Commit a6d20ce3 authored by Tan Le, committed by Maina Ng'ang'a

feat(renovate): allow to disable renovate job

chore(release): 2.36.0

* **renovate:** allow to disable renovate job ([fec5c0b8](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/fec5c0b89f2059884e11f739cec7f35e28f4466c))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.35.2

fix: use custom goreleaser-cross image

Fixes failing tenctl release, allows more up-to-date Go versions to be
used.

chore(release): 2.36.1

* use custom goreleaser-cross image ([3fe6d82f](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3fe6d82f7eaf274ae68121146b8ef483429d5dda))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.35.2 ([eece629c](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/eece629cd63d07d166d7713ebd4da41ebac6a16c))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.36.0

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.36.1

feat: allow mock release with goreleaser

chore(release): 2.37.0

* allow mock release with goreleaser ([6b905ed5](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/6b905ed546fa0a3c89a8bda5e78af44d05181cd0))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.36.0 ([a0f8b6fd](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/a0f8b6fda3eb734e6616ace1d4767df352f5e3ac))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.36.1 ([3592320f](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3592320f3e224711af570bd858406295374a684a))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.37.0

chore(deps): update dependency zricethezav/gitleaks to v8.19.1

feat: use golang-fips for compiling FIPS goreleaser modules

chore(release): 2.38.0

* use golang-fips for compiling FIPS goreleaser modules ([4b015195](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/4b0151954412463e8b468336b6614cdcd4361322))

* **deps:** update dependency zricethezav/gitleaks to v8.19.1 ([5682ac26](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/5682ac26c894fd355fba58919a18a3e07a77438f))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.37.0 ([154cc13b](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/154cc13bdc70e085ae5a7b8b1f8f99b11ef53840))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.38.0

chore: use truncated versions for Goreleaser

Now that we manage our own goreleaser container images, it's more
straightforward to publish truncated version tags.

This will further reduce the number of Renovate MRs.

feat: allow Goreleaser to run on default branch

chore(release): 2.39.0

* allow Goreleaser to run on default branch ([8ade73e0](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/8ade73e05cd015e601dc2ef9f6031747ea8f13dc))

* use truncated versions for Goreleaser ([96cc0364](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/96cc0364f2f6fbed875effa341641db60ebb6586))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.38.0 ([0d77c48b](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/0d77c48bd77c53662b8c08e77ca050597d3b5f78))

fix: typo in goreleaser rules

Fixes a typo in the rules for running goreleaser

chore(release): 2.39.1

* typo in goreleaser rules ([cea03a13](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/cea03a1388022d53399bd59fbd30809e442d16e4))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.39.0

feat: add support for ChainGuard registry access

chore(release): 2.40.0

* add support for ChainGuard registry access ([d2c15aa0](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/d2c15aa042807f03ce87aee2946050e585081087))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.39.0 ([8616dfb6](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/8616dfb6624054d3e3276a4a238fefbc9af1b402))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.39.1

chore(deps): update ghcr.io/containerbase/base docker tag to v11.11.17

fix: revert release_on_main_branch

Turns out this isn't as helpful as I'd hoped. Removing as it's low
value.

chore(release): 2.40.1

* revert release_on_main_branch ([ab417a3b](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/ab417a3be92f6ff9c3775c1b2dd085c2d923f2f7))

* **deps:** update ghcr.io/containerbase/base docker tag to v11.11.17 ([3f4b1109](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3f4b1109c8fdcfeef198b3f7860b785f3c4a6ca2))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.39.1 ([ebd0375a](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/ebd0375a32ef13eb1112de3edb990ad379e15c0a))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.1

fix: easier debugging of common-ci-tasks

Including secret configuration source.

chore(release): 2.40.2

* easier debugging of common-ci-tasks ([485161a7](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/485161a7adc32de5cf8635a1962b66c3177f8226))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.1 ([3fbe6a93](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3fbe6a935ab66397b975aad022ce5244eb252509))

chore(deps): update dependency python/cpython to v3.12.6

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.2

fix(goreleaser): remove expose_as from Gorelease artifacts

This configuration is causing some pipelines to fail, eg

https://gitlab.com/gitlab-com/gl-infra/terra-transformer/-/pipelines/1458330067

The error message is:

```
This GitLab CI configuration is invalid:
jobs:goreleaser_build:artifacts paths can't contain '*'
when used with 'expose_as'.
```

Additionally, it is not needed, nor used.

chore(release): 2.40.3

* **goreleaser:** remove expose_as from Gorelease artifacts ([a2ecb5ba](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/a2ecb5ba3c215c501849186ecd3292adc9c9ab47))

* **deps:** update dependency python/cpython to v3.12.6 ([1eaca1cd](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/1eaca1cd88d113eac5fc1855b30b8826d583d6eb))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.2 ([aecea365](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/aecea3653f3b481dd694a18763687deb244fb49a))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.3

chore(deps): update dependency zricethezav/gitleaks to v8.19.2

chore(deps): update dependency zricethezav/gitleaks to v8.19.3

fix: Update docs to mention vault secrets for renovate only available on default branch

chore(release): 2.40.4

* Update docs to mention vault secrets for renovate only available on default branch ([5cedbaff](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/5cedbaff883611a9130f34d08c6072382cc0735d))

* **deps:** update dependency zricethezav/gitleaks to v8.19.2 ([0dc64754](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/0dc64754384795340b4021861189615adbdab00b))
* **deps:** update dependency zricethezav/gitleaks to v8.19.3 ([af916c01](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/af916c0102c36a6227e5380d16f58f8590afa9d8))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.3 ([fd7374ca](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/fd7374ca4128c271c608c1312694a88efe3d701e))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.4

chore(deps): update ghcr.io/containerbase/base docker tag to v11.11.29

chore(deps): update dependency git/git to v2.46.2

chore(deps): update golang-patch to v1.23.2

chore(deps): update dependency nodejs/node to v20.18.0

chore(deps): update ghcr.io/containerbase/base docker tag to v12

chore(deps): update dependency pre-commit to v4

chore(deps): update pre-commit hook pre-commit/pre-commit-hooks to v5

fix: pass CI_PROJECT_DIR to Goreleaser

Adds the GitLab CI Predefined Variable, `CI_PROJECT_DIR`.

chore(release): 2.40.5

* pass CI_PROJECT_DIR to Goreleaser ([f71694a4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/f71694a4061a6cd544dd0a1b83dde4219bf98fb3))

* **deps:** update dependency git/git to v2.46.2 ([486a2bc6](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/486a2bc60c3aba38e5d68a2eabc125520b862f35))
* **deps:** update dependency nodejs/node to v20.18.0 ([1cbdf5bd](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/1cbdf5bd697f60e72cd4a5e4135079b78ade5199))
* **deps:** update dependency pre-commit to v4 ([cd112e66](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/cd112e669acf4889d7c37ab3c3c3449a00effea8))
* **deps:** update ghcr.io/containerbase/base docker tag to v11.11.29 ([102336e4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/102336e47039c1699a912d5d1a6eb78fec4cbc84))
* **deps:** update ghcr.io/containerbase/base docker tag to v12 ([37018ca8](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/37018ca8416ef14ae9dba560286fe3b29d5063ca))
* **deps:** update golang-patch to v1.23.2 ([8e583483](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/8e583483ffda11cf8b511b199a61ae8a5c68e6fd))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.4 ([958d4bab](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/958d4bab92b49a6f73968b82b79951ccf206c0d0))
* **deps:** update pre-commit hook pre-commit/pre-commit-hooks to v5 ([dee71140](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/dee71140594721b48b5f22b4ebcf14479fafdb32))

chore(deps): update dependency zricethezav/gitleaks to v8.20.1

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.5

chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.15.8

chore(deps): update dependency python/cpython to v3.12.7

fix: add gettext to mise container and don't delete apt-get database

Currently mise containers are unable to use `apt` packages as the
database gets deleted. This fixes that problem.

It also uses `gettext` as `envsubst` can be a useful utility.

chore(release): 2.40.6

* add gettext to mise container and don't delete apt-get database ([7053f7b5](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/7053f7b53c5138be9ee0ffb4fec1c144b0dc3920))

* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.15.8 ([4a04f124](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/4a04f12407a1ea1bf11e19fbd2917a7f42e18e32))
* **deps:** update dependency python/cpython to v3.12.7 ([0b618aa4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/0b618aa4ef65f5491843f2c3f956fc2b7fe23edb))
* **deps:** update dependency zricethezav/gitleaks to v8.20.1 ([6d0896d7](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/6d0896d73f29bcaaf7e2bc06c94367a760ef90ed))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.5 ([39c3ba3d](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/39c3ba3d1eb5236b3f359a5b7df8728d9152cb56))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.6

feat: Add template for Chef tasks

chore(release): 2.41.0

* Add template for Chef tasks ([31fe310d](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/31fe310d658be26e8fd15c67c4ca63b6d679b2b8))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.40.6 ([0a35c08d](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/0a35c08d421a98f34b457aed7d2aee08ad072412))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.0

chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.15.10

chore(deps): update dependency pre-commit to v4.0.1

fix: add kaniko deprecation notices

Adds deprecation notices for Kaniko, since we're now a `docker buildx`
shop.

chore(release): 2.41.1

* add kaniko deprecation notices ([43de0c40](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/43de0c402b18c5a369533efa5572ff2f1bac920e))

* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.15.10 ([5e63a2a4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/5e63a2a40c6d296737ef8bf45d19e6d32b973f1b))
* **deps:** update dependency pre-commit to v4.0.1 ([31b5488b](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/31b5488b7c2f65a6e4f1597d13bd47239a0c2ac8))
* **deps:** update dependency pre-commit/pre-commit to v4.0.1 ([c5dd0b80](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/c5dd0b80272bbbadd9d41b3ee5fb0a4e870ad680))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.0 ([f517fd47](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/f517fd476ef00c7c1af0b4224d23e5d1e0c3107f))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.1

chore(deps): update dependency https://gitlab.com/gitlab-com/gl-infra/common-template-copier.git to v1.23.0

chore(deps): update dependency zricethezav/gitleaks to v8.21.1

chore(deps): update dependency mvdan/sh to v3.10.0

chore(deps): update dependency git/git to v2.47.0

chore(deps): update ghcr.io/containerbase/base docker tag to v12.0.10

fix: fix docker caching

Docker image caching doesn't appear to be working at present.

This change should fix the problems in downstream builds wrt caching.

chore(release): 2.41.2

* fix docker caching ([7946fdd0](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/7946fdd0ac59bc5a44ef287dff7b4998875bae14))

* **deps:** update dependency git/git to v2.47.0 ([a6ffded4](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/a6ffded46db86363acc1484ba274cccb7cda94ff))
* **deps:** update dependency https://gitlab.com/gitlab-com/gl-infra/common-template-copier.git to v1.23.0 ([26188cc3](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/26188cc316f9bcd1f892b6a6f7eddd8b35b53019))
* **deps:** update dependency mvdan/sh to v3.10.0 ([370ad662](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/370ad6623ea0d27e2c6528c34086faba1aef42db))
* **deps:** update dependency zricethezav/gitleaks to v8.21.1 ([b6fa7128](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/b6fa7128c2ca83a8eb3d1b3fef062f6a683c3103))
* **deps:** update ghcr.io/containerbase/base docker tag to v12.0.10 ([98922fed](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/98922fedc0dfe80432189cbd0217dc72e5a5cbb1))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.1 ([d1b7d8fe](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/d1b7d8fe68a7bfbd17015e0aa61d362e22ee72f8))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.2

fix: terraform fmt pre-commit hook

Currently it's not writing the change. This fixes that problem.

chore(release): 2.41.3

* terraform fmt pre-commit hook ([185fcb80](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/185fcb802096d706ab64402845bb96db1f7f46d5))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.2 ([7c89d4e9](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/7c89d4e9551b737c8371b3eca8886fca0c2cf38f))

docs: add cosign to developer setup

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.3

feat: support vendir in common-ci-tasks

chore(release): 2.42.0

* support vendir in common-ci-tasks ([1c6bfa09](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/1c6bfa09dc56b6adfe7ab3f28bb8fcef2be8545e))

* add cosign to developer setup ([330690dc](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/330690dc1caba5257330fb22225b096e0d9506b3))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.41.3 ([649dc05a](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/649dc05aeb1bfd3a7e438382ae54e21f43d85887))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.42.0

fix(renovate): upgrade GitLab configs in .gitlab directory

This configures Renovate to upgrade gitlab-ci YAML files in
`.gitlab/{ci,template}` subdirectories, as the default configuration
only checks the `.gitlab-ci.yml` file.

chore(release): 2.42.1

* **renovate:** upgrade GitLab configs in .gitlab directory ([8f4ae91c](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/8f4ae91c4b6a17ef9df53734e188ffb53a485a1e))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.42.0 ([34ac0b69](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/34ac0b69842a2536b3722cb0e4448013d780c63d))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.42.1

chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.16.0

feat: switch from GitLab caching to Registry caching for docker builds

Looking for performance improvements.

chore(release): 2.43.0

* switch from GitLab caching to Registry caching for docker builds ([9a45fe19](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/9a45fe19a938f288746b382ccdbf665ffcb3cf06))

* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.16.0 ([30824386](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3082438625e63cbf0bbb6ae8dd4fffe7b0633171))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.42.1 ([3eec173a](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/3eec173a5a87b9535e8f039b6154047bb5f37146))

fix: broken Docker tags builds

Also, stops renovate running when Semantic Releaser pushes directly to
main branch, as this has the effect of making it appear that the main
branch is broken, when it's not.

fix: revert to working renovate image

So that we can cut a release, which will then upgrade it again.

chore(release): 2.43.1

* broken Docker tags builds ([fccc5d03](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/fccc5d032f8b6844520082c20bfc6c3ecca0449f))
* revert to working renovate image ([0b9b975b](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/0b9b975b6e723d4e869bcc68bac647fb0364f2b1))

fix: skip renovate-validate on semantic release pushes

We've already made this change for `renovate_bot` jobs: we need to do
the same for `renovate_validate` jobs for the same reason: the image
doesn't exist until after the tag pipeline is run.

chore(release): 2.43.2

* skip renovate-validate on semantic release pushes ([af0b1b23](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/af0b1b23f2a52304a93f15962919e4f0fbc13a7b))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.43.1

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.43.2

feat(docker): turn branch write caching off by default

It turns out that for many docker jobs, writing the branch write cache
takes many times longer than the docker build itself, so make it
optional.

chore(release): 2.44.0

* **docker:** turn branch write caching off by default ([8700ca04](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/8700ca04e76306733fdc73256c99a85b3da6040e))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.43.1 ([13e2a5d5](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/13e2a5d51ecabbae49e1546fd3ec2e8ad726b738))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.43.2 ([c5c56e28](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/c5c56e280247619168e2fac6ed35155e4ed2d898))

fix: remove 'v' prefix from truncated versions in Renovate

chore(release): 2.44.1

* remove 'v' prefix from truncated versions in Renovate ([b30fcf20](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/b30fcf20fab03de4ce755ab5faac8daa04da42e1))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.0

fix: Add SBOM attestation to Docker build

- Added `--attest type=sbom` flag to the `docker buildx build` command in the Dockerfile.
- This flag enables SBOM (Software Bill of Materials) attestation during the Docker build process.
- The SBOM attestation helps to track and manage the dependencies and components used in the Docker
image, ensuring compliance and security.

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.1

chore(release): 2.44.2

* Add SBOM attestation to Docker build ([f509b7cf](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/f509b7cf55f9235a607482417b7cf96a25ad54c7))

* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.0 ([b6be82d5](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/b6be82d5ff1b596b3f853655e9f10a8d1b852e8a))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.1 ([c7d10396](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/c7d103962f21930193c7879fd3a0d8efadbba03d))

chore: Add integration test requirement for Ansible Galaxy major version updates

- Added a new rule in the `renovate-versions-dedicated.json` Renovate preset file to
  require an integration test for Ansible-Galaxy major version updates.
- This rule is triggered when a major version update of an Ansible Galaxy dependency is detected.
- The rule adds a label to the pull request to indicate that an integration test is required.
- For non-major version updates, also includes a note in the pull request body to remind
  developers to perform a review app deployment to ensure that the upgrade works as expected.

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.2

fix(renovate-bot): Change the order of precedence for deciding between Vault and Variable.

Issue: gitlab-com/gl-infra/common-ci-tasks#29

fix(renovate-bot): Continue to support the `VAULT_RENOVATE_GITLAB_TOKEN_PATH` variable.

docs(renovate-bot): Document Renovate's access tokens in detail.

chore(deps): update dependency gitlab-com/gl-infra/common-ci-tasks to v2.44.2

chore(release): 2.44.3

* **renovate-bot:** Change the order of precedence for deciding between Vault and Variable. ([34b075df](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/34b075df43cae1958343fd373195e08c31e3d6c0)), closes [gitlab-com/gl-infra/common-ci-tasks#29](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/issues/)
* **renovate-bot:** Continue to support the `VAULT_RENOVATE_GITLAB_TOKEN_PATH` variable. ([ec188cc5](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/ec188cc5531aebfd31633298cc4b38def4160390))

* **renovate-bot:** Document Renovate's access tokens in detail. ([d945ad90](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/d945ad90684c47e979141a32eab6eae2733f197d))

* Add integration test requirement for Ansible Galaxy major version updates ([d29aed06](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/d29aed0699d2977839f87453c7568000d3318177))

* **deps:** update dependency gitlab-com/gl-infra/common-ci-tasks to v2.44.2 ([137fd48d](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/137fd48d0f13e5e1a58f93031b25ccce06b6b632))
* **deps:** update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.44.2 ([ffac32ad](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/ffac32ad8e2e06ef76028c75b2ea23151a75669e))

chore(deps): update dependency gitlab-com/gl-infra/jsonnet-tool to v1.16.1

feat: Add Terraform Module publisher

chore(release): 2.45.0

* Add Terraform Module publisher ([c085207e](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/c085207e374782d13830d41b6b7ef7832b92efa0))

* **deps:** update dependency gitlab-com/gl-infra/jsonnet-tool to v1.16.1 ([204e9540](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/204e9540d6a3c7b540381df9219e4cd1d37e952f))

fix: fix documentation, broken script

Fix publish script for Terraform Module publish

chore(release): 2.45.1

* fix documentation, broken script ([a944f33e](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/commit/a944f33eae0059cfe13c7ccf70de11d024b29031))

chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.45.0

feat: add job_image and job_allow_failure to input

Adding job_image and job_allow_failure to input will allow the fields to be
configurable if desired.
parent 5b768581
Pipeline #23704530 passed
@@ -3,7 +3,7 @@
# See the project for instructions on how to update the project
#
# Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
_commit: v1.21.0
_commit: v1.23.0
_src_path: https://gitlab.com/gitlab-com/gl-infra/common-template-copier.git
ee_licensed: false
golang: false
@@ -20,4 +20,3 @@ indent_size = unset
[{Makefile,**.mk}]
# Use tabs for indentation (Makefiles require tabs)
indent_style = tab
# DO NOT MANUALLY EDIT; Run ./scripts/update-asdf-version-variables.sh to update this
variables:
GL_ASDF_PRE_COMMIT_VERSION: 3.8.0
GL_ASDF_PRE_COMMIT_VERSION: 4.0.1
GL_ASDF_SHELLCHECK_VERSION: 0.10.0
GL_ASDF_SHFMT_VERSION: 3.9.0
GL_ASDF_SHFMT_VERSION: 3.10.0
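Review bot: GL_ASDF_PRE_COMMIT_VERSION moves from 3.8.0 to 4.0.1, a major version bump of the tool that drives every hook in this repository, and the header says this file must not be edited by hand but regenerated with ./scripts/update-asdf-version-variables.sh; the `.tool-versions` change that script reads from (the update-asdf-version-variables hook further down lists `.tool-versions` among its trigger files) is not in the rendered diff. Confirm the file was regenerated rather than hand-edited, and state in the commit message that the `stages: [commit]` to `stages: [pre-commit]` renames in `.pre-commit-hooks.yaml` accompany this bump, since a reader of this hunk alone cannot see why a major upgrade of pre-commit is safe.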
# DO NOT MANUALLY EDIT; Run ./scripts/update-asdf-version-variables.sh to update this
variables:
GL_COMMON_CI_TASKS_DEFAULT_ASDF_PRE_COMMIT_VERSION: 3.8.0
GL_COMMON_CI_TASKS_DEFAULT_ASDF_PRE_COMMIT_VERSION: 4.0.1
GL_COMMON_CI_TASKS_DEFAULT_ASDF_SHELLCHECK_VERSION: 0.10.0
GL_COMMON_CI_TASKS_DEFAULT_ASDF_SHFMT_VERSION: 3.9.0
GL_COMMON_CI_TASKS_DEFAULT_ASDF_SHFMT_VERSION: 3.10.0
@@ -4,18 +4,18 @@
# so be sure not to include the `v` prefix on version numbers here when adding new
# values, or manually upgrading.
variables:
GL_COMMON_CI_TASKS_DEFAULT_GITLEAKS_VERSION: "8.18.4" # datasource=github-releases depName=zricethezav/gitleaks
GL_COMMON_CI_TASKS_DEFAULT_GITLEAKS_VERSION: "8.21.1" # datasource=github-releases depName=zricethezav/gitleaks
GL_COMMON_CI_TASKS_YAMLLINT_VERSION: "1.35.1" # datasource=github-tags depName=adrienverge/yamllint
GL_COMMON_CI_TASKS_HCLFMT_VERSION: "2.22.0" # datasource=github-tags depName=hashicorp/hcl
GL_COMMON_CI_TASKS_KANIKO_VERSION: "1.23.2" # datasource=github-releases depName=GoogleContainerTools/kaniko
 
# These are versions used in the Renovate runner image
GL_COMMON_RENOVATE_GIT_VERSION: "2.46.0" # datasource=github-tags depName=git/git
GL_COMMON_RENOVATE_GOLANG_VERSION: "1.23.1" # datasource=golang-version depName=golang/go
GL_COMMON_RENOVATE_GIT_VERSION: "2.47.0" # datasource=github-tags depName=git/git
GL_COMMON_RENOVATE_GOLANG_VERSION: "1.23.2" # datasource=golang-version depName=golang/go
GL_COMMON_RENOVATE_JB_VERSION: "0.6.0" # datasource=github-releases depName=jsonnet-bundler/jsonnet-bundler
GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION: "1.15.7" # datasource=gitlab-releases depName=gitlab-com/gl-infra/jsonnet-tool
GL_COMMON_RENOVATE_NODEJS_VERSION: "20.17.0" # datasource=node depName=nodejs/node
GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION: "1.16.1" # datasource=gitlab-releases depName=gitlab-com/gl-infra/jsonnet-tool
GL_COMMON_RENOVATE_NODEJS_VERSION: "20.18.0" # datasource=node depName=nodejs/node
GL_COMMON_RENOVATE_RUBY_VERSION: "3.3.5" # datasource=ruby-version depName=ruby/ruby
GL_COMMON_RENOVATE_YARN_VERSION: "1.22.22" # datasource=github-tags depName=yarnpkg/yarn
GL_COMMON_RENOVATE_YQ_VERSION: "4.44.3" # datasource=github-releases depName=mikefarah/yq
GL_COMMON_RENOVATE_PYTHON_VERSION: "3.12.5" # datasource=github-tags depName=python/cpython
GL_COMMON_RENOVATE_PYTHON_VERSION: "3.12.7" # datasource=github-tags depName=python/cpython
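Review bot: GL_COMMON_CI_TASKS_KANIKO_VERSION stays pinned at 1.23.2 with a live `# datasource=github-releases depName=GoogleContainerTools/kaniko` trailer while this same commit adds kaniko deprecation notices because the project is "now a `docker buildx` shop"; decide whether a deprecated template should keep generating Renovate bump MRs, and if not, drop the datasource trailer on that line so Renovate stops tracking it. The six bumps in this hunk (gitleaks 8.18.4 to 8.21.1, git 2.46.0 to 2.47.0, golang 1.23.1 to 1.23.2, jsonnet-tool 1.15.7 to 1.16.1, nodejs 20.17.0 to 20.18.0, python 3.12.5 to 3.12.7) all keep the no-`v`-prefix convention the file header asks for.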
@@ -36,6 +36,7 @@ include:
- IMAGE_SUFFIX: asdf
- IMAGE_SUFFIX: mise
variables:
CHAINGUARD_VIEWER: true # Enable viewer-role access to GitLab's chainguard images
DOCKER_BUILD_FILE: Dockerfile.${IMAGE_SUFFIX}
GL_VERSION_YML_FILES: .gitlab-ci-asdf-versions.yml .gitlab-ci-other-versions.yml .gitlab-ci-default-asdf-versions.yml
 
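Review bot: `CHAINGUARD_VIEWER: true` is set on the whole build matrix (both the asdf and the mise image variants), but the comment says only that it enables viewer-role access to GitLab's chainguard images, not which template consumes the variable or where the underlying registry credential is sourced, so a reader of this file cannot tell what credential these jobs are being given. Extend the comment to point at the ChainGuard registry access support added in this release (feat: add support for ChainGuard registry access) and to name the variable or secret path it resolves to, and confirm the flag is honoured only in jobs that actually pull Chainguard base images rather than granting registry access to every job that inherits these variables.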
@@ -47,7 +48,7 @@ container_image_builds:
- .docker_buildx_base
- .container_builds
rules:
- if: '$CI_PIPELINE_SOURCE == "scheduled"'
- if: '$CI_PIPELINE_SOURCE == "scheduled" || $CI_COMMIT_TAG != null'
when: "never"
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
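Review bot: the `when: "never"` guard compares `$CI_PIPELINE_SOURCE` to `"scheduled"`, but GitLab's predefined value for scheduled pipelines is `schedule` (the renovate_validate rule later in this commit uses `"schedule"` correctly), so the scheduled-pipeline exclusion for container_image_builds has never matched and still does not after this change; only the newly added `$CI_COMMIT_TAG != null` half of the condition takes effect. Change the line to `- if: '$CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_TAG != null'` so scheduled runs are really skipped and tag pipelines are left to container_image_tagged alone.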
@@ -77,3 +78,33 @@ container_image_tagged:
- .container_builds
rules:
- if: "$CI_COMMIT_TAG"
# Override the renovate_bot script to avoid what appears to be broken
# master builds when renovate attempts to run before the new image
# is build
renovate_validate:
rules:
- if: '$CI_PIPELINE_SOURCE == "schedule"'
when: 'never'
- if: $RENOVATE_DISABLED == 'true' || $RENOVATE_DISABLED == '1'
when: never
# Avoid running Renovate when Semantic Release pushes the release commit directly to main branch
- if: "$CI_COMMIT_AUTHOR =~ /semantic-release-bot/ && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: never
- if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
exists:
- renovate.json
renovate_bot:
rules:
# Renovate only ever runs on gitlab.com
- if: '$CI_SERVER_HOST != "gitlab.com"'
when: never
- if: $RENOVATE_DISABLED == 'true' || $RENOVATE_DISABLED == '1'
when: never
# Avoid running Renovate when Semantic Release pushes the release commit directly to main branch
- if: "$CI_COMMIT_AUTHOR =~ /semantic-release-bot/ && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH"
when: never
- if: "($RENOVATE_SCHEDULED || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH) && ($RENOVATE_IMMEDIATE == '' || $RENOVATE_IMMEDIATE == null) "
exists:
- renovate.json
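Review bot: the two new skip rules keyed on `$CI_COMMIT_AUTHOR =~ /semantic-release-bot/` match on the commit's author field, which anyone with push access can set, so they work as a convenience that suppresses Renovate on release commits, not as a gate; the worst outcome of a spoofed author here is a skipped renovate_validate or renovate_bot job, which is acceptable, but the pattern should not be copied to jobs where skipping has security consequences. Two smaller points in the block above renovate_validate: the comment says it overrides the "renovate_bot script" and refers to "master builds" and "before the new image is build", while it actually sits above renovate_validate, the rule keys on `$CI_DEFAULT_BRANCH`, and the word should be `built`; and renovate_validate lacks the `$CI_SERVER_HOST != "gitlab.com"` guard that renovate_bot has, which is fine if validation is meant to run on self-managed instances too but deserves a comment saying so.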
@@ -5,7 +5,7 @@
# exclude: '^fixtures/'
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.6.0
rev: v5.0.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
@@ -23,7 +23,7 @@ repos:
args: [--autofix, --no-sort-keys]
 
- repo: https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks
rev: v2.35.1 # renovate:managed:self
rev: v2.45.0 # renovate:managed:self
hooks:
- id: shellcheck # Run shellcheck for changed Shell files
- id: shfmt # Run shellcheck for changed Shell files
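Review bot: the context line `- id: shfmt # Run shellcheck for changed Shell files` carries a comment copy-pasted from the shellcheck hook above it and should read `Run shfmt for changed Shell files`; since the block is being touched to move the `# renovate:managed:self` pin from v2.35.1 to v2.45.0, fix the comment in the same change. The pin itself matches the `chore(deps): update pre-commit hook gitlab-com/gl-infra/common-ci-tasks to v2.45.0` entry in the commit message.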
@@ -15,7 +15,7 @@
language: system
require_serial: true
pass_filenames: false
stages: [commit]
stages: [pre-commit]
 
- id: go-fmt
name: "go-fmt | common-ci-tasks"
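Review bot: `stages: [commit]` becoming `stages: [pre-commit]` is the stage name pre-commit introduced in 3.2.0 when it deprecated the legacy `commit`, `push` and `merge-commit` names, and it pairs with the jump to pre-commit 4.0.1 in `.gitlab-ci-asdf-versions.yml` in this same commit. The identical one-line rename repeats through the rest of this file but the commit message never mentions it; add a line noting that consumer repositories still running a pre-commit older than 3.2.0 will reject these hook definitions and must upgrade pre-commit together with the hook rev.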
@@ -25,7 +25,7 @@
language: script
description: "Run go-fmt"
pass_filenames: true
stages: [commit]
stages: [pre-commit]
 
- id: go-imports
name: "go-imports | common-ci-tasks"
@@ -35,7 +35,7 @@
language: script
description: "Run go-imports"
pass_filenames: true
stages: [commit]
stages: [pre-commit]
 
- id: go-mod-tidy
name: "go-mod-tidy | common-ci-tasks"
@@ -46,7 +46,7 @@
description: "Run go mod tidy"
pass_filenames: true
require_serial: true
stages: [commit]
stages: [pre-commit]
 
- id: go-test
name: "go-test | common-ci-tasks"
@@ -55,7 +55,7 @@
language: script
description: "Run go test on project"
pass_filenames: false
stages: [commit]
stages: [pre-commit]
 
#########################################################
# Shell Hooks
@@ -73,7 +73,7 @@
# https://www.shellcheck.net/wiki/Directive#source-path
- "--source-path=SCRIPTDIR"
types: [shell]
stages: [commit]
stages: [pre-commit]
 
- id: shfmt
name: "shfmt | common-ci-tasks"
@@ -83,7 +83,7 @@
args: [-w, -s, -i, "2"]
types: [shell]
exclude_types: [csh, tcsh, zsh]
stages: [commit]
stages: [pre-commit]
 
#########################################################
# Misc Hooks
@@ -95,7 +95,7 @@
language: script
entry: scripts/pre-commit/update-asdf-version-variables.sh
files: '^(\.gitlab-ci-asdf-versions\.yml|scripts/update-asdf-version-variables.sh|\.tool-versions)$'
stages: [commit]
stages: [pre-commit]
 
- id: gitlint
name: "gitlint | common-ci-tasks"
@@ -115,6 +115,7 @@
entry: gitleaks protect --verbose --redact --staged
language: golang
pass_filenames: false
stages: [pre-commit]
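Review bot: adding `stages: [pre-commit]` to the gitleaks hook narrows it from running at every installed stage to the pre-commit stage only. That is consistent with `gitleaks protect --staged`, which only makes sense against the index, but it also means a `pre-push` installation of these hooks no longer scans for secrets at all. If that is intended, a one-line comment saying so will stop the next reader from "fixing" it; either way, commits made with `--no-verify` bypass the hook, so it is a convenience for developers rather than the control.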
 
- id: editorconfig
name: 'editorconfig | common-ci-tasks'
@@ -125,6 +126,7 @@
language: golang
types: [text]
require_serial: true
stages: [pre-commit]
 
- id: yamllint
name: "yamllint | common-ci-tasks"
@@ -136,6 +138,7 @@
- "-c=.yamllint.yaml"
language: python
types: [yaml]
stages: [pre-commit]
 
#########################################################
# Terraform Hooks
@@ -145,10 +148,9 @@
name: "terraform fmt | common-ci-tasks"
description: "Apply terraform fmt across all changed terraform files"
language: system
entry: mise exec terraform -- terraform fmt
args: [-write, -check]
entry: mise exec terraform -- terraform fmt -write -check
types: [terraform]
stages: [commit]
stages: [pre-commit]
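Review bot: folding `args: [-write, -check]` into `entry: mise exec terraform -- terraform fmt -write -check` changes what consumers can override: pre-commit appends a project's own `args:` after `entry`, so a project that previously set `args: [-write]` to get auto-formatting now runs `-write -check -write`. Since `-check` makes `terraform fmt` a read-only check regardless of `-write`, the description `Apply terraform fmt across all changed terraform files` is misleading in both the old and new form; reword it to `Check terraform fmt ...`, or drop `-check` if the hook is meant to rewrite files.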
 
- id: terraform-tflint
name: "tflint | common-ci-tasks"
@@ -156,7 +158,7 @@
language: script
entry: scripts/pre-commit/terraform-tflint.sh
types: [terraform]
stages: [commit]
stages: [pre-commit]
 
- id: terra-transformer-validate-roots
name: "terra-transformer-validate-roots | common-ci-tasks"
@@ -167,7 +169,7 @@
- "--ignore-missing-files"
- "--delete-dot-terraform-if-required"
types: [terraform]
stages: [commit]
stages: [pre-commit]
pass_filenames: false
 
#########################################################
@@ -181,4 +183,4 @@
entry: mise exec go-jsonnet -- jsonnetfmt
args: [-i, --string-style, s, -n, "2"]
types: [jsonnet]
stages: [commit]
stages: [pre-commit]
# For first-time installation, you'll need to install all plugins:
# Use the script: ./scripts/install-asdf-plugins.sh
# NOTE: please add new plugins to ./scripts/install-asdf-plugins.sh when adding items here
pre-commit 3.8.0 # datasource=github-releases depName=pre-commit/pre-commit
pre-commit 4.0.1 # datasource=github-releases depName=pre-commit/pre-commit
python system
shellcheck 0.10.0 # datasource=github-releases depName=koalaman/shellcheck
shfmt 3.9.0 # datasource=github-releases depName=mvdan/sh
shfmt 3.10.0 # datasource=github-releases depName=mvdan/sh
# This image is used by asdf to validate asdf setup scripts in asdf-tool-versions.yml
# This docker image is deprecated. Use the mise image instead.
 
FROM ghcr.io/containerbase/base:11.11.12
FROM ghcr.io/containerbase/base:12.0.10
ARG GL_COMMON_RENOVATE_GIT_VERSION
ARG GL_COMMON_RENOVATE_PYTHON_VERSION
 
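Review bot: `FROM ghcr.io/containerbase/base:12.0.10` is pinned by tag only; a tag can be re-pushed upstream, so a digest pin (`ghcr.io/containerbase/base:12.0.10@sha256:<digest>`) gives a reproducible base that can be verified, and Renovate can keep the digest updated alongside the tag. The comment above marks this image as deprecated in favour of the mise image; if it is still being bumped on every release, a removal target (or a date) in that comment would stop it from accruing maintenance indefinitely.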
# This image is used by asdf to validate asdf setup scripts in asdf-tool-versions.yml
FROM ghcr.io/containerbase/base:11.11.12
FROM ghcr.io/containerbase/base:12.0.10
ARG GL_COMMON_RENOVATE_GIT_VERSION
ARG GL_COMMON_RENOVATE_PYTHON_VERSION
 
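Review bot: same tag-only base pin as the asdf Dockerfile; pin the digest here too so both images track the same base build and the bump is verifiable.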
@@ -10,19 +10,20 @@ ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update
RUN apt-get upgrade -y
 
# Install gettext for envsubst
RUN apt-get install -yq \
jq curl bash build-essential libssl-dev zlib1g-dev \
libbz2-dev libreadline-dev libsqlite3-dev libyaml-dev wget unzip \
ca-certificates openssh-client lsb-release \
libncursesw5-dev xz-utils tk-dev libxml2-dev \
libxmlsec1-dev libffi-dev liblzma-dev
libxmlsec1-dev libffi-dev liblzma-dev gettext
 
RUN install-tool git "${GL_COMMON_RENOVATE_GIT_VERSION}"
RUN install-tool python "${GL_COMMON_RENOVATE_PYTHON_VERSION}"
 
# Cleanup apt
RUN apt-get clean autoclean && apt-get autoremove --yes && \
rm -rf /var/lib/{apt,dpkg,cache,log}/
rm -rf /var/lib/{cache,log}/
 
# Install mise
RUN curl https://mise.jdx.dev/mise-latest-linux-x64 > /bin/mise && chmod 755 /bin/mise
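Review bot: `rm -rf /var/lib/{cache,log}/` depends on shell brace expansion, which `/bin/sh` (dash on Debian-based images) does not perform; unless the base image sets `SHELL` to bash, this `RUN` tries to remove a literal path named `/var/lib/{cache,log}/`, `rm -rf` exits 0 on a missing path, and nothing is cleaned. Spell the paths out (`rm -rf /var/lib/cache/ /var/lib/log/`) to be safe. Dropping `apt` and `dpkg` from the list is the right fix, since deleting the dpkg database breaks any later package operation. Two points in the surrounding context: the cleanup runs in a separate layer from `apt-get install`, so the removed files still live in the earlier layer and the image does not shrink (chain the install and the clean in one `RUN`); and `curl https://mise.jdx.dev/mise-latest-linux-x64 > /bin/mise` fetches an unpinned "latest" binary with no checksum, so the build is not reproducible and a tampered download would be accepted silently; pin a version and verify a checksum before `chmod 755`.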
@@ -5,7 +5,7 @@ FROM docker.io/mikefarah/yq:${GL_COMMON_RENOVATE_YQ_VERSION} as yq
FROM registry.gitlab.com/gitlab-com/gl-infra/jsonnet-tool:v${GL_COMMON_RENOVATE_JSONNET_TOOL_VERSION} AS jsonnet-tool
 
# This image is used by renovate
FROM ghcr.io/containerbase/base:11.11.12
FROM ghcr.io/containerbase/base:12.0.10
ARG GL_COMMON_RENOVATE_GIT_VERSION
ARG GL_COMMON_RENOVATE_GOLANG_VERSION
ARG GL_COMMON_RENOVATE_JB_VERSION
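Review bot: third copy of the tag-only base pin; see the digest note on the asdf Dockerfile. This is the image Renovate itself runs in, so it is the one where a verifiable base matters most.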
@@ -15,7 +15,7 @@ include:
# and include the container scanning results in the project that is triggering this scan.
# see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/appsec-container-scan.md
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: appsec-container-scan.yml
 
container_image_scan:
@@ -31,6 +31,6 @@ include:
# and that asdf and mise are generally working
# see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/asdf-tool-versions.md
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: asdf-tool-versions.yml
```
@@ -6,7 +6,7 @@ spec:
validate_mise_tool_versions:
stage: $[[ inputs.stage ]]
image:
name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/mise:v2.35.2
name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/mise:v2.45.1
entrypoint: [""]
needs: []
variables:
@@ -25,6 +25,6 @@ include:
# Runs checkov on all terraform module directories
# see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/checkov.md
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: checkov.yml
```
@@ -7,7 +7,7 @@ This can help to determine how much a container image has changed in size due to
```yaml
include:
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: 'container-diff.yml'
inputs:
job_name: container-diff # The name of the job this template will create
@@ -13,7 +13,7 @@ variables:
include:
# Run Danger during merge requests to alert on messages, warnings and errors.
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: 'danger.yml'
# inputs:
# stage: defaults to `validate`
@@ -8,12 +8,20 @@ spec:
bundler_group:
default: ""
description: 'When using a Gemfile, install dependencies from this group.'
job_image:
default: ruby:3.2.3
description: 'The image to use for the `danger-review` job, defaults to `ruby:3.2.3`'
job_allow_failure:
default: false
type: boolean
description: 'Whether or not the job is allowed to fail'
 
---
 
# Taken from https://gitlab.com/gitlab-org/components/danger-review
danger-review:
image: ruby:3.2.3
image: $[[ inputs.job_image ]]
id_tokens:
VAULT_ID_TOKEN:
aud: https://vault.gitlab.net
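Review bot: the `job_image` description hardcodes the default (`defaults to \`ruby:3.2.3\``), so the text will drift the next time the image is bumped; say "defaults to the pinned Ruby image" and let the `default:` key carry the value. Also worth stating in that description that the job requests a Vault ID token (`VAULT_ID_TOKEN`, a few lines below), so whatever image a consumer substitutes here receives that token; the same tag-only pinning caveat applies to `ruby:3.2.3`.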
@@ -24,6 +32,7 @@ danger-review:
token: $VAULT_ID_TOKEN
stage: $[[ inputs.stage ]]
needs: []
allow_failure: $[[ inputs.job_allow_failure ]]
retry:
max: 2
when:
@@ -21,7 +21,7 @@ include:
# Includes a base template for running an opinionated docker buildx build
# see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md
- project: 'gitlab-com/gl-infra/common-ci-tasks'
ref: v2.35.2 # renovate:managed
ref: v2.45.1 # renovate:managed
file: 'docker.yml'
 
.container_builds:
@@ -72,7 +72,7 @@ logs:
```
------------------------------------------------------------
Verify this container image using:
cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.35.2 \
cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.45.1 \
--certificate-identity https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks//.gitlab-ci.yml@refs/tags/v1.2.3 \
--certificate-oidc-issuer https://gitlab.com
------------------------------------------------------------
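Review bot: the `cosign verify` example now targets `asdf:v2.45.1`, but the `--certificate-identity` still ends in `@refs/tags/v1.2.3`; the identity must name the tag whose pipeline signed the image, so the command as written fails verification. Use the same tag in both places, or mark `v1.2.3` clearly as a placeholder that the reader replaces with the image tag.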
@@ -86,3 +86,102 @@ please review [the Sigstore docs](https://docs.sigstore.dev/verifying/verify/#ke
### Caching
 
By default, caching is enabled for Docker tasks.
Caching will store cache images in the `$CI_REGISTRY_IMAGE/cache` registry.
All cache tags start with the prefix of `cache-` to allow for easy cleanup.
Two cache key schemes are used:
1. `BRANCH_REGISTRY_CACHE_KEY` for branches
2. `DEFAULT_BRANCH_REGISTRY_CACHE_KEY` - for default branch.
Please review the [template definition](./docker.yml) for details,
but these can be overridden depending on project requirements.
There are three caching modes:
1. **For branches**: `docker buildx` will read from the branch cache and the default branch cache.
For performance reasons, branches don't write to the cache by default,
but this can optionally be turned on.
See [Branch Write Caching](#branch-write-caching) for more information.
1. **For main branch**: `docker buildx` will read from and write to the default branch cache.
1. **For tags**: `docker buildx` will read from the default branch cache and not write to the cache.
#### Branch Write Caching
Writing cached images to the registry can be very slow:
often slower than a rebuild if the main cache is relatively warm.
For that reason, writing docker builds to the branch cache is disabled by default.
It can be enabled using the ~docker-write-branch-cache label on your MR,
or adding by the `DOCKER_WRITE_BRANCH_CACHE="1"` variable.
If you're finding that Docker builds on a branch are slow and could benefit from writing the cache,
for maximum efficiency, turn branch write caching on temporarily,
run a successful pipeline,
and then turn branch write caching off again.
This will allow the branch cache to be populated,
while avoiding the costly cache write at the end of each docker build job.
Note that Docker builds will attempt to read the branch cache even when branch cache writing is disabled.
### SBOM Attestation
By default, tag and default branch images will have SBOM attestations attached using the Docker SBOM
attestation feature: <https://docs.docker.com/build/metadata/attestations/sbom/>.
This behaviour can be modified:
1. Add the ~docker-attest-sbom label to an MR to write attestations for docker images produced on the branch,
or set `DOCKER_ATTEST_SBOM="1"`.
2. To disable SBOM attestations, set `DOCKER_NO_ATTEST_SBOM="1"`.
#### Listing the Software Bill of Materials in a Docker Image
To list all packages in a Docker image, the Docker documentation provides example usage, for example:
```console
$ # list all packages in a Docker container
$ docker buildx imagetools inspect <image> \
--format "{{ range .SBOM.SPDX.packages }}{{ .name }}@{{ .versionInfo }}{{ println }}{{ end }}"
alpine-baselayout@3.6.5-r0
alpine-baselayout-data@3.6.5-r0
alpine-keys@2.4-r1
apk-tools@2.14.4-r0
busybox@1.36.1-r29
busybox-binsh@1.36.1-r29
ca-certificates-bundle@20240705-r0
libcrypto3@3.3.2-r0
libssl3@3.3.2-r0
musl@1.2.5-r0
musl-utils@1.2.5-r0
scanelf@1.3.7-r2
ssl_client@1.36.1-r29
zlib@1.3.1-r1
```
### Chainguard
If your project uses [Chainguard](https://console.chainguard.dev/overview) images,
the Docker task can automatically log into the GitLab Chainguard account prior to performing the Docker build.
This allows images to be pulled from `cgr.dev` without the need to juggle credentials on a per-project basis.
Currently, due to [OIDC issue #28](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/issues/28), a long-lived token is shared
between all projects under the [`gitlab-com/gl-infra`](https://gitlab.com/groups/gitlab-com/gl-infra/-/settings/ci_cd) group on GitLab.com.
Once the OIDC problem is resolved, these credentials will be removed and replaced with a tokenless OIDC authentication flow.
#### Enabling Chainguard
To automatically log into `cgr.dev` with a [pull-token](https://edu.chainguard.dev/chainguard/chainguard-registry/authenticating/),
set the variable `CHAINGUARD_VIEWER` to `true` in your docker job, as follows:
```yaml
.container_builds:
stage: release
variables:
CHAINGUARD_VIEWER: true
...
```
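Review bot: two wording fixes in the added caching text: `or adding by the ... variable` should read `or by adding the ... variable`, and the three caching modes are all numbered `1.` (Markdown renumbers them, but the source reads oddly). On substance: `~docker-write-branch-cache` and `~docker-attest-sbom` are label-gated, and MR labels can usually be applied at a lower role than the one needed to change CI variables, so the docs should say who is expected to set them, since both labels cause jobs to write to the shared `$CI_REGISTRY_IMAGE/cache` registry or attach attestations to branch images. The Chainguard section is candid that one long-lived token is shared across the whole `gitlab-com/gl-infra` group; linking the tracking issue is good, and a sentence recommending that `CHAINGUARD_VIEWER` be set only in projects that actually pull from `cgr.dev` would keep the number of jobs receiving that token small until the OIDC flow lands.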