lint.yml 5.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
  1. # Workaround to enable usage of mixed SSH and Docker GitLab CI runners
  2. .template_lint:
  3. stage: lint
  4. extends:
  5. - .job_rules_default
  6. .template_lint_rails:
  7. extends:
  8. - .template_lint
  9. services:
  10. - !reference [.services, postgresql]
  11. before_script:
  12. - !reference [.scripts, source_rvm]
  13. - !reference [.scripts, bundle_install]
  14. - !reference [.scripts, configure_environment]
  15. - !reference [.scripts, zammad_db_init]
  16. variables:
  17. ZAMMAD_SAFE_MODE: 1
  18. # Must be a separate job because it uses a custom image.
  19. 'lint: shellcheck':
  20. extends:
  21. - .template_lint
  22. image: koalaman/shellcheck-alpine:stable
  23. cache: []
  24. before_script: []
  25. script:
  26. - shellcheck -S warning $(find . -name "*.sh" -o -name "functions" | egrep -v "/vendor|node_modules/")
  27. after_script: []
  28. 'lint: i18n & rails':
  29. extends:
  30. - .template_lint_rails
  31. cache: !reference [.cache, read_only_full]
  32. script:
  33. - !reference [.scripts, pnpm_install]
  34. - echo "Checking .po file syntax…"
  35. - for FILE in i18n/*.pot i18n/*.po; do echo "Checking $FILE"; msgfmt -o /dev/null -c $FILE; done
  36. - echo "Checking .pot catalog consistency…"
  37. - bundle exec rails generate zammad:translation_catalog --check
  38. - echo "Checking consistency of Settings types file…"
  39. - bundle exec rails generate zammad:setting_types --check
  40. - echo "Rails zeitwerk:check autoloader check…"
  41. - bundle exec rails zeitwerk:check
  42. - .gitlab/check_graphql_api_consistency.sh
  43. - echo "Checking consistency of setting types API"
  44. - bundle exec rails generate zammad:setting_types --check
  45. 'lint: ruby & security':
  46. extends:
  47. - .template_lint
  48. before_script:
  49. - !reference [.scripts, source_rvm]
  50. - !reference [.scripts, bundle_install]
  51. after_script: []
  52. artifacts:
  53. expire_in: 1 week
  54. paths:
  55. - tmp/brakeman-report.html
  56. when: on_failure
  57. script:
  58. - echo "Rubocop check…"
  59. - bundle exec .dev/rubocop/validate_todos.rb
  60. - bundle exec rubocop --parallel
  61. - echo "bundler-audit security check…"
  62. - gem install bundler-audit
  63. - bundle-audit update
  64. - bundle-audit
  65. - echo "Brakeman security check…"
  66. - bundle exec brakeman -o /dev/stdout -o tmp/brakeman-report.html
  67. - echo "Checking if yard can generate documentation…"
  68. - bundle exec yard --no-output --no-progress
  69. - echo "Verify that vendored gems are not world writable"
  70. - GEM_FILES=$(find vendor/ -name "*.rb" -perm -002)
  71. - if [[ ! -z "$GEM_FILES" ]]; then echo $GEM_FILES; exit 1; fi # Raise error if files were found.
  72. - echo "Finally, ensure cleanup.sh passes…"
  73. - script/build/cleanup.sh
  74. 'lint: coffee & css':
  75. extends:
  76. - .template_lint
  77. cache: !reference [.cache, read_only_nodejs]
  78. before_script:
  79. - !reference [.scripts, pnpm_install]
  80. script:
  81. - echo "Coffeelint check…"
  82. - coffeelint --rules ./.dev/coffeelint/rules/* app/
  83. - echo "Stylelint check…"
  84. - pnpm lint:css
  85. - echo "Checking if chat assets need a rebuild…"
  86. - echo "Please see public/assets/chat/README.md for build instructions."
  87. - cp public/assets/chat/chat.js tmp/chat.js
  88. - pnpm install --dir public/assets/chat
  89. - (cd public/assets/chat && pnpm exec gulp build)
  90. - cmp public/assets/chat/chat.js tmp/chat.js
  91. 'lint: js':
  92. extends:
  93. - .template_lint
  94. cache:
  95. - !reference [.cache, read_only_nodejs]
  96. - !reference [.cache, read_write_eslint]
  97. before_script:
  98. - cp pnpm-lock.yaml tmp/pnpm-lock.yaml # Save original state of pnpm-lock.yaml
  99. - !reference [.scripts, pnpm_install]
  100. - !reference [.scripts, source_rvm]
  101. script:
  102. - echo "Checking if pnpm-lock.yaml is up-to-date"
  103. - "if ! diff pnpm-lock.yaml tmp/pnpm-lock.yaml; then echo 'Error: pnpm-lock.yaml is not up-to-date'; exit 1; fi"
  104. - echo "TypeScript compiler check…"
  105. - pnpm lint:ts
  106. - echo "ESLint check…"
  107. - pnpm lint:js
  108. - pnpm analyse:vite-bundle -t list -o ./tmp/vite-bundle-stats.yml
  109. - .gitlab/verify_vite_bundle_size.rb
  110. # Artifacts are stored for failed jobs
  111. artifacts:
  112. expire_in: 1 week
  113. when: on_failure
  114. paths:
  115. - tmp/vite-bundle-stats.yml
  116. # Must be a separate job because it may fail and is only executed manually.
  117. 'lint: orphaned ruby gems':
  118. extends:
  119. - .template_lint_rails
  120. allow_failure: true
  121. rules:
  122. - when: manual
  123. script:
  124. - bundle exec rake zammad:ci:bundle:orphaned 5
  125. 'update CI variables':
  126. extends:
  127. - .template_lint_rails
  128. rules:
  129. - if: $CI_PIPELINE_SOURCE != "schedule"
  130. when: manual
  131. allow_failure: true
  132. - when: on_success
  133. script:
  134. - bundle exec rake zammad:ci:update_ci_variables
  135. 'lint: secret_detection':
  136. extends: .template_lint
  137. image:
  138. name: "zricethezav/gitleaks:latest"
  139. entrypoint: [""]
  140. cache: []
  141. before_script: []
  142. script:
  143. # Since we clone with GIT_DEPTH=1, the commit has the entire codebase as a diff.
  144. # Otherwise, we'd need to use --no-git to scan the entire codebase, but that is slower
  145. # as it also traverses directories not scanned by git.
  146. - gitleaks detect --report-path secret-detection-report.json --verbose
  147. after_script: []
  148. # # GitLab can show this in a security widget, but that seems to be useless at this point (offers empty file for download).
  149. # artifacts:
  150. # reports:
  151. # secret_detection: secret-detection-report.json