# variables in the GitLab CI/CD variables:
# GITLAB_TOKEN to support the semantic-release
# DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
# TMPL_RELEASE_ENABLED to enable the semantic-release job
# TBC_NAMESPACE: smartdatalab/public/ci-cd-components
include:
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/extract.yml"
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/validation.yml"
- project: "to-be-continuous/kicker"
ref: "master"
file: "/templates/validation.yml"
- component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.6
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
gitlab-ci-lint-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
shellcheck-files: "*.sh"
- component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.7
- component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.14
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
inputs:
gitleaks-job-tags: ["docker"]
variables:
GITLAB_CI_FILES: "templates/gitlab-ci-docker.yml"
GIT_STRATEGY: clone
semantic-release:
rules:
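Review bot: Every `- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/...` include and the `tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master` input reference the moving `master` ref/tag, so the pipeline definition and the check tool can change without any change in this file, whereas the upstream includes in the same block are pinned (`@3.6`, `@2.7`, `@3.14`). If the `$TBC_NAMESPACE` lines are the new side, pin them to a release tag in the same way, e.g. `- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@<release-tag>`, and pin the image to a release tag (or digest) rather than `master`. The `semantic-release:` job body continues outside the hunk.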
......
## [6.1.7](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/6.1.6...6.1.7) (2025-05-07)
### Bug Fixes
* install custom CA certs before awk ([45b8cb3](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/45b8cb399cd5f73455d5e2be81f51e1672b46823))
## [6.1.7](https://gitlab.com/to-be-continuous/docker/compare/6.1.6...6.1.7) (2025-04-25)
### Bug Fixes
* install custom CA certs before awk ([45b8cb3](https://gitlab.com/to-be-continuous/docker/commit/45b8cb399cd5f73455d5e2be81f51e1672b46823))
## [6.1.6](https://gitlab.com/to-be-continuous/docker/compare/6.1.5...6.1.6) (2025-04-18)
......@@ -45,7 +59,19 @@
### Features
* disable tracking service by default ([4fa3b0e](https://gitlab.com/to-be-continuous/docker/commit/4fa3b0ead55b66aac16d7fbce15f242dfef301be))
* disable tracking service by default ([4fa3b0e](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/4fa3b0ead55b66aac16d7fbce15f242dfef301be))
# [6.0.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/compare/5.14.1...6.0.0) (2025-01-20)
### Code Refactoring
* **trivy:** enforce usage of Trivy environment variables ([e69ce13](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/e69ce13565711b9dac8ee7b7105c8e9061bb3799))
### BREAKING CHANGES
* **trivy:** 4 Trivy configuration params removed in favor of the native Trivy environment variables
# [6.0.0](https://gitlab.com/to-be-continuous/docker/compare/5.14.1...6.0.0) (2024-11-26)
......@@ -113,7 +139,7 @@
### Features
* introduce variable for additional docker/buildah push arguments ([9de48b2](https://gitlab.com/to-be-continuous/docker/commit/9de48b24c1512cb9f5c8b7e26d33cea1bc5504e2))
* introduce variable for additional docker/buildah push arguments ([9de48b2](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/docker/commit/9de48b24c1512cb9f5c8b7e26d33cea1bc5504e2))
## [5.11.1](https://gitlab.com/to-be-continuous/docker/compare/5.11.0...5.11.1) (2024-08-13)
......
......@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
# 2: set/override component inputs
inputs:
build-tool: buildah # ⚠ this is only an example
......@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/docker'
ref: '6.1.6'
ref: '6.1.7'
file: '/templates/gitlab-ci-docker.yml'
variables:
......@@ -285,6 +285,7 @@ It is bound to the `build` stage, and uses the following variables:
| `hadolint-disabled` / `DOCKER_HADOLINT_DISABLED` | Set to `true` to disable Hadolint | _(none: enabled by default)_ |
| `hadolint-image` / `DOCKER_HADOLINT_IMAGE` | The Hadolint image | `registry.hub.docker.com/hadolint/hadolint:latest-alpine`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_HADOLINT_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_HADOLINT_IMAGE)|
| `hadolint-args` / `DOCKER_HADOLINT_ARGS` | Additional `hadolint` arguments | _(none)_ |
| `hadolint-job-tags` / `DOCKER_HADOLINT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In case you have to disable some rules, either add `--ignore XXXX` to the `DOCKER_HADOLINT_ARGS` variable or create a [Hadolint configuration file](https://github.com/hadolint/hadolint#configure) named `hadolint.yaml` at the root of your repository.
......@@ -311,17 +312,17 @@ This job builds the image and publishes it to the _snapshot_ repository.
It is bound to the `package-build` stage, and uses the following variables:
| Input / Variable | Description | Default value |
|-------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
| `build-args` / `DOCKER_BUILD_ARGS` | Additional `docker/kaniko/buildah` `build` arguments | _(none)_ |
| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_ |
| :lock: `DOCKER_REGISTRY_MIRROR_USER` | Docker registry username for the mirror registry | _(none)_ |
| :lock: `DOCKER_REGISTRY_MIRROR_PASSWORD` | Docker registry password for the mirror registry | _(none)_ |
| `container-registries-config-file` / `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only | _(none)_ |
| `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
| `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED` | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
| `push-args` / `DOCKER_PUSH_ARGS` | Additional `push` arguments for [docker](https://docs.docker.com/reference/cli/docker/image/push/) or [buildah](https://github.com/containers/buildah/blob/main/docs/buildah-push.1.md) (executed right after `build`).<br>Ex: `--compression-format zstd --compression-level 20` | _(none)_ |
| Input / Variable | Description | Default value |
| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `build-args` / `DOCKER_BUILD_ARGS` | Additional `docker/kaniko/buildah` `build` arguments | _(none)_ |
| `registry-mirror` / `DOCKER_REGISTRY_MIRROR` | URL of a Docker registry mirror to use during the image build (instead of default `https://index.docker.io`) <br>:warning: Used by the `kaniko` and `dind` options only | _(none)_ |
| `container-registries-config-file` / `CONTAINER_REGISTRIES_CONFIG_FILE` | The [`registries.conf`](https://www.redhat.com/sysadmin/manage-container-registries) configuration to be used<br>:warning: Used by the `buildah` build only | _(none)_ |
| `metadata` / `DOCKER_METADATA` | Additional `docker build`/`kaniko` arguments to set label | OCI Image Format Specification |
| `kaniko-snapshot-image-cache` / `KANIKO_SNAPSHOT_IMAGE_CACHE` | Snapshot image repository that will be used to store cached layers (leave empty to use default: snapshot image repository + `/cache`)<br>:warning: Used by the `kaniko` build only | _none_ (default cache path) |
| `build-cache-disabled` / `DOCKER_BUILD_CACHE_DISABLED` | Set to `true` to disable the build cache.<br/>Cache can typically be disabled when there is a network latency between the container registry and the runner. | _none_ (i.e cache enabled) |
| `kaniko-build-job-tags` / `DOCKER_KANIKO_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `dind-build-job-tags` / `DOCKER_DIND_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `buildah-build-job-tags` / `DOCKER_BUILDAH_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
......@@ -399,12 +400,13 @@ This job performs a [Health Check](https://docs.docker.com/engine/reference/buil
It is bound to the `package-test` stage, and uses the following variables:
| Input / Variable | Description | Default value |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `healthcheck-disabled` / `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ |
| `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
| `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
| `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
| Input / Variable | Description | Default value |
| -------------------------------------- | -------------------------------------------------------------------- | ----------------- |
| `healthcheck-disabled` / `DOCKER_HEALTHCHECK_DISABLED` | Set to `true` to disable health check | _(none: enabled by default)_ |
| `healthcheck-timeout` / `DOCKER_HEALTHCHECK_TIMEOUT` | When testing a Docker Health (test stage), how long (in seconds) wait for the [HealthCheck status](https://docs.docker.com/engine/reference/builder/#healthcheck) | `60` |
| `healthcheck-options` / `DOCKER_HEALTHCHECK_OPTIONS` | Docker options for health check such as port mapping, environment... | _(none)_ |
| `healthcheck-container-args` / `DOCKER_HEALTHCHECK_CONTAINER_ARGS` | Set arguments sent to the running container for health check | _(none)_ |
| `healthcheck-job-tags` / `DOCKER_HEALTHCHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
In case your Docker image is not intended to run as a service and only contains a _client tool_ (like curl, Ansible, ...) you can test it by overriding the Health Check Job. See [this example](#overriding-docker-healthcheck).
......@@ -431,6 +433,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-image` / `DOCKER_TRIVY_IMAGE` | The docker image used to scan images with Trivy | `registry.hub.docker.com/aquasec/trivy:latest`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_TRIVY_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_TRIVY_IMAGE)|
| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive` |
| `docker-trivy-job-tags` / `DOCKER_DOCKER_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
......@@ -459,6 +462,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `TBC_SBOM_MODE` | Controls when SBOM reports are generated (`onrelease`: only on `$INTEG_REF`, `$PROD_REF` and `$RELEASE_REF` pipelines; `always`: any pipeline).<br/>:warning: `sbom-disabled` / `DOCKER_SBOM_DISABLED` takes precedence | `onrelease` |
| `sbom-image` / `DOCKER_SBOM_IMAGE` | The docker image used to emit SBOM | `registry.hub.docker.com/anchore/syft:debug`<br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-DOCKER_SBOM_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-DOCKER_SBOM_IMAGE)|
| `sbom-opts` / `DOCKER_SBOM_OPTS` | Options for syft used for SBOM analysis | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file` |
| `docker-sbom-job-tags` / `DOCKER_DOCKER_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `docker-publish` job
......@@ -472,6 +476,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
| `release-extra-tags-pattern` / `DOCKER_RELEASE_EXTRA_TAGS_PATTERN` | Defines the image tag pattern that `$DOCKER_RELEASE_IMAGE` should match to push extra tags (supports capturing groups - [see below](#using-extra-tags)) | `^v?(?P<major>[0-9]+)\\.(?P<minor>[0-9]+)\\.(?P<patch>[0-9]+)(?P<suffix>(?P<prerelease>-[0-9A-Za-z-\\.]+)?(?P<build>\\+[0-9A-Za-z-\\.]+)?)$` _(SemVer pattern)_ |
| `release-extra-tags` / `DOCKER_RELEASE_EXTRA_TAGS` | Defines extra tags to publish the _release_ image (supports capturing group references from `$DOCKER_RELEASE_EXTRA_TAGS_PATTERN` - [see below](#using-extra-tags)) | _(none)_ |
| `semrel-release-disabled` / `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (enabled) |
| `docker-publish-job-tags` / `DOCKER_DOCKER_PUBLISH_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ci/yaml/artifacts_reports/#artifactsreportsdotenv)):
......@@ -565,7 +570,7 @@ Here is a `.gitlab-ci.yaml` using an external Docker registry:
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
inputs:
snapshot-image: "registry.acme.host/$CI_PROJECT_NAME/snapshot:$CI_COMMIT_REF_SLUG"
release-image: "registry.acme.host/$CI_PROJECT_NAME:$CI_COMMIT_REF_NAME"
......@@ -580,7 +585,7 @@ Here is a `.gitlab-ci.yaml` that builds 2 Docker images from the same project (u
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
.docker-base:
parallel:
......@@ -635,9 +640,9 @@ With:
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-vault@6.1.7
inputs:
# audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
......@@ -683,7 +688,7 @@ to use the snapshot image repository (will host your snapshot image as well as c
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
inputs:
build-tool: "kaniko" # Only Kaniko has been proved to work for this use case YET
# untested & unverified container image
......@@ -691,7 +696,7 @@ include:
# ⚠ don't forget to create the '{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}/snapshot/cache' repo for Kaniko
# validated container image (published)
release-image: "{GCP_REGION}-docker.pkg.dev/{GCP_PROJECT_ID}/{YOUR_REPOSITORY}/{YOUR_IMAGE_NAME}:$CI_COMMIT_REF_NAME"
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-gcp@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-gcp@6.1.7
inputs:
# default WIF provider
gcp-oidc-provider: "projects/{GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/{YOUR_WIF_POOL_NAME}/providers/gitlab-diod"
......@@ -756,14 +761,14 @@ then set the required configuration.
```yaml
include:
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@6.1.7
inputs:
# untested & unverified container image
snapshot-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG/snapshot:$CI_COMMIT_REF_SLUG"
# ⚠ don't forget to create the '123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH/snapshot/cache' repo for Kaniko
# validated container image (published)
release-image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/$CI_PROJECT_PATH_SLUG:$CI_COMMIT_REF_NAME"
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-ecr@6.1.6
- component: $CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker-ecr@6.1.7
inputs:
# default Role ARN (using OIDC authentication method)
aws-oidc-role-arn: "arn:aws:iam::123456789012:role/gitlab-ci"
......
......@@ -121,6 +121,34 @@
"type": "boolean",
"advanced": true
},
{
"name": "DOCKER_KANIKO_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_DIND_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_BUILDAH_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_DOCKER_PUBLISH_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "DOCKER_PUSH_ARGS",
"description": "Additional docker/buildah `push` arguments (executed right after `build`).\n\nEx: `--compression-format zstd --compression-level 20`",
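Review bot: The new `DOCKER_*_JOB_TAGS` entries (`DOCKER_KANIKO_BUILD_JOB_TAGS`, `DOCKER_DIND_BUILD_JOB_TAGS`, `DOCKER_BUILDAH_BUILD_JOB_TAGS`, `DOCKER_DOCKER_PUBLISH_JOB_TAGS`, and the same pattern in the hadolint, healthcheck, trivy and sbom hunks below) are documented as project variables, but in the template hunks the jobs read the tags directly via `tags: $[[ inputs.*-job-tags ]]`. Unless the template's `variables:` block (not in this diff) also maps each input onto its `DOCKER_*_JOB_TAGS` variable, setting the variable in a project has no effect and the kicker entry is misleading; please confirm the mapping exists or document the input-only nature in the `description`. The same applies to the matching README table rows.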
......@@ -143,6 +171,13 @@
"name": "DOCKER_HADOLINT_ARGS",
"description": "Additional `hadolint` arguments",
"advanced": true
},
{
"name": "DOCKER_HADOLINT_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -168,6 +203,13 @@
"name": "DOCKER_HEALTHCHECK_CONTAINER_ARGS",
"description": "Arguments sent to the running container for health check",
"advanced": true
},
{
"name": "DOCKER_HEALTHCHECK_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -188,6 +230,13 @@
"description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
"default": "--ignore-unfixed --pkg-types os --exit-on-eol 1 --detection-priority comprehensive",
"advanced": true
},
{
"name": "DOCKER_DOCKER_TRIVY_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
......@@ -214,6 +263,13 @@
"description": "Options for syft used for SBOM analysis",
"default": "--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file",
"advanced": true
},
{
"name": "DOCKER_DOCKER_SBOM_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
}
......
......@@ -45,7 +45,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.6"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_AWS_PROVIDER_IMAGE"
alias: "aws-auth-provider"
id_tokens:
......
......@@ -44,7 +44,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.6"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_GCP_PROVIDER_IMAGE"
alias: "gcp-auth-provider"
variables:
......
......@@ -22,7 +22,7 @@ variables:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.6"]
command: ["--service", "docker", "6.1.7"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
......
......@@ -170,6 +170,39 @@ spec:
sbom-opts:
description: Options for syft used for SBOM analysis
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger --select-catalogers -file
hadolint-job-tags:
description: tags to filter applicable runners for hadolint job
type: array
default: []
kaniko-build-job-tags:
description: tags to filter applicable runners for kaniko build job
type: array
default: []
dind-build-job-tags:
description: tags to filter applicable runners for dind build job
type: array
default: []
buildah-build-job-tags:
description: tags to filter applicable runners for buildah build job
type: array
default: []
healthcheck-job-tags:
description: tags to filter applicable runners for healthcheck job
type: array
default: []
docker-trivy-job-tags:
description: tags to filter applicable runners for docker-trivy job
type: array
default: []
docker-sbom-job-tags:
description: tags to filter applicable runners for docker-sbom job
type: array
default: []
docker-publish-job-tags:
description: tags to filter applicable runners for docker-publish job
type: array
default: []
---
# default workflow rules: Merge Request pipelines
workflow:
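Review bot: The descriptions of the new `*-job-tags` inputs (`description: tags to filter applicable runners for hadolint job` and the seven siblings) start lowercase and use different wording from the neighbouring inputs (`Options for syft used for SBOM analysis`) and from the kicker.json/README text for the same settings (`Tags to be used for selecting runners for the job`). Aligning them, e.g. `description: Tags to be used for selecting runners for the hadolint job`, keeps the generated documentation consistent. The `workflow:` block continues outside the hunk.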
......@@ -708,8 +741,8 @@ stages:
}
function init_workspace() {
maybe_install_awk
install_custom_ca_certs
maybe_install_awk
unscope_variables
eval_all_secrets
configure_registries_auth
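Review bot: The reordering makes the call order in `init_workspace` load-bearing, but nothing in the function says why `install_custom_ca_certs` must now precede `maybe_install_awk`, so a later cleanup could swap them back. A one-line why-comment above the call would pin it, e.g. `# trust custom CA certs first: presumably maybe_install_awk fetches over TLS (see changelog 6.1.7)` — the motivation is inferred from the changelog entry, so confirm the wording. `init_workspace` continues outside the hunk.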
......@@ -788,7 +821,7 @@ stages:
.docker-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.6"]
command: ["--service", "docker", "6.1.7"]
before_script:
- !reference [.docker-scripts]
......@@ -824,7 +857,7 @@ stages:
_TRACE: "${TRACE}"
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "docker", "6.1.6"]
command: ["--service", "docker", "6.1.7"]
- name: $DOCKER_DIND_IMAGE
alias: docker
command:
......@@ -885,6 +918,7 @@ docker-hadolint:
- if: '$DOCKER_HADOLINT_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.hadolint-job-tags ]]
# ==================================================
# Stage: package-build
......@@ -912,6 +946,7 @@ docker-kaniko-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "kaniko"'
tags: $[[ inputs.kaniko-build-job-tags ]]
docker-dind-build:
extends: .docker-dind-base
......@@ -949,6 +984,7 @@ docker-dind-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "dind"'
tags: $[[ inputs.dind-build-job-tags ]]
docker-buildah-build:
extends: .docker-base
......@@ -989,6 +1025,7 @@ docker-buildah-build:
- docker.env
rules:
- if: '$DOCKER_BUILD_TOOL == "buildah"'
tags: $[[ inputs.buildah-build-job-tags ]]
# ==================================================
# Stage: package-test
......@@ -1058,6 +1095,7 @@ docker-healthcheck:
- if: '$DOCKER_BUILD_TOOL != "dind"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.healthcheck-job-tags ]]
# Security audit with trivy
docker-trivy:
......@@ -1110,6 +1148,7 @@ docker-trivy:
- if: '$DOCKER_TRIVY_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.docker-trivy-job-tags ]]
docker-sbom:
extends: .docker-base
......@@ -1146,6 +1185,7 @@ docker-sbom:
when: never
# 'onrelease' mode: use common software delivery rules
- !reference [.delivery-policy, rules]
tags: $[[ inputs.docker-sbom-job-tags ]]
# ==================================================
......@@ -1222,3 +1262,4 @@ docker-publish:
- if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
when: manual
- if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
tags: $[[ inputs.docker-publish-job-tags ]]
\ No newline at end of file
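Review bot: The new last line `tags: $[[ inputs.docker-publish-job-tags ]]` is added without a trailing newline, as the `\ No newline at end of file` marker shows; most YAML linters flag this and the next append to the file will produce a noisy diff. Add a final newline after the `tags:` line. The `docker-publish` job starts outside the hunk.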