Skip to content
Snippets Groups Projects
Commit 0b07845e authored by Pierre Smeyers's avatar Pierre Smeyers
Browse files

feat: adaptive pipeline

BREAKING CHANGE: change default workflow from Branch pipeline to MR pipeline
parent 8152b5b0
Branches
Tags
No related merge requests found
......@@ -17,7 +17,7 @@ include:
file: '/templates/gitlab-ci-gitleaks.yml'
```
## `gitleaks` and `gitleaks-quick` jobs configuration
## `gitleaks` jobs configuration
Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
They use the following configuration.
......@@ -27,8 +27,6 @@ They use the following configuration.
| `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `zricethezav/gitleaks:latest` |
| `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
| `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
| `GITLEAKS_QUICK_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches) | `--verbose` _(audit on the current branch)_ |
| `GITLEAKS_QUICK_DEPTH` | Number of commits to scan (on feature branches) | `10` |
### Configuring Gitleaks rules
......
......@@ -13,14 +13,33 @@
# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
# Floor, Boston, MA 02110-1301, USA.
# =========================================================================================
# default workflow rules
# default workflow rules: Merge Request pipelines
workflow:
rules:
# exclude merge requests
- if: $CI_MERGE_REQUEST_ID
# prevent branch pipeline when an MR is open (prefer MR pipeline)
- if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
when: never
- when: always
# test job prototype: implement adaptive pipeline rules
.test-policy:
rules:
# on tag: auto & failing
- if: $CI_COMMIT_TAG
# on ADAPTIVE_PIPELINE_DISABLED: auto & failing
- if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
# on production or integration branch(es): auto & failing
- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
# early stage (dev branch, no MR): manual & non-failing
- if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
when: manual
allow_failure: true
# Draft MR: auto & non-failing
- if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
allow_failure: true
# else (Ready MR): auto & failing
- when: on_success
variables:
# variabilized tracking image
TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
......@@ -28,9 +47,7 @@ variables:
# Default Docker image (can be overridden)
GITLEAKS_IMAGE: "zricethezav/gitleaks:latest"
GITLEAKS_ARGS: "--verbose"
GITLEAKS_QUICK_DEPTH: "10"
GITLEAKS_QUICK_ARGS: "--verbose"
# default production ref name (pattern)
PROD_REF: '/^(master|main)$/'
# default integration ref name (pattern)
......@@ -210,17 +227,4 @@ gitleaks:
paths:
- gitleaks/
rules:
# on production and integration branch(es)
- if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
# quick analysis on dev branches
gitleaks-quick:
extends: gitleaks
variables:
GIT_DEPTH: "${GITLEAKS_QUICK_DEPTH}"
script:
- gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS
rules:
# only on non-production, non-integration branches
- if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
allow_failure: true
- !reference [.test-policy, rules]
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment