Unverified
Commit
bafd24de
authored
8 months ago
by
Timo Furrer
Only sign images on GitLab.com
Changelog: fixed
parent
72675b76
Showing
2 changed files
.gitlab-ci.yml
+57
-40
57 additions, 40 deletions
.gitlab-ci.yml
tests/unit.gitlab-ci.yml
+1
-1
1 addition, 1 deletion
tests/unit.gitlab-ci.yml
with
58 additions
and
41 deletions
.gitlab-ci.yml
+
57
−
40
...
...
@@ -57,7 +57,7 @@ stages:
-
release
-
cleanup
.image-matrix
:
.image-matrix:
build
:
parallel
:
matrix
:
-
OPENTOFU_VERSION
:
!reference
[
.data
,
supported_versions
]
...
...
@@ -65,6 +65,36 @@ stages:
-
'
alpine'
-
'
debian'
.image-matrix:deploy
:
parallel
:
# OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
# RELEASE_VERSION: Tag base for the release image
# RELEASE_OPENTOFU_VERSION: opentofu version to contained in the release tag
matrix
:
-
# :{commit-tag}-opentofu{opentofu-version}
OPENTOFU_VERSION
:
!reference
[
.data
,
supported_versions
]
RELEASE_VERSION
:
$CI_COMMIT_TAG
RELEASE_OPENTOFU_VERSION
:
$OPENTOFU_VERSION
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
-
# :latest-opentofu{opentofu-version}
OPENTOFU_VERSION
:
!reference
[
.data
,
supported_versions
]
RELEASE_VERSION
:
latest
RELEASE_OPENTOFU_VERSION
:
$OPENTOFU_VERSION
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
-
# :{commit-tag|latest}{-opentofulatest|}
OPENTOFU_VERSION
:
$LATEST_OPENTOFU_VERSION
RELEASE_VERSION
:
[
"
${CI_COMMIT_TAG}"
,
latest
]
RELEASE_OPENTOFU_VERSION
:
[
"
"
,
latest
]
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
.image-matrix:deploy:release-name-script
:
&image-matrix-deploy-release-name-script
# OCI image tags are not compatible with semver, specifically the build metadata part
# indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
# We use a dash `-` here, instead of the `+`.
# This may be problematic, because it indicates a semver prerelease.
-
export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
-
export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
variables
:
# OpenTofu variables
LATEST_OPENTOFU_VERSION
:
!reference
[
.data
,
latest_version
]
...
...
@@ -85,7 +115,7 @@ check-semantic-version:
-
echo -n "$CI_COMMIT_TAG" | ./.gitlab/scripts/check-semantic-version.sh
gitlab-opentofu-image:build
:
extends
:
.image-matrix
extends
:
'
.image-matrix
:build'
stage
:
build
image
:
quay.io/containers/buildah:v1.37.3
before_script
:
...
...
@@ -180,6 +210,7 @@ shellcheck:
# - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
.gitlab-opentofu-image:deploy:base
:
extends
:
'
.image-matrix:deploy'
stage
:
deploy
image
:
name
:
alpine/crane:0.20.2
...
...
@@ -187,52 +218,15 @@ shellcheck:
variables
:
GITLAB_OPENTOFU_BASE_IMAGE_OS
:
$RELEASE_BASE_IMAGE_OS
before_script
:
-
*image-matrix-deploy-release-name-script
-
crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
# OCI image tags are not compatible with semver, specifically the build metadata part
# indicated with a `+` sign, see https://github.com/distribution/distribution/issues/1201
# We use a dash `-` here, instead of the `+`.
# This may be problematic, because it indicates a semver prerelease.
-
export RELEASE_IMAGE_NAME="$CI_REGISTRY_IMAGE/gitlab-opentofu"
-
export RELEASE_IMAGE="${RELEASE_IMAGE_NAME}:${RELEASE_VERSION}${RELEASE_OPENTOFU_VERSION:+-opentofu$RELEASE_OPENTOFU_VERSION}${RELEASE_BASE_IMAGE_OS:+-$RELEASE_BASE_IMAGE_OS}"
-
'
echo
"base
image
OS:
$GITLAB_OPENTOFU_BASE_IMAGE_OS"'
-
echo "Deploying $GITLAB_OPENTOFU_IMAGE_NAME as $RELEASE_IMAGE"
parallel
:
# OPENTOFU_VERSION: opentofu version to release in the job (from gitlab-opentofu-image:build)
# RELEASE_VERSION: Tag base for the release image
# RELEASE_OPENTOFU_VERSION: opentofu version to contained in the release tag
matrix
:
-
# :{commit-tag}-opentofu{opentofu-version}
OPENTOFU_VERSION
:
!reference
[
.data
,
supported_versions
]
RELEASE_VERSION
:
$CI_COMMIT_TAG
RELEASE_OPENTOFU_VERSION
:
$OPENTOFU_VERSION
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
-
# :latest-opentofu{opentofu-version}
OPENTOFU_VERSION
:
!reference
[
.data
,
supported_versions
]
RELEASE_VERSION
:
latest
RELEASE_OPENTOFU_VERSION
:
$OPENTOFU_VERSION
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
-
# :{commit-tag|latest}{-opentofulatest|}
OPENTOFU_VERSION
:
$LATEST_OPENTOFU_VERSION
RELEASE_VERSION
:
[
"
${CI_COMMIT_TAG}"
,
latest
]
RELEASE_OPENTOFU_VERSION
:
[
"
"
,
latest
]
RELEASE_BASE_IMAGE_OS
:
[
'
alpine'
,
'
debian'
]
gitlab-opentofu-image:deploy
:
extends
:
[
'
.gitlab-opentofu-image:deploy:base'
]
variables
:
COSIGN_YES
:
"
true"
# Used by Cosign to skip confirmation prompts for non-destructive operations
id_tokens
:
SIGSTORE_ID_TOKEN
:
aud
:
sigstore
script
:
# Install dependencies, can't use before_script because of the job we are extending.
-
apk add --update cosign
# Release image
-
crane copy "$GITLAB_OPENTOFU_IMAGE_NAME" "$RELEASE_IMAGE"
# Sign image
-
cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
-
export image_digest="$(crane digest $RELEASE_IMAGE)"
-
'
echo
"-
\`$RELEASE_IMAGE\`
(digest:
\`$image_digest\`)"
>
image$CI_JOB_ID.md'
artifacts
:
paths
:
-
'
image*.md'
...
...
@@ -254,6 +248,29 @@ gitlab-opentofu-image:deploy:dry-run:
-
.gitlab-ci.yml
-
src/**/*
gitlab-opentofu-image:sign
:
extends
:
'
.image-matrix:deploy'
image
:
alpine:3.20.3
variables
:
COSIGN_YES
:
"
true"
# Used by Cosign to skip confirmation prompts for non-destructive operations
id_tokens
:
SIGSTORE_ID_TOKEN
:
aud
:
sigstore
before_script
:
-
*image-matrix-deploy-release-name-script
-
apk add --update cosign
script
:
-
cosign sign "$(crane digest --full-ref "$RELEASE_IMAGE")"
-
export image_digest="$(crane digest $RELEASE_IMAGE)"
-
'
echo
"-
\`$RELEASE_IMAGE\`
(digest:
\`$image_digest\`)"
>
image$CI_JOB_ID.md'
artifacts
:
paths
:
-
'
image*.md'
rules
:
-
if
:
'
$CI_SERVER_FQDN
!=
"gitlab.com"'
when
:
never
-
if
:
$CI_COMMIT_TAG
.release:base
:
stage
:
release
image
:
registry.gitlab.com/gitlab-org/release-cli:v0.19.0
...
...
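Review bot: The new `gitlab-opentofu-image:sign` job is not self-contained as shown: it runs on `alpine:3.20.3` and its `before_script` installs only `cosign`, yet both script lines call `crane digest`, which the old signing steps got from the `alpine/crane:0.20.2` image of `.gitlab-opentofu-image:deploy:base`. It also no longer inherits the `crane auth login` line, so unless credentials reach the job some other way cosign has nothing to authenticate with when it pushes the signature to `$CI_REGISTRY`, and no `stage:` or `needs:` is visible on the job or on `.image-matrix:deploy`, so nothing here orders it after the `crane copy` in the deploy job. I would make `crane` available in the job (the same image as the deploy base, or installed next to cosign), add `- crane auth login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"` to its `before_script`, and set `stage: deploy` with a dependency on the copy. Separately, the tag is resolved twice (`crane digest --full-ref` for signing, then an unquoted `crane digest $RELEASE_IMAGE` for the artifact); resolving it once into a variable and reusing it guarantees that the digest written to `image$CI_JOB_ID.md` is the one that was signed.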
tests/unit.gitlab-ci.yml
+
1
−
1
...
...
@@ -33,7 +33,7 @@ variables:
unit-test:gitlab-tofu
:
extends
:
-
.unit-test-base
-
.image-matrix
-
.image-matrix
:build
script
:
-
bats --jobs 8 --report-formatter junit --filter-tags '!source' tests/unit/gitlab-tofu.bats
...
...