diff --git a/.gitignore b/.gitignore index 574fe32b04533cd4854491fea23fa54a18abd6d3..024eb667ba69e7bed3260dd1bbb07eaba5376a26 100644 --- a/.gitignore +++ b/.gitignore @@ -1,14 +1,15 @@ +__pycache__ .coverage -cov.xml .DS_Store .eggs -*.pyc -coverage.xml .ipynb_checkpoints* .mypy_cache .pytest_cache -htmlcov .vscode +*.egg-info +*.pyc build +coverage.xml dist -*.egg-info \ No newline at end of file +htmlcov +junit.xml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c7e2878665e06bbdff96e062bb14f0303873d926..e6f77b92fc3bab4d66f10fb137e748ef39a71a64 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1,4 +1,4 @@ -image: ${DEVOPS_REGISTRY}usgs/python:3.9-obspy +image: code.usgs.gov:5001/devops/images/usgs/python:3.10-obspy stages: - init @@ -28,7 +28,6 @@ workflow: - IMAGE_NAME=usgs/${APP_NAME}:${CI_COMMIT_REF_SLUG} - IMAGE_NAME=${IMAGE_NAME/:master/:latest} - INTERNAL_IMAGE_NAME=${CODE_REGISTRY_IMAGE}/${IMAGE_NAME} - - STACK_NAME=${APP_NAME} .deploy: extends: @@ -90,6 +89,22 @@ workflow: APP_DEPLOY_DIR: "/geomag/geomag-algorithms" REQUIRED_PREFIX: "/geomag" +# template for jobs that need docker-in-docker +.dind: + # TODO: refactor Docker build to different runner + # before_script: + # - | + # echo "${CI_REGISTRY_PASSWORD}" | docker login \ + # --username "${CI_REGISTRY_USER}" \ + # --password-stdin \ + # "${CI_REGISTRY}" + image: code.usgs.gov:5001/devops/images/usgs/docker:20 + services: + - alias: docker + name: code.usgs.gov:5001/devops/images/usgs/docker:20-dind + variables: + DOCKER_DRIVER: overlay2 + # rules to define which branches should trigger actions .development-env: &development-env if: $CI_PROJECT_PATH != $UPSTREAM_PATH @@ -106,7 +121,7 @@ workflow: .production-env: &production-env if: > $CI_PROJECT_PATH == $UPSTREAM_PATH - && ( $CI_COMMIT_BRANCH == 'production' || $CI_COMMIT_TAG) + && ( $CI_COMMIT_BRANCH == 'production' || $CI_COMMIT_TAG ) variables: ENVIRONMENT: production @@ -127,7 +142,6 @@ Poetry: # install into .venv for artifact - poetry config virtualenvs.in-project true --local - poetry install - - poetry run safety check stage: init variables: PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip" @@ -136,21 +150,28 @@ Poetry: # Test Stage ## -------------------------------------------------- -Python Build: +Audit: + needs: + - Poetry + script: + - poetry run poe audit + stage: test + +Build: needs: - Poetry script: - poetry build stage: test -Python Lint: +Lint: needs: - Poetry script: - - poetry run black --check . + - poetry run poe lint stage: test -Python Test: +Test: artifacts: reports: coverage_report: @@ -160,8 +181,7 @@ Python Test: needs: - Poetry script: - - poetry run pytest --cov=geomagio --junitxml junit.xml - - poetry run coverage xml + - poetry run poe test stage: test ## -------------------------------------------------- @@ -171,9 +191,9 @@ Python Test: Build Docker Image: extends: - .adjust_image_names - image: ${DEVOPS_REGISTRY}docker:19.03-git + - .dind needs: - - Python Build + - Build script: - LOCAL_IMAGE="local/${IMAGE_NAME}" ## build image @@ -186,8 +206,6 @@ Build Docker Image: "." ## trivy scan before push - - wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz - - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz # fail LOW,MEDIUM vulnerabilities that have a fix available - ./trivy image --exit-code 1 --ignore-unfixed --severity LOW,MEDIUM "${LOCAL_IMAGE}"; # fail HIGH,CRITICAL vulnerabilities @@ -203,17 +221,13 @@ Build Docker Image: docker tag "${LOCAL_IMAGE}" "${IMAGE}"; docker push "${IMAGE}"; done - services: - - alias: docker - name: ${DEVOPS_REGISTRY}docker:19.03-dind stage: integration tags: + # TODO: refactor to separate build/publish steps - build variables: APP_NAME: geomag-algorithms - DOCKER_DRIVER: overlay2 - FROM_IMAGE: ${DEVOPS_REGISTRY}usgs/python:3.9-obspy - TRIVY_VERSION: "0.27.1" + FROM_IMAGE: code.usgs.gov:5001/devops/images/usgs/python:3.10-obspy ## -------------------------------------------------- # Deploy Stage diff --git a/pyproject.toml b/pyproject.toml index 4de69450022bf96151d7ef4194426254f88c41b3..41503ae5b9acf35f2a0d866959a8584ccdf79c00 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -78,6 +78,9 @@ copy-absolutes = "geomagio.processing.copy_absolutes:main" [tool.poe.tasks] # e.g. "poetry run poe lint" +audit = [ + { shell = "safety check"} +] lint = [ { shell = "black --check ." }, # TODO: fix isort warnings then enable this check