fix: easier debugging of common-ci-tasks

Including secret configuration source.

fix: easier debugging of common-ci-tasks
6f9cf7ec · Andrew Newdigate · 51aaeef4 · 6f9cf7ec · 6f9cf7ec · 6f9cf7ec
Unverified Commit 6f9cf7ec authored 5 months ago by Andrew Newdigate
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -71,16 +71,16 @@ goreleaser_validate:
 .goreleaser_base:
  extends:
    - .goreleaser_common
-  image: $[[ inputs.docker_hub_host ]]/docker:stable
+  image: $[[ inputs.docker_hub_host ]]/docker:25
  services:
-    - name: $[[ inputs.docker_hub_host ]]/docker:${DOCKER_VERSION}-dind
+    - name: $[[ inputs.docker_hub_host ]]/docker:25-dind
      alias: docker
  variables:
-    DOCKER_VERSION: "24.0.6" # Pinning due to https://github.com/docker-library/docker/issues/467
    DOCKER_REGISTRY: $CI_REGISTRY
    DOCKER_USERNAME: $CI_REGISTRY_USER
    DOCKER_PASSWORD: $CI_REGISTRY_PASSWORD
    GIT_DEPTH: 0
+    SHARED_PATH: /builds/shared/$CI_PROJECT_PATH
  
  # See https://goreleaser.com/ci/gitlab/ for documentation
  script: |
@@ -88,18 +88,9 @@ goreleaser_validate:
    echo "Cache size at start:"
    du -h -d0 "${GOMODCACHE}"
  
-    mkdir -p /builds/shared
-    cat > /builds/shared/docker-creds.json <<-EOF
-    {
-      "registries": [
-        {
-          "user": "$CI_REGISTRY_USER",
-          "pass": "$CI_REGISTRY_PASSWORD",
-          "registry": "$CI_REGISTRY"
-        }
-      ]
-    }
-    EOF
+    echo "Note: Goreleaser variables configured via $GORELEASER_AUTH_SOURCE"
+
+    echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin
  
    cat <<-EOD
    ----------------------------------------------------------
@@ -108,26 +99,61 @@ goreleaser_validate:
  
    set -x
  
+    mkdir -p $SHARED_PATH
+    cp /root/.docker/config.json $SHARED_PATH/
+
+    docker run --rm --privileged \
+      -v $PWD:$PWD \
+      -w $PWD \
+      -v /var/run/docker.sock:/var/run/docker.sock \
+      -v $SHARED_PATH/config.json:/root/.docker/config.json \
+      -e DOCKER_USERNAME -e DOCKER_PASSWORD -e DOCKER_REGISTRY  \
+      -e GITLAB_TOKEN \
+      -e CI_REGISTRY \
+      -e CI_REGISTRY_IMAGE \
+      -e CI_JOB_TOKEN \
+      -e CI_SERVER_URL \
+      -e CI_PROJECT_NAME \
+      -e CI_PROJECT_NAMESPACE \
+      -e FIPS_MODE \
+      -e GOMODCACHE \
+      -e DOCKER_CONFIG=/root/.docker/ \
+      -e DOCKER_CREDS_FILE=/root/.docker/config.json \
+      -e REGISTRY_AUTH_FILE=/root/.docker/config.json \
+      -e GOLANG_VERSION=${GL_ASDF_GOLANG_VERSION} \
+      -e GOTOOLCHAIN=go${GL_ASDF_GOLANG_VERSION} \
+      -e COSIGN_YES \
+      -e SIGSTORE_ID_TOKEN \
+      ${GORELEASER_DOCKER_EXTRA_ARGS:-} \
+      --entrypoint /bin/sh \
+      ${GL_COMMON_CI_TASKS_GORELEASER_IMAGE} \
+      -c 'ls -al /root/.docker/config.json; cat /root/.docker/config.json'
+
    docker run --rm --privileged \
      -v $PWD:$PWD \
      -w $PWD \
      -v /var/run/docker.sock:/var/run/docker.sock \
-      -v /builds/shared/docker-creds.json:/docker-creds.json \
+      -v $SHARED_PATH/config.json:/root/.docker/config.json \
      -e DOCKER_USERNAME -e DOCKER_PASSWORD -e DOCKER_REGISTRY  \
-      -e GITLAB_TOKEN -e CI_REGISTRY_IMAGE \
+      -e GITLAB_TOKEN \
+      -e CI_REGISTRY \
+      -e CI_REGISTRY_IMAGE \
+      -e CI_JOB_TOKEN \
      -e CI_SERVER_URL \
      -e CI_PROJECT_NAME \
      -e CI_PROJECT_NAMESPACE \
      -e FIPS_MODE \
      -e GOMODCACHE \
-      -e DOCKER_CREDS_FILE=/docker-creds.json \
+      -e DOCKER_CONFIG=/root/.docker/ \
+      -e DOCKER_CREDS_FILE=/root/.docker/config.json \
+      -e REGISTRY_AUTH_FILE=/root/.docker/config.json \
      -e GOLANG_VERSION=${GL_ASDF_GOLANG_VERSION} \
      -e GOTOOLCHAIN=go${GL_ASDF_GOLANG_VERSION} \
      -e COSIGN_YES \
      -e SIGSTORE_ID_TOKEN \
      ${GORELEASER_DOCKER_EXTRA_ARGS:-} \
      ${GL_COMMON_CI_TASKS_GORELEASER_IMAGE} \
-      $GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS \
+      ${GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS} \
      ${GORELEASER_EXTRA_ARGS:-}
  
    set +x

--- a/internal/goreleaser/variable.yml
+++ b/internal/goreleaser/variable.yml
 # DO NOT INCLUDE DIRECTLY!
 ---
 .goreleaser_auth_config:
-  # We can't specify an empty job, so
-  # repeat something that is invariant
-  needs: []
+  variables:
+    GORELEASER_AUTH_SOURCE: "CI/CD Variables"
--- a/internal/goreleaser/vault.yml
+++ b/internal/goreleaser/vault.yml
@@ -9,3 +9,5 @@
      file: false
      vault: "access_tokens/${VAULT_SECRETS_PATH}/goreleaser/token@ci"
      token: $VAULT_ID_TOKEN
+  variables:
+    GORELEASER_AUTH_SOURCE: "Vault"
--- a/internal/renovate-bot/variable.yml
+++ b/internal/renovate-bot/variable.yml
 # DO NOT INCLUDE DIRECTLY!
 ---
 .renovate_bot_auth_config:
-  # We can't specify an empty job, so
-  # repeat something that is invariant
-  needs: []
+  variables:
+    RENOVATE_BOT_AUTH_SOURCE: "CI/CD Variables"
--- a/internal/renovate-bot/vault.yml
+++ b/internal/renovate-bot/vault.yml
@@ -6,6 +6,7 @@
      aud: https://vault.gitlab.net
  variables:
    VAULT_RENOVATE_GITLAB_TOKEN_PATH: access_tokens/${VAULT_SECRETS_PATH}/renovate-bot
+    RENOVATE_BOT_AUTH_SOURCE: "Vault"
  secrets:
    RENOVATE_GITLAB_TOKEN:
      file: false

--- a/internal/semantic-release/variable.yml
+++ b/internal/semantic-release/variable.yml
@@ -5,3 +5,5 @@
 ---
 semantic_release:
  extends: .semantic_release_base
+  variables:
+    SEMANTIC_RELEASE_AUTH_SOURCE: "CI/CD Variables"
--- a/internal/semantic-release/vault.yml
+++ b/internal/semantic-release/vault.yml
@@ -15,3 +15,5 @@ semantic_release:
      file: false
      vault: $[[ inputs.vault ]]
      token: $VAULT_ID_TOKEN
+  variables:
+    SEMANTIC_RELEASE_AUTH_SOURCE: "Vault"
--- a/renovate-bot.yml
+++ b/renovate-bot.yml
@@ -86,6 +86,7 @@ renovate_bot:
  variables:
    GIT_STRATEGY: none # renovate will run it's own clone
  script:
+    - 'echo "Note: RENOVATE_GITLAB_TOKEN secret configured via $RENOVATE_BOT_AUTH_SOURCE"'
    - npx renovate --token "${RENOVATE_GITLAB_TOKEN}"
      --platform gitlab
      --cache-dir "${CI_PROJECT_DIR}/renovate-cache"
@@ -118,6 +119,8 @@ renovate_bot_immediate:
    - .base_renovate_bot
    - .renovate_bot_auth_config  # Configure vault or variables, from internal/renovate-bot/*
  script:
+    - 'echo "Note: RENOVATE_GITLAB_TOKEN secret configured via $RENOVATE_BOT_AUTH_SOURCE"'
+
    # Note: renovate immmediate doesn't use a cache to avoid stale updates
    - npx renovate --token "${RENOVATE_GITLAB_TOKEN}"
      --platform gitlab

--- a/semantic-release.yml
+++ b/semantic-release.yml
@@ -22,6 +22,8 @@ spec:
    GITLAB_URL: $CI_SERVER_URL
  before_script:
    - |
+      echo "Note: GitLab token secret configured via $SEMANTIC_RELEASE_AUTH_SOURCE"
+
      if [[ -z "${SEMANTIC_RELEASE_GITLAB_TOKEN}" && -n "${GITLAB_TOKEN}" ]]; then
        printf '\e[31;1m%s\e[0m\n' 'WARNING: GITLAB_TOKEN is deprecated -- use SEMANTIC_RELEASE_GITLAB_TOKEN instead'
      fi