slurm-operator/.gitlab-ci.yml at main · stackhpc/slurm-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
---

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH
    - if: $CI_COMMIT_REF_PROTECTED == "true"

stages:
  - test
  - release

variables:
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: /certs
  VERSION: 0.4.0
  CI_JOB_USER: gitlab-ci-token

.docker:
  image: docker:28.1.1
  services:
    - docker:28.1.1-dind
  before_script:
    - set -euo pipefail
    - docker info
    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    - apk update && apk upgrade
    - apk add --no-cache bash git make helm
    - export PATH=$PATH:$HOME/go/bin/
    - wget -O go.tgz https://go.dev/dl/go1.24.3.linux-amd64.tar.gz
    - tar -C /usr/local -xzf go.tgz
    - export PATH=$PATH:/usr/local/go/bin
    - go env -w GOPRIVATE=github.com/SlinkyProject/*

test:
  stage: test
  extends: .docker
  script:
    - set -euo pipefail
    - apk update && apk upgrade
    - apk add --no-cache shellcheck shfmt pre-commit
    - pre-commit run --verbose --all-files --show-diff-on-failure
  coverage: /total:\s+\(statements\)\s+\d+.\d+%/
  artifacts:
    expire_in: 7 days
    paths:
      - cover.html

audit:
  stage: test
  extends: .docker
  script:
    - make govulncheck
  allow_failure: true

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
secret_detection:
  stage: test
  allow_failure: false
  artifacts:
    when: on_failure
    expire_in: 7 days
    paths:
      - gl-secret-detection-report.json

release-oci:
  stage: release
  extends: .docker
  variables:
    REGISTRY: ${DOCKER_REGISTRY}
  script:
    - set -euo pipefail
    - |
      if [ -z $DOCKER_REGISTRY_PASSWORD ] || [ -z $DOCKER_REGISTRY ] || [ -z $DOCKER_REGISTRY_USER ]; then
        echo "Runner lacks login info. Either environment variables are not defined, or runner is on an unprotected branch/tag.";
        exit 1;
      fi
    - echo "$DOCKER_REGISTRY_PASSWORD" | docker login $DOCKER_REGISTRY -u $DOCKER_REGISTRY_USER --password-stdin
    - make clean
    - make push
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: manual

.git:
  image: alpine:latest
  before_script:
    - set -euo pipefail
    - apk update && apk upgrade
    - apk add --no-cache git
    - git version
    - |
      if [ -z $CI_AUTH_TOKEN ]; then
        echo "Runner lacks auth token. Either environment variables are not defined, or runner is on an unprotected branch/tag.";
        exit 1;
      fi
    - git remote set-url origin ${CI_PROJECT_URL/gitlab.com/oauth2:${CI_AUTH_TOKEN}@gitlab.com}.git
    - git remote -v
    - |
      if [ -z "$(echo "$VERSION" | grep -Eo "^[0-9]+\.[0-9]+\.[0-9]+$")" ]; then
        echo "VERSION is not semver: `$VERSION`"
        exit 1
      fi

release-tag:
  stage: release
  extends: .git
  script:
    - set -euo pipefail
    - tag_version="v${VERSION}"
    - echo "tag_version=${tag_version}"
    - git tag ${tag_version}
    - git push origin ${tag_version}
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: manual

release-branch:
  stage: release
  extends: .git
  script:
    - set -euo pipefail
    - major_minor="$(echo ${VERSION} | grep -Eo "^[0-9]+\.[0-9]+")"
    - branch_name="release-${major_minor}"
    - echo "branch_name=${branch_name}"
    - git branch ${branch_name}
    - git push --set-upstream origin ${branch_name}
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual