lint.yml 4.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151
  1. # Workaround to enable usage of mixed SSH and Docker GitLab CI runners
  2. .template_lint:
  3. stage: lint
  4. extends:
  5. - .job_rules_default
  6. .template_lint_rails:
  7. extends:
  8. - .template_lint
  9. services:
  10. - !reference [.services, postgresql]
  11. before_script:
  12. - !reference [.scripts, source_rvm]
  13. - !reference [.scripts, bundle_install]
  14. - !reference [.scripts, configure_environment]
  15. - !reference [.scripts, zammad_db_init]
  16. variables:
  17. ZAMMAD_SAFE_MODE: 1
  18. # Must be a separate job because it uses a custom image.
  19. 'lint: shellcheck':
  20. extends:
  21. - .template_lint
  22. image: koalaman/shellcheck-alpine:stable
  23. cache: []
  24. before_script: []
  25. script:
  26. - shellcheck -S warning $(find . -name "*.sh" -o -name "functions" | egrep -v "/vendor|node_modules/")
  27. after_script: []
  28. 'lint: i18n & rails':
  29. extends:
  30. - .template_lint_rails
  31. cache: !reference [.cache, read_only_full]
  32. script:
  33. - !reference [.scripts, pnpm_install]
  34. - echo "Checking .po file syntax…"
  35. - for FILE in i18n/*.pot i18n/*.po; do echo "Checking $FILE"; msgfmt -o /dev/null -c $FILE; done
  36. - echo "Checking .pot catalog consistency…"
  37. - bundle exec rails generate zammad:translation_catalog --check
  38. - echo "Checking consistency of Settings types file…"
  39. - bundle exec rails generate zammad:setting_types --check
  40. - echo "Rails zeitwerk:check autoloader check…"
  41. - bundle exec rails zeitwerk:check
  42. - .gitlab/check_graphql_api_consistency.sh
  43. - echo "Checking consistency of setting types API"
  44. - bundle exec rails generate zammad:setting_types --check
  45. 'lint: ruby & security':
  46. extends:
  47. - .template_lint
  48. before_script:
  49. - !reference [.scripts, source_rvm]
  50. - !reference [.scripts, bundle_install]
  51. after_script: []
  52. artifacts:
  53. expire_in: 1 week
  54. paths:
  55. - tmp/brakeman-report.html
  56. when: on_failure
  57. script:
  58. - echo "Rubocop check…"
  59. - bundle exec .dev/rubocop/validate_todos.rb
  60. - bundle exec rubocop --parallel
  61. - echo "bundler-audit security check…"
  62. - gem install bundler-audit
  63. - bundle-audit update
  64. - bundle-audit
  65. - echo "Brakeman security check…"
  66. - bundle exec brakeman -o /dev/stdout -o tmp/brakeman-report.html
  67. - echo "Checking if yard can generate documentation…"
  68. - bundle exec yard --no-output --no-progress
  69. - echo "Verify that vendored gems are not world writable"
  70. - GEM_FILES=$(find vendor/ -name "*.rb" -perm -002)
  71. - if [[ ! -z "$GEM_FILES" ]]; then echo $GEM_FILES; exit 1; fi # Raise error if files were found.
  72. - echo "Finally, ensure cleanup.sh passes…"
  73. - script/build/cleanup.sh
  74. 'lint: coffee & css':
  75. extends:
  76. - .template_lint
  77. cache: !reference [.cache, read_only_nodejs]
  78. before_script:
  79. - !reference [.scripts, pnpm_install]
  80. script:
  81. - echo "Coffeelint check…"
  82. - coffeelint --rules ./.dev/coffeelint/rules/* app/
  83. - echo "Stylelint check…"
  84. - pnpm lint:css
  85. 'lint: js':
  86. extends:
  87. - .template_lint
  88. cache:
  89. - !reference [.cache, read_only_nodejs]
  90. - !reference [.cache, read_write_eslint]
  91. before_script:
  92. - !reference [.scripts, pnpm_install]
  93. - !reference [.scripts, source_rvm]
  94. script:
  95. - echo "TypeScript compiler check…"
  96. - pnpm lint:ts
  97. - echo "ESLint check…"
  98. - pnpm lint:js
  99. - pnpm analyse:vite-bundle -t list -o ./tmp/vite-bundle-stats.yml
  100. - .gitlab/verify_vite_bundle_size.rb
  101. # Artifacts are stored for failed jobs
  102. artifacts:
  103. expire_in: 1 week
  104. when: on_failure
  105. paths:
  106. - tmp/vite-bundle-stats.yml
  107. # Must be a separate job because it may fail and is only executed manually.
  108. 'lint: orphaned ruby gems':
  109. extends:
  110. - .template_lint_rails
  111. allow_failure: true
  112. rules:
  113. - when: manual
  114. script:
  115. - bundle exec rake zammad:ci:bundle:orphaned 5
  116. 'update CI variables':
  117. extends:
  118. - .template_lint_rails
  119. rules:
  120. - if: $CI_PIPELINE_SOURCE != "schedule"
  121. when: manual
  122. allow_failure: true
  123. - when: on_success
  124. script:
  125. - bundle exec rake zammad:ci:update_ci_variables
  126. 'lint: secret_detection':
  127. extends: .template_lint
  128. image:
  129. name: "zricethezav/gitleaks:latest"
  130. entrypoint: [""]
  131. cache: []
  132. before_script: []
  133. script:
  134. # Since we clone with GIT_DEPTH=1, the commit has the entire codebase as a diff.
  135. # Otherwise, we'd need to use --no-git to scan the entire codebase, but that is slower
  136. # as it also traverses directories not scanned by git.
  137. - gitleaks detect --report-path secret-detection-report.json --verbose
  138. after_script: []
  139. # # GitLab can show this in a security widget, but that seems to be useless at this point (offers empty file for download).
  140. # artifacts:
  141. # reports:
  142. # secret_detection: secret-detection-report.json