workflow:
  # A pipeline is created only for the four sources below (merge requests,
  # schedules, tags, pushes to protected refs); if no rule matches, GitLab
  # creates no pipeline at all.
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - if: '$CI_COMMIT_TAG'
    - if: '$CI_COMMIT_REF_PROTECTED == "true"'
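# NOTE(review): the keys these two rule lists belong to (the entries they gate)
# are not visible in this excerpt; only the rule bodies are shown.
# SKIP_TESTS=true switches the gated entry off entirely; otherwise it is
# enabled when one of the listed paths changed.
- if: '$SKIP_TESTS == "true"'
  when: never
- changes:
    - src/gitlab-tofu.sh
    - Dockerfile
    - .gitlab-ci.yml
# Second rule list: same shape, broader change set.
- if: '$SKIP_TESTS == "true"'
  when: never
- changes:
    - src/gitlab-tofu.sh
    - Dockerfile
    - .gitlab-ci.yml
    - templates/*.yml
    - tests/integration.gitlab-ci.yml
    - tests/integration-tests/*.yml
    - backports/*.gitlab-ci.yml
    # Was `*.gitlab-ciyml` (dot missing), a suffix no other pattern in this
    # file uses, so the glob matched nothing and changes under
    # backports/OpenTofu/ never triggered this entry.
    - backports/OpenTofu/*.gitlab-ci.yml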
# FIXME: we cannot make this work for all use cases because of the following:
# - cannot pass parallel.matrix to the component, thus we need to extend it
# - that in turn causes a problem: when this component is ruled out, the extended job fails
#   because it has neither a script nor a trigger.
# Additionally, when this project is mirrored into another instance the component reference fails.
# This may be solved with https://gitlab.com/gitlab-org/gitlab/-/issues/434260#note_1776822074
# - component: $CI_SERVER_FQDN/components/container-scanning/container-scanning@3.0
# inputs:
# stage: quality
# cs_image: $GITLAB_OPENTOFU_IMAGE_NAME
# git_strategy: fetch
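# Every stage a job in this file references must be declared here, otherwise
# pipeline creation fails validation. `.pre` (used by check-semantic-version)
# is built in and needs no entry.
# NOTE(review): only `build` was listed in this excerpt; the other names are
# the stages the jobs in this file use. The order is assumed from the artifact
# flow (the release stage consumes the image*.md files the deploy jobs write;
# cleanup is housekeeping) — confirm against the repository.
stages:
  - build
  - test
  - deploy
  - release
  - cleanup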
# NOTE(review): fragment — the job key owning this `parallel.matrix` and the
# matrix entries themselves are not visible in this excerpt. Jobs below use
# `extends: .opentofu-versions`, which is presumably this hidden job — confirm.
parallel:
  matrix:
variables:
  # Used both as the `services:` DinD daemon and as the build job's own
  # image. Pinned by tag; a digest pin would additionally fix the content.
  DOCKER_DIND_IMAGE: "docker:26.1.2-dind"
  # OpenTofu image build variables:
  # Target platforms handed to `docker buildx build --platform`.
  PLATFORMS: "linux/amd64,linux/arm64"
  # Intermediate builds land under .../internal; the deploy jobs copy them
  # from there to the public release name.
  GITLAB_OPENTOFU_IMAGE_BASE: "$CI_REGISTRY_IMAGE/internal"
  # $OPENTOFU_VERSION is not defined in this excerpt (presumably a matrix
  # variable — confirm).
  GITLAB_OPENTOFU_IMAGE_NAME: "$GITLAB_OPENTOFU_IMAGE_BASE/gitlab-opentofu:$CI_COMMIT_SHA-opentofu$OPENTOFU_VERSION"
# Presumably rejects a pushed tag that is not a semantic version before
# anything is built or released from it (the check itself lives in the
# script). Runs in the built-in `.pre` stage, i.e. ahead of `build`.
check-semantic-version:
  stage: .pre
  # Unpinned; a tag or digest pin keeps this job reproducible.
  image: alpine:latest
  rules:
    - if: '$CI_COMMIT_TAG'
  script:
    # -n: the script receives the tag without a trailing newline.
    - 'echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh'
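# NOTE(review): this job's name line is not visible in this excerpt; the keys
# below form one job that builds the multi-platform OpenTofu image and pushes
# it to the internal registry path ($GITLAB_OPENTOFU_IMAGE_NAME).
# $BASE_IMAGE and $OPENTOFU_VERSION are not defined in this excerpt
# (presumably matrix variables — confirm).
stage: build
services:
  - "$DOCKER_DIND_IMAGE"
image: "$DOCKER_DIND_IMAGE"
before_script:
  # See note on the `build terraform` job about this image.
  # Registers binfmt handlers so buildx can build the non-native platform;
  # --privileged is what that registration needs. The image is pulled from a
  # mutable, unpinned tag — pin it by digest so a privileged container cannot
  # silently change underneath this job.
  - docker run --rm --privileged tonistiigi/binfmt
  # Registry auth. The password is fed on stdin instead of `-p`: docker
  # itself warns that `-p` is insecure, because the secret becomes part of
  # the process argument list.
  - 'echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"'
script:
  - docker buildx create --use
  # NOTE: we disable provenance for now
  # because it causes troubles with the registry and older clients.
  # See
  # - https://gitlab.com/gitlab-org/terraform-images/-/issues/104
  # - https://gitlab.com/gitlab-org/terraform-images/-/merge_requests/184#note_1328485943
  # Build args are quoted so an empty or space-containing value cannot split
  # into extra arguments. Folded scalar = one command line.
  - >-
    docker buildx build
    --platform "$PLATFORMS"
    --build-arg "BASE_IMAGE=$BASE_IMAGE"
    --build-arg "OPENTOFU_VERSION=$OPENTOFU_VERSION"
    --file Dockerfile
    --tag "$GITLAB_OPENTOFU_IMAGE_NAME"
    --provenance=false
    --push
    .
rules:
  - if: '$CI_COMMIT_TAG'
  - changes:
      - Dockerfile
      - .gitlab-ci.yml
      - src/**/*
      - templates/**/*
      - tests/**/*
      - backports/**/*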
# NOTE(review): incomplete in this excerpt — `before_script:` has no value here
# (a bare key parses as null) and no `script:` is shown; confirm the job's
# commands in the repository rather than reading this as an empty job.
# Presumably regenerates README.md from .gitlab/README.md.template and fails
# on drift, mirroring check-backports — confirm.
check-readme:
  stage: test
  # No dependency on the build stage.
  needs: []
  # Unpinned; a tag or digest pin keeps this job reproducible.
  image: alpine:latest
  before_script:
  rules:
    - if: $CI_COMMIT_TAG
    - changes:
        - Makefile
        - .gitlab-ci.yml
        - README.md
        - .gitlab/README.md.template
        - templates/**/*
# Regenerates the backports/ tree with `make backports` and fails when the
# result differs from what is committed, so backports cannot drift from the
# templates they are derived from.
check-backports:
  stage: test
  # Starts immediately; no dependency on the build stage.
  needs: []
  # Unpinned; a tag or digest pin keeps this job reproducible.
  image: alpine:latest
  rules:
    - if: '$CI_COMMIT_TAG'
    - changes:
        - Makefile
        - .gitlab-ci.yml
        - backports/**/*
        - templates/**/*
  before_script:
    # Tooling the Makefile needs (presumably GNU coreutils/sed rather than the
    # busybox variants). apk packages are unpinned, so e.g. the yq version
    # drifts over time.
    - apk add coreutils make git sed yq diffutils patch
  script:
    - make backports
    # Non-zero exit on any uncommitted difference.
    - git diff --exit-code
# Static analysis of the component's shell entry point and the CI helper
# scripts. The image is pinned by tag (v0.10.0), unlike the alpine:latest
# images used elsewhere in this file.
shellcheck:
  stage: test
  needs: []
  image: koalaman/shellcheck-alpine:v0.10.0
  rules:
    - changes:
        - src/gitlab-tofu.sh
        - .gitlab/scripts/*.sh
    - if: '$CI_COMMIT_TAG'
  script:
    - shellcheck ./src/gitlab-tofu.sh
    # Glob is expanded by the shell; every helper script is checked.
    - shellcheck ./.gitlab/scripts/*.sh
# FIXME: see the FIXME at the component include above for why this has to stay disabled.
# container_scanning:
# extends: .opentofu-versions
# rules:
# - changes:
# - src/gitlab-tofu.sh
# - Dockerfile
# - .gitlab-ci.yml
# - if: $CI_COMMIT_TAG
# - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
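# Copies the internal build image to its public release name, one job per
# OpenTofu version from the .opentofu-versions matrix, and records the released
# reference plus digest in image$CI_JOB_ID.md (the release stage concatenates
# these files).
# NOTE(review): no `rules:` is visible for this job in this excerpt, although
# RELEASE_SEMVER only makes sense on a tag pipeline — confirm a tag rule exists.
gitlab-opentofu-image:deploy:with-opentofu-version:
  extends: .opentofu-versions
  stage: deploy
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  variables:
    RELEASE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/gitlab-opentofu"
    # OCI image tags are not compatible with semver, specifically the build metadata part
    # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
    # We use a dash `-` here, instead of the `+`.
    # This may be problematic, because it indicates a semver prerelease.
    RELEASE_SEMVER: "${CI_COMMIT_TAG}-opentofu${OPENTOFU_VERSION}"
    RELEASE_IMAGE: "$RELEASE_IMAGE_NAME:$RELEASE_SEMVER"
  before_script:
    # Password on stdin rather than `-p`, so the secret is not part of the
    # process argument list.
    - 'echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"'
  script:
    # Registry-side copy; nothing is pulled into the job.
    - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
    # $RELEASE_IMAGE is quoted inside the command substitution and the output
    # path is quoted, so neither can split on whitespace.
    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$(crane digest "$RELEASE_IMAGE")\`)" > "image$CI_JOB_ID.md"'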
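# Same copy as the versioned deploy job, but to the moving
# `latest-opentofu<version>` tag; one job per OpenTofu version from the
# .opentofu-versions matrix, tag pipelines only. Writes the released reference
# plus digest to image$CI_JOB_ID.md for the release stage.
gitlab-opentofu-image:deploy:latest-with-opentofu-version:
  extends: .opentofu-versions
  stage: deploy
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  rules:
    - if: '$CI_COMMIT_TAG'
  variables:
    RELEASE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/gitlab-opentofu"
    RELEASE_SEMVER: "latest-opentofu${OPENTOFU_VERSION}"
    RELEASE_IMAGE: "$RELEASE_IMAGE_NAME:$RELEASE_SEMVER"
  before_script:
    # Password on stdin rather than `-p`, so the secret is not part of the
    # process argument list.
    - 'echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"'
  script:
    # Registry-side copy; nothing is pulled into the job.
    - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
    # $RELEASE_IMAGE is quoted inside the command substitution and the output
    # path is quoted, so neither can split on whitespace.
    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$(crane digest "$RELEASE_IMAGE")\`)" > "image$CI_JOB_ID.md"'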
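# Publishes the build for the latest OpenTofu version under two tags: the bare
# `<tag>` and `<tag>-opentofulatest` (one job per matrix entry). Writes the
# released reference plus digest to image$CI_JOB_ID.md for the release stage.
# NOTE(review): no `rules:` is visible for this job in this excerpt, although
# the tags are derived from $CI_COMMIT_TAG — confirm a tag rule exists.
# $LATEST_OPENTOFU_VERSION is not defined in this excerpt — confirm its source.
gitlab-opentofu-image:deploy:latest:
  stage: deploy
  image:
    name: gcr.io/go-containerregistry/crane:debug
    entrypoint: [""]
  variables:
    # Selects which internal build ($GITLAB_OPENTOFU_IMAGE_NAME) is copied.
    OPENTOFU_VERSION: "$LATEST_OPENTOFU_VERSION"
    RELEASE_IMAGE_NAME: "$CI_REGISTRY_IMAGE/gitlab-opentofu"
    RELEASE_IMAGE: "$RELEASE_IMAGE_NAME:$RELEASE_IMAGE_TAG"
  # Quoted so the `${...}` values stay plain strings for the YAML parser.
  parallel:
    matrix:
      - RELEASE_IMAGE_TAG: "${CI_COMMIT_TAG}"
      - RELEASE_IMAGE_TAG: "${CI_COMMIT_TAG}-opentofulatest"
  before_script:
    # Password on stdin rather than `-p`, so the secret is not part of the
    # process argument list.
    - 'echo "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"'
  script:
    # Registry-side copy; nothing is pulled into the job.
    - crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
    # $RELEASE_IMAGE is quoted inside the command substitution and the output
    # path is quoted, so neither can split on whitespace.
    - 'echo "- \`$RELEASE_IMAGE\` (digest: \`$(crane digest "$RELEASE_IMAGE")\`)" > "image$CI_JOB_ID.md"'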
# If the pipeline is for a new tag with a semantic version, and all previous jobs succeed,
# create the release.
# NOTE(review): this job's name line, its `script:`/`release:` keys and any
# `rules:`/`needs:` are not visible in this excerpt; only stage, image,
# before_script and artifacts are shown. `cat image*.md` below relies on the
# image$CI_JOB_ID.md files written by the deploy jobs — confirm they are
# declared as artifacts there and fetched into this job.
stage: release
# Unpinned; a tag or digest pin keeps this job reproducible.
image: registry.gitlab.com/gitlab-org/release-cli:latest
before_script:
  # Unpinned apk packages; the yq expression below depends on yq's syntax.
  - apk add --update yq envsubst
  # Markdown list of the OpenTofu versions offered by the template's
  # `opentofu_version` input, skipping option values that contain a `$`
  # (presumably variable placeholders — confirm).
  - AVAILABLE_OPENTOFU_VERSIONS=$(yq -r '.spec.inputs.opentofu_version.options | filter((. | test("\$.*")) == false) | .[] | "- [`" + . + "`](https://github.com/opentofu/opentofu/releases/tag/v" + . + ")"' templates/full-pipeline.yml)
  # Reverse-sorted list of released images; tee keeps the raw list as the
  # images.md artifact, sed moves each "(digest: ...)" onto its own sub-bullet.
  - 'AVAILABLE_IMAGES=$(cat image*.md | sort -r | tee images.md | sed -E "s/(\(digest: .*\))/\n - \1/")'
  # Both variables above are substituted into the release-notes template.
  - envsubst < .gitlab/release-notes.md.template > release-notes.md
artifacts:
  paths:
    - images.md
    - release-notes.md
# Scheduled housekeeping: removes Terraform states older than
# REMOVE_STATES_UNTIL. Gated to scheduled pipelines on the default branch that
# explicitly opt in with STATE_CLEANER=true, so a tag, MR or manual pipeline
# never touches state.
old-states:
  stage: cleanup
  # Unpinned; a tag or digest pin keeps this job reproducible.
  image: alpine:latest
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $STATE_CLEANER == "true"'
  variables:
    # Relative date understood by GNU `date -d` (hence coreutils below).
    REMOVE_STATES_UNTIL: "1 week ago"
    # Token presumably read by the fetch/remove scripts; the source variable
    # should be masked and protected in the project settings. This job's own
    # commands never print it.
    GITLAB_TOKEN: "$GITLAB_STATE_CLEANER_TOKEN"
  before_script:
    - apk add --update coreutils curl jq
    # Absolute cut-off timestamp, exported so the helper scripts can read it.
    - export FETCH_OLDER_THAN=$(date '+%Y-%m-%dT%H:%M:%SZ' -d "${REMOVE_STATES_UNTIL}")
  script:
    - echo "Going to remove Terraform States older than '$FETCH_OLDER_THAN'"
    # sed -n '1d;p' drops the first line (presumably a header) before the rest
    # is handed to the remover. NOTE(review): without pipefail a failing fetch
    # hands an empty list downstream — confirm the scripts treat that as a
    # no-op rather than an error-free run.
    - ./.gitlab/scripts/fetch-states.sh | sed -n '1d;p' | ./.gitlab/scripts/remove-states.sh