Commit da81efb6 authored by Florian Sesser

Merge branch 'develop' into 'staging'

Bring Staging up to current Develop version

See merge request opensource/PrivateStorageio!71
parents 666e741d 7b6060b8
......@@ -8,6 +8,17 @@ unit-tests:
script:
- "nix-shell --run 'nix-build nixos/unit-tests.nix' && cat result"
vulnerability-scan:
stage: "test"
script:
- "ci-tools/vulnerability-scan security-report.json"
- "ci-tools/count-vulnerabilities <security-report.json"
artifacts:
paths:
- "security-report.json"
expose_as: "security report"
system-tests:
stage: "test"
timeout: "3 hours"
......@@ -18,15 +29,20 @@ deploy-to-staging:
stage: "deploy"
only:
- "staging"
environment:
name: "staging"
url: "https://privatestorage-staging.com/"
script:
- echo -n "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE "
- echo "and would like to deploy the $CI_COMMIT_BRANCH branch to the staging environment."
- echo "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE "
- echo "and would like to deploy the $CI_COMMIT_BRANCH branch to the $CI_ENVIRONMENT_NAME environment."
deploy-to-production:
stage: "deploy"
only:
- "production"
environment:
name: "production"
url: "https://privatestorage.io/"
script:
- echo -n "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE "
- echo "and would like to deploy the $CI_COMMIT_BRANCH branch to the production environment."
- echo "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE "
- echo "and would like to deploy the $CI_COMMIT_BRANCH branch to the $CI_ENVIRONMENT_NAME environment."
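Review bot: The `vulnerability-scan` job added in the first hunk can only go green or abort: `ci-tools/vulnerability-scan` (new in this commit) maps vulnix status 0–2 to exit 0 and `count-vulnerabilities` only prints totals, so a scan that finds non-whitelisted CVEs still passes the `test` stage, while the script's own comment refers to an `allow_failure: true` setting that this job definition does not carry. If a soft failure is the intent, put `allow_failure: true` on the job and let the script propagate vulnix's status so the pipeline shows the warning state; in either case the report should survive a failing job, which needs `when: "always"` under `artifacts:` (the default uploads artifacts only on success). The `morph build` target inside the script is the `testing` grid, so the report presumably does not describe what `deploy-to-staging`/`deploy-to-production` below would ship; a one-line comment on the job stating what is scanned would avoid that being misread.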
#!/usr/bin/env python3
from sys import stdin
from json import load
def main():
vulnix_report = load(stdin)
print("Vulnerable packages: {}".format(len(vulnix_report)))
print("Vulnerability count: {}".format(
len(set(sum((deriv["affected_by"] for deriv in vulnix_report), []))),
))
if __name__ == '__main__':
main()
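Review bot: `main` documents nothing about its input and the two `print`s are its only contract; a module docstring such as `"""Summarise a `vulnix --json` report read from stdin: print the number of affected derivations and the number of distinct CVE identifiers across their `affected_by` lists."""` would let a reader check the schema assumptions without running vulnix. `json.load(stdin)` raises a bare traceback if `security-report.json` is empty or truncated (for instance when the scan step aborted before writing it), so consider catching `ValueError` and exiting non-zero with a one-line message naming the file. As a point of style, `sum(..., [])` for flattening is quadratic and obscures intent; `set().union(*(d["affected_by"] for d in vulnix_report))` expresses the distinct-CVE count directly.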
#!/usr/bin/env sh
set -xeo pipefail
#
# `morph build ...` output is like
#
# Selected 2/2 hosts (name filter:-0, limits:-0):
# 0: xx.xx.xx.xx (secrets: 1, health checks: 0)
# 1: yy.yy.yy.yy (secrets: 2, health checks: 0)
#
# /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
# nix result path:
# /nix/store/d7spc457nnzh0rnv0f5lh1q2j435j1b9-morph
#
# Get the last line so we can scan it.
#
OUTPUT=$1
[ -e scan-target ] && rm -v scan-target
nix-shell --run '
set -x
if morph_result=$(morph build morph/grid/testing/grid.nix 2>&1); then
object=$(echo "$morph_result" | tail -n 1)
ln -s "$object" scan-target
else
echo "$morph_result"
# exit status 0-3 reserved for vulnix result.
exit 4
fi
'
# vulnix exits with an error status if there are vulnerabilities. We told
# GitLab to allow this by setting `allow_failure` to true in the GitLab CI
# config. vulnix exit status indicates what vulnix thinks happened. If we
# upgrade to a newer GitLab then we can make GitLab pipeline behavior vary
# based on this.
#
# For now, allow 0 (no errors), 1 (only whitelisted errors), and 2
# (non-whitelisted errors). 3 indicates unexpected error so we let that
# propagate.
set +e
nix-shell -p vulnix --run 'vulnix --json ./scan-target/' | tee "$OUTPUT"
vulnix_status=$?
set -e
echo "vulnix status: $vulnix_status"
if [ $vulnix_status -eq 3 ]; then
exit $vulnix_status
else
exit 0
fi
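Review bot: `set -xeo pipefail` on line 2 is not POSIX, yet the shebang is `#!/usr/bin/env sh`; where `sh` is dash the option is rejected and the script aborts before scanning anything, and the `vulnix_status=$?` after `... | tee "$OUTPUT"` only reflects vulnix rather than `tee` when pipefail is actually in effect. Use `#!/usr/bin/env bash`, or avoid the dependency by redirecting vulnix to `"$OUTPUT"` and `cat`-ing it afterwards. Separately, the final `if` collapses vulnix status 2 (non-whitelisted vulnerabilities) to 0, so findings never fail the job despite the comment's reference to `allow_failure`; if that is deliberate for now, say so explicitly in the comment and echo a clear "non-whitelisted vulnerabilities found" line so the result is visible in the job log. `OUTPUT=$1` is also unchecked — an empty argument makes `tee ""` fail only after the full build and scan have run; `: "${1:?usage: vulnerability-scan OUTPUT.json}"` at the top guards it.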
......@@ -6,7 +6,12 @@ import ../../lib/make-grid.nix {
config = ./config.json;
nodes = cfg:
let
sshUsers = import ../../../../PrivateStorageSecrets/staging-users.nix;
importDef = default: path: (
if builtins.pathExists path
then import path
else default
);
sshUsers = importDef {} ../../../../PrivateStorageSecrets/staging-users.nix;
in {
"payments.privatestorage-staging.com" = import ../../lib/issuer.nix ({
inherit sshUsers;
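Review bot: `importDef {} ../../../../PrivateStorageSecrets/staging-users.nix` turns a missing secrets checkout from a hard evaluation error into a silently empty `sshUsers`, presumably so CI (which has no access to the private repository) can build the grid; the same fallback applies to an operator's `morph deploy`, where a mistyped path or stale checkout would now roll out staging hosts with no SSH users and nothing in the output saying why. At minimum make the fallback visible: `else builtins.trace "warning: ${toString path} does not exist, using default" default`. A stricter variant would permit the default only when an explicit CI indicator is present (e.g. a variable read via `builtins.getEnv`), so evaluations meant for deployment still fail closed on missing secrets. The enclosing `nodes = cfg: let ... in { ... }` expression continues outside this hunk.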
......@@ -4,6 +4,6 @@ in
pkgs.fetchFromGitHub {
owner = "PrivateStorageio";
repo = "ZKAPAuthorizer";
rev = "6cd0c32cc53a9734e2cb7c19a9ad28d479612197";
sha256 = "0i1r75471yjj4bfi5814ihrcyjk1zdz8rzm06bngij3n70svqhsm";
rev = "e4430a0050cef286b723da7f8013c7affd5a58f7";
sha256 = "148d79zppsd6bnyagbx126s9x9yy975dx6rrbm26dh98kl1r8mbh";
}
\ No newline at end of file