAM_SOURCE_SHA}" TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID: "${TOP_UPSTREAM_MERGE_REQUEST_PROJECT_ID}" TOP_UPSTREAM_MERGE_REQUEST_IID: "${TOP_UPSTREAM_MERGE_REQUEST_IID}" GITLAB_REF_SLUG: "${GITLAB_REF_SLUG}" # CNG pipeline specific variables GITLAB_VERSION: "${GITLAB_VERSION}" GITLAB_TAG: "${GITLAB_TAG}" GITLAB_ASSETS_TAG: "${GITLAB_ASSETS_TAG}" FORCE_RAILS_IMAGE_BUILDS: "${FORCE_RAILS_IMAGE_BUILDS}" CE_PIPELINE: "${CE_PIPELINE}" # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$CE_PIPELINE'` will evaluate to `false` when this variable is empty EE_PIPELINE: "${EE_PIPELINE}" # Based on https://docs.gitlab.com/ee/ci/jobs/job_control.html#check-if-a-variable-exists, `if: '$EE_PIPELINE'` will evaluate to `false` when this variable is empty GITLAB_ELASTICSEARCH_INDEXER_VERSION: "${GITLAB_ELASTICSEARCH_INDEXER_VERSION}" GITLAB_KAS_VERSION: "${GITLAB_KAS_VERSION}" GITLAB_METRICS_EXPORTER_VERSION: "${GITLAB_METRICS_EXPORTER_VERSION}" GITLAB_PAGES_VERSION: "${GITLAB_PAGES_VERSION}" GITLAB_SHELL_VERSION: "${GITLAB_SHELL_VERSION}" GITLAB_WORKHORSE_VERSION: "${GITLAB_WORKHORSE_VERSION}" GITALY_SERVER_VERSION: "${GITALY_SERVER_VERSION}" RUBY_VERSION: "${FULL_RUBY_VERSION}" trigger: project: gitlab-org/build/CNG-mirror branch: $TRIGGER_BRANCH strategy: depend .review-workflow-base: extends: - .default-retry image: ${REVIEW_APPS_IMAGE} variables: HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}" DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}" GITLAB_HELM_CHART_REF: "afcef7854ac72c5ff958035ef210ba6c68ec800b" # 6.8.0: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/afcef7854ac72c5ff958035ef210ba6c68ec800b environment: name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE} # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN} on_stop: trigger-review-stop review-deploy: extends: - .review-workflow-base - .review:rules:review-deploy stage: deploy image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}dtzar/helm-kubectl:3.9.3 needs: - review-build-cng - review-delete-deployment # We always want to start from a clean slate (i.e. no helm release, no k8s namespace) cache: key: "review-deploy-dependencies-charts-${GITLAB_HELM_CHART_REF}-v1" paths: - "gitlab-${GITLAB_HELM_CHART_REF}" environment: action: start before_script: - export GITLAB_SHELL_VERSION=$( environment_url.txt - echo "QA_GITLAB_URL=${CI_ENVIRONMENT_URL}" > environment.env - *base-before_script - !reference [".use-kube-context", before_script] script: - run_timed_command "check_kube_domain" - run_timed_command "download_chart" - run_timed_command "deploy" || (display_deployment_debug && exit 1) - run_timed_command "verify_deploy" || (display_deployment_debug && exit 1) - run_timed_command "disable_sign_ups" || (display_deployment_debug && exit 1) - run_timed_command "verify_commit_sha" || (display_deployment_debug && exit 1) after_script: # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan. # Set DAST_RUN to true when jobs are manually scheduled. - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi artifacts: paths: - environment_url.txt - curl-logs/ reports: dotenv: environment.env expire_in: 7 days when: always review-deploy-sample-projects: extends: - .review-workflow-base - .review:rules:review-deploy stage: deploy needs: ["review-deploy"] environment: action: prepare before_script: - export GITLAB_SHELL_VERSION=$( environment_url.txt - *base-before_script - !reference [".use-kube-context", before_script] script: - date - create_sample_projects .review-stop-base: extends: .review-workflow-base environment: action: stop variables: # We're cloning the repo instead of downloading the script for now # because some repos are private and CI_JOB_TOKEN cannot access files. # See https://gitlab.com/gitlab-org/gitlab/issues/191273 GIT_DEPTH: 1 review-delete-deployment: extends: - .review-stop-base - .review:rules:review-delete-deployment dependencies: [] stage: prepare before_script: - source ./scripts/utils.sh - source ./scripts/review_apps/review-apps.sh - !reference [".use-kube-context", before_script] script: - retry delete_helm_release trigger-review-stop: extends: - .review-stop-base - .review:rules:trigger-review-stop stage: deploy needs: [] before_script: - source ./scripts/utils.sh - install_gitlab_gem script: - review_stop_job_id="$(scripts/api/get_job_id.rb --pipeline-id "${PARENT_PIPELINE_ID}" --job-name "review-stop")" - | curl --request POST --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/jobs/${review_stop_job_id}/play"