exemplo 1
pensando aqui que seu runner é docker socket-binding, apenas 1 vm com os runners configurados como socket-binding.
# Stage order for the whole pipeline. Jobs of one stage start only after every
# job of the previous stage has finished (unless a job opts into `needs`).
stages:
  - lang        # lint / style / smell / unit checks
  - sast        # static application security testing
  - image       # compose + Dockerfile lint, build & push, image scan
  - deploy      # kubectl rollout per environment
  - loadtest    # k6 load test
  - acceptance  # acceptance tests
  - dast        # dynamic application security testing
  - notify      # team notification
### lang stage #############
# Placeholder: the job only echoes what it would run; `|| true` keeps it green
# whatever the echo's exit status is.
linter:
  stage: lang
  only:
    - dev
  tags:
    - shell
  # No checkout at all — nothing is linted yet. Remove this once a real linter
  # replaces the echo, otherwise there is no source tree to lint.
  variables:
    GIT_STRATEGY: none
  script:
    - echo running linter test || true
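# Placeholder style check (echo only, kept green by `|| true`).
style:
  stage: lang
  # `linter` lives in the same stage. `dependencies` only selects artifacts of
  # jobs from *earlier* stages and GitLab rejects same-stage entries, so the
  # intended ordering is expressed with `needs` instead.
  needs:
    - linter
  tags:
    - shell
  only:
    - dev
  variables:
    GIT_STRATEGY: none  # no checkout needed for the placeholder
  script:
    - echo running style test || true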
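# Placeholder code-smell check (echo only, kept green by `|| true`).
smell:
  stage: lang
  # `style` is in the same stage; `dependencies` is limited to artifacts from
  # earlier stages (same-stage entries fail validation), so order with `needs`.
  needs:
    - style
  tags:
    - shell
  only:
    - dev
  variables:
    GIT_STRATEGY: none  # no checkout needed for the placeholder
  script:
    - echo running code smell test || true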
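# Placeholder unit-test job (echo only, kept green by `|| true`).
unit:
  stage: lang
  # `smell` is in the same stage; `dependencies` is limited to artifacts from
  # earlier stages (same-stage entries fail validation), so order with `needs`.
  needs:
    - smell
  tags:
    - shell
  only:
    - dev
  variables:
    GIT_STRATEGY: none  # no checkout needed for the placeholder
  script:
    - echo running unit tests || true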
### sast stage #############
# Placeholder SAST job: echoes only, and `|| true` masks the echo's status.
sast_scanner:
  stage: sast
  only:
    - dev
  tags:
    - shell
  # Skips the checkout; a real scanner will need the source tree, so drop this
  # when the echo is replaced.
  variables:
    GIT_STRATEGY: none
  script:
    - echo "running static automated security test (sast)" || true
### image stage #############
# Lints docker-compose.yml with yamllint inside the pipelinecomponents image.
compose_linter:
  stage: image
  only:
    - dev
  tags:
    - docker
  # NOTE(review): untagged image resolves to :latest — pin a tag or digest for
  # reproducible results.
  image: pipelinecomponents/yamllint
  script:
    - yamllint docker-compose.yml
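# Lints the Dockerfile with hadolint.
image_linter:
  stage: image
  # compose_linter is in the same stage; `dependencies` only selects artifacts
  # from earlier stages (same-stage entries fail validation), so the ordering
  # is expressed with `needs`.
  needs:
    - compose_linter
  # NOTE(review): untagged image resolves to :latest — pin a tag or digest for
  # reproducible results.
  image: pipelinecomponents/hadolint
  tags:
    - docker
  only:
    - dev
  script:
    - hadolint Dockerfile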
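# Builds the application image, pushes it to registry.bolha.dev tagged with
# the pipeline id, and removes the local copies afterwards.
image_build_push:
  stage: image
  # image_linter is in the same stage; `dependencies` only selects artifacts
  # from earlier stages (same-stage entries fail validation), so use `needs`.
  needs:
    - image_linter
  image: docker:26.1.3
  tags:
    - dind
  only:
    - dev
  before_script:
    - docker info
  script:
    # The original command had no build context; `.` is the checked-out repo.
    # Tagging with the pipeline id gives each build an immutable reference
    # (the previous `bolha/app:versao` / `bola/app` / `app:latestz` names did
    # not match each other).
    - docker build -t bolha/app:$CI_PIPELINE_ID .
    # Password via stdin instead of `-p`, so it does not appear in `ps`
    # output or in the job log's echoed command line.
    - echo "$REGISTRY_PASS" | docker login -u "$REGISTRY_USER" --password-stdin https://registry.bolha.dev
    - docker tag bolha/app:$CI_PIPELINE_ID registry.bolha.dev/bolha/app:$CI_PIPELINE_ID
    - docker push registry.bolha.dev/bolha/app:$CI_PIPELINE_ID
    # Remove both tags so the daemon does not accumulate images between runs.
    - docker image rm registry.bolha.dev/bolha/app:$CI_PIPELINE_ID bolha/app:$CI_PIPELINE_ID
  after_script:
    # The runner daemon is shared (socket binding), so do not leave the
    # registry credentials cached in it after the job.
    - docker logout https://registry.bolha.dev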
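# Scans the image pushed by image_build_push with Trivy. The first scan is a
# full informational report; the second fails the job on CRITICAL findings.
image_scanner:
  stage: image
  # The build job is named image_build_push (there is no `image_build`), and
  # it is in the same stage, so the ordering must be expressed with `needs`
  # (`dependencies` only selects artifacts from earlier stages).
  # NOTE(review): image_build_push runs only on `dev`, while this job also runs
  # on release/sprint1, where the needed job is absent from the pipeline —
  # align the two `only` lists.
  needs:
    - image_build_push
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    GIT_STRATEGY: none
    TRIVY_NO_PROGRESS: "true"
  tags:
    - dind
  only:
    - dev
    - release/sprint1
  before_script:
    # registry.bolha.dev needs a login to push (see image_build_push);
    # presumably pulls need one too — Trivy reads these two variables.
    - export TRIVY_USERNAME="$REGISTRY_USER"
    - export TRIVY_PASSWORD="$REGISTRY_PASS"
  script:
    # (the empty `-` list entry that preceded these commands was removed: it
    # is a null script item, which GitLab rejects)
    - trivy -v
    - trivy image --clear-cache
    - trivy image --download-db-only
    # Full report, informational only.
    - trivy image --exit-code 0 registry.bolha.dev/bolha/app:$CI_PIPELINE_ID
    # Gate: with --exit-code 0 here the CRITICAL filter never failed anything,
    # so the scan was not a gate at all.
    - trivy image --exit-code 1 --severity CRITICAL registry.bolha.dev/bolha/app:$CI_PIPELINE_ID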
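### deploy stage #############
# Placeholder dev rollout: prepares a kubeconfig from $KUBE_CREDENTIALS and
# echoes instead of calling kubectl.
deploy_dev:
  stage: deploy
  # No artifacts are produced by image_build_push, so this only documents the
  # relationship; stage order already sequences the jobs.
  # NOTE(review): image_build_push runs only on `dev`; on release/sprint1 this
  # job has no image built in the same pipeline — verify what it should deploy.
  dependencies:
    - image_build_push
  tags:
    - docker
  image:
    name: bitnami/kubectl:1.30
    entrypoint: [""]
  only:
    - dev
    - release/sprint1
  before_script:
    # Owner-only permissions for the decoded credentials; quoting stops the
    # shell from word-splitting the base64 text; the absolute KUBECONFIG path
    # survives a later `cd`.
    - umask 077
    - echo "$KUBE_CREDENTIALS" | base64 -d > config
    - export KUBECONFIG="$PWD/config"
  script:
    - echo "executing k8s dev rollout..."
  after_script:
    # Do not leave the decoded kubeconfig behind in the working directory.
    - rm -f config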
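# Placeholder staging rollout: prepares a kubeconfig from $KUBE_CREDENTIALS
# and echoes instead of calling kubectl.
deploy_stg:
  stage: deploy
  # `push` was not a defined job; the job that pushes the image is
  # image_build_push. No artifacts flow here, so this only documents intent.
  # NOTE(review): image_build_push runs only on `dev`, so a `staging` pipeline
  # has no image built in it — verify which image this job should deploy.
  dependencies:
    - image_build_push
  tags:
    - docker
  image:
    name: bitnami/kubectl:1.30
    entrypoint: [""]
  only:
    - staging
  before_script:
    # Owner-only permissions for the decoded credentials; quoting stops the
    # shell from word-splitting the base64 text; the absolute KUBECONFIG path
    # survives a later `cd`.
    - umask 077
    - echo "$KUBE_CREDENTIALS" | base64 -d > config
    - export KUBECONFIG="$PWD/config"
  script:
    - echo "executing k8s staging rollout..."
  after_script:
    # Do not leave the decoded kubeconfig behind in the working directory.
    - rm -f config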
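# Placeholder production rollout: prepares a kubeconfig from $KUBE_CREDENTIALS
# and echoes instead of calling kubectl.
deploy_prd:
  stage: deploy
  # `push` was not a defined job; the job that pushes the image is
  # image_build_push. No artifacts flow here, so this only documents intent.
  # NOTE(review): image_build_push runs only on `dev`, so a `production`
  # pipeline has no image built in it — verify which image this job deploys.
  dependencies:
    - image_build_push
  tags:
    - docker
  image:
    name: bitnami/kubectl:1.30
    entrypoint: [""]
  only:
    - production
  before_script:
    # Owner-only permissions for the decoded credentials; quoting stops the
    # shell from word-splitting the base64 text; the absolute KUBECONFIG path
    # survives a later `cd`.
    - umask 077
    - echo "$KUBE_CREDENTIALS" | base64 -d > config
    - export KUBECONFIG="$PWD/config"
  script:
    - echo "executing k8s production rollout..."
  after_script:
    # Do not leave the decoded kubeconfig behind in the working directory.
    - rm -f config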
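### load-test stage #############
# Placeholder k6 load test for dev: both lines are echoes, nothing is executed.
simple_loadtest_dev:
  stage: loadtest
  dependencies:
    - deploy_dev  # earlier stage; no artifacts are actually consumed
  tags:
    - docker
  only:
    - dev
    - release/sprint1
  image:
    # NOTE(review): `latest` is unpinned — pin a tag or digest for
    # reproducible load numbers.
    name: loadimpact/k6:latest
    entrypoint: [""]
  script:
    # typo fixed: "againt" -> "against"
    - echo "executing k6 against app with 1000 requests in 30s..."
    # NOTE(review): still an echo; `.performance-test.js` looks like it was
    # meant to be `./performance-test.js` — confirm before wiring up k6.
    - echo "k6 run .performance-test.js"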
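# Placeholder k6 load test for staging: both lines are echoes.
simple_loadtest_stg:
  stage: loadtest
  dependencies:
    - deploy_stg  # earlier stage; no artifacts are actually consumed
  tags:
    - docker
  only:
    - staging
  image:
    # NOTE(review): `latest` is unpinned — pin a tag or digest for
    # reproducible load numbers.
    name: loadimpact/k6:latest
    entrypoint: [""]
  script:
    # typo fixed: "againt" -> "against"
    - echo "executing k6 against app with 1000 requests in 30s..."
    # NOTE(review): still an echo; `.performance-test.js` looks like it was
    # meant to be `./performance-test.js` — confirm before wiring up k6.
    - echo "k6 run .performance-test.js"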
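# Placeholder k6 load test for production: both lines are echoes.
simple_loadtest_prd:
  stage: loadtest
  dependencies:
    - deploy_prd  # earlier stage; no artifacts are actually consumed
  tags:
    - docker
  only:
    - production
  image:
    # NOTE(review): `latest` is unpinned — pin a tag or digest for
    # reproducible load numbers.
    name: loadimpact/k6:latest
    entrypoint: [""]
  script:
    # typo fixed: "againt" -> "against"
    - echo "executing k6 against app with 1000 requests in 30s..."
    # NOTE(review): still an echo; `.performance-test.js` looks like it was
    # meant to be `./performance-test.js` — confirm before wiring up k6.
    - echo "k6 run .performance-test.js"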
### acceptance-test stage #############
# Placeholder acceptance tests (dev): echo only, kept green by `|| true`.
acceptance_test_dev:
  stage: acceptance
  only:
    - dev
    - release/sprint1
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - simple_loadtest_dev
  variables:
    GIT_STRATEGY: none  # no checkout for the placeholder
  script:
    - echo running acceptance tests || true
# Placeholder acceptance tests (staging): echo only, kept green by `|| true`.
acceptance_test_stg:
  stage: acceptance
  only:
    - staging
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - simple_loadtest_stg
  variables:
    GIT_STRATEGY: none  # no checkout for the placeholder
  script:
    - echo running acceptance tests || true
# Placeholder acceptance tests (production): echo only, kept green by `|| true`.
acceptance_test_prd:
  stage: acceptance
  only:
    - production
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - simple_loadtest_prd
  variables:
    GIT_STRATEGY: none  # no checkout for the placeholder
  script:
    - echo running acceptance tests || true
### dast stage #############
# Placeholder DAST (dev): echo only; `|| true` masks the echo's exit status.
dast_scanner_dev:
  stage: dast
  only:
    - dev
    - release/sprint1
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - acceptance_test_dev
  variables:
    GIT_STRATEGY: none  # a DAST tool targets the running app, not the source
  script:
    - echo "running a dynamic automatic security test (dast)" || true
# Placeholder DAST (staging): echo only; `|| true` masks the echo's exit status.
dast_scanner_stg:
  stage: dast
  only:
    - staging
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - acceptance_test_stg
  variables:
    GIT_STRATEGY: none  # a DAST tool targets the running app, not the source
  script:
    - echo "running a dynamic automatic security test (dast)" || true
# Placeholder DAST (production): echo only; `|| true` masks the echo's status.
dast_scanner_prd:
  stage: dast
  only:
    - production
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - acceptance_test_prd
  variables:
    GIT_STRATEGY: none  # a DAST tool targets the running app, not the source
  script:
    - echo "running a dynamic automatic security test (dast)" || true
### notify stage #############
# Placeholder notification (dev): echo only, kept green by `|| true`.
notify_dev:
  stage: notify
  only:
    - dev
    - release/sprint1
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - dast_scanner_dev
  variables:
    GIT_STRATEGY: none  # no checkout needed to send a notification
  script:
    - echo notifying teams || true
# Placeholder notification (staging): echo only, kept green by `|| true`.
notify_stg:
  stage: notify
  only:
    - staging
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - dast_scanner_stg
  variables:
    GIT_STRATEGY: none  # no checkout needed to send a notification
  script:
    - echo notifying teams || true
# Placeholder notification (production): echo only, kept green by `|| true`.
notify_prd:
  stage: notify
  only:
    - production
  tags:
    - shell
  # Prior-stage job; no artifacts are consumed, stage order already sequences.
  dependencies:
    - dast_scanner_prd
  variables:
    GIT_STRATEGY: none  # no checkout needed to send a notification
  script:
    - echo notifying teams || true