From 77fc1c85aa5c5886832630b4b8b3474a2745f89b Mon Sep 17 00:00:00 2001
From: "Benguria Elguezabal, Gorka" <gorka.benguria@tecnalia.com>
Date: Fri, 10 May 2024 14:50:15 +0200
Subject: [PATCH] adds documentation to new variables

---
 README.md                      |  8 ++++++++
 templates/gitlab-ci-docker.yml | 18 +++++++++---------
 2 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 4d6ca3c..436228e 100644
--- a/README.md
+++ b/README.md
@@ -273,6 +273,7 @@ It is bound to the `build` stage, and uses the following variables:
 | `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
 | `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
 | `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments        | _(none)_                        |
+| `hadolint-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
 
@@ -307,6 +308,9 @@ It is bound to the `package-build` stage, and uses the following variables:
 | `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label                                                                                                               | OCI Image Format Specification |
 | `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
 | `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED`      | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
+| `kaniko-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
+| `dind-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
+| `buildah-build-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
@@ -375,6 +379,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
 | `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
 | `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check         | _(none)_ |
+| `healthcheck-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
 
@@ -405,6 +410,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
 | `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
 | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
+| `docker-trivy-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
 
@@ -424,6 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
 | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `docker-sbom-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 ### `docker-publish` job
 
@@ -437,6 +444,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
 | `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
 | `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
 | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
+| `docker-publish-job-tags` /  | Tags to be used for selecting runners for the job | `[]`            |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
 
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 3bd7401..4b154ee 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -205,16 +205,16 @@ spec:
       description: tags to filter applicable runners for healthcheck job
       type: array
       default: []
-    trivy-job-tags:
-      description: tags to filter applicable runners for trivy job
+    docker-trivy-job-tags:
+      description: tags to filter applicable runners for docker-trivy job
       type: array
       default: []
-    sbom-job-tags:
-      description: tags to filter applicable runners for sbom job
+    docker-sbom-job-tags:
+      description: tags to filter applicable runners for docker-sbom job
       type: array
       default: []
-    publish-job-tags:
-      description: tags to filter applicable runners for publish job
+    docker-publish-job-tags:
+      description: tags to filter applicable runners for docker-publish job
       type: array
       default: []
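Review bot: Renaming the `trivy-job-tags`, `sbom-job-tags` and `publish-job-tags` inputs to `docker-trivy-job-tags`, `docker-sbom-job-tags` and `docker-publish-job-tags` in this hunk, with no alias kept, is an interface change for any project that already passes the old names under `include: inputs:`; as far as I know GitLab rejects an include that supplies an undeclared input rather than ignoring it, yet the commit title only speaks of adding documentation. Either keep the old names declared (e.g. `trivy-job-tags:` with `description: deprecated, use docker-trivy-job-tags instead`) for one release, or flag the rename explicitly in the commit message (a `BREAKING CHANGE:` trailer if the project's semantic-release setup is meant to pick it up) so consumers are not surprised by a failing pipeline. The README rows added alongside leave the variable column empty after the `/`; if these inputs intentionally have no `DOCKER_*` variable counterpart, stating that in these `description` fields would spare readers the guess. The enclosing `spec: inputs:` mapping starts before this hunk, so I cannot see whether further inputs above it were renamed the same way.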
 
@@ -1006,7 +1006,7 @@ docker-trivy:
     - if: '$DOCKER_TRIVY_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
-  tags: $[[ inputs.trivy-job-tags ]]
+  tags: $[[ inputs.docker-trivy-job-tags ]]
 
 docker-sbom:
   extends: .docker-base
@@ -1033,7 +1033,7 @@ docker-sbom:
     - if: '$DOCKER_SBOM_DISABLED == "true"'
       when: never
     - !reference [.test-policy, rules]
-  tags: $[[ inputs.sbom-job-tags ]]
+  tags: $[[ inputs.docker-sbom-job-tags ]]
 
 # ==================================================
 # Stage: publish
@@ -1105,4 +1105,4 @@ docker-publish:
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
       when: manual
     - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
-  tags: $[[ inputs.publish-job-tags ]]
\ No newline at end of file
+  tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file
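Review bot: The rewritten `tags: $[[ inputs.docker-publish-job-tags ]]` line is still the last line of the file and still carries `\ No newline at end of file`; since the line is being replaced anyway, terminate it with a newline so the file ends cleanly (yamllint's `new-line-at-end-of-file` check, and future edits to the file stop re-touching this line). The `docker-publish` job definition starts before this hunk.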
-- 
GitLab