feat: GitLab CI/CD component migration

requires GitLab 16.6 or later

feat: GitLab CI/CD component migration
5c32520f · Pierre Smeyers · 5996b0cd · 5c32520f · 5c32520f · 5c32520f
Commit 5c32520f authored 1 year ago by Pierre Smeyers
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ include:
    file: '/templates/validation.yml'
  - project: 'to-be-continuous/bash'
    ref: '3.3'
-    file: 'templates/gitlab-ci-bash.yml'
+    file: '/templates/gitlab-ci-bash.yml'
  - project: 'to-be-continuous/semantic-release'
    ref: '3.7'
    file: '/templates/gitlab-ci-semrel.yml'

--- a/README.md
+++ b/README.md
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."

  # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md

  # replace in template and variants
  for tmpl in templates/*.yml
  do
-    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
 else

--- a/kicker.json
+++ b/kicker.json
@@ -3,6 +3,8 @@
  "description": "Build, test and analyse your [Maven](https://maven.apache.org/)-based projects",
  "template_path": "templates/gitlab-ci-maven.yml",
  "kind": "build",
+  "prefix": "maven",
+  "is_component": true,
  "variables": [
    {
      "name": "MAVEN_IMAGE",
@@ -231,7 +233,13 @@
            {
              "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
              "type": "enum",
-			 "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
+              "values": [
+                "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+                "LOW,MEDIUM,HIGH,CRITICAL",
+                "MEDIUM,HIGH,CRITICAL",
+                "HIGH,CRITICAL",
+                "CRITICAL"
+              ],
              "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
              "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
            },

--- a/logo.png
+++ b/logo.png
--- a/templates/gitlab-ci-maven-jib.yml
+++ b/templates/gitlab-ci-maven-jib.yml
 # =====================================================================================================================
 # === JIB template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    jib-snapshot-image:
+      description: Maven Jib Snapshot image
+      default: $CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG
+    jib-release-image:
+      description: Maven Jib Release image
+      default: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
+    skopeo-image:
+      description: The image used to publish images with Skopeo
+      default: quay.io/skopeo/stable:latest
+    jib-build-args:
+      description: '[Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage)'
+      default: -Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE
+    jib-prod-publish-strategy:
+      description: Defines the publish to production strategy.
+      options:
+      - none
+      - manual
+      - auto
+      default: manual
+    jib-publish-args:
+      description: Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)
+      default: ''
+    trivy-disabled:
+      description: Disable Maven Trivy
+      type: boolean
+      default: false
+    trivy-image:
+      description: The docker image used to scan images with Trivy
+      default: registry.hub.docker.com/aquasec/trivy:latest
+    trivy-addr:
+      description: The Trivy server address
+      default: ''
+    trivy-security-level-threshold:
+      description: 'Severities of vulnerabilities to be displayed (comma separated values:
+        `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
+      options:
+      - UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+      - LOW,MEDIUM,HIGH,CRITICAL
+      - MEDIUM,HIGH,CRITICAL
+      - HIGH,CRITICAL
+      - CRITICAL
+      default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+    trivy-args:
+      description: Additional `trivy client` arguments
+      default: --ignore-unfixed --vuln-type os
+    sbom-image:
+      default: registry.hub.docker.com/anchore/syft:debug
+    sbom-opts:
+      description: Options for syft used for SBOM analysis
+      default: --catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger
+---
 variables:
-  MAVEN_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
-  MAVEN_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
-  MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
-  MAVEN_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
-  MAVEN_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
-  MAVEN_JIB_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
-  MAVEN_JIB_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
-  MAVEN_JIB_BUILD_ARGS: "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE"
-  MAVEN_JIB_PROD_PUBLISH_STRATEGY: "manual"
-  MAVEN_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
+  MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
+  MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
+  MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
+  MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
+  MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
+  MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
+  MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
+  MAVEN_JIB_BUILD_ARGS: $[[ inputs.jib-build-args ]]
+  MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
+  MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
+  MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
+  MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
+  MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]

 .mvn-jib-scripts: &mvn-jib-scripts |
  # BEGSCRIPT

--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -13,6 +13,122 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth 
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
+spec:
+  inputs:
+    image:
+      description: The Docker image used to run Maven - **set the version required by
+        your project**
+      default: registry.hub.docker.com/library/maven:latest
+    project-dir:
+      description: Maven project root directory
+      default: .
+    cfg-dir:
+      description: The Maven configuration directory
+      default: .m2
+    settings-file:
+      description: The Maven `settings.xml` file path
+      default: ${MAVEN_CFG_DIR}/settings.xml
+    opts:
+      description: '[Global Maven options](http://maven.apache.org/configure.html#maven_opts-environment-variable)'
+      default: >-
+        -Dhttps.protocols=TLSv1.2
+        -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository
+        -Dorg.slf4j.simpleLogger.showDateTime=true
+        -Djava.awt.headless=true
+    cli-opts:
+      description: Additional [Maven options](https://maven.apache.org/ref/3-LATEST/maven-embedder/cli.html)
+        used on the command line
+      default: >-
+        --no-transfer-progress
+        --batch-mode
+        --errors
+        --fail-at-end
+        --show-version
+        -DinstallAtEnd=true
+        -DdeployAtEnd=true
+    build-args:
+      description: Maven arguments for the build & test job
+      default: org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report
+    sonar-host-url:
+      description: SonarQube server url
+      default: ''
+    sonar-base-args:
+      description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+      default: >-
+        sonar:sonar
+        -Dsonar.links.homepage=${CI_PROJECT_URL}
+        -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
+        -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
+    sonar-quality-gate-enabled:
+      description: 'Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/)
+        verification.
+
+
+        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._'
+      type: boolean
+      default: false
+    dependency-check-disabled:
+      description: Disable Dependency-Check
+      type: boolean
+      default: false
+    dependency-check-args:
+      description: Maven arguments for Dependency Check job
+      default: >-
+        org.owasp:dependency-check-maven:aggregate
+        -DretireJsAnalyzerEnabled=false
+        -DassemblyAnalyzerEnabled=false
+        -Dformats=HTML,JSON,XML
+    mvn-forbid-snapshot-dependencies-disabled:
+      description: Disable Snapshot dependencies verification
+      type: boolean
+      default: false
+    sbom-disabled:
+      description: Disable Software Bill of Materials
+      type: boolean
+      default: false
+    sbom-gen-args:
+      description: Maven command used for SBOM analysis
+      default: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
+    deploy-enabled:
+      description: Enable Publish
+      type: boolean
+      default: false
+    deploy-args:
+      description: Maven arguments for the deploy job
+      default: deploy -Dmaven.test.skip=true
+    deploy-from-unprotected-disabled:
+      description: Set to limit snapshot publication to protected branches
+      type: boolean
+      default: false
+    deploy-snapshot-with-slug-enabled:
+      description: Enable to inject the Git branch slug in SNAPSHOT versions
+      type: boolean
+      default: false
+    release-args:
+      description: Maven arguments for the release job
+      default: release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true
+    release-version:
+      description: 'Explicit version to use when triggering a release
+        _Otherwise uses the current snapshot version from `pom.xml`)_'
+      default: ''
+    release-scm-comment-prefix:
+      description: Maven release plugin [scmCommentPrefix](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmCommentPrefix)
+        parameter
+      default: 'chore(maven-release): '
+    release-scm-release-comment:
+      description: 'Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment)
+        parameter
+        (since Maven `3.0.0-M1`)'
+      default: ''
+    release-scm-dev-comment:
+      description: 'Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment)
+        parameter
+        (since Maven `3.0.0-M1`)'
+      default: ''
+    mvn-semrel-release-disabled:
+      description: Disable semantic-release integration
+      default: ''
+---
 # default workflow rules: Merge Request pipelines
 workflow:
  rules:
@@ -59,70 +175,53 @@ variables:
  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"

  # Default Maven project root directory
-  MAVEN_PROJECT_DIR: .
-
+  MAVEN_PROJECT_DIR: $[[ inputs.project-dir ]]
  # Maven image (can be overridden)
-  MAVEN_IMAGE: "registry.hub.docker.com/library/maven:latest"
-
+  MAVEN_IMAGE: $[[ inputs.image ]]
  # default production ref name (pattern)
  PROD_REF: '/^(master|main)$/'
  # default integration ref name (pattern)
  INTEG_REF: '/^develop$/'
  # default release tag name (pattern)
  RELEASE_REF: '/^v?[0-9]+\.[0-9]+\.[0-9]+$/'
-
  # default configuration directory
-  MAVEN_CFG_DIR: ".m2"
+  MAVEN_CFG_DIR: $[[ inputs.cfg-dir ]]
  # default settings.xml file path
-  MAVEN_SETTINGS_FILE: "$MAVEN_CFG_DIR/settings.xml"
-
+  MAVEN_SETTINGS_FILE: $[[ inputs.settings-file ]]
  # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode` to make this work.
-  MAVEN_OPTS: >-
-    -Dhttps.protocols=TLSv1.2
-    -Dmaven.repo.local=${MAVEN_CFG_DIR}/repository
-    -Dorg.slf4j.simpleLogger.showDateTime=true
-    -Djava.awt.headless=true
-
+  MAVEN_OPTS: $[[ inputs.opts ]]
  # As of Maven 3.3.0 instead of this you may define these options in `.mvn/maven.config` so the same config is used
  # when running from the command line.
  # `installAtEnd` and `deployAtEnd` are only effective with recent version of the corresponding plugins.
-  MAVEN_CLI_OPTS: >-
-    --no-transfer-progress
-    --batch-mode
-    --errors
-    --fail-at-end
-    --show-version
-    -DinstallAtEnd=true
-    -DdeployAtEnd=true
-
+  MAVEN_CLI_OPTS: $[[ inputs.cli-opts ]]
  # Maven build arguments
-  MAVEN_BUILD_ARGS: "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report"
-
+  MAVEN_BUILD_ARGS: $[[ inputs.build-args ]]
  # Sonar base analysis default args
  # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
  # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
-  SONAR_BASE_ARGS: >-
-    sonar:sonar
-    -Dsonar.links.homepage=${CI_PROJECT_URL}
-    -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
-    -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
-
+  SONAR_BASE_ARGS: $[[ inputs.sonar-base-args ]]
  # Dependency Check arguments
-  MAVEN_DEPENDENCY_CHECK_ARGS: >-
-    org.owasp:dependency-check-maven:aggregate
-    -DretireJsAnalyzerEnabled=false
-    -DassemblyAnalyzerEnabled=false
-    -Dformats=HTML,JSON,XML
-  
+  MAVEN_DEPENDENCY_CHECK_ARGS: $[[ inputs.dependency-check-args ]]
  # SBOM genenration arguments
-  MAVEN_SBOM_GEN_ARGS: org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
-
+  MAVEN_SBOM_GEN_ARGS: $[[ inputs.sbom-gen-args ]]
  # Maven deploy arguments
-  MAVEN_DEPLOY_ARGS: "deploy -Dmaven.test.skip=true"
-
+  MAVEN_DEPLOY_ARGS: $[[ inputs.deploy-args ]]
  # Maven release arguments
-  MAVEN_RELEASE_ARGS: "release:prepare -DtagNameFormat=@{project.version} -Darguments=-Dmaven.test.skip=true"
-  MAVEN_RELEASE_SCM_COMMENT_PREFIX: "chore(maven-release): "
+  MAVEN_RELEASE_ARGS: $[[ inputs.release-args ]]
+  MAVEN_RELEASE_SCM_COMMENT_PREFIX: $[[ inputs.release-scm-comment-prefix ]]
+
+  SONAR_HOST_URL: $[[ inputs.sonar-host-url ]]
+  SONAR_QUALITY_GATE_ENABLED: $[[ inputs.sonar-quality-gate-enabled ]]
+  MAVEN_DEPENDENCY_CHECK_DISABLED: $[[ inputs.dependency-check-disabled ]]
+  MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED: $[[ inputs.mvn-forbid-snapshot-dependencies-disabled ]]
+  MAVEN_SBOM_DISABLED: $[[ inputs.sbom-disabled ]]
+  MAVEN_DEPLOY_ENABLED: $[[ inputs.deploy-enabled ]]
+  MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED: $[[ inputs.deploy-from-unprotected-disabled ]]
+  MAVEN_DEPLOY_SNAPSHOT_WITH_SLUG_ENABLED: $[[ inputs.deploy-snapshot-with-slug-enabled ]]
+  MAVEN_RELEASE_VERSION: $[[ inputs.release-version ]]
+  MAVEN_RELEASE_SCM_RELEASE_COMMENT: $[[ inputs.release-scm-release-comment ]]
+  MAVEN_RELEASE_SCM_DEV_COMMENT: $[[ inputs.release-scm-dev-comment ]]
+  MVN_SEMREL_RELEASE_DISABLED: $[[ inputs.mvn-semrel-release-disabled ]]

 stages:
  - build