GitLab Renovate Bot · renovate-bot · GitLab Renovate Bot · renovate-bot · Andrew Newdigate OoO · Andrew Newdigate OoO
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -23,7 +23,7 @@ repos:
        args: [--autofix, --no-sort-keys]

  - repo: https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks
-    rev: v2.35.2  # renovate:managed:self
+    rev: v2.36.1  # renovate:managed:self
    hooks:
      - id: shellcheck  # Run shellcheck for changed Shell files
      - id: shfmt  # Run shellcheck for changed Shell files

--- a/appsec-container-scan.md
+++ b/appsec-container-scan.md
@@ -15,7 +15,7 @@ include:
  # and include the container scanning results in the project that is triggering this scan.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/appsec-container-scan.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: appsec-container-scan.yml

 container_image_scan:

--- a/asdf-tool-versions.md
+++ b/asdf-tool-versions.md
@@ -31,6 +31,6 @@ include:
  # and that asdf and mise are generally working
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/asdf-tool-versions.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: asdf-tool-versions.yml
 ```
--- a/asdf-tool-versions.yml
+++ b/asdf-tool-versions.yml
@@ -6,7 +6,7 @@ spec:
 validate_mise_tool_versions:
  stage: $[[ inputs.stage ]]
  image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/mise:v2.36.1
+    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/mise:v2.37.0
    entrypoint: [""]
  needs: []
  variables:

--- a/checkov.md
+++ b/checkov.md
@@ -25,6 +25,6 @@ include:
  # Runs checkov on all terraform module directories
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/checkov.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: checkov.yml
 ```
--- a/container-diff.md
+++ b/container-diff.md
@@ -7,7 +7,7 @@ This can help to determine how much a container image has changed in size due to
 ```yaml
 include:
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'container-diff.yml'
    inputs:
      job_name: container-diff # The name of the job this template will create

--- a/danger.md
+++ b/danger.md
@@ -13,7 +13,7 @@ variables:
 include:
  # Run Danger during merge requests to alert on messages, warnings and errors.
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'danger.yml'
    # inputs:
    #   stage: defaults to `validate`

--- a/docker.md
+++ b/docker.md
@@ -21,7 +21,7 @@ include:
  # Includes a base template for running an opinionated docker buildx build
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/docker.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'docker.yml'

 .container_builds:
@@ -72,7 +72,7 @@ logs:
 ```
 ------------------------------------------------------------
 Verify this container image using:
-cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.36.1 \
+cosign verify registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks/asdf:v2.37.0 \
  --certificate-identity https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks//.gitlab-ci.yml@refs/tags/v1.2.3 \
  --certificate-oidc-issuer https://gitlab.com
 ------------------------------------------------------------

--- a/editorconfig-check.md
+++ b/editorconfig-check.md
@@ -13,7 +13,7 @@ include:
  # validate .editorconfig
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/editorconfig-check.md
  - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: "editorconfig-check.yml"
 ```


--- a/gitlab-scanners.md
+++ b/gitlab-scanners.md
@@ -11,6 +11,6 @@ stages:
 include:
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/gitlab-scanners.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'gitlab-scanners.yml'
 ```
--- a/gitleaks.md
+++ b/gitleaks.md
@@ -37,6 +37,6 @@ include:
  # Ensure that all shell-scripts are formatted according to a
  # standard canonical format
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: gitleaks.yml
 ```
--- a/gitlint.md
+++ b/gitlint.md
@@ -14,6 +14,6 @@ include:
  # Runs gitlint on all terraform module directories
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/gitlint.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: gitlint.yml
 ```
--- a/go-mod-tidy.md
+++ b/go-mod-tidy.md
@@ -19,7 +19,7 @@ include:
  # Perform `go mod tidy` and ensure that go.mod and go.sum are tidy.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/go-mod-tidy.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: go-mod-tidy.yml
 ```
 ## A note on compatibility

--- a/go-unittests.md
+++ b/go-unittests.md
@@ -20,7 +20,7 @@ include:
  # Runs Go unit tests
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/go-unittests.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: go-unittests.yml
 ```


--- a/golangci-lint.md
+++ b/golangci-lint.md
@@ -13,6 +13,6 @@ include:
  # Runs golangci-lint on the project.
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/golangci-lint.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'golangci-lint.yml'
 ```
--- a/goreleaser.md
+++ b/goreleaser.md
@@ -102,7 +102,7 @@ include:
  # build binary release artifacts with goreleaser
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: goreleaser.yml
 ```

@@ -142,7 +142,7 @@ include:
  # build binary release artifacts with goreleaser
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/goreleaser.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: goreleaser.yml
 ```

@@ -209,3 +209,19 @@ binary_signs:
      - "${artifact}"
    output: true
 ```
+
+## Performing a Full-Mock Release
+
+While the normal Goreleaser build action is helpful in validating that a Go program compiles,
+sometimes it's useful to perform a full mock release.
+This will full test the Goreleaser release process, including SBOM generation, code signing, docker build, etc.
+
+This can be useful when refactoring the Goreleaser configuration.
+
+In order to use this feature, either add the ~goreleaser-mock-release label to the Merge Request, or
+set the `GORELEASER_FULL_MOCK_RELEASE` variable to 1:
+
+```yaml
+variables:
+  GORELEASER_FULL_MOCK_RELEASE: 1
+```
--- a/goreleaser.yml
+++ b/goreleaser.yml
@@ -64,18 +64,7 @@ goreleaser_validate:
    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
    entrypoint: [""]
  rules:
-    - if: '($CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "parent_pipeline" || ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE != "schedule")) && $FIPS_MODE != "1"'
-      exists:
-        - .goreleaser.yml
-
-goreleaser_validate-fips:
-  extends:
-    - .goreleaser_validate_base
-  image:
-    name: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-cross:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
-    entrypoint: [""]
-  rules:
-    - if: '($CI_PIPELINE_SOURCE == "merge_request_event"  || $CI_PIPELINE_SOURCE == "parent_pipeline" || ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE != "schedule")) && $FIPS_MODE == "1"'
+    - if: '($CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "parent_pipeline" || ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PIPELINE_SOURCE != "schedule"))'
      exists:
        - .goreleaser.yml

@@ -150,14 +139,44 @@ goreleaser_build:
  stage: $[[ inputs.validate_stage ]]
  variables:
    GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser snapshot validation
-    GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
-    GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: build --snapshot --clean --single-target ${GORELEASER_BUILD_EXTRA_ARGS:-}
  rules:
-    - if: $CI_PIPELINE_SOURCE == "schedule"
+    - if: '$CI_PIPELINE_SOURCE != "merge_request_event" && $CI_PIPELINE_SOURCE != "parent_pipeline" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
      when: never
-    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" || $CI_PIPELINE_SOURCE == "parent_pipeline" || $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+    # FIPS, oreleaser-mock-release label set
+    - if: '$FIPS_MODE == "1" && ($CI_MERGE_REQUEST_LABELS =~ /goreleaser-mock-release/ || $GORELEASER_FULL_MOCK_RELEASE == "1")'
+      exists:
+        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-cross:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
+
+    # FIPS, normal build
+    - if: '$FIPS_MODE == "1"'
+      exists:
+        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-cross:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: build --snapshot --clean --single-target ${GORELEASER_BUILD_EXTRA_ARGS:-}
+
+    # Non-FIPS, goreleaser-mock-release label set
+    - if: '$CI_MERGE_REQUEST_LABELS =~ /goreleaser-mock-release/ || $GORELEASER_FULL_MOCK_RELEASE == "1"'
      exists:
        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --snapshot --clean --skip=publish ${GORELEASER_BUILD_EXTRA_ARGS:-}
+
+    # Finally, the default
+    - exists:
+        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+        GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: build --snapshot --clean --single-target ${GORELEASER_BUILD_EXTRA_ARGS:-}
+
+#################################################################
+# Release Stage
+#################################################################

 goreleaser:
  extends:
@@ -165,26 +184,42 @@ goreleaser:
    - .goreleaser_auth_config  # Configure vault or variables, from internal/goreleaser/*
  stage: $[[ inputs.release_stage ]]
  variables:
-    GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in non-FIPS mode
-    GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
    GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --clean
  rules:
    # Only run this release job for tags, not every commit
-    - if: $CI_COMMIT_TAG && $FIPS_MODE != "1"
+    - if: $CI_COMMIT_TAG == "" || $CI_COMMIT_TAG == null
+      when: never
+
+    # FIPS
+    - if: $FIPS_MODE == "1"
      exists:
        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in FIPS mode
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-cross:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
+
+    # Non-FIPS
+    - exists:
+        - .goreleaser.yml
+      variables:
+        GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in non-FIPS mode
+        GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser:${GL_ASDF_GORELEASER_VERSION}
+
+#################################################################
+#  Deprecated Jobs, to be removed
+#################################################################
+# Deprecated for removal
+goreleaser_validate-fips:
+  extends:
+    - goreleaser_validate
+  rules:
+    - when: never

 goreleaser-fips:
  extends:
    - .goreleaser_base
    - .goreleaser_auth_config  # Configure vault or variables, from internal/goreleaser/*
  stage: $[[ inputs.release_stage ]]
-  variables:
-    GL_COMMON_CI_TASKS_GORELEASER_MESSAGE: Running go-releaser release in FIPS mode
-    GL_COMMON_CI_TASKS_GORELEASER_IMAGE: registry.gitlab.com/gitlab-com/gl-infra/common-ci-tasks-images/goreleaser-cross:${GL_ASDF_GOLANG_VERSION}-${GL_ASDF_GORELEASER_VERSION}
-    GL_COMMON_CI_TASKS_GORELEASER_ARGUMENTS: release --clean
  rules:
    # Only run this release job for tags, not every commit
-    - if: $CI_COMMIT_TAG && $FIPS_MODE == "1"
-      exists:
-        - .goreleaser.yml
+    - when: never
--- a/hclfmt.md
+++ b/hclfmt.md
@@ -10,7 +10,7 @@ include:
  # Ensures that all terraform files are correctly formatted
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/hclfmt.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: hclfmt.yml
 ```


--- a/jsonfmt.md
+++ b/jsonfmt.md
@@ -19,6 +19,6 @@ include:
  # canonical manner with sorted keys
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/jsonfmt.md
  - project: "gitlab-com/gl-infra/common-ci-tasks"
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: jsonfmt.yml
 ```
--- a/kaniko.md
+++ b/kaniko.md
@@ -9,7 +9,7 @@ include:
  # Includes a base template for running kaniko easily
  # see https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/main/kaniko.md
  - project: 'gitlab-com/gl-infra/common-ci-tasks'
-    ref: v2.36.1  # renovate:managed
+    ref: v2.37.0  # renovate:managed
    file: 'kaniko.yml'

 .container_builds: