Commit 0b07845e authored by Pierre Smeyers's avatar Pierre Smeyers

feat: adaptive pipeline

BREAKING CHANGE: change default workflow from Branch pipeline to MR pipeline
parent 8152b5b0
...@@ -17,7 +17,7 @@ include: ...@@ -17,7 +17,7 @@ include:
file: '/templates/gitlab-ci-gitleaks.yml' file: '/templates/gitlab-ci-gitleaks.yml'
``` ```
## `gitleaks` and `gitleaks-quick` jobs configuration ## `gitleaks` jobs configuration
Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch). Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
They use the following configuration. They use the following configuration.
...@@ -27,8 +27,6 @@ They use the following configuration. ...@@ -27,8 +27,6 @@ They use the following configuration.
| `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `zricethezav/gitleaks:latest` | | `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks | `zricethezav/gitleaks:latest` |
| `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) | | `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
| `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` | | `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
| `GITLEAKS_QUICK_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches) | `--verbose` _(audit on the current branch)_ |
| `GITLEAKS_QUICK_DEPTH` | Number of commits to scan (on feature branches) | `10` |
### Configuring Gitleaks rules ### Configuring Gitleaks rules
...@@ -13,14 +13,33 @@ ...@@ -13,14 +13,33 @@
# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
# Floor, Boston, MA 02110-1301, USA. # Floor, Boston, MA 02110-1301, USA.
# ========================================================================================= # =========================================================================================
# default workflow rules # default workflow rules: Merge Request pipelines
workflow: workflow:
rules: rules:
# exclude merge requests # prevent branch pipeline when an MR is open (prefer MR pipeline)
- if: $CI_MERGE_REQUEST_ID - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
when: never when: never
- when: always - when: always
# test job prototype: implement adaptive pipeline rules
.test-policy:
rules:
# on tag: auto & failing
- if: $CI_COMMIT_TAG
# on ADAPTIVE_PIPELINE_DISABLED: auto & failing
- if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
# on production or integration branch(es): auto & failing
- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
# early stage (dev branch, no MR): manual & non-failing
- if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
when: manual
allow_failure: true
# Draft MR: auto & non-failing
- if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
allow_failure: true
# else (Ready MR): auto & failing
- when: on_success
variables: variables:
# variabilized tracking image # variabilized tracking image
TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master" TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
...@@ -28,9 +47,7 @@ variables: ...@@ -28,9 +47,7 @@ variables:
# Default Docker image (can be overridden) # Default Docker image (can be overridden)
GITLEAKS_IMAGE: "zricethezav/gitleaks:latest" GITLEAKS_IMAGE: "zricethezav/gitleaks:latest"
GITLEAKS_ARGS: "--verbose" GITLEAKS_ARGS: "--verbose"
GITLEAKS_QUICK_DEPTH: "10"
GITLEAKS_QUICK_ARGS: "--verbose"
# default production ref name (pattern) # default production ref name (pattern)
PROD_REF: '/^(master|main)$/' PROD_REF: '/^(master|main)$/'
# default integration ref name (pattern) # default integration ref name (pattern)
...@@ -210,17 +227,4 @@ gitleaks: ...@@ -210,17 +227,4 @@ gitleaks:
paths: paths:
- gitleaks/ - gitleaks/
rules: rules:
# on production and integration branch(es) - !reference [.test-policy, rules]
- if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'
# quick analysis on dev branches
gitleaks-quick:
extends: gitleaks
variables:
GIT_DEPTH: "${GITLEAKS_QUICK_DEPTH}"
script:
- gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS
rules:
# only on non-production, non-integration branches
- if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
allow_failure: true
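Review bot: With the new `.test-policy` rules, a push to a development branch that has no open merge request makes the `gitleaks` job `when: manual` with `allow_failure: true`, so the secret scan no longer runs on its own at the first point a committed credential reaches the remote; nothing reports it until someone opens an MR, and the old `gitleaks-quick` job that covered exactly that case is removed in this hunk. For a secret scanner this window matters more than for unit tests, because the value is already exposed once pushed, so I would either keep the job auto-running but non-blocking on such branches or state the reduced coverage in the README. One way is to give `gitleaks` its own early-stage rule instead of the shared `!reference`: `- if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'` followed by `allow_failure: true` with no `when: manual`, leaving `.test-policy` unchanged for other templates. As a point of style, `- if: $CI_COMMIT_TAG` is the only unquoted condition in the rule set; `- if: '$CI_COMMIT_TAG'` keeps it consistent with the entries around it. The `gitleaks` job definition starts before this hunk, so its other keys are not visible here.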