Compare revisions

semantic-release-bot · Benguria Elguezabal, Gorka · Guilhem Bonnefille · Pierre Smeyers · Guilhem Bonnefille · Pierre Smeyers
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-variables:
-  GIT_STRATEGY: clone
-
 include:
  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/extract@master
    inputs:
@@ -21,6 +18,9 @@ include:
  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master
    inputs:
      semantic-release-job-tags: ["docker"]
+  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitleaks/gitlab-ci-gitleaks@master
+    inputs:
+      gitleaks-job-tags: ["docker"]

 stages:
  - build
@@ -30,6 +30,7 @@ stages:
 variables:
  GITLAB_CI_FILES: "templates/gitlab-ci-docker.yml"
  BASH_SHELLCHECK_FILES: "*.sh"
+  GIT_STRATEGY: clone

 semantic-release:
  rules:

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-## [5.10.3](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.2...5.10.3) (2024-07-02)
+# [5.11.0](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.3...5.11.0) (2024-07-26)


-### Bug Fixes
+### Features
+
+* display tools' version ([9fa5118](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/9fa51183755b94e02af9a3151eccc5ba9be75b15))
+
+# [5.11.0](https://gitlab.com/to-be-continuous/docker/compare/5.10.3...5.11.0) (2024-07-05)
+
+
+### Features

-* **Trivy:** Trivy 0.53.0 added the clean subcommand for semantic cache management ([e3a9540](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/e3a954080b1150ae35c403cffdb71ae750c9a741))
+* display tools' version ([9fa5118](https://gitlab.com/to-be-continuous/docker/commit/9fa51183755b94e02af9a3151eccc5ba9be75b15))

-## [5.10.2](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/compare/5.10.1...5.10.2) (2024-05-13)
+## [5.10.3](https://gitlab.com/to-be-continuous/docker/compare/5.10.2...5.10.3) (2024-07-01)


 ### Bug Fixes

-* **workflow:** disable MR pipeline from prod & integ branches ([6460d7b](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/docker/commit/6460d7bba7a231ff68b163c861a4b40f37ee08bb))
+* **Trivy:** Trivy 0.53.0 added the clean subcommand for semantic cache management ([e3a9540](https://gitlab.com/to-be-continuous/docker/commit/e3a954080b1150ae35c403cffdb71ae750c9a741))

 ## [5.10.2](https://gitlab.com/to-be-continuous/docker/compare/5.10.1...5.10.2) (2024-05-05)


--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@ Add the following to your `gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.3
+  - component: gitlab.com/to-be-continuous/docker/gitlab-ci-docker@5.10.2
    # 2: set/override component inputs
    inputs:
      build-tool: buildah # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/docker'
-    ref: '5.10.3'
+    ref: '5.10.2'
    file: '/templates/gitlab-ci-docker.yml'

 variables:

--- a/templates/gitlab-ci-docker-ecr.yml
+++ b/templates/gitlab-ci-docker-ecr.yml
@@ -45,7 +45,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.3"]
+      command: ["--service", "docker", "5.11.0"]
    - name: "$TBC_AWS_PROVIDER_IMAGE"
      alias: "aws-auth-provider"
  id_tokens:

--- a/templates/gitlab-ci-docker-gcp.yml
+++ b/templates/gitlab-ci-docker-gcp.yml
@@ -44,7 +44,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.3"]
+      command: ["--service", "docker", "5.11.0"]
    - name: "$TBC_GCP_PROVIDER_IMAGE"
      alias: "gcp-auth-provider"
  variables:

--- a/templates/gitlab-ci-docker-vault.yml
+++ b/templates/gitlab-ci-docker-vault.yml
@@ -22,7 +22,7 @@ variables:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.3"]
+      command: ["--service", "docker", "5.11.0"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -697,7 +697,7 @@ stages:
 .docker-base:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.3"]
+      command: ["--service", "docker", "5.11.0"]
  before_script:
    - !reference [.docker-scripts]

@@ -715,6 +715,9 @@ stages:
  before_script:
  - !reference [.docker-scripts]
  - create_kaniko_cache_dir
+  - |
+    log_info "Kaniko version:"
+    /kaniko/executor version


 .docker-dind-base:
@@ -730,7 +733,7 @@ stages:
    _TRACE: "${TRACE}"
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "docker", "5.10.3"]
+      command: ["--service", "docker", "5.11.0"]
    - name: $DOCKER_DIND_IMAGE
      alias: docker
      command:
@@ -743,6 +746,9 @@ stages:
  before_script:
    - !reference [.docker-scripts]
    - if ! wait_for_docker_daemon; then fail "Docker-in-Docker is not enabled on this runner. Either use a Docker-in-Docker capable runner, or disable this job by setting \$DOCKER_BUILD_TOOL to a different value"; fi
+    - |
+      log_info "Docker version:"
+      docker version

 # ==================================================
 # Stage: build
@@ -757,7 +763,11 @@ docker-hadolint:
  dependencies: []
  script:
    - autoconfig_hadolint
+    - |
+      log_info "Hadolint version:"
+      hadolint -v
    - mkdir -p -m 777 reports
+    - log_info "Scanning ${DOCKER_FILE}..."
    - dockerfile_hash=$(echo "$DOCKER_FILE" | md5sum | cut -d" " -f1)
    # Output in Code Climate format (GitLab integration)
    - hadolint --no-fail -f gitlab_codeclimate $DOCKER_HADOLINT_ARGS $hadolint_config_opts "$DOCKER_FILE" > "reports/docker-hadolint-${dockerfile_hash}.codeclimate.json"
@@ -864,6 +874,9 @@ docker-buildah-build:
          buildah_cache_args="--layers --cache-from $buildah_build_cache --cache-to $buildah_build_cache"
          log_info "Build cache enabled; CLI options: ${buildah_cache_args}"
      fi
+    - |
+      log_info "Buildah version:"
+      buildah version
    # build and push image
    - buildah build --file "$DOCKER_FILE" --tag $DOCKER_SNAPSHOT_IMAGE $buildah_cache_args --build-arg http_proxy="$http_proxy" --build-arg https_proxy="$https_proxy" --build-arg no_proxy="$no_proxy" $DOCKER_METADATA $DOCKER_BUILD_ARGS "$(docker_context_path)"
    - buildah push --digestfile .img-digest.txt "$DOCKER_SNAPSHOT_IMAGE"
@@ -899,7 +912,9 @@ docker-healthcheck:
  variables:
    GIT_STRATEGY: none
  stage: package-test
-  script: |
+  script:
+  - log_info "Healthchecking ${DOCKER_SNAPSHOT_IMAGE}..."
+  - |
    # Test by internal health_check (Recommended way, more info https://docs.docker.com/engine/reference/builder/#healthcheck)
    # This looks complicated but you normally don't have to touch this...
    function unexpected_error() {
@@ -966,9 +981,15 @@ docker-trivy:
  stage: package-test
  variables:
    TRIVY_CACHE_DIR: ".trivycache/"
-  script: |
+  script:
+  - log_info "Scanning vulnerabilities from ${DOCKER_SNAPSHOT_IMAGE}..."
+  - |
+    log_info "Trivy version:"
+    trivy version
+  - |
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    trivy clean --scan-cache || trivy image --clear-cache
+  - |
    export TRIVY_USERNAME=${DOCKER_REGISTRY_SNAPSHOT_USER:-${DOCKER_REGISTRY_USER:-$CI_REGISTRY_USER}}
    export TRIVY_PASSWORD=${DOCKER_REGISTRY_SNAPSHOT_PASSWORD:-${DOCKER_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
    basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
@@ -1015,6 +1036,10 @@ docker-sbom:
    name: $DOCKER_SBOM_IMAGE
    entrypoint: [""]
  script:
+    - log_info "Extracting SBOM from ${DOCKER_SNAPSHOT_IMAGE}..."
+    - |
+      log_info "Syft version:"
+      /syft version
    - mkdir -p -m 777 reports
    - basename=$(echo "${DOCKER_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
    - /syft scan ${TRACE+-vv} $DOCKER_SNAPSHOT_IMAGE $DOCKER_SBOM_OPTS -o cyclonedx-json=reports/docker-sbom-${basename}.cyclonedx.json
@@ -1068,8 +1093,12 @@ docker-publish:
        log_warn "\\e[93mYou should consider distinguishing snapshot and release images as they do not differ. Skipping publish phase as image has already been created by previous job.\\e[0m"
        exit 0
      fi
+    - |
+      log_info "Skopeo version:"
+      skopeo -v
    - BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
    # 1: push main image
+    - log_info "Copying ${DOCKER_SNAPSHOT_IMAGE} to ${DOCKER_RELEASE_IMAGE}..."
    - skopeo copy --src-authfile "$BUILDTOOL_HOME/skopeo/.docker/src-config.json" --dest-authfile "$BUILDTOOL_HOME/skopeo/.docker/dest-config.json" ${DOCKER_PUBLISH_ARGS} "docker://$DOCKER_SNAPSHOT_IMAGE" "docker://$DOCKER_RELEASE_IMAGE"
    - |
      log_info "Well done your image is pushed and can be pulled with: docker pull $DOCKER_RELEASE_IMAGE"
No results found