Merge branch common-ci-tasks:main into main

.gitlab-ci-asdf-versions.yml

 # DO NOT MANUALLY EDIT; Run ./scripts/update-asdf-version-variables.sh to update this
 variables:
-    GL_ASDF_PRE_COMMIT_VERSION: 4.0.1
+    GL_ASDF_CHECKOV_VERSION: 3.2.372
+    GL_ASDF_PRE_COMMIT_VERSION: 4.1.0
     GL_ASDF_SHELLCHECK_VERSION: 0.10.0
     GL_ASDF_SHFMT_VERSION: 3.10.0

.gitlab-ci-default-asdf-versions.yml

 # DO NOT MANUALLY EDIT; Run ./scripts/update-asdf-version-variables.sh to update this
 variables:
-    GL_COMMON_CI_TASKS_DEFAULT_ASDF_PRE_COMMIT_VERSION: 4.0.1
+    GL_COMMON_CI_TASKS_DEFAULT_ASDF_CHECKOV_VERSION: 3.2.372
+    GL_COMMON_CI_TASKS_DEFAULT_ASDF_PRE_COMMIT_VERSION: 4.1.0
     GL_COMMON_CI_TASKS_DEFAULT_ASDF_SHELLCHECK_VERSION: 0.10.0
     GL_COMMON_CI_TASKS_DEFAULT_ASDF_SHFMT_VERSION: 3.10.0

.gitlab-ci-other-versions.yml

@@ -4,19 +4,20 @@
 # so be sure not to include the `v` prefix on version numbers here when adding new
 # values, or manually upgrading.
 variables:
-  GL_COMMON_CI_TASKS_DEFAULT_GITLEAKS_VERSION: "8.22.1"  # datasource=github-releases depName=zricethezav/gitleaks
+  GL_COMMON_CI_TASKS_DEFAULT_GITLEAKS_VERSION: "8.24.0"  # datasource=github-releases depName=zricethezav/gitleaks
   GL_COMMON_CI_TASKS_YAMLLINT_VERSION: "1.35.1"  # datasource=github-tags depName=adrienverge/yamllint
-  GL_COMMON_CI_TASKS_HCLFMT_VERSION: "2.22.0"  # datasource=github-tags depName=hashicorp/hcl
+  GL_COMMON_CI_TASKS_HCLFMT_VERSION: "2.23.0"  # datasource=github-tags depName=hashicorp/hcl
   GL_COMMON_CI_TASKS_KANIKO_VERSION: "1.23.2"  # datasource=github-releases depName=GoogleContainerTools/kaniko
+  GL_COMMON_CI_TASKS_JQ_VERSION: "1.7.1"  # datasource=github-releases depName=jqlang/jq
   # These are versions used in the Renovate runner image
-  GL_COMMON_RENOVATE_GIT_VERSION: "2.47.0"  # datasource=github-tags depName=git/git
-  GL_COMMON_RENOVATE_GOLANG_VERSION: "1.23.4"  # datasource=golang-version depName=golang/go
+  GL_COMMON_RENOVATE_GIT_VERSION: "2.48.1"  # datasource=github-tags depName=git/git
+  GL_COMMON_RENOVATE_GOLANG_VERSION: "1.23.6"  # datasource=golang-version depName=golang/go
   GL_COMMON_RENOVATE_JB_VERSION: "0.6.0"  # datasource=github-releases depName=jsonnet-bundler/jsonnet-bundler
-  GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION: "1.16.1"  # datasource=gitlab-releases depName=gitlab-com/gl-infra/jsonnet-tool
-  GL_COMMON_RENOVATE_NODEJS_VERSION: "20.18.0"  # datasource=node depName=nodejs/node
-  GL_COMMON_RENOVATE_RUBY_VERSION: "3.3.5"  # datasource=ruby-version depName=ruby/ruby
+  GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION: "1.17.0"  # datasource=gitlab-releases depName=gitlab-com/gl-infra/jsonnet-tool
+  GL_COMMON_RENOVATE_NODEJS_VERSION: "22.14.0"  # datasource=node depName=nodejs/node
+  GL_COMMON_RENOVATE_RUBY_VERSION: "3.3.7"  # datasource=ruby-version depName=ruby/ruby
   GL_COMMON_RENOVATE_YARN_VERSION: "1.22.22"  # datasource=github-tags depName=yarnpkg/yarn
-  GL_COMMON_RENOVATE_YQ_VERSION: "4.44.3"  # datasource=github-releases depName=mikefarah/yq
-  GL_COMMON_RENOVATE_PYTHON_VERSION: "3.12.7"  # datasource=github-tags depName=python/cpython
-  GL_COMMON_RENOVATE_MISE_VERSION: "2024.12.24"  # datasource=github-releases depName=jdx/mise
+  GL_COMMON_RENOVATE_YQ_VERSION: "4.45.1"  # datasource=github-releases depName=mikefarah/yq
+  GL_COMMON_RENOVATE_PYTHON_VERSION: "3.12.9"  # datasource=github-tags depName=python/cpython
+  GL_COMMON_RENOVATE_MISE_VERSION: "2024.11.4"  # [pinned - see: https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/issues/33] datasource=github-releases depName=jdx/mise

.pre-commit-config.yaml

@@ -23,7 +23,7 @@ repos:
         args: [--autofix, --no-sort-keys]
   - repo: https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks
-    rev: v2.51.0  # renovate:managed:self
+    rev: v2.61  # renovate:managed:self
     hooks:
       - id: shellcheck  # Run shellcheck for changed Shell files
       - id: shfmt  # Run shellcheck for changed Shell files

.tool-versions

 # For first-time installation, you'll need to install all plugins:
 # Use the script: ./scripts/install-asdf-plugins.sh
 # NOTE: please add new plugins to ./scripts/install-asdf-plugins.sh when adding items here
-pre-commit 4.0.1 # datasource=github-releases depName=pre-commit/pre-commit
+checkov 3.2.372
+pre-commit 4.1.0 # datasource=github-releases depName=pre-commit/pre-commit
 python system
 shellcheck 0.10.0 # datasource=github-releases depName=koalaman/shellcheck
 shfmt 3.10.0 # datasource=github-releases depName=mvdan/sh

Dockerfile.asdf

 # This image is used by asdf to validate asdf setup scripts in asdf-tool-versions.yml
 # This docker image is deprecated. Use the mise image instead.
-FROM ghcr.io/containerbase/base:12.0.10
+FROM ghcr.io/containerbase/base:13.7.17
 ARG GL_COMMON_RENOVATE_GIT_VERSION
 ARG GL_COMMON_RENOVATE_PYTHON_VERSION

Dockerfile.mise

 # This image is used by asdf to validate asdf setup scripts in asdf-tool-versions.yml
-FROM ghcr.io/containerbase/base:12.0.10
+FROM ghcr.io/containerbase/base:13.7.17
 ARG GL_COMMON_RENOVATE_GIT_VERSION
 ARG GL_COMMON_RENOVATE_MISE_VERSION
 ARG GL_COMMON_RENOVATE_PYTHON_VERSION
 ENV DEBIAN_FRONTEND=noninteractive
 ENV MISE_INSTALL_PATH=/bin/mise
-ENV MISE_VERSION="${GL_COMMON_RENOVATE_MISE_VERSION}"
+ENV MISE_VERSION="v${GL_COMMON_RENOVATE_MISE_VERSION}"
 # Some dependencies from https://github.com/pyenv/pyenv/wiki#suggested-build-environment
 # required for mise

Dockerfile.renovate

 ARG GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION
 ARG GL_COMMON_RENOVATE_YQ_VERSION
-FROM docker.io/mikefarah/yq:${GL_COMMON_RENOVATE_YQ_VERSION} as yq
+FROM docker.io/mikefarah/yq:${GL_COMMON_RENOVATE_YQ_VERSION} AS yq
 FROM registry.gitlab.com/gitlab-com/gl-infra/jsonnet-tool:v${GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION} AS jsonnet-tool
 # This image is used by renovate
-FROM ghcr.io/containerbase/base:12.0.10
+FROM ghcr.io/containerbase/base:13.7.17
 ARG GL_COMMON_RENOVATE_GIT_VERSION
 ARG GL_COMMON_RENOVATE_GOLANG_VERSION
 ARG GL_COMMON_RENOVATE_JB_VERSION
@@ -15,8 +15,7 @@ ARG GL_COMMON_RENOVATE_YARN_VERSION
 ARG GL_COMMON_RENOVATE_PYTHON_VERSION
 ENV DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update
+ENV ASDF_DIR=/asdf
 # Install post-upgrade script
 COPY ./scripts/post-renovate-upgrade.sh /opt/gitlab/renovate/post-renovate-upgrade.sh
@@ -26,41 +25,39 @@ COPY ./scripts/renovate-upgrade-scripts /opt/gitlab/renovate/renovate-upgrade-sc
 # Some dependencies from https://github.com/pyenv/pyenv/wiki#suggested-build-environment
 # required for asdf, and some others as needed
-RUN apt-get update
-RUN apt-get upgrade -y
-
-RUN apt-get install -yq \
+RUN apt-get update \
+    && apt-get upgrade -y \
+    && apt-get install -yq \
         jq curl bash build-essential libssl-dev zlib1g-dev \
         libbz2-dev libreadline-dev libsqlite3-dev libyaml-dev wget unzip \
-        ca-certificates openssh-client lsb-release rsync
-RUN install-tool git "${GL_COMMON_RENOVATE_GIT_VERSION}"
-RUN install-tool node "${GL_COMMON_RENOVATE_NODEJS_VERSION}"
-# TODO: remove once using slim containers
-RUN install-tool yarn "${GL_COMMON_RENOVATE_YARN_VERSION}"
-RUN install-tool ruby "${GL_COMMON_RENOVATE_RUBY_VERSION}"
-RUN install-tool python "${GL_COMMON_RENOVATE_PYTHON_VERSION}"
-RUN install-tool jb "${GL_COMMON_RENOVATE_JB_VERSION}"
-RUN install-tool golang "${GL_COMMON_RENOVATE_GOLANG_VERSION}"
-# Install asdf as some renovate scripts will install
-# requirements using asdf
-ENV ASDF_DIR=/asdf
-RUN git clone https://github.com/asdf-vm/asdf.git "${ASDF_DIR}"
-# Install mise
-RUN curl https://mise.jdx.dev/mise-latest-linux-x64 > /bin/mise && chmod 755 /bin/mise
-# Try install renovate with a retry
-RUN npm install -g renovate || npm install -g renovate
-# Cleanup npm
-RUN npm cache clean --force
-# Cleanup apt
-RUN apt-get clean autoclean && apt-get autoremove --yes && \
-  rm -rf /var/lib/{apt,dpkg,cache,log}/
+        ca-certificates openssh-client lsb-release rsync gettext-base \
+    && install-tool git "${GL_COMMON_RENOVATE_GIT_VERSION}" \
+    && install-tool node "${GL_COMMON_RENOVATE_NODEJS_VERSION}" \
+    # TODO: remove once using slim containers
+    && install-tool yarn "${GL_COMMON_RENOVATE_YARN_VERSION}" \
+    && install-tool ruby "${GL_COMMON_RENOVATE_RUBY_VERSION}" \
+    && install-tool python "${GL_COMMON_RENOVATE_PYTHON_VERSION}" \
+    && install-tool jb "${GL_COMMON_RENOVATE_JB_VERSION}" \
+    && install-tool golang "${GL_COMMON_RENOVATE_GOLANG_VERSION}" \
+    # Install asdf as some renovate scripts will install
+    # requirements using asdf
+    && git clone https://github.com/asdf-vm/asdf.git "${ASDF_DIR}" \
+    # Install mise
+    && curl https://mise.jdx.dev/mise-latest-linux-x64 > /bin/mise && chmod 755 /bin/mise \
+    # Try install renovate with a retry
+    && npm install -g renovate || npm install -g renovate \
+    # Cleanup npm
+    && npm cache clean --force \
+    # Cleanup apt
+    && apt-get clean autoclean && apt-get autoremove --yes \
+    && rm -rf /var/lib/{apt,dpkg,cache,log}/
 COPY --from=jsonnet-tool /usr/local/bin/jsonnet-tool /bin/jsonnet-tool
 COPY --from=yq /usr/bin/yq /usr/bin/yq

appsec-container-scan.md

@@ -15,7 +15,7 @@ include:
   # and include the container scanning results in the project that is triggering this scan.
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/appsec-container-scan.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: appsec-container-scan.yml
 container_image_scan:

asdf-tool-versions.md

@@ -31,6 +31,6 @@ include:
   # and that asdf and mise are generally working
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/asdf-tool-versions.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: asdf-tool-versions.yml
 ```

asdf-tool-versions.yml

@@ -6,7 +6,7 @@ spec:
 validate_mise_tool_versions:
   stage: $[[ inputs.stage ]]
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/mise:v2.51.0
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks/mise:v2.61.0
     entrypoint: [""]
   needs: []
   variables:

autolabels.md

+# [`autolabels`](./autolabels.yml)
+
+The **autolabels** job adds [Work Type Classification](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification) labels to GitLab merge requests.
+See https://gitlab.com/gitlab-com/gl-infra/autolabels for more details on what *autolabels* does.
+
+## Setup
+
+* Using [infra-mgmt](https://gitlab.com/gitlab-com/gl-infra/infra-mgmt) **(Recommended)**
+
+  Setting `common_ci_tasks.enabled = true` will enable *autolabels* by default.
+* Manual setup
+  * Create a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (PrAT) with the `api` and `read_repository` scopes and the `Developer` role.
+
+  * Store the PrAT in Vault under the `ci/access_tokens/${VAULT_SECRETS_PATH}/autolabels` path.
+  Please note that merge requests need access to this token.
+  This is usually achieved by adding the Vault path to the read-only policy.
+  * **Alternative:** Create a CI variable called `AUTOLABELS_TOKEN` containing the PrAT.
+  Please note that merge requests need access to this token.
+  This typically means that you must omit the `Protected` flag, since merge request branches are typically not protected.
+  The token has the `Developer` role, which is also the role required to create merge requests, meaning developers cannot escalate their privileges by extracting the token.
+* Import `autolabels.yml` into your project:
+
+  ```yaml
+  include:
+    - project: "gitlab-com/gl-infra/common-ci-tasks"
+      ref: v2.61.0  # renovate:managed
+      file: "autolabels.yml"
+  ```

autolabels.yml

+spec:
+  inputs:
+    stage:
+      default: "build"
+    version:
+      default: "v1.3.4"  # renovate:managed
+    vault:
+      default: ""
+---
+# Include exactly one of the following files:
+include:
+  # Option 1: Vault with explicit path from the "vault" input
+  - local: 'internal/autolabels/vault.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" != ""'
+    inputs:
+      vault: "$[[ inputs.vault | expand_vars ]]"
+  # Option 2: Variable using AUTOLABELS_TOKEN (compatibility behavior)
+  - local: 'internal/autolabels/variable.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $AUTOLABELS_TOKEN != null'
+  # Option 3 (default): Vault using a well-known default path
+  - local: 'internal/autolabels/vault.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $AUTOLABELS_TOKEN == null'
+    inputs:
+      vault: "access_tokens/${VAULT_SECRETS_PATH}/autolabels/token@ci"
+
+  # Include the "autolabels 🏷️" job from the autolabels repository.
+  - project: 'gitlab-com/gl-infra/autolabels'
+    ref: $[[ inputs.version ]]
+    file: 'ci-tasks/autolabels.yml'
+    inputs:
+      version: $[[ inputs.version ]]
+      stage: $[[ inputs.stage ]]
+
+# Amend the "extends" field to the "autolabels 🏷️" job.
+autolabels 🏷️:
+  extends: .autolabels_auth  # Vault or CI variable, from internal/autolabels/{vault,variable}.yml

checkov.md

@@ -25,6 +25,6 @@ include:
   # Runs checkov on all terraform module directories
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/checkov.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: checkov.yml
 ```

container-diff.md

@@ -7,7 +7,7 @@ This can help to determine how much a container image has changed in size due to
 ```yaml
 include:
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: 'container-diff.yml'
     inputs:
       job_name: container-diff # The name of the job this template will create

container-diff.yml

@@ -21,7 +21,7 @@ $[[ inputs.job_name ]]:
   needs:
     - $[[ inputs.needs ]]
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/container-diff:latest
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/container-diff:latest
     entrypoint: [""]
   script:
     - mkdir -p /cache

danger.md

@@ -13,7 +13,7 @@ variables:
 include:
   # Run Danger during merge requests to alert on messages, warnings and errors.
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: 'danger.yml'
     # inputs:
     #   stage: defaults to `validate`

docker.md

@@ -21,7 +21,7 @@ include:
   # Includes a base template for running an opinionated docker buildx build
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: 'docker.yml'
 .container_builds:
@@ -72,7 +72,7 @@ logs:
 ```
 ------------------------------------------------------------
 Verify this container image using:
-cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.51.0 \
+cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.61.0 \
   --certificate-identity https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks//.gitlab-ci.yml@refs/tags/v1.2.3 \
   --certificate-oidc-issuer https://gitlab.com
 ------------------------------------------------------------

docker.yml

@@ -5,7 +5,7 @@ include:
 .docker_buildx_base:
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/docker:latest
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/docker:latest
     entrypoint: [""]
   retry: 2
   services:

editorconfig-check.md

@@ -13,7 +13,7 @@ include:
   # validate .editorconfig
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/editorconfig-check.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: "editorconfig-check.yml"
 ```