.gitlab-ci.yml
---
# Default container image for every job that does not set its own `image:`.
# NOTE(review): Python 3.7 is past upstream end-of-life and no longer gets
# security fixes; the `3.7` tag is also mutable, so the image content can
# change between pipeline runs. Consider a supported release pinned by digest.
image: "python:3.7"
# Pipeline-wide variables, visible to every job.
variables:
  # Skips the eslint analyzer of the included SAST template.
  SAST_EXCLUDED_ANALYZERS: "eslint"
  # Keeps pip's download cache inside the project directory, where the
  # `cache:` section can persist it (.cache/pip/ is listed there).
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  # Sends all pip lookups to one repository over HTTPS. Because this replaces
  # the default index instead of adding an extra one, a package name cannot be
  # resolved from a second, unintended index.
  # NOTE(review): presumably an internal proxy of PyPI - confirm which
  # upstreams it serves.
  PIP_INDEX_URL: "https://artefakt.dev.sbb.berlin/repository/pypi-central/simple"
# Two caches: dependency files shared across pipelines, and test reports
# scoped to a single pipeline.
cache:
  # Key is derived from the two requirements files, so this cache is reused
  # until one of them changes.
  # NOTE(review): restored packages are used as-is; on runners shared with
  # untrusted branches, confirm the cache is separated for protected branches.
  - key:
      files:
        - requirements.txt
        - requirements-dev.txt
    paths:
      - .cache/pip/
      # NOTE(review): no job in this file creates .venv/ - confirm it is used.
      - .venv/
  # One cache per pipeline, keyed by the pipeline id.
  # Presumably carries test-reports/ from `tests` to later jobs - verify.
  - key: "${CI_PIPELINE_ID}"
    paths:
      - test-reports/
# Hidden job (leading dot): never runs itself; bandit-sast and semgrep-sast
# pull it in through `extends`.
.prepare_sast:
  before_script:
    # Route outbound traffic through the site proxy. The http:// scheme is the
    # connection to the proxy itself.
    - export HTTP_PROXY=http://proxy.sbb.spk-berlin.de:3128
    - export HTTPS_PROXY=http://proxy.sbb.spk-berlin.de:3128
    # apk is the Alpine package manager.
    # NOTE(review): assumes the analyzer images are Alpine-based and run as
    # root - confirm; the packages are fetched unpinned at job time.
    - apk --update add build-base
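# Hidden job (leading dot): shared setup for the `linting` and `tests` jobs.
.prepare_tests:
  before_script:
    # Route outbound traffic through the site proxy.
    - export HTTP_PROXY=http://proxy.sbb.spk-berlin.de:3128
    - export HTTPS_PROXY=http://proxy.sbb.spk-berlin.de:3128
    - python --version
    # NOTE(review): pip is upgraded to whatever is newest at job time, so the
    # installer version is not reproducible between runs.
    - pip install --upgrade pip
    # Quoted so the shell cannot treat `.[dev]` as a glob pattern that matches
    # a dot-file such as `.d` or `.e` in the checkout.
    - pip install -e ".[dev]"
    # NOTE(review): writing under /data needs a container user with write
    # access there (typically root) - confirm.
    - mkdir -p /data/log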
# Pulls in GitLab's SAST job definitions. The template is resolved from the
# GitLab instance at pipeline time, so its jobs can change with an upgrade.
# Template source:
# https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
include:
  - template: Security/SAST.gitlab-ci.yml
# Stage order; jobs of one stage start only after the previous stage passed.
# NOTE(review): bandit-sast and semgrep-sast set no `stage:` in this file;
# presumably they inherit one from the template - confirm it is listed here.
stages:
  - analysis
  - test
  - sonarqube
# Style check over the package and its tests.
linting:
  stage: analysis
  extends:
    - .prepare_tests
  script:
    # --exit-zero makes flake8 return 0 even when it reports violations, so
    # this job is report-only and never fails the pipeline on findings.
    - flake8 --exit-zero --statistics --doctests ocrd_butler/ tests/
# Unit tests and doctests, with coverage and JUnit results kept as artifacts.
tests:
  stage: test
  extends:
    - .prepare_tests
  script:
    - export PROFILE=test
    # NOTE(review): no --junitxml or --cov option is passed here; the report
    # files listed under `artifacts` are presumably produced through pytest /
    # coverage settings kept elsewhere in the repository - confirm.
    - pytest tests --doctest-modules ocrd_butler
    - coverage xml
  # Regex GitLab applies to the job log to extract the total coverage figure.
  coverage: '/^TOTAL\s+\d+\s+\d+\s+\d+\s+\d+\s+(\d+\%)/'
  artifacts:
    # Upload the reports for failed jobs too.
    when: always
    paths:
      - test-reports/coverage.xml
      - test-reports/test-report.xml
    reports:
      junit: test-reports/test-report.xml
      # NOTE(review): newer GitLab releases replaced `reports:cobertura` with
      # `reports:coverage_report` - verify against the instance version.
      cobertura: test-reports/coverage.xml
    expire_in: 80 weeks
# Bandit SAST job. `.sast-analyzer` is not defined in this file; presumably it
# comes from the included SAST template - confirm.
# NOTE(review): recent versions of that template may no longer ship a Bandit
# analyzer, in which case this job has nothing to override - verify.
bandit-sast:
  extends:
    - .prepare_sast
    - .sast-analyzer
  artifacts:
    # Keep the report even when the analyzer job fails.
    when: always
    reports:
      sast: gl-sast-report.json
    # Listing the report under `paths` also makes the raw findings a
    # downloadable job artifact for the whole retention period; check that
    # artifact access is limited to people who should see open findings.
    paths:
      - gl-sast-report.json
    expire_in: 80 weeks
# Semgrep SAST job. `.sast-analyzer` is not defined in this file; presumably
# it comes from the included SAST template - confirm.
semgrep-sast:
  extends:
    - .prepare_sast
    - .sast-analyzer
  artifacts:
    # Keep the report even when the analyzer job fails.
    when: always
    reports:
      sast: gl-sast-report.json
    # Listing the report under `paths` also makes the raw findings a
    # downloadable job artifact for the whole retention period; check that
    # artifact access is limited to people who should see open findings.
    paths:
      - gl-sast-report.json
    expire_in: 80 weeks
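# SonarQube analysis; runs in the last stage, after `tests`.
sonarqube-check:
  stage: sonarqube
  variables:
    # Re-exports a variable of the same name; the real value has to be defined
    # outside this file (CI/CD settings). Keep it masked and protected there.
    SONAR_TOKEN: $SONAR_TOKEN
    # NOTE(review): plain HTTP - the token and the analysis data travel
    # unencrypted to the server. Switch to https:// once it offers TLS.
    SONAR_HOST_URL: "http://code-quality.dev.sbb.berlin:9000"
    # Full clone instead of a shallow fetch. Quoted because CI variables are
    # strings.
    GIT_DEPTH: "0"
  image:
    # NOTE(review): `latest` is a mutable tag and this job holds SONAR_TOKEN;
    # pin the scanner image to a fixed version or digest.
    name: "sonarsource/sonar-scanner-cli:latest"
  script:
    - sonar-scanner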
...