chore: use vault with Goreleaser

Updates the goreleaser task to use Vault.

docs/project-setup.md

+# Project Setup
+
+There are two ways of setting up projects: the automated way and the manual way. The manual way is legacy only.
+
+## Automated Project Setup
+
+1. Declare a new project in the **[Infra-Mgmt project](https://gitlab.com/gitlab-com/gl-infra/infra-mgmt/-/tree/main/environments/gitlab-com)**.
+   1. Infra-Mgmt configuration will ensure that Vault configuration is applied to the project.
+   2. The **[Project module](https://ops.gitlab.net/gitlab-com/gl-infra/terraform-modules/gitlab/project)** contains
+      the documentation on configuring a new project appropriately.
+1. Add the `common-ci-tasks` input variable to the Project resource declaration, as follows:
+
+    ```terraform
+
+    module "project_gitlab-dedicated-org-tenctl" {
+        source  = "ops.gitlab.net/gitlab-com/project/gitlab"
+        version = "x.x.x"
+
+        ...
+
+        # Enable common-ci-task definitions
+        common_ci_tasks = {
+            enabled          = true
+            goreleaser       = true  # Enable for Goland projects that use Goreleaser, see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
+            mirroring        = true
+            renovate_bot     = true
+            semantic_release = true
+        }
+    }
+    ```
+1. Merge the change and await Terraform provisioning of the project.
+1. Optional, but recommended. Follow the **[Project Templates documentation](./project-templates.md) to setup the new project
+   using a [copier template](https://copier.readthedocs.io/).
+   Copier has the advantage of allowing existing project templates to be progressively updated as new changes are made
+   to the template.
+
+## Manual Project Setup
+
+Each template has it's own requirements for manual setup. Follow the template documentation for details.
+
+You'll also need to maintain and refresh tokens manually, so this approach will require a great deal more overhead in the long run.

goreleaser.md

@@ -64,7 +64,31 @@ gitlab_urls:
   download: '{{ .Env.CI_SERVER_URL }}'
 ```
-Next, create a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) with `api`  and make it available in your CI environment via the `GITLAB_TOKEN` environment variable through the CI/CD Variables settings.
+## Automated Setup
+
+Follow the instructions in **[the Project Setup documentation for Automated Setup](./docs/project-setup.md)** and
+ensure that the follow settings are configured on your Project resource:
+
+```terraform
+
+# Enable common-ci-task definitions
+common_ci_tasks = {
+    enabled          = true
+    goreleaser       = true  # Enable for Goland projects that use Goreleaser, see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
+    ....
+}
+```
+
+Note that if the `VAULT_SECRETS_PATH` configuration is present, this task will use Vault for resolution of `GITLAB_TOKEN`.
+
+## Manual Setup
+
+For legacy project configurations, the following manual setup is required:
+
+1. Create a [Project Access Token](https://docs.gitlab.com/ee/user/project/settings/project_access_tokens.html) with `api`
+2. Make it available in your CI environment via the `GITLAB_TOKEN` environment variable through the CI/CD Variables settings.
+
+## `.gitlab-ci.yml` Configuration
 ```yaml
 stages:

goreleaser.yml

@@ -8,7 +8,18 @@ spec:
       default: docker.io
 ---
-.goreleaser_common: &goreleaser_common
+include:
+  # No vault? fall back to legacy variable based configuration
+  - local: 'internal/goreleaser/variable.yml'
+    rules:
+      - if: '$VAULT_SECRETS_PATH == null || $VAULT_SECRETS_PATH == ""'
+
+  # Vault? Use it to obtain the GITLAB_TOKEN for Goreleaser
+  - local: 'internal/goreleaser/vault.yml'
+    rules:
+      - if: '$VAULT_SECRETS_PATH != null && $VAULT_SECRETS_PATH != ""'
+
+.goreleaser_common:
   after_script:
     - |
       cat <<-EOD
@@ -22,8 +33,9 @@ spec:
     when:
       - runner_system_failure
-.goreleaser_validate_base: &goreleaser_validate_base
-  <<: *goreleaser_common
+.goreleaser_validate_base:
+  extends:
+    .goreleaser_common
   stage: $[[ inputs.validate_stage ]]
   needs: []
   script:
@@ -33,7 +45,8 @@ spec:
 # Requires .goreleaser.yml file
 # Requires stages: validate, release
 goreleaser_validate:
-  <<: *goreleaser_validate_base
+  extends:
+    - .goreleaser_validate_base
   image:
     name: $[[ inputs.docker_hub_host ]]/goreleaser/goreleaser:v${GL_ASDF_GORELEASER_VERSION}
     entrypoint: [""]
@@ -43,7 +56,8 @@ goreleaser_validate:
         - .goreleaser.yml
 goreleaser_validate-fips:
-  <<: *goreleaser_validate_base
+  extends:
+    - .goreleaser_validate_base
   image:
     name: $[[ inputs.docker_hub_host ]]/goreleaser/goreleaser-cross:v${GL_ASDF_GOLANG_VERSION}-v${GL_ASDF_GORELEASER_VERSION}
     entrypoint: [""]
@@ -52,8 +66,9 @@ goreleaser_validate-fips:
       exists:
         - .goreleaser.yml
-.goreleaser_build_base: &goreleaser_build_base
-  <<: *goreleaser_common
+.goreleaser_build_base:
+  extends:
+    - .goreleaser_common
   stage: $[[ inputs.validate_stage ]]
   needs: []
   script:
@@ -64,7 +79,8 @@ goreleaser_validate-fips:
 # For the moment, we perform a single build for FIPS and non-FIPS
 # this build is done for validation purposes only
 goreleaser_build:
-  <<: *goreleaser_build_base
+  extends:
+    - .goreleaser_build_base
   image:
     name: $[[ inputs.docker_hub_host ]]/golang:${GL_ASDF_GOLANG_VERSION}
     entrypoint: [""]
@@ -75,8 +91,9 @@ goreleaser_build:
       exists:
         - .goreleaser.yml
-.goreleaser_base: &goreleaser_base
-  <<: *goreleaser_common
+.goreleaser_base:
+  extends:
+    - .goreleaser_common
   stage: $[[ inputs.release_stage ]]
   image: $[[ inputs.docker_hub_host ]]/docker:stable
   services:
@@ -90,7 +107,9 @@ goreleaser_build:
     GIT_DEPTH: 0
 goreleaser:
-  <<: *goreleaser_base
+  extends:
+    - .goreleaser_base
+    - .goreleaser_auth_config  # Configure vault or variables, from internal/goreleaser/*
   rules:
     # Only run this release job for tags, not every commit
     - if: $CI_COMMIT_TAG && $FIPS_MODE != "1"
@@ -114,7 +133,9 @@ goreleaser:
       ${GORELEASER_EXTRA_ARGS:-}
 goreleaser-fips:
-  <<: *goreleaser_base
+  extends:
+    - .goreleaser_base
+    - .goreleaser_auth_config  # Configure vault or variables, from internal/goreleaser/*
   rules:
     # Only run this release job for tags, not every commit
     - if: $CI_COMMIT_TAG && $FIPS_MODE == "1"

internal/goreleaser/variable.yml

+# DO NOT INCLUDE DIRECTLY!
+---
+.goreleaser_auth_config:
+  # We can't specify an empty job, so
+  # repeat something that is invariant
+  needs: []

internal/goreleaser/vault.yml

+# DO NOT INCLUDE DIRECTLY!
+---
+.goreleaser_auth_config:
+  id_tokens:
+    VAULT_ID_TOKEN:
+      aud: https://vault.gitlab.net
+  secrets:
+    GITLAB_TOKEN:
+      file: false
+      vault: "access_tokens/${VAULT_SECRETS_PATH}/goreleaser/token@ci"

semantic-release.yml

@@ -80,15 +80,15 @@ spec:
         - .releaserc.json
 include:
-  - local: 'semantic-release-vault.yml'
+  - local: 'internal/semantic-release/vault.yml'
     rules:
       - if: '"$[[ inputs.vault | expand_vars ]]" != ""'
     inputs:
       vault: "$[[ inputs.vault | expand_vars ]]"
-  - local: 'semantic-release-variable.yml'
+  - local: 'internal/semantic-release/variable.yml'
     rules:
       - if: '"$[[ inputs.vault | expand_vars ]]" == "" && ($SEMANTIC_RELEASE_GITLAB_TOKEN != null || $GITLAB_TOKEN != null)'
-  - local: 'semantic-release-vault.yml'
+  - local: 'internal/semantic-release/vault.yml'
     rules:
       - if: '"$[[ inputs.vault | expand_vars ]]" == "" && ($SEMANTIC_RELEASE_GITLAB_TOKEN == null && $GITLAB_TOKEN == null)'
     inputs: