Merge branch common-ci-tasks:main into main

promlint.md

@@ -23,7 +23,7 @@ include:
   # Ensure that all Prometheus Rules and Alerts are defined correctly
   # Rules defined https://cloudflare.github.io/pint/checks/
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: promlint.yml
 ```

renovate-bot.md

@@ -54,7 +54,7 @@ There are four ways to configure the access token used by Renovate. There are in
    ```yaml
      - project: 'gitlab-com/gl-infra/common-ci-tasks'
-       ref: v2.51.0  # renovate:managed
+       ref: v2.61.0  # renovate:managed
        file: renovate-bot.yml
        inputs:
          vault: "gitlab-com/gitlab-com/gl-infra/renovate/renovate-ci/renovate/gitlab-com/token@ci"
@@ -153,7 +153,7 @@ include:
   # Upgrades dependencies on a schedule
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/renovate-bot.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: renovate-bot.yml
 ```
@@ -274,8 +274,6 @@ To disable Renovate, run a pipeline with `RENOVATE_DISABLED=1` set.
 ## Truncated Versions
-**[This is Experimental](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/issues/19)**.
-
 In an effort to reduce Renovate noise, and toil for Infrastructure teams, for certain low-risk dependencies,
 a preset Renovate configuration is available which will configure Renovate to exclude Patch versions
 from the specified dependency version.
@@ -299,20 +297,26 @@ In order for this to work effectively and safely, several conditions must be met
    of the produced artifacts is more important.
 1. Truncated versions should be avoided for projects that do not strictly follow semver semantics.
-### Including the Truncated Versions Preset in your Renovate Configuration
-Extend your configuration with the `gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-truncated-versions` preset.
+This is enabled by default by extending from `gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-common`
+in a project's `renovate.json` file.
+
+### Disabling Truncated Versions Preset in your Renovate Configuration
+Extend your configuration with the `gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-no-truncated-versions` preset.
 ```json
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-common",
-    "gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-truncated-versions"
+    "gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-no-truncated-versions"
   ]
 }
 ```
+This will make the listed dependencies use regular semver (`x.y.z`)
+version numbers again on renovate runs.
+
 ### Publishing Truncated Versions in Upstream Dependencies
 #### For Projects that Rely on Git Tags for Versioning

renovate-bot.yml

@@ -35,7 +35,7 @@ include:
 .base_renovate_bot:
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/renovate:v2.51.0
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks/renovate:v2.61.0
     entrypoint: [""]
   stage: $[[ inputs.renovate_bot_stage ]]
   variables:

renovate-common.json

@@ -2,7 +2,8 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:base",
-    ":disableDependencyDashboard"
+    ":disableDependencyDashboard",
+    "gitlab>gitlab-com/gl-infra/common-ci-tasks:renovate-truncated-versions"
   ],
   "prHourlyLimit": 0,
   "prConcurrentLimit": 0,

renovate-no-truncated-versions.json

+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "description": "++++++++++ SEE https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/renovate-bot.md#truncated-versions FOR DETAILS ON THIS PRESET ++++++++++",
+  "packageRules": [
+    {
+      "matchPackageNames": [
+        "gitlab-com/gl-infra/pmv",
+        "gitlab-com/gl-infra/common-ci-tasks",
+        "mvdan/sh",
+        "koalaman/shellcheck",
+        "golangci/golangci-lint",
+        "goreleaser/goreleaser",
+        "gitlab.com/gitlab-com/gl-infra/jsonnet-tool"
+      ],
+      "extractVersion": "^v?(?<version>\\d+\\.\\d+\\.d+)"
+    },
+    {
+      "matchPackageNames": [
+        "gitlab-com/gl-infra/common-ci-tasks"
+      ],
+      "matchManagers": ["gitlabci", "gitlabci-include", "pre-commit"],
+      "extractVersion": "^v?(?<version>\\d+\\.\\d+\\.d+)"
+    }
+  ]
+}

renovate-truncated-versions.json

@@ -13,6 +13,13 @@
         "gitlab.com/gitlab-com/gl-infra/jsonnet-tool"
       ],
       "extractVersion": "^v?(?<version>\\d+\\.\\d+)"
+    },
+    {
+      "matchPackageNames": [
+        "gitlab-com/gl-infra/common-ci-tasks"
+      ],
+      "matchManagers": ["gitlabci", "gitlabci-include", "pre-commit"],
+      "extractVersion": "^(?<version>v?\\d+\\.\\d+)"
     }
   ]
 }

renovate.json

@@ -16,6 +16,16 @@
       ],
       "depNameTemplate": "gitlab-com/gl-infra/common-ci-tasks",
       "datasourceTemplate": "gitlab-tags"
+    },
+    {
+      "fileMatch": [
+        "^autolabels\\.yml$"
+      ],
+      "matchStrings": [
+        "default: \"(?<currentValue>v[0-9.]+)\" +# renovate:managed"
+      ],
+      "datasourceTemplate": "docker",
+      "depNameTemplate": "registry.gitlab.com/gitlab-com/gl-infra/autolabels"
     }
   ],
   "packageRules": [

scripts/post-renovate-upgrade.sh

@@ -43,7 +43,7 @@ main() {
     "${script_dir}/renovate-upgrade-scripts/shfmt.sh"
   fi
-  if [[ $dep_name == "golangci/golangci-lint" ]]; then
+  if [[ $dep_name == "golangci/golangci-lint" ]] && [[ $package_file == '.tool-versions' ]]; then
     echo "Running ${script_dir}/renovate-upgrade-scripts/golangci-lint.sh..."
     "${script_dir}/renovate-upgrade-scripts/golangci-lint.sh"

scripts/prepare-release.sh

@@ -21,7 +21,7 @@ inline_sed() {
 for i in *.md templates/*.md *.yml templates/*.yml docs/*.md; do
   inline_sed -E 's/(re[fv]): v[[:digit:]]+\.[[:digit:]]+(\.[[:digit:]]+)? +# *renovate:managed/\1: v'"$next_version"'  # renovate:managed/' "$i"
-  inline_sed -E 's#registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/([[:alpha:]]+):v[[:digit:]]+\.[[:digit:]]+(\.[[:digit:]]+)?#registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/\1:v'"$next_version"'#' "$i"
+  inline_sed -E 's#(registry\.gitlab\.com|\$\{?CI_REGISTRY\}?)/gitlab-com/gl-infra/common-ci-tasks/([[:alpha:]]+):v[[:digit:]]+\.[[:digit:]]+(\.[[:digit:]]+)?#\1/gitlab-com/gl-infra/common-ci-tasks/\2:v'"$next_version"'#' "$i"
 done
 # Update pre-commit config

semantic-release.md

@@ -79,7 +79,7 @@ Done :tada:
       # Analyze commits to determine whether to cut a release
       # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/semantic-release.md
       - project: 'gitlab-com/gl-infra/common-ci-tasks'
-        ref: v2.51.0  # renovate:managed
+        ref: v2.61.0  # renovate:managed
         file: semantic-release.yml
         #inputs:
         #  stage: release
@@ -148,7 +148,7 @@ include:
   # Analyze commits to determine whether to cut a release
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/semantic-release.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: 'semantic-release.yml'
     inputs:
       vault: access_tokens/${VAULT_SECRETS_PATH}/semantic-release/token@ci

semantic-release.yml

@@ -16,7 +16,7 @@ spec:
 .semantic_release_base:
   stage: $[[ inputs.stage ]]
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/semantic-release:latest
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/semantic-release:latest
     entrypoint: [""]
   variables:
     GITLAB_URL: $CI_SERVER_URL
@@ -80,7 +80,7 @@ semantic_release_check:
   stage: $[[ inputs.validate_stage ]]
   needs: []
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/semantic-release:latest
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/semantic-release:latest
     entrypoint: [""]
   variables:
     GITLAB_URL: $CI_SERVER_URL
@@ -98,6 +98,28 @@ semantic_release_check:
       changes:
         - .releaserc.json
+semantic_release_dry_run:
+  stage: $[[ inputs.validate_stage ]]
+  needs: []
+  image:
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/semantic-release:latest
+    entrypoint: [""]
+  variables:
+    GITLAB_URL: $CI_SERVER_URL
+  script:
+    - semantic-release --dry-run --branches $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
+  after_script: |
+    cat <<-EOD
+    ----------------------------------------------------------
+    Need help? Documentation on the semantic_release CI job can be found at:
+    https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/semantic-release.md
+    EOD
+  rules:
+    # Don't run when the pipeline was triggered by a schedule
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      changes:
+        - .releaserc.json
+
 include:
   - local: 'internal/semantic-release/vault.yml'
     rules:

shellcheck.md

@@ -26,6 +26,6 @@ include:
   # standard canonical format
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/shellcheck.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: shellcheck.yml
 ```

shellcheck.yml

@@ -7,7 +7,7 @@ spec:
 shellcheck:
   stage: $[[ inputs.stage ]]
   needs: []
-  image: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/shellcheck:${GL_ASDF_SHELLCHECK_VERSION}
+  image: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/shellcheck:${GL_ASDF_SHELLCHECK_VERSION}
   script:
     - shfmt --find . |
       xargs -I {} echo "./{}" |

shfmt.md

@@ -22,6 +22,6 @@ include:
   # Ensure that all shell-scripts are formatted according to a
   # standard canonical format
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: shfmt.yml
 ```

shfmt.yml

@@ -8,7 +8,7 @@ shfmt:
   stage: $[[ inputs.stage ]]
   needs: []
   image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/shfmt:${GL_ASDF_SHFMT_VERSION}
+    name: ${CI_REGISTRY}/gitlab-com/gl-infra/common-ci-tasks-images/shfmt:${GL_ASDF_SHFMT_VERSION}
     entrypoint: [""]
   script:
     # Find all *.sh files, and any executable script files

templates/chef.yml

@@ -43,6 +43,8 @@ variables:
   BUNDLE_PATH: "$CI_PROJECT_DIR/.bundle"
   RUBYOPT: "-W0" # Disable ruby warnings.
   EXTRA_PRODUCTS_FILE: cinc-products.rb
+  COOKBOOK_PUBLISHER_BRANCH: "master"
+  COOKBOOK_PUBLISHER_SKIP_VERSION_CHECK: "false"
 before_script:
   - eval $(ssh-agent -s)
@@ -53,7 +55,8 @@ before_script:
   - bundle config set clean 'true'
   - bundle config set path $BUNDLE_PATH
   - bundle config build.ffi-yajl --withh-ldflags="-Wl,-undefined,dynamic_lookup"
-  - bundle install --jobs "$(nproc)"
+  # Skip the initial bundle when publishing. We bundle using cookbook-publisher's lockfile later.
+  - if [[ "$CI_JOB_NAME" != "push-cookbook" ]]; then bundle install --jobs "$(nproc)" ; fi
 kitchen-suites-updated?:
   stage: $[[ inputs.lint_stage ]]
@@ -113,6 +116,7 @@ kitchen:
 push-cookbook:
   stage: $[[ inputs.publish_stage ]]
+  image: ruby:2.7
   only:
     refs:
       - master
@@ -122,8 +126,7 @@ push-cookbook:
       - "$OPS_CLONE_PASSWORD"
   script:
     - rm -rf Gemfile Gemfile.lock || true
-    - git clone https://$OPS_CLONE_USERNAME:$OPS_CLONE_PASSWORD@ops.gitlab.net/gitlab-cookbooks/cookbook-publisher.git /tmp/cookbook-publisher
+    - git clone -b "$COOKBOOK_PUBLISHER_BRANCH" https://$OPS_CLONE_USERNAME:$OPS_CLONE_PASSWORD@ops.gitlab.net/gitlab-cookbooks/cookbook-publisher.git /tmp/cookbook-publisher
     - cp /tmp/cookbook-publisher/publisher.rb /tmp/cookbook-publisher/Gemfile /tmp/cookbook-publisher/Gemfile.lock .
-    - if [[ "$(ruby -v | awk '{print $2}')" =~ ^2 ]]; then echo "Using cookbook-publisher lockfile" ; else rm Gemfile.lock ; fi
     - bundle install
     - bundle exec ruby publisher.rb

templates/golang.md

@@ -26,7 +26,7 @@ include:
   # Runs golang standard tests, including tests, goreleaser, golangci-lint and go-mod-tidy
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/golang.md
   - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/golang.yml
 ```
@@ -42,7 +42,7 @@ include:
   # common to all projects using this template library.
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/standard.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/golang.yml
     inputs:
       validate_stage: test  # stage that validation jobs should run in

templates/standard.md

@@ -5,6 +5,7 @@ This template should be included in all Infrastructure projects. It includes sta
 Includes the following tasks:
 1. [`asdf-tool-versions.yml`](../asdf-tool-versions.md): ensures that `.tool-versions` file is synced with .gitlab-ci-asdf-versions.yml, that all the plugins are declared in `./scripts/install-asdf-plugins.sh` and that ASDF is generally working.
+1. [`autolabels.yml`](../autolabels.md): adds [Work Type Classification](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification) labels to merge requests.
 1. [`editorconfig-check.yml`](../editorconfig-check.md): ensures that the repository adheres to the [EditorConfig](https://editorconfig.org/) rules for the project.
 1. [`gitlab-scanners.yml`](../gitlab-scanners.md): adds various GitLab SAST, Dependency Scanner, Secret Detection, Licence Scanning, Container Scanning and IAC Scanner tools.
 1. [`gitlint.yml`](../gitlint.md): ensures that commit messages adhere to the standards for the project.
@@ -28,7 +29,7 @@ include:
   # common to all projects using this template library.
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/standard.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/standard.yml
 ```
@@ -44,7 +45,7 @@ include:
   # common to all projects using this template library.
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/standard.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/standard.yml
     inputs:
       validate_stage: test  # stage that validation jobs should run in

templates/standard.yml

@@ -18,6 +18,12 @@ include:
     inputs:
       stage: $[[ inputs.validate_stage ]]
+  - local: autolabels.yml
+    inputs:
+      stage: $[[ inputs.validate_stage ]]
+    rules:
+      - if: $AUTOLABELS_ENABLED == null || $AUTOLABELS_ENABLED != "false"
+
   - local: editorconfig-check.yml
     inputs:
       stage: $[[ inputs.validate_stage ]]

templates/terraform.md

@@ -28,7 +28,7 @@ include:
   # Runs Terraform validations, including tflint, terraform validate and terraform formatting checks
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/terraform.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/terraform.yml
 ```
@@ -44,7 +44,7 @@ include:
   # common to all projects using this template library.
   # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/templates/standard.md
   - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.51.0  # renovate:managed
+    ref: v2.61.0  # renovate:managed
     file: templates/terraform.yml
     inputs:
       validate_stage: test  # stage that validation jobs should run in