diff --git a/.gitlab/release-notes.md.template b/.gitlab/release-notes.md.template index 6a3da5b59de91634f638799294b6f28f546ff1ef..d9edef9e899ad931f8942051df3bbec09c669194 100644 --- a/.gitlab/release-notes.md.template +++ b/.gitlab/release-notes.md.template @@ -52,6 +52,10 @@ cosign verify \ --certificate-oidc-issuer "https://gitlab.com" ``` +The `image_digest` input can be used to strictly pull by the image digest. +The `image_digest` input value needs to have the format of `@<type>:<hash>` +where `<type>:<hash>` is the `digest` value from the images list above. + > **Note:** > > When using the component with the inputs `version` and `opentofu_version`,<br> diff --git a/templates/apply.yml b/templates/apply.yml index 8e992063958c257a6aea4a48a06410d75a8d5ec3..90adf3961d02cb5c52f4f129422dbe3d34455aeb 100644 --- a/templates/apply.yml +++ b/templates/apply.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} 
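Review bot: The new `image_digest` input in `templates/apply.yml` reaches `image.name` without any validation, because the `regex` is commented out, yet the description still tells users to "see regex of this input". Until the linked GitLab issue is fixed, a value without the leading `@` (for example a bare `sha256:<hash>`) is appended to the tag instead of pinning the image, and the error only surfaces at pull time. I would have the description state the expected shape itself, e.g. `Must be empty or '@sha256:' followed by 64 lowercase hex characters.`, and tighten the parked pattern to `'^(@sha256:[a-f0-9]{64})?$'`, since `[a-z0-9]` also admits non-hex letters. The same input block is repeated in every other template touched by this diff (custom-command, destroy, fmt, full-pipeline, graph, job-templates, plan, test, validate, validate-plan, validate-plan-apply, validate-plan-destroy).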
@@ -101,6 +109,6 @@ spec: TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]] TF_PLAN_NAME: $[[ inputs.plan_name ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu apply diff --git a/templates/custom-command.yml b/templates/custom-command.yml index 8d705aba957614e7d2ef7fe9a07cab1d879184da..3fc702287b445b5edfd40cdaa39ae3474ff42427 100644 --- a/templates/custom-command.yml +++ b/templates/custom-command.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -80,7 +88,7 @@ spec: __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu $[[ inputs.command ]] 
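Review bot: `$[[ inputs.image_digest ]]` is appended twice at the end of `image.name` in the `templates/apply.yml` hunk, while every other template in this diff appends it once. With a digest set, the reference would end in `@sha256:<hash>@sha256:<hash>`, which is not a valid image reference, so the apply job would fail to pull exactly when pinning is requested. With the default empty value the duplication is invisible, which is probably why it was missed. The line should end `-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]'`.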
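Review bot: In the `image.name` line of `templates/custom-command.yml`, the reference now carries both a tag and a digest, and container runtimes generally resolve such a reference by digest and ignore the tag. A digest copied from a different release would therefore run that other image while `version`, `opentofu_version` and `base_os` still suggest otherwise, and nothing in the template detects the mismatch. I would add a sentence to the `image_digest` description such as `When set, the digest decides which image is pulled; the tag built from version, opentofu_version and base_os is not checked against it.` The same applies to the `image.name` lines in apply, destroy, fmt, graph, plan, test and validate.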
diff --git a/templates/destroy.yml b/templates/destroy.yml index a224964ec478526ea562430b6bbfaaf75c64e67f..9975044db5f8bd2d18efc5561f86fa7b41948308 100644 --- a/templates/destroy.yml +++ b/templates/destroy.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -100,6 +108,6 @@ spec: TF_APPLY_NO_PLAN: $[[ inputs.no_plan ]] TF_PLAN_NAME: $[[ inputs.plan_name ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu apply -destroy diff --git a/templates/fmt.yml b/templates/fmt.yml index 45219cc325b472a47355d00662ffa710804be5d5..b732794edcb18a5a50f1aa482098690fa33ed6f1 100644 --- a/templates/fmt.yml +++ b/templates/fmt.yml 
@@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -88,6 +96,6 @@ spec: __CACHE_KEY_HACK: "$[[ inputs.root_dir ]]" TF_ROOT: $[[ inputs.root_dir ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu fmt diff --git a/templates/full-pipeline.yml b/templates/full-pipeline.yml index fece43f4514dc7dad952125cf4e74275c4b0605d..265d27e0ad332fd0975fc2da77ada34cdee684e8 100644 --- a/templates/full-pipeline.yml +++ b/templates/full-pipeline.yml 
@@ -67,6 +67,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -98,6 +106,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] - local: '/templates/validate.yml' inputs: @@ -108,6 +117,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/test.yml' @@ -119,6 +129,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] rules: @@ -133,6 +144,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] artifacts_access: $[[ inputs.plan_artifacts_access ]] 
@@ -145,6 +157,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] auto_apply: $[[ inputs.auto_apply ]] @@ -157,6 +170,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] auto_destroy: $[[ inputs.auto_destroy ]] diff --git a/templates/graph.yml b/templates/graph.yml index fa6c21f390f972c807616421aa1b1816a8a98a70..7a0a0d0796b80469e3b693c9ab3edcfe08f2f8ec 100644 --- a/templates/graph.yml +++ b/templates/graph.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} 
@@ -86,7 +94,7 @@ spec: TF_ROOT: $[[ inputs.root_dir ]] TF_STATE_NAME: $[[ inputs.state_name ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu graph > "$[[ inputs.graph_file ]]" artifacts: diff --git a/templates/job-templates.yml b/templates/job-templates.yml index 93ced344df0cfe0f40dcdbec26adb8cc04e518e4..448d0ad68ac9f3fe699f2e2988892125f4dd4b2c 100644 --- a/templates/job-templates.yml +++ b/templates/job-templates.yml @@ -67,6 +67,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration job_name_prefix: default: '.opentofu:' @@ -98,6 +106,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] - local: '/templates/validate.yml' inputs: 
@@ -108,6 +117,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/graph.yml' @@ -129,6 +139,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/plan.yml' @@ -140,6 +151,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/apply.yml' @@ -151,6 +163,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] auto_apply: $[[ inputs.auto_apply ]] @@ -163,6 +176,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] auto_destroy: $[[ inputs.auto_destroy ]] diff --git a/templates/plan.yml b/templates/plan.yml index a62a5465dbb6cf2f097be34c7099508b5f40a965..cf6e7892bea2aaf054975582c78bfcae871c30aa 100644 --- a/templates/plan.yml +++ b/templates/plan.yml 
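Review bot: The include of `/templates/graph.yml` that begins at the end of the `@@ -108,6 +117,7 @@` hunk in `templates/job-templates.yml` does not appear to receive `image_digest`. The next hunk in this file starts at new line 139 and covers the include that precedes `/templates/plan.yml`, so the graph include's inputs are untouched by the diff. `templates/graph.yml` gains the `image_digest` input in this same commit, so the graph job would keep pulling by mutable tag while its sibling jobs are pinned. If the omission is not intended, add `image_digest: $[[ inputs.image_digest ]]` after `image_name` in that include as well. The include's inputs lie outside the visible hunks, so this should be confirmed against the file.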
@@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -110,7 +118,7 @@ spec: TF_STATE_NAME: $[[ inputs.state_name ]] TF_PLAN_NAME: $[[ inputs.plan_name ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - "args=\"\"\nif [ \"$[[ inputs.destroy ]]\" == \"true\" ]; then \n echo \"Planning for a destroy\"\n args=\"-destroy\"\nfi\n" - gitlab-tofu plan $args diff --git a/templates/test.yml b/templates/test.yml index 37e659a6ec906bff6600278d8c9de35a4c4f1f2f..2f4894b54965c782149b60d32adacbcd22de5dc0 100644 --- a/templates/test.yml +++ b/templates/test.yml 
@@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -86,6 +94,6 @@ spec: TF_ROOT: $[[ inputs.root_dir ]] TF_STATE_NAME: $[[ inputs.state_name ]] image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu test diff --git a/templates/validate-plan-apply.yml b/templates/validate-plan-apply.yml index a48b5522866a6a660d0d4f1aebe16c0999569ab6..04fdb4d0a3a85abe9f010bc81409ce4b7d32c50d 100644 --- a/templates/validate-plan-apply.yml +++ b/templates/validate-plan-apply.yml 
@@ -61,6 +61,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -88,6 +96,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] - local: '/templates/validate.yml' inputs: @@ -98,6 +107,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/plan.yml' @@ -109,6 +119,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] artifacts_access: $[[ inputs.plan_artifacts_access ]] @@ -121,6 +132,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] auto_apply: $[[ inputs.auto_apply ]] 
diff --git a/templates/validate-plan-destroy.yml b/templates/validate-plan-destroy.yml index ac01f065ade6afd4bef607d2f0ff77c8fd60e9a7..e1c0b2d03926e4fec80edad5aa30999f115e2dc0 100644 --- a/templates/validate-plan-destroy.yml +++ b/templates/validate-plan-destroy.yml @@ -61,6 +61,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -91,6 +99,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] - local: '/templates/validate.yml' inputs: @@ -101,6 +110,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/plan.yml' @@ -112,6 +122,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] plan_name: $[[ inputs.plan_name ]] 
@@ -126,6 +137,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] no_plan: false diff --git a/templates/validate-plan.yml b/templates/validate-plan.yml index 69fe8cc9731eea1d11c8edfa4e09192c9e2ecd9f..709901f7340c5e96a0e89f790539f0975d8aab00 100644 --- a/templates/validate-plan.yml +++ b/templates/validate-plan.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -81,6 +89,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] - local: '/templates/validate.yml' inputs: @@ -91,6 +100,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] - local: '/templates/plan.yml' 
@@ -102,6 +112,7 @@ include: opentofu_version: $[[ inputs.opentofu_version ]] image_registry_base: $[[ inputs.image_registry_base ]] image_name: $[[ inputs.image_name ]] + image_digest: $[[ inputs.image_digest ]] root_dir: $[[ inputs.root_dir ]] state_name: $[[ inputs.state_name ]] artifacts_access: $[[ inputs.artifacts_access ]] diff --git a/templates/validate.yml b/templates/validate.yml index fb096b2a187719988e8154f3ca9495b624eb0d77..f88189c05e927392a067146736c4b128e1e9a055 100644 --- a/templates/validate.yml +++ b/templates/validate.yml @@ -58,6 +58,14 @@ spec: default: 'gitlab-opentofu' description: 'Image name for the job images. Hosted under `image_registry_base`.' + image_digest: + default: '' + # FIXME: we cannot use regex yet because of a bug that rejects + # empty strings from ever being checked against the regex. + # see https://gitlab.com/gitlab-org/gitlab/-/issues/477707 + # regex: '^(@sha256:[a-z0-9]{64})?$' + description: 'Image digest of the image you want to use. The format must be `@<image_digest>`, e.g. `@sha256:abc..`, see regex of this input. Please consult the release page at https://gitlab.com/components/opentofu/-/releases to obtain the image digests.' + # Configuration root_dir: default: ${CI_PROJECT_DIR} @@ -86,6 +94,6 @@ spec: TF_STATE_NAME: $[[ inputs.state_name ]] TF_IGNORE_INIT_ERRORS: 'true' # Tofu can report errors which might be the reason init failed. image: - name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]' + name: '$[[ inputs.image_registry_base ]]/$[[ inputs.image_name ]]:$[[ inputs.version ]]-opentofu$[[ inputs.opentofu_version ]]-$[[ inputs.base_os ]]$[[ inputs.image_digest ]]' script: - gitlab-tofu validate