feat: migrate to CI/CD component

requires GitLab 16.6 or later

feat: migrate to CI/CD component
e15efce4 · Pierre Smeyers · fc2cc9b5 · e15efce4 · e15efce4 · e15efce4
Commit e15efce4 authored 1 year ago by Pierre Smeyers
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ include:
    file: '/templates/validation.yml'
  - project: 'to-be-continuous/bash'
    ref: '3.3'
-    file: 'templates/gitlab-ci-bash.yml'
+    file: '/templates/gitlab-ci-bash.yml'
  - project: 'to-be-continuous/semantic-release'
    ref: '3.7'
    file: '/templates/gitlab-ci-semrel.yml'

--- a/README.md
+++ b/README.md
@@ -9,13 +9,36 @@ When run on other branches, Gitleaks will run a quick analysis on the current br
 ## Usage
-In order to include this template in your project, add the following to your `gitlab-ci.yml`:
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) 
+or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+### Use as a CI/CD component
+Add the following to your `gitlab-ci.yml`:
 ```yaml
 include:
+  # 1: include the component
+  - component: gitlab.com/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.3.0
+    # 2: set/override component inputs
+    inputs:
+      args: "--no-banner" # ⚠ this is only an example
+```
+### Use as a CI/CD template (legacy)
+Add the following to your `gitlab-ci.yml`:
+```yaml
+include:
+  # 1: include the template
  - project: 'to-be-continuous/gitleaks'
    ref: '2.3.0'
    file: '/templates/gitlab-ci-gitleaks.yml'
+variables:
+  # 2: set/override template variables
+  GITLEAKS_ARGS: "--no-banner" # ⚠ this is only an example
 ```
 ## `gitleaks` jobs configuration
@@ -23,11 +46,11 @@ include:
 Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).
 They use the following configuration.
-| Name                  | Description                            | Default value     |
+| Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
-| `GITLEAKS_IMAGE`      | The Docker image used to run Gitleaks  | `registry.hub.docker.com/zricethezav/gitleaks:latest` |
+| `image` / `GITLEAKS_IMAGE` | The Docker image used to run Gitleaks  | `registry.hub.docker.com/zricethezav/gitleaks:latest` |
-| `GITLEAKS_RULES`      | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
+| `rules` / `GITLEAKS_RULES` | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |
-| `GITLEAKS_ARGS`       | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
+| `args` / `GITLEAKS_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |
 ### Configuring Gitleaks rules

--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
  # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md
  # replace in template and variants
  for tmpl in templates/*.yml
  do
-    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
 else

--- a/kicker.json
+++ b/kicker.json
@@ -3,6 +3,8 @@
  "description": "Detect and prevent hardcoded secrets in your Git repository with [Gitleaks](https://github.com/zricethezav/gitleaks/wiki)",
  "template_path": "templates/gitlab-ci-gitleaks.yml",
  "kind": "analyse",
+  "prefix": "gitleaks",
+  "is_component": true,
  "variables": [
    {
      "name": "GITLEAKS_IMAGE",

--- a/logo.png
+++ b/logo.png
--- a/templates/gitlab-ci-gitleaks.yml
+++ b/templates/gitlab-ci-gitleaks.yml
@@ -14,6 +14,25 @@
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
 # default workflow rules: Merge Request pipelines
+spec:
+  inputs:
+    image:
+      description: The Docker image used to run Gitleaks
+      default: registry.hub.docker.com/zricethezav/gitleaks:latest
+    rules:
+      description: Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks/wiki/Configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project).
+      default: ''
+    args:
+      description: '[Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches)'
+      default: --verbose
+    quick-args:
+      description: '[Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches)'
+      default: --verbose
+    quick-depth:
+      description: Number of commits to scan (on feature branches)
+      type: number
+      default: 10
+---
 workflow:
  rules:
    # prevent branch pipeline when an MR is open (prefer MR pipeline)
@@ -56,16 +75,19 @@ workflow:
 variables:
  # variabilized tracking image
-  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
+  TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
  # Default Docker image (can be overridden)
-  GITLEAKS_IMAGE: "registry.hub.docker.com/zricethezav/gitleaks:latest"
+  GITLEAKS_IMAGE: $[[ inputs.image ]]
-  GITLEAKS_ARGS: "--verbose"
+  GITLEAKS_ARGS: $[[ inputs.args ]]
+  GITLEAKS_RULES: $[[ inputs.rules ]]
+  GITLEAKS_QUICK_ARGS: $[[ inputs.quick-args ]]
+  GITLEAKS_QUICK_DEPTH: $[[ inputs.quick-depth ]]
  # default production ref name (pattern)
-  PROD_REF: '/^(master|main)$/'
+  PROD_REF: /^(master|main)$/
  # default integration ref name (pattern)
-  INTEG_REF: '/^develop$/'
+  INTEG_REF: /^develop$/
 stages:
  - build