feat: migrate to CI/CD component

requires GitLab 16.6 or later

feat: migrate to CI/CD component
ed6b967c · girija.saintange · Pierre Smeyers · 51ad749b · ed6b967c · ed6b967c
Commit ed6b967c authored 1 year ago by girija.saintange Committed by Pierre Smeyers 1 year ago
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -10,7 +10,7 @@ include:
    file: '/templates/validation.yml'
  - project: 'to-be-continuous/bash'
    ref: '3.3'
-    file: 'templates/gitlab-ci-bash.yml'
+    file: '/templates/gitlab-ci-bash.yml'
  - project: 'to-be-continuous/semantic-release'
    ref: '3.7'
    file: '/templates/gitlab-ci-semrel.yml'    

--- a/README.md
+++ b/README.md
@@ -7,13 +7,35 @@ security vulnerabilities as early as possible.
 ## Usage
-In order to include this template in your project, add the following to your `gitlab-ci.yml`:
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+### Use as a CI/CD component
+Add the following to your `gitlab-ci.yml`:
 ```yaml
 include:
+  # 1: include the component
+  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1
+    # 2: set/override component inputs
+    inputs:
+      host-url: https://sonarqube.acme.host # ⚠ this is only an example
+```
+### Use as a CI/CD template (legacy)
+Add the following to your `gitlab-ci.yml`:
+```yaml
+include:
+  # 1: include the template
  - project: 'to-be-continuous/sonar'
    ref: '4.1.1'
    file: '/templates/gitlab-ci-sonar.yml'
+variables:
+  # 2: set/override template variables
+  SONAR_HOST_URL: https://sonarqube.acme.host # ⚠ this is only an example
 ```
 ## SonarQube analysis job
@@ -22,17 +44,17 @@ This job performs a SonarQube analysis of your code.
 It is bound to the `test` stage, and uses the following variables:
-| Name                     | Description                     | Default value |
+| Input / Variable | Description                     | Default value |
 | ------------------------ | ------------------------------- | ----------------------------- |
-| `SONAR_SCANNER_IMAGE`    | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
+| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
-| `SONAR_HOST_URL`         | SonarQube server url            | _none_ (disabled) |
+| `host-url` / `SONAR_HOST_URL` | SonarQube server url            | _none_ (disabled) |
-| `SONAR_PROJECT_KEY`      | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
+| `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
-| `SONAR_PROJECT_NAME`     | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
+| `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
 | :lock: `SONAR_TOKEN`     | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ |
 | :lock: `SONAR_LOGIN`     | SonarQube login (depends on your authentication method)                | _none_ |
 | :lock: `SONAR_PASSWORD`  | SonarQube password (depends on your authentication method)             | _none_ |
-| `SONAR_BASE_ARGS`        | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
+| `base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
-| `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) |
+| `quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._ | _none_ (disabled) |
 ### Automatic Branch Analysis & Merge Request Analysis
@@ -65,11 +87,11 @@ This variant allows delegating your secrets management to a [Vault](https://www.
 In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
-| Name              | Description                            | Default value     |
+| Input / Variable | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
-| `VAULT_BASE_URL`  | The Vault server base API url          | _none_ |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |
-| `VAULT_OIDC_AUD`  | The `aud` claim for the JWT | `$CI_SERVER_URL` |
+| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
@@ -83,7 +105,7 @@ Then you may retrieve any of your secret(s) from Vault using the following synta
 With:
-| Name                             | Description                            |
+| Parameter                        | Description                            |
 | -------------------------------- | -------------------------------------- |
 | `secret_path` (_path parameter_) | this is your secret location in the Vault server |
 | `field` (_query parameter_)      | parameter to access a single basic field from the secret JSON payload |
@@ -93,19 +115,16 @@ With:
 ```yaml
 include:
  # main template
-  - project: 'to-be-continuous/sonar'
+  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.1.1
-    ref: '4.1.1'
-    file: '/templates/gitlab-ci-sonar.yml'
  # Vault variant
-  - project: 'to-be-continuous/sonar'
+  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.1.1
-    ref: '4.1.1'
+    inputs:
-    file: '/templates/gitlab-ci-sonar-vault.yml'
+       # audience claim for JWT
+      vault-oidc-aud: "https://vault.acme.host"
+      vault-base-url: "https://vault.acme.host/v1"
 variables:
-    # audience claim for JWT
-    VAULT_OIDC_AUD: "https://vault.acme.host"
  # Secrets managed by Vault
  SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
-    VAULT_BASE_URL: "https://vault.acme.host/v1"
  # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
 ```
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,13 +27,13 @@ if [[ "$curVer" ]]; then
  log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
  # replace in README
-  sed -e "s/ref: '$curVer'/ref: '$nextVer'/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
  mv -f README.md.next README.md
  # replace in template and variants
  for tmpl in templates/*.yml
  do
-    sed -e "s/\"$curVer\"/\"$nextVer\"/" "$tmpl" > "$tmpl.next"
+    sed -e "s/command: *\[\"--service\", \"\(.*\)\", \"$curVer\"\]/command: [\"--service\", \"\1\", \"$nextVer\"]/" "$tmpl" > "$tmpl.next"
    mv -f "$tmpl.next" "$tmpl"
  done
 else

--- a/kicker.json
+++ b/kicker.json
@@ -3,6 +3,8 @@
  "description": "Continuously inspect your codebase with [SonarQube](https://www.sonarqube.org/)",
  "template_path": "templates/gitlab-ci-sonar.yml",
  "kind": "analyse",
+  "prefix": "sonar",
+  "is_component": true,
  "variables": [
    {
      "name": "SONAR_SCANNER_IMAGE",

--- a/logo.png
+++ b/logo.png
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
 # =====================================================================================================================
 # === Vault template variant
 # =====================================================================================================================
+spec:
+  inputs:
+    vault-base-url:
+      description: The Vault server base API url
+      default: ''
+    vault-oidc-aud:
+      description: The `aud` claim for the JWT
+      default: $CI_SERVER_URL
+---
 variables:
  # variabilized vault-secrets-provider image
-  TBC_VAULT_IMAGE: "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master"
+  TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master
  # variables have to be explicitly declared in the YAML to be exported to the service
  VAULT_ROLE_ID: "$VAULT_ROLE_ID"
  VAULT_SECRET_ID: "$VAULT_SECRET_ID"
-  VAULT_OIDC_AUD: "$CI_SERVER_URL"
+  VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
+  VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
 sonar:
  services:

--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -14,6 +14,34 @@
 # Floor, Boston, MA  02110-1301, USA.
 # =========================================================================================
 # default workflow rules: Merge Request pipelines
+spec:
+  inputs:
+    scanner-image:
+      description: The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)
+      default: registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest
+    host-url:
+      description: SonarQube server url
+      default: ''
+    project-key:
+      description: SonarQube Project Key (might also be set in the `sonar-project.properties` file)
+      default: ''
+    project-name:
+      description: SonarQube Project Name (might also be set in the `sonar-project.properties` file)
+      default: ''
+    base-args:
+      description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+      default: >-
+        -Dsonar.links.homepage=${CI_PROJECT_URL}
+        -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
+        -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
+    quality-gate-enabled:
+      description: |-
+        Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.
+        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._
+      type: boolean
+      default: false
+---
 workflow:
  rules:
    # prevent branch pipeline when an MR is open (prefer MR pipeline)
@@ -56,23 +84,23 @@ workflow:
 variables:
  # variabilized tracking image
-  TBC_TRACKING_IMAGE: "registry.gitlab.com/to-be-continuous/tools/tracking:master"
+  TBC_TRACKING_IMAGE: registry.gitlab.com/to-be-continuous/tools/tracking:master
  # Sonar
-  SONAR_SCANNER_IMAGE: "registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest"
+  SONAR_SCANNER_IMAGE: $[[ inputs.scanner-image ]]
+  SONAR_HOST_URL: $[[ inputs.host-url ]]
+  SONAR_PROJECT_KEY: $[[ inputs.project-key ]]
+  SONAR_PROJECT_NAME: $[[ inputs.project-name ]]
+  SONAR_QUALITY_GATE_ENABLED: $[[ inputs.quality-gate-enabled ]]
  # Sonar base analysis default args
  # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
  # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
-  SONAR_BASE_ARGS: >-
+  SONAR_BASE_ARGS: $[[ inputs.base-args ]]
-    -Dsonar.links.homepage=${CI_PROJECT_URL}
-    -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
-    -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
  # default production ref name (pattern)
-  PROD_REF: '/^(master|main)$/'
+  PROD_REF: /^(master|main)$/
  # default integration ref name (pattern)
-  INTEG_REF: '/^develop$/'
+  INTEG_REF: /^develop$/
 stages:
  - build