Merge branch 'initial' into 'master'

initial template See merge request to-be-continuous/renovate!1

Merge branch 'initial' into 'master'
c129edab · Pierre Smeyers · b5deb6e1 · b3b3d27e · c129edab · c129edab
Commit c129edab authored 1 year ago by Pierre Smeyers
--- a/.gitignore
+++ b/.gitignore
+.idea
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+include:
+  - project: 'to-be-continuous/tools/gitlab-ci'
+    ref: 'master'
+    file: '/templates/extract.yml'
+  - project: 'to-be-continuous/tools/gitlab-ci'
+    ref: 'master'
+    file: '/templates/validation.yml'
+  - project: 'to-be-continuous/kicker'
+    ref: 'master'
+    file: '/templates/validation.yml'
+  - project: 'to-be-continuous/bash'
+    ref: '3.2'
+    file: 'templates/gitlab-ci-bash.yml'
+  - project: 'to-be-continuous/semantic-release'
+    ref: '3.6'
+    file: '/templates/gitlab-ci-semrel.yml'
+
+stages:
+  - build
+  - publish
+
+variables:
+  GITLAB_CI_FILES: "templates/gitlab-ci-renovate.yml"
+  BASH_SHELLCHECK_FILES: "*.sh"
+
+semantic-release:
+  rules:
+    # on production branch(es): auto if SEMREL_AUTO_RELEASE_ENABLED
+    - if: '$TMPL_RELEASE_ENABLED == "true" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
--- a/.gitlab/issue_templates/feature_request.md
+++ b/.gitlab/issue_templates/feature_request.md
@@ -5,7 +5,7 @@
 ## Implementation ideas

 (If you have any implementation ideas, they can go here.)
-(Any design change proposal could be also discussed on the _to be continuous_ Google Group: https://groups.google.com/g/tbc-dev.)
+(Any design change proposal could be also discussed on the _to be continuous_ Discord server.)


 /label ~"kind/enhancement" ~"status/needs-investigation"
--- a/.releaserc.yml
+++ b/.releaserc.yml
+plugins: [
+  "@semantic-release/commit-analyzer",
+  "@semantic-release/release-notes-generator",
+  "@semantic-release/gitlab",
+  "@semantic-release/changelog",    
+  [
+    "@semantic-release/exec",
+    {
+      "prepareCmd": "./bumpversion.sh \"${lastRelease.version}\" \"${nextRelease.version}\" \"${nextRelease.type}\"",
+      "successCmd": "./post-release.sh \"${nextRelease.version}\""
+    }
+  ],
+  [
+    "@semantic-release/git",
+    {
+      "assets": ["*.md", "templates/*.yml"]
+    }
+  ]
+]
+branches:
+  - "master"
+tagFormat: "${version}"
\ No newline at end of file
--- a/CONTRIBUTE.md
+++ b/CONTRIBUTE.md
@@ -5,6 +5,8 @@ We try to make it easy, and all contributions, even the smaller ones, are more t
 This includes bug reports, fixes, documentation, examples...
 But first, read this page (including the small print at the end).

+Contributions are available on https://gitlab.com/to-be-continuous/renovate
+
 ## Legal

 All original contributions to _to be continuous_ are licensed under the

--- a/README.md
+++ b/README.md
-# GitLab CI template Skeleton
+# GitLab CI template for Renovate

-This is a skeleton project for starting a new _to be continuous_ template.
+Automate your dependency updates with [Renovate](https://www.mend.io/renovate/).

-You shall fork it when you want to start developing a new template.
+## Usage

-Based on the kind of template (build, analyse, hosting, acceptance, ...), you should start working from one of the available `initial-xxx` branches, that each implement basic stuff.
+In order to include this template in your project, add the following to your `gitlab-ci.yml`:

+```yaml
+include:
+  - project: 'to-be-continuous/renovate'
+    ref: '1.0.0'
+    file: '/templates/gitlab-ci-renovate.yml'
+```
+
+## Configuration
+
+The Renovate template uses some global configuration used throughout all jobs.
+
+| Name                   | description                                                                     | default value     |
+|------------------------|---------------------------------------------------------------------------------|-------------------|
+| `RENOVATE_IMAGE`       | The Docker image used to run Renovate                                           | `registry.hub.docker.com/renovate/renovate:latest` |
+| :lock: `RENOVATE_TOKEN`| A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication) | _none_ |
+| :lock: `GITHUB_COM_TOKEN`| A GitHub access token to allow Renovate fetch changelogs. [See doc](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs) | _none_ |
+
+This template will help you using [Renovate](https://www.mend.io/renovate/) from a GitLab project to
+automate your dependency updates within your groups or projects.
+On the contrary to other to-be-continuous templates, this one should be used in a separate project that
+will be in charge of crawling all your other projects.
+
+Upon including the template, carefuly follow [Renovate's documentation](https://docs.renovatebot.com/) to
+configure the bot accordingly. Pay attention to the following:
+
+* Remember to set the [platform](https://docs.renovatebot.com/self-hosted-configuration/#platform) parameter
+  to `gitlab` in your configuration.
+* [GitLab platform integration](https://docs.renovatebot.com/modules/platform/gitlab/) requires that you
+  declare a `RENOVATE_TOKEN` variable with an access token.
+* You'll also probaly need to declare a `GITHUB_COM_TOKEN` variable, holding a GitHub access token 
+  (for [fetching changelogs](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs))
--- a/Renovate.r2.yml
+++ b/Renovate.r2.yml
+files:
+    template: ./templates/gitlab-ci-renovate.yml
+    documentation: ./README.md
+    changelog: ./CHANGELOG.md
+data:
+    description: "Automate your dependency updates with Renovate"
+    public: true
+    labels:
+    - to be continuous
+    - Renovate
+    - Dependency Updates
+    license: LGPL v3
+    deprecated: false
\ No newline at end of file
--- a/SECURITY.md
+++ b/SECURITY.md
+# Security Policy
+
+## Supported Versions
+
+Security fixes and updates are only applied to the latest released version. So always try to be up to date.
+
+## Reporting a Vulnerability
+
+In order to minimize risks of attack while investigating and fixing the issue, any vulnerability shall be reported by 
+opening a [**confidential** issue on gitlab.com](https://gitlab.com/to-be-continuous/renovate/-/issues/new?issue[confidential]=true&issue[description]=%28type+in+the+vulnerability+details+here%29%0A%0A%2Flabel%20~%22kind%3A%3Avulnerability%22).
+
+Follow-up and fixing will be made on a _best effort_ basis.
+
+If you have doubts about a potential vulnerability, please reach out one of the maintainers on Discord.
--- a/bumpversion.sh
+++ b/bumpversion.sh
+#!/usr/bin/env bash
+
+function log_info() {
+  >&2 echo -e "[\\e[1;94mINFO\\e[0m] $*"
+}
+
+function log_warn() {
+  >&2 echo -e "[\\e[1;93mWARN\\e[0m] $*"
+}
+
+function log_error() {
+  >&2 echo -e "[\\e[1;91mERROR\\e[0m] $*"
+}
+
+# check number of arguments
+if [[ "$#" -le 2 ]]; then
+  log_error "Missing arguments"
+  log_error "Usage: $0 <current version> <next version>"
+  exit 1
+fi
+
+curVer=$1
+nextVer=$2
+relType=$3
+
+if [[ "$curVer" ]]; then
+  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
+
+  # replace in README
+  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  mv -f README.md.next README.md
+
+  # replace in template and variants
+  for tmpl in templates/*.yml
+  do
+    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    mv -f "$tmpl.next" "$tmpl"
+  done
+else
+  log_info "Bump version to \\e[33;1m${nextVer}\\e[0m (release type: $relType): this is the first release (skip)..."
+fi
--- a/kicker.json
+++ b/kicker.json
+{
+  "name": "Renovate",
+  "description": "Automate your dependency updates with [Renovate](https://www.mend.io/renovate/)",
+  "template_path": "templates/gitlab-ci-renovate.yml",
+  "kind": "misc",
+  "variables": [
+    {
+      "name": "RENOVATE_IMAGE",
+      "description": "The Docker image used to run Renovate",
+      "default": "registry.hub.docker.com/renovate/renovate:latest"
+    },
+    {
+      "name": "RENOVATE_TOKEN",
+      "description": "A GitLab access token to allow Renovate crawl your projects. [See doc](https://docs.renovatebot.com/modules/platform/gitlab/#authentication)",
+      "secret": true
+    },
+    {
+      "name": "GITHUB_COM_TOKEN",
+      "description": "A GitHub access token to allow Renovate fetch changelogs. [See doc](https://docs.renovatebot.com/getting-started/running/#githubcom-token-for-changelogs)",
+      "secret": true
+    }
+  ]
+}
--- a/logo.png
+++ b/logo.png
--- a/post-release.sh
+++ b/post-release.sh
+#!/usr/bin/env bash
+
+function log_info() {
+  >&2 echo -e "[\\e[1;94mINFO\\e[0m] $*"
+}
+
+function log_warn() {
+  >&2 echo -e "[\\e[1;93mWARN\\e[0m] $*"
+}
+
+function log_error() {
+  >&2 echo -e "[\\e[1;91mERROR\\e[0m] $*"
+}
+
+# check number of arguments
+if [[ "$#" -lt 1 ]]; then
+  log_error "Missing arguments"
+  log_error "Usage: $0 <next version>"
+  exit 1
+fi
+
+nextVer=$1
+minorVer=${nextVer%\.[0-9]*}
+majorVer=${nextVer%\.[0-9]*\.[0-9]*}
+
+log_info "Creating minor version tag alias \\e[33;1m${minorVer}\\e[0m from $nextVer..."
+git tag --force -a "$minorVer" "$nextVer" -m "Minor version alias (targets $nextVer)"
+
+log_info "Creating major version tag alias \\e[33;1m${majorVer}\\e[0m from $nextVer..."
+git tag --force -a "$majorVer" "$nextVer" -m "Major version alias (targets $nextVer)"
+
+log_info "Pushing tags..."
+git_base_url=$(echo "$CI_REPOSITORY_URL" | cut -d\@ -f2)
+git_auth_url="https://token:${GITLAB_TOKEN}@${git_base_url}"
+git push --tags --force "$git_auth_url"
--- a/templates/gitlab-ci-renovate.yml
+++ b/templates/gitlab-ci-renovate.yml
+# =========================================================================================
+# Copyright (C) 2021 Orange & contributors
+#
+# This program is free software; you can redistribute it and/or modify it under the terms
+# of the GNU Lesser General Public License as published by the Free Software Foundation;
+# either version 3 of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# See the GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License along with this
+# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
+# Floor, Boston, MA  02110-1301, USA.
+# =========================================================================================
+# default workflow rules: Merge Request pipelines
+workflow:
+  rules:
+    # prevent branch pipeline when an MR is open (prefer MR pipeline)
+    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*tag(,[^],]*)*\]/" && $CI_COMMIT_TAG'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*branch(,[^],]*)*\]/" && $CI_COMMIT_BRANCH'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*mr(,[^],]*)*\]/" && $CI_MERGE_REQUEST_ID'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*default(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $CI_DEFAULT_BRANCH'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*prod(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $PROD_REF'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*integ(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME =~ $INTEG_REF'
+      when: never
+    - if: '$CI_COMMIT_MESSAGE =~ "/\[(ci skip|skip ci) on ([^],]*,)*dev(,[^],]*)*\]/" && $CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'
+      when: never
+    - when: always
+
+
+variables:
+  # variabilized tracking image
+  TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"
+
+  RENOVATE_IMAGE: "registry.hub.docker.com/renovate/renovate:latest"
+  RENOVATE_ENDPOINT: $CI_API_V4_URL
+  
+  RENOVATE_LOG_FILE: renovate-log.ndjson
+  RENOVATE_AUTODISCOVER_FILTER: '${CI_PROJECT_ROOT_NAMESPACE}/**'
+  RENOVATE_BINARY_SOURCE: install
+  RENOVATE_LOG_FILE_LEVEL: debug
+  LOG_LEVEL: info
+
+.renovate-scripts: &renovate-scripts |
+  # BEGSCRIPT
+  set -e
+
+  function log_info() {
+      echo -e "[\\e[1;94mINFO\\e[0m] $*"
+  }
+
+  function log_warn() {
+      echo -e "[\\e[1;93mWARN\\e[0m] $*"
+  }
+
+  function log_error() {
+      echo -e "[\\e[1;91mERROR\\e[0m] $*"
+  }
+
+  function assert_defined() {
+    if [[ -z "$1" ]]
+    then
+      log_error "$2"
+      exit 1
+    fi
+  }
+
+  function install_ca_certs() {
+    certs=$1
+    if [[ -z "$certs" ]]
+    then
+      return
+    fi
+
+    if [[ ! "$(whoami)" == "root" ]]
+    then
+      log_warn "can't install custom CA certificates (not root user); make sure to handle it"
+      return
+    fi
+
+    # List of typical bundles
+    bundles="/etc/ssl/certs/ca-certificates.crt"                            # Debian/Ubuntu/Gentoo etc.
+    bundles="${bundles} /etc/ssl/cert.pem"                                  # Alpine Linux
+    bundles="${bundles} /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # CentOS/RHEL 7
+    bundles="${bundles} /etc/pki/tls/certs/ca-bundle.crt"                   # Fedora/RHEL 6
+    bundles="${bundles} /etc/ssl/ca-bundle.pem"                             # OpenSUSE
+    bundles="${bundles} /etc/pki/tls/cacert.pem"                            # OpenELEC
+
+    # Try to find the right bundle to update it with custom CA certificates
+    for bundle in ${bundles}
+    do
+      # import if bundle exists
+      if [[ -f "${bundle}" ]]
+      then
+        # Import certificates in bundle
+        echo "${certs}" | tr -d '\r' >> "${bundle}"
+
+        log_info "Custom CA certificates imported in \\e[33;1m${bundle}\\e[0m"
+        ca_imported=1
+        break
+      fi
+    done
+
+    if [[ -z "$ca_imported" ]]
+    then
+      log_warn "Could not import custom CA certificates !"
+    fi
+  }
+
+  function unscope_variables() {
+    _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)
+    if [[ -z "$_scoped_vars" ]]; then return; fi
+    log_info "Processing scoped variables..."
+    for _scoped_var in $_scoped_vars
+    do
+      _fields=${_scoped_var//__/:}
+      _condition=$(echo "$_fields" | cut -d: -f3)
+      case "$_condition" in
+      if) _not="";;
+      ifnot) _not=1;;
+      *)
+        log_warn "... unrecognized condition \\e[1;91m$_condition\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+        continue
+      ;;
+      esac
+      _target_var=$(echo "$_fields" | cut -d: -f2)
+      _cond_var=$(echo "$_fields" | cut -d: -f4)
+      _cond_val=$(eval echo "\$${_cond_var}")
+      _test_op=$(echo "$_fields" | cut -d: -f5)
+      case "$_test_op" in
+      defined)
+        if [[ -z "$_not" ]] && [[ -z "$_cond_val" ]]; then continue;
+        elif [[ "$_not" ]] && [[ "$_cond_val" ]]; then continue;
+        fi
+        ;;
+      equals|startswith|endswith|contains|in|equals_ic|startswith_ic|endswith_ic|contains_ic|in_ic)
+        # comparison operator
+        # sluggify actual value
+        _cond_val=$(echo "$_cond_val" | tr '[:punct:]' '_')
+        # retrieve comparison value
+        _cmp_val_prefix="scoped__${_target_var}__${_condition}__${_cond_var}__${_test_op}__"
+        _cmp_val=${_scoped_var#"$_cmp_val_prefix"}
+        # manage 'ignore case'
+        if [[ "$_test_op" == *_ic ]]
+        then
+          # lowercase everything
+          _cond_val=$(echo "$_cond_val" | tr '[:upper:]' '[:lower:]')
+          _cmp_val=$(echo "$_cmp_val" | tr '[:upper:]' '[:lower:]')
+        fi
+        case "$_test_op" in
+        equals*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val" ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val" ]]; then continue;
+          fi
+          ;;
+        startswith*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val"* ]]; then continue;
+          fi
+          ;;
+        endswith*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val" ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val" ]]; then continue;
+          fi
+          ;;
+        contains*)
+          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val"* ]]; then continue;
+          fi
+          ;;
+        in*)
+          if [[ -z "$_not" ]] && [[ "__${_cmp_val}__" != *"__${_cond_val}__"* ]]; then continue;
+          elif [[ "$_not" ]] && [[ "__${_cmp_val}__" == *"__${_cond_val}__"* ]]; then continue;
+          fi
+          ;;
+        esac
+        ;;
+      *)
+        log_warn "... unrecognized test operator \\e[1;91m${_test_op}\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"
+        continue
+        ;;
+      esac
+      # matches
+      _val=$(eval echo "\$${_target_var}")
+      log_info "... apply \\e[32m${_target_var}\\e[0m from \\e[32m\$${_scoped_var}\\e[0m${_val:+ (\\e[33;1moverwrite\\e[0m)}"
+      _val=$(eval echo "\$${_scoped_var}")
+      export "${_target_var}"="${_val}"
+    done
+    log_info "... done"
+  }
+
+  unscope_variables
+
+  # ENDSCRIPT
+
+stages:
+  - build
+  - test
+  - package-build
+  - package-test
+  - infra
+  - deploy
+  - acceptance
+  - publish
+  - infra-prod
+  - production
+
+.renovate-base:
+  image: $RENOVATE_IMAGE
+  services:
+    - name: "$TBC_TRACKING_IMAGE"
+      command: ["--service", "renovate", "1.0.0" ]
+  variables:
+    RENOVATE_BASE_DIR: $CI_PROJECT_DIR
+    RENOVATE_CACHE_DIR: $CI_PROJECT_DIR/.cache/renovate
+  # Cache downloaded dependencies and plugins between builds.
+  # To keep cache across branches add 'key: "$CI_JOB_NAME"'
+  # TODO (if necessary): define cache policy here
+  cache:
+    key: ${CI_COMMIT_REF_SLUG}-renovate
+    paths:
+      - .cache/renovate/**
+  before_script:
+    - *renovate-scripts
+    - install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
+
+# (example) validator job
+renovate-validator:
+  extends: .renovate-base
+  stage: build
+  # force no dependency
+  dependencies: []
+  script:
+    - renovate-config-validator
+
+# dependency check job: on manual or schedule (dry-run otherwise)
+renovate-depcheck:
+  extends: .renovate-base
+  stage: test
+  # force no dependency
+  dependencies: []
+  variables:
+    # dry-run by default
+    RENOVATE_DRY_RUN: "true"
+  script:
+    - renovate $RENOVATE_EXTRA_FLAGS
+  artifacts:
+    when: always
+    expire_in: 1d
+    paths:
+      - "$RENOVATE_LOG_FILE"
+  rules:
+    # not dry run on manual or schedule
+    - if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "web"'
+      variables:
+        RENOVATE_DRY_RUN: "false"
+    - if: $RENOVATE_TOKEN