.gitlab-ci.yml
# GitLab CI pipeline for this SPIRE fork. The clone, deps and build jobs run
# under `witness run` so each step emits an in-toto attestation, and the
# `verify` stage checks the built binaries against a signed policy before
# anything is uploaded or released.
# NOTE(review): the builder image is pinned to a tag, not a digest; a retagged
# image changes the toolchain silently. Pin with @sha256 if reproducibility
# of the attested builds matters.
image: registry.gitlab.com/testifysec/spire/builder:v0.0.2

stages:
  - clone
  - deps
  - build
  - verify
  - upload
  - release

variables:
  # The runner does not check the repo out itself: the `clone` job does it
  # under witness so the checkout is attested. This applies to every job.
  GIT_STRATEGY: none
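clone:
  stage: clone
  script:
    # Attested checkout. No witness config file exists yet (the repo is not
    # cloned), so the attestors and the attestation sink (-r) are given on the
    # command line; `-o /dev/null` drops the local copy of the attestation and
    # relies on -r to persist it.
    # Written as a folded block scalar: a trailing backslash inside a plain
    # YAML scalar is not a shell line continuation, it is passed to the shell.
    # NOTE(review): the runner's shell expands ${CI_REPOSITORY_URL} — which
    # embeds the job token — before witness sees the command line; if the
    # command-run attestation records argv, the expanded URL is what gets
    # sent to -r. Confirm, and expand inside the child shell if so.
    - >-
      witness run -s clone -a gitlab -a gcp-iit
      --spiffe-socket=unix:///run/spire/sockets/agent.sock
      -r https://log.testifysec.io -o /dev/null
      -- bash -c "git clone ${CI_REPOSITORY_URL} . && git reset --hard ${CI_COMMIT_SHA}"
    # Record the commit actually checked out so the gate policy can be
    # evaluated against it.
    - git rev-parse --verify HEAD > commithash
    # Gate: the clone attestation must satisfy the signed CI policy. Config
    # and policy are read from the checkout that was just attested.
    - witness -c ./witness/.witness-ci.yaml verify -p ./witness/ci-gate-policy.signed.json -f commithash
  artifacts:
    # Hand the whole tree to `deps`; commithash is only needed by the gate.
    exclude:
      - commithash
    paths:
      - ./*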
deps:
  stage: deps
  dependencies:
    - "clone"
  script:
    # Vendor Go modules under witness. No -a/-r on the command line here, so
    # attestors and the attestation sink presumably come from
    # .witness-ci.yaml — confirm, otherwise this step's attestation is lost.
    - witness -c ./witness/.witness-ci.yaml run -s deps -- /bin/sh -c "go mod vendor"
  artifacts:
    # Pass the tree plus vendored modules to the build stage. .git is dropped;
    # the build jobs read CI_COMMIT_SHORT_SHA rather than running git.
    exclude:
      - .git
    paths:
      - ./*
      - ./vendor/*
# Build the binaries
# One job per binary. Each runs `go build` under witness so the output in
# ./bin can be checked against artifact-policy.signed.json by `verify`.
build-server:
  stage: build
  dependencies:
    - "deps"
  script:
    # -s -w strips symbols and DWARF; the short commit SHA is stamped into the
    # version package. ${CI_COMMIT_SHORT_SHA} sits outside the single quotes
    # so the runner's shell expands it before the child bash runs.
    # -o /dev/null: the attestation is only kept if .witness-ci.yaml
    # configures a sink — confirm.
    - witness run -s build -c witness/.witness-ci.yaml -o /dev/null -- bash -c "go build -ldflags '-s -w -X github.com/spiffe/spire/pkg/common/version.githash='${CI_COMMIT_SHORT_SHA} -o bin/spire-server ./cmd/spire-server"
  artifacts:
    paths:
      - ./bin/*
      # The witness config, artifact policy and public key are re-exported
      # here because `verify` depends only on the build jobs, not on `deps`.
      - ./witness/.witness-ci.yaml
      - ./witness/artifact-policy.signed.json
      - ./witness/testpub.pem
build-agent:
  stage: build
  dependencies:
    - "deps"
  script:
    # Same shape as build-server: stripped binary, commit stamped into the
    # version package, attestation kept only via the witness config's sink.
    - witness run -s build -c witness/.witness-ci.yaml -o /dev/null -- bash -c "go build -ldflags '-s -w -X github.com/spiffe/spire/pkg/common/version.githash='${CI_COMMIT_SHORT_SHA} -o bin/spire-agent ./cmd/spire-agent"
  artifacts:
    # Only the binary; the witness files are exported by build-server.
    paths:
      - ./bin/*
build-k8s-workload-registrar:
  stage: build
  dependencies:
    - "deps"
  script:
    # Same shape as build-server: stripped binary, commit stamped into the
    # version package, attestation kept only via the witness config's sink.
    - witness run -s build -c witness/.witness-ci.yaml -o /dev/null -- bash -c "go build -ldflags '-s -w -X github.com/spiffe/spire/pkg/common/version.githash='${CI_COMMIT_SHORT_SHA} -o bin/k8s-workload-registrar ./support/k8s/k8s-workload-registrar"
  artifacts:
    # Only the binary; the witness files are exported by build-server.
    paths:
      - ./bin/*
build-oidc-discovery-provider:
  stage: build
  dependencies:
    - "deps"
  script:
    # Same shape as build-server: stripped binary, commit stamped into the
    # version package, attestation kept only via the witness config's sink.
    - witness run -s build -c witness/.witness-ci.yaml -o /dev/null -- bash -c "go build -ldflags '-s -w -X github.com/spiffe/spire/pkg/common/version.githash='${CI_COMMIT_SHORT_SHA} -o bin/oidc-discovery-provider ./support/oidc-discovery-provider"
  artifacts:
    # Only the binary; the witness files are exported by build-server.
    paths:
      - ./bin/*
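verify:
  stage: verify
  # Consumes ./bin plus the witness config/policy/key exported by build-server.
  dependencies:
    - "build-server"
    - "build-agent"
    - "build-k8s-workload-registrar"
    - "build-oidc-discovery-provider"
  script:
    # Gate every built binary against the signed artifact policy. Iterate the
    # glob directly instead of parsing `ls` output, quote the path, and make
    # each failure fatal: a `for` loop's exit status is that of its last
    # iteration, so without the explicit exit a failed verification of an
    # earlier binary could be masked when the shell is not running with
    # errexit. An empty ./bin leaves the literal glob, which fails closed.
    # NOTE(review): the config, the policy and testpub.pem all arrive through
    # the checkout/artifact chain. If .witness-ci.yaml uses testpub.pem as the
    # policy's trust root, that root is controlled by whoever can push to the
    # branch; consider supplying the key from a protected CI variable instead.
    - for i in ./bin/*; do witness -c ./witness/.witness-ci.yaml verify -p ./witness/artifact-policy.signed.json -f "$i" || exit 1; done
  artifacts:
    # Re-export the verified binaries so `upload` can take them from this job.
    paths:
      - ./bin/*
      - ./witness/artifact-policy.signed.json
      - ./witness/testpub.pem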
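upload:
  stage: upload
  # NOTE(review): `latest` is unpinned. This job handles the job token and the
  # release binary, so pin the image to a digest.
  image: curlimages/curl:latest
  rules:
    - if: $CI_COMMIT_TAG
  # Take ./bin only from the job that verified it, rather than from every
  # earlier job (the default when `dependencies` is omitted).
  dependencies:
    - "verify"
  script:
    # --fail turns an HTTP error from the registry into a non-zero exit;
    # without it a rejected upload leaves the job green.
    # PACKAGE_REGISTRY_URL is not defined in this file, so it must be a
    # project CI variable; since it decides where the job token is sent it
    # should be a protected variable. Only spire-agent is uploaded here.
    - |
      curl --fail --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file bin/spire-agent "${PACKAGE_REGISTRY_URL}/spire-agent/${CI_COMMIT_TAG}/bin/spire-agent"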
release:
stage: release
image: registry.gitlab.com/gitlab-org/release-cli:latest
script:
- |
release-cli create --name "Release $CI_COMMIT_TAG" --tag-name $CI_COMMIT_TAG \
--assets-link "{\"name\":\"spire-agent",\"url\":\"${PACKAGE_REGISTRY_URL}/spire-agent/${CI_COMMIT_TAG}/bin/spire-agent" \