From 96c2920b8da419cedefe67e9cd497df146f94b49 Mon Sep 17 00:00:00 2001
From: Timothy Stone <gitlab@petmystone.com>
Date: Sun, 2 Jul 2023 10:33:31 +0000
Subject: [PATCH] feat(jib): add Maven Jib variant to build container images
for your Java applications
---
README.md | 87 ++++++++++++
kicker.json | 95 +++++++++++++
templates/gitlab-ci-maven-jib.yml | 212 ++++++++++++++++++++++++++++++
3 files changed, 394 insertions(+)
create mode 100644 templates/gitlab-ci-maven-jib.yml
diff --git a/README.md b/README.md
index 81bbf05..d6b0458 100644
--- a/README.md
+++ b/README.md
@@ -362,3 +362,90 @@ Note that the password should be an access token with `write_repository` scope a
...
</scm>
```
+
+## Variants
+
+### Jib variant
+
+This variant builds optimized Docker and OCI images for your Java applications (without deep mastery of Docker best-practices) with [Jib](https://github.com/GoogleContainerTools/jib).
+
+#### Configuration
+
+This variant uses the [Jib Maven Plugin](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin) to build a Docker container and publish that container to a registry.
+
+##### Images and registries config
+
+| Name | Description | Default value |
+| -------------------------------------------- | ------------------------ | ------------------------------------------------- |
+| `MAVEN_JIB_SNAPSHOT_IMAGE` | Container snapshot image | `$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG` |
+| `MAVEN_JIB_RELEASE_IMAGE` | Container release image | `$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME` |
+| :lock: `MAVEN_JIB_REGISTRY_USER` | Default registry username for image registry | `$CI_REGISTRY_USER` _(default GitLab registry user)_ |
+| :lock: `MAVEN_JIB_REGISTRY_PASSWORD` | Default registry password for image registry | `$CI_REGISTRY_PASSWORD` _(default GitLab registry password)_ |
+| :lock: `MAVEN_JIB_REGISTRY_SNAPSHOT_USER` | Registry username for snapshot image registry.<br/> Only set if different from default. | _none_ |
+| :lock: `MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD`| Registry password for snapshot image registry.<br/> Only set if different from default. | _none_ |
+| :lock: `MAVEN_JIB_REGISTRY_RELEASE_USER` | Registry username for release image registry.<br/> Only set if different from default. | _none_ |
+| :lock: `MAVEN_JIB_REGISTRY_RELEASE_PASSWORD` | Registry password for release image registry.<br/> Only set if different from default. | _none_ |
+
+The template uses GitLab registries and authentication defaults. See the Docker template for configuring alternate [registries and credentials](https://gitlab.com/to-be-continuous/docker#registries-and-credentials).
+
+##### Security scanning and reporting
+
+| Name | Description | Default value |
+| -------------------------------------- | ------------------------ | ------------------------------------------------- |
+| `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
+| `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-catalogerE` |
+| `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
+| `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
+| `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
+
+
+##### Jib build and publish configuration
+
+Tho `mvn-build` job produces and uploads the container snapshot to the registry provided in `$MAVEN_JIB_SNAPSHOT_IMAGE` via the Jib `build` goal, e.g., `mvn verify com.google.cloud.tools:jib-maven-plugin:build`.
+
+Publishing the release image follows the two-phase Maven release and deploy model. The `mvn-release` job is responsible for versioning and tagging
+the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn-deploy-release` job deploys, or "releases," the container via [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md) to the provided registry in `$MAVEN_JIB_RELEASE_IMAGE`.
+
+| Name | Description | Default value |
+| --------------------------------- | ---------------------------------------------------------- | ----------------- |
+| `MAVEN_SKOPEO_IMAGE` | The image used to publish docker image with Skopeo | `quay.io/skopeo/stable:latest` |
+| `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` |
+| `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ |
+| `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` |
+
+#### Usage
+
+See the Jib [Quickstart](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin)
+for minimal guidance on the use of the plugin for your project. If you're here, you probably have a use case,
+i.e., you kicked off a [JHipster](https://jhipster.tech/) project and found Jib pre-configured for containerization.
+
+The template uses GitLab registries and authentication defaults. See the Docker template for configuring alternate [registries and credentials](https://gitlab.com/to-be-continuous/docker#registries-and-credentials).
+
+`$MAVEN_JIB_BUILD_ARGS` sets the snapshot container publish registry via a System Property, `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE`. This can be declaratively provided in the POM configuration for the Jib plugin and omitted, e.g., `#MAVEN_JIB_BUILD_ARGS` or `$MAVEN_JIB_BUILD_ARGS: ""` in the project `.gitlab-ci.yml`.
+This is advanced usage and should be understood in context of how `skopeo copy` works in the production pipeline.
+
+#### Registry authorization
+
+The variant tooling, Jib and Skopeo, support [Docker configuration files (default)](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-docker-configuration-files).
+Jib supports additional authentication methods, including [credential helpers](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-docker-credential-helpers),
+[the POM and CLI](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-specific-credentials),
+and [even Maven Settings](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#using-specific-credentials), e.g., `.m2/settings.xml`.
+
+All authentication methods should use masked GitLab environment variables.
+
+#### Example
+
+```yaml
+include:
+ # main template
+ - project: 'to-be-continuous/maven'
+ ref: '3.5.0'
+ file: '/templates/gitlab-ci-maven.yml'
+ # Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
+ - project: 'to-be-continuous/maven'
+ ref: '3.5.0'
+ file: '/templates/gitlab-ci-maven-jib.yml'
+
+variables:
+```
+
diff --git a/kicker.json b/kicker.json
index b968e39..57b9223 100644
--- a/kicker.json
+++ b/kicker.json
@@ -197,5 +197,100 @@
}
]
}
+ ],
+ "variants": [
+ {
+ "id": "jib",
+ "name": "Jib",
+ "description": "Build Docker and OCI images for your Java applications with [Jib](https://github.com/GoogleContainerTools/jib)",
+ "template_path": "templates/gitlab-ci-maven-jib.yml",
+ "features": [
+ {
+ "id": "mvn-trivy",
+ "name": "Maven Trivy",
+ "description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis",
+ "disable_with": "MAVEN_TRIVY_DISABLED",
+ "variables": [
+ {
+ "name": "MAVEN_TRIVY_IMAGE",
+ "description": "The docker image used to scan images with Trivy",
+ "default": "registry.hub.docker.com/aquasec/trivy:latest",
+ "advanced": true
+ },
+ {
+ "name": "MAVEN_TRIVY_ADDR",
+ "type": "url",
+ "description": "The Trivy server address"
+ },
+ {
+ "name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
+ "type": "enum",
+ "values": ["UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "LOW,MEDIUM,HIGH,CRITICAL", "MEDIUM,HIGH,CRITICAL", "HIGH,CRITICAL", "CRITICAL"],
+ "description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
+ "default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+ },
+ {
+ "name": "MAVEN_TRIVY_ARGS",
+ "description": "Additional `trivy client` arguments",
+ "default": "--ignore-unfixed --vuln-type os",
+ "advanced": true
+ }
+ ]
+ },
+ {
+ "id": "mvn-sbom",
+ "name": "Maven Software Bill of Materials",
+ "description": "This job generates a file listing all dependencies using [syft](https://github.com/anchore/syft)",
+ "disable_with": "MAVEN_SBOM_DISABLED",
+ "variables": [
+ {
+ "name": "MAVEN_SBOM_IMAGE",
+ "default": "registry.hub.docker.com/anchore/syft:debug",
+ "advanced": true
+ },
+ {
+ "name": "MAVEN_SBOM_OPTS",
+ "description": "Options for syft used for SBOM analysis",
+ "default": "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger",
+ "advanced": true
+ }
+ ]
+ }
+ ],
+ "variables": [
+ {
+ "name": "MAVEN_JIB_SNAPSHOT_IMAGE",
+ "description": "Maven Jib Snapshot image",
+ "default": "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
+ },
+ {
+ "name": "MAVEN_JIB_RELEASE_IMAGE",
+ "description": "Maven Jib Release image",
+ "default": "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
+ },
+ {
+ "name": "MAVEN_SKOPEO_IMAGE",
+ "description": "The image used to publish images with Skopeo",
+ "default": "quay.io/skopeo/stable:latest",
+ "advanced": true
+ },
+ {
+ "name": "MAVEN_JIB_BUILD_ARGS",
+ "description": "[Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage)",
+ "default": "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE"
+ },
+ {
+ "name": "MAVEN_JIB_PROD_PUBLISH_STRATEGY",
+ "description": "Defines the publish to production strategy.",
+ "type": "enum",
+ "values": ["none", "manual", "auto"],
+ "default": "manual"
+ },
+ {
+ "name": "MAVEN_JIB_PUBLISH_ARGS",
+ "description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
+ }
+ ]
+ }
]
}
diff --git a/templates/gitlab-ci-maven-jib.yml b/templates/gitlab-ci-maven-jib.yml
new file mode 100644
index 0000000..832645f
--- /dev/null
+++ b/templates/gitlab-ci-maven-jib.yml
@@ -0,0 +1,212 @@
+# =====================================================================================================================
+# === JIB template variant
+# =====================================================================================================================
+variables:
+ MAVEN_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
+ MAVEN_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
+ MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
+ MAVEN_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
+ MAVEN_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
+ MAVEN_JIB_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
+ MAVEN_JIB_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
+ MAVEN_JIB_BUILD_ARGS: "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE"
+ MAVEN_JIB_PROD_PUBLISH_STRATEGY: "manual"
+ MAVEN_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
+
+.mvn-jib-scripts: &mvn-jib-scripts |
+ # BEGSCRIPT
+ set -e
+
+ function configure_registries_auth() {
+ maven_jib_snapshot_authn_token=$(echo -n "${MAVEN_JIB_REGISTRY_SNAPSHOT_USER:-${MAVEN_JIB_REGISTRY_USER:-$CI_REGISTRY_USER}}:${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
+ maven_jib_snapshot_registry_host=$(echo "$MAVEN_JIB_SNAPSHOT_IMAGE" | cut -d/ -f1)
+
+ maven_jib_release_authn_token=$(echo -n "${MAVEN_JIB_REGISTRY_RELEASE_USER:-${MAVEN_JIB_REGISTRY_USER:-$CI_REGISTRY_USER}}:${MAVEN_JIB_REGISTRY_RELEASE_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
+ maven_jib_release_registry_host=$(echo "$MAVEN_JIB_RELEASE_IMAGE" | cut -d/ -f1)
+
+ maven_jib_snapshot_config_json=$(echo -n "{\"auths\":{\"$maven_jib_snapshot_registry_host\":{\"auth\":\"$maven_jib_snapshot_authn_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
+ maven_jib_release_config_json=$(echo -n "{\"auths\":{\"$maven_jib_release_registry_host\":{\"auth\":\"$maven_jib_release_authn_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
+
+ BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
+ # Create Docker auth config (supported by Jib)
+ mkdir -p "$BUILDTOOL_HOME/.docker"
+ echo "${maven_jib_snapshot_config_json}" > $BUILDTOOL_HOME/.docker/config.json
+ echo "${maven_jib_release_config_json}" > $BUILDTOOL_HOME/.docker/release-config.json
+
+ log_info "Registry authentication configured for \\e[33;1m${maven_jib_snapshot_registry_host}\\e[0m"
+ }
+
+ configure_registries_auth
+
+ # ENDSCRIPT
+
+mvn-build:
+ extends: .mvn-base
+ script:
+ # initialize Docker auth config
+ - *mvn-jib-scripts
+ # build and push snapshot container
+ - >-
+ mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args verify
+ com.google.cloud.tools:jib-maven-plugin:build
+ $MAVEN_JIB_BUILD_ARGS
+ - output_coverage
+ # create dotenv file
+ - jib_digest=$(cat target/jib-image.digest | cut -f2 -d':' )
+ - jib_repository=${MAVEN_JIB_SNAPSHOT_IMAGE%:*}
+ - jib_tag=${MAVEN_JIB_SNAPSHOT_IMAGE##*:}
+ - |
+ {
+ echo "jib_image=$MAVEN_JIB_SNAPSHOT_IMAGE"
+ echo "jib_image_digest=$jib_repository@$jib_digest"
+ echo "jib_repository=$jib_repository"
+ echo "jib_tag=$jib_tag"
+ echo "jib_digest=$jib_digest"
+ } > jib.env
+ artifacts:
+ reports:
+ dotenv:
+ - jib.env
+
+mvn-sbom:
+ extends: .mvn-base
+ stage: package-test
+ image:
+ name: $MAVEN_SBOM_IMAGE
+ entrypoint: [""]
+ # force no dependency
+ dependencies: []
+ script:
+ - mkdir -p -m 777 reports
+ - /syft packages $MAVEN_JIB_SNAPSHOT_IMAGE $MAVEN_SBOM_OPTS -o cyclonedx-json=reports/mvn-sbom-${jib_digest}.cyclonedx.json
+ - chmod a+r reports/mvn-sbom-${jib_digest}.cyclonedx.json
+ artifacts:
+ name: "SBOM for container from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
+ expire_in: 1 week
+ when: always
+ paths:
+ - "reports/mvn-jib-sbom-*.cyclonedx.json"
+ reports:
+ cyclonedx:
+ - "reports/mvn-jib-sbom-*.cyclonedx.json"
+
+mvn-trivy:
+ extends: .mvn-base
+ stage: package-test
+ image:
+ name: $MAVEN_TRIVY_IMAGE
+ entrypoint: [""]
+ dependencies: []
+ variables:
+ TRIVY_CACHE_DIR: ".trivycache/"
+ script: |
+ # cache cleanup is needed when scanning images with the same tags, it does not remove the database
+ trivy image --clear-cache
+ export TRIVY_USERNAME=${MAVEN_JIB_REGISTRY_SNAPSHOT_USER:-${MAVEN_JIB_REGISTRY_USER:-$CI_REGISTRY_USER}}
+ export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
+ export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
+ mkdir -p ./reports
+ if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then
+ log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
+ trivy image --download-db-only
+ export trivy_opts="image"
+ else
+ log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
+ export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
+ fi
+ # Add common trivy arguments
+ export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}"
+ # GitLab format (no fail)
+ trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE
+ # JSON format (no fail)
+ if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
+ then
+ trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE
+ fi
+ # console output (fail)
+ trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
+ artifacts:
+ when: always
+ paths:
+ - "reports/jib-trivy-*"
+ reports:
+ container_scanning: "reports/jib-trivy-*.gitlab.json"
+ cache:
+ paths:
+ - .trivycache/
+ rules:
+ - if: '$MAVEN_TRIVY_DISABLED == "true"'
+ when: never
+ - !reference [.test-policy, rules]
+
+mvn-deploy-release:
+ extends: .mvn-base
+ image:
+ name: "$MAVEN_SKOPEO_IMAGE"
+ entrypoint: [""]
+ stage: publish
+ variables:
+ GIT_STRATEGY: none
+ script:
+ # initialize Docker auth config
+ - *mvn-jib-scripts
+ - |
+ if [[ "${SEMREL_INFO_ON}" && "${MVN_SEMREL_RELEASE_DISABLED}" != "true" ]]
+ then
+ if [[ -z "${SEMREL_INFO_NEXT_VERSION}" ]]
+ then
+ log_warn "[semantic-release] no new version to release: skip"
+ exit 0
+ else
+ MAVEN_JIB_RELEASE_IMAGE=$(echo "$MAVEN_JIB_RELEASE_IMAGE" | sed "s/\(:.*\)\{0,1\}$/:$SEMREL_INFO_NEXT_VERSION/")
+ log_info "[semantic-release] new Image tag is set: $MAVEN_JIB_RELEASE_IMAGE"
+ fi
+ fi
+
+ if [[ "$MAVEN_JIB_SNAPSHOT_IMAGE" == "$MAVEN_JIB_RELEASE_IMAGE" ]]
+ then
+ log_warn "\\e[93mYou should consider distinguishing snapshot and release images as they do not differ. Skipping publish phase as image has already been created by previous job.\\e[0m"
+ exit 0
+ fi
+ BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}
+ skopeo copy --src-authfile $BUILDTOOL_HOME/.docker/config.json --dest-authfile $BUILDTOOL_HOME/.docker/release-config.json ${MAVEN_JIB_PUBLISH_ARGS} docker://$MAVEN_JIB_SNAPSHOT_IMAGE docker://$MAVEN_JIB_RELEASE_IMAGE
+ log_info "Well done, your image is published and can be downloaded by doing: docker pull $MAVEN_JIB_RELEASE_IMAGE"
+ - jib_digest=$(skopeo inspect --authfile $BUILDTOOL_HOME/.docker/release-config.json --format='{{ .Digest }}' "docker://$MAVEN_JIB_RELEASE_IMAGE")
+ - jib_repository=${MAVEN_JIB_RELEASE_IMAGE%:*}
+ - jib_tag=${MAVEN_JIB_RELEASE_IMAGE##*:}
+ - |
+ {
+ echo "jib_image=$MAVEN_JIB_RELEASE_IMAGE"
+ echo "jib_image_digest=$jib_repository@$jib_digest"
+ echo "jib_repository=$jib_repository"
+ echo "jib_tag=$jib_tag"
+ echo "jib_digest=$jib_digest"
+ } > jib.env
+ artifacts:
+ reports:
+ dotenv:
+ - jib.env
+ rules:
+ # exclude if $MAVEN_DEPLOY_ENABLED not set
+ - if: '$MAVEN_DEPLOY_ENABLED != "true"'
+ when: never
+ # on tag: if semrel info not enabled or semrel integration disabled
+ - if: '$CI_COMMIT_TAG'
+ # exclude non-production branches
+ - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF'
+ when: never
+ # exclude if snapshot is same as release image and semrel info not enabled or semrel integration disabled
+ - if: '$MAVEN_JIB_SNAPSHOT_IMAGE == $MAVEN_JIB_RELEASE_IMAGE && ($SEMREL_INFO_ON == null || $SEMREL_INFO_ON == "" || $MVN_SEMREL_RELEASE_DISABLED == "true")'
+ when: never
+ - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "manual"'
+ when: manual
+ - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "auto"'
+
+# =====================================================================================================================
+# === Disable Maven template jobs not required for Docker Jib pipeline
+# =====================================================================================================================
+
+# mvn-build supersedes - deploys a snapshot container to the registry
+mvn-deploy-snapshot:
+ rules:
+ - when: never
--
GitLab