feat: adaptive pipeline

BREAKING CHANGE: change default workflow from Branch pipeline to MR pipeline

README.md

@@ -17,7 +17,7 @@ include:
     file: '/templates/gitlab-ci-gitleaks.yml'
 ```
 
-## `gitleaks` and `gitleaks-quick` jobs configuration
+## `gitleaks` jobs configuration
 
 Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
 They use the following configuration.
@@ -27,8 +27,6 @@ They use the following configuration.
 | `GITLEAKS_IMAGE`      | The Docker image used to run Gitleaks  | `zricethezav/gitleaks:latest` |
 | `GITLEAKS_RULES`      | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
 | `GITLEAKS_ARGS`       | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
-| `GITLEAKS_QUICK_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches) | `--verbose` _(audit on the current branch)_ |
-| `GITLEAKS_QUICK_DEPTH` | Number of commits to scan (on feature branches) | `10` | 
 
 ### Configuring Gitleaks rules
 

templates/gitlab-ci-gitleaks.yml

@@ -13,14 +13,33 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
-# default workflow rules
+# default workflow rules: Merge Request pipelines
 workflow:
   rules:
-    # exclude merge requests
-    - if: $CI_MERGE_REQUEST_ID
+    # prevent branch pipeline when an MR is open (prefer MR pipeline)
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
       when: never
     - when: always
 
+# test job prototype: implement adaptive pipeline rules
+.test-policy:
+  rules:
+    # on tag: auto & failing
+    - if: $CI_COMMIT_TAG
+    # on ADAPTIVE_PIPELINE_DISABLED: auto & failing
+    - if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
+    # on production or integration branch(es): auto & failing
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+    # early stage (dev branch, no MR): manual & non-failing
+    - if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
+      when: manual
+      allow_failure: true
+    # Draft MR: auto & non-failing
+    - if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
+      allow_failure: true
+    # else (Ready MR): auto & failing
+    - when: on_success
+
 variables:
   # variabilized tracking image
   TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
@@ -28,9 +47,7 @@ variables:
   # Default Docker image (can be overridden)
   GITLEAKS_IMAGE: "zricethezav/gitleaks:latest"
   GITLEAKS_ARGS: "--verbose"
-  GITLEAKS_QUICK_DEPTH: "10"
 
-  GITLEAKS_QUICK_ARGS: "--verbose"
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
@@ -210,17 +227,4 @@ gitleaks:
     paths:
       - gitleaks/
   rules:
-    # on production and integration branch(es)
-    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
-
-# quick analysis on dev branches
-gitleaks-quick:
-  extends: gitleaks
-  variables:
-    GIT_DEPTH: "${GITLEAKS_QUICK_DEPTH}"
-  script:
-    - gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS
-  rules:
-    # only on non-production, non-integration branches
-    - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
-      allow_failure: true
+    - !reference [.test-policy, rules]