diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index d163e3317ff2d7afc26c886f7d15a8db3316ed19..6e5dffbe9a0a49c6afbd9d0fba936ad2c1e199ca 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -10,7 +10,7 @@ include: file: '/templates/validation.yml' - project: 'to-be-continuous/bash' ref: '3.3' - file: 'templates/gitlab-ci-bash.yml' + file: '/templates/gitlab-ci-bash.yml' - project: 'to-be-continuous/semantic-release' ref: '3.7' file: '/templates/gitlab-ci-semrel.yml' diff --git a/README.md b/README.md index 0a4e11bb95c7f6d9c297b0ac299a9a39fad3f541..9876c5574db23b2784f8f12da89e1d3c49892f9b 100644 --- a/README.md +++ b/README.md 
@@ -4,27 +4,54 @@ This project implements a GitLab CI/CD template to build, test and analyse your ## Usage -In order to include this template in your project, add the following to your `gitlab-ci.yml`: +This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) +or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. + +### Use as a CI/CD component + +Add the following to your `gitlab-ci.yml`: ```yaml include: + # 1: include the component + - component: gitlab.com/to-be-continuous/maven/gitlab-ci-maven@3.8.0 + # 2: set/override component inputs + inputs: + # ⚠ this is only an example + image: registry.hub.docker.com/library/maven:3.8-openjdk-18 + deploy-enabled: true +``` + +### Use as a CI/CD template (legacy) + +Add the following to your `gitlab-ci.yml`: + +```yaml +include: + # 1: include the template - project: 'to-be-continuous/maven' ref: '3.8.0' file: '/templates/gitlab-ci-maven.yml' + +variables: + # 2: set/override template variables + # ⚠ this is only an example + MAVEN_IMAGE: registry.hub.docker.com/library/maven:3.8-openjdk-18 + MAVEN_DEPLOY_ENABLED: "true" ``` ## Global configuration The Maven template uses some global configuration throughout all jobs. 
-| Name | description | default value | +| Input / Variable | Description | Default value | | --------------------- |--------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------| -| `MAVEN_IMAGE` | The Docker image used to run Maven <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/maven:latest` | -| `MAVEN_PROJECT_DIR` | Maven projet root directory | `.` | -| `MAVEN_CFG_DIR` | The Maven configuration directory | `.m2` | -| `MAVEN_SETTINGS_FILE` | The Maven `settings.xml` file path | `${MAVEN_CFG_DIR}/settings.xml` | -| `MAVEN_OPTS` | [Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable) | `-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true` | -| `MAVEN_CLI_OPTS` | Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html) used on the command line | `--no-transfer-progress --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true` | +| `image` / `MAVEN_IMAGE` | The Docker image used to run Maven <br/>:warning: **set the version required by your project** | `registry.hub.docker.com/library/maven:latest` | +| `project-dir` / `MAVEN_PROJECT_DIR` | Maven projet root directory | `.` | +| `cfg-dir` / `MAVEN_CFG_DIR` | The Maven configuration directory | `.m2` | +| `settings-file` / `MAVEN_SETTINGS_FILE` | The Maven `settings.xml` file path | `${MAVEN_CFG_DIR}/settings.xml` | +| `opts` / `MAVEN_OPTS` | [Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable) | `-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true` | 
+| `cli-opts` / `MAVEN_CLI_OPTS` | Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html) used on the command line | `--no-transfer-progress --batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true` | ### About `$MAVEN_CFG_DIR` @@ -51,9 +78,9 @@ for test jobs dependency reasons (some test jobs such as SONAR analysis have a d It uses the following variable: -| Name | description | default value | +| Input / Variable | Description | Default value | | --------------------- | ---------------------------------------- | ----------------- | -| `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` | +| `build-args` / `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` | #### About Code Coverage 
@@ -81,14 +108,14 @@ More info: This job, **disabled by default**, is bound to the `test` stage and performs a SonarQube analysis of your code. This job uses the following variables: -| Name | description | default value | +| Input / Variable | Description | Default value | | ------------------------ | -------------------------------------- | ----------------- | -| `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | +| `sonar-host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | | :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube/latest/user-guide/user-account/generating-and-using-tokens/#using-a-token) (depends on your authentication method) | _none_ | | :lock: `SONAR_LOGIN` | SonarQube [login](https://docs.sonarsource.com/sonarqube/latest/extension-guide/web-api/#http-basic-access) (depends on your authentication method) | _none_ | | :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ | -| `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | -| `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) | +| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | +| 
`sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) | #### Recommended minimal configuration @@ -141,10 +168,10 @@ analysis. It is bound to the `test` stage, and uses the following variables: -| Name | description | default value | +| Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | -| `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ | -| `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` | +| `dependency-check-disabled` / `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ | +| `dependency-check-args` / `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` | A Dependency Check is a quite long operation and therefore the job is configured to be ran __manually__ by default. @@ -187,9 +214,9 @@ Failure is allowed in feature branches. It is bound to the `test` stage, and uses the following variables: -| Name | description | default value | +| Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | -| `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ | +| `mvn-forbid-snapshot-dependencies-disabled` / `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ | ### `mvn-sbom` job 
@@ -197,10 +224,10 @@ This job generates a [SBOM](https://cyclonedx.org/) file listing all dependencie It is bound to the `test` stage, and uses the following variables: -| Name | description | default value | +| Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | -| `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | -| `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | +| `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | +| `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | ### `mvn-release` & `mvn-deploy-*` jobs 
@@ -216,18 +243,18 @@ These jobs are **disabled by default** and - when enabled - respectively perform They are bound to the `publish` stage, and use the following variables: -| Name | description | default value | +| Input / Variable | Description | Default value | | ----------------------------------- | ------------------------------------------------------------ | ----------------- | -| `MAVEN_DEPLOY_ENABLED` | Set to `true` to enable release and publish jobs | _none_ (disabled) | -| `MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED`| Set to `true` to limit snapshot publication to protected branches | _none_ (disabled) | -| `MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED`| Set to `true` to inject the Git branch slug in SNAPSHOT versions | _none_ (disabled) | -| `MAVEN_DEPLOY_ARGS` | Maven arguments for the `mvn-deploy` job | `deploy -Dmaven.test.skip=true` | -| `MAVEN_RELEASE_ARGS` | Maven arguments for the `mvn-release` job | `release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true` | -| `MAVEN_RELEASE_VERSION` | Explicit version to use when triggering a release | _none_ (uses the current snapshot version from `pom.xml`) | -| `MAVEN_RELEASE_SCM_COMMENT_PREFIX` | Maven release plugin [scmCommentPrefix](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmCommentPrefix) parameter | `chore(maven-release): ` | -| `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | -| `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | -| `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release 
integration](#semantic-release-integration) | _none_ (disabled) | +| `deploy-enabled` / `MAVEN_DEPLOY_ENABLED` | Set to `true` to enable release and publish jobs | _none_ (disabled) | +| `deploy-from-unprotected-disabled` / `MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED` | Set to `true` to limit snapshot publication to protected branches | _none_ (disabled) | +| `deploy-snapshot-with-slug-enabled` / `MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED` | Set to `true` to inject the Git branch slug in SNAPSHOT versions | _none_ (disabled) | +| `deploy-args` / `MAVEN_DEPLOY_ARGS` | Maven arguments for the `mvn-deploy` job | `deploy -Dmaven.test.skip=true` | +| `release-args` / `MAVEN_RELEASE_ARGS` | Maven arguments for the `mvn-release` job | `release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true` | +| `release-version` / `MAVEN_RELEASE_VERSION` | Explicit version to use when triggering a release | _none_ (uses the current snapshot version from `pom.xml`) | +| `release-scm-comment-prefix` / `MAVEN_RELEASE_SCM_COMMENT_PREFIX` | Maven release plugin [scmCommentPrefix](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmCommentPrefix) parameter | `chore(maven-release): ` | +| `release-scm-release-comment` / `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | +| `release-scm-dev-comment` / `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | +| `mvn-semrel-release-disabled` / `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (disabled) | More info: 
@@ -436,10 +463,10 @@ This variant uses the [Jib Maven Plugin](https://github.com/GoogleContainerTools ##### Images and registries config -| Name | Description | Default value | +| Input / Variable | Description | Default value | | -------------------------------------------- | ------------------------ | ------------------------------------------------- | -| `MAVEN_JIB_SNAPSHOT_IMAGE` | Container snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` | -| `MAVEN_JIB_RELEASE_IMAGE` | Container release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` | +| `jib-snapshot-image` / `MAVEN_JIB_SNAPSHOT_IMAGE` | Container snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` | +| `jib-release-image` / `MAVEN_JIB_RELEASE_IMAGE` | Container release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` | | :lock: `MAVEN_JIB_REGISTRY_USER` | Default registry username for image registry | `$CI_REGISTRY_USER` _(default GitLab registry user)_ | | :lock: `MAVEN_JIB_REGISTRY_PASSWORD` | Default registry password for image registry | `$CI_REGISTRY_PASSWORD` _(default GitLab registry password)_ | | :lock: `MAVEN_JIB_REGISTRY_SNAPSHOT_USER` | Registry username for snapshot image registry.<br/> Only set if different from default. | _none_ | 
@@ -451,13 +478,13 @@ The template uses GitLab registries and authentication defaults. See the Docker ##### Security scanning and reporting -| Name | Description | Default value | +| Input / Variable | Description | Default value | | -------------------------------------- | ------------------------ | ------------------------------------------------- | -| `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` | -| `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-catalogerE` | -| `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` | -| `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` | +| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` | +| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-catalogerE` | +| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` | +| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` | ##### Jib build and publish configuration 
@@ -467,12 +494,12 @@ Tho `mvn-build` job produces and uploads the container snapshot to the registry Publishing the release image follows the two-phase Maven release and deploy model. The `mvn-release` job is responsible for versioning and tagging the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn-deploy-release` job deploys, or "releases," the container via [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md) to the provided registry in `$MAVEN_JIB_RELEASE_IMAGE`. -| Name | Description | Default value | +| Input / Variable | Description | Default value | | --------------------------------- | ---------------------------------------------------------- | ----------------- | -| `MAVEN_SKOPEO_IMAGE` | The image used to publish docker image with Skopeo | `quay.io/skopeo/stable:latest` | -| `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` | -| `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ | -| `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` | +| `skopeo-image` / `MAVEN_SKOPEO_IMAGE` | The image used to publish docker image with Skopeo | `quay.io/skopeo/stable:latest` | +| `jib-build-args` / `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). 
| `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` | +| `jib-publish-args` / `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ | +| `jib-prod-publish-strategy` / `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` | #### Usage @@ -499,13 +526,7 @@ All authentication methods should use masked GitLab environment variables. ```yaml include: # main template - - project: 'to-be-continuous/maven' - ref: '3.8.0' - file: '/templates/gitlab-ci-maven.yml' + - component: gitlab.com/to-be-continuous/maven/gitlab-ci-maven@3.8.0 # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template - - project: 'to-be-continuous/maven' - ref: '3.8.0' - file: '/templates/gitlab-ci-maven-jib.yml' - -variables: + - component: gitlab.com/to-be-continuous/maven/gitlab-ci-maven-jib@3.8.0 ``` diff --git a/bumpversion.sh b/bumpversion.sh index f06829a406ca8da98e570e8ad7d8bb22367b668d..ed44d7b68b0e09f6d2cf557f7a15e52553246341 100755 --- a/bumpversion.sh +++ b/bumpversion.sh @@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..." # replace in README - sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next + sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next mv -f README.md.next README.md # replace in template and variants for tmpl in templates/*.yml do - sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next" + sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next" mv -f "$tmpl.next" "$tmpl" done else 
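Review bot: The second `-e` expression added to the README sed in this hunk uses the typographic quote `”` (U+201D) in both its pattern `\"$curVer\”` and its replacement `\”$nextVer\”`, so it can never match a straight-quoted `ref: "x.y.z"` and, had it matched, would have written curly quotes into the README; it should read `-e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/"`. As in the old line, `$curVer` is interpolated into the regex unescaped, so its dots match any character — harmless for a version string, but a short comment saying so would help the next maintainer. The template loop now rewrites only `command: ["--service", ..., "$curVer"]` lines, so any other occurrence of the version inside `templates/*.yml` (if one exists) would silently stop being bumped; the enclosing `if [[ "$curVer" ]]` block continues outside the hunk.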
diff --git a/kicker.json b/kicker.json index 3ecf39714045601afa2ad266aff695722c1df383..23270ab6355b1826b9bcbab271712ee7cd4fba21 100644 --- a/kicker.json +++ b/kicker.json @@ -3,6 +3,8 @@ "description": "Build, test and analyse your [Maven](https://maven.apache.org/)-based projects", "template_path": "templates/gitlab-ci-maven.yml", "kind": "build", + "prefix": "maven", + "is_component": true, "variables": [ { "name": "MAVEN_IMAGE", 
@@ -205,98 +207,104 @@ } ], "variants": [ - { - "id": "jib", - "name": "Jib", - "description": "Build Docker and OCI images for your Java applications with [Jib](https://github.com/GoogleContainerTools/jib)", - "template_path": "templates/gitlab-ci-maven-jib.yml", - "features": [ - { - "id": "mvn-trivy", - "name": "Maven Trivy", - "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis", - "disable_with": "MAVEN_TRIVY_DISABLED", - "variables": [ - { - "name": "MAVEN_TRIVY_IMAGE", - "description": "The docker image used to scan images with Trivy", - "default": "registry.hub.docker.com/aquasec/trivy:latest", - "advanced": true - }, - { - "name": "MAVEN_TRIVY_ADDR", - "type": "url", - "description": "The Trivy server address" - }, - { - "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD", - "type": "enum", - "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"], - "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", - "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - }, - { - "name": "MAVEN_TRIVY_ARGS", - "description": "Additional `trivy client` arguments", - "default": "--ignore-unfixed --vuln-type os", - "advanced": true - } - ] - }, - { - "id": "mvn-sbom", - "name": "Maven Software Bill of Materials", - "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)", - "disable_with": "MAVEN_SBOM_DISABLED", - "variables": [ - { - "name": "MAVEN_SBOM_IMAGE", - "default": "registry.hub.docker.com/anchore/syft:debug", - "advanced": true - }, - { - "name": "MAVEN_SBOM_OPTS", - "description": "Options for syft used for SBOM analysis", - "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger", - "advanced": true - } - ] - } - ], - "variables": [ - { - "name": "MAVEN_JIB_SNAPSHOT_IMAGE", - 
"description": "Maven Jib Snapshot image", - "default": "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG" - }, - { - "name": "MAVEN_JIB_RELEASE_IMAGE", - "description": "Maven Jib Release image", - "default": "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME" - }, - { - "name": "MAVEN_SKOPEO_IMAGE", - "description": "The image used to publish images with Skopeo", - "default": "quay.io/skopeo/stable:latest", - "advanced": true - }, - { - "name": "MAVEN_JIB_BUILD_ARGS", - "description": "[Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage)", - "default": "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE" - }, - { - "name": "MAVEN_JIB_PROD_PUBLISH_STRATEGY", - "description": "Defines the publish to production strategy.", - "type": "enum", - "values": ["none", "manual", "auto"], - "default": "manual" - }, - { - "name": "MAVEN_JIB_PUBLISH_ARGS", - "description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)" - } - ] - } + { + "id": "jib", + "name": "Jib", + "description": "Build Docker and OCI images for your Java applications with [Jib](https://github.com/GoogleContainerTools/jib)", + "template_path": "templates/gitlab-ci-maven-jib.yml", + "features": [ + { + "id": "mvn-trivy", + "name": "Maven Trivy", + "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis", + "disable_with": "MAVEN_TRIVY_DISABLED", + "variables": [ + { + "name": "MAVEN_TRIVY_IMAGE", + "description": "The docker image used to scan images with Trivy", + "default": "registry.hub.docker.com/aquasec/trivy:latest", + "advanced": true + }, + { + "name": "MAVEN_TRIVY_ADDR", + "type": "url", + "description": "The Trivy server address" + }, + { + "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD", + "type": "enum", + "values": [ + "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", + "LOW,MEDIUM,HIGH,CRITICAL", + "MEDIUM,HIGH,CRITICAL", + "HIGH,CRITICAL", + "CRITICAL" + ], + 
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)", + "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + }, + { + "name": "MAVEN_TRIVY_ARGS", + "description": "Additional `trivy client` arguments", + "default": "--ignore-unfixed --vuln-type os", + "advanced": true + } + ] + }, + { + "id": "mvn-sbom", + "name": "Maven Software Bill of Materials", + "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)", + "disable_with": "MAVEN_SBOM_DISABLED", + "variables": [ + { + "name": "MAVEN_SBOM_IMAGE", + "default": "registry.hub.docker.com/anchore/syft:debug", + "advanced": true + }, + { + "name": "MAVEN_SBOM_OPTS", + "description": "Options for syft used for SBOM analysis", + "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger", + "advanced": true + } + ] + } + ], + "variables": [ + { + "name": "MAVEN_JIB_SNAPSHOT_IMAGE", + "description": "Maven Jib Snapshot image", + "default": "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG" + }, + { + "name": "MAVEN_JIB_RELEASE_IMAGE", + "description": "Maven Jib Release image", + "default": "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME" + }, + { + "name": "MAVEN_SKOPEO_IMAGE", + "description": "The image used to publish images with Skopeo", + "default": "quay.io/skopeo/stable:latest", + "advanced": true + }, + { + "name": "MAVEN_JIB_BUILD_ARGS", + "description": "[Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage)", + "default": "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE" + }, + { + "name": "MAVEN_JIB_PROD_PUBLISH_STRATEGY", + "description": "Defines the publish to production strategy.", + "type": "enum", + "values": ["none", "manual", "auto"], + "default": "manual" + }, + { + "name": "MAVEN_JIB_PUBLISH_ARGS", + "description": "Additional [`skopeo copy` 
arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)" + } + ] + } ] } diff --git a/logo.png b/logo.png index 2dd51fb18916b429323eb0296756f1f8aa740a46..0776126ab1c1593539e5261ffd3733b75d7c85c3 100644 Binary files a/logo.png and b/logo.png differ diff --git a/templates/gitlab-ci-maven-jib.yml b/templates/gitlab-ci-maven-jib.yml index 7e0875a2d16d00543032663b67bc0976d60a802d..395c91e2fa0f9293a75a3995c91c6ac4feb8de6e 100644 --- a/templates/gitlab-ci-maven-jib.yml +++ b/templates/gitlab-ci-maven-jib.yml 
@@ -1,17 +1,73 @@ # ===================================================================================================================== # === JIB template variant # ===================================================================================================================== +spec: + inputs: + jib-snapshot-image: + description: Maven Jib Snapshot image + default: $CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG + jib-release-image: + description: Maven Jib Release image + default: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME + skopeo-image: + description: The image used to publish images with Skopeo + default: quay.io/skopeo/stable:latest + jib-build-args: + description: '[Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage)' + default: -Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE + jib-prod-publish-strategy: + description: Defines the publish to production strategy. + options: + - none + - manual + - auto + default: manual + jib-publish-args: + description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) + default: '' + trivy-disabled: + description: Disable Maven Trivy + type: boolean + default: false + trivy-image: + description: The docker image used to scan images with Trivy + default: registry.hub.docker.com/aquasec/trivy:latest + trivy-addr: + description: The Trivy server address + default: '' + trivy-security-level-threshold: + description: 'Severities of vulnerabilities to be displayed (comma separated values: + `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)' + options: + - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + - LOW,MEDIUM,HIGH,CRITICAL + - MEDIUM,HIGH,CRITICAL + - HIGH,CRITICAL + - CRITICAL + default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL + trivy-args: + description: Additional `trivy client` arguments + default: --ignore-unfixed --vuln-type os + sbom-image: + default: registry.hub.docker.com/anchore/syft:debug + sbom-opts: + 
description: Options for syft used for SBOM analysis + default: --catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger +--- variables: - MAVEN_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug" - MAVEN_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger" - MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" - MAVEN_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest" - MAVEN_TRIVY_ARGS: "--ignore-unfixed --vuln-type os" - MAVEN_JIB_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG" - MAVEN_JIB_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME" - MAVEN_JIB_BUILD_ARGS: "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE" - MAVEN_JIB_PROD_PUBLISH_STRATEGY: "manual" - MAVEN_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest" + MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]] + MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]] + MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]] + MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]] + MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]] + MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]] + MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]] + MAVEN_JIB_BUILD_ARGS: $[[ inputs.jib-build-args ]] + MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]] + MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]] + MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]] + MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]] + MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]] .mvn-jib-scripts: &mvn-jib-scripts | # BEGSCRIPT diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml index 616fa22b41ce7742fec8164d97d039cc2bf42977..c468b4da2832a2c62f5f8bbaef7b295a3b2b6720 100644 --- a/templates/gitlab-ci-maven.yml +++ b/templates/gitlab-ci-maven.yml 
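Review bot: `MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]`, `MAVEN_TRIVY_ADDR` and `MAVEN_JIB_PUBLISH_ARGS` turn variables that the old `variables:` block left unset into defined ones — the boolean input renders as the string `false`, the other two as empty strings — so any rule or script further down the template that tests these variables for presence rather than comparing against `"true"` would now see them set by default; worth confirming against the job rules, which are outside this hunk. The `sbom-image` input is the only entry in `spec.inputs` without a `description`; `description: The docker image used to generate the Software Bill of Materials with syft` would match the neighbouring entries. Note also that the README row for `sbom-opts` in this same commit documents the default as ending in `portage-catalogerE`, while the default here ends in `portage-cataloger`.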
@@ -13,6 +13,122 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA 02110-1301, USA.
 # =========================================================================================
+spec:
+ inputs:
+ image:
+ description: The Docker image used to run Maven - **set the version required by
+ your project**
+ default: registry.hub.docker.com/library/maven:latest
+ project-dir:
+ description: Maven project root directory
+ default: .
+ cfg-dir:
+ description: The Maven configuration directory
+ default: .m2
+ settings-file:
+ description: The Maven `settings.xml` file path
+ default: ${MAVEN_CFG_DIR}/settings.xml
+ opts:
+ description: '[Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable)'
+ default: >-
+ -Dhttps.protocols=TLSv1.2
+ -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository
+ -Dorg.slf4j.simpleLogger.showDateTime=true
+ -Djava.awt.headless=true
+ cli-opts:
+ description: Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html)
+ used on the command line
+ default: >-
+ --no-transfer-progress
+ --batch-mode
+ --errors
+ --fail-at-end
+ --show-version
+ -DinstallAtEnd=true
+ -DdeployAtEnd=true
+ build-args:
+ description: Maven arguments for the build & test job
+ default: org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report
+ sonar-host-url:
+ description: SonarQube server url
+ default: ''
+ sonar-base-args:
+ description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+ default: >-
+ sonar:sonar
+ -Dsonar.links.homepage=${CI_PROJECT_URL}
+ -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
+ -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
+ sonar-quality-gate-enabled:
+ description: 'Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/)
+ verification.
+
+
+ _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._'
+ type: boolean
+ default: false
+ dependency-check-disabled:
+ description: Disable Dependency-Check
+ type: boolean
+ default: false
+ dependency-check-args:
+ description: Maven arguments for Dependency Check job
+ default: >-
+ org.owasp:dependency-check-maven:aggregate
+ -DretireJsAnalyzerEnabled=false
+ -DassemblyAnalyzerEnabled=false
+ -Dformats=HTML,JSON,XML
+ mvn-forbid-snapshot-dependencies-disabled:
+ description: Disable Snapshot dependencies verification
+ type: boolean
+ default: false
+ sbom-disabled:
+ description: Disable Software Bill of Materials
+ type: boolean
+ default: false
+ sbom-gen-args:
+ description: Maven command used for SBOM analysis
+ default: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
+ deploy-enabled:
+ description: Enable Publish
+ type: boolean
+ default: false
+ deploy-args:
+ description: Maven arguments for the deploy job
+ default: deploy -Dmaven.test.skip=true
+ deploy-from-unprotected-disabled:
+ description: Set to limit snapshot publication to protected branches
+ type: boolean
+ default: false
+ deploy-snapshot-with-slug-enabled:
+ description: Enable to inject the Git branch slug in SNAPSHOT versions
+ type: boolean
+ default: false
+ release-args:
+ description: Maven arguments for the release job
+ default: release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true
+ release-version:
+ description: 'Explicit version to use when triggering a release
+ _Otherwise uses the current snapshot version from `pom.xml`)_'
+ default: ''
+ release-scm-comment-prefix:
+ description: Maven release plugin [scmCommentPrefix](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmCommentPrefix)
+ parameter
+ default: 'chore(maven-release): '
+ release-scm-release-comment:
+ description: 'Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment)
+ parameter
+ (since Maven `3.0.0-M1`)'
+ default: ''
+ release-scm-dev-comment:
+ description: 'Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment)
+ parameter
+ (since Maven `3.0.0-M1`)'
+ default: ''
+ mvn-semrel-release-disabled:
+ description: Disable semantic-release integration
+ default: ''
+---
 # default workflow rules: Merge Request pipelines
 workflow:
 rules:
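Review bot: `mvn-semrel-release-disabled` is declared with `default: ''` and no `type`, whereas every other `*-disabled` / `*-enabled` input in this spec is `type: boolean` with `default: false`; unless the empty string is deliberately distinguished from `false` by the semantic-release integration, declare it `type: boolean` / `default: false`, or extend its description to say why it differs (the `MVN_SEMREL_RELEASE_DISABLED` mapping in the later `variables:` hunk inherits the same shape). The `release-version` description closes a parenthesis it never opens — `_Otherwise uses the current snapshot version from \`pom.xml\`)_` — and should read `_(Otherwise uses the current snapshot version from \`pom.xml\`)_`. The `workflow:` block that follows the `---` separator continues outside the hunk.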
@@ -59,70 +175,53 @@ variables: TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master" # Default Maven project root directory - MAVEN_PROJECT_DIR: . - + MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]] # Maven image (can be overridden) - MAVEN_IMAGE: "registry.hub.docker.com/library/maven:latest" - + MAVEN_IMAGE: $[[ inputs.image ]] # default production ref name (pattern) PROD_REF: '/^(master|main)$/' # default integration ref name (pattern) INTEG_REF: '/^develop$/' # default release tag name (pattern) RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+$/' - # default configuration directory - MAVEN_CFG_DIR: ".m2" + MAVEN_CFG_DIR: $[[ inputs.cfg-dir ]] # default settings.xml file path - MAVEN_SETTINGS_FILE: "$MAVEN_CFG_DIR/settings.xml" - + MAVEN_SETTINGS_FILE: $[[ inputs.settings-file ]] # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode` to make this work. - MAVEN_OPTS: >- - -Dhttps.protocols=TLSv1.2 - -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository - -Dorg.slf4j.simpleLogger.showDateTime=true - -Djava.awt.headless=true - + MAVEN_OPTS: $[[ inputs.opts ]] # As of Maven 3.3.0 instead of this you may define these options in `.mvn/maven.config` so the same config is used # when running from the command line. # `installAtEnd` and `deployAtEnd` are only effective with recent version of the corresponding plugins. 
- MAVEN_CLI_OPTS: >- - --no-transfer-progress - --batch-mode - --errors - --fail-at-end - --show-version - -DinstallAtEnd=true - -DdeployAtEnd=true - + MAVEN_CLI_OPTS: $[[ inputs.cli-opts ]] # Maven build arguments - MAVEN_BUILD_ARGS: "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report" - + MAVEN_BUILD_ARGS: $[[ inputs.build-args ]] # Sonar base analysis default args # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/ # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/ - SONAR_BASE_ARGS: >- - sonar:sonar - -Dsonar.links.homepage=${CI_PROJECT_URL} - -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines - -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues - + SONAR_BASE_ARGS: $[[ inputs.sonar-base-args ]] # Dependency Check arguments - MAVEN_DEPENDENCY_CHECK_ARGS: >- - org.owasp:dependency-check-maven:aggregate - -DretireJsAnalyzerEnabled=false - -DassemblyAnalyzerEnabled=false - -Dformats=HTML,JSON,XML - + MAVEN_DEPENDENCY_CHECK_ARGS: $[[ inputs.dependency-check-args ]] # SBOM genenration arguments - MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom - + MAVEN_SBOM_GEN_ARGS: $[[ inputs.sbom-gen-args ]] # Maven deploy arguments - MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true" - + MAVEN_DEPLOY_ARGS: $[[ inputs.deploy-args ]] # Maven release arguments - MAVEN_RELEASE_ARGS: "release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true" - MAVEN_RELEASE_SCM_COMMENT_PREFIX: "chore(maven-release): " + MAVEN_RELEASE_ARGS: $[[ inputs.release-args ]] + MAVEN_RELEASE_SCM_COMMENT_PREFIX: $[[ inputs.release-scm-comment-prefix ]] + + SONAR_HOST_URL: $[[ inputs.sonar-host-url ]] + SONAR_QUALITY_GATE_ENABLED: $[[ inputs.sonar-quality-gate-enabled ]] + MAVEN_DEPENDENCY_CHECK_DISABLED: $[[ inputs.dependency-check-disabled ]] + MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED: $[[ inputs.mvn-forbid-snapshot-dependencies-disabled ]] + MAVEN_SBOM_DISABLED: $[[ 
inputs.sbom-disabled ]] + MAVEN_DEPLOY_ENABLED: $[[ inputs.deploy-enabled ]] + MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED: $[[ inputs.deploy-from-unprotected-disabled ]] + MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED: $[[ inputs.deploy-snapshot-with-slug-enabled ]] + MAVEN_RELEASE_VERSION: $[[ inputs.release-version ]] + MAVEN_RELEASE_SCM_RELEASE_COMMENT: $[[ inputs.release-scm-release-comment ]] + MAVEN_RELEASE_SCM_DEV_COMMENT: $[[ inputs.release-scm-dev-comment ]] + MVN_SEMREL_RELEASE_DISABLED: $[[ inputs.mvn-semrel-release-disabled ]] stages: - build
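Review bot: The twelve variables appended after `MAVEN_RELEASE_SCM_COMMENT_PREFIX` (`SONAR_HOST_URL` through `MVN_SEMREL_RELEASE_DISABLED`) are the only entries in this `variables:` block without the one-line comment every earlier variable carries; add `# feature toggles and optional settings (inputs default to empty/false, i.e. off)` above `SONAR_HOST_URL` so the block reads consistently. Defining `SONAR_HOST_URL` and the other toggles globally with an empty or `false` default is compatible with projects that set them as project- or group-level CI/CD variables, since those take precedence over `.gitlab-ci.yml` globals, but that is worth stating in the same comment so readers do not assume the template value wins. The `stages:` list at the end of the hunk continues outside it.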