Compare revisions

Pierre Smeyers · Pierre Smeyers · semantic-release-bot · Benguria Elguezabal, Gorka · Benguria Elguezabal, Gorka · Benguria Elguezabal, Gorka
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 include:
-  - project: 'to-be-continuous/tools/gitlab-ci'
-    ref: 'master'
-    file: '/templates/extract.yml'
-  - project: 'to-be-continuous/tools/gitlab-ci'
-    ref: 'master'
-    file: '/templates/validation.yml'
-  - project: 'to-be-continuous/kicker'
-    ref: 'master'
-    file: '/templates/validation.yml'
-  - project: 'to-be-continuous/bash'
-    ref: '3.4'
-    file: '/templates/gitlab-ci-bash.yml'
-  - project: 'to-be-continuous/semantic-release'
-    ref: '3.8'
-    file: '/templates/gitlab-ci-semrel.yml'    
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/extract@master
+    inputs:
+      extract-script-job-tags: ["docker"]
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/validation@master
+    inputs:
+      check-links-job-tags: ["docker"]
+      tbc-check-job-tags: ["docker"]
+      tbc-check-image: registry.gitlab.com/gbenguria/tbc-check:main
+      gitlab-ci-lint-job-tags: ["docker"]
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/kicker/validation@master
+    inputs:
+      kicker-validation-job-tags: ["docker"]
+      schema-base-url: "https://git.code.tecnalia.com/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/bash/gitlab-ci-bash@master
+    inputs:
+      bash-shellcheck-job-tags: ["docker"]
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master
+    inputs:
+      semantic-release-job-tags: ["docker"]

 stages:
  - build

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
+## [5.10.2](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.1...5.10.2) (2024-05-13)
+
+
+### Bug Fixes
+
+* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb))
+
+## [5.10.2](https://gitlab.com/to-be-continuous/docker/compare/5.10.1...5.10.2) (2024-05-05)
+
+
+### Bug Fixes
+
+* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://gitlab.com/to-be-continuous/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb))
+
 ## [5.10.1](https://gitlab.com/to-be-continuous/docker/compare/5.10.0...5.10.1) (2024-04-03)



--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.1
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.2
    # 2: set/override component inputs
    inputs:
      build-tool: buildah # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/docker'
-    ref: '5.10.1'
+    ref: '5.10.2'
    file: '/templates/gitlab-ci-docker.yml'

 variables:
@@ -273,6 +273,7 @@ It is bound to the `build` stage, and uses the following variables:
 | `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
 | `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image                     | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`       |
 | `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments        | _(none)_                        |
+| `hadolint-job-tags` / `DOCKER_HADOLINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.

@@ -307,6 +308,9 @@ It is bound to the `package-build` stage, and uses the following variables:
 | `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label                                                                                                               | OCI Image Format Specification |
 | `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
 | `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED`      | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
+| `kaniko-build-job-tags` / `DOCKER_KANIKO_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
+| `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
+| `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):

@@ -375,6 +379,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
 | `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
 | `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check         | _(none)_ |
+| `healthcheck-job-tags` / `DOCKER_HEALTHCHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 In case your Docker image is not intended to run as a service and only contains a *client tool* (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).

@@ -405,6 +410,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
 | `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
 | `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
+| `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 In addition to a textual report in the console, this job produces the following reports, kept for one day:

@@ -424,6 +430,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `sbom-disabled` / `DOCKER_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug` |
 | `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger` |
+| `docker-sbom-job-tags` / `DOCKER_DOCKER_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 ### `docker-publish` job

@@ -437,6 +444,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
 | `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
 | `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags))       | _(none)_          |
 | `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
+| `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):


--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -33,7 +33,7 @@ if [[ "$curVer" ]]; then
  # replace in template and variants
  for tmpl in templates/*.yml
  do
-    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[ *\"--service\", *\"\(.*\)\", *\"$curVer\" *\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
 else

--- a/kicker.json
+++ b/kicker.json
@@ -120,6 +120,34 @@
      "description": "Set to `true` to disable the build cache.",
      "type": "boolean",
      "advanced": true
+    },
+    {
+      "name": "DOCKER_KANIKO_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_DIND_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_BUILDAH_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "DOCKER_DOCKER_PUBLISH_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
    }
  ],
  "features": [
@@ -138,6 +166,13 @@
          "name": "DOCKER_HADOLINT_ARGS",
          "description": "Additional `hadolint` arguments",
          "advanced": true
+        },
+        {
+          "name": "DOCKER_HADOLINT_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
        }
      ]
    },
@@ -163,6 +198,13 @@
          "name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
          "description": "Arguments sent to the running container for health check",
          "advanced": true
+        },
+        {
+          "name": "DOCKER_HEALTHCHECK_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
        }
      ]
    },
@@ -205,6 +247,13 @@
          "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
          "description": "OCI repository to retrieve Trivy Java Database from",
          "advanced": true
+        },
+        {
+          "name": "DOCKER_DOCKER_TRIVY_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
        }
      ]
    },
@@ -223,6 +272,13 @@
          "description": "Options for syft used for SBOM analysis",
          "default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger",
          "advanced": true
+        },
+        {
+          "name": "DOCKER_DOCKER_SBOM_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
        }
      ]
    }

--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.1"]
+      command: ["--service", "docker", "5.10.2"]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  id_tokens:

--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.1"]
+      command: ["--service", "docker", "5.10.2"]
    - name: "$TBC_GCP_PROVIDER_IMAGE"
      alias: "gcp-auth-provider"
  variables:

--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.1"]
+      command: ["--service", "docker", "5.10.2"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -185,12 +185,48 @@ spec:
    sbom-opts:
      description: Options for syft used for SBOM analysis
      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger
+    hadolint-job-tags:
+      description: tags to filter applicable runners for hadolint job
+      type: array
+      default: []
+    kaniko-build-job-tags:
+      description: tags to filter applicable runners for kaniko build job
+      type: array
+      default: []
+    dind-build-job-tags:
+      description: tags to filter applicable runners for dind build job
+      type: array
+      default: []
+    buildah-build-job-tags:
+      description: tags to filter applicable runners for buildah build job
+      type: array
+      default: []
+    healthcheck-job-tags:
+      description: tags to filter applicable runners for healthcheck job
+      type: array
+      default: []
+    docker-trivy-job-tags:
+      description: tags to filter applicable runners for docker-trivy job
+      type: array
+      default: []
+    docker-sbom-job-tags:
+      description: tags to filter applicable runners for docker-sbom job
+      type: array
+      default: []
+    docker-publish-job-tags:
+      description: tags to filter applicable runners for docker-publish job
+      type: array
+      default: []
+
 ---
 # default workflow rules: Merge Request pipelines
 workflow:
  rules:
-    # prevent branch pipeline when an MR is open (prefer MR pipeline)
-    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+    # prevent MR pipeline originating from production or integration branch(es)
+    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $PROD_REF || $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME =~ $INTEG_REF'
+      when: never
+    # on non-prod, non-integration branches: prefer MR pipeline over branch pipeline
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
      when: never
    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*tag(,[^],]*)*\]/" && $CI_COMMIT_TAG'
      when: never
@@ -661,7 +697,7 @@ stages:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.1"]
+      command: ["--service", "docker", "5.10.2"]
  before_script:
    - !reference [.docker-scripts]

@@ -694,7 +730,7 @@ stages:
    _TRACE: "${TRACE}"
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.1"]
+      command: ["--service", "docker", "5.10.2"]
    - name: $DOCKER_DIND_IMAGE
      alias: docker
      command:
@@ -747,6 +783,7 @@ docker-hadolint:
    - if: '$DOCKER_HADOLINT_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.hadolint-job-tags ]]

 # ==================================================
 # Stage: package-build
@@ -774,6 +811,7 @@ docker-kaniko-build:
        - docker.env
  rules:
    - if: '$DOCKER_BUILD_TOOL == "kaniko"'
+  tags: $[[ inputs.kaniko-build-job-tags ]]

 docker-dind-build:
  extends: .docker-dind-base
@@ -811,6 +849,7 @@ docker-dind-build:
        - docker.env
  rules:
    - if: '$DOCKER_BUILD_TOOL == "dind"'
+  tags: $[[ inputs.dind-build-job-tags ]]

 docker-buildah-build:
  extends: .docker-base
@@ -848,6 +887,7 @@ docker-buildah-build:
        - docker.env
  rules:
    - if: '$DOCKER_BUILD_TOOL == "buildah"'
+  tags: $[[ inputs.buildah-build-job-tags ]]

 # ==================================================
 # Stage: package-test
@@ -915,6 +955,7 @@ docker-healthcheck:
    - if: '$DOCKER_BUILD_TOOL != "dind"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.healthcheck-job-tags ]]

 # Security audit with trivy
 docker-trivy:
@@ -965,6 +1006,7 @@ docker-trivy:
    - if: '$DOCKER_TRIVY_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.docker-trivy-job-tags ]]

 docker-sbom:
  extends: .docker-base
@@ -991,6 +1033,7 @@ docker-sbom:
    - if: '$DOCKER_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.docker-sbom-job-tags ]]

 # ==================================================
 # Stage: publish
@@ -1062,3 +1105,4 @@ docker-publish:
    - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
      when: manual
    - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
+  tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file
No results found