Commits on Source (19)
# variables in the GitLab CI/CD variables:
# GITLAB_TOKEN to support the semantic-release
# DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
# TMPL_RELEASE_ENABLED to enable the semantic-release job
# TBC_NAMESPACE: smartdatalab/public/ci-cd-components
include:
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/extract.yml"
- project: "to-be-continuous/tools/gitlab-ci"
ref: "master"
file: "/templates/validation.yml"
- project: "to-be-continuous/kicker"
ref: "master"
file: "/templates/validation.yml"
- component: $CI_SERVER_FQDN/to-be-continuous/bash/gitlab-ci-bash@3.5
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
inputs:
extract-script-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
inputs:
check-links-job-tags: ["docker"]
tbc-check-job-tags: ["docker"]
tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
gitlab-ci-lint-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
inputs:
kicker-validation-job-tags: ["docker"]
schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
inputs:
bash-shellcheck-job-tags: ["docker"]
shellcheck-files: "*.sh"
- component: $CI_SERVER_FQDN/to-be-continuous/gitleaks/gitlab-ci-gitleaks@2.6
- component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@3.11
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
inputs:
semantic-release-job-tags: ["docker"]
- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
inputs:
gitleaks-job-tags: ["docker"]
variables:
GITLAB_CI_FILES: "templates/gitlab-ci-maven.yml"
GIT_STRATEGY: clone
semantic-release:
rules:
......
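Review bot: Every `$TBC_NAMESPACE/...` component in this include list is referenced at `@master`, and `tbc-check-image` uses the `:master` tag, so the pipeline that validates and releases this template runs whatever those branches contain at job time. The entries they appear to replace were pinned (`gitlab-ci-bash@3.5`, `gitlab-ci-gitleaks@2.6`, `gitlab-ci-semrel@3.11`); the page does not mark which side each line is on, so that reading is inferred. Because the header comment says the semantic-release job relies on `GITLAB_TOKEN`, I would pin each component to a release tag or commit SHA, e.g. `- component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@<release-tag-or-sha>`, and reference the image by digest. The `semantic-release:` job body continues outside the visible lines.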
# [4.2.0](https://gitlab.com/to-be-continuous/maven/compare/4.1.0...4.2.0) (2025-01-27)
# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.2.0...4.3.0) (2025-01-29)
### Features
* disable tracking service by default ([965198b](https://gitlab.com/to-be-continuous/maven/commit/965198bcd45fe574843222bb919b3ccb62795a40))
* add vault variant ([a80ac30](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/commit/a80ac3067498bfb9aea04860ee6c839bc0ab7620))
# [4.1.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/compare/4.0.2...4.1.0) (2025-01-20)
### Features
* **JaCoCo:** add JaCoCo Coverage Reports integration ([1f997a1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/maven/commit/1f997a18c61d7eb4fe8b9af1ee828893ec70929b))
# [4.1.0](https://gitlab.com/to-be-continuous/maven/compare/4.0.2...4.1.0) (2025-01-20)
......
......@@ -14,7 +14,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.2.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# 2: set/override component inputs
inputs:
# ⚠ this is only an example
......@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/maven'
ref: '4.2.0'
ref: '4.3.0'
file: '/templates/gitlab-ci-maven.yml'
variables:
......@@ -81,6 +81,7 @@ It uses the following variable:
| Input / Variable | Description | Default value |
| --------------------- | ---------------------------------------- | ----------------- |
| `build-args` / `MAVEN_BUILD_ARGS` | Maven arguments for the build & test job | `org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report` |
| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### About Code Coverage
......@@ -117,6 +118,7 @@ This job uses the following variables:
| :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ |
| `sonar-base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/analysis-parameters/) | `sonar:sonar -Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
| `sonar-quality-gate-enabled` / `SONAR_QUALITY_GATE_ENABLED` | Set to `true` to enable SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube/latest/user-guide/quality-gates/) verification.<br/>_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._ | _none_ (disabled) |
| `mvn-sonar-job-tags` / `MVN_SONAR_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### Recommended minimal configuration
......@@ -173,6 +175,7 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `dependency-check-disabled` / `MAVEN_DEPENDENCY_CHECK_DISABLED` | Set to `true` to disable this job | _none_ |
| `dependency-check-args` / `MAVEN_DEPENDENCY_CHECK_ARGS` | Maven arguments for Dependency Check job | `org.owasp:dependency-check-maven:check -DretireJsAnalyzerEnabled=false -DassemblyAnalyzerEnabled=false` |
| `mvn-dependency-check-job-tags` / `MVN_DEPENDENCY_CHECK_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
A Dependency Check is a quite long operation and therefore the job is configured to be ran __manually__ by default.
......@@ -218,6 +221,7 @@ It is bound to the `test` stage, and uses the following variables:
| Input / Variable | Description | Default value |
| --------------------- | -------------------------------------- | ----------------- |
| `mvn-forbid-snapshot-dependencies-disabled` / `MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED` | Set to `true` to disable this job | _none_ |
| `mvn-no-snapshot-deps-job-tags` / `MVN_NO_SNAPSHOT_DEPS_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `mvn-sbom` job
......@@ -229,6 +233,7 @@ It is bound to the `test` stage, and uses the following variables:
| --------------------- | -------------------------------------- | ----------------- |
| `sbom-disabled` / `MAVEN_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
| `sbom-gen-args` / `MAVEN_SBOM_GEN_ARGS` | Maven command used for SBOM analysis | `org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom` |
| `mvn-sbom-job-tags` / `MVN_SBOM_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
### `mvn-release` &amp; `mvn-deploy-*` jobs
......@@ -256,6 +261,9 @@ They are bound to the `publish` stage, and use the following variables:
| `release-scm-release-comment` / `MAVEN_RELEASE_SCM_RELEASE_COMMENT` | Maven release plugin [scmReleaseCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmReleaseCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
| `release-scm-dev-comment` / `MAVEN_RELEASE_SCM_DEV_COMMENT` | Maven release plugin [scmDevelopmentCommitComment](https://maven.apache.org/maven-release/maven-release-plugin/prepare-mojo.html#scmDevelopmentCommitComment) parameter (since Maven `3.0.0-M1`) | _none_ (Maven default) |
| `mvn-semrel-release-disabled` / `MVN_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration) | _none_ (disabled) |
| `mvn-release-job-tags` / `MVN_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `mvn-deploy-release-job-tags` / `MVN_DEPLOY_RELEASE_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
| `mvn-deploy-snapshot-job-tags` / `MVN_DEPLOY_SNAPSHOT_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
More info:
......@@ -484,7 +492,8 @@ The template uses GitLab registries and authentication defaults. See the Docker
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --pkg-types os` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` |
| `mvn-trivy-job-tags` / `MVN_TRIVY_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
......@@ -507,6 +516,7 @@ the `pom.xml` using the Maven Release Plugin, e.g., `release:prepare`. The `mvn-
| `jib-build-args` / `MAVEN_JIB_BUILD_ARGS` | [Jib Maven Plugin arguments](https://github.com/GoogleContainerTools/jib/tree/master/jib-maven-plugin#extended-usage). | `-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE` |
| `jib-publish-args` / `MAVEN_JIB_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/main/docs/skopeo-copy.1.md), e.g., `--additional-tag=strings` | _none_ |
| `jib-prod-publish-strategy` / `MAVEN_JIB_PROD_PUBLISH_STRATEGY` | Defines the publish to production strategy for `mvn-release` and `mvn-deploy-release` jobs. One of `none`, `auto`, `manual`. | `manual` |
| `mvn-build-job-tags` / `MVN_BUILD_JOB_TAGS` | Tags to be used for selecting runners for the job | `[]` |
#### Usage
......@@ -533,7 +543,59 @@ All authentication methods should use masked GitLab environment variables.
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.2.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# Jib is implemented as an extension to Maven, and uses supporting features of the TBC Maven template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.2.0
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-jib@4.3.0
```
## Variants
### Vault variant
This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server.
#### Configuration
In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters:
| Name | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master` |
| `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
Then you may retrieve any of your secret(s) from Vault using the following syntax:
```
@url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field}
```
With:
| Name | Description |
| -------------------------------- | -------------------------------------- |
| `secret_path` (_path parameter_) | this is your secret location in the Vault server |
| `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload |
#### Example
```yaml
include:
# main template
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven@4.3.0
# Vault variant
- component: $CI_SERVER_FQDN/to-be-continuous/maven/gitlab-ci-maven-vault@4.3.0
variables:
# Vault configuration
VAULT_OIDC_AUD: "https://vault.acme.host"
VAULT_BASE_URL: "https://vault.acme.host/v1"
# Secret managed by Vault
SONAR_PASSWORD: "@url@http://vault-secrets-provider/api/secrets/sonar?field=password"
```
......@@ -47,6 +47,62 @@
"description": "Maven arguments for the build & test job",
"default": "org.jacoco:jacoco-maven-plugin:prepare-agent verify org.jacoco:jacoco-maven-plugin:report",
"advanced": true
},
{
"name": "MAVEN_MVN_BUILD_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_SONAR_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPENDENCY_CHECK_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_NO_SNAPSHOT_DEPS_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_SBOM_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPLOY_SNAPSHOT_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_DEPLOY_RELEASE_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
},
{
"name": "MAVEN_MVN_RELEASE_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
],
"features": [
......@@ -286,6 +342,46 @@
{
"name": "MAVEN_JIB_PUBLISH_ARGS",
"description": "Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options)"
},
{
"name": "MAVEN_MVN_TRIVY_JOB_TAGS",
"description": "Tags to be used for selecting runners for the job",
"type": "array",
"default": [],
"advanced": true
}
]
},
{
"id": "vault",
"name": "Vault",
"description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server",
"template_path": "templates/gitlab-ci-maven-vault.yml",
"variables": [
{
"name": "TBC_VAULT_IMAGE",
"description": "The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use",
"default": "registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:master",
"advanced": true
},
{
"name": "VAULT_BASE_URL",
"description": "The Vault server base API url"
},
{
"name": "VAULT_OIDC_AUD",
"description": "The `aud` claim for the JWT",
"default": "$CI_SERVER_URL"
},
{
"name": "VAULT_ROLE_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID",
"secret": true
},
{
"name": "VAULT_SECRET_ID",
"description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID",
"secret": true
}
]
}
......
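Review bot: The new entries are named `MAVEN_MVN_BUILD_JOB_TAGS`, `MAVEN_MVN_SONAR_JOB_TAGS` and so on, while the documentation tables on this page list `MVN_BUILD_JOB_TAGS`, `MVN_SONAR_JOB_TAGS`, and the template hunks shown only read `$[[ inputs.mvn-*-job-tags ]]` with no variable of either name. Unless a mapping exists outside the visible hunks, a value entered under these names would never reach a job's `tags:`, and the job would keep running on whatever runner accepts untagged jobs. I would align the names with the documented ones, e.g. `"name": "MVN_BUILD_JOB_TAGS"`, or drop the entries if only component inputs are supported. The same applies to `MAVEN_MVN_TRIVY_JOB_TAGS` in the second hunk.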
......@@ -40,6 +40,27 @@ spec:
sbom-opts:
description: Options for syft used for SBOM analysis
default: --override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java
mvn-build-job-tags:
description: tags to filter applicable runners for mvn-build job
type: array
default: []
mvn-sbom-job-tags:
description: tags to filter applicable runners for mvn-sbom job
type: array
default: []
mvn-trivy-job-tags:
description: tags to filter applicable runners for mvn-trivy job
type: array
default: []
mvn-deploy-release-job-tags:
description: tags to filter applicable runners for mvn-deploy-release job
type: array
default: []
mvn-deploy-snapshot-job-tags:
description: tags to filter applicable runners for mvn-deploy-snapshot job
type: array
default: []
---
variables:
MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
......@@ -108,7 +129,8 @@ mvn-build:
reports:
dotenv:
- jib.env
tags: $[[ inputs.mvn-build-job-tags ]]
mvn-sbom:
extends: .mvn-base
stage: package-test
......@@ -132,6 +154,7 @@ mvn-sbom:
reports:
cyclonedx:
- "reports/mvn-sbom-*.cyclonedx.json"
tags: $[[ inputs.mvn-sbom-job-tags ]]
mvn-trivy:
extends: .mvn-base
......@@ -177,7 +200,8 @@ mvn-trivy:
- if: '$MAVEN_TRIVY_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-trivy-job-tags ]]
mvn-deploy-release:
extends: .mvn-base
image:
......@@ -240,6 +264,7 @@ mvn-deploy-release:
- if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "manual"'
when: manual
- if: '$MAVEN_JIB_PROD_PUBLISH_STRATEGY == "auto"'
tags: $[[ inputs.mvn-deploy-release-job-tags ]]
# =====================================================================================================================
# === Disable Maven template jobs not required for Docker Jib pipeline
......@@ -249,3 +274,4 @@ mvn-deploy-release:
mvn-deploy-snapshot:
rules:
- when: never
tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]
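Review bot: The Jib variant now sets `tags:` on `mvn-build`, `mvn-sbom`, `mvn-deploy-release` and `mvn-deploy-snapshot` from its own inputs, which default to `[]`, and these jobs also get `tags:` from the main template. If include merging replaces the list as it does for other job keys, a project that passes `mvn-build-job-tags: ["docker"]` only to the main component ends up with the variant's empty list, and the build and deploy jobs become eligible for any runner that accepts untagged jobs. I would state this next to the inputs, e.g. `# NOTE: overrides the tags set by the main template; pass the same *-job-tags inputs to both components`. The `tags:` line on `mvn-deploy-snapshot` has no effect while its only rule is `when: never`. Each job body continues outside its hunk.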
# =====================================================================================================================
# === Vault template variant
# =====================================================================================================================
spec:
inputs:
vault-base-url:
description: The Vault server base API url
default: ''
vault-oidc-aud:
description: The `aud` claim for the JWT
default: $CI_SERVER_URL
---
variables:
# variabilized vault-secrets-provider image
TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest
# variables have to be explicitly declared in the YAML to be exported to the service
VAULT_ROLE_ID: "$VAULT_ROLE_ID"
VAULT_SECRET_ID: "$VAULT_SECRET_ID"
VAULT_OIDC_AUD: $[[ inputs.vault-oidc-aud ]]
VAULT_BASE_URL: $[[ inputs.vault-base-url ]]
.mvn-base:
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.3.0"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
VAULT_JWT_TOKEN: "$VAULT_JWT_TOKEN"
id_tokens:
VAULT_JWT_TOKEN:
aud: "$VAULT_OIDC_AUD"
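Review bot: `TBC_VAULT_IMAGE` defaults to `…/vault-secrets-provider:latest`, a mutable tag, for a service container that appears to receive `VAULT_ROLE_ID`, `VAULT_SECRET_ID` and the job's `VAULT_JWT_TOKEN`; the documentation table and the Kicker descriptor on this page both give `:master` as the default, so the three disagree. I would pin the default to a released tag or digest, `TBC_VAULT_IMAGE: registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:<release-tag>@sha256:<digest>`, and update the docs to match. `vault-base-url` defaults to `''` although the documentation marks `VAULT_BASE_URL` as required, so a missing value only surfaces when a secret is first resolved; a comment on the input saying it must be set would help. The `services:` list under `.mvn-base` repeats the tracking service with a hard-coded `"4.3.0"`, which has to be bumped together with the main template.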
......@@ -128,6 +128,41 @@ spec:
mvn-semrel-release-disabled:
description: Disable semantic-release integration
default: ''
mvn-build-job-tags:
description: tags to filter applicable runners for mvn-build job
type: array
default: []
mvn-sonar-job-tags:
description: tags to filter applicable runners for mvn-sonar job
type: array
default: []
mvn-dependency-check-job-tags:
description: tags to filter applicable runners for mvn-dependency-check job
type: array
default: []
mvn-no-snapshot-deps-job-tags:
description: tags to filter applicable runners for mvn-no-snapshot-deps job
type: array
default: []
mvn-sbom-job-tags:
description: tags to filter applicable runners for mvn-sbom job
type: array
default: []
mvn-deploy-snapshot-job-tags:
description: tags to filter applicable runners for mvn-deploy-snapshot job
type: array
default: []
mvn-deploy-release-job-tags:
description: tags to filter applicable runners for mvn-deploy-release job
type: array
default: []
mvn-release-job-tags:
description: tags to filter applicable runners for mvn-release job
type: array
default: []
---
# default workflow rules: Merge Request pipelines
workflow:
......@@ -600,7 +635,7 @@ stages:
image: $MAVEN_IMAGE
services:
- name: "$TBC_TRACKING_IMAGE"
command: ["--service", "maven", "4.2.0"]
command: ["--service", "maven", "4.3.0"]
before_script:
- !reference [.mvn-scripts]
- install_ca_certs "${CUSTOM_CA_CERTS:-$DEFAULT_CA_CERTS}"
......@@ -638,6 +673,7 @@ mvn-build:
# version may have been altered
- "${MAVEN_PROJECT_DIR}/**/pom.xml"
- "${MAVEN_PROJECT_DIR}/**/target"
tags: $[[ inputs.mvn-build-job-tags ]]
# Sonar job
mvn-sonar:
......@@ -676,6 +712,7 @@ mvn-sonar:
- if: '($SONAR_HOST_URL == null || $SONAR_HOST_URL == "") && ($SONAR_URL == null || $SONAR_URL == "")'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-sonar-job-tags ]]
mvn-dependency-check:
extends: .mvn-base
......@@ -701,6 +738,7 @@ mvn-dependency-check:
# all other cases: manual & non-blocking
- when: manual
allow_failure: true
tags: $[[ inputs.mvn-dependency-check-job-tags ]]
mvn-no-snapshot-deps:
extends: .mvn-base
......@@ -713,6 +751,7 @@ mvn-no-snapshot-deps:
- if: '$MVN_FORBID_SNAPSHOT_DEPENDENCIES_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-no-snapshot-deps-job-tags ]]
mvn-sbom:
extends: .mvn-base
......@@ -736,6 +775,7 @@ mvn-sbom:
- if: '$MAVEN_SBOM_DISABLED == "true"'
when: never
- !reference [.test-policy, rules]
tags: $[[ inputs.mvn-sbom-job-tags ]]
mvn-deploy-snapshot:
extends: .mvn-base
......@@ -751,6 +791,7 @@ mvn-deploy-snapshot:
when: never
# exclude unprotected ref if disabled
- if: '$MAVEN_DEPLOY_FROM_UNPROTECTED_DISABLED != "true" || $CI_COMMIT_REF_PROTECTED == "true"'
tags: $[[ inputs.mvn-deploy-snapshot-job-tags ]]
mvn-deploy-release:
extends: .mvn-base
......@@ -763,6 +804,7 @@ mvn-deploy-release:
when: never
# on tag with release pattern: auto
- if: '$CI_COMMIT_TAG =~ $RELEASE_REF'
tags: $[[ inputs.mvn-deploy-release-job-tags ]]
mvn-release:
extends: .mvn-base
......@@ -801,3 +843,4 @@ mvn-release:
- if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'
when: manual
allow_failure: true
tags: $[[ inputs.mvn-release-job-tags ]]
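Review bot: `mvn-release`, `mvn-deploy-release` and `mvn-deploy-snapshot` take `tags:` from inputs that default to `[]`, so unless a project sets them these publishing jobs stay eligible for any runner that accepts untagged jobs. That is presumably the behaviour before this change as well, but the new input descriptions are the natural place to say it, for example `description: tags to filter applicable runners for mvn-release job (empty = any runner accepting untagged jobs; set to keep release credentials on dedicated runners)`. The same wording would fit the two `mvn-deploy-*` inputs. Each job body continues outside its hunk.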