include: - template: SAST.gitlab-ci.yml - template: Dependency-Scanning.gitlab-ci.yml - template: License-Scanning.gitlab-ci.yml - template: Secret-Detection.gitlab-ci.yml # run the pipeline only on MRs, tags, and default branch workflow: rules: - if: $CI_PIPELINE_SOURCE == "merge_request_event" - if: $CI_COMMIT_TAG - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH default: tags: - gitlab-org image: node:14-slim stages: - test - package - publish lint: stage: test script: - npm ci - cd src/webview && npm ci && cd ../.. # webview dependencies - npm run lint lint_commit: stage: test script: - apt-get update && apt-get install -y git - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME && git checkout $CI_MERGE_REQUEST_TARGET_BRANCH_NAME && git checkout $CI_COMMIT_SHA - cd scripts/commit-lint && npm ci - node lint.js rules: - if: '$CI_MERGE_REQUEST_IID && $CI_PROJECT_VISIBILITY == "public"' # lint.js script makes an API call without authentication when: always check-ci-variables: stage: test script: - npm ci - npm run update-ci-variables allow_failure: true # could be caused by changes in gitlab-org/gitlab repo, not related to current branch test-unit: stage: test script: - apt-get update && apt-get install -y git - npm ci - npm run test-unit -- --coverage artifacts: when: always reports: junit: - reports/unit.xml test-integration: stage: test variables: DISPLAY: ':99.0' script: - apt-get update - apt-get install -y xvfb libxtst6 libnss3 libgtk-3-0 libxss1 libasound2 libsecret-1-0 git - npm ci - echo $DISPLAY - /usr/bin/Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 & - npm run test-integration artifacts: when: always reports: junit: - reports/integration.xml test-webview: stage: test script: - cd src/webview - npm ci - npm run test .package: stage: package script: - npm ci - cd src/webview && npm install && npm run build && cd ../.. # build webview - npx vsce package artifacts: paths: - '*.vsix' package_release: extends: .package artifacts: expire_in: 1 year only: - tags # We test that packaging works to prevent failed releases # Without this task we would only find out packaging errors after tagging a release package_test: extends: .package artifacts: expire_in: 10 days publish_marketplace: stage: publish script: - npx vsce publish --packagePath *.vsix -p $AZURE_ACCESS_TOKEN when: manual only: - tags publish_open_vsx: stage: publish script: - npx ovsx publish *.vsix -p $OPENVSX_ACCESS_TOKEN when: manual only: - tags # Override security scanning rules to run every time this pipeline does # This potentially can be made obsolete once: # https://gitlab.com/gitlab-org/gitlab/-/issues/217668 lands .secure-jobs-config: &secure-jobs-config needs: [] rules: - when: on_success retire-js-dependency_scanning: <<: *secure-jobs-config gemnasium-dependency_scanning: <<: *secure-jobs-config license_scanning: <<: *secure-jobs-config eslint-sast: <<: *secure-jobs-config nodejs-scan-sast: <<: *secure-jobs-config secret_detection: <<: *secure-jobs-config # We can't run the secrets detection on tags: https://gitlab.com/gitlab-org/gitlab/-/issues/254199 rules: - if: $CI_COMMIT_TAG when: 'never'