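# Cirrus CI pipeline: build, validation, QA, DB compatibility, promotion and
# dependency-check tasks. Shared settings are defined once as YAML anchors and
# merged into each task with `<<:`.

# content of service-account-credentials.json, used to access Google Cloud Platform
gcp_credentials: ENCRYPTED[ec86f04ec57d8a7f29ad6b84b41262c9d576abc533485754fdfdb24db103adf0d33ba4ba89a57d29d2549790be5abc72]

# NOTE(review): everything below is declared at the top level, so each task's
# scripts can read all of these secrets (deploy passwords, API key, clone
# token). The Azure tokens and the Slack webhook further down are already scoped
# to the single task that uses them; consider doing the same for the
# deploy/promotion credentials so that QA tasks do not hold them.
env:
  GRADLE_OPTS: -Dorg.gradle.daemon=false -Dorg.gradle.jvmargs="-XX:+PrintFlagsFinal -XshowSettings:vm -XX:+HeapDumpOnOutOfMemoryError -XX:+UnlockExperimentalVMOptions -Djava.security.egd=file:/dev/./urandom -Dfile.encoding=UTF8 -Duser.language=en -Duser.country=US"
  # to be replaced by other credentials
  ARTIFACTORY_PRIVATE_USERNAME: ENCRYPTED[c0baa3376daa1e08d602435081d07653799cf34ab09ca92e575f3dc4176bc6cf2ebf87120e83f3aa6804f072013e8e2b]
  ARTIFACTORY_PRIVATE_PASSWORD: ENCRYPTED[f13d32d218c3da8008114d2c8857b2956047fbdab2163bbf186b8b89f789f0efa7504f499749a59ad5988c14e5360353]
  ARTIFACTORY_DEPLOY_USERNAME: public-qa-deployer
  ARTIFACTORY_DEPLOY_PASSWORD: ENCRYPTED[9362d735843b21b375b6e19d91e0de5216e053e229e39e2ce33a0c866306e6e3f9b08db8a0e126ca5e986fea97e975fd]
  ARTIFACTORY_DEPLOY_USERNAME_PRIVATE: private-qa-deployer
  ARTIFACTORY_DEPLOY_PASSWORD_PRIVATE: ENCRYPTED[61769719e9b775afe103dbee22141eeaa0116b3332eafb993be2a5919ff7bf017cdc519afed07dc6cac8ebbc0846f191]
  ARTIFACTORY_API_KEY: ENCRYPTED[d52910db749f2678f43084b18c849486d68fbc02c2f5489c7ee1085c395de9dc7575313a8b348bb5361a693dd782e07e]
  # download licenses for testing commercial editions
  GITHUB_TOKEN: ENCRYPTED[!f272985ea5b49b3cf9c414b98de6a8e9096be47bfcee52f33311ba3131a2af637c1b956f49585b7757dd84b7c030233a!]
  # use a permanent GitHub access token to perform a clone (by default CirrusCI uses a temporary one)
  CIRRUS_REPO_CLONE_TOKEN: ENCRYPTED[f20fee6519296187a473964e60afb08a1bbdc889a624fad0297b41a21d8697f8d2da4d2d245194ade630dcf46b4b581e]
  # notifications to burgr
  BURGR_URL: ENCRYPTED[24fba83587c1e9ed372b6cfdf12e4739ebe3b6e5b5082f1a2a742e840dd2e4b61fd5e281bf2632b22b3ad346c650c05c]
  BURGR_USERNAME: ENCRYPTED[cf7bfb936025fb763013bbfef0ab5723c0d9b53f135d79af36f9defa933f4b5fc72842bd83a97ce9b614503c1b77e6da]
  BURGR_PASSWORD: ENCRYPTED[bc554fc6a06c9f14cc9924cefad0a69e962a905b6d1609fc9357d458b45fc52ac74c960ad9c7382a0691433fa9dcd483]
  # analysis on next.sonarqube.com
  SONARQUBE_NEXT_TOKEN: ENCRYPTED[e3d98fa0ecceb015e9803d47f78c3040f5a710d678a631107635d69f650d4e53ecaf2e2334cc1fe0c47037ec915dcda0]
  # to trigger docs deployment
  BUDDY_WORKS_TOKEN: ENCRYPTED[9ba648f3167b6f0c0befbba2f816bfffd53260fef06fb0fe8bba0a19ae4808c8b1567c5dcee2a2ee5299a5969058f495]

# Superseded builds are cancelled on every branch except master and branch.*
auto_cancellation: $CIRRUS_BRANCH != 'master' && $CIRRUS_BRANCH !=~ 'branch.*'

# ---------------------------------------------------------------------------
# Reusable templates (anchors)
# ---------------------------------------------------------------------------

# Tasks that run only on the nightly branch, after the build task.
task_only_nightly_depending_on_build_template: &TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  depends_on: build
  # Comment the following line and commit with message "DO NOT MERGE" in order to run
  # this task on your branch
  only_if: $CIRRUS_BRANCH == "branch-nightly-build"

# Tasks that run on regular pushes (no cron, no dogfood/public_master/nightly
# branch, no "[update headers]" commit), after the build task.
task_only_default_depending_on_build_template: &TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
  depends_on: build
  only_if: >-
    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
    $CIRRUS_BRANCH != "public_master" &&
    $CIRRUS_BRANCH != "branch-nightly-build" &&
    $CIRRUS_CRON == "" &&
    $CIRRUS_CHANGE_MESSAGE !=~ '.*\[update headers\].*'

# Base GKE build container; tasks override cpu/memory as needed.
docker_build_container_template: &GKE_CONTAINER_TEMPLATE
  dockerfile: private/docker/Dockerfile-build
  builder_image_project: sonarqube-team
  builder_image_name: docker-builder-v20200915
  cluster_name: cirrus-ci-cluster
  zone: us-central1-a
  namespace: default
  cpu: 1
  memory: 1Gb

# NOTE(review): the database / identity-provider sidecars below use fixed,
# well-known passwords in clear text. That is acceptable only as long as these
# containers stay throwaway test fixtures reachable solely from their own task;
# never reuse these values for anything long-lived.
oracle_additional_container_template: &ORACLE_ADDITIONAL_CONTAINER_TEMPLATE
  name: oracle
  # see https://github.com/SonarSource/vms/blob/master/docker/README.md#oracle-12c to build it
  image: us.gcr.io/sonarqube-team/oracle12:0.0.1
  port: 1521
  cpu: 2
  memory: 5Gb
  env:
    ORACLE_PWD: sonarqube

postgres_additional_container_template: &POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
  name: postgres
  image: postgres:12.1
  port: 5432
  cpu: 1
  memory: 1Gb
  env:
    POSTGRES_USER: postgres
    POSTGRES_PASSWORD: postgres

# Artifacts collected when a task fails: build reports and JUnit XML results.
reports_junit_on_failure_template: &REPORTS_JUNIT_ON_FAILURE_TEMPLATE
  reports_artifacts:
    path: "**/build/reports/**/*"
  junit_artifacts:
    path: "**/test-results/**/*.xml"
    format: junit

# Same as above, plus UI screenshots.
screenshots_on_failure_template: &REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE
  <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE
  screenshots_artifacts:
    path: "**/build/screenshots/**/*"

# ---------------------------------------------------------------------------
# Tasks
# ---------------------------------------------------------------------------

build_task:
  only_if: >-
    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
    $CIRRUS_BRANCH != "public_master" &&
    $CIRRUS_CRON == ""
  timeout_in: 90m
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 4
    memory: 7Gb
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
  script:
    - ./private/cirrus/cirrus-build.sh
  on_failure:
    reports_artifacts:
      path: "**/build/reports/**/*"

validate_task: &VALIDATE_TASK
  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
  timeout_in: 90m
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 6.5
    memory: 16Gb
    additional_containers:
      - <<: *POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
  script:
    - ./private/cirrus/cirrus-validate.sh postgres106
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

validate_license_change_task:
  <<: *VALIDATE_TASK
  name: validate  # Give it the same name as its counterpart, so we can reference it on GitHub.
  # Only execute if the commit message has the "[update headers]" tag.
  only_if: >-
    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
    $CIRRUS_BRANCH != "public_master" &&
    $CIRRUS_BRANCH != "branch-nightly-build" &&
    $CIRRUS_CRON == "" &&
    $CIRRUS_CHANGE_MESSAGE =~ '.*\[update headers\].*'
  timeout_in: 180m  # Increase timeout, as license changes impact all files, which slows down the analysis considerably.

yarn_check-ci_task:
  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
  timeout_in: 90m
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 4
    memory: 8Gb
  script: |
    ./private/cirrus/cirrus-env.sh YARN
    gradle yarn_check-ci
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

# One QA task instance is created per QA_CATEGORY listed in the matrix.
qa_task:
  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 3
    memory: 7Gb
    additional_containers:
      - <<: *POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    matrix:
      - QA_CATEGORY: Cat1
      - QA_CATEGORY: Cat2
      - QA_CATEGORY: Cat3
      - QA_CATEGORY: Cat4
      - QA_CATEGORY: Cat5
      - QA_CATEGORY: Cat6
      - QA_CATEGORY: Cat7
      - QA_CATEGORY: Authentication
      - QA_CATEGORY: Gov
      - QA_CATEGORY: Dev
      - QA_CATEGORY: License
      - QA_CATEGORY: Branch
      - QA_CATEGORY: Upgrade
  script:
    - ./private/cirrus/cirrus-qa.sh postgres106
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

qa_bitbucket_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 3
    memory: 7Gb
    additional_containers:
      - <<: *POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
  maven_cache:
    folder: ~/.m2
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: BITBUCKET
  matrix:
    - name: qa_bitbucket_5.16.11
      bitbucket_background_script: ./private/cirrus/cirrus-start-bitbucket.sh 5.16.11
    - name: qa_bitbucket_latest
      bitbucket_background_script: ./private/cirrus/cirrus-start-bitbucket.sh LATEST
  # Wait (up to one hour) for the Bitbucket status endpoint to answer 200.
  # The previous one-liner combined the two conditions with `||` and `-gt`,
  # so the deadline never ended the loop (and kept it spinning once passed).
  # The loop now stops at the deadline and fails the step explicitly, so QA
  # never runs against a server that is not ready.
  wait_for_bitbucket_to_boot_script: |
    secs=3600
    endTime=$(( $(date +%s) + secs ))
    until [ "$(curl -s -o /dev/null -w '%{http_code}' localhost:7990/bitbucket/status)" = "200" ]; do
      if [ "$(date +%s)" -ge "$endTime" ]; then
        echo "Bitbucket did not become ready within $secs seconds" >&2
        exit 1
      fi
      sleep 5
    done
  script:
    - ./private/cirrus/cirrus-qa.sh postgres106
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

qa_ha_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 2.4
    memory: 10Gb
    additional_containers:
      - <<: *POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: HA
  gradle_cache:
    folder: ~/.gradle/caches
  script:
    - ./private/cirrus/cirrus-qa.sh postgres106
  cleanup_before_cache_script:
    - ./private/cirrus/cleanup-gradle-cache.sh
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

# GitLab QA is executed in a dedicated task in order to not slow down the pipeline, as a GitLab on-prem server docker image is required.
qa_gitlab_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 2.4
    memory: 5Gb
    use_in_memory_disk: true
    additional_containers:
      - name: gitlab
        # NOTE(review): `latest` is a floating tag, so the image under test can
        # change between nightly runs without any change in this repository.
        # Pin a specific version tag or digest to keep runs reproducible and
        # image updates reviewable.
        image: gitlab/gitlab-ce:latest
        port: "8080:80"
        cpu: 1
        memory: 5Gb
        env:
          # Creating a personal access token from rails console for test purposes (can't do through gitlab REST API)
          # NOTE(review): the tokens and root password set here are fixed test
          # values; keep them confined to this throwaway sidecar.
          GITLAB_POST_RECONFIGURE_SCRIPT: "gitlab-rails runner \"
            token = User.find_by_username('root').personal_access_tokens.create(scopes: [:api], name: 'token');
            token.set_token('token-here-456');
            token.save!;
            token_read = User.find_by_username('root').personal_access_tokens.create(scopes: [:read_api], name: 'token_read');
            token_read.set_token('token-read-123');
            token_read.save!;
            user = User.find_by_username('root');
            user.password = 'adminadmin';
            user.password_confirmation = 'adminadmin';
            user.save!;
            \""
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: GITLAB
  gradle_cache:
    folder: ~/.gradle/caches
  script:
    - ./private/cirrus/cirrus-qa.sh h2
  cleanup_before_cache_script:
    - ./private/cirrus/cleanup-gradle-cache.sh
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

# Azure QA is executed in a dedicated task in order to not slow down the pipeline.
qa_azure_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 2.4
    memory: 5Gb
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: AZURE
    # Azure credentials are scoped to this task only.
    AZURE_USERNAME_LOGIN: ENCRYPTED[dcdf19769c1501408ebc22670c76d5e375cd739de2df5dfa3f215aa795296dfb257dbbcbe9bdfd33135feb04421fea1f]
    AZURE_CODE_READ_AND_WRITE_TOKEN: ENCRYPTED[eddc3448b40e72310f24f21241bdc1243860139d1a5aad593b016baedf03e4bba3f9e3d8d9f6329fe3b587966a8112d2]
    AZURE_FULL_ACCESS_TOKEN: ENCRYPTED[58779d6588e2e10d1b6f98fcc58a46957f8ef3a18e29d79abc6aa8d69ea55c23d8708e1f1af626464d309b1c7c087985]
  gradle_cache:
    folder: ~/.gradle/caches
  script:
    - ./private/cirrus/cirrus-qa.sh h2
  cleanup_before_cache_script:
    - ./private/cirrus/cleanup-gradle-cache.sh
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

# SAML QA is executed in a dedicated task in order to not slow down the pipeline, as a Keycloak server docker image is required.
qa_saml_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 2.4
    memory: 10Gb
    additional_containers:
      - name: keycloak
        image: jboss/keycloak:7.0.0
        port: 8080
        cpu: 1
        memory: 1Gb
        env:
          KEYCLOAK_USER: admin
          KEYCLOAK_PASSWORD: admin
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: SAML
  gradle_cache:
    folder: ~/.gradle/caches
  script:
    - ./private/cirrus/cirrus-qa.sh h2
  cleanup_before_cache_script:
    - ./private/cirrus/cleanup-gradle-cache.sh
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

# LDAP QA is executed in a dedicated task in order to not slow down the pipeline, as a LDAP server and SonarQube server are re-started on each test.
qa_ldap_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 2.4
    memory: 10Gb
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    QA_CATEGORY: LDAP
  gradle_cache:
    folder: ~/.gradle/caches
  script:
    - ./private/cirrus/cirrus-qa.sh h2
  cleanup_before_cache_script:
    - ./private/cirrus/cleanup-gradle-cache.sh
  on_failure:
    <<: *REPORTS_JUNIT_SCREENSHOTS_ON_FAILURE_TEMPLATE

# Promotion runs only after build, validation and the listed QA tasks.
# The explicit depends_on below overrides the one merged in from the template.
promote_task: &PROMOTE_TASK
  <<: *TASK_ONLY_DEFAUT_DEPENDING_ON_BUILD_TEMPLATE
  depends_on:
    - build
    - validate
    - qa
    - qa_saml
    - qa_ldap
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
  stateful: true
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
  script:
    - ./private/cirrus/cirrus-promote.sh

# NOTE(review): for "[update headers]" commits, promotion depends only on build
# and validate, i.e. it is not gated on any QA task. The tag comes from the
# commit message, so make sure this shortcut is intended for every branch the
# only_if expression lets through.
promote_license_change_task:
  <<: *PROMOTE_TASK
  name: promote  # Give it the same name as its counterpart, so we can reference it on GitHub.
  # Only execute if the commit message has the "[update headers]" tag.
  only_if: >-
    $CIRRUS_BRANCH !=~ "dogfood/.*" &&
    $CIRRUS_BRANCH != "public_master" &&
    $CIRRUS_BRANCH != "branch-nightly-build" &&
    $CIRRUS_CRON == "" &&
    $CIRRUS_CHANGE_MESSAGE =~ '.*\[update headers\].*'
  depends_on:
    - build
    - validate

deploy_docs_task:
  depends_on: promote
  only_if: $CIRRUS_BRANCH == 'dogfood-on-next'
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
  script:
    - ./private/cirrus/cirrus-trigger-deploy-docs.sh

sql_mssql2019_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    memory: 5Gb
    additional_containers:
      - name: mssql
        image: mcr.microsoft.com/mssql/server:2019-GA-ubuntu-16.04
        port: 1433
        cpu: 2
        memory: 5Gb
        env:
          MSSQL_PID: Developer  # this is the default edition
          # Quoted so that no YAML parser turns the bare Y into a boolean.
          ACCEPT_EULA: "Y"
          SA_PASSWORD: sonarqube!1
  script:
    - ./private/cirrus/cirrus-db-unit-test.sh mssql2017
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

# this is the oldest compatible version of PostgreSQL
sql_postgres93_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    memory: 5Gb
    additional_containers:
      - <<: *POSTGRES_ADDITIONAL_CONTAINER_TEMPLATE
        image: postgres:9.3
  script:
    - ./private/cirrus/cirrus-db-unit-test.sh postgres93
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

sql_oracle12_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    memory: 5Gb
    additional_containers:
      - <<: *ORACLE_ADDITIONAL_CONTAINER_TEMPLATE
  script:
    - ./private/cirrus/cirrus-db-unit-test.sh oracle12
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

upgd_mssql2019_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 1.5
    memory: 6Gb
    additional_containers:
      - name: mssql
        image: mcr.microsoft.com/mssql/server:2019-GA-ubuntu-16.04
        port: 1433
        cpu: 2
        memory: 5Gb
        env:
          MSSQL_PID: Developer  # this is the default edition
          # Quoted so that no YAML parser turns the bare Y into a boolean.
          ACCEPT_EULA: "Y"
          SA_PASSWORD: sonarqube!1
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    matrix:
      QA_CATEGORY: Upgrade
  script:
    - ./private/cirrus/cirrus-qa.sh mssql2017
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

upgd_oracle12_task:
  <<: *TASK_ONLY_NIGHTLY_DEPENDING_ON_BUILD_TEMPLATE
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 1.5
    memory: 6Gb
    additional_containers:
      - <<: *ORACLE_ADDITIONAL_CONTAINER_TEMPLATE
  env:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    matrix:
      QA_CATEGORY: Upgrade
  script:
    - ./private/cirrus/cirrus-qa.sh oracle12
  on_failure:
    <<: *REPORTS_JUNIT_ON_FAILURE_TEMPLATE

# Software Composition Analysis (SCA): check potential vulnerabilities in dependencies.
# Note that license compliance of dependencies is not checked for now.
# Runs on the nightly/weekly cron builds, or when the OWASP configuration changes.
owasp_check_task:
  only_if: >-
    $CIRRUS_CRON == "nightly" ||
    $CIRRUS_CRON == "weekly-latest" ||
    $CIRRUS_CRON == "weekly-lts" ||
    changesInclude('private/owasp/*.xml')
  timeout_in: 30m
  gke_container:
    <<: *GKE_CONTAINER_TEMPLATE
    cpu: 1.7
    memory: 4Gb
  environment:
    # No need to clone the full history.
    # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
    # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
    CIRRUS_CLONE_DEPTH: 50
    # Webhook used by the failure notification script; scoped to this task only.
    SLACK_WEBHOOK_SQ: ENCRYPTED[dec8e4350cbea3b94d63098558bcb3ae9e79b71c2b6286fcfb9eb80c0953b6448b10f7271b07b5e75e52f362c25d7a8f]
  script:
    - gradle dependencyCheckAggregate
  on_failure:
    slack_notification_script:
      - ./private/cirrus/cirrus-owasp-notification.sh
  always:
    reports_artifacts:
      path: "build/reports/*"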