Commit 782c95ec authored by Sergey Nikolaev's avatar Sergey Nikolaev

Use image digest for Auto DevOps deployments

This prevents users with the developer role from deploying their
changes to production by overriding the container image in the registry.

Changelog: changed
parent 4debfa65
...@@ -179,3 +179,11 @@ include: ...@@ -179,3 +179,11 @@ include:
- template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml - template: Security/License-Scanning.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
- template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml - template: Security/SAST.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
- template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml - template: Security/Secret-Detection.gitlab-ci.yml # https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
# The latest build job generates a dotenv report artifact with a CI_APPLICATION_TAG
# that also includes the image digest. This configures Auto Deploy to receive
# this artifact and use the updated CI_APPLICATION_TAG for deployments.
.auto-deploy:
dependencies: [build]
dast_environment_deploy:
dependencies: [build]
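Review bot: The digest pin wired in under `.auto-deploy` and `dast_environment_deploy` only holds when the deploy job actually ends up with the dotenv value of CI_APPLICATION_TAG, and the new comment does not say what happens otherwise. If the build job is excluded (the build template carries a `$BUILD_DISABLED` rule), or if CI_APPLICATION_TAG is set as a project or pipeline variable, which as far as I know outranks dotenv report variables, the deployment would presumably run with a mutable tag again and nothing would flag it. I would extend the comment with `# Without this artifact, or if CI_APPLICATION_TAG is set at a higher precedence, deployments use the tag without a digest.` It is also worth considering whether the deploy script should refuse a production deploy whose tag carries no digest; that script is outside this hunk.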
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
# This template is scheduled for removal when testing is complete: https://gitlab.com/gitlab-org/gitlab/-/issues/337987 # This template is scheduled for removal when testing is complete: https://gitlab.com/gitlab-org/gitlab/-/issues/337987
variables: variables:
AUTO_BUILD_IMAGE_VERSION: 'v1.3.1' AUTO_BUILD_IMAGE_VERSION: 'v1.5.0'
build: build:
stage: build stage: build
...@@ -23,6 +23,9 @@ build: ...@@ -23,6 +23,9 @@ build:
export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG} export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
fi fi
- /build/build.sh - /build/build.sh
artifacts:
reports:
dotenv: gl-auto-build-variables.env
rules: rules:
- if: '$BUILD_DISABLED' - if: '$BUILD_DISABLED'
when: never when: never
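Review bot: The new `artifacts:reports:dotenv` entry relies on `/build/build.sh` writing `gl-auto-build-variables.env`, which presumably only the image selected by the bumped `AUTO_BUILD_IMAGE_VERSION` does, and nothing in the job records that coupling. A project that overrides `AUTO_BUILD_IMAGE_VERSION` with an older image would likely produce no report, so its deployments would quietly go back to a tag without a digest. I would add a comment above `artifacts:` such as `# Written by /build/build.sh (auto-build-image v1.5.0 or later); carries CI_APPLICATION_TAG with the image digest for Auto Deploy.` The `build` job's script starts before this hunk and its rules continue after it.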