From ee7b6ff366236535844eec1ff725ec95f8a2fe95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Corn=C3=A9=20Lukken?= <lukken@astron.nl>
Date: Wed, 27 Mar 2024 12:06:37 +0000
Subject: [PATCH] CWG-75: Secure jobs with secrets and raise awareness

---
 README.md                                     |  8 +++++
 {{cookiecutter.project_slug}}/.gitlab-ci.yml  | 18 +++++++++--
 .../.prepare.gitlab-ci.yml                    |  6 ++--
 .../docker/ci-runner/Dockerfile               |  1 +
 .../scripts/setup-docker-host.sh              | 32 +++++++++++++++++++
 5 files changed, 60 insertions(+), 5 deletions(-)
 create mode 100755 {{cookiecutter.project_slug}}/scripts/setup-docker-host.sh

diff --git a/README.md b/README.md
index 8f9500e..75ed43c 100644
--- a/README.md
+++ b/README.md
@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git
 # Next follow a set of prompts (such as the name and description of the package)
 ```
 
+## Gitlab security, secrets and role configuration
+
+When using these templates for a repository on git.astron.nl please read the following
+pages to configure Gitlab appropriately:
+
+1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
+2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
+
 ## License
 
 This project is licensed under the Apache License Version 2.0
\ No newline at end of file
diff --git a/{{cookiecutter.project_slug}}/.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
index ba8a52e..37ce832 100644
--- a/{{cookiecutter.project_slug}}/.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.gitlab-ci.yml
@@ -108,8 +108,7 @@ package_files:
     paths:
       - dist/*
   script:
-#    - curl -sSL https://get.docker.com/ | sh
-#    - python -m pip install cibuildwheel==2.13.1 cookiecutter
+    - source scripts/setup-docker-host.sh
     - cibuildwheel --platform linux --output-dir dist
 
 package_docs:
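Review bot: `source scripts/setup-docker-host.sh` uses a bash extension, while the script it loads is declared `#!/bin/sh`; under a POSIX `sh` job shell this step fails with "source: not found" before cibuildwheel runs. The portable form `- . scripts/setup-docker-host.sh` is accepted by both shells and makes the sourcing intent clearer than the executable bit the file is created with. Which shell the `package_files` job actually gets depends on the image it runs in, which is outside this hunk.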
@@ -156,6 +155,7 @@ publish_on_test_pypi:
   when: manual
   rules:
     - if: $CI_COMMIT_TAG
+  allow_failure: true
   script:
     - echo "run twine for test pypi"
     # - |
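Review bot: The `allow_failure: true` added here (and in the matching publish_on_pypi hunk) leaves the rule at `- if: $CI_COMMIT_TAG` alone, whereas the new release_job at the end of this file also requires `$CI_COMMIT_REF_PROTECTED == "true"`. Since these are the jobs that will eventually consume PyPI credentials, the same protected-ref rule, `- if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'`, would keep them from being triggered from an unprotected tag. Combined with the placeholder `- exit 1` added in the following hunks, `allow_failure: true` turns these manual jobs into warnings rather than failures; a comment above it such as `# placeholder until the twine upload is enabled; drop allow_failure then` would make that temporary intent explicit.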
@@ -164,6 +164,7 @@ publish_on_test_pypi:
     # TODO: replace URL with a pipy URL
     #   python -m twine upload \
     #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 
 publish_on_pypi:
   stage: publish
@@ -173,6 +174,7 @@ publish_on_pypi:
   when: manual
   rules:
     - if: $CI_COMMIT_TAG
+  allow_failure: true
   script:
     - echo "run twine for pypi"
     # - |
@@ -181,6 +183,7 @@ publish_on_pypi:
     # TODO: replace URL with a pipy URL
     #   python -m twine upload \
     #   --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
+    - exit 1
 
 publish_to_readthedocs:
   stage: publish
@@ -194,3 +197,14 @@ publish_to_readthedocs:
   script:
     - echo "scp docs/* ???"
     - exit 1
+
+release_job:
+  stage: publish
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  rules:
+    - if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
+  script:
+    - echo "running release_job"
+  release:
+    tag_name: '$CI_COMMIT_TAG'
+    description: '$CI_COMMIT_TAG'
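Review bot: `image: registry.gitlab.com/gitlab-org/release-cli:latest` floats on a mutable tag, so the job that creates releases for protected tags picks up whatever the registry serves at run time; pin it, e.g. `image: registry.gitlab.com/gitlab-org/release-cli:<pinned-version>` or a digest. `description: '$CI_COMMIT_TAG'` repeats the tag name as the release description; if that is deliberate a comment saying so would help, otherwise `$CI_COMMIT_TAG_MESSAGE` or a changelog excerpt carries more information. The protected-ref rule on this job is the right pattern and is worth applying to the publish jobs earlier in the file as well.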
diff --git a/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml b/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
index e531b6d..3e48a27 100644
--- a/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
+++ b/{{cookiecutter.project_slug}}/.prepare.gitlab-ci.yml
@@ -3,9 +3,9 @@ stages:
 
 build_ci_runner_image:
   stage: build
-  image: docker:stable
-  services:
-    - docker:dind
+  image: docker
+  tags:
+    - dind
   script:
     - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
     - |
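Review bot: `image: docker` drops the tag that `docker:stable` carried, so this job now floats on the image's `latest` tag; pin an explicit version such as `image: docker:<pinned-version>`. The move from a `docker:dind` service to `tags: - dind` relies on a runner that exposes a Docker daemon (presumably privileged or socket-mounted, not visible here), so a comment above `tags:` like `# requires a runner tagged "dind" that provides a Docker daemon` would document the expectation. The unchanged `docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY` line passes the password on the command line; since the job is being reworked, switching to `--password-stdin` would be a natural follow-up.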
diff --git a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
index 54b2c9c..e9aa9c7 100644
--- a/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
+++ b/{{cookiecutter.project_slug}}/docker/ci-runner/Dockerfile
@@ -2,3 +2,4 @@ FROM python:3.11
 
 RUN python -m pip install --upgrade pip
 RUN pip install --upgrade tox twine cibuildwheel==2.13.1
+RUN curl -sSL https://get.docker.com/ | sh
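Review bot: `RUN curl -sSL https://get.docker.com/ | sh` executes a remote, unpinned installer as root during the image build, so the CI runner image's Docker version changes silently between builds and a tampered download would run unchecked. Prefer installing a pinned package from Docker's apt repository, or at least download the script to a file, compare it against a known hash, and only then run it. If this image only talks to a separate daemon through DOCKER_HOST (as the new setup script suggests), installing just `docker-ce-cli` would also shrink what this layer pulls in; whether `curl` is present in the base image is not visible in this hunk.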
diff --git a/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
new file mode 100755
index 0000000..c535da0
--- /dev/null
+++ b/{{cookiecutter.project_slug}}/scripts/setup-docker-host.sh
@@ -0,0 +1,32 @@
+#!/bin/sh
+
+_should_tls() {
+	[ -n "${DOCKER_TLS_CERTDIR:-}" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
+	&& [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
+}
+
+# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
+if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
+	export DOCKER_HOST=unix:///var/run/docker.sock
+elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
+	export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
+fi
+
+# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
+if [ -z "${DOCKER_HOST:-}" ]; then
+	if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
+		export DOCKER_HOST='tcp://docker:2376'
+	else
+		export DOCKER_HOST='tcp://docker:2375'
+	fi
+fi
+if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
+	&& [ -z "${DOCKER_TLS_VERIFY:-}" ] \
+	&& [ -z "${DOCKER_CERT_PATH:-}" ] \
+	&& _should_tls \
+; then
+	export DOCKER_TLS_VERIFY=1
+	export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
+fi
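Review bot: The fallback `export DOCKER_HOST='tcp://docker:2375'` points the job at an unencrypted, unauthenticated Docker API whenever no TLS client material is found, which sits oddly in a commit about securing jobs. Because the file is sourced into the job shell it can refuse instead: replace the `else` branch body with `echo "setup-docker-host: no TLS client certs under DOCKER_TLS_CERTDIR; refusing plaintext tcp://docker:2375" >&2` followed by `return 1`. On the dind-tagged runners introduced in .prepare.gitlab-ci.yml the Unix-socket branch is presumably what runs, so this only bites where neither a socket nor certificates exist. A header comment stating that the script is meant to be sourced and listing the variables it exports (DOCKER_HOST, DOCKER_TLS_VERIFY, DOCKER_CERT_PATH) would also help, since the `#!/bin/sh` shebang suggests it is run as a program.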
-- 
GitLab