After having used pronto in combination with Github for some time, I tried setting it up in combination with a Gitlab installation.
The CI flow itself runs just fine, but there aren't any merge request comments being added like I expected. It looks like it doesn't do anything Gitlab-related but there aren't any error messages either.
My configuration (relevant parts) looks as follows:
stages:
- security
.shared-variables: &shared-variables
PRONTO_GITLAB_API_ENDPOINT: "https://gitlab.example.com/api/v4"
PRONTO_PULL_REQUEST_ID: $CI_MERGE_REQUEST_IID
# PRONTO_GITLAB_API_PRIVATE_TOKEN is set from within GitLab
brakeman:
stage: security
only:
- merge_requests
variables:
<<: *shared-variables
BUNDLE_GEMFILE: Gemfile-pronto-brakeman
cache:
key: brakeman
paths:
- .gem
before_script:
- export PATH=$GEM_HOME/bin:$PATH
- |
cat > $BUNDLE_GEMFILE << EOF
git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
gem 'pronto'
gem 'brakeman'
# TODO: change back once https://github.com/prontolabs/pronto-brakeman/pull/21 is merged & published
gem 'pronto-brakeman', github: 'zenom/pronto-brakeman'
EOF
- bundle install --jobs $(nproc)
script:
# this part of the pipeline only uses the brakeman runner
- bundle exec pronto run --exit-code -f gitlab_mr -r brakeman -c origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME
bundle-audit:
stage: security
only:
- merge_requests
variables:
<<: *shared-variables
BUNDLE_GEMFILE=Gemfile-pronto-bundler_audit
before_script:
- export PATH=$GEM_HOME/bin:$PATH
- |
cat > $BUNDLE_GEMFILE << EOF
git_source(:github) { |repo_name| "https://github.com/#{repo_name}.git" }
gem 'pronto'
# Latest changes haven't been published yet
gem 'bundler-audit', github: 'rubysec/bundler-audit'
gem 'pronto-bundler_audit'
EOF
- gem update --system
- bundle install --jobs $(nproc)
- bundle exec bundle-audit update
script:
# Note that bundler_audit is fixed to scan `Gemfile.lock`
- bundle exec pronto run --exit-code -f gitlab_mr -r bundler_audit -c origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME