Merge branch common-ci-tasks:main into main

017196ee · Zedic Birchler · 3a33b5bd · 3ead1c4d · 017196ee · 017196ee
Commit 017196ee authored 2 weeks ago by Zedic Birchler
--- a/gitlab-scanners.md
+++ b/gitlab-scanners.md
@@ -11,6 +11,6 @@ stages:
 include:
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/gitlab-scanners.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'gitlab-scanners.yml'
 ```
--- a/gitlab-scanners.yml
+++ b/gitlab-scanners.yml
@@ -8,6 +8,17 @@ include:
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
  
+  # TEMPORARY WORKAROUND: ops.gitlab.net does not have the updated Dependency-Scanning.latest.gitlab-ci.yml
+  #                       template yet so the "dependency-scanning" job is not extending the intended job leading to
+  #                       a "jobs:dependency-scanning config should contain either a trigger or a needs:pipeline" error.
+  #                       Once ops.gitlab.net has the updated template, we can copy the contents of
+  #                       gitlab-scanners-ds.yml back into this file and remove this include.
+  - local: internal/gitlab-scanners/ds.yml
+    rules:
+      - if: $CI_SERVER_HOST == "gitlab.com"
+    inputs:
+      stage: $[[ inputs.stage ]]
+
 sast:
  stage: $[[ inputs.stage ]]
  needs: []
@@ -20,14 +31,3 @@ sast:
 dependency_scanning:
  stage: $[[ inputs.stage ]]
  needs: []
-
-## HACK HACK HACK
-## Temporary Workaround to https://gitlab.com/gitlab-org/gitlab/-/issues/458532
-## Remove this once the upstream problem is fixed.
-flawfinder-sast:
-  stage: $[[ inputs.stage ]]
-  script:
-    - echo "The flawfinder-sast job was deprecated in GitLab 16.8 and removed in GitLab 17.0"
-    - echo "For more information see https://gitlab.com/gitlab-org/gitlab/-/issues/425085"
-  rules:
-    - when: never
--- a/gitleaks.md
+++ b/gitleaks.md
@@ -37,6 +37,6 @@ include:
  # Ensure that all shell-scripts are formatted according to a
  # standard canonical format
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: gitleaks.yml
 ```
--- a/gitlint.md
+++ b/gitlint.md
@@ -14,6 +14,6 @@ include:
  # Runs gitlint on all terraform module directories
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/gitlint.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: gitlint.yml
 ```
--- a/go-mod-tidy.md
+++ b/go-mod-tidy.md
@@ -19,7 +19,7 @@ include:
  # Perform `go mod tidy` and ensure that go.mod and go.sum are tidy.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/go-mod-tidy.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: go-mod-tidy.yml
 ```
 ## A note on compatibility

--- a/go-unittests.md
+++ b/go-unittests.md
@@ -20,7 +20,7 @@ include:
  # Runs Go unit tests
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/go-unittests.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: go-unittests.yml
 ```
  

--- a/go.mod
+++ b/go.mod
 module gitlab.com/gitlab-com/gl-infra/common-ci-tasks
  
-go 1.23.4
+go 1.23.6
  
 // Note: this file is only here to allow golang pre-commit hooks to be installed via this repository
--- a/golangci-lint.md
+++ b/golangci-lint.md
@@ -13,7 +13,7 @@ include:
  # Runs golangci-lint on the project.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/golangci-lint.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'golangci-lint.yml'
    inputs:
      golangci_lint_timeout: 5m # optionally specify a separate timeout

--- a/goreleaser.md
+++ b/goreleaser.md
@@ -102,7 +102,7 @@ include:
  # build binary release artifacts with goreleaser
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: goreleaser.yml
 ```
  
@@ -142,7 +142,7 @@ include:
  # build binary release artifacts with goreleaser
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: goreleaser.yml
 ```
  

--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -61,7 +61,7 @@ goreleaser_validate:
  extends:
    - .goreleaser_validate_base
  image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
    entrypoint: [""]
  rules:
    - if: '($CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "parent_pipeline" || ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE != "schedule"))'
@@ -109,6 +109,7 @@ goreleaser_validate:
      -v $DOCKER_AUTH_SHARED_PATH/config.json:/root/.docker/config.json \
      -e DOCKER_USERNAME -e DOCKER_PASSWORD -e DOCKER_REGISTRY  \
      -e GITLAB_TOKEN \
+      -e CI_API_V4_URL \
      -e CI_REGISTRY \
      -e CI_REGISTRY_IMAGE \
      -e CI_JOB_TOKEN \
@@ -212,7 +213,7 @@ goreleaser_build:
      exists:
        - .goreleaser.yml
      variables:
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
  
    # FIPS, normal build
@@ -220,7 +221,7 @@ goreleaser_build:
      exists:
        - .goreleaser.yml
      variables:
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: build --snapshot --clean ${GORELEASER_BUILD_EXTRA_ARGS:-}
  
    # Non-FIPS, goreleaser-mock-release label set
@@ -228,14 +229,14 @@ goreleaser_build:
      exists:
        - .goreleaser.yml
      variables:
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
  
    # Finally, the default
    - exists:
        - .goreleaser.yml
      variables:
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: build --snapshot --clean --single-target ${GORELEASER_BUILD_EXTRA_ARGS:-}
  
 #################################################################
@@ -260,14 +261,14 @@ goreleaser:
        - .goreleaser.yml
      variables:
        GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in FIPS mode
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-golang-fips:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
  
    # Non-FIPS
    - exists:
        - .goreleaser.yml
      variables:
        GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in non-FIPS mode
-        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
  
 #################################################################
 #  Deprecated Jobs, to be removed

--- a/hclfmt.md
+++ b/hclfmt.md
@@ -10,7 +10,7 @@ include:
  # Ensures that all terraform files are correctly formatted
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/hclfmt.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: hclfmt.yml
 ```
  

--- a/hclfmt.yml
+++ b/hclfmt.yml
@@ -11,7 +11,7 @@ hclfmt:
  stage: $[[ inputs.stage ]]
  needs: []
  image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/hclfmt:${GL_COMMON_CI_TASKS_HCLFMT_VERSION}
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/hclfmt:${GL_COMMON_CI_TASKS_HCLFMT_VERSION}
    entrypoint: [""]
  script:
    - find . -name '*.hcl'|xargs hclfmt -w -require-no-change

--- a/internal/autolabels/variable.yml
+++ b/internal/autolabels/variable.yml
+# DO NOT INCLUDE DIRECTLY!
+---
+.autolabels_auth:
+  variables:
+    AUTOLABELS_AUTH_SOURCE: "CI/CD Variables"
--- a/internal/autolabels/vault.yml
+++ b/internal/autolabels/vault.yml
+# DO NOT INCLUDE DIRECTLY!
+spec:
+  inputs:
+    vault:
+---
+.autolabels_auth:
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://vault.gitlab.net
+  variables:
+    AUTOLABELS_AUTH_SOURCE: "Vault"
+  secrets:
+    AUTOLABELS_TOKEN:
+      file: false
+      vault: $[[ inputs.vault ]]
+      token: $VAULT_ID_TOKEN
--- a/internal/gitlab-scanners/ds.yml
+++ b/internal/gitlab-scanners/ds.yml
+spec:
+  inputs:
+    stage:
+---
+
+dependency-scanning:
+  stage: $[[ inputs.stage ]]
+  needs: []
--- a/jsonfmt.md
+++ b/jsonfmt.md
@@ -19,6 +19,6 @@ include:
  # canonical manner with sorted keys
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/jsonfmt.md
  - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: jsonfmt.yml
 ```
--- a/jsonfmt.yml
+++ b/jsonfmt.yml
@@ -8,7 +8,7 @@ jsonfmt:
  stage: $[[ inputs.stage ]]
  needs: []
  image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/jq:1.6
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/jq:${GL_COMMON_CI_TASKS_JQ_VERSION}
    entrypoint: [""]
  script:
    - rm -rf "${CI_PROJECT_DIR}/jsonfmt-reports/"

--- a/kaniko.md
+++ b/kaniko.md
@@ -13,7 +13,7 @@ include:
  # Includes a base template for running kaniko easily
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/kaniko.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'kaniko.yml'
  
 .container_builds:

--- a/mirroring.md
+++ b/mirroring.md
@@ -22,6 +22,6 @@ variables:
 include:
  # Setup Woodhouse notifications in merge requests for mirrored remote pipelines.
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: mirroring.yml
 ```
--- a/oidc.md
+++ b/oidc.md
@@ -15,7 +15,7 @@ include:
  # Includes a base template for oidc authentication
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/oidc.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'oidc.yml'
  
 deploy_to_cloud_provider:
@@ -46,7 +46,7 @@ include:
  # Includes a base template for running kaniko easily
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/kaniko.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'oidc.yml'
  
 oidc_authenticated_job:
@@ -156,7 +156,7 @@ include:
  # Includes a base template for running kaniko easily
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/kaniko.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
    file: 'oidc.yml'
  
 dual_oidc_authenticated_job: