Merge branch 'fforster/autolabels' into 'main'

feat(autolabels): Add the "autolabels" job. See merge request gitlab-com/gl-infra/common-ci-tasks!890

Merge branch 'fforster/autolabels' into 'main'
916387e4 · Bob Van Landuyt :neckbeard: · 3da5ae09 · 2c661dab · 916387e4 · 916387e4
Commit 916387e4 authored 1 month ago by Bob Van Landuyt :neckbeard:
--- a/autolabels.md
+++ b/autolabels.md
+# [`autolabels`](./autolabels.yml)
+
+The **autolabels** job adds [Work Type Classification](https://handbook.gitlab.com/handbook/product/groups/product-analysis/engineering/metrics/#work-type-classification) labels to GitLab merge requests.
+See https://gitlab.com/gitlab-com/gl-infra/autolabels for more details on what *autolabels* does.
+
+## Setup
+
+* Using [infra-mgmt](https://gitlab.com/gitlab-com/gl-infra/infra-mgmt) **(Recommended)**
+
+  Setting `common_ci_tasks.enabled = true` will enable *autolabels* by default.
+* Manual setup
+  * Create a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) (PrAT) with the `api` and `read_repository` scopes and the `Developer` role.
+
+  * Store the PrAT in Vault under the `ci/access_tokens/${VAULT_SECRETS_PATH}/autolabels` path.
+  Please note that merge requests need access to this token.
+  This is usually achieved by adding the Vault path to the read-only policy.
+  * **Alternative:** Create a CI variable called `AUTOLABELS_TOKEN` containing the PrAT.
+  Please note that merge requests need access to this token.
+  This typically means that you must omit the `Protected` flag, since merge request branches are typically not protected.
+  The token has the `Developer` role, which is also the role required to create merge requests, meaning developers cannot escalate their privileges by extracting the token.
+* Import `autolabels.yml` into your project:
+
+  ```yaml
+  include:
+    - project: "gitlab-com/gl-infra/common-ci-tasks"
+      ref: v2.54.0  # renovate:managed
+      file: "autolabels.yml"
+  ```
--- a/autolabels.yml
+++ b/autolabels.yml
+spec:
+  inputs:
+    stage:
+      default: "build"
+    version:
+      default: "v1.3.0"  # renovate:managed
+    vault:
+      default: ""
+---
+# Include exactly one of the following files:
+include:
+  # Option 1: Vault with explicit path from the "vault" input
+  - local: 'internal/autolabels/vault.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" != ""'
+    inputs:
+      vault: "$[[ inputs.vault | expand_vars ]]"
+  # Option 2: Variable using AUTOLABELS_TOKEN (compatibility behavior)
+  - local: 'internal/autolabels/variable.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $AUTOLABELS_TOKEN != null'
+  # Option 3 (default): Vault using a well-known default path
+  - local: 'internal/autolabels/vault.yml'
+    rules:
+      - if: '"$[[ inputs.vault | expand_vars ]]" == "" && $AUTOLABELS_TOKEN == null'
+    inputs:
+      vault: "access_tokens/${VAULT_SECRETS_PATH}/autolabels/token@ci"
+
+  # Include the "autolabels 🏷️" job from the autolabels repository.
+  - project: 'gitlab-com/gl-infra/autolabels'
+    ref: $[[ inputs.version ]]
+    file: 'ci-tasks/autolabels.yml'
+    inputs:
+      version: $[[ inputs.version ]]
+      stage: $[[ inputs.stage ]]
+
+# Amend the "extends" field to the "autolabels 🏷️" job.
+autolabels 🏷️:
+  extends: .autolabels_auth  # Vault or CI variable, from internal/autolabels/{vault,variable}.yml
--- a/internal/autolabels/variable.yml
+++ b/internal/autolabels/variable.yml
+# DO NOT INCLUDE DIRECTLY!
+---
+.autolabels_auth:
+  variables:
+    AUTOLABELS_AUTH_SOURCE: "CI/CD Variables"
--- a/internal/autolabels/vault.yml
+++ b/internal/autolabels/vault.yml
+# DO NOT INCLUDE DIRECTLY!
+spec:
+  inputs:
+    vault:
+---
+.autolabels_auth:
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://vault.gitlab.net
+  variables:
+    AUTOLABELS_AUTH_SOURCE: "Vault"
+  secrets:
+    AUTOLABELS_TOKEN:
+      file: false
+      vault: $[[ inputs.vault ]]
+      token: $VAULT_ID_TOKEN
--- a/renovate.json
+++ b/renovate.json
@@ -16,6 +16,16 @@
      ],
      "depNameTemplate": "gitlab-com/gl-infra/common-ci-tasks",
      "datasourceTemplate": "gitlab-tags"
+    },
+    {
+      "fileMatch": [
+        "^autolabels\\.yml$"
+      ],
+      "matchStrings": [
+        "default: \"(?<currentValue>v[0-9.]+)\" +# renovate:managed"
+      ],
+      "datasourceTemplate": "docker",
+      "depNameTemplate": "registry.gitlab.com/gitlab-com/gl-infra/autolabels"
    }
  ],
  "packageRules": [