diff --git a/README.md b/README.md
index 31f737c8614e5ce6cae7f36abcbf4f98e2fe9594..e058330c6fdf9795628764605a8287f225a09989 100644
--- a/README.md
+++ b/README.md
@@ -89,7 +89,6 @@ It is bound to the `test` stage, and uses the following variables:
 | :lock: `SONAR_GITLAB_TOKEN` | GitLab [access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with `api` scope. When set, activates the [Sonar GitLab plugin](https://github.com/gabrie-allaigre/sonar-gitlab-plugin/#plugins-properties) integration. | _none_ |
 | `SONAR_BRANCH_ANALYSIS_DISABLED` | Set to `true` to disable automatic [Pull Request Analysis](https://docs.sonarqube.org/latest/analysis/pull-request/) and [Branch Analysis](https://docs.sonarqube.org/latest/branches/overview/) | _none_ (enabled) |
 | `SONAR_GITLAB_ARGS` | Extra arguments to use with [Sonar GitLab plugin](https://github.com/gabrie-allaigre/sonar-gitlab-plugin/#plugins-properties) | `-Dsonar.gitlab.url=${CI_SERVER_URL} -Dsonar.gitlab.user_token=${SONAR_GITLAB_TOKEN} -Dsonar.gitlab.project_id=${CI_PROJECT_ID} -Dsonar.gitlab.commit_sha=${CI_COMMIT_SHA} -Dsonar.gitlab.ref_name=${CI_COMMIT_REF_NAME}` |
-| `SONAR_AUTO_ON_DEV_DISABLED` | When set to `true`, SonarQube analysis becomes **manual** on development branches (automatic otherwise) | _none_ |
 | `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enables check of SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) | _none_ (disabled) |
 
 #### Automatic Branch Analysis & Pull Request Analysis
@@ -316,7 +315,7 @@ The key should not have a passphrase (see [how to generate a new SSH key pair](h
 Specify :lock: `$GIT_PRIVATE_KEY` as protected project variable with the private part of the deploy key.
 
 ```PEM
------BEGIN OPENSSH PRIVATE KEY-----
+-----BEGIN 0PENSSH PRIVATE KEY-----
 blablabla
 -----END OPENSSH PRIVATE KEY-----
 ```
diff --git a/kicker.json b/kicker.json
index cc9e493494a18ea45787ba598530d87bd7060d17..b3bbba3c40e780f462358f20cacf309d37b72707 100644
--- a/kicker.json
+++ b/kicker.json
@@ -89,11 +89,6 @@
 "default": "-Dsonar.gitlab.url=${CI_SERVER_URL} -Dsonar.gitlab.user_token=${SONAR_GITLAB_TOKEN} -Dsonar.gitlab.project_id=${CI_PROJECT_ID} -Dsonar.gitlab.commit_sha=${CI_COMMIT_SHA} -Dsonar.gitlab.ref_name=${CI_COMMIT_REF_NAME}",
 "advanced": true
 },
- {
- "name": "SONAR_AUTO_ON_DEV_DISABLED",
- "description": "When set, SonarQube analysis becomes **manual** on development branches (automatic otherwise)",
- "type": "boolean"
- },
 {
 "name": "SONAR_QUALITY_GATE_ENABLED",
 "description": "Enable blocking check of SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) (for `master` branch)",
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml
index 7bd78948e1706fd765da5cb178a56d00d3a2d51b..a1ee039d7c79dec6d408530d3c83170d8073c225 100644
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -13,14 +13,33 @@
 # program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 # Floor, Boston, MA 02110-1301, USA.
 # =========================================================================================
-# default workflow rules
+# default workflow rules: Merge Request pipelines
 workflow:
 rules:
- # exclude merge requests
- - if: $CI_MERGE_REQUEST_ID
+ # prevent branch pipeline when an MR is open (prefer MR pipeline)
+ - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
 when: never
 - when: always
 
+# test job prototype: implement adaptive pipeline rules
+.test-policy:
+ rules:
+ # on tag: auto & failing
+ - if: $CI_COMMIT_TAG
+ # on ADAPTIVE_PIPELINE_DISABLED: auto & failing
+ - if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'
+ # on production or integration branch(es): auto & failing
+ - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+ # early stage (dev branch, no MR): manual & non-failing
+ - if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'
+ when: manual
+ allow_failure: true
+ # Draft MR: auto & non-failing
+ - if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'
+ allow_failure: true
+ # else (Ready MR): auto & failing
+ - when: on_success
+
 variables:
 # variabilized tracking image
 TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
@@ -489,16 +508,7 @@ mvn-sonar:
 # exclude if $SONAR_URL not set
 - if: '$SONAR_URL == null || $SONAR_URL == ""'
 when: never
- # on tags: auto
- - if: $CI_COMMIT_TAG
- # on production or integration: auto
- - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
- # else (non-production, non-integration branches): manual if $SONAR_AUTO_ON_DEV_DISABLED
- - if: '$SONAR_AUTO_ON_DEV_DISABLED == "true"'
- when: manual
- allow_failure: true
- # else: auto & allow failure
- - allow_failure: true
+ - !reference [.test-policy, rules]
 
 mvn-dependency-check:
 extends: .mvn-base
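Review bot: The new `.test-policy` block reads a variable `ADAPTIVE_PIPELINE_DISABLED` that nothing in this commit documents: the README and kicker.json hunks only remove `SONAR_AUTO_ON_DEV_DISABLED`, so users lose the old opt-out without being told about the replacement switch (which, unlike the old one, forces every policy-driven job to be automatic and blocking). Add a README variables-table row and a kicker.json entry for `ADAPTIVE_PIPELINE_DISABLED` describing it as "set to `true` to disable adaptive pipeline rules: test jobs become automatic and blocking on every ref". The Draft-MR rule keys only on `$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/`; whether other draft markers need handling depends on the GitLab versions the template supports, which is not visible here, so a comment stating the supported convention would help. Minor style point: `- if: $CI_COMMIT_TAG` is the only unquoted rule expression in the block; quoting it like its siblings, `- if: '$CI_COMMIT_TAG'`, keeps the block consistent.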
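Review bot: Projects that still set `SONAR_AUTO_ON_DEV_DISABLED` now get no effect and no warning, because the variable is dropped from `mvn-sonar`'s rules and nothing maps it to the new policy; since the replacement `ADAPTIVE_PIPELINE_DISABLED` has the opposite meaning (auto & failing everywhere), a one-line migration note in the changelog and the SonarQube README section is needed. The resulting behaviour change should also be stated there: on a dev branch with no open MR, `mvn-sonar` is now `manual` instead of automatic and non-blocking, so the analysis only runs when someone triggers it. `!reference` is a GitLab-specific YAML tag; if the template is validated with a generic YAML loader or yamllint in CI, that tooling presumably needs the tag allow-listed — worth confirming.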
@@ -507,6 +517,12 @@ mvn-dependency-check:
 dependencies: []
 script:
 - mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args $MAVEN_DEPENDENCY_CHECK_ARGS
+ artifacts:
+ name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+ expire_in: 1 day
+ when: always
+ paths:
+ - "${MAVEN_PROJECT_DIR}/**/target/dependency-check-report.*"
 rules:
 # on schedule: auto
 - if: '$CI_PIPELINE_SOURCE == "schedule"'
@@ -515,12 +531,6 @@ mvn-dependency-check:
 # all other cases: manual & non-blocking
 - when: manual
 allow_failure: true
- artifacts:
- name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
- expire_in: 1 day
- when: always
- paths:
- - "${MAVEN_PROJECT_DIR}/**/target/dependency-check-report.*"
 
 mvn-forbid-snapshot-dependencies:
 extends: .mvn-base
@@ -531,10 +541,7 @@ mvn-forbid-snapshot-dependencies:
 # exclude if disabled
 - if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"'
 when: never
- # on production or integration branches: auto
- - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
- # else (feature branches): auto & non-blocking
- - allow_failure: true
+ - !reference [.test-policy, rules]
 
 mvn-snapshot:
 extends: .mvn-base
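Review bot: Switching `mvn-forbid-snapshot-dependencies` to `!reference [.test-policy, rules]` changes its behaviour on tags, which the commit does not call out: the removed rules had no `$CI_COMMIT_TAG` entry, so tag pipelines fell through to `allow_failure: true`, whereas `.test-policy`'s first rule makes the job automatic and blocking on every tag. Failing a release tag that still pulls mutable SNAPSHOT artifacts is the safer supply-chain outcome, but it is a breaking change for projects that tagged with snapshot dependencies and should be stated in the changelog and in this job's README section. On dev branches with no open MR the job also moves from automatic & non-blocking to `manual`, so the same note should say that the snapshot check is opt-in there until an MR is opened.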