# Remote CI templates that the sast-scan and oss-scan jobs extend. Both are
# pulled from moving refs ('latest', 'master'), so this pipeline's behaviour
# changes whenever those refs are updated in the template projects; pinning
# `ref` to a release tag or commit SHA would make runs reproducible and
# narrow who can alter what executes here.
include:
  - project: 'prodsec/scp-scanning/gitlab-checkmarx'
    ref: latest
    file: '/templates/.sast_scan.yml'
  - project: 'ci-cd/templates'
    ref: master
    file: '/prodsec/.oss-scan.yml'
# Default job image: Temurin 17 JDK from the internal registry mirror.
# Pinned by version tag only; a digest pin (`image@sha256:...`) would make
# the image immutable across reruns.
image: "docker-hub.repo.splunkdev.net/eclipse-temurin:17.0.6_10-jdk"
# Android toolchain versions consumed by .prepare-android-environment. Kept
# as quoted strings so the YAML parser does not coerce them to numbers.
variables:
  ANDROID_COMPILE_SDK: '34'  # selects the "platforms;android-<n>" package
  ANDROID_BUILD_TOOLS: '34.0.0'  # selects the "build-tools;<version>" package
  ANDROID_COMMAND_LINE_TOOLS: '7302050'  # interpolated into the commandlinetools download URL
# Hidden job template: installs the Android SDK into the working directory so
# Gradle can build against it. Jobs pull it in with `extends`.
.prepare-android-environment:
  before_script:
    - apt-get --quiet update --yes
    - apt-get --quiet install --yes wget tar unzip lib32stdc++6 lib32z1
    # Fetched over HTTPS but not integrity-checked; comparing the archive
    # against the checksum published for this command-line-tools build would
    # catch a tampered or truncated download before it is unpacked.
    - wget --quiet --output-document=android-sdk.zip https://dl.google.com/android/repository/commandlinetools-linux-${ANDROID_COMMAND_LINE_TOOLS}_latest.zip
    - unzip -d android-sdk-linux android-sdk.zip
    # --sdk_root=. installs into the current directory (the checkout); each
    # sdkmanager prompt is answered with a single 'y' and output is discarded.
    - echo y | android-sdk-linux/cmdline-tools/bin/sdkmanager --sdk_root=. "platforms;android-${ANDROID_COMPILE_SDK}" >/dev/null
    - echo y | android-sdk-linux/cmdline-tools/bin/sdkmanager --sdk_root=. "platform-tools" >/dev/null
    - echo y | android-sdk-linux/cmdline-tools/bin/sdkmanager --sdk_root=. "build-tools;${ANDROID_BUILD_TOOLS}" >/dev/null
    # Point Gradle at the SDK installed above and expose platform-tools.
    - export ANDROID_SDK_ROOT=$PWD
    - export PATH=$PATH:$PWD/platform-tools/
    # temporarily disable checking for EPIPE error and use yes to accept all licenses
    # (`yes` exits on SIGPIPE once sdkmanager stops reading, which would
    # otherwise fail the step under pipefail)
    - set +o pipefail
    - yes | android-sdk-linux/cmdline-tools/bin/sdkmanager --sdk_root=. --licenses
    - set -o pipefail
# Pipeline order: build -> verify (sast-scan, oss-scan) -> release.
stages:
  - build
  - verify
  - release
# Build and publish from the default branch. Runs only when the ref is
# literally "main"; CI_COMMIT_REF_NAME is the branch *or tag* name, so a tag
# called "main" would also match.
build:
  extends: .prepare-android-environment
  stage: build
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'
  script:
    # presumably satisfies the Android Gradle plugin's local.properties lookup
    # while the SDK location comes from ANDROID_SDK_ROOT — confirm
    - touch local.properties
    - ./gradlew build publish
# Static analysis via the shared .sast_scan template (see `include`), run
# only for the ref named "main".
sast-scan:
  extends: .sast_scan
  stage: verify
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'
  variables:
    SAST_SCANNER: 'Semgrep'
    # Fail build on high severity security vulnerabilities
    alert_mode: 'policy'
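# Open-source dependency scan via the shared .oss-scan template (see
# `include`), run only for the ref named "main".
oss-scan:
  extends: .oss-scan
  stage: verify
  before_script:
    # Exported explicitly: a plain assignment only reaches child processes
    # (Gradle, the scanner) when the variable was already exported by the
    # image. The hard-coded JDK path presumes a layout that may come from the
    # template's own image rather than the default one above — confirm.
    - export JAVA_HOME=/usr/lib/jvm/java-17-openjdk
    - export PATH=$JAVA_HOME/bin:$PATH
    - touch local.properties
  rules:
    - if: '$CI_COMMIT_REF_NAME == "main"'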
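# Publish a signed release to Sonatype for tags shaped like vX.Y.Z (any
# suffix allowed by the trailing `.*`). The original carried an empty
# `variables:` key, which parses as null and sets nothing; it is dropped here.
release:
  extends: .prepare-android-environment
  stage: release
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/'
  script:
    - touch local.properties
    # Signing material comes from CI variables; keep GPG_SECRET_KEY and
    # GPG_PASSWORD masked and limited to protected tags so only this job,
    # on a protected tag, can read them.
    - export ORG_GRADLE_PROJECT_signingKey=$GPG_SECRET_KEY
    - export ORG_GRADLE_PROJECT_signingPassword=$GPG_PASSWORD
    - ./gradlew -Prelease=true --no-build-cache --no-daemon --rerun-tasks build signMavenPublication publishToSonatype closeAndReleaseSonatypeStagingRepository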