# variables in the GitLab CI/CD variables:
# GITLAB_TOKEN to support the semantic-release
# DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
# TMPL_RELEASE_ENABLED to enable the semantic-release job
# TBC_NAMESPACE: smartdatalab/public/ci-cd-components
include:
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/extract.yml"
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/validation.yml"
- project: "to-be-continuous/kicker"
ref: "master"
file: "/templates/validation.yml"
- component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.5
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
gitlab-ci-lint-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
shellcheck-files: "*.sh"
- component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.6
- component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.11
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
inputs:
gitleaks-job-tags: ["docker"]
variables:
GITLAB_CI_FILES: "templates/gitlab-ci-maven.yml"
GIT_STRATEGY: clone
semantic-release:
rules:
......
# [4.1.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.0.2...4.1.0) (2025-01-20)
### Features
* **JaCoCo:** add JaCoCo Coverage Reports integration ([1f997a1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/commit/1f997a18c61d7eb4fe8b9af1ee828893ec70929b))
# [4.1.0](https://gitlab.com/to-be-continuous/maven/compare/4.0.2...4.1.0) (2025-01-20)
### Features
* **JaCoCo:** add JaCoCo Coverage Reports integration ([1f997a1](https://gitlab.com/to-be-continuous/maven/commit/1f997a18c61d7eb4fe8b9af1ee828893ec70929b))
## [4.0.2](https://gitlab.com/to-be-continuous/maven/compare/4.0.1...4.0.2) (2024-12-29)
......
......@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.0.2
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
# 2: set/override component inputs
inputs:
# ⚠ this is only an example
......@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/maven'
ref: '4.0.2'
ref: '4.1.0'
file: '/templates/gitlab-ci-maven.yml'
variables:
......@@ -81,6 +81,7 @@ It uses the following variable:
| Input / Variable | Description | Default value |
| --------------------- | ---------------------------------------- | ----------------- |
| `build-args` / `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` |
| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### About Code Coverage
......@@ -89,14 +90,15 @@ to compute code coverage during unit tests execution.
In addition it makes the necessary to [integrate code coverage stats into your GitLab project](https://docs.gitlab.com/ee/ci/testing/code_coverage.html#view-code-coverage-results-in-the-mr) (report badge and viewable coverage in merge requests).
If yo want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the
If you want to fix the JaCoCo plugin version or tweak the default configuration, you may have to configure the
[JaCoCo Maven Plugin](https://www.eclemma.org/jacoco/trunk/doc/maven.html) in your `pom.xml`, but be aware of the
following:
* do not declare JaCoCo executions for `prepare-agent` and `report` goals as each would run twice during
unit tests (not necessarily with the expected configuration). If you really need to do so anyway, you'll have to
override the `$MAVEN_BUILD_ARGS` variable to remove the explicit invocation to JaCoCo goals.
* make sure the `report` goal computes a CSV report, that is used by the Maven template to compute the global coverage stat.
* make sure the `report` goal computes a CSV report (that's default behavior), that is used by the Maven template to compute the global coverage stat,
* make sure the `report` goal computes an XML report (that's default behavior), that is required to support [GitLab code coverage intergation](https://docs.gitlab.com/ee/ci/testing/test_coverage_visualization/jacoco.html).
More info:
......@@ -116,6 +118,7 @@ This job uses the following variables:
| :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ |
| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) |
| `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### Recommended minimal configuration
......@@ -172,6 +175,7 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `dependency-check-disabled` / `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ |
| `dependency-check-args` / `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` |
| `mvn-dependency-check-job-tags` / `MVN_DEPENDENCY_CHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
A Dependency Check is a quite long operation and therefore the job is configured to be ran __manually__ by default.
......@@ -217,6 +221,7 @@ It is bound to the `test` stage, and uses the following variables:
| Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- |
| `mvn-forbid-snapshot-dependencies-disabled` / `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
| `mvn-no-snapshot-deps-job-tags` / `MVN_NO_SNAPSHOT_DEPS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `mvn-sbom` job
......@@ -228,6 +233,7 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
| `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `mvn-release` &amp; `mvn-deploy-*` jobs
......@@ -255,6 +261,9 @@ They are bound to the `publish` stage, and use the following variables:
| `release-scm-release-comment` / `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
| `release-scm-dev-comment` / `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
| `mvn-semrel-release-disabled` / `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (disabled) |
| `mvn-release-job-tags` / `MVN_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `mvn-deploy-release-job-tags` / `MVN_DEPLOY_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `mvn-deploy-snapshot-job-tags` / `MVN_DEPLOY_SNAPSHOT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
More info:
......@@ -483,7 +492,8 @@ The template uses GitLab registries and authentication defaults. See the Docker
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --pkg-types os` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
| `mvn-trivy-job-tags` / `MVN_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
......@@ -506,6 +516,7 @@ the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn-
| `jib-build-args` / `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` |
| `jib-publish-args` / `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ |
| `jib-prod-publish-strategy` / `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` |
| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### Usage
......@@ -532,7 +543,7 @@ All authentication methods should use masked GitLab environment variables.
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.0.2
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.1.0
# Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.0.2
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.1.0
```
......@@ -47,6 +47,62 @@
"description": "Maven arguments for the build & test job",
"default": "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report",
"advanced": true
},
{
"name": "MAVEN_MVN_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_SONAR_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPENDENCY_CHECK_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_NO_SNAPSHOT_DEPS_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_SBOM_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPLOY_RELEASE_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_RELEASE_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
],
"features": [
......@@ -286,6 +342,13 @@
{
"name": "MAVEN_JIB_PUBLISH_ARGS",
"description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
},
{
"name": "MAVEN_MVN_TRIVY_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
}
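Review bot: The variable names introduced here (`MAVEN_MVN_BUILD_JOB_TAGS` on L157 and the seven siblings through `MAVEN_MVN_TRIVY_JOB_TAGS` on L220) do not match the names the README hunks document for the same inputs (`MVN_BUILD_JOB_TAGS`, `MVN_TRIVY_JOB_TAGS`, ...), and the template hunks consume only `$[[ inputs.mvn-build-job-tags ]]` with no visible `variables:` mapping for these array inputs, so presumably at most one of the two documented names is a variable a pipeline can actually set. If the `MAVEN_` prefix exists only so the input name can be derived from the entry name, the README should still document the same identifier; otherwise reconcile the two. The eight descriptions are also the same generic string, which makes the entries indistinguishable in a generated form; name the job as the template spec does, e.g. `"description": "Tags to filter applicable runners for the mvn-build job"`.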
......
......@@ -40,6 +40,27 @@ spec:
sbom-opts:
description: Options for syft used for SBOM analysis
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java
mvn-build-job-tags:
description: tags to filter applicable runners for mvn-build job
type: array
default: []
mvn-sbom-job-tags:
description: tags to filter applicable runners for mvn-sbom job
type: array
default: []
mvn-trivy-job-tags:
description: tags to filter applicable runners for mvn-trivy job
type: array
default: []
mvn-deploy-release-job-tags:
description: tags to filter applicable runners for mvn-deploy-release job
type: array
default: []
mvn-deploy-snapshot-job-tags:
description: tags to filter applicable runners for mvn-deploy-snapshot job
type: array
default: []
---
variables:
MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
......@@ -108,7 +129,8 @@ mvn-build:
reports:
dotenv:
- jib.env
tags: $[[ inputs.mvn-build-job-tags ]]
mvn-sbom:
extends: .mvn-base
stage: package-test
......@@ -132,6 +154,7 @@ mvn-sbom:
reports:
cyclonedx:
- "reports/mvn-sbom-*.cyclonedx.json"
tags: $[[ inputs.mvn-sbom-job-tags ]]
mvn-trivy:
extends: .mvn-base
......@@ -177,7 +200,8 @@ mvn-trivy:
- if: '$MAVEN_TRIVY_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-trivy-job-tags ]]
mvn-deploy-release:
extends: .mvn-base
image:
......@@ -240,6 +264,7 @@ mvn-deploy-release:
- if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "manual"'
when: manual
- if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "auto"'
tags: $[[ inputs.mvn-deploy-release-job-tags ]]
# =====================================================================================================================
# === Disable Maven template jobs not required for Docker Jib pipeline
......@@ -249,3 +274,4 @@ mvn-deploy-release:
mvn-deploy-snapshot:
rules:
- when: never
tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]
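Review bot: Adding `tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]` here, and the matching lines on L260, L268 and L283, redefines `tags` on jobs that the main Maven template also tags, and if I read GitLab's include merge semantics right the later include wins, so with the README's recommended order (main component first, Jib second) a consumer who sets `mvn-build-job-tags` only on the main include silently gets the Jib default `[]` instead. Either the Jib spec should document that these inputs must be set on the Jib include as well, or the Jib template should stop overriding `tags` for jobs it does not otherwise change. This particular job is also disabled by the `rules: - when: never` on L288-289, so `mvn-deploy-snapshot-job-tags` (L249-252) is dead configuration; if it is kept deliberately, say why with a comment such as `# job is disabled for Jib pipelines; tags kept only to mirror the base template`.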
......@@ -128,6 +128,41 @@ spec:
mvn-semrel-release-disabled:
description: Disable semantic-release integration
default: ''
mvn-build-job-tags:
description: tags to filter applicable runners for mvn-build job
type: array
default: []
mvn-sonar-job-tags:
description: tags to filter applicable runners for mvn-sonar job
type: array
default: []
mvn-dependency-check-job-tags:
description: tags to filter applicable runners for mvn-dependency-check job
type: array
default: []
mvn-no-snapshot-deps-job-tags:
description: tags to filter applicable runners for mvn-no-snapshot-deps job
type: array
default: []
mvn-sbom-job-tags:
description: tags to filter applicable runners for mvn-sbom job
type: array
default: []
mvn-deploy-snapshot-job-tags:
description: tags to filter applicable runners for mvn-deploy-snapshot job
type: array
default: []
mvn-deploy-release-job-tags:
description: tags to filter applicable runners for mvn-deploy-release job
type: array
default: []
mvn-release-job-tags:
description: tags to filter applicable runners for mvn-release job
type: array
default: []
---
# default workflow rules: Merge Request pipelines
workflow:
......@@ -603,7 +638,7 @@ stages:
image: $MAVEN_IMAGE
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.0.2"]
command: ["--service", "maven", "4.1.0"]
before_script:
- !reference [.mvn-scripts]
- install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
......@@ -634,10 +669,14 @@ mvn-build:
reports:
junit:
- "${MAVEN_PROJECT_DIR}/**/target/*-reports/TEST-*.xml"
coverage_report:
coverage_format: jacoco
path: "${MAVEN_PROJECT_DIR}/**/target/site/jacoco/jacoco.xml"
paths:
# version may have been altered
- "${MAVEN_PROJECT_DIR}/**/pom.xml"
- "${MAVEN_PROJECT_DIR}/**/target"
tags: $[[ inputs.mvn-build-job-tags ]]
# Sonar job
mvn-sonar:
......@@ -676,6 +715,7 @@ mvn-sonar:
- if: '($SONAR_HOST_URL == null || $SONAR_HOST_URL == "") && ($SONAR_URL == null || $SONAR_URL == "")'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-sonar-job-tags ]]
mvn-dependency-check:
extends: .mvn-base
......@@ -701,6 +741,7 @@ mvn-dependency-check:
# all other cases: manual & non-blocking
- when: manual
allow_failure: true
tags: $[[ inputs.mvn-dependency-check-job-tags ]]
mvn-no-snapshot-deps:
extends: .mvn-base
......@@ -713,6 +754,7 @@ mvn-no-snapshot-deps:
- if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-no-snapshot-deps-job-tags ]]
mvn-sbom:
extends: .mvn-base
......@@ -736,6 +778,7 @@ mvn-sbom:
- if: '$MAVEN_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-sbom-job-tags ]]
mvn-deploy-snapshot:
extends: .mvn-base
......@@ -751,6 +794,7 @@ mvn-deploy-snapshot:
when: never
# exclude unprotected ref if disabled
- if: '$MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED != "true" || $CI_COMMIT_REF_PROTECTED == "true"'
tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]
mvn-deploy-release:
extends: .mvn-base
......@@ -763,6 +807,7 @@ mvn-deploy-release:
when: never
# on tag with release pattern: auto
- if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
tags: $[[ inputs.mvn-deploy-release-job-tags ]]
mvn-release:
extends: .mvn-base
......@@ -801,3 +846,4 @@ mvn-release:
- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
when: manual
allow_failure: true
tags: $[[ inputs.mvn-release-job-tags ]]
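Review bot: The new `tags` inputs on `mvn-release` (L399), `mvn-deploy-release` (L392) and `mvn-deploy-snapshot` (L385) decide which runners execute the publishing jobs, and the spec descriptions on L315-L326 say nothing about that; these jobs presumably run with the project's deploy and release credentials (the `$CI_COMMIT_REF_PROTECTED` gating on L384 and the tag rule on L391 suggest they are treated as sensitive), so a consumer should be told to route them to protected or trusted runners rather than any shared pool. A one-line description is enough, e.g. `description: tags to filter applicable runners for mvn-release job (publishing job, prefer protected runners)`. Separately, the added descriptions are lowercase (`tags to filter ...`) while the existing ones on L293 and L231 are capitalised; pick one form for the spec.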