Merge branch 'release/v3.8.0'

Author: dlen

.gitlab-ci.yml

@@ -6,7 +6,6 @@ variables:
   DOCKER_TLS_CERTDIR: ""
 
 stages:
-  - scanning
   - build
   - test-vulnerabilities
   - test
@@ -15,8 +14,9 @@ stages:
 
 include:
   - local: '/.gitlab-ci/Jobs/build_image.yml'
-  - local: '/.gitlab-ci/Jobs/container_security_scan.yml'
+  - local: '/.gitlab-ci/Jobs/rules.yml'
   - local: '/.gitlab-ci/Jobs/test_vulnerabilities.yaml'
   - local: '/.gitlab-ci/Jobs/test_images.yaml'
   - local: '/.gitlab-ci/Jobs/publish.yaml'
   - local: '/.gitlab-ci/Jobs/docker-compose-file-upload.yml'
+  - local: '/.gitlab-ci/Jobs/entrypoint_test.yml'

.gitlab-ci/Jobs/build_image.yml

@@ -1,4 +1,5 @@
 .build:
+  extends: .rules
   stage: build
   image:
     name: gcr.io/kaniko-project/executor:debug
@@ -22,40 +23,40 @@
         --destination $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-$(date +%s) \
         --destination $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR:-local}-${DOCKER_TAG}-latest
 
-.testing-build:
+.stable-build:
   extends: .build
-  rules:
-    - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop"  || $CI_COMMIT_MESSAGE =~ /test-image/ ) && $PASSBOLT_FLAVOUR =~ /ce|pro/'
-      when: on_success
+  variables:
+    COMPONENT: "stable"
+    PASSBOLT_FLAVOUR: "ce"
+    OPPOSITE_FLAVOUR: "pro"
 
-.stable-build:
+.stable-build-pro:
   extends: .build
   variables:
     COMPONENT: "stable"
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR =~ /ce|pro/'
-      when: on_success
+    PASSBOLT_FLAVOUR: "pro"
+    OPPOSITE_FLAVOUR: "ce"
 
-build-testing-docker:
-  extends: .testing-build
+build-stable-docker:
+  extends: .stable-build
   variables:
     DOCKERFILE_PATH: "debian/Dockerfile"
     DOCKER_TAG: "root"
 
-build-testing-rootless:
-  extends: .testing-build
+build-stable-rootless:
+  extends: .stable-build
   variables:
     DOCKERFILE_PATH: "debian/Dockerfile.rootless"
     DOCKER_TAG: "rootless"
 
-build-stable-docker:
-  extends: .stable-build
+build-pro-stable-docker:
+  extends: .stable-build-pro
   variables:
     DOCKERFILE_PATH: "debian/Dockerfile"
     DOCKER_TAG: "root"
 
-build-stable-rootless:
-  extends: .stable-build
+build-pro-stable-rootless:
+  extends: .stable-build-pro
   variables:
     DOCKERFILE_PATH: "debian/Dockerfile.rootless"
     DOCKER_TAG: "rootless"

.gitlab-ci/Jobs/container_security_scan.yml

@@ -0,0 +1,9 @@
+entrypoint-tests:
+  extends: .rules
+  stage: test
+  image: registry.gitlab.com/passbolt/passbolt-ci-docker-images/debian-bullseye-11-slim:latest
+  before_script:
+    - apt update && apt install curl git -y
+    - curl -fsSL https://git.io/shellspec | sh -s -- --yes
+  script:
+    - /root/.local/bin/shellspec -s /bin/bash -f d

.gitlab-ci/Jobs/entrypoint_test.yml

@@ -35,7 +35,7 @@
     IMAGE_NAME: "passbolt/passbolt"
     PASSBOLT_IMAGE_FLAVOUR: "ce"
   rules:
-    - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR == "ce"'
+    - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "ce"'
       when: on_success
 
 publish-ce:
@@ -62,7 +62,7 @@ publish-pro:
     - *docker-authentication
     - *publish-command
   rules:
-    - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_FLAVOUR == "pro"'
+    - if: '$PASSBOLT_VERSION && $CI_COMMIT_BRANCH == "master" && $PASSBOLT_PUBLISH == "pro"'
       when: on_success
 
 publish-pro-non-root:

.gitlab-ci/Jobs/publish.yaml

@@ -0,0 +1,4 @@
+.rules:
+  rules:
+  - if:  '$CI_COMMIT_BRANCH && $PASSBOLT_PUBLISH != "OPPOSITE_FLAVOUR"'
+    when: on_success

.gitlab-ci/Jobs/rules.yml

@@ -1,7 +1,10 @@
 services:
-  - docker:19.03.0-dind
+  - name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/dind:latest
+    alias: docker
+    command: ["--tls=false"]
 
 .test-images:
+  extends: .rules
   stage: test
   image:
     name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/ruby:latest
@@ -10,19 +13,17 @@ services:
     - rake spec:$TEST_NAME
   variables:
     PASSBOLT_COMPONENT: stable
-  rules:
-  - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master" ) && $PASSBOLT_FLAVOUR == "ce"'
-    when: on_success
+    PASSBOLT_FLAVOUR: ce
+    OPPOSITE_FLAVOUR: pro
 
 .test-pro-images:
   extends: .test-images
   before_script:
     - cat $SUBSCRIPTION_KEY > subscription_key.txt
   variables:
     PASSBOLT_COMPONENT: stable
-  rules:
-  - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ || $CI_COMMIT_BRANCH == "master" ) && $PASSBOLT_FLAVOUR == "pro"'
-    when: on_success
+    PASSBOLT_FLAVOUR: pro
+    OPPOSITE_FLAVOUR: ce
 
 ce-docker-image:
   extends: .test-images

.gitlab-ci/Jobs/test_images.yaml

@@ -1,4 +1,5 @@
 .test-vulnerabilities:
+  extends: .rules
   stage: test-vulnerabilities
   image:
     name: registry.gitlab.com/passbolt/passbolt-ci-docker-images/aquasec:latest
@@ -8,13 +9,29 @@
     DOCKER_TAG: root
   script:
     - trivy image --ignore-unfixed $CI_REGISTRY_IMAGE:${PASSBOLT_FLAVOUR}-${DOCKER_TAG}-latest
-  rules:
-    - if: '($CI_PIPELINE_SOURCE == "schedule" || $CI_COMMIT_BRANCH == "master" || $CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_MESSAGE =~ /test-image/ ) && $PASSBOLT_FLAVOUR =~ /ce|pro/'
-      when: on_success
 
-docker:
+docker-ce:
   extends: .test-vulnerabilities
-docker-non-root:
+  variables:
+    PASSBOLT_FLAVOUR: "ce"
+    OPPOSITE_FLAVOUR: "pro"
+
+docker-ce-rootless:
+  extends: .test-vulnerabilities
+  variables:
+    PASSBOLT_FLAVOUR: "ce"
+    DOCKER_TAG: "rootless"
+    OPPOSITE_FLAVOUR: "pro"
+
+docker-pro:
+  extends: .test-vulnerabilities
+  variables:
+    PASSBOLT_FLAVOUR: "pro"
+    OPPOSITE_FLAVOUR: "ce"
+
+docker-pro-rootless:
   extends: .test-vulnerabilities
   variables:
+    PASSBOLT_FLAVOUR: "pro"
     DOCKER_TAG: "rootless"
+    OPPOSITE_FLAVOUR: "ce"

.gitlab-ci/Jobs/test_vulnerabilities.yaml

@@ -0,0 +1,13 @@
+--require spec_helper
+
+## Default kcov (coverage) options
+# --kcov-options "--include-path=. --path-strip-level=1"
+# --kcov-options "--include-pattern=.sh"
+# --kcov-options "--exclude-pattern=/.shellspec,/spec/,/coverage/,/report/"
+
+## Example: Include script "myprog" with no extension
+# --kcov-options "--include-pattern=.sh,myprog"
+
+## Example: Only specified files/directories
+# --kcov-options "--include-pattern=myprog,/lib/"
+--execdir @basedir/debian/scripts

.shellspec

@@ -2,7 +2,18 @@
 All notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
-## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.7.5...HEAD)
+## [Unreleased](https://github.com/passbolt/passbolt_docker/compare/v3.8.0...HEAD)
+
+## [3.8.0](https://github.com/passbolt/passbolt_docker/compare/v3.7.5...v3.8.0) - 2023-01-13
+
+### Added
+
+- Support for docker secrets
+- Shellspec for entrypoint testing
+
+### Changed
+
+- Entrypoint refactor in separated libraries for increased testability
 
 ## [3.7.5](https://github.com/passbolt/passbolt_docker/compare/v3.7.4...v3.7.5) - 2022-12-01