Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # README.md # templates/gitlab-ci-docker.yml

Merge remote-tracking branch 'upstream/master'
9536692a · Benguria Elguezabal, Gorka · 388bbd02 · 33c6d6e7 · 9536692a · 9536692a
Commit 9536692a authored 2 months ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [6.1.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/6.0.0...6.1.0) (2025-01-29)
+## [6.1.7](https://gitlab.com/to-be-continuous/docker/compare/6.1.6...6.1.7) (2025-04-25)
+
+
+### Bug Fixes
+
+* install custom CA certs before awk ([45b8cb3](https://gitlab.com/to-be-continuous/docker/commit/45b8cb399cd5f73455d5e2be81f51e1672b46823))
+
+## [6.1.6](https://gitlab.com/to-be-continuous/docker/compare/6.1.5...6.1.6) (2025-04-18)
+
+
+### Bug Fixes
+
+* allow installation of missing package awk ([bb602d8](https://gitlab.com/to-be-continuous/docker/commit/bb602d8e845bafa90c043f082f3ee35571679b49))
+
+## [6.1.5](https://gitlab.com/to-be-continuous/docker/compare/6.1.4...6.1.5) (2025-04-18)
+
+
+### Bug Fixes
+
+* switch to official image with awk for buildah and skopeo ([b8a065a](https://gitlab.com/to-be-continuous/docker/commit/b8a065ad216851bebbc52fb5445d24b9b76f9835))
+
+## [6.1.4](https://gitlab.com/to-be-continuous/docker/compare/6.1.3...6.1.4) (2025-04-11)
+
+
+### Bug Fixes
+
+* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([214ae5d](https://gitlab.com/to-be-continuous/docker/commit/214ae5dfc6e6661eed8eb5dd62ad4fc1bcc7d5b7))
+
+## [6.1.3](https://gitlab.com/to-be-continuous/docker/compare/6.1.2...6.1.3) (2025-03-11)
+
+
+### Bug Fixes
+
+* **sbom:** disable file catalogers for Syft SBOM (to minimize SBOM file) ([c95c2d4](https://gitlab.com/to-be-continuous/docker/commit/c95c2d47738d29e2640c3bf5e8b4199064d7c231))
+
+## [6.1.2](https://gitlab.com/to-be-continuous/docker/compare/6.1.1...6.1.2) (2025-02-01)
+
+
+### Bug Fixes
+
+* homogenize new TBC envsubst mechanism ([8c6e14a](https://gitlab.com/to-be-continuous/docker/commit/8c6e14aa3409a8c5e51290eb316f284162ee2a11))
+
+## [6.1.1](https://gitlab.com/to-be-continuous/docker/compare/6.1.0...6.1.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([5102c5f](https://gitlab.com/to-be-continuous/docker/commit/5102c5f45fb71368cb24e54c150d79154cf7c287))
+
+# [6.1.0](https://gitlab.com/to-be-continuous/docker/compare/6.0.0...6.1.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
--- a/docker.r2.yml
+++ b/docker.r2.yml
@@ -3,7 +3,7 @@ files:
    documentation: ./README.md
    changelog: ./CHANGELOG.md
 data:
-    description: "Build, check and inspect your containers with Docker"
+    description: "Build, test and secure your container images out of a Dockerfile"
    public: true
    labels:
    - to be continuous

--- a/kicker.json
+++ b/kicker.json
 {
  "name": "Docker",
-  "description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
+  "description": "Build, test and secure your container images out of a `Dockerfile`",
  "template_path": "templates/gitlab-ci-docker.yml",
  "kind": "package",
  "prefix": "docker",
@@ -21,7 +21,7 @@
    {
      "name": "DOCKER_BUILDAH_IMAGE",
      "description": "The image used to run buildah\n\n_for buildah build only_",
-      "default": "quay.io/buildah/stable:latest"
+      "default": "quay.io/containers/aio:latest"
    },
    {
      "name": "DOCKER_IMAGE",
@@ -36,7 +36,7 @@
    {
      "name": "DOCKER_SKOPEO_IMAGE",
      "description": "The image used to publish docker image with Skopeo",
-      "default": "quay.io/skopeo/stable:latest"
+      "default": "quay.io/containers/aio:latest"
    },
    {
      "name": "DOCKER_FILE",
@@ -246,6 +246,14 @@
      "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
      "disable_with": "DOCKER_SBOM_DISABLED",
      "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
        {
          "name": "DOCKER_SBOM_IMAGE",
          "default": "registry.hub.docker.com/anchore/syft:debug"
@@ -253,7 +261,7 @@
        {
          "name": "DOCKER_SBOM_OPTS",
          "description": "Options for syft used for SBOM analysis",
-          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
+          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
          "advanced": true
        },
        {
@@ -317,7 +325,7 @@
        },
        {
          "name": "GCP_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
@@ -327,7 +335,7 @@
        },
        {
          "name": "GCP_OIDC_PROVIDER",
-          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
+          "description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
        },
        {
          "name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
@@ -379,22 +387,22 @@
        },
        {
          "name": "AWS_OIDC_AUD",
-          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
+          "description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
          "default": "$CI_SERVER_URL",
          "advanced": true
        },
        {
          "name": "AWS_OIDC_ROLE_ARN",
-          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
+          "description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_"
        },
        {
          "name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",
-          "description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
+          "description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
          "advanced": true
        },
        {
          "name": "AWS_RELEASE_OIDC_ROLE_ARN",
-          "description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
+          "description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
          "advanced": true
        },
        {

--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -15,20 +15,20 @@ spec:
        different from default)_
      default: ''
    aws-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    aws-oidc-role-arn:
      description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
-        authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+        authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: ''
    aws-snapshot-oidc-role-arn:
      description: IAM Role ARN associated with GitLab for the snapshot image _(only
-        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
        and if different from default)_
      default: ''
    aws-release-oidc-role-arn:
      description: IAM Role ARN associated with GitLab for the release image _(only
-        required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
+        required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
        and if different from default)_
      default: ''
 ---
@@ -45,7 +45,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  id_tokens:

--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -4,7 +4,7 @@
 spec:
  inputs:
    gcp-oidc-aud:
-      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
+      description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
      default: $CI_SERVER_URL
    gcp-oidc-account:
      description: Default Service Account to which impersonate with OpenID Connect
@@ -12,7 +12,7 @@ spec:
      default: ''
    gcp-oidc-provider:
      description: Default Workload Identity Provider associated with GitLab to [authenticate
-        with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
+        with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
      default: ''
    gcp-snapshot-oidc-account:
      description: Service Account to use to push the snapshot image _(only define if
@@ -44,7 +44,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
    - name: "$TBC_GCP_PROVIDER_IMAGE"
      alias: "gcp-auth-provider"
  variables:

--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -33,7 +33,7 @@ spec:
        The image used to run buildah

        _for buildah build only_
-      default: quay.io/buildah/stable:latest
+      default: quay.io/containers/aio:latest
    image:
      description: |-
        The image used to run the docker client
@@ -48,7 +48,7 @@ spec:
      default: registry.hub.docker.com/library/docker:dind
    skopeo-image:
      description: The image used to publish docker image with Skopeo
-      default: quay.io/skopeo/stable:latest
+      default: quay.io/containers/aio:latest
    file:
      description: The path to your `Dockerfile`
      default: Dockerfile
@@ -169,7 +169,7 @@ spec:
      default: registry.hub.docker.com/anchore/syft:debug
    sbom-opts:
      description: Options for syft used for SBOM analysis
-      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
    hadolint-job-tags:
      description: tags to filter applicable runners for hadolint job
      type: array
@@ -249,7 +249,18 @@ workflow:
    # else (Ready MR): auto & failing
    - when: on_success

+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
  DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
  DOCKER_IMAGE: $[[ inputs.image ]]
  DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
@@ -283,6 +294,8 @@ variables:
  PROD_REF: '/^(master|main)$/'
  # default integration ref name (pattern)
  INTEG_REF: '/^develop$/'
+  # default release tag name (pattern)
+  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'

  # don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
  DOCKER_METADATA: $[[ inputs.metadata ]]
@@ -372,6 +385,30 @@ stages:
    fi
  }

+  function maybe_install_awk() {
+    if ! command -v awk > /dev/null
+    then
+      if command -v apt-get > /dev/null
+      then
+        # Debian
+        apt-get update
+        apt-get install --no-install-recommends --yes --quiet awk
+      elif command -v apk > /dev/null
+      then
+        # Alpine
+        apk add --no-cache gawk
+      elif command -v dnf > /dev/null
+      then 
+        # Fedora
+        dnf install -y -q awk
+      else
+        log_error "... didn't find any supported package manager to install awk"
+        exit 1
+      fi
+    fi
+  }
+
+
  function unscope_variables() {
    _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
    if [[ -z "$_scoped_vars" ]]; then return; fi
@@ -558,9 +595,82 @@ stages:
    fail "... timeout reached: halt"
  }

-  function awkenvsubst() {
-    # performs variables escaping: '&' for gsub + JSON chars ('\' and '"')
-    awk '{while(match($0,"[$%]{[^}]*}")) {var=substr($0,RSTART+2,RLENGTH-3);val=ENVIRON[var];gsub(/["\\&]/,"\\\\&",val);gsub("[$%]{"var"}",val)}}1'
+  function tbc_envsubst() {
+    awk '
+      BEGIN {
+        count_replaced_lines = 0
+        # ASCII codes
+        for (i=0; i<=255; i++)
+          char2code[sprintf("%c", i)] = i
+      }
+      # determine encoding (from env or from file extension)
+      function encoding() {
+        enc = ENVIRON["TBC_ENVSUBST_ENCODING"]
+        if (enc != "")
+          return enc
+        if (match(FILENAME, /\.(json|yaml|yml)$/))
+          return "jsonstr"
+        return "raw"
+      }
+      # see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
+      function uriencode(str) {
+        len = length(str)
+        enc = ""
+        for (i=1; i<=len; i++) {
+          c = substr(str, i, 1);
+          if (index("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'\''()", c))
+            enc = enc c
+          else
+            enc = enc "%" sprintf("%02X", char2code[c])
+        }
+        return enc
+      }
+      /# *nosubst/ {
+        print $0
+        next
+      }
+      {
+        orig_line = $0
+        line = $0
+        count_repl_in_line = 0
+        # /!\ 3rd arg (match) not supported in BusyBox awk
+        while (match(line, /[$%]\{([[:alnum:]_]+)\}/)) {
+          expr_start = RSTART
+          expr_len = RLENGTH
+          # get var name
+          var = substr(line, expr_start+2, expr_len-3)
+          # get var value (from env)
+          val = ENVIRON[var]
+          # check variable is set
+          if (val == "") {
+            printf("[\033[1;93mWARN\033[0m] Environment variable \033[33;1m%s\033[0m is not set or empty\n", var) > "/dev/stderr"
+          } else {
+            enc = encoding()
+            if (enc == "jsonstr") {
+              gsub(/["\\]/, "\\\\&", val)
+              gsub("\n", "\\n", val)
+              gsub("\r", "\\r", val)
+              gsub("\t", "\\t", val)
+            } else if (enc == "uricomp") {
+              val = uriencode(val)
+            } else if (enc == "raw") {
+            } else {
+              printf("[\033[1;93mWARN\033[0m] Unsupported encoding \033[33;1m%s\033[0m: ignored\n", enc) > "/dev/stderr"
+            }
+          }
+          # replace expression in line
+          line = substr(line, 1, expr_start - 1) val substr(line, expr_start + expr_len)
+          count_repl_in_line++
+        }
+        if (count_repl_in_line) {
+          if (count_replaced_lines == 0)
+            printf("[\033[1;94mINFO\033[0m] Variable expansion occurred in file \033[33;1m%s\033[0m:\n", FILENAME) > "/dev/stderr"
+          count_replaced_lines++
+          printf("> line %s: %s\n", NR, orig_line) > "/dev/stderr"
+        }
+        print line
+      }
+    ' "$@"
  }

  function configure_registries_auth() {
@@ -593,7 +703,7 @@ stages:
    mkdir -p "$BUILDTOOL_HOME/.docker"
    if [ -f "${DOCKER_CONFIG_FILE}" ]
    then
-      awkenvsubst < "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
+      TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
    else
      echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
    fi
@@ -632,6 +742,7 @@ stages:

  function init_workspace() {
    install_custom_ca_certs
+    maybe_install_awk
    unscope_variables
    eval_all_secrets
    configure_registries_auth
@@ -710,7 +821,7 @@ stages:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
  before_script:
    - !reference [.docker-scripts]

@@ -737,7 +848,7 @@ stages:
  extends: .docker-base
  image: $DOCKER_IMAGE
  variables:
-    # disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-disabled
+    # disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ci/docker/using_docker_build/#tls-disabled
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
    # make visible DEFAULT_CA_CERTS and CUSTOM_CA_CERTS variables to the service (we MUST use different variable names)
@@ -746,7 +857,7 @@ stages:
    _TRACE: "${TRACE}"
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "6.1.0"]
+      command: ["--service", "docker", "6.1.7"]
    - name: $DOCKER_DIND_IMAGE
      alias: docker
      command:
@@ -1064,12 +1175,19 @@ docker-sbom:
      cyclonedx:
        - "reports/docker-sbom-*.cyclonedx.json"
  rules:
-    # exclude if disabled
+    # exclude if disabled (template specific)
    - if: '$DOCKER_SBOM_DISABLED == "true"'
      when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
  tags: $[[ inputs.docker-sbom-job-tags ]]

+
 # ==================================================
 # Stage: publish
 # ==================================================