feat: adaptive pipeline

    file: '/templates/gitlab-ci-gitleaks.yml'

```

## `gitleaks` and `gitleaks-quick` jobs configuration

## `gitleaks` jobs configuration

Those jobs trigger a Gitleaks analysis (either on the complete repository, either on the current branch).

They use the following configuration.

| `GITLEAKS_IMAGE`      | The Docker image used to run Gitleaks  | `zricethezav/gitleaks:latest` |

| `GITLEAKS_RULES`      | Gitleaks [configuration rules](https://github.com/zricethezav/gitleaks#configuration) to use (you may also provide your own `.gitleaks.toml` configuration file in your project). | _none_ (uses default rules) |

| `GITLEAKS_ARGS`       | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a full Gitleaks analysis (on master or develop branches) | `--verbose` |

| `GITLEAKS_QUICK_ARGS` | [Options](https://github.com/zricethezav/gitleaks/wiki/Options) for a quick Gitleaks analysis (on feature branches) | `--verbose` _(audit on the current branch)_ |

| `GITLEAKS_QUICK_DEPTH` | Number of commits to scan (on feature branches) | `10` | 

### Configuring Gitleaks rules

# program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth

# Floor, Boston, MA  02110-1301, USA.

# =========================================================================================

# default workflow rules

# default workflow rules: Merge Request pipelines

workflow:

  rules:

    # exclude merge requests

    - if: $CI_MERGE_REQUEST_ID

    # prevent branch pipeline when an MR is open (prefer MR pipeline)

    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'

      when: never

    - when: always

# test job prototype: implement adaptive pipeline rules

.test-policy:

  rules:

    # on tag: auto & failing

    - if: $CI_COMMIT_TAG

    # on ADAPTIVE_PIPELINE_DISABLED: auto & failing

    - if: '$ADAPTIVE_PIPELINE_DISABLED == "true"'

    # on production or integration branch(es): auto & failing

    - if: '$CI_COMMIT_REF_NAME =~ $PROD_REF || $CI_COMMIT_REF_NAME =~ $INTEG_REF'

    # early stage (dev branch, no MR): manual & non-failing

    - if: '$CI_MERGE_REQUEST_ID == null && $CI_OPEN_MERGE_REQUESTS == null'

      when: manual

      allow_failure: true

    # Draft MR: auto & non-failing

    - if: '$CI_MERGE_REQUEST_TITLE =~ /^Draft:.*/'

      allow_failure: true

    # else (Ready MR): auto & failing

    - when: on_success

variables:

  # variabilized tracking image

  TBC_TRACKING_IMAGE: "$CI_REGISTRY/to-be-continuous/tools/tracking:master"

  # Default Docker image (can be overridden)

  GITLEAKS_IMAGE: "zricethezav/gitleaks:latest"

  GITLEAKS_ARGS: "--verbose"

  GITLEAKS_QUICK_DEPTH: "10"

  GITLEAKS_QUICK_ARGS: "--verbose"

  # default production ref name (pattern)

  PROD_REF: '/^(master|main)$/'

  # default integration ref name (pattern)

    paths:

      - gitleaks/

  rules:

    # on production and integration branch(es)

    - if: '$CI_COMMIT_REF_NAME =~ $INTEG_REF || $CI_COMMIT_REF_NAME =~ $PROD_REF'

# quick analysis on dev branches

gitleaks-quick:

  extends: gitleaks

  variables:

    GIT_DEPTH: "${GITLEAKS_QUICK_DEPTH}"

  script:

    - gitleaks detect ${TRACE+--log-level debug} --source . $gitleaks_rule_opts --report-path ./gitleaks/gitleaks-report.json --log-opts="-n ${GITLEAKS_QUICK_DEPTH}" $GITLEAKS_QUICK_ARGS

  rules:

    # only on non-production, non-integration branches

    - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF && $CI_COMMIT_REF_NAME !~ $INTEG_REF'

      allow_failure: true

    - !reference [.test-policy, rules]