version: 39 jobs: - name: Release steps: - !CheckoutStep name: checkout cloneCredential: !HttpCredential accessTokenSecret: onedev-token withLfs: false withSubmodules: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set up cache templateName: set up cache condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set build version templateName: set build version condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: build runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | set -e set -o pipefail buildVersion=@build_version@ projectDir=`pwd` mvn -Dmaven.deploy.username=@job_token@ -Dmaven.deploy.password=@secrets:maven-deploy-password@ deploy # Prepare for artifact and site publish cp server-product/target/onedev-${buildVersion}.zip . mkdir server-plugin-archetype-${buildVersion} cd server-plugin/server-plugin-archetype mvn help:effective-pom -Doutput=$projectDir/server-plugin-archetype-${buildVersion}/pom.xml cd $projectDir sed -i 's/\/onedev-build\/workspace\/server-plugin\/server-plugin-archetype\///' server-plugin-archetype-${buildVersion}/pom.xml cp -r server-plugin/server-plugin-archetype/src server-plugin-archetype-${buildVersion} zip -r server-plugin-archetype-${buildVersion}.zip server-plugin-archetype-${buildVersion} tar zcvf server-plugin-archetype-${buildVersion}.tar.gz server-plugin-archetype-${buildVersion} unzip onedev-${buildVersion}.zip tar zcvf onedev-${buildVersion}.tar.gz onedev-${buildVersion} sha256sum onedev-${buildVersion}.zip > onedev-${buildVersion}.zip.sha256 sha256sum onedev-${buildVersion}.tar.gz > onedev-${buildVersion}.tar.gz.sha256 sha256sum server-plugin-archetype-${buildVersion}.zip > server-plugin-archetype-${buildVersion}.zip.sha256 sha256sum server-plugin-archetype-${buildVersion}.tar.gz > server-plugin-archetype-${buildVersion}.tar.gz.sha256 cp server-product/docker/*.yaml . # Prepare for docker image build cd $projectDir/server-product/target cp -r ../docker docker unzip onedev-$buildVersion.zip -d docker mv docker/onedev-$buildVersion docker/app cp -r agent docker/ cd $projectDir echo "$buildVersion" | cut -d. -f1 > buildVersion.major echo "$buildVersion" | cut -d. -f1,2 > buildVersion.major.minor useTTY: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: scan templateName: scan vulnerabilities paramMatrix: - name: Scan Path valuesProvider: !SpecifiedValues values: - - server-product/target/docker/app secret: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !PublishArtifactStep name: publish artifacts artifacts: '*.zip *.tar.gz *.sha256 *.yaml' condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !PublishMarkdownReportStep name: publish incompatibility report reportName: Incompatibilities filePatterns: server-product/system/incompatibilities/** startPage: server-product/system/incompatibilities/incompatibilities.md condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !BuildImageStep name: build server docker image buildPath: server-product/target/docker dockerfile: server-product/target/docker/Dockerfile.server output: !RegistryOutput tags: 1dev/server 1dev/server:@build_version@ 1dev/server:@file:buildVersion.major@ 1dev/server:@file:buildVersion.major.minor@ platforms: linux/amd64,linux/arm64 condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !BuildImageStep name: build agent docker image buildPath: server-product/target/docker dockerfile: server-product/target/docker/Dockerfile.agent output: !RegistryOutput tags: 1dev/agent platforms: linux/amd64,linux/arm64 condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: publish helm chart runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | set -e buildVersion=@build_version@ projectDir=`pwd` cd $projectDir/server-product/helm ./prepare.sh cd $projectDir/server-product/target/helm-chart curl -u @job_token@:@secret:onedev-token@ -X POST --upload-file ./onedev-${buildVersion}.tgz https://code.onedev.io/onedev/~helm useTTY: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: publish GH release runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | set -e set -o pipefail buildVersion=@build_version@ projectDir=`pwd` echo "Creating release tag..." git config --global user.name "Robin Shen" git config --global user.email "robin@@onedev.io" git config --global --add safe.directory /onedev-build/workspace git tag v$buildVersion -m "Release tag" git push -f origin v$buildVersion:v$buildVersion git config --global --unset http.extraHeader git push -f https://robin:@secrets:github-token@@@github.com/theonedev/onedev v$buildVersion:v$buildVersion echo "Creating release in GitHub..." releaseId=$(curl -u robinshine:@secrets:github-token@ https://api.github.com/repos/theonedev/onedev/releases/tags/v$buildVersion | jq '.id') releaseJson="{\"name\":\"$buildVersion\",\"tag_name\":\"v$buildVersion\",\"body\":\"## Installation Guide\n\nhttps://docs.onedev.io/category/installation-guide\n\n## Change Log\n\nhttps://code.onedev.io/onedev/server/~builds/@build_number@/fixed-issues?query=%22State%22+is+%22Released%22+order+by+%22Type%22+asc+%2C+%22Priority%22+desc\n\n## Incompatibilities\n\nhttps://code.onedev.io/onedev/server/~builds/@build_number@/markdown/Incompatibilities/server-product/system/incompatibilities/incompatibilities.md\"}" acceptHeader="Accept: application/vnd.github.v3+json" if [ "$releaseId" == "null" ]; then curl -u robinshine:@secrets:github-token@ -X POST -H "$acceptHeader" -d "$releaseJson" https://api.github.com/repos/theonedev/onedev/releases else curl -u robinshine:@secrets:github-token@ -X PATCH -H "$acceptHeader" -d "$releaseJson" https://api.github.com/repos/theonedev/onedev/releases/$releaseId fi useTTY: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CloseIterationStep name: close milestone iterationName: '@build_version@' accessTokenSecret: onedev-token condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 - name: Publish Site steps: - !CommandStep name: build runInContainer: true image: ubuntu interpreter: !DefaultInterpreter commands: "apt update \napt install -y zip\nbuildVersion=`ls onedev-*.tar.gz | grep -Po 'onedev-\\K.*(?=.tar.gz)'`\ntar zxvf onedev-$buildVersion.tar.gz\nmv onedev-$buildVersion onedev-latest\ntar zcvf onedev-latest.tar.gz onedev-latest\nzip -r onedev-latest.zip onedev-latest\nsha256sum onedev-latest.zip > onedev-latest.zip.sha256\nsha256sum onedev-latest.tar.gz > onedev-latest.tar.gz.sha256\necho $buildVersion > build_version\n" useTTY: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !SetBuildVersionStep name: set version buildVersion: '@file:build_version@' condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !PublishSiteStep name: publish artifacts: onedev-latest* condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL jobDependencies: - jobName: Release requireSuccessful: true artifacts: onedev-*.zip onedev-*.tar.gz retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 - name: Publish Test Images steps: - !CheckoutStep name: checkout cloneCredential: !HttpCredential accessTokenSecret: onedev-token withLfs: false withSubmodules: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set up cache templateName: set up cache condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set build version templateName: set build version condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: build runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | set -e mvn -Dmaven.test.skip=true package -Pee cd server-product/target cp -r ../docker docker buildVersion=`ls onedev-*.zip|sed -e 's/onedev-\(.*\).zip/\1/'` unzip onedev-$buildVersion.zip -d docker mv docker/onedev-$buildVersion docker/app cp -r agent docker/ useTTY: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !BuildImageStep name: build server docker image buildPath: server-product/target/docker dockerfile: server-product/target/docker/Dockerfile.server output: !RegistryOutput tags: 1dev/server:test platforms: '@param:Platforms@' condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !BuildImageStep name: build agent docker image buildPath: server-product/target/docker dockerfile: server-product/target/docker/Dockerfile.agent output: !RegistryOutput tags: 1dev/agent:test platforms: '@param:Platforms@' condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL paramSpecs: - !ChoiceParam name: Platforms allowMultiple: true allowEmpty: false choiceProvider: !SpecifiedChoices choices: - value: linux/amd64 color: '#0d87e9' - value: linux/arm64 color: '#0d87e9' retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 - name: Scan Vulnerabilities steps: - !CheckoutStep name: checkout cloneCredential: !HttpCredential accessTokenSecret: onedev-token withLfs: false withSubmodules: true cloneDepth: 1 condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set up maven cache templateName: set up cache condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: build runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | mvn clean package useTTY: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: scan templateName: scan vulnerabilities paramMatrix: - name: Scan Path valuesProvider: !SpecifiedValues values: - - server-product/target/sandbox secret: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL triggers: - !ScheduleTrigger cronExpression: 0 0 1 * * ? retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 postBuildActions: - !SendNotificationAction condition: failed receivers: user(robin) - name: CI steps: - !CheckoutStep name: checkout cloneCredential: !HttpCredential accessTokenSecret: onedev-token withLfs: false withSubmodules: true cloneDepth: 1 condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set up cache templateName: set up cache condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: set build version templateName: set build version condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: build runInContainer: true image: '@property:buildEnvironment@' interpreter: !DefaultInterpreter commands: | mvn package useTTY: true condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !UseTemplateStep name: scan templateName: scan vulnerabilities paramMatrix: - name: Scan Path valuesProvider: !SpecifiedValues values: - - server-product/target/sandbox secret: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL triggers: - !BranchUpdateTrigger branches: main projects: onedev/server retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 - name: Sync Main (GitHub) steps: - !CheckoutStep name: checkout cloneCredential: !DefaultCredential {} withLfs: false withSubmodules: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !CommandStep name: sync runInContainer: true image: alpine/git:1.0.7 interpreter: !DefaultInterpreter commands: | git config --global --unset http.extraHeader git push -f https://robinshine:@secrets:github-token@@@github.com/theonedev/onedev.git useTTY: false condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL triggers: - !BranchUpdateTrigger branches: main projects: onedev/server retryCondition: never maxRetries: 3 retryDelay: 30 timeout: 3600 imports: - projectPath: onedev revision: main accessTokenSecret: onedev-token stepTemplates: - name: scan vulnerabilities steps: - !TrivyCacheStep name: cache key: trivy condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL - !RootFSScannerStep name: scan detectVulnerabilities: true scanPath: '@param:Scan Path@' failThreshold: HIGH reportName: Vulnerabilities ignorePath: .trivyignore condition: ALL_PREVIOUS_STEPS_WERE_SUCCESSFUL paramSpecs: - !TextParam name: Scan Path allowEmpty: false multiline: false