Draft: Switch to FIPS runners depending on CI var (!173) · Merge requests · GitLab.org / security-products / Tests / java-maven

Fabien Catteau requested to merge xp-ds-fips-conditional into ds-fips Jul 22, 2022

This proves that the default shared runners are used when a job only has one tag, and this is an empty string. It's then possible to switch b/w the FIPS runners and the default ones using a CI variable. See CI config file:

gemnasium-maven-dependency_scanning:
  variables:
    DS_JOB_TAG: ""
  tags:
    - $DS_JOB_TAG

gemnasium-maven-dependency_scanning fips:
  extends: gemnasium-maven-dependency_scanning
  variables:
    CI_GITLAB_FIPS_MODE: "true"
    DS_JOB_TAG: "fips"

Pipeline when no CI variable is set when triggering the pipeline: https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/pipelines/594190913

Pipeline when CI variables are set to use FIPS runners and use the FIPS image (the 2 jobs are equivalent): https://gitlab.com/gitlab-org/security-products/tests/java-maven/-/pipelines/594197105

Edited Jul 22, 2022 by Fabien Catteau

Draft: Switch to FIPS runners depending on CI var

Merge request reports