From 9f7b48c3336f1724f301d6efb8cfccf73a64a2ab Mon Sep 17 00:00:00 2001
From: Melroy van den Berg <melroy@melroy.org>
Date: Sat, 22 Jan 2022 19:23:07 +0100
Subject: [PATCH] Improve gitlab ci

---
 .gitlab-ci.yml | 51 ++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 37 insertions(+), 14 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d1db068..156df20 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,30 +1,31 @@
 image: danger89/gtk3-docker-cmake-ninja:2.5
-
 stages:
   - build
   #- upload
+  - test
   - release
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
   PACKAGE_REGISTRY_URL: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/dweb-browser/${CI_COMMIT_TAG}"
   RELEASE_LINKS_URL: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}/assets/links"
+  SAST_EXCLUDED_PATHS: "lib"
 
 doxygen:
   stage: build
   script:
-    - ./scripts/build-docs.sh
+    - ""./scripts/build-docs.sh"
   artifacts:
-    name: "Doxygen"
+    name: Doxygen
     paths:
       - build_docs/docs/html/
 
 linux_build:
   stage: build
   script: 
-    - ./scripts/build-lnx-prod.sh
+    - ""./scripts/build-lnx-prod.sh"
   artifacts:
-    name: "Packages"
+    name: Packages
     expire_in: 4 weeks
     paths:
     - build_prod/libreweb-browser-*.deb
@@ -33,29 +34,51 @@ linux_build:
 
 static_code_analysis:
   stage: build
-  script: ./scripts/cpp-check.sh
+  script: "./scripts/cpp-check.sh"
 
 code_style_guidelines:
   stage: build
-  script: ./scripts/check-format.sh
+  script: "./scripts/check-format.sh"
 
+# TODO: Testing!
 #unit_test:
 #  stage: test
 #  script :
 
+sast:
+  stage: test
+  artifacts:
+    reports:
+      sast: gl-sast-report.json
+ variables:
+    SEARCH_MAX_DEPTH: 3
+
+include:
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+
 # Upload artifacts & Create new release
 upload_and_release:
   stage: release # upload
   image: curlimages/curl:latest
   rules:
-    - if: '$CI_PROJECT_NAMESPACE == "libreweb" && $CI_COMMIT_TAG'
+    - if: $CI_PROJECT_NAMESPACE == "libreweb" && $CI_COMMIT_TAG
   script:
-    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.deb ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.deb'
-    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.rpm ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.rpm'
-    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz'
-    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json" --request POST --data "{\"name\":\"LibreWeb Browser (Compressed binary)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz\",\"link_type\":\"package\"}" ${RELEASE_LINKS_URL}'
-    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json" --request POST --data "{\"name\":\"LibreWeb Browser (Red-Hat/Fedora/openSUSE)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.rpm\",\"link_type\":\"package\"}" ${RELEASE_LINKS_URL}'
-    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json" --request POST --data "{\"name\":\"LibreWeb Browser (Debian/Ubuntu/Linux Mint)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.deb\",\"link_type\":\"package\"}" ${RELEASE_LINKS_URL}'
+    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.deb
+      ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.deb'
+    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.rpm
+      ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.rpm'
+    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build_prod/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz
+      ${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz'
+    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json"
+      --request POST --data "{\"name\":\"LibreWeb Browser (Compressed binary)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.tar.gz\",\"link_type\":\"package\"}"
+      ${RELEASE_LINKS_URL}'
+    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json"
+      --request POST --data "{\"name\":\"LibreWeb Browser (Red-Hat/Fedora/openSUSE)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.rpm\",\"link_type\":\"package\"}"
+      ${RELEASE_LINKS_URL}'
+    - 'curl --header "PRIVATE-TOKEN: ${ACCESS_TOKEN}" --header "Content-Type: application/json"
+      --request POST --data "{\"name\":\"LibreWeb Browser (Debian/Ubuntu/Linux Mint)\",\"url\":\"${PACKAGE_REGISTRY_URL}/libreweb-browser-v${CI_COMMIT_TAG}.deb\",\"link_type\":\"package\"}"
+      ${RELEASE_LINKS_URL}'
 
 # Create new release
 #release: