default: interruptible: true stages: - prepare - deploy - post-deploy - qa - post-qa - dast include: - local: .gitlab/ci/cng/main.gitlab-ci.yml - local: .gitlab/ci/global.gitlab-ci.yml - local: .gitlab/ci/review-apps/rules.gitlab-ci.yml - local: .gitlab/ci/review-apps/qa.gitlab-ci.yml - local: .gitlab/ci/review-apps/dast.gitlab-ci.yml - local: .gitlab/ci/review-apps/dast-api.gitlab-ci.yml .base-before_script: &base-before_script - source ./scripts/utils.sh - source ./scripts/review_apps/review-apps.sh dont-interrupt-me: extends: .rules:dont-interrupt stage: prepare interruptible: false script: - echo "This jobs makes sure this pipeline won't be interrupted! See https://docs.gitlab.com/ee/ci/yaml/#interruptible." review-build-cng-env: extends: - .review-build-cng-env - .default-retry - .review:rules:review-build-cng - .fast-no-clone-job variables: # We use > instead of | because we want the files to be space-separated. FILES_TO_DOWNLOAD: > GITALY_SERVER_VERSION GITLAB_ELASTICSEARCH_INDEXER_VERSION GITLAB_KAS_VERSION GITLAB_PAGES_VERSION GITLAB_SHELL_VERSION scripts/trigger-build.rb VERSION before_script: - apk add --no-cache --update curl # Not present in ruby-alpine, so we add it manually - !reference [".fast-no-clone-job", before_script] - !reference [".review-build-cng-env", before_script] - mv VERSION GITLAB_WORKHORSE_VERSION # GITLAB_WORKHORSE_VERSION is a symlink to VERSION review-build-cng: extends: - .review-build-cng - .review:rules:review-build-cng needs: ["review-build-cng-env"] .review-workflow-base: image: ${REVIEW_APPS_IMAGE} variables: HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}" DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}" GITLAB_HELM_CHART_PROJECT_URL: "https://gitlab.com/gitlab-org/charts/gitlab" GITLAB_HELM_REPO_URL: "https://charts.gitlab.io" GITLAB_REPO_URL: ${CI_PROJECT_URL} GITLAB_IMAGE_REPOSITORY: "registry.gitlab.com/gitlab-org/build/cng-mirror" GITLAB_IMAGE_SUFFIX: "ee" GITLAB_REVIEW_APP_BASE_CONFIG_FILE: "scripts/review_apps/base-config.yaml" GITLAB_HELM_CHART_REF: "75b1486a9aec212d0f49ef1251526d8e51004bbc" # 7.0.1: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/75b1486a9aec212d0f49ef1251526d8e51004bbc environment: name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE} # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN} on_stop: trigger-review-stop review-deploy: extends: - .review-workflow-base - .review:rules:review-deploy - .fast-no-clone-job stage: deploy image: ${GITLAB_DEPENDENCY_PROXY_ADDRESS}dtzar/helm-kubectl:3.9.3 needs: - review-build-cng - review-delete-deployment # We always want to start from a clean slate (i.e. no helm release, no k8s namespace) cache: key: "review-deploy-dependencies-charts-${GITLAB_HELM_CHART_REF}-v1" paths: - "gitlab-${GITLAB_HELM_CHART_REF}" environment: action: start variables: # We use > instead of | because we want the files to be space-separated. FILES_TO_DOWNLOAD: > GITALY_SERVER_VERSION GITLAB_SHELL_VERSION scripts/review_apps/review-apps.sh scripts/review_apps/seed-dast-test-data.sh VERSION before_script: - apk add --no-cache --update curl # Not present in ruby-alpine, so we add it manually - !reference [".fast-no-clone-job", before_script] - mv VERSION GITLAB_WORKHORSE_VERSION # GITLAB_WORKHORSE_VERSION is a symlink to VERSION - export GITLAB_SHELL_VERSION=$( environment_url.txt - echo "QA_GITLAB_URL=${CI_ENVIRONMENT_URL}" > environment.env - *base-before_script - !reference [".use-kube-context", before_script] script: - run_timed_command "retry delete_helm_release" - run_timed_command "check_kube_domain" - run_timed_command "download_chart" - run_timed_command "deploy" || (display_deployment_debug && exit 1) - run_timed_command "verify_deploy" || (display_deployment_debug && exit 1) - run_timed_command "disable_sign_ups" || (display_deployment_debug && exit 1) - run_timed_command "verify_commit_sha" || (display_deployment_debug && exit 1) after_script: # Run seed-dast-test-data.sh only when DAST_RUN is set to true. This is to pupulate review app with data for DAST scan. # Set DAST_RUN to true when jobs are manually scheduled. - if [ "$DAST_RUN" == "true" ]; then source scripts/review_apps/seed-dast-test-data.sh; TRACE=1 trigger_proj_user_creation; fi artifacts: paths: - environment_url.txt - curl-logs/ reports: dotenv: environment.env expire_in: 7 days when: always review-deploy-sample-projects: extends: - .review-workflow-base - .review:rules:review-deploy stage: deploy needs: ["review-deploy"] environment: action: prepare before_script: - export GITLAB_SHELL_VERSION=$( environment_url.txt - *base-before_script - !reference [".use-kube-context", before_script] script: - date - create_sample_projects .review-stop-base: extends: .review-workflow-base timeout: 15min environment: action: stop variables: # We're cloning the repo instead of downloading the script for now # because some repos are private and CI_JOB_TOKEN cannot access files. # See https://gitlab.com/gitlab-org/gitlab/issues/191273 GIT_DEPTH: 1 review-delete-deployment: extends: - .review-stop-base - .review:rules:review-delete-deployment dependencies: [] stage: prepare before_script: - source ./scripts/utils.sh - source ./scripts/review_apps/review-apps.sh - !reference [".use-kube-context", before_script] script: - retry delete_helm_release trigger-review-stop: extends: - .review-stop-base - .review:rules:trigger-review-stop stage: deploy needs: [] before_script: - source ./scripts/utils.sh - install_gitlab_gem script: - review_stop_job_id="$(scripts/api/get_job_id.rb --pipeline-id "${PARENT_PIPELINE_ID}" --job-name "review-stop")" - | curl --request POST --header "Private-Token: ${PROJECT_TOKEN_FOR_CI_SCRIPTS_API_USAGE}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/jobs/${review_stop_job_id}/play"