Transition Vendored CI templates to rules syntax
For all of our vendored templates in Secure, we need to transition to [`rules:` syntax](https://docs.gitlab.com/ee/ci/yaml/#rules) as it is more flexible than [`only/except`](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-basic) ## Job templates Update the [job templates](https://gitlab.com/gitlab-org/gitlab/tree/master/lib/gitlab/ci/templates/Security) that ship with GitLab: - Container Scanning: https://gitlab.com/gitlab-org/gitlab/issues/36541 - License Management: https://gitlab.com/gitlab-org/gitlab/issues/36543 - DAST: https://gitlab.com/gitlab-org/gitlab/issues/36546 - Dependency Scanning: https://gitlab.com/gitlab-org/gitlab/issues/36547 - SAST: https://gitlab.com/gitlab-org/gitlab/issues/36548 This impacts ~"GitLab Ultimate" users ## What if I am not ready to update my pipelines ? For affected users who extend Secure templates, but are not ready to update their pipelines, you can switch to the [GitLab 12.10 based templates](https://gitlab.com/gitlab-org/auto-devops-v12-10). ## Security tools Update the CI configuration files of the Secure projects: - Container Scanning - License Management - DAST - Dependency Scanning - SAST - [ci-templates](https://gitlab.com/gitlab-org/security-products/ci-templates/tree/master) (CI configs for [analyzers](https://gitlab.com/gitlab-org/security-products/analyzers) and [test projects](https://gitlab.com/gitlab-org/security-products/tests/python-pip/pipelines)) - [analyzers](https://gitlab.com/gitlab-org/security-products/analyzers) not using the [shared CI config](https://gitlab.com/gitlab-org/security-products/ci-templates/blob/master/includes-dev/analyzer.yml) (TBD) - gemnasium-db - gemnasium-db-toolbox This impacts developers of the Secure projects. ## Other links - [Deprecation notice](https://gitlab.com/gitlab-com/www-gitlab-com/-/merge_requests/44838#8f8202583081354f4b34523cafe546b6ef6d26b7) ## Implementation Plan Rolling out the breaking change ([Approach A](https://gitlab.com/groups/gitlab-org/-/epics/2300#note_333137907)) and do everything we can to notify users ahead of time with guidance on transitioning. - [x] Release issue opened https://gitlab.com/gitlab-org/release/tasks/-/issues/1315 - [x] Create troubleshooting page providing immediate action for locking to %12.10 version and example patches describing CI configuration updates (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30658) - [x] Describe inclusion of remote; i.e. https://gitlab.com/gitlab-org/gitlab/-/raw/12-10-stable-ee/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml - [x] Describe before and after examples to help illustrate `rules` usage - [x] Linking to `rules` CI docs - [x] Update existing templates, dropping `only/except` in favor of `rules` - [x] Update `Container-Scanning.gitlab-ci.yml` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30775 - [x] Update `DAST.gitlab-ci.yml` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30776 - [x] Update `Dependency-Scanning.gitlab-ci.yml` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30907 - [x] Update `License-Scanning.gitlab-ci.yml` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30784 - [x] Update `SAST.gitlab-ci.yml` https://gitlab.com/gitlab-org/gitlab/-/merge_requests/31127 - [ ] Updating pipeline error message to link to troubleshooting docs when `error_message =~ %r|config key may not be used with rules: only, except|` (EDIT: We chose not to do this due to time constraints and Level-of-Effort)
epic