Merge branch 'CWG-75' into 'main'

CWG-75: Secure jobs with secrets and raise awareness Closes CWG-75 See merge request !5

Merge branch 'CWG-75' into 'main'
62b7b4e8 · Corné Lukken · d07d007a · ee7b6ff3 · 62b7b4e8 · 62b7b4e8
Commit 62b7b4e8 authored 1 year ago by Corné Lukken
--- a/README.md
+++ b/README.md
@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git
 # Next follow a set of prompts (such as the name and description of the package)
 ```
+## Gitlab security, secrets and role configuration
+When using these templates for a repository on git.astron.nl please read the following
+pages to configure Gitlab appropriately:
+1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
+2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
 ## License
 This project is licensed under the Apache License Version 2.0
\ No newline at end of file
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -108,8 +108,7 @@ package_files:
    paths:
      - dist/*
  script:
-#    - curl -sSL https://get.docker.com/ | sh
+    - source scripts/setup-docker-host.sh
-#    - python -m pip install cibuildwheel==2.13.1 cookiecutter
    - cibuildwheel --platform linux --output-dir dist
 package_docs:
@@ -156,6 +155,7 @@ publish_on_test_pypi:
  when: manual
  rules:
    - if: $CI_COMMIT_TAG
+  allow_failure: true
  script:
    - echo "run twine for test pypi"
    # - |
@@ -164,6 +164,7 @@ publish_on_test_pypi:
    # TODO: replace URL with a pipy URL
    #   python -m twine upload \
    #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 publish_on_pypi:
  stage: publish
@@ -173,6 +174,7 @@ publish_on_pypi:
  when: manual
  rules:
    - if: $CI_COMMIT_TAG
+  allow_failure: true
  script:
    - echo "run twine for pypi"
    # - |
@@ -181,6 +183,7 @@ publish_on_pypi:
    # TODO: replace URL with a pipy URL
    #   python -m twine upload \
    #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 publish_to_readthedocs:
  stage: publish
@@ -194,3 +197,14 @@ publish_to_readthedocs:
  script:
    - echo "scp docs/* ???"
    - exit 1
+release_job:
+  stage: publish
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  rules:
+    - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+  script:
+    - echo "running release_job"
+  release:
+    tag_name: '$CI_COMMIT_TAG'
+    description: '$CI_COMMIT_TAG'
--- a/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
@@ -3,9 +3,9 @@ stages:
 build_ci_runner_image:
  stage: build
-  image: docker:stable
+  image: docker
-  services:
+  tags:
-    - docker:dind
+    - dind
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - |

--- a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
+++ b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
@@ -2,3 +2,4 @@ FROM python:3.11
 RUN python -m pip install --upgrade pip
 RUN pip install --upgrade tox twine cibuildwheel==2.13.1
+RUN curl -sSL https://get.docker.com/ | sh
--- a/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
+++ b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
+#!/bin/sh
+_should_tls() {
+	[ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
+}
+# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
+if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
+	export DOCKER_HOST=unix:///var/run/docker.sock
+elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
+	export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
+if [ -z "${DOCKER_HOST:-}" ]; then
+	if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
+		export DOCKER_HOST='tcp://docker:2376'
+	else
+		export DOCKER_HOST='tcp://docker:2375'
+	fi
+fi
+if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
+	&& [ -z "${DOCKER_TLS_VERIFY:-}" ] \
+	&& [ -z "${DOCKER_CERT_PATH:-}" ] \
+	&& _should_tls \
+; then
+	export DOCKER_TLS_VERIFY=1
+	export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
+fi