Compare revisions
Commits on Source (34)
......@@ -8,8 +8,8 @@ Closes #999
## Checklist
* General:
* [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
* [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
* [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
* [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
* Publicly usable:
* [ ] untagged runners
* [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`
......
# [6.1.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/6.0.0...6.1.0) (2025-01-29)
## [6.1.7](https://gitlab.com/to-be-continuous/docker/compare/6.1.6...6.1.7) (2025-04-25)
### Bug Fixes
* install custom CA certs before awk ([45b8cb3](https://gitlab.com/to-be-continuous/docker/commit/45b8cb399cd5f73455d5e2be81f51e1672b46823))
## [6.1.6](https://gitlab.com/to-be-continuous/docker/compare/6.1.5...6.1.6) (2025-04-18)
### Bug Fixes
* allow installation of missing package awk ([bb602d8](https://gitlab.com/to-be-continuous/docker/commit/bb602d8e845bafa90c043f082f3ee35571679b49))
## [6.1.5](https://gitlab.com/to-be-continuous/docker/compare/6.1.4...6.1.5) (2025-04-18)
### Bug Fixes
* switch to official image with awk for buildah and skopeo ([b8a065a](https://gitlab.com/to-be-continuous/docker/commit/b8a065ad216851bebbc52fb5445d24b9b76f9835))
## [6.1.4](https://gitlab.com/to-be-continuous/docker/compare/6.1.3...6.1.4) (2025-04-11)
### Bug Fixes
* **envsubst:** leave lines with '# nosubst' unchanged when substituting (used to be simply dropped) ([214ae5d](https://gitlab.com/to-be-continuous/docker/commit/214ae5dfc6e6661eed8eb5dd62ad4fc1bcc7d5b7))
## [6.1.3](https://gitlab.com/to-be-continuous/docker/compare/6.1.2...6.1.3) (2025-03-11)
### Bug Fixes
* **sbom:** disable file catalogers for Syft SBOM (to minimize SBOM file) ([c95c2d4](https://gitlab.com/to-be-continuous/docker/commit/c95c2d47738d29e2640c3bf5e8b4199064d7c231))
## [6.1.2](https://gitlab.com/to-be-continuous/docker/compare/6.1.1...6.1.2) (2025-02-01)
### Bug Fixes
* homogenize new TBC envsubst mechanism ([8c6e14a](https://gitlab.com/to-be-continuous/docker/commit/8c6e14aa3409a8c5e51290eb316f284162ee2a11))
## [6.1.1](https://gitlab.com/to-be-continuous/docker/compare/6.1.0...6.1.1) (2025-01-31)
### Bug Fixes
* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([5102c5f](https://gitlab.com/to-be-continuous/docker/commit/5102c5f45fb71368cb24e54c150d79154cf7c287))
# [6.1.0](https://gitlab.com/to-be-continuous/docker/compare/6.0.0...6.1.0) (2025-01-27)
### Features
......
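Review bot: the existing `# [6.1.0]` heading is overwritten rather than kept: the link moves from git.code.tecnalia.dev/.../compare/6.0.0...6.1.0 to gitlab.com/to-be-continuous/docker and the date changes from 2025-01-29 to 2025-01-27, so this fork's own release record for 6.1.0 disappears from the changelog. If the fork's date matters for traceability, keep both entries or mention the upstream sync in the 6.1.0 entry. The added 6.1.1 to 6.1.7 entries are the ones that explain the behavioural changes elsewhere in this diff (SBOM only on prod/integ/release refs, file catalogers disabled, `# nosubst` lines kept, and the three awk-related fixes), so keep them verbatim.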
......@@ -61,7 +61,7 @@ To contribute:
1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
2. Make sure the issue has been reviewed and agreed.
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.
### Git Commit Conventions
......
......@@ -3,7 +3,7 @@ files:
documentation: ./README.md
changelog: ./CHANGELOG.md
data:
description: "Build, check and inspect your containers with Docker"
description: "Build, test and secure your container images out of a Dockerfile"
public: true
labels:
- to be continuous
......
{
"name": "Docker",
"description": "Build, check and inspect your containers with [Docker](https://www.docker.com/)",
"description": "Build, test and secure your container images out of a `Dockerfile`",
"template_path": "templates/gitlab-ci-docker.yml",
"kind": "package",
"prefix": "docker",
......@@ -21,7 +21,7 @@
{
"name": "DOCKER_BUILDAH_IMAGE",
"description": "The image used to run buildah\n\n_for buildah build only_",
"default": "quay.io/buildah/stable:latest"
"default": "quay.io/containers/aio:latest"
},
{
"name": "DOCKER_IMAGE",
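Review bot: the DOCKER_BUILDAH_IMAGE default moves from quay.io/buildah/stable:latest to quay.io/containers/aio:latest, a different image family, but the description `The image used to run buildah` is unchanged; say there that this is the all-in-one image chosen because it ships awk (the reason given in the 6.1.5 changelog entry), so a project that overrides the image knows the template now expects awk to be present. Both the old and the new default are `:latest` tags, so the build tool can change underneath every pipeline; recommend documenting digest pinning for projects that need reproducible builds.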
......@@ -36,7 +36,7 @@
{
"name": "DOCKER_SKOPEO_IMAGE",
"description": "The image used to publish docker image with Skopeo",
"default": "quay.io/skopeo/stable:latest"
"default": "quay.io/containers/aio:latest"
},
{
"name": "DOCKER_FILE",
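Review bot: same point as for DOCKER_BUILDAH_IMAGE: DOCKER_SKOPEO_IMAGE now defaults to the same quay.io/containers/aio:latest image while its description still reads `The image used to publish docker image with Skopeo`. Since both variables now share one default image, note in the descriptions that a project pinning one of them by digest should pin the other as well.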
......@@ -246,6 +246,14 @@
"description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
"disable_with": "DOCKER_SBOM_DISABLED",
"variables": [
{
"name": "TBC_SBOM_MODE",
"type": "enum",
"values": ["onrelease", "always"],
"description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
"advanced": true,
"default": "onrelease"
},
{
"name": "DOCKER_SBOM_IMAGE",
"default": "registry.hub.docker.com/anchore/syft:debug"
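Review bot: the TBC_SBOM_MODE description lists the two accepted values but not what happens with any other value; the docker-sbom rules added further down (`exclude unsupported modes`, `when: never`) silently drop the job in that case, so add a sentence such as `any other value disables the job` to the description. Minor: the variable is flagged `advanced`, yet setting it to `always` is now the only way to get an SBOM on merge-request pipelines; consider whether it belongs among the first-level options.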
......@@ -253,7 +261,7 @@
{
"name": "DOCKER_SBOM_OPTS",
"description": "Options for syft used for SBOM analysis",
"default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
"default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
"advanced": true
},
{
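Review bot: appending `--select-catalogers -file` to the DOCKER_SBOM_OPTS default changes the content of the SBOM (file-level entries are dropped, per the 6.1.3 changelog entry), but the description `Options for syft used for SBOM analysis` does not say so; state that file catalogers are excluded by default and that a project overriding DOCKER_SBOM_OPTS must re-add the flag to keep the reduced report, otherwise its override silently reverts to the larger SBOM.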
......@@ -317,7 +325,7 @@
},
{
"name": "GCP_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL",
"advanced": true
},
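Review bot: the GCP_OIDC_AUD description still links to the AWS page (https://docs.gitlab.com/ci/cloud_services/aws/) although the neighbouring GCP_OIDC_PROVIDER entry links the Google Cloud page (https://docs.gitlab.com/ci/cloud_services/google_cloud/); since this hunk already rewrites the URL, point it at the google_cloud page. The same copied link appears in the `gcp-oidc-aud` input of the GCP template variant further down in this diff.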
......@@ -327,7 +335,7 @@
},
{
"name": "GCP_OIDC_PROVIDER",
"description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)"
"description": "Default Workload Identity Provider associated with GitLab to [authenticate with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)"
},
{
"name": "GCP_SNAPSHOT_OIDC_ACCOUNT",
......@@ -379,22 +387,22 @@
},
{
"name": "AWS_OIDC_AUD",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_",
"description": "The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_",
"default": "$CI_SERVER_URL",
"advanced": true
},
{
"name": "AWS_OIDC_ROLE_ARN",
"description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_"
"description": "Default IAM Role ARN associated with GitLab _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_"
},
{
"name": "AWS_SNAPSHOT_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"description": "IAM Role ARN associated with GitLab for the snapshot image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
"name": "AWS_RELEASE_OIDC_ROLE_ARN",
"description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/) and if different from default)_",
"description": "IAM Role ARN associated with GitLab for the release image _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/) and if different from default)_",
"advanced": true
},
{
......
......@@ -15,20 +15,20 @@ spec:
different from default)_
default: ''
aws-oidc-aud:
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
default: $CI_SERVER_URL
aws-oidc-role-arn:
description: Default IAM Role ARN associated with GitLab _(only required for [OIDC
authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
default: ''
aws-snapshot-oidc-role-arn:
description: IAM Role ARN associated with GitLab for the snapshot image _(only
required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
and if different from default)_
default: ''
aws-release-oidc-role-arn:
description: IAM Role ARN associated with GitLab for the release image _(only
required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/)
required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/)
and if different from default)_
default: ''
---
......@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.0"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
......
......@@ -4,7 +4,7 @@
spec:
inputs:
gcp-oidc-aud:
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ee/ci/cloud_services/aws/))_
description: The `aud` claim for the JWT token _(only required for [OIDC authentication](https://docs.gitlab.com/ci/cloud_services/aws/))_
default: $CI_SERVER_URL
gcp-oidc-account:
description: Default Service Account to which impersonate with OpenID Connect
......@@ -12,7 +12,7 @@ spec:
default: ''
gcp-oidc-provider:
description: Default Workload Identity Provider associated with GitLab to [authenticate
with OpenID Connect](https://docs.gitlab.com/ee/ci/cloud_services/google_cloud/)
with OpenID Connect](https://docs.gitlab.com/ci/cloud_services/google_cloud/)
default: ''
gcp-snapshot-oidc-account:
description: Service Account to use to push the snapshot image _(only define if
......@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.0"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
......
......@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.0"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
......
......@@ -33,7 +33,7 @@ spec:
The image used to run buildah
_for buildah build only_
default: quay.io/buildah/stable:latest
default: quay.io/containers/aio:latest
image:
description: |-
The image used to run the docker client
......@@ -48,7 +48,7 @@ spec:
default: registry.hub.docker.com/library/docker:dind
skopeo-image:
description: The image used to publish docker image with Skopeo
default: quay.io/skopeo/stable:latest
default: quay.io/containers/aio:latest
file:
description: The path to your `Dockerfile`
default: Dockerfile
......@@ -169,7 +169,7 @@ spec:
default: registry.hub.docker.com/anchore/syft:debug
sbom-opts:
description: Options for syft used for SBOM analysis
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
hadolint-job-tags:
description: tags to filter applicable runners for hadolint job
type: array
......@@ -249,7 +249,18 @@ workflow:
# else (Ready MR): auto & failing
- when: on_success
# software delivery job prototype: run on production and integration branches + release pipelines
.delivery-policy:
rules:
# on tag with release pattern
- if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
# on production or integration branch(es)
- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
variables:
# Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
TBC_SBOM_MODE: "onrelease"
DOCKER_HADOLINT_IMAGE: $[[ inputs.hadolint-image ]]
DOCKER_IMAGE: $[[ inputs.image ]]
DOCKER_DIND_IMAGE: $[[ inputs.dind-image ]]
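Review bot: TBC_SBOM_MODE is set to the literal `"onrelease"` in `variables:` while every neighbouring variable (DOCKER_HADOLINT_IMAGE, DOCKER_IMAGE, DOCKER_DIND_IMAGE) is wired to a `$[[ inputs.* ]]` spec input, and the template spec hunks in this diff add no `sbom-mode` input; users of the component `inputs` syntax therefore cannot set it that way and must fall back to a project CI/CD variable. Either add the input or document the asymmetry. The new `.delivery-policy` rules (`$CI_COMMIT_TAG =~ $RELEASE_REF`, then `$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF`) deliberately have no trailing fallback, which is what makes a job that references them skip everywhere else; a comment saying so would help, because the `.test-policy` block just above ends with an explicit `- when: on_success`.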
......@@ -283,6 +294,8 @@ variables:
PROD_REF: '/^(master|main)$/'
# default integration ref name (pattern)
INTEG_REF: '/^develop$/'
# default release tag name (pattern)
RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'
# don't use CI_PROJECT_TITLE, kaniko doesn't support space in argument right now (https://github.com/GoogleContainerTools/kaniko/issues/1231)
DOCKER_METADATA: $[[ inputs.metadata ]]
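Review bot: RELEASE_REF is a `/.../`-delimited regex like PROD_REF and INTEG_REF and is now consumed by `.delivery-policy` through `=~`; add a comment that a project overriding it must keep the same `/.../` form as the other two patterns, since the value is used as a pattern and not as a literal tag name. The pattern accepts an optional `v` prefix, a pre-release suffix and build metadata, which is worth stating in the README next to the variable.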
......@@ -372,6 +385,30 @@ stages:
fi
}
function maybe_install_awk() {
if ! command -v awk > /dev/null
then
if command -v apt-get > /dev/null
then
# Debian
apt-get update
apt-get install --no-install-recommends --yes --quiet awk
elif command -v apk > /dev/null
then
# Alpine
apk add --no-cache gawk
elif command -v dnf > /dev/null
then
# Fedora
dnf install -y -q awk
else
log_error "... didn't find any supported package manager to install awk"
exit 1
fi
fi
}
function unscope_variables() {
_scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
if [[ -z "$_scoped_vars" ]]; then return; fi
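Review bot: the three package-manager branches in maybe_install_awk are not consistent: the Alpine branch installs the concrete package `gawk`, while the Debian branch runs `apt-get install ... awk` and the Fedora branch `dnf install -y -q awk`; on Debian `awk` is a virtual package and on Fedora the implementation package is `gawk`, so confirm that the bare name resolves on the base images this path is meant for, or name the implementation package explicitly in all three branches. The function installs from the network at job run time, which makes the job depend on package mirrors and proxy settings inside the build image; since 6.1.5 already switched the buildah and skopeo defaults to an image that ships awk, this should stay a fallback and emit an informational log line when it actually installs something, so that an image choice without awk is visible in the job output. The `else` branch (`log_error` then `exit 1`) is consistent with the surrounding helpers.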
......@@ -558,9 +595,82 @@ stages:
fail "... timeout reached: halt"
}
function awkenvsubst() {
# performs variables escaping: '&' for gsub + JSON chars ('\' and '"')
awk '{while(match($0,"[$%]{[^}]*}")) {var=substr($0,RSTART+2,RLENGTH-3);val=ENVIRON[var];gsub(/["\\&]/,"\\\\&",val);gsub("[$%]{"var"}",val)}}1'
function tbc_envsubst() {
awk '
BEGIN {
count_replaced_lines = 0
# ASCII codes
for (i=0; i<=255; i++)
char2code[sprintf("%c", i)] = i
}
# determine encoding (from env or from file extension)
function encoding() {
enc = ENVIRON["TBC_ENVSUBST_ENCODING"]
if (enc != "")
return enc
if (match(FILENAME, /\.(json|yaml|yml)$/))
return "jsonstr"
return "raw"
}
# see: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
function uriencode(str) {
len = length(str)
enc = ""
for (i=1; i<=len; i++) {
c = substr(str, i, 1);
if (index("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.!~*'\''()", c))
enc = enc c
else
enc = enc "%" sprintf("%02X", char2code[c])
}
return enc
}
/# *nosubst/ {
print $0
next
}
{
orig_line = $0
line = $0
count_repl_in_line = 0
# /!\ 3rd arg (match) not supported in BusyBox awk
while (match(line, /[$%]\{([[:alnum:]_]+)\}/)) {
expr_start = RSTART
expr_len = RLENGTH
# get var name
var = substr(line, expr_start+2, expr_len-3)
# get var value (from env)
val = ENVIRON[var]
# check variable is set
if (val == "") {
printf("[\033[1;93mWARN\033[0m] Environment variable \033[33;1m%s\033[0m is not set or empty\n", var) > "/dev/stderr"
} else {
enc = encoding()
if (enc == "jsonstr") {
gsub(/["\\]/, "\\\\&", val)
gsub("\n", "\\n", val)
gsub("\r", "\\r", val)
gsub("\t", "\\t", val)
} else if (enc == "uricomp") {
val = uriencode(val)
} else if (enc == "raw") {
} else {
printf("[\033[1;93mWARN\033[0m] Unsupported encoding \033[33;1m%s\033[0m: ignored\n", enc) > "/dev/stderr"
}
}
# replace expression in line
line = substr(line, 1, expr_start - 1) val substr(line, expr_start + expr_len)
count_repl_in_line++
}
if (count_repl_in_line) {
if (count_replaced_lines == 0)
printf("[\033[1;94mINFO\033[0m] Variable expansion occurred in file \033[33;1m%s\033[0m:\n", FILENAME) > "/dev/stderr"
count_replaced_lines++
printf("> line %s: %s\n", NR, orig_line) > "/dev/stderr"
}
print line
}
' "$@"
}
function configure_registries_auth() {
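Review bot: uriencode() and encoding() use `len`, `enc`, `i` and `c` without declaring them as extra function parameters, so in awk they are globals: `enc` is shared between the two functions and `i` with the loop in BEGIN. It works today only because `enc` is not read again after `val = uriencode(val)`; declare them local (`function uriencode(str,    len, enc, i, c)`) so the next edit does not trip over it. The `char2code` table is built byte-by-byte (0..255) and `substr(str, i, 1)` is then assumed to return one byte; in gawk under a UTF-8 locale both operate on characters, so a non-ASCII value would be encoded as a single `%XX` (or `%00` for characters outside 0..255) instead of its UTF-8 bytes. Run the script with `LC_ALL=C` or document that `uricomp` is ASCII-only. Two behaviours deserve a comment in the code: an unset variable is reported as WARN but the `${VAR}` expression is still replaced by the empty string (the `while (match(...))` loop would not terminate otherwise), and the INFO trace prints `orig_line`, the unexpanded template line, rather than the expanded one, which keeps values substituted from the environment (registry credentials included) out of the job log; that is the right choice and should stay. Also note that `/# *nosubst/` matches anywhere on the line, not only in a trailing comment, which is what the 6.1.4 changelog entry describes.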
......@@ -593,7 +703,7 @@ stages:
mkdir -p "$BUILDTOOL_HOME/.docker"
if [ -f "${DOCKER_CONFIG_FILE}" ]
then
awkenvsubst < "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
TBC_ENVSUBST_ENCODING=jsonstr tbc_envsubst "${DOCKER_CONFIG_FILE}" > "$BUILDTOOL_HOME/.docker/config.json"
else
echo "${docker_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
fi
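Review bot: tbc_envsubst now receives the file as an argument instead of reading stdin (`awkenvsubst < file` before); that is required so FILENAME is available for the encoding heuristic and the INFO trace. The explicit `TBC_ENVSUBST_ENCODING=jsonstr` is redundant for a file ending in `.json` but right to keep, because DOCKER_CONFIG_FILE is user-configurable and may not carry that extension; the `jsonstr` encoding is what prevents a registry password containing `"` or `\` from breaking config.json. One difference worth a line in the changelog: the old function also escaped `&` (needed for its gsub-based replacement), so a value containing `&` produced `\&`, which is not a valid JSON escape; the new substr-based replacement emits `&` verbatim.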
......@@ -632,6 +742,7 @@ stages:
function init_workspace() {
install_custom_ca_certs
maybe_install_awk
unscope_variables
eval_all_secrets
configure_registries_auth
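Review bot: the call order in init_workspace matters and deserves a comment: maybe_install_awk runs after install_custom_ca_certs so that package downloads behind a TLS-intercepting proxy trust the custom CA (the 6.1.7 fix), and before unscope_variables, which is the first helper that pipes through awk.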
......@@ -710,7 +821,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.0"]
command: ["--service", "docker", "6.1.7"]
before_script:
- !reference [.docker-scripts]
......@@ -737,7 +848,7 @@ stages:
extends: .docker-base
image: $DOCKER_IMAGE
variables:
# disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-disabled
# disable TLS between Docker client and Docker daemon : https://docs.gitlab.com/ci/docker/using_docker_build/#tls-disabled
DOCKER_HOST: tcp://docker:2375
DOCKER_TLS_CERTDIR: ""
# make visible DEFAULT_CA_CERTS and CUSTOM_CA_CERTS variables to the service (we MUST use different variable names)
......@@ -746,7 +857,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.0"]
command: ["--service", "docker", "6.1.7"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
......@@ -1064,11 +1175,17 @@ docker-sbom:
cyclonedx:
- "reports/docker-sbom-*.cyclonedx.json"
rules:
# exclude if disabled
# exclude if disabled (template specific)
- if: '$DOCKER_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.docker-sbom-job-tags ]]
# 'always' mode: run
- if: '$TBC_SBOM_MODE == "always"'
# exclude unsupported modes
- if: '$TBC_SBOM_MODE != "onrelease"'
when: never
# 'onrelease' mode: use common software delivery rules
- !reference [.delivery-policy, rules]
# ==================================================
# Stage: publish
......
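Review bot: the rule chain is correct but easy to misread, so spell it out in a comment: `DOCKER_SBOM_DISABLED == "true"` → never; `TBC_SBOM_MODE == "always"` → run; any value other than `onrelease` → never; otherwise defer to `.delivery-policy`. Two consequences should be stated in the README: replacing `.test-policy` with `.delivery-policy` means merge-request and feature-branch pipelines no longer produce an SBOM unless TBC_SBOM_MODE is `always` (a behaviour change from the previous release, as the 6.1.1 changelog entry says), and a project that sets TBC_SBOM_MODE to an empty string or a typo removes the job with no warning because the `!= "onrelease"` guard fires before the delivery rules. In this rendering the `tags: $[[ inputs.docker-sbom-job-tags ]]` line sits between the removed and the added rule entries; check in the file that the added `- if:` entries are inside `rules:` and not after `tags:`.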