diff --git a/README.md b/README.md index d2177322f96bc79edec924847a4b6bce383043d7..4c9e376a3d21986ad7e42d515f097286705dbe6f 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,7 @@ It uses the following variable: | Input / Variable | Description | Default value | | --------------------- | ---------------------------------------- | ----------------- | | `build-args` / `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` | +| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | #### About Code Coverage @@ -116,6 +117,7 @@ This job uses the following variables: | :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ | | `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` | | `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) | +| `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | #### Recommended minimal configuration 
@@ -172,6 +174,7 @@ It is bound to the `test` stage, and uses the following variables: | --------------------- | -------------------------------------- | ----------------- | | `dependency-check-disabled` / `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ | | `dependency-check-args` / `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` | +| `mvn-dependency-check-job-tags` / `MVN_DEPENDENCY_CHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | A Dependency Check is a quite long operation and therefore the job is configured to be ran __manually__ by default. @@ -217,6 +220,7 @@ It is bound to the `test` stage, and uses the following variables: | Input / Variable | Description | Default value | | --------------------- | -------------------------------------- | ----------------- | | `mvn-forbid-snapshot-dependencies-disabled` / `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ | +| `mvn-no-snapshot-deps-job-tags` / `MVN_NO_SNAPSHOT_DEPS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | ### `mvn-sbom` job @@ -228,6 +232,7 @@ It is bound to the `test` stage, and uses the following variables: | --------------------- | -------------------------------------- | ----------------- | | `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | | `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` | +| `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | ### `mvn-release` & `mvn-deploy-*` jobs 
@@ -255,6 +260,9 @@ They are bound to the `publish` stage, and use the following variables: | `release-scm-release-comment` / `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | | `release-scm-dev-comment` / `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) | | `mvn-semrel-release-disabled` / `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (disabled) | +| `mvn-release-job-tags` / `MVN_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | +| `mvn-deploy-release-job-tags` / `MVN_DEPLOY_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | +| `mvn-deploy-snapshot-job-tags` / `MVN_DEPLOY_SNAPSHOT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | More info: @@ -485,6 +493,7 @@ The template uses GitLab registries and authentication defaults. See the Docker | `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | | `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` | | `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` | +| `mvn-trivy-job-tags` / `MVN_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | ##### Jib build and publish configuration 
@@ -500,6 +509,7 @@ the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn- | `jib-build-args` / `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` | | `jib-publish-args` / `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ | | `jib-prod-publish-strategy` / `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` | +| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` | #### Usage diff --git a/kicker.json b/kicker.json index 6da98c7844d658a5c77825c75d3ea1a93cc70dc0..a05c01fc7e200550e292db2fe242b0f4d2bfec49 100644 --- a/kicker.json +++ b/kicker.json 
@@ -47,6 +47,62 @@ "description": "Maven arguments for the build & test job", "default": "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report", "advanced": true + }, + { + "name": "MVN_MVN_BUILD_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_SONAR_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_DEPENDENCY_CHECK_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_NO_SNAPSHOT_DEPS_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_SBOM_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_DEPLOY_RELEASE_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_RELEASE_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ], "features": [ 
@@ -304,6 +360,41 @@ { "name": "MAVEN_JIB_PUBLISH_ARGS", "description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)" + }, + { + "name": "MVN_MVN_BUILD_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_SBOM_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_TRIVY_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_DEPLOY_RELEASE_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true + }, + { + "name": "MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] } diff --git a/templates/gitlab-ci-maven-jib.yml b/templates/gitlab-ci-maven-jib.yml index 589b865636dfcdf04509956546d3cbbf196470b0..6db8dbd703f887b51a87037dfeb5a617a98c58cd 100644 --- a/templates/gitlab-ci-maven-jib.yml +++ b/templates/gitlab-ci-maven-jib.yml 
@@ -53,6 +53,27 @@ spec: sbom-opts: description: Options for syft used for SBOM analysis default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java + mvn-build-job-tags: + description: tags to filter applicable runners for mvn-build job + type: array + default: [] + mvn-sbom-job-tags: + description: tags to filter applicable runners for mvn-sbom job + type: array + default: [] + mvn-trivy-job-tags: + description: tags to filter applicable runners for mvn-trivy job + type: array + default: [] + mvn-deploy-release-job-tags: + description: tags to filter applicable runners for mvn-deploy-release job + type: array + default: [] + mvn-deploy-snapshot-job-tags: + description: tags to filter applicable runners for mvn-deploy-snapshot job + type: array + default: [] + --- variables: MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]] @@ -123,7 +144,8 @@ mvn-build: reports: dotenv: - jib.env - + tags: $[[ inputs.mvn-build-job-tags ]] + mvn-sbom: extends: .mvn-base stage: package-test @@ -147,6 +169,7 @@ mvn-sbom: reports: cyclonedx: - "reports/mvn-sbom-*.cyclonedx.json" + tags: $[[ inputs.mvn-sbom-job-tags ]] mvn-trivy: extends: .mvn-base @@ -196,7 +219,8 @@ mvn-trivy: - if: '$MAVEN_TRIVY_DISABLED == "true"' when: never - !reference [.test-policy, rules] - + tags: $[[ inputs.mvn-trivy-job-tags ]] + mvn-deploy-release: extends: .mvn-base image: @@ -259,6 +283,7 @@ mvn-deploy-release: - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "manual"' when: manual - if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "auto"' + tags: $[[ inputs.mvn-deploy-release-job-tags ]] # ===================================================================================================================== # === Disable Maven template jobs not required for Docker Jib pipeline @@ -268,3 +293,4 @@ mvn-deploy-release: mvn-deploy-snapshot: rules: - when: never + tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]] 
diff --git a/templates/gitlab-ci-maven.yml b/templates/gitlab-ci-maven.yml index 6fd4562d9d3012871ae676b694d4d87d54d0b5e9..164fc256b85f18b77b78fccb1a0075844ccbd282 100644 --- a/templates/gitlab-ci-maven.yml +++ b/templates/gitlab-ci-maven.yml @@ -128,6 +128,41 @@ spec: mvn-semrel-release-disabled: description: Disable semantic-release integration default: '' + mvn-build-job-tags: + description: tags to filter applicable runners for mvn-build job + type: array + default: [] + mvn-sonar-job-tags: + description: tags to filter applicable runners for mvn-sonar job + type: array + default: [] + mvn-dependency-check-job-tags: + description: tags to filter applicable runners for mvn-dependency-check job + type: array + default: [] + mvn-no-snapshot-deps-job-tags: + description: tags to filter applicable runners for mvn-no-snapshot-deps job + type: array + default: [] + mvn-sbom-job-tags: + description: tags to filter applicable runners for mvn-sbom job + type: array + default: [] + mvn-deploy-snapshot-job-tags: + description: tags to filter applicable runners for mvn-deploy-snapshot job + type: array + default: [] + mvn-deploy-release-job-tags: + description: tags to filter applicable runners for mvn-deploy-release job + type: array + default: [] + mvn-release-job-tags: + description: tags to filter applicable runners for mvn-release job + type: array + default: [] + + + --- # default workflow rules: Merge Request pipelines workflow: @@ -633,6 +668,7 @@ mvn-build: # version may have been altered - "${MAVEN_PROJECT_DIR}/**/pom.xml" - "${MAVEN_PROJECT_DIR}/**/target" + tags: $[[ inputs.mvn-build-job-tags ]] # Sonar job mvn-sonar: @@ -671,6 +707,7 @@ mvn-sonar: - if: '($SONAR_HOST_URL == null || $SONAR_HOST_URL == "") && ($SONAR_URL == null || $SONAR_URL == "")' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.mvn-sonar-job-tags ]] mvn-dependency-check: extends: .mvn-base 
@@ -696,6 +733,7 @@ mvn-dependency-check: # all other cases: manual & non-blocking - when: manual allow_failure: true + tags: $[[ inputs.mvn-dependency-check-job-tags ]] mvn-no-snapshot-deps: extends: .mvn-base @@ -708,6 +746,7 @@ mvn-no-snapshot-deps: - if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.mvn-no-snapshot-deps-job-tags ]] mvn-sbom: extends: .mvn-base @@ -731,6 +770,7 @@ mvn-sbom: - if: '$MAVEN_SBOM_DISABLED == "true"' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.mvn-sbom-job-tags ]] mvn-deploy-snapshot: extends: .mvn-base @@ -746,6 +786,7 @@ mvn-deploy-snapshot: when: never # exclude unprotected ref if disabled - if: '$MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED != "true" || $CI_COMMIT_REF_PROTECTED == "true"' + tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]] mvn-deploy-release: extends: .mvn-base @@ -758,6 +799,7 @@ mvn-deploy-release: when: never # on tag with release pattern: auto - if: '$CI_COMMIT_TAG =~ $RELEASE_REF' + tags: $[[ inputs.mvn-deploy-release-job-tags ]] mvn-release: extends: .mvn-base @@ -796,3 +838,4 @@ mvn-release: - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF' when: manual allow_failure: true + tags: $[[ inputs.mvn-release-job-tags ]]
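Review bot: in the README hunk at `@@ -81,6 +81,7 @@` (and the seven sibling rows added further down), each new row documents a CI variable next to the input, e.g. `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS`, but no template hunk in this patch reads that variable: every job only gets `tags: $[[ inputs.mvn-build-job-tags ]]`, and no `variables:` entry maps the input to `MVN_BUILD_JOB_TAGS`. Either wire the variable in the templates or document only the input, so a user who sets `MVN_BUILD_JOB_TAGS` in project settings is not left with a setting that silently has no effect; a `[]` default also cannot hold for a CI variable, which is a string, so the "Default value" column only makes sense for the input.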
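Review bot: the row added in the README hunk at `@@ -500,6 +509,7 @@` (`mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS`, Jib build and publish table) repeats, with the same description, the row already added to the build table in the `@@ -81,6 +81,7 @@` hunk. If the Jib template's `mvn-build-job-tags` is a distinct input that has to be passed when including `gitlab-ci-maven-jib.yml`, state that in the description; otherwise drop the duplicate. The Jib template also declares `mvn-sbom-job-tags`, `mvn-deploy-release-job-tags` and `mvn-deploy-snapshot-job-tags`, which this table does not mention, so the Jib section is inconsistent about which inputs it lists.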
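Review bot: in the `kicker.json` hunk at `@@ -47,6 +47,62 @@` all eight `name` fields carry a doubled prefix (`MVN_MVN_BUILD_JOB_TAGS`, `MVN_MVN_SONAR_JOB_TAGS`, …, `MVN_MVN_RELEASE_JOB_TAGS`) whereas the README rows in the same patch document `MVN_BUILD_JOB_TAGS`, `MVN_SONAR_JOB_TAGS`, and so on. Anything generated from these entries will therefore produce names that neither the README nor the templates know. Rename all eight to the single `MVN_` prefix, e.g. `"name": "MVN_BUILD_JOB_TAGS"`.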
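Review bot: the `kicker.json` hunk at `@@ -304,6 +360,41 @@` has the same doubled `MVN_MVN_` prefix in its five Jib entries (`MVN_MVN_BUILD_JOB_TAGS` through `MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS`) and should be renamed to match the README's `MVN_*_JOB_TAGS` names. In addition, `MVN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS` describes a job that the Jib template forces to `when: never` (see the `mvn-deploy-snapshot:` hunk in `templates/gitlab-ci-maven-jib.yml`), so exposing it here only invites users to configure a runner selection that can never take effect; consider dropping that entry.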
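Review bot: in the `templates/gitlab-ci-maven-jib.yml` spec hunk at `@@ -53,6 +53,27 @@`, the five new descriptions start in lowercase (`description: tags to filter applicable runners for mvn-build job`) while the neighbouring `sbom-opts` description starts with a capital (`Options for syft used for SBOM analysis`); capitalise them for consistency, since these strings surface in the rendered input documentation.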
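Review bot: the `templates/gitlab-ci-maven-jib.yml` hunk at `@@ -268,3 +293,4 @@` adds `tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]` to `mvn-deploy-snapshot`, whose only rule is `- when: never` under the comment "Disable Maven template jobs not required for Docker Jib pipeline". That is dead configuration: the job never runs, so the tags never select a runner. Drop this line together with the `mvn-deploy-snapshot-job-tags` input declared in the spec hunk of the same file (or remove the `when: never` override if the job is actually meant to run in Jib pipelines).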
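Review bot: in the `templates/gitlab-ci-maven.yml` spec hunk at `@@ -128,6 +128,41 @@`, three blank lines are added between the last input (`mvn-release-job-tags`) and the `---` document separator; keep a single blank line as elsewhere in the file. The eight new descriptions also start in lowercase (`tags to filter applicable runners for mvn-build job`) while the existing `mvn-semrel-release-disabled` description reads `Disable semantic-release integration`; capitalise them to match.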