Commit ee7b6ff3 authored by Corné Lukken's avatar Corné Lukken

CWG-75: Secure jobs with secrets and raise awareness

parent d07d007a
1 merge request!5CWG-75: Secure jobs with secrets and raise awareness
...@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git ...@@ -41,6 +41,14 @@ cookiecutter https://git.astron.nl/templates/python-binary-wheel-package.git
# Next follow a set of prompts (such as the name and description of the package) # Next follow a set of prompts (such as the name and description of the package)
``` ```
## Gitlab security, secrets and role configuration
When using these templates for a repository on git.astron.nl please read the following
pages to configure Gitlab appropriately:
1. [Gitlab Repository Configuration](https://git.astron.nl/groups/templates/-/wikis/Gitlab-Repository-Configuration)
2. [Continuous delivery guideline](https://git.astron.nl/groups/templates/-/wikis/Continuous%20Delivery%20Guideline)
## License ## License
This project is licensed under the Apache License Version 2.0 This project is licensed under the Apache License Version 2.0
\ No newline at end of file
...@@ -108,8 +108,7 @@ package_files: ...@@ -108,8 +108,7 @@ package_files:
paths: paths:
- dist/* - dist/*
script: script:
# - curl -sSL https://get.docker.com/ | sh - source scripts/setup-docker-host.sh
# - python -m pip install cibuildwheel==2.13.1 cookiecutter
- cibuildwheel --platform linux --output-dir dist - cibuildwheel --platform linux --output-dir dist
package_docs: package_docs:
...@@ -156,6 +155,7 @@ publish_on_test_pypi: ...@@ -156,6 +155,7 @@ publish_on_test_pypi:
when: manual when: manual
rules: rules:
- if: $CI_COMMIT_TAG - if: $CI_COMMIT_TAG
allow_failure: true
script: script:
- echo "run twine for test pypi" - echo "run twine for test pypi"
# - | # - |
...@@ -164,6 +164,7 @@ publish_on_test_pypi: ...@@ -164,6 +164,7 @@ publish_on_test_pypi:
# TODO: replace URL with a pipy URL # TODO: replace URL with a pipy URL
# python -m twine upload \ # python -m twine upload \
# --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/* # --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
- exit 1
publish_on_pypi: publish_on_pypi:
stage: publish stage: publish
...@@ -173,6 +174,7 @@ publish_on_pypi: ...@@ -173,6 +174,7 @@ publish_on_pypi:
when: manual when: manual
rules: rules:
- if: $CI_COMMIT_TAG - if: $CI_COMMIT_TAG
allow_failure: true
script: script:
- echo "run twine for pypi" - echo "run twine for pypi"
# - | # - |
...@@ -181,6 +183,7 @@ publish_on_pypi: ...@@ -181,6 +183,7 @@ publish_on_pypi:
# TODO: replace URL with a pipy URL # TODO: replace URL with a pipy URL
# python -m twine upload \ # python -m twine upload \
# --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/* # --repository-url ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/pypi dist/*
- exit 1
publish_to_readthedocs: publish_to_readthedocs:
stage: publish stage: publish
...@@ -194,3 +197,14 @@ publish_to_readthedocs: ...@@ -194,3 +197,14 @@ publish_to_readthedocs:
script: script:
- echo "scp docs/* ???" - echo "scp docs/* ???"
- exit 1 - exit 1
release_job:
stage: publish
image: registry.gitlab.com/gitlab-org/release-cli:latest
rules:
- if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'
script:
- echo "running release_job"
release:
tag_name: '$CI_COMMIT_TAG'
description: '$CI_COMMIT_TAG'
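Review bot: publish_on_test_pypi and publish_on_pypi still run on any tag (their `rules` entry is `- if: $CI_COMMIT_TAG`), whereas the new release_job additionally requires the ref to be protected; since the publish jobs are the ones that will eventually consume the PyPI credentials, they should carry the same guard, `- if: '$CI_COMMIT_TAG && $CI_COMMIT_REF_PROTECTED == "true"'`, so an unprotected tag cannot trigger them. The `allow_failure: true` added to both publish jobs is reasonable while each script ends in the placeholder `- exit 1`, but once the commented twine upload is enabled a failed upload would leave the pipeline green; a comment such as `# TODO: remove allow_failure once the twine upload is enabled` above those lines would keep that from being forgotten. release_job pulls `registry.gitlab.com/gitlab-org/release-cli:latest`; pinning a version tag (or an image digest) keeps release behaviour reproducible and reviewable. The publish_on_test_pypi and publish_on_pypi definitions start and end outside these hunks.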
...@@ -3,9 +3,9 @@ stages: ...@@ -3,9 +3,9 @@ stages:
build_ci_runner_image: build_ci_runner_image:
stage: build stage: build
image: docker:stable image: docker
services: tags:
- docker:dind - dind
script: script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
- | - |
......
...@@ -2,3 +2,4 @@ FROM python:3.11 ...@@ -2,3 +2,4 @@ FROM python:3.11
RUN python -m pip install --upgrade pip RUN python -m pip install --upgrade pip
RUN pip install --upgrade tox twine cibuildwheel==2.13.1 RUN pip install --upgrade tox twine cibuildwheel==2.13.1
RUN curl -sSL https://get.docker.com/ | sh
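Review bot: The added `RUN curl -sSL https://get.docker.com/ | sh` executes a remote script with no version pin and no integrity check, so every image build runs whatever the endpoint serves that day and the CI runner image is not reproducible. Prefer installing the Docker CLI from a package repository at a pinned version, or at least download the installer to a file, verify it against a checksum recorded at review time, and only then execute it; the job only needs the client if the daemon is supplied by the runner, as the new setup-docker-host.sh suggests, so the full engine install may be more than is needed. `-f` on the curl call also prevents an HTTP error page from being piped into `sh`.

```dockerfile
# … unchanged: FROM / pip install lines …
# Pin and verify the installer instead of piping it straight into sh.
# <EXPECTED_SHA256> is a placeholder: record the checksum of the reviewed script.
RUN curl -fsSL https://get.docker.com/ -o /tmp/get-docker.sh \
 && echo "<EXPECTED_SHA256>  /tmp/get-docker.sh" | sha256sum -c - \
 && sh /tmp/get-docker.sh \
 && rm -f /tmp/get-docker.sh
```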
#!/bin/sh
_should_tls() {
[ -n "${DOCKER_TLS_CERTDIR:-}" ] \
&& [ -s "$DOCKER_TLS_CERTDIR/client/ca.pem" ] \
&& [ -s "$DOCKER_TLS_CERTDIR/client/cert.pem" ] \
&& [ -s "$DOCKER_TLS_CERTDIR/client/key.pem" ]
}
# if we have no DOCKER_HOST but we do have the default Unix socket (standard or rootless), use it explicitly
if [ -z "${DOCKER_HOST:-}" ] && [ -S /var/run/docker.sock ]; then
export DOCKER_HOST=unix:///var/run/docker.sock
elif [ -z "${DOCKER_HOST:-}" ] && XDG_RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" && [ -S "$XDG_RUNTIME_DIR/docker.sock" ]; then
export DOCKER_HOST="unix://$XDG_RUNTIME_DIR/docker.sock"
fi
# if DOCKER_HOST isn't set (no custom setting, no default socket), let's set it to a sane remote value
if [ -z "${DOCKER_HOST:-}" ]; then
if _should_tls || [ -n "${DOCKER_TLS_VERIFY:-}" ]; then
export DOCKER_HOST='tcp://docker:2376'
else
export DOCKER_HOST='tcp://docker:2375'
fi
fi
if [ "${DOCKER_HOST#tcp:}" != "$DOCKER_HOST" ] \
&& [ -z "${DOCKER_TLS_VERIFY:-}" ] \
&& [ -z "${DOCKER_CERT_PATH:-}" ] \
&& _should_tls \
; then
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH="$DOCKER_TLS_CERTDIR/client"
fi
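Review bot: The final fallback in the second block, `export DOCKER_HOST='tcp://docker:2375'`, silently selects an unencrypted, unauthenticated Docker API endpoint whenever no TLS client certificates are found, and because the script is sourced from the CI job (`- source scripts/setup-docker-host.sh`) nothing stops the job from continuing with that endpoint. At minimum the else branch should make the downgrade visible, e.g. `echo "WARNING: no TLS material found, using plaintext tcp://docker:2375" >&2` before the export, and a reviewer may prefer to fail the job there outright. Note also that the `elif` on the XDG_RUNTIME_DIR branch assigns `XDG_RUNTIME_DIR` as a side effect of the test; since the file is sourced rather than executed, that assignment (and the `_should_tls` function) leaks into the job's shell. A header comment stating the script's purpose and origin (it appears to follow the Docker image's entrypoint logic, but that is inferred) would help the next maintainer understand why the `#!/bin/sh` line is present on a file that is only ever sourced.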