### Problem Statement The `common-ci-tasks` repository provides several MR labels that can tune CI job behavior. However, these labels are not consistently defined across top-level groups, which limits their usability for projects outside `gitlab-com/gl-infra`. ### Current Label Definitions | Label | Purpose | `gitlab-org` | `gitlab-com` | `gitlab-com/gl-infra` | | ------------------------- | ------------------------------------------------------------------------------------- | :--------: | :--------: | :-----------------: | | `goreleaser-mock-release` | Run full mock release (SBOM, signing, docker build) to test goreleaser config changes | ❌ | ❌ | ✅ | | `docker-write-branch-cache` | Enable writing Docker cache on branch pipelines (disabled by default for speed) | ❌ | ✅ | ✅ | | `docker-attest-sbom` | Enable SBOM attestations for Docker images on branch pipelines | ❌ | ✅ | ✅ | ### Label Details #### `goreleaser-mock-release` - **Alternative:** `GORELEASER_FULL_MOCK_RELEASE: 1` - **Purpose:** Performs a full mock release testing the complete Goreleaser release process including SBOM generation, code signing, and Docker builds. Useful when refactoring `.goreleaser.yml` to verify the release pipeline works before merging. - **Status:** Only defined in `gitlab-com/gl-infra` subgroup - **CI Rule:** [templates/goreleaser/template.yml#L243-L248](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/v3.8.1/templates/goreleaser/template.yml#L243-248) #### `docker-write-branch-cache` - **Alternative:** `DOCKER_WRITE_BRANCH_CACHE: 1` - **Purpose:** By default, branches only read from Docker cache (writing is slow). This label enables writing cached images to the registry on branch pipelines. - **Status:** Defined at `gitlab-com` level (available to all child projects) - **CI Rule:** [templates/docker/template.yml#L132](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/v3.8.1/templates/docker/template.yml#L132) #### `docker-attest-sbom` - **Alternative:** `DOCKER_ATTEST_SBOM: 1` - **Purpose:** By default, only tag and default branch images get SBOM attestations. This label enables SBOM attestations for Docker images built on branches. - **Status:** Defined at `gitlab-com` level (available to all child projects) - **CI Rule:** [templates/docker/template.yml#L148-L151](https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks/-/blob/v3.8.1/templates/docker/template.yml#L148-151) ### Proposed Solution 1. **Manage labels via infra-mgmt** - Move these labels to Terraform using `gitlab_group_label` resources in [infra-mgmt](https://gitlab.com/gitlab-com/gl-infra/infra-mgmt), similar to how labels are managed for `gitlab-dedicated` in `environments/gitlab-com/groups_gitlab-dedicated.tf` 2. **Define labels at both top-level groups:** - `gitlab-com` - for all Infrastructure and GitLab.com projects - `gitlab-org` - for GitLab product projects that may use common-ci-tasks 3. **Labels to create:** - `goreleaser-mock-release` (currently missing from both top-level groups) - `docker-write-branch-cache` (currently only at `gitlab-com`) - `docker-attest-sbom` (currently only at `gitlab-com`) ### Implementation Suggestion Add to `infra-mgmt` (e.g., new file `environments/gitlab-com/labels_common-ci-tasks.tf`): ```hcl # common-ci-tasks labels for CI job tuning # See: https://gitlab.com/gitlab-com/gl-infra/common-ci-tasks locals { common_ci_tasks_labels = { "goreleaser-mock-release" = { description = "Run full mock goreleaser release (SBOM, signing, docker). See common-ci-tasks docs." color = "#428BCA" } "docker-write-branch-cache" = { description = "Enable Docker cache writing on branch pipelines. See common-ci-tasks docs." color = "#428BCA" } "docker-attest-sbom" = { description = "Enable SBOM attestations for Docker images on branches. See common-ci-tasks docs." color = "#428BCA" } } } resource "gitlab_group_label" "common_ci_tasks_gitlab_com" { for_each = local.common_ci_tasks_labels group = data.gitlab_group.gitlab-com.id name = each.key description = each.value.description color = each.value.color } resource "gitlab_group_label" "common_ci_tasks_gitlab_org" { for_each = local.common_ci_tasks_labels group = data.gitlab_group.gitlab-org.id name = each.key description = each.value.description color = each.value.color } # Import existing labels at gitlab-com (group_id: 6543) import { to = gitlab_group_label.common_ci_tasks_gitlab_com["docker-write-branch-cache"] id = "6543:37000822" } import { to = gitlab_group_label.common_ci_tasks_gitlab_com["docker-attest-sbom"] id = "6543:38030460" } ``` **Note:** The `goreleaser-mock-release` label currently only exists at `gitlab-com/gl-infra` (ID: 1112072, label ID: 36622133), not at the `gitlab-com` top-level. The implementation will create it at both `gitlab-com` and `gitlab-org` levels. The existing label at `gl-infra` can optionally be removed after the parent-level label is created (since it will be inherited). ### Exit Criteria - [ ] Labels managed via infra-mgmt Terraform - [ ] All three labels available at `gitlab-com` group level - [ ] All three labels available at `gitlab-org` group level - [ ] Document label availability in common-ci-tasks README