rails_template_18f 2.0.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3286e663d05b9b712a5b1f3fa2aa1403016f0822be9fd26d0999200701dab318
-  data.tar.gz: 04e5124a24452f747270e42aaa1b5455de3b0ce4362ff455e94554984214473e
+  metadata.gz: bab13c0d757c29b86c139635bed3f016cc486d38299b7aa90533d888b6995d69
+  data.tar.gz: 447e73554b32dd86782cf52c4cda2699f55c4e0706c05f813e82515a2e61912f
 SHA512:
-  metadata.gz: 954b939ea264b5200c01e8122da1001e0c099f072b370de98926ce9dcaef154a6e00568353a4fff191addfaf1cd7cc4f85549454c6984b29ff9c537af8207f17
-  data.tar.gz: c85daa74d0ca528fbbe4a3d260a720206194635a12c6a73fde878e19384870a601e78f789b513c43bfd57c4290ef6e6f85bcb409717ad646628ca1966318e09b
+  metadata.gz: cad79214c9110e3fb33968b8c6d1fc98477c6c979bc58724e9b88f57985456ca7d404515dd004891dade32d4e95183f1a90c12d4d05ee87753f52867f9efde94
+  data.tar.gz: ecb278387c12d47fc9bc611f26c0787fa7c4c2dda43fa14ce8f176bfb4cf9d0d2c6b04718ab0faa3569b4f5897e9d65cdc0b0944972c64648e8e401d9b341881

data/CHANGELOG.md

@@ -1,5 +1,18 @@
 ## [Unreleased]
 
+## [2.2.0] - 2025-06-27
+
+- Prevent non-compliant hostnames by replacing underscores with dashes
+- use shadowenv for configuring terraform backend secrets
+- use GitLab http backend for terraform state storage whenever configuring both terraform and GitLab CI
+- Create GitLabCI jobs for oscal and auditree generators
+- fixes for deploying to the sandbox-gsa cloug.gov org
+
+## [2.1.0] - 2025-04-29
+
+- Terraform generator updates to remove the old cloudfoundy-community provider and reduce the need for cloud.gov service accounts
+- New GitLab CI generator for use with DevTools GitLab
+
 ## [2.0.0] - 2025-01-16
 
 - Default new apps to Rails 8, including support for thruster proxy

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rails_template_18f (2.0.0)
+    rails_template_18f (2.2.0)
       activesupport (~> 8.0.1)
       colorize (~> 1.1)
       railties (~> 8.0.1)
@@ -71,11 +71,11 @@ GEM
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     minitest (5.25.4)
-    nokogiri (1.18.0-arm64-darwin)
+    nokogiri (1.18.8-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.0-x86_64-darwin)
+    nokogiri (1.18.8-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.0-x86_64-linux-gnu)
+    nokogiri (1.18.8-x86_64-linux-gnu)
       racc (~> 1.4)
     parallel (1.26.3)
     parser (3.3.6.0)
@@ -85,8 +85,9 @@ GEM
       date
       stringio
     racc (1.8.1)
-    rack (3.1.8)
-    rack-session (2.0.0)
+    rack (3.1.16)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
       rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
@@ -171,12 +172,13 @@ GEM
     unicode-display_width (3.1.3)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
-    uri (1.0.2)
+    uri (1.0.3)
     useragent (0.16.11)
     zeitwerk (2.7.1)
 
 PLATFORMS
   arm64-darwin-23
+  arm64-darwin-24
   x86_64-darwin-20
   x86_64-darwin-21
   x86_64-linux

data/lib/generators/rails_template18f/active_storage/active_storage_generator.rb

@@ -20,12 +20,13 @@ module RailsTemplate18f
         environment "config.active_storage.service = :local", env: "ci"
         append_to_file "config/storage.yml", <<~EOYAML
 
+          <% cgc = CloudGovConfig.new %>
           amazon:
             service: S3
-            access_key_id: <%= CloudGovConfig.dig(:s3, :credentials, :access_key_id) %>
-            secret_access_key: <%= CloudGovConfig.dig(:s3, :credentials, :secret_access_key) %>
+            access_key_id: <%= cgc.dig(:s3, :credentials, :access_key_id) %>
+            secret_access_key: <%= cgc.dig(:s3, :credentials, :secret_access_key) %>
             region: us-gov-west-1
-            bucket: <%= CloudGovConfig.dig(:s3, :credentials, :bucket) %>
+            bucket: <%= cgc.dig(:s3, :credentials, :bucket) %>
         EOYAML
       end
 

data/lib/generators/rails_template18f/auditree/auditree_generator.rb

@@ -41,7 +41,7 @@ module RailsTemplate18f
             plant-helper -f /tmp/rspec.json -c assessment-plans -d "RSpec run assessment plan"
               -t 31536000 -l #{auditree_evidence_locker}
 
-      - name: Plan assessment results in evidence locker
+      - name: Plant assessment results in evidence locker
         uses: ./.github/actions/auditree-cmd
         env:
           GITHUB_TOKEN: ${{ secrets.AUDITREE_GITHUB_TOKEN }}
@@ -54,6 +54,19 @@ PLANT_HELPER_STEPS
         end
       end
 
+      def copy_gitlab_actions
+        if file_exists? ".gitlab-ci.yml"
+          directory "gitlab", ".gitlab"
+          insert_into_file ".gitlab-ci.yml", "  - local: \".gitlab/auditree.yml\"\n", after: /^include:\n/
+          insert_into_file ".gitlab-ci.yml", "  AUDITREE_VERSION: #{docker_auditree_tag}\n", after: /^variables:\n/
+          insert_into_file ".gitlab-ci.yml", <<EOY, after: /^\s+- bundle exec rspec\n/
+  artifacts:
+    paths:
+      - tmp/oscal/**/*
+EOY
+        end
+      end
+
       def update_readme
         if file_content("README.md").match?("## Documentation")
           insert_into_file "README.md", readme_contents, after: "## Documentation\n"
@@ -74,7 +87,7 @@ PLANT_HELPER_STEPS
         end
 
         def auditree_evidence_locker
-          options[:evidence_locker].present? ? options[:evidence_locker] : "https://github.com/GSA-TTS/TKTK_#{app_name}_evidence"
+          options[:evidence_locker].present? ? options[:evidence_locker] : "REPLACE_THIS_WITH_YOUR_EVIDENCE_LOCKER_REPO"
         end
 
         def git_email
@@ -98,10 +111,9 @@ PLANT_HELPER_STEPS
             1. Docker desktop must be running
             1. Initialize the config file with `bin/auditree init`
             1. Create an evidence locker repository with a default or blank README
-            1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your Github Actions secrets.
-            1. Update `config/auditree.template.json` with the repo addresses for your locker and code repos
-            #{(options[:evidence_locker].blank? && file_exists?(".github/workflows/rspec.yml")) ? "1. Update `.github/workflows/rspec.yml` with the locker repository URL" : ""}
-            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle
+            1. Update `config/auditree.template.json` with the repo address for your locker
+            #{ci_readme_contents.chomp}
+            1. Copy the `devtools_cloud_gov` component definition into the project with the latest docker-trestle after [setting up docker-trestle](#initial-trestle-setup)
 
             #### Ongoing use
 
@@ -109,6 +121,24 @@ PLANT_HELPER_STEPS
             auditree and using new checks.
           README
         end
+
+        def ci_readme_contents
+          if file_exists? ".gitlab-ci.yml"
+            <<~README
+              1. Remove the `repo_integrity` section of `config/auditree.template.json`
+              1. Create a gitlab personal access token with `write_repository` scope to interact with the code repo and evidence locker and set as `AUDITREE_GITLAB_TOKEN` secret within your CI/CD variables.
+              #{options[:evidence_locker].blank? ? "1. Update `.gitlab/auditree.yml` with the locker repository URL" : ""}
+            README
+          elsif file_exists? ".github/workflows"
+            <<~README
+              1. Update `config/auditree.template.json` with the repo address for your code repos
+              1. Create a github personal access token to interact with the code repo and evidence locker and set as `AUDITREE_GITHUB_TOKEN` secret within your Github Actions secrets.
+              #{options[:evidence_locker].blank? ? "1. Update `.github/workflows/rspec.yml` with the locker repository URL" : ""}
+            README
+          else
+            ""
+          end
+        end
       end
     end
   end

data/lib/generators/rails_template18f/auditree/templates/gitlab/auditree.yml.tt

@@ -0,0 +1,48 @@
+.auditree:setup:
+  inherit:
+    default: false
+  image: "ghcr.io/gsa-tts/auditree:${AUDITREE_VERSION}"
+  variables:
+    CDEF: "${CI_PROJECT_DIR}/doc/compliance/oscal/component-definitions/devtools_cloud_gov/component-definition.json"
+    AUDITREE_CONFIG: "${CI_PROJECT_DIR}/config/auditree.template.json"
+  before_script:
+    - git config --global user.name "$GITLAB_USER_NAME"
+    - git config --global user.email "$GITLAB_USER_EMAIL"
+    - cf api api.fr.cloud.gov
+    - cd $HOME
+    - export GITLAB_TOKEN="auditree-gitlab-token:${AUDITREE_GITLAB_TOKEN}"
+
+auditree:
+  extends: .auditree:setup
+  stage: scan
+  script:
+    - fetch -c "$CDEF" -t "$AUDITREE_CONFIG"
+    - check -c "$CDEF" -t "$AUDITREE_CONFIG" -o "$CI_PROJECT_DIR"
+  artifacts:
+    paths:
+      - auditree.json
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+rspec:plant:
+  extends: .auditree:setup
+  stage: test
+  needs: ["rspec"]
+  variables:
+    PLAN_FILE: "${CI_PROJECT_DIR}/tmp/oscal/assessment-plans/rspec/assessment-plan.json"
+    RESULT_FILE: "${CI_PROJECT_DIR}/tmp/oscal/assessment-results/rspec/assessment-results.json"
+  script:
+    - |
+      if [ -f "$PLAN_FILE" ]; then
+        plant-helper -f "$PLAN_FILE" -c assessment-plans -d "RSpec run assessment plan" -t 31536000 -l "<%= auditree_evidence_locker %>"
+      else
+        echo "No plan file, skipping plant"
+      fi
+    - |
+      if [ -f "$RESULT_FILE" ]; then
+        plant-helper -f "$RESULT_FILE" -c assessment-results -d "RSpec run assessment results" -t 31536000 -l "<%= auditree_evidence_locker %>"
+      else
+        echo "No result file, skipping plant"
+      fi
+  rules:
+    - if: $CI_PIPELINE_SOURCE != "schedule"

data/lib/generators/rails_template18f/circleci/templates/circleci/config.yml.tt

@@ -314,13 +314,15 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/plan:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           out: staging.out
           var_file: staging.tfvars
           var: >-
             rails_master_key="$RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
-            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
@@ -332,6 +334,9 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           plan: staging.out<% if terraform_manage_spaces? %>
 
@@ -358,13 +363,15 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/plan:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           out: production.out
           var_file: production.tfvars
           var: >-
             rails_master_key="$PRODUCTION_RAILS_MASTER_KEY",
             cf_user="$CF_USERNAME",
-            cf_password="$CF_PASSWORD"
       - persist_to_workspace:
           root: .
           paths:
@@ -376,6 +383,9 @@ jobs:
       - attach_workspace:
           at: .
       - terraform/apply:
+          environment:
+            CF_API_URL: "https://api.fr.cloud.gov"
+            CF_USER: "$CF_USERNAME"
           path: terraform
           plan: production.out<% end %>
 

data/lib/generators/rails_template18f/cloud_gov_config/cloud_gov_config_generator.rb

@@ -12,14 +12,6 @@ module RailsTemplate18f
           Install a helper class to retrieve configuration from ENV["VCAP_SERVICES"]
       DESC
 
-      def install_climate_control
-        return if gem_installed?("climate_control")
-        gem_group :test do
-          gem "climate_control", "~> 1.2"
-        end
-        bundle_install
-      end
-
       def install_model_and_test
         copy_file "app/models/cloud_gov_config.rb"
         copy_file "spec/models/cloud_gov_config_spec.rb"

data/lib/generators/rails_template18f/cloud_gov_config/templates/app/models/cloud_gov_config.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
 
 class CloudGovConfig
-  ENV_VARIABLE = "VCAP_SERVICES"
+  attr_reader :vcap_services
 
-  def self.dig(*path)
-    return nil if ENV[ENV_VARIABLE].blank?
-    first, *rest = path
-    vcap_services[first]&.first&.dig(*rest)
+  def initialize(env = ENV["VCAP_SERVICES"])
+    @vcap_services = env.blank? ? {} : JSON.parse(env).with_indifferent_access
   end
 
-  def self.vcap_services
-    @vcap_services ||= JSON.parse(ENV[ENV_VARIABLE]).with_indifferent_access
+  def dig(*path)
+    first, *rest = path
+    vcap_services[first]&.first&.dig(*rest)
   end
 end

data/lib/generators/rails_template18f/cloud_gov_config/templates/spec/models/cloud_gov_config_spec.rb

@@ -3,35 +3,29 @@
 require "rails_helper"
 
 RSpec.describe CloudGovConfig, type: :model do
-  subject { described_class }
-
-  describe ".dig" do
-    context "VCAP_SERVICES is blank" do
-      it "returns nil" do
-        expect(subject.dig(:s3, :credentials, :bucket)).to be_nil
+  describe "#dig" do
+    [nil, "", "{}"].each do |blank|
+      context "VCAP_SERVICES is #{blank.inspect}" do
+        subject { described_class.new blank }
+        it "returns nil" do
+          expect(subject.dig(:s3, :credentials, :bucket)).to be_nil
+        end
       end
     end
 
     context "VCAP_SERVICES is set" do
+      subject { described_class.new vcap }
       let(:bucket_name) { "bucket-name" }
       let(:vcap) {
         {
-          s3: [
-            {
-              credentials: {
-                bucket: bucket_name
-              }
+          s3: [{
+            credentials: {
+              bucket: bucket_name
             }
-          ]
-        }
+          }]
+        }.to_json
       }
 
-      around do |example|
-        ClimateControl.modify VCAP_SERVICES: vcap.to_json do
-          example.run
-        end
-      end
-
       it "can find a path" do
         expect(subject.dig(:s3, :credentials, :bucket)).to eq bucket_name
       end

data/lib/generators/rails_template18f/github_actions/github_actions_generator.rb

@@ -17,10 +17,6 @@ module RailsTemplate18f
 
       def install_actions
         directory "github", ".github"
-        if !oscal_dir_exists?
-          remove_file ".github/workflows/validate-ssp.yml"
-          remove_file ".github/workflows/assemble-ssp.yml"
-        end
         if !terraform_manage_spaces?
           remove_file ".github/workflows/terraform-production.yml"
           remove_file ".github/workflows/deploy-production.yml"

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-production.yml

@@ -47,8 +47,10 @@ jobs:
       - name: Terraform apply
         uses: dflook/terraform-apply@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/deploy-staging.yml

@@ -47,8 +47,10 @@ jobs:
       - name: Terraform apply
         uses: dflook/terraform-apply@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-production.yml

@@ -57,8 +57,10 @@ jobs:
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/github_actions/templates/github/workflows/terraform-staging.yml

@@ -57,8 +57,10 @@ jobs:
       - name: terraform plan
         uses: dflook/terraform-plan@v1
         env:
+          CF_API_URL: "https://api.fr.cloud.gov"
+          CF_USER: ${{ secrets.CF_USERNAME }}
+          CF_PASSWORD: ${{ secrets.CF_PASSWORD }}
           TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
-          TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
           TF_VAR_rails_master_key: ${{ secrets.RAILS_MASTER_KEY }}
           TERRAFORM_PRE_RUN: |
             apt-get update

data/lib/generators/rails_template18f/gitlab_ci/gitlab_ci_generator.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module RailsTemplate18f
+  module Generators
+    class GitlabCiGenerator < ::Rails::Generators::Base
+      include Base
+      include CloudGovOptions
+
+      class_option :node_version, desc: "Node version to test against in actions"
+      class_option :postgres_version, default: "15", desc: "PostgreSQL version "
+
+      desc <<~DESC
+        Description:
+          Install GitLab CI workflow files
+      DESC
+
+      def install_actions
+        template "gitlab-ci.yml", ".gitlab-ci.yml"
+        directory "gitlab", ".gitlab"
+      end
+
+      def update_readme
+        if file_content("README.md").match?(/^## CI\/CD$/)
+          insert_into_file "README.md", readme_cicd, after: "## CI/CD\n"
+          insert_into_file "README.md", readme_staging_deploy, after: "#### Staging\n"
+          insert_into_file "README.md", readme_prod_deploy, after: "#### Production\n"
+          insert_into_file "README.md", readme_credentials, after: "#### Credentials and other Secrets\n"
+        else
+          append_to_file "README.md", <<~EOM
+            ## CI/CD
+            #{readme_cicd}
+
+            ### Deployment
+
+            #### Staging
+            #{readme_staging_deploy}
+
+            #### Production
+            #{readme_prod_deploy}
+
+            #### Credentials and other Secrets
+            #{readme_credentials}
+          EOM
+        end
+      end
+
+      def update_boundary_diagram
+        boundary_filename = "doc/compliance/apps/application.boundary.md"
+        insert_into_file boundary_filename, <<EOB, after: "Boundary(cicd, \"CI/CD Pipeline\") {\n"
+    System_Ext(gitlabci, "GitLab w/ DevTools Runner", "GSA-controlled code repository and Continuous Integration Service")
+EOB
+        insert_into_file boundary_filename, <<~EOB, before: "@enduml"
+          Rel(developer, gitlabci, "Publish code", "git ssh (22)")
+          Rel(gitlabci, cg_api, "Deploy App", "Auth: SpaceDeployer Service Account, https (443)")
+        EOB
+      end
+
+      no_tasks do
+        def readme_cicd
+          <<~EOM
+
+            GitLab CI is used to run all tests and scans as part of pull requests.
+
+            Security scans are also run on a scheduled basis. DEVELOPER TODO: create a pipeline schedule in the GitLab UI and update this sentence with the cadence.
+          EOM
+        end
+
+        def readme_staging_deploy
+          <<~EOM
+
+            Deploys to staging happen via terraform on every push to the `main` branch in GitLab.
+
+            The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+            | Secret Name | Description |
+            | ----------- | ----------- |
+            | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+            | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+            | `RAILS_MASTER_KEY` | `config/master.key` |
+          EOM
+        end
+
+        def readme_prod_deploy
+          if terraform_manage_spaces?
+            <<~EOM
+
+              Deploys to production happen via terraform on every push to the `production` branch in GitLab.
+
+              The following secrets must be set within the masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/)
+
+              | Secret Name | Description |
+              | ----------- | ----------- |
+              | `CF_USERNAME` | cloud.gov SpaceDeployer username |
+              | `CF_PASSWORD` | cloud.gov SpaceDeployer password |
+              | `PRODUCTION_RAILS_MASTER_KEY` | `config/credentials/production.key`. Should be marked as `Protected`. |
+            EOM
+          else
+            "Production deploys are not supported in the sandbox organization."
+          end
+        end
+
+        def readme_credentials
+          <<~EOM
+
+            1. Store variables that must be secret using masked and hidden [CI/CD variables](https://docs.gitlab.com/ci/variables/) in GitLab
+            1. Add the appropriate `-var` arguments to the `terraform:plan:<env>` and `terraform:apply:<env>` jobs like the existing `-var rails_master_key=`
+          EOM
+        end
+      end
+
+      private
+
+      def postgres_version
+        options[:postgres_version]
+      end
+
+      def node_version
+        if options[:node_version].present?
+          options[:node_version]
+        elsif File.exist?(nvmrc_path)
+          File.read(nvmrc_path).strip
+        else
+          "20.16"
+        end
+      end
+
+      def node_major
+        node_version.split(".").first
+      end
+
+      def nvmrc_path
+        @nvmrc_path ||= File.expand_path(".nvmrc", destination_root)
+      end
+    end
+  end
+end

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/node.yml.tt

@@ -0,0 +1,11 @@
+.setup-node:
+  - curl -fsSL https://deb.nodesource.com/setup_<%= node_major %>.x -o nodesource_setup.sh
+  - bash nodesource_setup.sh
+  - apt-get install -y nodejs
+  - npm install --global yarn
+
+.yarn-install:
+  - PUPPETEER_SKIP_DOWNLOAD=true yarn install --frozen-lockfile --no-progress
+
+.install-puppet-deps:
+  - apt-get update && apt-get install -y chromium

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/rails.yml

@@ -0,0 +1,75 @@
+include:
+  - local: ".gitlab/ruby.yml"
+  - local: ".gitlab/node.yml"
+
+# Cache Helpers
+.cache-dependencies:
+  variables:
+    WORKER_MEMORY: 2G
+  cache:
+    key:
+      files:
+        - Gemfile.lock
+        - yarn.lock
+      prefix: dependencies
+    paths:
+      - vendor/ruby
+      - node_modules/
+    policy: pull
+
+# Language Helpers
+.setup-languages:
+  before_script:
+    - !reference [.setup-ruby]
+    - !reference [.setup-node]
+
+# Project Helpers
+.setup-project:
+  services:
+    - name: "postgres:${POSTGRES_VERSION}"
+      alias: pg
+  before_script:
+    - !reference [.setup-ruby]
+    - export DATABASE_URL="postgres://postgres:${POSTGRES_PASSWORD}@${WSR_SERVICE_HOST_pg}:5432/${POSTGRES_DB}"
+    - bin/rails db:prepare
+
+.run-server:
+  extends: .setup-project
+  dependencies: []
+  variables:
+    RAILS_ENV: ci
+    SECRET_KEY_BASE_DUMMY: 1
+  before_script:
+    - !reference [.setup-node]
+    - !reference [.setup-project, before_script]
+    - bin/rake assets:precompile
+    - PORT=3000 bin/rails server > /dev/null 2>&1 &
+    - sleep 5
+
+.owasp:setup:
+  stage: scan
+  extends: .run-server
+  image: "rcahearngsa/owasp-ruby:${RUBY_VERSION}"
+  variables:
+    WORKER_MEMORY: 3G
+    WORKER_DISK: 6G
+  before_script:
+    - !reference [.run-server, before_script]
+    - ln -s $PWD /zap/wrk
+  artifacts:
+    expose_as: "OWASP Report"
+    paths:
+      - zap_report.html
+
+.assets:builder:
+  stage: deploy
+  extends: .setup-languages
+  dependencies: []
+  variables:
+    SECRET_KEY_BASE_DUMMY: 1
+  script:
+    - bin/rake assets:precompile
+    - bin/rake assets:clean
+  artifacts:
+    paths:
+      - public/assets

data/lib/generators/rails_template18f/gitlab_ci/templates/gitlab/ruby.yml

@@ -0,0 +1,7 @@
+.setup-ruby:
+  - export PATH=$PATH:/usr/local/bundle/bin
+  - bundle config set --local path 'vendor/ruby'
+  - bundle config set --local deployment true
+
+.bundle-install:
+  - bundle install