From 4417fcf85f3829bc54159313462390918afb9586 Mon Sep 17 00:00:00 2001
From: Dantali0n <info@dantalion.nl>
Date: Fri, 1 Dec 2023 13:43:10 +0100
Subject: [PATCH] CWG-75: Protect Gitlab secrets, raise awareness

---
 README.md | 8 ++++++++
 {{cookiecutter.project_slug}}/.gitlab-ci.yml | 16 ++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 9973445..fd15d2b 100644
--- a/README.md
+++ b/README.md
@@ -22,5 +22,13 @@ cookiecutter https://git.astron.nl/templates/cpp-project.git
 # Next follow a set of prompts (such as the name and description of the package)
 ```

+## Gitlab security, secrets and role configuration
+
+When using these templates for a repository on git.astron.nl please read the following
+pages to configure Gitlab appropriately:
+
+1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
+2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
+
 ## License
 This project is licensed under the Apache License Version 2.0
diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index 93d9e58..e21ce1a 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -129,10 +129,21 @@ pages:
 paths:
 - build/doc/*

+release_job:
+ stage: publish
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ rules:
+ - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+ script:
+ - echo "running release_job"
+ release:
+ tag_name: '$CI_COMMIT_TAG'
+ description: '$CI_COMMIT_TAG'
+
 abi-deploy:
 stage: publish
 needs: ["trigger_prepare"]
- environment: production
+ environment: abi
 script:
 - cmake --version
 - mkdir build && cd build
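Review bot: `release_job` pulls `registry.gitlab.com/gitlab-org/release-cli:latest`, a mutable tag, while its rule limits it to protected tags, which are the pipelines where protected CI/CD variables are handed to the job. Pin the image to a fixed release or a digest, e.g. `image: registry.gitlab.com/gitlab-org/release-cli:<PINNED_VERSION>` (placeholder; use the version you have verified), so the release environment changes only through a reviewed commit. Because this file is a cookiecutter template, the choice is inherited by every generated project. Separately, changing `environment: production` to `environment: abi` only adds protection if an `abi` environment with deployment restrictions is configured in each project, which is not visible here; the abi-deploy job continues beyond this hunk.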
@@ -143,4 +154,5 @@ abi-deploy:
 # The syntax is described at https://docs.gitlab.com/ee/user/packages/generic_packages/index.html
 - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${APPLICATION_LAST_RELEASE}.dump "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/ABI/${APPLICATION_LAST_RELEASE}/abi.dump"'
 rules:
- - when: manual
+ - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+ - when: manual
-- 
GitLab
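Review bot: The fallback `- when: manual` carries no condition, so abi-deploy can still be started by hand in pipelines for unprotected branches and tags; the added protected-tag rule only makes the job automatic on protected tags and does not restrict where the upload can run. If the ABI dump is meant to be published only from protected refs, give the fallback the same guard: `- if: '$CI_COMMIT_REF_PROTECTED == "true"'` followed by `when: manual`. A comment above `rules:` stating the intent would also help, e.g. `# publish automatically on protected tags; manual runs on protected refs only`. The job's script starts outside this hunk, so what `APPLICATION_LAST_RELEASE` resolves to in a branch pipeline is not visible here.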