jjb/ci_gate_security/opnfv-ci-gate-security.yaml

   1 ---
   2 # SPDX-license-identifier: Apache-2.0
   3 ########################
   4 # Job configuration for opnfv-anteater (security audit)
   5 ########################
   6 - project:
   7
   8     name: anteaterfw
   9
  10     project: anteaterfw
  11
  12     repo:
  13       - apex
  14       - apex-os-net-config
  15       - apex-puppet-tripleo
  16       - apex-tripleo-heat-templates
  17       - armband
  18       - auto
  19       - availability
  20       - bamboo
  21       - barometer
  22       - bottlenecks
  23       - calipso
  24       - clover
  25       - conductor
  26       - container4nfv
  27       - cperf
  28       - daisy
  29       - doctor
  30       - domino
  31       - dovetail
  32       - dpacc
  33       - enfv
  34       - fds
  35       - fuel
  36       - ipv6
  37       - joid
  38       - kvmfornfv
  39       - models
  40       - moon
  41       - nfvbench
  42       - onosfw
  43       - opera
  44       - opnfvdocs
  45       - orchestra
  46       - ovn4nfv
  47       - ovno
  48       - ovsnfv
  49       - parser
  50       - pharos
  51       - pharos-tools
  52       - promise
  53       - qtip
  54       - releng
  55       - releng-anteater
  56       - releng-testresults
  57       - releng-utils
  58       - releng-xci
  59       - samplevnf
  60       - sdnvpn
  61       - securityscanning
  62       - sfc
  63       - snaps
  64       - stor4nfv
  65       - storperf
  66       - ves
  67       - vswitchperf
  68       - yardstick
  69
  70     jobs:
  71       - 'opnfv-security-audit-verify-{stream}'
  72       - 'opnfv-security-audit-{repo}-weekly-{stream}'
  73
  74     stream:
  75       - master:
  76           branch: '{stream}'
  77           gs-pathname: ''
  78           disabled: false
  79
  80 ########################
  81 # job templates
  82 ########################
  83 - job-template:
  84     name: 'opnfv-security-audit-{repo}-weekly-{stream}'
  85
  86     disabled: '{obj:disabled}'
  87
  88     parameters:
  89       - opnfv-build-defaults
  90       - string:
  91           name: ANTEATER_SCAN_PATCHSET
  92           default: "false"
  93           description: "Have anteater scan patchsets (true) or full project (false)"
  94       - project-parameter:
  95           project: '{repo}'
  96           branch: '{branch}'
  97
  98     scm:
  99       - git-scm-gerrit
 100
 101     triggers:
 102       - timed: '@weekly'
 103
 104     builders:
 105       - anteater-security-audit-weekly
 106
 107     publishers:
 108       # defined in jjb/global/releng-macros.yml
 109       - 'email-{repo}-ptl':
 110           subject: 'OPNFV Security Scan Result: {repo}'
 111       - workspace-cleanup:
 112           fail-build: false
 113
 114 - job-template:
 115     name: 'opnfv-security-audit-verify-{stream}'
 116
 117     disabled: '{obj:disabled}'
 118
 119     parameters:
 120       - label:
 121           name: SLAVE_LABEL
 122           default: 'opnfv-build'
 123           description: 'Slave label on Jenkins'
 124           all-nodes: false
 125           node-eligibility: 'ignore-offline'
 126       - project-parameter:
 127           project: $GERRIT_PROJECT
 128           branch: '{branch}'
 129       - string:
 130           name: GIT_BASE
 131           default: https://gerrit.opnfv.org/gerrit/$PROJECT
 132           # yamllint disable rule:line-length
 133           description: "Used for overriding the GIT URL coming from Global Jenkins configuration in case if the stuff is done on none-LF HW."
 134           # yamllint enable rule:line-length
 135
 136     scm:
 137       - git-scm-gerrit
 138
 139     # yamllint disable rule:line-length
 140     triggers:
 141       - gerrit:
 142           server-name: 'gerrit.opnfv.org'
 143           trigger-on:
 144             - patchset-created-event:
 145                 exclude-drafts: 'false'
 146                 exclude-trivial-rebase: 'false'
 147                 exclude-no-code-change: 'false'
 148             - draft-published-event
 149             - comment-added-contains-event:
 150                 comment-contains-value: 'recheck'
 151           projects:
 152             - project-compare-type: 'REG_EXP'
 153               project-pattern: 'apex|armband|bamboo|barometer|bottlenecks|calipso|conductor|cperf|daisy|doctor|dovetail|dpacc|enfv|fds|fuel|pharos|releng|sandbox|yardstick|infra|ipv6|kvmfornfv|models|moon'
 154               branches:
 155                 - branch-compare-type: 'ANT'
 156                   branch-pattern: '**/{branch}'
 157               file-paths:
 158                 - compare-type: ANT
 159                   pattern: '**'
 160           skip-vote:
 161             successful: true
 162             failed: true
 163             unstable: true
 164             notbuilt: true
 165     # yamllint enable rule:line-length
 166
 167     builders:
 168       - anteater-security-audit
 169       - report-security-audit-result-to-gerrit
 170     publishers:
 171       - archive-artifacts:
 172           artifacts: ".reports/*"
 173
 174 ########################
 175 # builder macros
 176 ########################
 177 - builder:
 178     name: anteater-security-audit
 179     builders:
 180       - shell:
 181           !include-raw: ./anteater-security-audit.sh
 182
 183 - builder:
 184     name: report-security-audit-result-to-gerrit
 185     builders:
 186       - shell:
 187           !include-raw: ./anteater-report-to-gerrit.sh
 188
 189 - builder:
 190     name: anteater-security-audit-weekly
 191     builders:
 192       - shell:
 193           !include-raw: ./anteater-security-audit-weekly.sh