Merge remote-tracking branch 'upstream/master'

# Conflicts: # .gitlab-ci.yml # CHANGELOG.md # templates/gitlab-ci-golang.yml

Merge remote-tracking branch 'upstream/master'
2d082a4e · Benguria Elguezabal, Gorka · ecd2b436 · 8af0555e · 2d082a4e · 2d082a4e
Commit 2d082a4e authored 3 months ago by Benguria Elguezabal, Gorka
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [4.12.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/golang/compare/4.11.1...4.12.0) (2025-01-29)
+# [4.13.0](https://gitlab.com/to-be-continuous/golang/compare/4.12.3...4.13.0) (2025-04-30)
+
+
+### Features
+
+* use go image for sbom job ([9b7e4ee](https://gitlab.com/to-be-continuous/golang/commit/9b7e4ee0ebbefc34c3cf374d72cbed10ed8ba7c6))
+
+## [4.12.3](https://gitlab.com/to-be-continuous/golang/compare/4.12.2...4.12.3) (2025-03-28)
+
+
+### Bug Fixes
+
+* typo in glc_major_ver ([e2cb9cf](https://gitlab.com/to-be-continuous/golang/commit/e2cb9cfc856ca19e8518b1a748386c4b2511e588))
+
+## [4.12.2](https://gitlab.com/to-be-continuous/golang/compare/4.12.1...4.12.2) (2025-03-27)
+
+
+### Bug Fixes
+
+* **ci-lint:** golangci-lint V2 no longer support --out-format arg ([d645607](https://gitlab.com/to-be-continuous/golang/commit/d645607caa016391f948362624be0311a29145fd))
+* **ci-lint:** golangci-lint V2 no longer support 'goimports' as a linter, but as formatter ([2f6c020](https://gitlab.com/to-be-continuous/golang/commit/2f6c0203e9ee0bf87078522c1e4cbae77322de21))
+
+## [4.12.1](https://gitlab.com/to-be-continuous/golang/compare/4.12.0...4.12.1) (2025-01-31)
+
+
+### Bug Fixes
+
+* **sbom:** only generate SBOMs on prod branches, integ branches and release tags ([261e8ce](https://gitlab.com/to-be-continuous/golang/commit/261e8ceb2d360768de0cc8fe3326cc9dfea4c121))
+
+# [4.12.0](https://gitlab.com/to-be-continuous/golang/compare/4.11.1...4.12.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
@@ -4,8 +4,8 @@ This project implements a GitLab CI/CD template to build, test and analyse your

 ## Usage

-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) 
-or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) 
+or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.

 ### Use as a CI/CD component

@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/golang/gitlab-ci-golang@4.12.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/golang/gitlab-ci-golang@4.13.0
    # 2: set/override component inputs
    inputs:
      image: "registry.hub.docker.com/library/golang:buster" # ⚠ this is only an example
@@ -28,7 +28,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/golang'
-    ref: '4.12.0'
+    ref: '4.13.0'
    file: '/templates/gitlab-ci-golang.yml'

 variables:
@@ -42,7 +42,7 @@ The Go template uses some global configuration used throughout all jobs.

 | Input / Variable | Description                                                                                                | Default value   |
 |------------------|------------------------------------------------------------------------------------------------------------|-----------------|
-| `image` / `GO_IMAGE` | The Docker image used to run Go for `go-build` <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/golang:bookworm` |
+| `image` / `GO_IMAGE` | The Docker image used to run Go for `go-build` <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/golang:bookworm` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_IMAGE) |
 | `test-image` / `GO_TEST_IMAGE` | The Docker image used to run Go for `go-test` <br/>:warning: **set the version required by your project**  | _none_ |
 | `project-dir` / `GO_PROJECT_DIR` | Go project root directory                                                                                  | `.`             |
 | `goproxy` / `GOPROXY` | URL of Go module proxy                                                                                     | _none_          |
@@ -113,7 +113,7 @@ If `GO_TEST_IMAGE` is set, separate `go-build` and `go-test` jobs will be run in

 Separating `build` and `test` jobs can be useful to use different images (and hence different tools) or if you want to build muli-platform binaries.

-Here is a `.gitlab-ci.yml` example that triggers a build on 3 target platforms using the [parallel matrix jobs](https://docs.gitlab.com/ee/ci/yaml/#parallel-matrix-jobs) pattern:
+Here is a `.gitlab-ci.yml` example that triggers a build on 3 target platforms using the [parallel matrix jobs](https://docs.gitlab.com/ci/yaml/#parallel-matrix-jobs) pattern:

 ```yaml
 variables:
@@ -155,9 +155,9 @@ In addition to a textual report in the console, the test jobs produce the follow
 |-----------------------------------------------------|------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
 | `$GO_PROJECT_DIR/reports/go-test.native.txt`        | native Go test report (text)                                                       | N/A                                                                                                                   |
 | `$GO_PROJECT_DIR/reports/go-test.native.json`       | native Go test report (json)                                                       | [SonarQube integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-execution-parameters/#go) |
-| `$GO_PROJECT_DIR/reports/go-test.xunit.xml`         | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s)                        | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportsjunit)                 |
+| `$GO_PROJECT_DIR/reports/go-test.xunit.xml`         | [xUnit](https://en.wikipedia.org/wiki/XUnit) test report(s)                        | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsjunit)                 |
 | `$GO_PROJECT_DIR/reports/go-coverage.native.out`    | native Go coverage                                                                 | N/A                                                                                                                   |
-| `$GO_PROJECT_DIR/reports/go-coverage.cobertura.xml` | [Cobertura XML](https://gcovr.com/en/stable/output/cobertura.html) coverage report | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscoverage_report)       |
+| `$GO_PROJECT_DIR/reports/go-coverage.cobertura.xml` | [Cobertura XML](https://gcovr.com/en/stable/output/cobertura.html) coverage report | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscoverage_report)       |

 ### `go-ci-lint` job

@@ -167,8 +167,8 @@ It is bound to the `build` stage, and uses the following variables:

 | Input / Variable | Description                                                                                              | Default value                          |
 |-----------------------|----------------------------------------------------------------------------------------------------------|----------------------------------------|
-| `ci-lint-image` / `GO_CI_LINT_IMAGE` | The Docker image used to run `golangci-lint`                                                             | `registry.hub.docker.com/golangci/golangci-lint:latest-alpine` |
-| `ci-lint-args` / `GO_CI_LINT_ARGS` | `golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options) | `-E gosec,goimports ./...`             |
+| `ci-lint-image` / `GO_CI_LINT_IMAGE` | The Docker image used to run `golangci-lint`                                                             | `registry.hub.docker.com/golangci/golangci-lint:latest-alpine` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_CI_LINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_CI_LINT_IMAGE) |
+| `ci-lint-args` / `GO_CI_LINT_ARGS` | `golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options) | `-E gosec ./...`             |
 | `ci-lint-disabled` / `GO_CI_LINT_DISABLED` | Set to `true` to disable this job                                                                        | _none_ (enabled)                        |
 | `go-ci-lint-job-tags` / `GO_CI_LINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

@@ -176,7 +176,7 @@ In addition to a textual report in the console, this job produces the following

 | Report                                                | Format                                                   | Usage                                                                                                       |
 |-------------------------------------------------------|----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| `$GO_PROJECT_DIR/reports/go-ci-lint.codeclimate.json` | [Code Climate](https://docs.codeclimate.com/docs/pylint) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportscodequality) |
+| `$GO_PROJECT_DIR/reports/go-ci-lint.codeclimate.json` | [Code Climate](https://docs.codeclimate.com/docs/pylint) | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportscodequality) |
 | `$GO_PROJECT_DIR/reports/go-ci-lint.checkstyle.xml`   | Checkstyle                                               | [SonarQube integration](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/importing-external-issues/external-analyzer-reports/)                        |

 ### `go-semgrep` job
@@ -188,7 +188,7 @@ It is bound to the `test` stage, and uses the following variables:
 | Input / Variable | Description | Default Value |
 | ---------------- | ----------- | ------------- |
 | `semgrep-disabled` / `GO_SEMGREP_DISABLED` | Set to `true` to disable this job | _none_ |
-| `semgrep-image` / `GO_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` |
+| `semgrep-image` / `GO_SEMGREP_IMAGE` | The Docker image used to run [Semgrep](https://semgrep.dev/docs/) | `registry.hub.docker.com/semgrep/semgrep:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-GO_SEMGREP_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-GO_SEMGREP_IMAGE) |
 | `semgrep-args` / `GO_SEMGREP_ARGS` | Semgrep [scan options](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | `--metrics off --disable-version-check` |
 | `semgrep-rules` / `GO_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Segmrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/golang p/gosec` |
 | `semgrep-download-rules-enabled` / `GO_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` |
@@ -204,7 +204,7 @@ In addition to a textual report in the console, this job produces the following

 | Report | Format | Usage |
 | ------ | ------ | ----- |
-| `$GO_PROJECT_DIR/reports/golang-semgrep.gitlab.json` | [GitLab's SAST format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [GitLab integration](https://docs.gitlab.com/ee/ci/yaml/artifacts_reports.html#artifactsreportssast) |
+| `$GO_PROJECT_DIR/reports/golang-semgrep.gitlab.json` | [GitLab's SAST format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [GitLab integration](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportssast) |
 | `$GO_PROJECT_DIR/reports/golang-semgrep.native.json` | [Semgrep's JSON format](https://semgrep.dev/docs/cli-reference#semgrep-scan-command-options) | [DefectDojo integration](https://docs.defectdojo.com/en/connecting_your_tools/parsers/file/semgrep/)<br/>_This report is generated only if DefectDojo template is detected_ |

 ### `go-mod-outdated` job
@@ -262,7 +262,8 @@ It is bound to the `test` stage, and uses the following variables:
 | Input / Variable | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `GO_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
-| `sbom-image` / `GO_SBOM_IMAGE` | Image of cyclonedx-gomod used for SBOM analysis | `registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest` |
+| `TBC_SBOM_MODE`                      | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `GO_SBOM_DISABLED` takes precedence | `onrelease` |
+| `sbom-image` / `GO_SBOM_IMAGE` | Specific Docker image used to run cyclonedx-gomod | `$GO_IMAGE` |
 | `sbom-opts` / `GO_SBOM_OPTS` | [@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis | `-main .` |
 | `go-sbom-job-tags` / `GO_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |


--- a/kicker.json
+++ b/kicker.json
@@ -144,7 +144,7 @@
        {
          "name": "GO_CI_LINT_ARGS",
          "description": "`golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options)",
-          "default": "-E gosec,goimports ./...",
+          "default": "-E gosec ./...",
          "advanced": true
        },
        {
@@ -182,9 +182,19 @@
      "description": "This job generates a file listing all dependencies using [cyclonedx-gomod](https://github.com/CycloneDX/cyclonedx-gomod)",
      "disable_with": "GO_SBOM_DISABLED",
      "variables": [
+        {
+          "name": "TBC_SBOM_MODE",
+          "type": "enum",
+          "values": ["onrelease", "always"],
+          "description": "Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline)",
+          "advanced": true,
+          "default": "onrelease"
+        },
        {
          "name": "GO_SBOM_IMAGE",
-          "default": "registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest"
+          "description": "Specific Docker image used to run cyclonedx-gomod",
+          "advanced": true,
+          "default": "$GO_IMAGE"
        },
        {
          "name": "GO_SBOM_OPTS",

--- a/templates/gitlab-ci-golang.yml
+++ b/templates/gitlab-ci-golang.yml
@@ -80,7 +80,7 @@ spec:
      default: registry.hub.docker.com/golangci/golangci-lint:latest-alpine
    ci-lint-args:
      description: '`golangci-lint` [command line arguments](https://github.com/golangci/golangci-lint#command-line-options)'
-      default: -E gosec,goimports ./...
+      default: -E gosec ./...
    semgrep-image:
      description: The Docker image used to run [Semgrep](https://semgrep.dev/docs/)
      default: registry.hub.docker.com/semgrep/semgrep:latest
@@ -109,7 +109,8 @@ spec:
      type: boolean
      default: false
    sbom-image:
-      default: registry.hub.docker.com/cyclonedx/cyclonedx-gomod:latest
+      description: Specific Docker image used to run cyclonedx-gomod
+      default: '$GO_IMAGE'
    sbom-opts:
      description: '[@cyclonedx/cyclonedx-gomod options](https://github.com/CycloneDX/cyclonedx-gomod#usage) used for SBOM analysis'
      default: -main .
@@ -197,7 +198,18 @@ workflow:
    # else (Ready MR): auto & failing
    - when: on_success

+# software delivery job prototype: run on production and integration branches + release pipelines
+.delivery-policy:
+  rules:
+    # on tag with release pattern
+    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+    # on production or integration branch(es)
+    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+
 variables:
+  # Global TBC SBOM Mode (onrelease -> only generate SBOMs for releases, always -> generate SBOMs for all refs)
+  TBC_SBOM_MODE: "onrelease"
+
  # Default Go project root directory
  GO_PROJECT_DIR: $[[ inputs.project-dir ]]

@@ -261,6 +273,8 @@ variables:
  PROD_REF: /^(master|main)$/
  # default integration ref name (pattern)
  INTEG_REF: /^develop$/
+  # default release tag name (pattern)
+  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-\.]+)?(\+[a-zA-Z0-9-\.]+)?$/'

 stages:
  - build
@@ -625,7 +639,7 @@ stages:
  image: $GO_IMAGE
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "golang", "4.12.0"]
+      command: ["--service", "golang", "4.13.0"]
  variables:
    # The directory where 'go install' will install a command.
    GOBIN: "$CI_PROJECT_DIR/$GO_PROJECT_DIR/bin"
@@ -743,7 +757,14 @@ go-ci-lint:
  script:
    - mkdir -p -m 777 reports
    # produce all reports at once
-    - golangci-lint run --out-format "colored-line-number:stdout,code-climate:reports/go-ci-lint.codeclimate.json,checkstyle:reports/go-ci-lint.checkstyle.xml" $GO_CI_LINT_ARGS
+    - |
+      glc_major_ver=$(golangci-lint version | cut -d' ' -f4 | cut -d'.' -f1)
+      if [[ "$glc_major_ver" == "1" ]]
+      then
+        golangci-lint run --out-format "colored-line-number:stdout,code-climate:reports/go-ci-lint.codeclimate.json,checkstyle:reports/go-ci-lint.checkstyle.xml" $GO_CI_LINT_ARGS
+      else
+        golangci-lint run --output.text.path stdout --output.code-climate.path reports/go-ci-lint.codeclimate.json --output.checkstyle.path reports/go-ci-lint.checkstyle.xml $GO_CI_LINT_ARGS
+      fi
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    expire_in: 1 day
@@ -826,7 +847,7 @@ go-sbom:
  image:
    name: $GO_SBOM_IMAGE
    entrypoint: [""]
-  # manage separate GitLab cache to prevent permission denied error (this image being rootless, it can't rewrite Go cache - owned by root)
+  # manage separate GitLab cache to prevent permission denied error (cyclonedx-gomod image being rootless, it can't rewrite Go cache - owned by root)
  # see: https://gitlab.com/gitlab-org/gitlab-runner/-/issues/29663
  cache:
    key: "$CI_COMMIT_REF_SLUG-golang-sbom"
@@ -836,10 +857,10 @@ go-sbom:
  dependencies: []
  needs: []
  script:
+    - command -v cyclonedx-gomod > /dev/null || go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
    - mkdir -p -m 777 reports
    - go_mode=$(go_build_mode)
-    - |
-      cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
+    - cyclonedx-gomod "${go_mode:0:3}" -json -output reports/go-sbom.cyclonedx.json $GO_SBOM_OPTS
    - chmod a+r reports/go-sbom.cyclonedx.json
  artifacts:
    name: "SBOM for golang from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
@@ -854,7 +875,13 @@ go-sbom:
    # exclude if disabled
    - if: '$GO_SBOM_DISABLED == "true"'
      when: never
-    - !reference [.test-policy, rules]
+    # 'always' mode: run
+    - if: '$TBC_SBOM_MODE == "always"'
+    # exclude unsupported modes
+    - if: '$TBC_SBOM_MODE != "onrelease"'
+      when: never
+    # 'onrelease' mode: use common software delivery rules
+    - !reference [.delivery-policy, rules]
  tags: $[[ inputs.go-sbom-job-tags ]]

 go-govulncheck: