From 1d8420dd81179dc885b4cb923334764c0015ea0d Mon Sep 17 00:00:00 2001
From: Dantali0n <info@dantalion.nl>
Date: Fri, 1 Dec 2023 14:02:45 +0100
Subject: [PATCH] CWG-75: Secure jobs with secrets and raise awareness

---
 README.md                                    |  8 ++++++++
 {{cookiecutter.project_slug}}/.gitlab-ci.yml | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/README.md b/README.md
index 8f9500e..75ed43c 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git
 # Next follow a set of prompts (such as the name and description of the package)
 ```
 
+## Gitlab security, secrets and role configuration
+
+When using these templates for a repository on git.astron.nl please read the following
+pages to configure Gitlab appropriately:
+
+1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
+2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
+
 ## License
 
 This project is licensed under the Apache License Version 2.0
\ No newline at end of file
diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index 1fb825d..86d0ce1 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -155,6 +155,7 @@ publish_on_test_pypi:
   when: manual
   rules:
     - if: $CI_COMMIT_TAG
+  allow_failure: true
   script:
     - echo "run twine for test pypi"
     # - |
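Review bot: The `rules` entry `- if: $CI_COMMIT_TAG` for publish_on_test_pypi lets the manual publish job run on a tag pushed to any ref, while the release_job introduced at the end of this patch additionally requires `$CI_COMMIT_REF_PROTECTED == "true"`. Since the commit's stated aim is to secure the jobs that consume secrets, the two PyPI publish jobs could use the same condition, `- if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'`, so a tag on an unprotected ref never even offers the publish button. The same applies to the publish_on_pypi hunk at `@@ -172,6 +174,7 @@`. The job definition starts before this hunk.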
@@ -163,6 +164,7 @@ publish_on_test_pypi:
     # TODO: replace URL with a pipy URL
     #   python -m twine upload \
     #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 
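Review bot: The added `- exit 1` at the end of the publish_on_test_pypi script is presumably a deliberate placeholder failure while the twine upload above it is still commented out, but nothing on the line says so, and combined with `allow_failure: true` from the previous hunk the pipeline stays green regardless. A comment above it, `# placeholder: fail until the twine upload above is enabled; remove this line and allow_failure together`, would stop a later maintainer from removing only one half and masking a real upload failure. The same applies to the publish_on_pypi hunk at `@@ -180,6 +183,7 @@`.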
 publish_on_pypi:
   stage: publish
@@ -172,6 +174,7 @@ publish_on_pypi:
   when: manual
   rules:
     - if: $CI_COMMIT_TAG
+  allow_failure: true
   script:
     - echo "run twine for pypi"
     # - |
@@ -180,6 +183,7 @@ publish_on_pypi:
     # TODO: replace URL with a pipy URL
     #   python -m twine upload \
     #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 
 publish_to_readthedocs:
   stage: publish
@@ -193,3 +197,14 @@ publish_to_readthedocs:
   script:
     - echo "scp docs/* ???"
     - exit 1
+
+release_job:
+  stage: publish
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  rules:
+    - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+  script:
+    - echo "running release_job"
+  release:
+    tag_name: '$CI_COMMIT_TAG'
+    description: '$CI_COMMIT_TAG'
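Review bot: The `image: registry.gitlab.com/gitlab-org/release-cli:latest` line of release_job pulls a floating tag, so a job that runs only on protected tags, with access to protected variables, executes whatever the registry serves at that moment. Pinning the tag to a specific version, or better a digest, makes the release step reproducible and reviewable, e.g. `image: registry.gitlab.com/gitlab-org/release-cli:<pinned version>`. The protected-ref condition on `rules` is the right gate for this job; `release.description` currently repeats the tag name, which is fine as a first step but worth a comment noting it is intended to be replaced with real release notes.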
-- 
GitLab