---
# GitLab CI pipeline for this gem: runs the RSpec suite and the rufo format
# check, and pulls in GitLab's security-scanning templates plus a shared
# gem-release definition from another project.

stages:
  - test
  # No job in this file uses `deploy`; presumably the included
  # gem-release.yml does (confirm against that file).
  - deploy

workflow:
  rules:
    # Merge request pipelines.
    - if: '$CI_MERGE_REQUEST_IID'
    # Default-branch pipelines (schedules, pushes, merges, etc.).
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # Tag pipelines.
    - if: '$CI_COMMIT_TAG'

# Shared settings for the test jobs below (hidden key, not a job itself).
.default:
  # `ruby:2.7` is a mutable tag: the image content can change between runs.
  # Pin by digest (ruby:2.7@sha256:<IMAGE_DIGEST>, placeholder) if the build
  # environment must be reproducible.
  image: 'ruby:2.7'
  tags:
    - gitlab-org
  before_script:
    # Unpinned: installs whichever Bundler version RubyGems resolves at run
    # time.
    - gem install bundler
    - bundle install -j $(nproc) --path vendor
  cache:
    # The cache key is derived from the contents of these two files.
    key:
      files:
        - Gemfile
        - gitlab-dangerfiles.gemspec
    paths:
      - vendor/ruby
      # NOTE(review): a restored Gemfile.lock decides which dependency
      # versions get installed. Presumably the lockfile is not committed for
      # this gem; confirm that taking it from the cache is intended.
      - Gemfile.lock
    # Pull-only: jobs restore the cache but never upload it, so a job that
    # extends `.default` cannot overwrite the shared cache.
    # NOTE(review): no job in this file pushes the cache; confirm that
    # something populates it.
    policy: pull

test:rspec:
  extends: .default
  stage: test
  script:
    - bundle exec rspec

test:rufo:
  extends: .default
  stage: test
  script:
    - bundle exec rufo --check .

include:
  # GitLab-provided security scanning templates.
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  # No `ref:` is set, so this include follows the HEAD of that project's
  # default branch: changes made there take effect in this pipeline without
  # a review in this repository. Add `ref: <TAG_OR_COMMIT_SHA>` (placeholder)
  # to pin the release definition to a reviewed revision.
  - project: 'gitlab-org/quality/pipeline-common'
    file: '/ci/gem-release.yml'

# Run security jobs on MRs.
# See: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991
#
# Each `rules:` list below replaces the rule list of the template job with
# the same name (lists are replaced, not merged). Any conditions the template
# defined no longer apply, and the scanners run for merge requests and the
# default branch only, not for tag pipelines. The five lists are meant to be
# identical; keep them in sync so that no scanner drops out of MR pipelines.

brakeman-sast:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

gemnasium-dependency_scanning:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

bundler-audit-dependency_scanning:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

license_scanning:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

secret_detection:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'