... | @@ -2,19 +2,52 @@ |
## Pipelines Home

## Getting started

If this is your first time contributing to this repo, please read our contributing.md guide. This guide provides steps for setting up your local environment as well as information regarding best practices when contributing to this code base.

## ironbank-pipeline directory structure

`/templates` contains the templates for the pipeline. This includes the `globals.yaml` file, which contains the variable references each CI/CD job needs in order to run and outlines the stages that must run. This directory also contains templates for special cases, such as distroless or scratch images. These special cases have their own `.yaml` files which override aspects of the `globals.yaml` configuration as needed.

`/stages` contains the stages involved in pipeline execution. Each stage of the pipeline has its own folder within this directory containing a `base.yaml` file, which dictates the actions and requirements needed for the stage to execute. Additional `.yaml` files can be present within a stage directory in order to separate the jobs which occur within that particular stage.

## Contributor project requirements for ironbank-pipeline use

### Adding a project pipeline in settings

The Iron Bank pipelines team controls the project configuration. As a result, projects _must not_ contain a `.gitlab-ci.yml`. The Iron Bank Pipelines team has set up project templates which are used when the repo is created. The template provides a CI configuration path which enables the pipeline for the project.

The custom CI configuration path is set under:

`Settings` > `CI / CD` > `General pipelines` > `Custom CI configuration path`

The value provided is: `templates/default.yaml@ironbank-tools/ironbank-pipeline`

This points the project at the default pipeline in ironbank-pipeline.

The `default` template allows images based on UBI to run through the required pipeline steps (whether the image uses a UBI image directly as its base image, or uses an approved Iron Bank container that is itself built on a UBI base image). The other approved template is `templates/distroless.yaml@ironbank-tools/ironbank-pipeline`, which is used for distroless and scratch based images.

Please review `templates/README.md` for more information on which template your project needs.
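The two layout rules stated above (every stage directory carries a `base.yaml` next to `templates/globals.yaml`, and contributor projects must not ship their own `.gitlab-ci.yml`) are easy to check mechanically before a merge request is opened. The script below is an added example written for this page; it is not part of ironbank-pipeline. The function names and the fixture built in `demo()` are assumptions; only the paths `templates/globals.yaml`, `stages/<stage>/base.yaml` and `.gitlab-ci.yml` come from the README.

```shell
#!/bin/sh
# Added example, not ironbank-pipeline code: layout checks for the conventions
# the README describes. Function names and the demo fixture are constructed.

# check_pipeline_layout ROOT
# Verifies templates/globals.yaml exists and that every directory under
# stages/ carries a base.yaml. Prints each problem; returns 1 if any were found.
check_pipeline_layout() {
  root=$1
  problems=0
  if [ ! -f "$root/templates/globals.yaml" ]; then
    echo "missing: templates/globals.yaml"
    problems=$((problems + 1))
  fi
  if [ ! -d "$root/stages" ]; then
    echo "missing: stages/ directory"
    problems=$((problems + 1))
  fi
  for stage in "$root"/stages/*/; do
    [ -d "$stage" ] || continue            # glob matched nothing
    if [ ! -f "${stage}base.yaml" ]; then
      echo "missing: stages/$(basename "$stage")/base.yaml"
      problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# check_project_repo DIR
# Contributor projects must not carry their own .gitlab-ci.yml; the custom CI
# configuration path set in the project settings supplies the pipeline instead.
check_project_repo() {
  if [ -e "$1/.gitlab-ci.yml" ]; then
    echo "remove $1/.gitlab-ci.yml: projects using ironbank-pipeline must not carry one"
    return 1
  fi
  return 0
}

# demo: a constructed fixture with one complete stage and one broken stage.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/templates" "$tmp/stages/lint" "$tmp/stages/scan"
  : > "$tmp/templates/globals.yaml"
  : > "$tmp/stages/lint/base.yaml"          # scan/ deliberately lacks base.yaml
  if check_pipeline_layout "$tmp"; then
    echo "layout ok"
  else
    echo "layout has problems"               # printed for this fixture
  fi
  rm -rf "$tmp"
}
demo
```

Run it from the root of a checkout as `check_pipeline_layout .` or, in a contributor project, `check_project_repo .`; a non-zero exit status is what a pre-commit hook or a lint job would act on.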
|
|
|
|
|
|
|
|
## Pipeline artifacts

To access artifacts for each job, select the job in the UI on the `CI/CD -> Pipelines` page by clicking on the button for that job. In the top right hand corner of the screen there is a box labelled "Job artifacts" with buttons "Keep", "Download", and "Browse". Select the button which corresponds to the option you want.

Job artifacts are retained for the latest pipeline and, in most cases, removed after one week. A new pipeline run will need to occur in order to produce job artifacts after this period of time.

<details><summary>
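Review bot: in the directory-structure section, `/templates` and `/stages` read as absolute filesystem paths; write them as `templates/` and `stages/` relative to the repository root, which matches how the template is referenced later in the same hunk (`templates/default.yaml@ironbank-tools/ironbank-pipeline`). The `<details><summary>` element at the end of the hunk is opened without any summary text or a closing `</summary>`; add both so the collapsed section has a label.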
|
... | @@ -245,4 +278,31 @@ The SBOM files, VAT response file, and Cosign signatures on the image and SBOM a |
|
Upload artifacts which are displayed/utilized by the [Iron Bank website](https://ironbank.dso.mil). The artifacts uploaded include scan reports, project README, project LICENSE, and others.

</details>
|
|
\ No newline at end of file |
|
|
|
|
|
#### Tools

| Link | Description |
| ------ | ------ |
| [Cosign](Cosign) | - |

#### Troubleshooting

| Link | Description |
| ------ | ------ |
| [Job Debugging](Job-Debugging) | Rootless podman and twistcli |
| [Trufflehog Findings](Trufflehog-Findings) | TODO |

## CI Vars Consumed Externally

- `PIP_QUIET` is used to suppress the output from pip commands
- `SYFT_REGISTRY_AUTH_PASSWORD` and `SYFT_REGISTRY_AUTH_USERNAME` are used as credentials for specific registries: [Link](https://github.com/anchore/syft/blob/main/README.md)
- `TWISTLOCK_USER` and `TWISTLOCK_PASSWORD` are used for Twistlock authentication
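Two of the three pairs above are credentials, so a job that consumes them should fail early when they are absent and should never let their values reach the job log. The script below is an added example for this page, not ironbank-pipeline code: `require_vars` reports missing variables by name only, and `redact_value` is a filter that blanks a literal secret out of tool output (a complement to GitLab's masked variables, which only cover values that meet its masking rules). The variable names are the README's; the function names, the 4-character minimum for redaction and the sample values and log line in `demo()` are constructed here.

```shell
#!/bin/sh
# Added example, not ironbank-pipeline code. Variable names come from the
# README; function names, sample values and the demo log line are constructed.

# require_vars NAME...
# Returns 1 if any named variable is unset or empty. Only the NAMES of the
# missing variables are printed, so values never appear in the job log.
require_vars() {
  missing=""
  for name in "$@"; do
    case $name in                            # refuse anything that is not a plain identifier
      "" | [0-9]* | *[!A-Za-z0-9_]*)
        echo "bad variable name: $name" >&2
        return 1 ;;
    esac
    eval "value=\${$name:-}"                 # safe: name was validated above
    if [ -z "$value" ]; then
      missing="$missing $name"
    fi
  done
  value=""                                   # do not leave the last value around
  if [ -n "$missing" ]; then
    echo "missing required CI variables:$missing" >&2
    return 1
  fi
  return 0
}

# redact_value SECRET
# Filter: replaces every literal occurrence of SECRET on stdin with "***".
# Intended use:  some_tool 2>&1 | redact_value "$TWISTLOCK_PASSWORD"
# Secrets shorter than 4 characters are passed through untouched (assumed
# threshold: redacting them would mangle unrelated text).
redact_value() {
  if [ "${#1}" -lt 4 ]; then
    cat
    return 0
  fi
  SECRET="$1" awk '
    {
      s = ENVIRON["SECRET"]; line = $0; out = ""
      while ((i = index(line, s)) > 0) {
        out = out substr(line, 1, i - 1) "***"
        line = substr(line, i + length(s))
      }
      print out line
    }'
}

# demo: constructed values; SYFT_REGISTRY_AUTH_USERNAME is left unset on purpose.
demo() {
  TWISTLOCK_USER="scanner-bot"
  TWISTLOCK_PASSWORD="s3cr3t-example"
  if require_vars TWISTLOCK_USER TWISTLOCK_PASSWORD SYFT_REGISTRY_AUTH_USERNAME; then
    echo "all variables present"
  else
    echo "refusing to start the job"         # printed: SYFT_REGISTRY_AUTH_USERNAME is missing
  fi
  # A constructed log line in which a tool echoed the credential by mistake:
  echo "login as scanner-bot with s3cr3t-example" | redact_value "$TWISTLOCK_PASSWORD"
}
demo
```

In a job script the pattern is `require_vars TWISTLOCK_USER TWISTLOCK_PASSWORD || exit 1` at the top, then piping any command that might echo the credential through `redact_value`.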
|
|
|
|
|
|
|
|
## Stargate (Legacy Code)

- Stage and module removed on 03/06/2023
- Last commit SHA: `f5a439a9237ce9ec05b8a6f4ce7e91c96c44f1d5`
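Review bot: the Troubleshooting table still carries `TODO` as the description for the Trufflehog Findings page; fill it in or use `-` as the Cosign row does. In the CI Vars section, `TWISTLOCK_USER`/`TWISTLOCK_PASSWORD` and the `SYFT_REGISTRY_AUTH_*` pair are credentials; state that they are expected to arrive as masked (and, where appropriate, protected) GitLab CI variables rather than being set in project files, and name the job or stage that consumes each pair so readers know where a missing value will surface.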