# GitLab CI pipeline for the gitlab-opentofu container image: builds the image matrix,
# includes the unit/integration test pipelines, publishes releases and cleans up old
# Terraform states. The pasted source had its indentation collapsed; it is re-flowed here
# with the original keys and values kept verbatim. One region is truncated (see the
# NOTE(review) inside `gitlab-opentofu-image:build`).

# Pipelines are created only for merge requests, schedules, tags and protected refs.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_REF_PROTECTED == "true"

include:
  # Presumably defines the `.data` keys (`supported_versions`, `latest_version`) that the
  # `!reference` tags below point at — confirm against opentofu_versions.yaml.
  - local: opentofu_versions.yaml
  # Unit tests are skipped when SKIP_TESTS is "true"; otherwise included on a tag or when
  # one of the listed inputs changes.
  - local: tests/unit.gitlab-ci.yml
    rules:
      - if: $SKIP_TESTS == "true"
        when: never
      - changes:
          - src/gitlab-tofu.sh
          - opentofu_versions.yaml
          - Dockerfile.*
          - .dockerignore
          - .gitlab-ci.yml
          - tests/unit.gitlab-ci.yml
          - tests/unit/*
      - if: $CI_COMMIT_TAG
  # Same gating for the integration tests, with the template and IaC fixtures added to the
  # change set.
  - local: tests/integration.gitlab-ci.yml
    rules:
      - if: $SKIP_TESTS == "true"
        when: never
      - changes:
          - src/gitlab-tofu.sh
          - opentofu_versions.yaml
          - Dockerfile.*
          - .dockerignore
          - .gitlab-ci.yml
          - templates/*.yml
          - tests/integration.gitlab-ci.yml
          - tests/integration-tests/*.yml
          - tests/iac/**.tf
      - if: $CI_COMMIT_TAG
  # FIXME: we cannot make this work for all use cases because of the following:
  # - cannot pass parallel.matrix to the component, thus we need to extend it
  # - that leads to a problem that when this component is ruled out, the extended job fails,
  #   because it doesn't have a script or trigger.
  # Additionally, when this project is mirrored into another instance the component reference fails.
  # This may be solved with https://gitlab.com/gitlab-org/gitlab/-/issues/434260#note_1776822074
  # - component: $CI_SERVER_FQDN/components/container-scanning/container-scanning@3.0
  #   inputs:
  #     stage: quality
  #     cs_image: $GITLAB_OPENTOFU_IMAGE_NAME
  #     git_strategy: fetch

stages:
  - build
  - test
  - test-integration
  - quality
  - deploy
  - release
  - cleanup

# Build matrix: every supported OpenTofu version × each base image OS.
.image-matrix:build:
  parallel:
    matrix:
      - OPENTOFU_VERSION: !reference [.data, supported_versions]
        GITLAB_OPENTOFU_BASE_IMAGE_OS:
          - 'alpine'
          - 'debian'

# Deploy matrix: one entry per release tag shape (see the comment on each entry).
.image-matrix:deploy:
  parallel:
    # OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
    # RELEASE_VERSION: Tag base for the release image
    # RELEASE_OPENTOFU_VERSION: opentofu version to be contained in the release tag
    # RELEASE_BASE_IMAGE_OS: base OS suffix of the release tag
    matrix:
      - # :{commit-tag}-opentofu{opentofu-version}
        OPENTOFU_VERSION: !reference [.data, supported_versions]
        RELEASE_VERSION: $CI_COMMIT_TAG
        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
      - # :latest-opentofu{opentofu-version}
        OPENTOFU_VERSION: !reference [.data, supported_versions]
        RELEASE_VERSION: latest
        RELEASE_OPENTOFU_VERSION: $OPENTOFU_VERSION
        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']
      - # :{commit-tag|latest}{-opentofulatest|}
        # The latest OpenTofu version is also published without any -opentofu suffix.
        OPENTOFU_VERSION: $LATEST_OPENTOFU_VERSION
        RELEASE_VERSION: ["${CI_COMMIT_TAG}", latest]
        RELEASE_OPENTOFU_VERSION: ["", latest]
        RELEASE_BASE_IMAGE_OS: ['alpine', 'debian']

# Script fragment (aliased elsewhere via *image-matrix-deploy-release-name-script) that
# derives RELEASE_IMAGE_NAME / RELEASE_IMAGE from the deploy matrix variables. The
# -opentofu... and -<os> suffixes are only appended when the corresponding variable is non-empty.
.image-matrix:deploy:release-name-script: &image-matrix-deploy-release-name-script
  # OCI image tags are not compatible with semver, specifically the build metadata part
  # indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
  # We use a dash `-` here, instead of the `+`.
  # This may be problematic, because it indicates a semver prerelease.
  - export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
  - export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"

variables:
  # OpenTofu variables
  LATEST_OPENTOFU_VERSION: !reference [.data, latest_version]
  # OpenTofu image build variables:
  PLATFORMS: linux/amd64,linux/arm64
  # Intermediate (non-release) images live under the `internal` path of the project registry
  # and are tagged with the commit SHA, OpenTofu version and base OS.
  GITLAB_OPENTOFU_IMAGE_BASE: "$CI_REGISTRY_IMAGE/internal"
  GITLAB_OPENTOFU_IMAGE_NAME: "$GITLAB_OPENTOFU_IMAGE_BASE/gitlab-opentofu:$CI_COMMIT_SHA-opentofu$OPENTOFU_VERSION-$GITLAB_OPENTOFU_BASE_IMAGE_OS"

# Tag pipelines fail early (stage .pre) unless the tag name passes the semantic-version check.
check-semantic-version:
  stage: .pre
  rules:
    - if: $CI_COMMIT_TAG
  # NOTE(review): image is pinned by tag, not by digest — consider a digest pin for
  # reproducible, tamper-evident builds.
  image: alpine:3.20.3
  before_script:
    - apk add perl
  script:
    # The tag name is passed on stdin; the script is expected to exit non-zero on an invalid tag.
    - echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh

# Builds the internal image for every entry of the build matrix with buildah.
gitlab-opentofu-image:build:
  extends: '.image-matrix:build'
  stage: build
  image: quay.io/containers/buildah:v1.37.3
  before_script:
    # Supporting GitLab dependency proxies:
    # see https://docs.gitlab.com/ee/user/packages/dependency_proxy/
    # When the group dependency proxy is available, a registries.conf drop-in is written so
    # buildah pulls base images through it.
    - |
      if [ -n "$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX" ]; then
        echo "Detected GitLab Dependency Proxy at '$CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX', configuring it for buildah ..."
        cat > /etc/containers/registries.conf.d/dependency-proxy.conf < image$CI_JOB_ID.md'
  # NOTE(review): the pasted source is truncated between the previous line and this one.
  # The heredoc body written to dependency-proxy.conf, the rest of this job's script, and
  # the job that owns the following `artifacts`/`rules` keys are missing. Judging by the
  # `image*.md` artifact and `images.md` in `.release:base`, those keys belong to a separate
  # image-collection job, not to the build job — restore them there when repairing the file.
  artifacts:
    paths:
      - 'image*.md'
  rules:
    - if: '$CI_SERVER_FQDN == "gitlab.com" && $CI_COMMIT_TAG'

# Shared base for the release jobs: renders release-notes.md with release-cli's tooling.
# RELEASE_TAG_NAME is supplied by the extending job.
.release:base:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:v0.19.0
  before_script:
    - apk add --update yq envsubst
  script:
    - echo "Creating release $RELEASE_TAG_NAME"
    - ./.gitlab/scripts/release-notes.sh > release-notes.md
  artifacts:
    paths:
      # images.md is presumably produced by an upstream job — confirm once the truncated
      # region above is restored.
      - images.md
      - release-notes.md

# Creates the GitLab release for the tag, using the rendered notes as description.
release:
  extends: ['.release:base']
  rules:
    - if: $CI_COMMIT_TAG
  variables:
    RELEASE_TAG_NAME: $CI_COMMIT_TAG
  release:
    tag_name: $CI_COMMIT_TAG
    description: './release-notes.md'

# Exercises the release-notes tooling on non-tag pipelines when it changes; never on tags
# (no release is created — RELEASE_TAG_NAME is empty and there is no `release:` key).
release:dry-run:
  extends: ['.release:base']
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - changes:
        - .gitlab-ci.yml
        # NOTE(review): `changes:` patterns are matched against repo-relative paths; the
        # leading `./` on the next two entries may prevent them from ever matching — confirm.
        - ./.gitlab/scripts/release-notes.sh
        - ./.gitlab/release-notes.md.template
  after_script:
    - cat release-notes.md
  variables:
    RELEASE_TAG_NAME: ''

# Destructive cleanup of Terraform states older than REMOVE_STATES_UNTIL. Only runs from a
# scheduled pipeline on the default branch and only when STATE_CLEANER is "true".
old-states:
  image: alpine:3.20.3
  stage: cleanup
  variables:
    REMOVE_STATES_UNTIL: 1 week ago
    # NOTE(review): this token drives state deletion — it should be a protected + masked
    # CI variable so it is only exposed to protected refs; confirm in the project settings.
    GITLAB_TOKEN: $GITLAB_STATE_CLEANER_TOKEN
  before_script:
    - apk add --update coreutils curl jq
    # GNU date (coreutils) is required for the relative `-d` parsing. If this expansion
    # fails, FETCH_OLDER_THAN is empty; what the scripts do with an empty value is not
    # visible here — verify they refuse to run rather than select everything.
    - export FETCH_OLDER_THAN=$(date '+%Y-%m-%dT%H:%M:%SZ' -d "${REMOVE_STATES_UNTIL}")
  script:
    - echo "Going to remove Terraform States older than '$FETCH_OLDER_THAN'"
    # `sed -n '1d;p'` drops the first output line of fetch-states.sh (presumably a header).
    - ./.gitlab/scripts/fetch-states.sh | sed -n '1d;p' | ./.gitlab/scripts/remove-states.sh
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE == "schedule" && $STATE_CLEANER == "true"'