diff --git a/README.md b/README.md index 6272346239d41079a87fb48521e15e2d647c0f2f..9e19768fb95b5be85e4f382d120af2dd7f49eaba 100644 --- a/README.md +++ b/README.md @@ -98,6 +98,7 @@ It is bound to the `build` stage, and uses the following variable: | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------- | | `lint-enabled` / `NODE_LINT_ENABLED` | Set to `true` to enable lint analysis | _none_ (disabled) | | `lint-args` / `NODE_LINT_ARGS` | npm [run script](https://docs.npmjs.com/cli/v8/commands/npm-run-script) arguments to execute the lint analysis <br/> yarn [run script](https://classic.yarnpkg.com/en/docs/cli/run) arguments to execute the lint analysis <br/> pnpm [run script](https://pnpm.io/cli/run) arguments to execute the lint analysis | `run lint` | +| `node-lint-job-tags` / `NODE_LINT_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | The job generates a lint report that you will find here: `NODE_PROJECT_DIR/reports/node-lint.xslint.json`. 
@@ -116,6 +117,7 @@ This job is bound to the `build` stage, and uses the following variables: | `build-dir` / `NODE_BUILD_DIR` | Variable to define build directory | `dist` | | `build-args` / `NODE_BUILD_ARGS` | npm [run script](https://docs.npmjs.com/cli/v8/commands/npm-run-script) arguments <br/> yarn [run script](https://classic.yarnpkg.com/en/docs/cli/run) arguments <br/> pnpm [run script](https://pnpm.io/cli/run) arguments <br/>⚠ default value should be overridden for `pnpm` as `--prod` is not a valid option. | `run build --prod` | | `test-args` / `NODE_TEST_ARGS` | npm [test](https://docs.npmjs.com/cli/v8/commands/npm-test) arguments <br/> yarn [test](https://classic.yarnpkg.com/en/docs/cli/test) arguments <br/> pnpm [test](https://pnpm.io/cli/test) arguments | `test -- --coverage` | +| `node-build-job-tags` / `NODE_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | #### Unit Tests and Code Coverage reports @@ -348,6 +350,7 @@ In addition to a textual report in the console, this job produces the following | Report | Format | Usage | | ------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `$NODE_PROJECT_DIR/reports/npm-audit.native.json` | [JSON](https://docs.npmjs.com/cli/v9/commands/npm-audit#json) | [DefectDojo integration](https://documentation.defectdojo.com/integrations/parsers/#npm-audit)<br/>_This report is generated only if DefectDojo template is detected, if needed, you can force it with `$DEFECTDOJO_NPMAUDIT_REPORTS`_ | +| `node-audit-jobs-tags` / `NODE_AUDIT_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | ### `node-outdated` job 
@@ -359,6 +362,7 @@ It is bound to the `test` stage. | ---------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | | `outdated-disabled` / `NODE_OUTDATED_DISABLED` | Set to `true` to disable npm outdated | _none_ (enabled) | | `outdated-args` / `NODE_OUTDATED_ARGS` | npm [outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated) arguments <br/> yarn [outdated](https://classic.yarnpkg.com/lang/en/docs/cli/outdated/) arguments <br/> pnpm [outdated](https://pnpm.io/cli/outdated) arguments | `--long` | +| `node-outdated-job-tags` / `NODE_OUTDATED_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | The job generates an outdated report that you will find here: `NODE_PROJECT_DIR/reports/npm-outdated-report.json`. 
@@ -376,6 +380,7 @@ It is bound to the `test` stage, and uses the following variables: | `semgrep-rules` / `NODE_SEMGREP_RULES` | Space-separated list of [Semgrep rules](https://semgrep.dev/docs/running-rules).<br/>Can be both local YAML files or remote rules from the [Semgrep Registry](https://semgrep.dev/explore) (denoted by the `p/` prefix). | `p/javascript p/eslint p/gitlab-eslint` | | `semgrep-registry-base-url` / `NODE_SEMGREP_REGISTRY_BASE_URL` | The Semgrep Registry base URL that is used to download the rules. No trailing slash. | `https://semgrep.dev/c` | | `semgrep-download-rules-enabled` / `NODE_SEMGREP_DOWNLOAD_RULES_ENABLED` | Download Semgrep remote rules | `true` | +| `node-semgrep-job-tags` / `NODE_SEMGREP_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | > :information_source: Semgrep may [collect some metrics](https://semgrep.dev/docs/metrics), especially when using rules from the Semgrep Registry. > To protect your privacy and let you run Semgrep in air-gap environments, this template disables all Semgrep metrics by default: @@ -402,6 +407,7 @@ It is bound to the `test` stage, and uses the following variables: | `sbom-disabled` / `NODE_SBOM_DISABLED` | Set to `true` to disable this job | _none_ | | `sbom-version` / `NODE_SBOM_VERSION` | The version of @cyclonedx/cyclonedx-npm used to emit SBOM | _none_ (uses latest) | | `sbom-opts` / `NODE_SBOM_OPTS` | Options for @cyclonedx/cyclonedx-npm used for SBOM analysis | `--omit dev` | +| `node-sbom-job-tags` / `NODE_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | ### `node-publish` job 
@@ -417,6 +423,7 @@ It uses the following variables: | `publish-enabled` / `NODE_PUBLISH_ENABLED` | Set to `true` to enable the publish job | _none_ (disabled) | | `publish-args` / `NODE_PUBLISH_ARGS` | npm [publish](https://docs.npmjs.com/cli/v8/commands/npm-publish) extra arguments<br/>yarn [publish](https://classic.yarnpkg.com/lang/en/docs/cli/publish/) extra arguments <br/>pnpm [publish](https://pnpm.io/cli/publish) extra arguments | _none_ | | :lock: `NODE_PUBLISH_TOKEN` | npm publication registry authentication token | _none_ | +| `node-publish-job-tags` / `NODE_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | [] | #### Configure the target registry diff --git a/kicker.json b/kicker.json index fe6d12dbc5bfbf832a72c3155a0b172ffceadb01..0304be1a9658936d2f7311dbe895fc1be2b90b84 100644 --- a/kicker.json +++ b/kicker.json @@ -71,8 +71,15 @@ "name": "NODE_INSTALL_EXTRA_OPTS", "description": "Extra options to install project dependencies (either [`npm ci`](https://docs.npmjs.com/cli/ci.html/), [`yarn install`](https://yarnpkg.com/cli/install) or [`pnpm install`](https://pnpm.io/cli/install))", "advanced": true + }, + { + "name": "NODE_BUILD_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } - ], +], "features": [ { "id": "node-lint", @@ -85,6 +92,13 @@ "description": "npm [run script](https://docs.npmjs.com/cli/v8/commands/npm-run-script) arguments to execute the lint analysis - yarn [run script](https://classic.yarnpkg.com/en/docs/cli/run) arguments to execute the lint analysis - pnpm [run script](https://pnpm.io/cli/run) arguments to execute the lint analysis", "default": "run lint", "advanced": true + }, + { + "name": "NODE_LINT_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] }, 
@@ -98,6 +112,13 @@ "name": "NODE_AUDIT_ARGS", "description": "npm [audit](https://docs.npmjs.com/cli/v8/commands/npm-audit) arguments - yarn [audit](https://classic.yarnpkg.com/en/docs/cli/audit) arguments - [pnpm audit](https://pnpm.io/cli/audit) arguments", "default": "--audit-level=low" + }, + { + "name": "NODE_AUDIT_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] }, @@ -111,6 +132,13 @@ "name": "NODE_OUTDATED_ARGS", "description": "npm [outdated](https://docs.npmjs.com/cli/v8/commands/npm-outdated) arguments - yarn [outdated](https://classic.yarnpkg.com/lang/en/docs/cli/outdated/) arguments - pnpm [outdated](https://pnpm.io/cli/outdated) arguments", "default": "--long" + }, + { + "name": "NODE_OUTDATED_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] }, @@ -145,6 +173,13 @@ "description": "Download Semgrep remote rules", "type": "boolean", "default": "true" + }, + { + "name": "NODE_PUBLISH_SEMGREP_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] }, @@ -164,6 +199,13 @@ "description": "Options for @cyclonedx/cyclonedx-npm used for SBOM analysis", "default": "--omit dev", "advanced": true + }, + { + "name": "NODE_SBOM_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] }, @@ -182,6 +224,13 @@ "name": "NODE_PUBLISH_TOKEN", "description": "npm publication registry authentication token", "secret": true + }, + { + "name": "NODE_PUBLISH_JOB_TAGS", + "description": "Tags to be used for selecting runners for the job", + "type": "array", + "default": [], + "advanced": true } ] } 
diff --git a/templates/gitlab-ci-node.yml b/templates/gitlab-ci-node.yml index a76f58a8cf614dda0c07f444fc3fc5bfe2147947..b1f29378bc0a443cd3a1f1e048fb97aaa56ec95e 100644 --- a/templates/gitlab-ci-node.yml +++ b/templates/gitlab-ci-node.yml @@ -120,6 +120,31 @@ spec: publish-args: description: npm [publish](https://docs.npmjs.com/cli/v8/commands/npm-publish) extra arguments - yarn [publish](https://classic.yarnpkg.com/lang/en/docs/cli/publish/) extra arguments - pnpm [publish](https://pnpm.io/cli/publish) extra arguments default: '' + node-build-job-tags: + description: tags to filter applicable runners for node-build job + type: array + default: [] + node-lint-job-tags: + description: tags to filter applicable runners for node-lint job + type: array + default: [] + node-audit-job-tags: + description: tags to filter applicable runners for node-audit job + type: array + default: [] + node-outdated-job-tags: + description: tags to filter applicable runners for node-outdated job + type: array + default: [] + node-sbom-job-tags: + description: tags to filter applicable runners for node-sbom job + type: array + default: [] + node-publish-job-tags: + description: tags to filter applicable runners for node-publish job + type: array + default: [] + --- workflow: rules: @@ -736,6 +761,7 @@ node-audit: - if: '$NODE_AUDIT_DISABLED == "true"' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.node-audit-job-tags ]] # outdated node-outdated: @@ -765,6 +791,7 @@ node-outdated: # on non-production, non-integration branches: manual & non-blocking - when: manual allow_failure: true + tags: $[[ inputs.node-outdated-job-tags ]] # SAST: Semgrep node-semgrep: @@ -797,6 +824,7 @@ node-semgrep: - if: '$NODE_SEMGREP_DISABLED == "true"' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.node-semgrep-job-tags ]] node-sbom: extends: .node-base 
@@ -827,6 +855,7 @@ node-sbom: - if: '$NODE_SBOM_DISABLED == "true"' when: never - !reference [.test-policy, rules] + tags: $[[ inputs.node-sbom-job-tags ]] node-publish: extends: .node-base @@ -841,3 +870,4 @@ node-publish: when: never # on tag with release pattern: auto - if: '$CI_COMMIT_TAG =~ $RELEASE_REF' + tags: $[[ inputs.node-publish-job-tags ]] \ No newline at end of file
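Review bot: In the README.md hunk at `@@ -348,6 +350,7`, the new row `node-audit-jobs-tags` / `NODE_AUDIT_JOB_TAGS` is appended to the reports table (columns Report | Format | Usage), not to the `node-audit` variables table, so the description lands in the Format column. The input name is also spelled `node-audit-jobs-tags`, while the template spec declares `node-audit-job-tags`. Move the row to the job's variables table and correct the name.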
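Review bot: The other README.md rows document a `NODE_*_JOB_TAGS` variable next to each input, but no visible hunk in templates/gitlab-ci-node.yml defines or reads those variables; the jobs only use `$[[ inputs.node-…-job-tags ]]`. Either wire the variables up or drop them from the table. The new inputs also carry a `node-` prefix that the neighbouring inputs (`lint-args`, `build-dir`, `outdated-args`, `sbom-opts`, `publish-args`) do not have, and the default `[]` is not in backticks like the other defaults.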
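Review bot: In the kicker.json hunk at `@@ -71,8 +71,15`, the closing bracket of the variables array changes from an indented `],` to a `],` at column 0. That is an unrelated whitespace change that breaks the file's indentation; keep the original indentation and only add the `NODE_BUILD_JOB_TAGS` object.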
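Review bot: In the kicker.json hunk at `@@ -145,6 +173,13`, the variable added after "Download Semgrep remote rules" is named `NODE_PUBLISH_SEMGREP_TAGS`, which does not follow the pattern of the other entries and does not match the `NODE_SEMGREP_JOB_TAGS` name documented in the README. It looks like a copy-paste slip; rename it to `NODE_SEMGREP_JOB_TAGS`.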
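Review bot: The spec hunk at `@@ -120,6 +120,31` in templates/gitlab-ci-node.yml declares six inputs but omits `node-semgrep-job-tags`, while the `node-semgrep` job hunk adds `tags: $[[ inputs.node-semgrep-job-tags ]]`, so that job references an undeclared input. Add the missing input to the spec. Conversely, `node-build-job-tags` and `node-lint-job-tags` are declared but no visible hunk adds a `tags:` line to the build or lint jobs; add those lines or drop the inputs. The blank line inserted before `---` can also go.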
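Review bot: The final hunk's `tags: $[[ inputs.node-publish-job-tags ]]` line leaves the template without a trailing newline (`\ No newline at end of file`); add one. Because `node-publish` is the job that uses `NODE_PUBLISH_TOKEN`, and the `[]` default does not restrict the job by tag, the README row for `node-publish-job-tags` should state that this input is how to pin publishing to a dedicated runner rather than reuse the generic "Tags to be used for selecting runners for the job" text.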