Commit 2cadff67 authored by Federico Falconieri's avatar Federico Falconieri

Merge branch 'main' into '33-feat-helm-jobs-2'

# Conflicts:
#   .gitlab-ci.yml
parents 4de1f291 676c0db9
+11 −4
@@ -34,11 +34,18 @@ jobs:c:
      - local: tests/jobs/c.yml
    strategy: depend

jobs:container:
jobs:kaniko:
  stage: test
  trigger:
    include:
      - local: tests/jobs/container.yml
      - local: tests/jobs/kaniko.yml
    strategy: depend

jobs:buildah:
  stage: test
  trigger:
    include:
      - local: tests/jobs/buildah.yml
    strategy: depend

jobs:docs:
@@ -84,14 +91,14 @@ pipelines:container:polyrepo:
      - local: tests/pipelines/container/polyrepo.yml
    strategy: depend

pipelines:container:monorepo:
pipelines:kaniko:monorepo:
  stage: test
  trigger:
    include:
      - local: tests/pipelines/container/monorepo.yml
    strategy: depend

pipelines:container:python:
pipelines:kaniko:python:
  stage: test
  trigger:
    include:
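Review bot: `pipelines:kaniko:monorepo` is renamed in the second hunk but still triggers `tests/pipelines/container/monorepo.yml`, whereas the sibling `jobs:kaniko` in the first hunk was repointed from `tests/jobs/container.yml` to `tests/jobs/kaniko.yml` alongside its rename. If the test pipeline files were moved under a `kaniko` directory as the job files were, the include should follow, e.g. `- local: tests/pipelines/kaniko/monorepo.yml`; if the `container/` path is deliberately kept, a one-line comment above the job saying so would stop the next reader from "fixing" it. The renamed `pipelines:kaniko:python` job's include path falls outside this hunk, so it cannot be checked here.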
+15 −41
# Just CI templates v5.4.0
# Just CI templates v6.0.0

Maintainers:

@@ -36,8 +36,8 @@ templates.

- **Templates** are collections of pipelines. Users should import templates
  rather than dealing with pipelines or jobs directly. They are in the directory
  `templates`. For example the `templates/python-docker.yml` provides the user
  with pipelines for python and docker jobs, our default workflow rules and
  `templates`. For example the `templates/container/python.yml` provides the
  user with pipelines for python and docker jobs, our default workflow rules and
  project-automation pipeline.

# How to use
@@ -79,9 +79,9 @@ is an example `.gitlab-ci.yml` importing the python template:
```yaml
---
include:
  - project: "just-ci/templates"
    file: "templates/python.yml"
    ref: "v5.4.0"
  - project: just-ci/templates
    file: templates/python.yml
    ref: v6.0.0
```

The above is a template for Python projects. Other templates can be found in
@@ -100,9 +100,9 @@ you want you can always disable specific jobs with custom rules.
```yaml
---
include:
  - project: "just-ci/templates"
    file: "templates/python.yml"
    ref: "v5.4.0"
  - project: just-ci/templates
    file: templates/python.yml
    ref: v6.0.0

python:pytest:
  rules:
@@ -122,41 +122,15 @@ there has been a breaking change in `master`, use an older tag like this:
```yaml
---
include:
  - project: "just-ci/templates"
    file: "python/pylint.yml"
    ref: "v3.19.2"
  - project: just-ci/templates
    file: python/pylint.yml
    ref: v3.19.2
```

# monorepos vs polirepos
# Monorepo (multiple Dockerfiles) or polyrepo (one Dockerfile)

We support both! Read [this](pipelines/container/readme.md) for more information
on how to configure pipelines for monorepos and polirepos.

### example python polyrepo

Polirepos will likely work out of the box without extra configuration needed.

```yaml
---
include:
  - project: "just-ci/templates"
    file: "templates/container/python.yml"
    ref: v5.4.0-beta.1
```

### example monorepo

In monorepos you can start by including the following, but you will need to
write your own kaniko and grype job. Again, read
[this](pipelines/container/readme.md)

```yaml
---
include:
  - project: "just-ci/templates"
    file: "templates/container/monorepo.yml"
    ref: v5.4.0-beta.1
```
We support both! Read [this](pipelines/container.md) for more information on how
to configure pipelines for monorepos and polyrepos.

## Contributing

+1 −1
---
.ssh:
  image: alpine:latest
  image: docker.io/alpine:3
  before_script:
    - apk add --no-cache openssh
    - eval $(ssh-agent -s)

container/buildah.yml

0 → 100644
+32 −0
---
# https://github.com/containers/buildah
include:
  - local: container/image.yml

variables:
  BUILDAH_EXTRA_ARGS: "" # https://github.com/containers/buildah/blob/main/docs/buildah-build.1.md

.buildah:
  stage: build
  extends: [".image:rules", ".image:name"]
  image: quay.io/buildah/stable:latest
  script:
    - !reference [".image:name", script]
    - |
      if [ "${BUILDAH_EXTRA_ARGS}" != "" ]; then
        echo "[*] Applying the extra arguments '${BUILDAH_EXTRA_ARGS}'."
      fi
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n
      ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64)\"}}}" >
      /tmp/auth.json
    - |
      if [ "${IMAGE_CONTAINERFILE}" != "" ]; then
        CONTAINERFILE_ARG="-f ${IMAGE_CONTAINERFILE}"
      fi
    - buildah build --authfile /tmp/auth.json ${CONTAINERFILE_ARG}
      --tag=${IMAGE_NAME}:${IMAGE_DEV_TAG} --tag=${IMAGE_NAME}:${IMAGE_TAG}
      --layers=${IMAGE_CACHE} ${BUILDAH_EXTRA_ARGS} ${IMAGE_CONTEXT}
    - |
      for IMAGE in "${IMAGE_NAME}:${IMAGE_TAG}" "${IMAGE_NAME}:${IMAGE_DEV_TAG}"; do
        buildah push --authfile /tmp/auth.json ${IMAGE}
      done
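Review bot: The build image at `image: quay.io/buildah/stable:latest` is a floating tag, so the tool that builds and pushes every image produced from this template changes underneath downstream projects without any commit on their side; pin it to a release tag, ideally with a digest (`image: quay.io/buildah/stable:<version>@sha256:<digest>`, values to be filled in). The `.ssh` template's `docker.io/alpine:3` in this same commit has the same property, though a major-version tag drifts more slowly. A smaller point: the registry credentials file at `/tmp/auth.json` is assembled by hand from an escaped JSON string, `echo -n` and `base64`; `echo "${CI_REGISTRY_PASSWORD}" | buildah login --authfile /tmp/auth.json --username "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"` writes the same file without the hand-built JSON and keeps working if the auth file format changes.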
+21 −34
---
include:
  - local: container/image.yml

variables:
  SYFT_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.json
  SYFT_REGISTRY_AUTH_AUTHORITY: ${CI_REGISTRY}
  SYFT_REGISTRY_AUTH_USERNAME: ${CI_REGISTRY_USER}
  SYFT_REGISTRY_AUTH_PASSWORD: ${CI_REGISTRY_PASSWORD}
  GRYPE_IMAGE: ${CI_REGISTRY_IMAGE}:dev-${CI_COMMIT_SHORT_SHA}
  GRYPE_OUTPUT_FILE: ${CI_COMMIT_SHORT_SHA}.txt
  GRYPE_FAIL_ON_THRESHOLD: "critical"
  GRYPE_FAIL_ON_THRESHOLD: critical
  GRYPE_EXTRA_ARGS: ""
  GRYPE_DEFAULT_ARGS: "--only-fixed"
  GRYPE_CVE_BLACKLIST_REGEX: "CVE-xxx"
  GRYPE_DEFAULT_ARGS: --only-fixed
  GRYPE_CVE_BLACKLIST_REGEX: CVE-xxx

.grype:
  # TODO: replace alpine and installation with our custom image
  image: alpine:3
  image: docker.io/alpine:3
  stage: test
  script:
    - apk add --no-cache curl
    # versions are pinned to these because of a bug in grype v0.36.0
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh
      | sh -s -- -b /usr/local/bin v0.35.1
    - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh
      | sh -s -- -b /usr/local/bin v0.31.1
    - echo ${GRYPE_IMAGE}
    - !reference [".image:name", script]
    - wget -O- https://raw.githubusercontent.com/anchore/syft/main/install.sh |
      sh -s -- -b /usr/local/bin
    - wget -O- https://raw.githubusercontent.com/anchore/grype/main/install.sh |
      sh -s -- -b /usr/local/bin
    - echo "${IMAGE_NAME}:${IMAGE_DEV_TAG}"
    # 0) get the SBOM from syft
    - syft packages ${GRYPE_IMAGE} -o json > ${SYFT_OUTPUT_FILE}
    - syft packages ${IMAGE_NAME}:${IMAGE_DEV_TAG} -o json > syft.json
    # 1) run grype on syft SBOM report to obtain a full grype report with all vulnerabilities
    - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE}
    - grype sbom:syft.json --output=table --file grype.txt
    # 2) fail job if any of blacklisted vulnerabilities is in grype output. Grype does not provide blacklisting natively.
    - cat ${GRYPE_OUTPUT_FILE} | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1
      || exit 0
    - cat grype.txt | grep -E ${GRYPE_CVE_BLACKLIST_REGEX} && exit 1 || exit 0
    # 3) fail job if vulnerabilities at or above GRYPE_FAIL_ON_THRESHOLD
    - grype sbom:${SYFT_OUTPUT_FILE} --output=table --file ${GRYPE_OUTPUT_FILE}
      --fail-on ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS}
      ${GRYPE_EXTRA_ARGS}
    - grype sbom:syft.json --output=table --file grype.txt --fail-on
      ${GRYPE_FAIL_ON_THRESHOLD} ${GRYPE_DEFAULT_ARGS} ${GRYPE_EXTRA_ARGS}
  artifacts:
    paths:
      - ${SYFT_OUTPUT_FILE}
      - ${GRYPE_OUTPUT_FILE}
      - syft.json
      - grype.txt
    when: always
  allow_failure: true

# default for polirepos
grype:
  extends: .grype

# hidden job for monorepos
.grype:monorepo:
  extends: .grype
  variables:
    GRYPE_CONTEXT: changeme
    GRYPE_IMAGE: ${CI_REGISTRY_IMAGE}/${GRYPE_CONTEXT}:dev-${CI_COMMIT_SHORT_SHA}
    SYFT_OUTPUT_FILE: ${GRYPE_CONTEXT}-${CI_COMMIT_SHORT_SHA}.json
    GRYPE_OUTPUT_FILE: ${GRYPE_CONTEXT}-${CI_COMMIT_SHORT_SHA}.txt