Commit 7912acd8 authored by Pierre Smeyers's avatar Pierre Smeyers

ci: support custom TBC group as an alternative CI/CD configuration

This change restores a working build for the basic forking workflow on gitlab.com.
parent ffff8857
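--- /dev/null
+++ b/.gitlab-ci-namespaced.yml
@@ -0,0 +1,245 @@
+# Alternative CI/CD configuration file when using TBC in a self-managed GitLab with a custom TBC root group (different from the default "to-be-continuous")
+# ℹ️ The CI/CD configuration file can be selected in your project: Settings > CI/CD > General Pipelines > CI/CD Configuration File.
+# ⚠️ Requires that the TBC_NAMESPACE variable be set as a server instance variable (recommended), group variable, or project variable.
+include:
+  # $TBC_NAMESPACE is a group variable; can be globally overridden
+  # Docker template
+  - component: "$CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@8"
+    inputs:
+      healthcheck-disabled: true
+      build-args: "--cache-ttl=6h"
+      prod-publish-strategy: "auto"
+      release-extra-tags: "latest \\g<major>.\\g<minor>\\g<build> \\g<major>\\g<build>"
+  # Python template
+  - component: "$CI_SERVER_FQDN/$TBC_NAMESPACE/python/gitlab-ci-python@9"
+    inputs:
+      image: "docker.io/library/python:3.13-slim"
+      ruff-enabled: true
+      publish-enabled: true
+      semgrep-disabled: true
+  # semantic-release template
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@4
+    inputs:
+      # disable semrel for all synch'd repositories
+      release-disabled: true
+      auto-release-enabled: true
+
+stages:
+  - build
+  - test
+  - package-build
+  - package-test
+  - infra
+  - deploy
+  - acceptance
+  - publish
+  - infra-prod
+  - production
+
+variables:
+  AWS_ACCOUNT: 123456789012
+  AWS_REGION: us-east-1
+
+.test-scripts: &test-scripts |
+  # BEGSCRIPT
+  set -e
+
+  function log_info() {
+      echo -e "[\\e[1;94mINFO\\e[0m] $*"
+  }
+
+  function log_warn() {
+      echo -e "[\\e[1;93mWARN\\e[0m] $*"
+  }
+
+  function log_error() {
+      echo -e "[\\e[1;91mERROR\\e[0m] $*"
+  }
+
+  function fail() {
+    log_error "$*"
+    exit 1
+  }
+
+  function assert_eq() {
+    local expected="$1"
+    local actual="$2"
+
+    if [ "$expected" == "$actual" ]; then
+      log_info "$expected == $actual"
+      return 0
+    else
+      fail "$expected == $actual"
+      return 1
+    fi
+  }
+
+  # ENDSCRIPT
+
+.test-base:
+  image: "docker.io/badouralix/curl-jq"
+  stage: package-test
+  services:
+    - name: "$DOCKER_SNAPSHOT_IMAGE"
+      alias: "aws-auth-provider"
+  before_script:
+    - !reference [.test-scripts]
+
+test-health:
+  extends: .test-base
+  script:
+    # test: GET /health responds 200 / "ok"
+    - response_status=`curl -s -o "resp.txt" -w "%{http_code}" http://aws-auth-provider/health`
+    - assert_eq "200" $response_status
+    - assert_eq "ok" $(cat resp.txt)
+
+# test: get token with implicit env detection fails if no credentials are passed (error 401)
+.test-token-no-creds-fails:
+  extends: .test-base
+  script:
+    - response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "${TEST_ENDPOINT}")
+    - cat resp.txt
+    - assert_eq "401" $response_status
+
+# test: get token with invalid OIDC role fails with 500
+.test-token-invalid-oidc-fails:
+  extends: .test-base
+  variables:
+    AWS_OIDC_ROLE_ARN: "arn:aws:iam::$AWS_ACCOUNT:role/no-such-role"
+    AWS_JWT: $AWS_JWT
+  id_tokens:
+    # required by the AWS auth provider service (OIDC authentication method)
+    AWS_JWT:
+      aud: "$CI_SERVER_URL"
+  script:
+    - response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "${TEST_ENDPOINT}")
+    - cat resp.txt
+    - assert_eq "500" $response_status
+
+test-ecr-token-no-creds-fails:
+  extends: .test-token-no-creds-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/ecr/auth/token"
+
+test-ecr-token-invalid-oidc-fails:
+  extends: .test-token-invalid-oidc-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/ecr/auth/token"
+
+test-codeartifact-token-no-creds-fails:
+  extends: .test-token-no-creds-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/codeartifact/auth/token"
+
+test-codeartifact-repository-no-creds-fails:
+  extends: .test-token-no-creds-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi"
+    AWS_CODEARTIFACT_DOMAIN: "my-domain"
+    AWS_CODEARTIFACT_DOMAIN_OWNER: "123456789012"
+    AWS_CODEARTIFACT_REPOSITORY: "my-repo"
+
+test-codeartifact-token-invalid-oidc-fails:
+  extends: .test-token-invalid-oidc-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/codeartifact/auth/token"
+    AWS_CODEARTIFACT_DOMAIN: "my-domain"
+    AWS_CODEARTIFACT_DOMAIN_OWNER: "123456789012"
+
+test-codeartifact-repository-invalid-oidc-fails:
+  extends: .test-token-invalid-oidc-fails
+  variables:
+    TEST_ENDPOINT: "http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi"
+    AWS_CODEARTIFACT_DOMAIN: "my-domain"
+    AWS_CODEARTIFACT_DOMAIN_OWNER: "123456789012"
+    AWS_CODEARTIFACT_REPOSITORY: "my-repo"
+
+
+# test: get token with valid OIDC account and provider shall succeed
+# requires the following project variables are set:
+# - AWS_WORKING_ACCOUNT
+# - AWS_WORKING_REGION
+# - AWS_WORKING_OIDC_ROLE_ARN
+test-ecr-token-succeeds:
+  extends: .test-base
+  variables:
+    AWS_JWT: $AWS_JWT
+    AWS_TEST_REGION: $AWS_WORKING_REGION
+    AWS_TEST_OIDC_ROLE_ARN: $AWS_WORKING_OIDC_ROLE_ARN
+  id_tokens:
+    # required by the AWS auth provider service (OIDC authentication method)
+    AWS_JWT:
+      aud: "$CI_SERVER_URL"
+  script:
+    - response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://aws-auth-provider/ecr/auth/token?env_ctx=TEST")
+    - |
+      if [[ "$response_status" != 200 ]]
+      then
+        echo "Get ECR token failed ($response_status)"
+        curl -s -v "http://aws-auth-provider/ecr/auth/token?env_ctx=TEST"
+      fi
+    - assert_eq "200" $response_status
+    - ecr_token=$(cat resp.txt)
+    # see: https://docs.docker.com/registry/spec/api/#listing-repositories
+    - |
+      response_status=$(curl -s -o resp.txt -w "%{http_code}" -H "Authorization: Basic $ecr_token" "https://$AWS_WORKING_ACCOUNT.dkr.ecr.$AWS_WORKING_REGION.amazonaws.com/v2/_catalog")
+    - assert_eq "200" $response_status
+  rules:
+    # exclude tags
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_SERVER_HOST != "gitlab.com"
+      when: never
+    - if: '$AWS_WORKING_ACCOUNT && $AWS_WORKING_REGION && $AWS_WORKING_OIDC_ROLE_ARN'
+
+# test: get token with valid OIDC account and provider shall succeed
+# requires the following project variables are set:
+# - AWS_WORKING_ACCOUNT
+# - AWS_WORKING_REGION
+# - AWS_WORKING_OIDC_ROLE_ARN
+# - AWS_WORKING_CODEARTIFACT_DOMAIN
+# - AWS_WORKING_CODEARTIFACT_DOMAIN_OWNER
+# - CODEARTIFACT_REPOSITORY - an existing repository in the domain
+# - CODEARTIFACT_PACKAGE_NAME - an existing package name in the repository
+test-codeartifact-token-succeeds:
+  extends: .test-base
+  variables:
+    AWS_JWT: $AWS_JWT
+    AWS_TEST_REGION: $AWS_WORKING_REGION
+    AWS_TEST_OIDC_ROLE_ARN: $AWS_WORKING_OIDC_ROLE_ARN
+    AWS_TEST_CODEARTIFACT_DOMAIN: $AWS_WORKING_CODEARTIFACT_DOMAIN
+    AWS_TEST_CODEARTIFACT_DOMAIN_OWNER: $AWS_WORKING_CODEARTIFACT_DOMAIN_OWNER
+    AWS_TEST_CODEARTIFACT_REPOSITORY: $CODEARTIFACT_REPOSITORY
+  id_tokens:
+    # required by the AWS auth provider service (OIDC authentication method)
+    AWS_JWT:
+      aud: "$CI_SERVER_URL"
+  script:
+    - response_status=$(curl -s -o "resp.txt" -w "%{http_code}" "http://aws-auth-provider/codeartifact/auth/token?env_ctx=TEST")
+    - |
+      if [[ "$response_status" != 200 ]]
+      then
+        echo "Get codeartifact token failed ($response_status)"
+        curl -s -v "http://aws-auth-provider/codeartifact/auth/token?env_ctx=TEST"
+      fi
+    - assert_eq "200" $response_status
+    - codeartifact_token=$(cat resp.txt)
+    - response_status=$(curl -s -o resp.txt -w "%{http_code}" "http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi&env_ctx=TEST")
+    - |
+      if [[ "$response_status" != 200 ]]
+      then
+        echo "Get codeartifact repository endpoint failed ($response_status)"
+        curl -s -v "http://aws-auth-provider/codeartifact/repository/endpoint?format=pypi&env_ctx=TEST"
+      fi
+    - assert_eq "200" $response_status
+    - codeartifact_endpoint=$(cat resp.txt)
+    - |
+      response_status=$(curl -s -o resp.txt -w "%{http_code}" -H "Authorization: Bearer $codeartifact_token" "${codeartifact_endpoint}simple/${CODEARTIFACT_PACKAGE_NAME}/")
+    - assert_eq "200" $response_status
+  rules:
+    # exclude tags
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_SERVER_HOST != "gitlab.com"
+      when: never
+    - if: '$AWS_WORKING_ACCOUNT && $AWS_WORKING_REGION && $AWS_WORKING_OIDC_ROLE_ARN && $AWS_WORKING_CODEARTIFACT_DOMAIN && $AWS_WORKING_CODEARTIFACT_DOMAIN_OWNER && $CODEARTIFACT_PACKAGE_NAME && $CODEARTIFACT_REPOSITORY'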
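Review bot: The two OIDC success jobs (`test-ecr-token-succeeds`, `test-codeartifact-token-succeeds`) carry the rule `- if: $CI_SERVER_HOST != "gitlab.com"` / `when: never`, yet the file's header comment says it is the configuration for a self-managed GitLab with a custom TBC root group, so on every instance where this file is selected those two jobs are skipped and only the 401/500 negative tests run. If that is intended (the working AWS account is only wired to gitlab.com), say so next to the rule, e.g. `# the AWS_WORKING_* account is only provisioned for gitlab.com; self-managed instances run the negative tests only`; otherwise drop that rule and let the trailing `$AWS_WORKING_*` variable check gate the job. Two smaller points: `AWS_ACCOUNT: 123456789012` is a bare integer while the same value is quoted as `AWS_CODEARTIFACT_DOMAIN_OWNER: "123456789012"` further down, so quoting it keeps the typing consistent; and the `&test-scripts` anchor is never aliased (the jobs use `!reference [.test-scripts]`), so it can be removed.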
+5 −6
# Default CI/CD configuration file
# ℹ️ If you're using TBC in a self-managed GitLab with a custom TBC root group, use .gitlab-ci-namespaced.yml instead
include:
  # $TBC_NAMESPACE is a group variable; can be globally overridden
  # Docker template
  - component: "$CI_SERVER_FQDN/$TBC_NAMESPACE/docker/gitlab-ci-docker@8"
  - component: "$CI_SERVER_FQDN/to-be-continuous/docker/gitlab-ci-docker@8"
    inputs:
      healthcheck-disabled: true
      build-args: "--cache-ttl=6h"
      prod-publish-strategy: "auto"
      release-extra-tags: "latest \\g<major>.\\g<minor>\\g<build> \\g<major>\\g<build>"
  # Python template
  - component: "$CI_SERVER_FQDN/$TBC_NAMESPACE/python/gitlab-ci-python@9"
  - component: "$CI_SERVER_FQDN/to-be-continuous/python/gitlab-ci-python@9"
    inputs:
      image: "docker.io/library/python:3.13-slim"
      ruff-enabled: true
      publish-enabled: true
      semgrep-disabled: true
  # semantic-release template
  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@4
  - component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@4
    inputs:
      # disable semrel for all synch'd repositories
      release-disabled: true
@@ -34,8 +35,6 @@ stages:
  - production

variables:
  # Default value; can be globally overridden
  TBC_NAMESPACE: "to-be-continuous"
  AWS_ACCOUNT: 123456789012
  AWS_REGION: us-east-1
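Review bot: The `include` stanza now hardcodes the `to-be-continuous` group while the hunk at `@@ -34,8 +35,6 @@` drops the `TBC_NAMESPACE` default, so the comment `# $TBC_NAMESPACE is a group variable; can be globally overridden` is stale if it survives on the new side (the rendered page does not show which side it is on) and should be removed or reworded to `# default TBC root group; use .gitlab-ci-namespaced.yml for a custom group`. The semantic-release component reference is the only unquoted one of the three (`- component: $CI_SERVER_FQDN/to-be-continuous/semantic-release/gitlab-ci-semrel@4`); quoting it like the Docker and Python entries keeps the file uniform. `AWS_ACCOUNT: 123456789012` is a bare integer here too, same remark as in the new namespaced file.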