gitlab CI template

.coveragerc

[run]
branch = True
source = my_django_lib
omit =
  src/my_django_lib/settings.py
  */__init__.py

[paths]
source = src

[report]
fail_under = 80
show_missing = True

.gitlab-ci.yml

image: python:3.7-alpine

stages:
  - build
  - lint
  - test
  - security
  - release
  - post_release

packaging:
  stage: build
  script:
    - pip install poetry==1.0.0a4  # FIXME: need pre-release for export
    - poetry build
    - poetry export -f requirements.txt
    - mkdir artifacts
    - mv dist artifacts/packages
    - pip wheel -w artifacts/wheelhouse -r requirements.txt
    - cp artifacts/packages/*.whl artifacts/wheelhouse
  artifacts:
    expire_int: 1 day
    paths:
      - artifacts

black:
  stage: lint
  script:
    - pip install black
    - black src/ tests/ --check

mypy:
  stage: lint
  script:
    - apk --no-cache add --update gcc musl-dev
    - pip install mypy
    - mypy src/

coverage:
  stage: lint
  script:
    - pip install artifacts/wheelhouse/*
    - pip install pytest-cov
    - pytest tests/ --cov
  coverage: '/TOTAL.*?(\d{1,3}%)/'

pytest:
  stage: test
  script:
    - pip install artifacts/wheelhouse/*
    - pip install pytest pytest-sugar
    - pytest tests/

safety:
  stage: security
  script:
    - pip install poetry==1.0.0a4  # FIXME: need pre-release for export
    - pip install safety
    - poetry export -f requirements.txt
    - safety check -r requirements.txt

bandit:
  stage: security
  script:
    - pip install bandit
    - bandit -r src/

sphinx:
  stage: release
  only:
    - tags
  script:
    - pip install artifacts/wheelhouse/*
    - pip install sphinx
    - sphinx-apidoc --no-toc --module-first -o docs/autodoc src/my_django_lib
    - sphinx-build docs public
  artifacts:
    paths:
      - public

upload:
  stage: release
  only:
    - tags
  script:
    - pip install poetry
    - poetry publish -u ${PYPI_USER} -p ${PYPI_PASSWORD} dist/*

ensure_pipy:
  stage: post_release
  only:
    - tags
  script:
    - apk add --no-cache --upgrade grep
    - VERSION=$(grep pyproject.toml -e '(?<=^version = ")(.*)(?=")' -Po)
    - pip install my_django_lib==${VERSION}

scripts.local_wheelhouse.sh

#!/usr/bin/env bash
set -euf -o pipefail

# get location of project root
PROJECT_DIR="$(dirname "$(dirname "$(readlink -f "${0}")")")"

# store dockerfile in temp dir
echo "Creating temporary workspace and writing Dockerfile..."
TMP=$(mktemp -d)
trap "{ rm -rf ${TMP}; }" EXIT
cat << EOF > ${TMP}/Dockerfile
FROM python:3.7-alpine

COPY src src
COPY poetry.lock .
COPY pyproject.toml .

RUN pip install poetry==1.0.0a2 && \
    poetry lock && \
    poetry build -f wheel && \
    poetry export -f requirements.txt && \
    pip wheel -w wheels -r requirements.txt && \
    mv dist/* wheels
EOF

# build image, run container, and copy wheelhouse to project root on host
echo "Building image..."
docker build -f ${TMP}/Dockerfile -t 'wheelhouse_builder' ${PROJECT_DIR}
echo "Running container..."
docker run --cidfile ${TMP}/wheelhouse.cid 'wheelhouse_builder'
echo "Cleaning up former wheelhouse and copying over new one from container..."
rm -fr ${PROJECT_DIR}/wheels
docker cp $(cat ${TMP}/wheelhouse.cid):/wheels ${PROJECT_DIR}/wheels
echo "Done."

.gitlab-ci.yml : What this gist is about.
.coveragerc: One lint step uses coverage.py, and that tool is no good without a config. This one is a reasonable starting point.
scripts.local_wheelhouse.sh: The base image is alpine, so if you want to test a deployment the way it runs in the pipeline, having this script to start a container from its artifacts it is handy.