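# Tag-triggered release pipeline: test -> security scan -> package builds ->
# upload to the project's package registry.
#
# Every job visible here carries `rules: - if: $CI_COMMIT_TAG`, so it runs
# only in tag pipelines.
# NOTE(review): anyone able to push a tag can therefore trigger `publish`;
# confirm release tags are protected in the project settings.
# NOTE(review): images are referenced by mutable tags and the build tools
# (build, fpm, pynsist, twine) are installed unpinned, so a release build picks
# up whatever is current upstream. Consider digest-pinned images and
# version/hash-pinned tool installs for reproducible, auditable releases.
stages:
  - test
  - security
  - build
  - publish
  - release

# ---------------------------------------------------------------------------
# Test
# ---------------------------------------------------------------------------
test:
  stage: test
  image: python:3.11-slim
  tags: [linux]
  before_script:
    # NOTE(review): extra-index-url makes pip consult this index in addition
    # to the primary one and take the best match from either. If the runner
    # is configured with a private primary index, a same-named package on the
    # public index can win (dependency confusion); if the primary is already
    # pypi.org this line is redundant. Confirm which case applies. The same
    # line appears in the `security` and `publish` jobs.
    - pip config set global.extra-index-url https://pypi.org/simple
  script:
    # Extras spec is quoted so the shell never treats [dev] as a glob pattern.
    - pip install ".[dev]"
    - python -m pytest tests/ -q
  rules:
    - if: $CI_COMMIT_TAG

# ---------------------------------------------------------------------------
# Security
# ---------------------------------------------------------------------------
security:
  stage: security
  image: python:3.11-slim
  tags: [linux]
  before_script:
    - pip config set global.extra-index-url https://pypi.org/simple
  script:
    - pip install ".[security]"
    # Both scanners are prevented from failing the job themselves
    # (--exit-zero / `|| true`); the pass/fail decision is left to
    # check_results.py, which is not visible here.
    # NOTE(review): `|| true` also hides a scanner that crashed or never
    # wrote its report. Verify check_results.py fails on a missing or
    # unparsable result file rather than treating it as "no findings".
    - bandit -c bandit.yaml -r src/ -f json -o bandit-results.json --exit-zero
    - bandit -c bandit.yaml -r src/ -f screen || true
    # Install the package itself so pip-audit sees its runtime dependencies.
    - pip install .
    - pip-audit -f json -o pip-audit-results.json --desc || true
    - >-
      python tools/security/check_results.py
      --bandit bandit-results.json
      --pip-audit pip-audit-results.json
  artifacts:
    # Keep the reports even when the job fails, so findings can be triaged.
    when: always
    paths:
      - bandit-results.json
      - pip-audit-results.json
    expire_in: 30 days
  rules:
    - if: $CI_COMMIT_TAG

# ---------------------------------------------------------------------------
# Build — each OS in its own isolated container
# ---------------------------------------------------------------------------
build-sdist:
  stage: build
  image: python:3.11-slim
  tags: [linux]
  script:
    - pip install build
    - python -m build --outdir dist/
  artifacts:
    paths:
      - dist/*.tar.gz
      - dist/*.whl
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_TAG

build-deb:
  stage: build
  image: debian:bookworm-slim
  tags: [linux]
  before_script:
    # /out is linked to the job's dist/ directory; presumably the build
    # script writes its output to /out — verify against build.sh.
    - mkdir -p dist
    - ln -sf "$(pwd)/dist" /out
  script:
    - apt-get update -qq
    - >-
      apt-get install -y --no-install-recommends
      python3 python3-pip python3-venv ruby ruby-dev gcc make libffi-dev
    - gem install fpm --no-document
    - bash build/linux-deb/build.sh
  artifacts:
    paths:
      - dist/*.deb
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_TAG

build-rpm:
  stage: build
  image: fedora:41
  tags: [linux]
  before_script:
    - mkdir -p dist
    - ln -sf "$(pwd)/dist" /out
  script:
    - >-
      dnf install -y --setopt=install_weak_deps=False
      python3 python3-pip python3-devel ruby ruby-devel rubygem-json
      gcc gcc-c++ make rpm-build libffi-devel redhat-rpm-config
    - gem install fpm --no-document
    - bash build/linux-rpm/build.sh
  artifacts:
    paths:
      - dist/*.rpm
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_TAG

# The Windows installer is produced on a Linux image using nsis + pynsist.
build-windows:
  stage: build
  image: python:3.12-slim
  tags: [linux]
  before_script:
    - mkdir -p dist
    - ln -sf "$(pwd)/dist" /out
  script:
    - apt-get update -qq
    - apt-get install -y --no-install-recommends nsis
    - pip install pynsist
    - bash build/windows/build.sh
  artifacts:
    paths:
      - dist/*.exe
    expire_in: 90 days
  rules:
    - if: $CI_COMMIT_TAG

# ---------------------------------------------------------------------------
# Publish — upload all artifacts to GitLab Package Registry
# ---------------------------------------------------------------------------
# As written, this job fetches only build-sdist's artifacts and uploads only
# the sdist and wheel; the .deb/.rpm/.exe outputs are not uploaded here.
publish:
  stage: publish
  image: python:3.11-slim
  tags: [linux]
  before_script:
    # NOTE(review): twine is installed under this index configuration and
    # then handles the job token, so the dependency-confusion concern noted
    # on the `test` job matters most here.
    - pip config set global.extra-index-url https://pypi.org/simple
  script:
    - pip install twine
    # Credentials go to twine through its TWINE_USERNAME / TWINE_PASSWORD
    # environment variables instead of -u/-p, which keeps the job token out
    # of the process argument list. Expansions are quoted against word
    # splitting.
    - >-
      TWINE_USERNAME=gitlab-ci-token TWINE_PASSWORD="${CI_JOB_TOKEN}"
      twine upload
      --repository-url "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi"
      dist/*.tar.gz dist/*.whl
  dependencies:
    - build-sdist
  rules:
    - if: $CI_COMMIT_TAG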