CodeQuality vendored template is outdated
Summary
https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/ci/templates/Jobs/Code-Quality.gitlab-ci.yml is using a registry.gitlab.com/gitlab-org/security-products/codequality image, with a hardcoded 12-0-stable version.
Historically, CodeQuality was owned by the team behind devopssecure and thus followed the same versioning as any other tool there: https://gitlab.com/gitlab-org/security-products/release/blob/master/docs/release_process.md#gitlab-security-products-release-process. Remember that when we started this, includes and vendored templates were not yet available in GitLab.
I don't think this versioning is relevant anymore, not to mention confusing now since it's not following GitLab versions anymore. Furthermore, there's no easy way with the current template to override the version being used.
This leads to other issues, like this timeout bug that is fixed but not available: https://gitlab.com/gitlab-org/security-products/codequality/blob/master/CHANGELOG.md#12-1-stable, and in the end to disabling this job until it's fixed: gitlab-org/security-products/tests/webgoat!15 (comment 235813054)
Steps to reproduce
Use the CodeQuality.gitlab-ci.yml template.
Example Project
gitlab-org/security-products/tests/webgoat!15 (comment 235813054)
What is the current bug behavior?
A bug fix released in the 12.1 Code Quality docker image isn't available when using CodeQuality.gitlab-ci.yml
What is the expected correct behavior?
Bugs fixed in the CodeQuality Docker image should be utilized upon release by CodeQuality.gitlab-ci.yml.
/label ~bug
Proposal
This is based on the discussion from #35090 (comment 242838575)
codequality will start a new versioning scheme. We will get inspiration from how our docker-machine does it. Given we use 0.85.5 of codeclimate, we start over at 0.85.5. When we make modifications to codequality, we bump to 0.85.5-gitlab.1. When we update the version of codeclimate to, let's say, 0.86.1, we reset codequality to 0.86.1 (no need to append -gitlab.0).
Once this new scheme is approved, we will release a new 0.85.5 image to mark the start of the new scheme.
At the same time, to avoid breaking existing job definitions that use the old way of versioning, we will release 12-5-stable, 12-6-stable, 12-7-stable, 12-8-stable, 12-9-stable, 12-10-stable. This gives them about 6 months to transition to the new version. Please note that these 12-x-stable images are just "copies" of 12-4-stable. We won't backport fixes from 0.85.5-gitlab.x, so this must be well communicated along with the "deprecation" of the old versioning scheme.
We will manually bump the Code Quality vendored template as new versions are released; we bump it to 0.85.5 when the new image is ready (we can repurpose !19354 (merged) for this). With that said, the recommended approach for all users will be to just include the vendored template. We have to communicate this clearly together with the "deprecation" message.