adds job tags

b15d9feb · Benguria Elguezabal, Gorka · 2ce90721 · b15d9feb · b15d9feb · b15d9feb
Commit b15d9feb authored Jul 25, 2024 by Benguria Elguezabal, Gorka
--- a/README.md
+++ b/README.md
@@ -81,6 +81,7 @@ It uses the following variable:
 | Input / Variable      | Description                              | Default value     |
 | --------------------- | ---------------------------------------- | ----------------- |
 | `build-args` / `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` |
+| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 #### About Code Coverage

@@ -116,6 +117,7 @@ This job uses the following variables:
 | :lock: `SONAR_PASSWORD`  | SonarQube password (depends on your authentication method)             | _none_ |
 | `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
 | `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) |
+| `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 #### Recommended minimal configuration

@@ -172,6 +174,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `dependency-check-disabled` / `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ |
 | `dependency-check-args` / `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` |
+| `mvn-dependency-check-job-tags` / `MVN_DEPENDENCY_CHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |


 A Dependency Check is a quite long operation and therefore the job is configured to be ran __manually__ by default.
@@ -217,6 +220,7 @@ It is bound to the `test` stage, and uses the following variables:
 | Input / Variable      | Description                            | Default value     |
 | --------------------- | -------------------------------------- | ----------------- |
 | `mvn-forbid-snapshot-dependencies-disabled` / `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
+| `mvn-no-snapshot-deps-job-tags` / `MVN_NO_SNAPSHOT_DEPS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 ### `mvn-sbom` job

@@ -228,6 +232,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
+| `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 ### `mvn-release` &amp; `mvn-deploy-*` jobs

@@ -255,6 +260,9 @@ They are bound to the `publish` stage, and use the following variables:
 | `release-scm-release-comment` / `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
 | `release-scm-dev-comment` / `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
 | `mvn-semrel-release-disabled` / `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (disabled) |
+| `mvn-release-job-tags` / `MVN_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
+| `mvn-deploy-release-job-tags` / `MVN_DEPLOY_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |
+| `mvn-deploy-snapshot-job-tags` / `MVN_DEPLOY_SNAPSHOT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 More info:

@@ -485,6 +493,7 @@ The template uses GitLab registries and authentication defaults. See the Docker
 | `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
 | `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning  | `registry.hub.docker.com/aquasec/trivy:latest` |
 | `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
+| `mvn-trivy-job-tags` / `MVN_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |


 ##### Jib build and publish configuration
@@ -500,6 +509,7 @@ the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn-
 | `jib-build-args` / `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` |
 | `jib-publish-args` / `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings`  | _none_ |
 | `jib-prod-publish-strategy` / `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`.   | `manual` |
+| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]`            |

 #### Usage


--- a/kicker.json
+++ b/kicker.json
@@ -47,6 +47,62 @@
      "description": "Maven arguments for the build & test job",
      "default": "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report",
      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_BUILD_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_SONAR_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_DEPENDENCY_CHECK_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_NO_SNAPSHOT_DEPS_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_SBOM_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_DEPLOY_RELEASE_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
+    },
+    {
+      "name": "MVN_MVN_RELEASE_JOB_TAGS",
+      "description": "Tags to be used for selecting runners for the job",
+      "type": "array",
+      "default": [],
+      "advanced": true
    }
  ],
  "features": [
@@ -304,6 +360,41 @@
        {
          "name": "MAVEN_JIB_PUBLISH_ARGS",
          "description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
+        },
+        {
+          "name": "MVN_MVN_BUILD_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
+        },
+        {
+          "name": "MVN_MVN_SBOM_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
+        },
+        {
+          "name": "MVN_MVN_TRIVY_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
+        },
+        {
+          "name": "MVN_MVN_DEPLOY_RELEASE_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
+        },
+        {
+          "name": "MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS",
+          "description": "Tags to be used for selecting runners for the job",
+          "type": "array",
+          "default": [],
+          "advanced": true
        }
      ]
    }

--- a/templates/gitlab-ci-maven-jib.yml
+++ b/templates/gitlab-ci-maven-jib.yml
@@ -53,6 +53,27 @@ spec:
    sbom-opts:
      description: Options for syft used for SBOM analysis
      default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java
+    mvn-build-job-tags:
+      description: tags to filter applicable runners for mvn-build job
+      type: array
+      default: []
+    mvn-sbom-job-tags:
+      description: tags to filter applicable runners for mvn-sbom job
+      type: array
+      default: []
+    mvn-trivy-job-tags:
+      description: tags to filter applicable runners for mvn-trivy job
+      type: array
+      default: []
+    mvn-deploy-release-job-tags:
+      description: tags to filter applicable runners for mvn-deploy-release job
+      type: array
+      default: []
+    mvn-deploy-snapshot-job-tags:
+      description: tags to filter applicable runners for mvn-deploy-snapshot job
+      type: array
+      default: []
+
 ---
 variables:
  MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -123,6 +144,7 @@ mvn-build:
    reports:
      dotenv:
        - jib.env
+  tags: $[[ inputs.mvn-build-job-tags ]]

 mvn-sbom:
  extends: .mvn-base
@@ -147,6 +169,7 @@ mvn-sbom:
    reports:
      cyclonedx: 
        - "reports/mvn-sbom-*.cyclonedx.json"
+  tags: $[[ inputs.mvn-sbom-job-tags ]]

 mvn-trivy:
  extends: .mvn-base
@@ -196,6 +219,7 @@ mvn-trivy:
    - if: '$MAVEN_TRIVY_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.mvn-trivy-job-tags ]]

 mvn-deploy-release:
  extends: .mvn-base
@@ -259,6 +283,7 @@ mvn-deploy-release:
    - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "manual"'
      when: manual
    - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "auto"'
+  tags: $[[ inputs.mvn-deploy-release-job-tags ]]

 # =====================================================================================================================
 # === Disable Maven template jobs not required for Docker Jib pipeline
@@ -268,3 +293,4 @@ mvn-deploy-release:
 mvn-deploy-snapshot:
  rules:
    - when: never
+  tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]
--- a/templates/gitlab-ci-maven.yml
+++ b/templates/gitlab-ci-maven.yml
@@ -128,6 +128,41 @@ spec:
    mvn-semrel-release-disabled:
      description: Disable semantic-release integration
      default: ''
+    mvn-build-job-tags:
+      description: tags to filter applicable runners for mvn-build job
+      type: array
+      default: []
+    mvn-sonar-job-tags:
+      description: tags to filter applicable runners for mvn-sonar job
+      type: array
+      default: []
+    mvn-dependency-check-job-tags:
+      description: tags to filter applicable runners for mvn-dependency-check job
+      type: array
+      default: []
+    mvn-no-snapshot-deps-job-tags:
+      description: tags to filter applicable runners for mvn-no-snapshot-deps job
+      type: array
+      default: []
+    mvn-sbom-job-tags:
+      description: tags to filter applicable runners for mvn-sbom job
+      type: array
+      default: []
+    mvn-deploy-snapshot-job-tags:
+      description: tags to filter applicable runners for mvn-deploy-snapshot job
+      type: array
+      default: []
+    mvn-deploy-release-job-tags:
+      description: tags to filter applicable runners for mvn-deploy-release job
+      type: array
+      default: []
+    mvn-release-job-tags:
+      description: tags to filter applicable runners for mvn-release job
+      type: array
+      default: []
+
+
+
 ---
 # default workflow rules: Merge Request pipelines
 workflow:
@@ -633,6 +668,7 @@ mvn-build:
      # version may have been altered
      - "${MAVEN_PROJECT_DIR}/**/pom.xml"
      - "${MAVEN_PROJECT_DIR}/**/target"
+  tags: $[[ inputs.mvn-build-job-tags ]]

 # Sonar job
 mvn-sonar:
@@ -671,6 +707,7 @@ mvn-sonar:
    - if: '($SONAR_HOST_URL == null || $SONAR_HOST_URL == "") && ($SONAR_URL == null || $SONAR_URL == "")'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.mvn-sonar-job-tags ]]

 mvn-dependency-check:
  extends: .mvn-base
@@ -696,6 +733,7 @@ mvn-dependency-check:
    # all other cases: manual & non-blocking
    - when: manual
      allow_failure: true
+  tags: $[[ inputs.mvn-dependency-check-job-tags ]]

 mvn-no-snapshot-deps:
  extends: .mvn-base
@@ -708,6 +746,7 @@ mvn-no-snapshot-deps:
    - if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.mvn-no-snapshot-deps-job-tags ]]

 mvn-sbom:
  extends: .mvn-base
@@ -731,6 +770,7 @@ mvn-sbom:
    - if: '$MAVEN_SBOM_DISABLED == "true"'
      when: never
    - !reference [.test-policy, rules]
+  tags: $[[ inputs.mvn-sbom-job-tags ]]

 mvn-deploy-snapshot:
  extends: .mvn-base
@@ -746,6 +786,7 @@ mvn-deploy-snapshot:
      when: never
    # exclude unprotected ref if disabled
    - if: '$MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED != "true" || $CI_COMMIT_REF_PROTECTED == "true"'
+  tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]

 mvn-deploy-release:
  extends: .mvn-base
@@ -758,6 +799,7 @@ mvn-deploy-release:
      when: never
    # on tag with release pattern: auto
    - if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
+  tags: $[[ inputs.mvn-deploy-release-job-tags ]]

 mvn-release:
  extends: .mvn-base
@@ -796,3 +838,4 @@ mvn-release:
    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
      when: manual
      allow_failure: true
+  tags: $[[ inputs.mvn-release-job-tags ]]