-
Notifications
You must be signed in to change notification settings - Fork 0
/
.gitlab-ci.yml
70 lines (67 loc) · 2.71 KB
/
.gitlab-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
include:
- template: 'Workflows/Branch-Pipelines.gitlab-ci.yml'
- project: 'security/container-scanning'
file: '.ESnet-container-scan.yml'
- component: $CI_SERVER_FQDN/ht/cicd-common/harbor-cve@main
inputs:
harbor_host: $HSITE
harbor_user: $HUSER_CVE
harbor_token: $HTOKEN_CVE
harbor_project: $CI_PROJECT_NAMESPACE
build:
stage: build
image: docker:26.1
services:
- docker:26.1-dind
tags:
- ht-docker
variables:
# example PUBLISH_TAG: wharf.es.net/ht/xilinx-labtools-docker:18106-g1b221f5c
PUBLISH_TAG: $HSITE/$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME:$CI_PIPELINE_ID-g$CI_COMMIT_SHORT_SHA
SC_FW_BASE_URL: https://dispense.es.net/Linux/xilinx/
before_script:
# Download optional assets from dispense which are not directly available on xilinx.com
- wget -q -P sc-fw-extra https://dispense.es.net/Linux/xilinx/sc-fw-u280-4.3.15-e7c874dfed8b39991ece9606f14bcc55.txt
- wget -q -P sc-fw-extra https://dispense.es.net/Linux/xilinx/sc-fw-u280-4.3.27-86ad998ebd4a64a737957f4bc8fd9cbc.txt
- wget -q -P sc-fw-extra https://dispense.es.net/Linux/xilinx/sc-fw-u280-4.3.31-3df2cd43aeeee780f6bd16547d47a0d4.txt
- wget -q -P sc-fw-extra https://dispense.es.net/Linux/xilinx/sc-fw-u55-7.1.17-fb6d693b58a437cc186916fce5fa13bd.txt
- wget -q -P sc-fw-extra https://dispense.es.net/Linux/xilinx/sc-fw-u55-7.1.23-53c604b35fd124c316ce1b477ab75689.txt
# Download optional assets from dispense which match the files that external users would download manually
- wget -q -P sc-fw-downloads https://dispense.es.net/Linux/xilinx/SC_U280_4_3_31.zip
- wget -q -P sc-fw-downloads https://dispense.es.net/Linux/xilinx/SC_U55C_7_1_23.zip
script:
# Auth to external registry
- docker login -u "$HUSER" -p "$HTOKEN" "$HSITE"
# Build and push
- docker build --pull -t $PUBLISH_TAG$TAG_SUFFIX .
- docker push $PUBLISH_TAG$TAG_SUFFIX
# Capture the published tag for downstream CI jobs
- |
cat <<EOF >> build.env
CS_IMAGE=$PUBLISH_TAG$TAG_SUFFIX
EOF
- cat build.env
- |
echo Image published as: $PUBLISH_TAG$TAG_SUFFIX
timeout: 2h
artifacts:
reports:
dotenv:
build.env
rules:
- if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
- if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
variables:
TAG_SUFFIX: -dev
pull_cve_allowlist:
extends: .harbor_cve_allowlist
container_scanning:
variables:
CS_REGISTRY_USER: $HUSER_RO
CS_REGISTRY_PASSWORD: $HTOKEN_RO
TRIVY_TIMEOUT: "1h"
# use 'dependencies' here rather than 'needs' since the gitlab container scanning
# include sets 'dependencies: []' which takes precedence over 'needs'
dependencies:
- pull_cve_allowlist
- build