From a7930cb3b9aab5ed292a7bf5aa5c7b005a4caf91 Mon Sep 17 00:00:00 2001
From: Sebastiaan ten Pas <st981@cam.ac.uk>
Date: Thu, 14 Nov 2024 07:35:38 +0000
Subject: [PATCH] fix: container scanning when using multi target docker images

---
 CHANGELOG.md                                    |  9 +++++++++
 .../multi-target-docker-images.gitlab-ci.yml    |  2 +-
 ...d.gitlab-ci.yml => overwrites.gitlab-ci.yml} | 17 ++++++++++++++---
 3 files changed, 24 insertions(+), 4 deletions(-)
 rename fragments/multi-target-docker-images/{build.gitlab-ci.yml => overwrites.gitlab-ci.yml} (60%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8380a28..e6e1d40 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.1.1] - 2024-11-14
+
+### Fixed
+
+- Fixed container scanning when using `multi-target-docker-images`, where previously the container
+  image was not correctly set.
+- Fixed setting `CI_ARTIFACT_REGISTRY_REPOSITORY` when using `multi-target-docker-images`, where
+  previously this was not correctly saved to `gl-auto-build-variables.env`.
+
 ## [6.1.0] - 2024-11-12
 
 ### Added
diff --git a/auto-devops/multi-target-docker-images.gitlab-ci.yml b/auto-devops/multi-target-docker-images.gitlab-ci.yml
index 219bf0a..3584d23 100644
--- a/auto-devops/multi-target-docker-images.gitlab-ci.yml
+++ b/auto-devops/multi-target-docker-images.gitlab-ci.yml
@@ -34,7 +34,7 @@ include:
       - if: $MULTI_DOCKER_IMAGE_BUILD_ENABLED
         when: never
       - if: $CI_PIPELINE_SOURCE != "parent_pipeline"
-  - local: "/fragments/multi-target-docker-images/build.gitlab-ci.yml"
+  - local: "/fragments/multi-target-docker-images/overwrites.gitlab-ci.yml"
     rules:
       - if: $MULTI_DOCKER_IMAGE_BUILD_ENABLED && $CI_PIPELINE_SOURCE == "parent_pipeline"
 
diff --git a/fragments/multi-target-docker-images/build.gitlab-ci.yml b/fragments/multi-target-docker-images/overwrites.gitlab-ci.yml
similarity index 60%
rename from fragments/multi-target-docker-images/build.gitlab-ci.yml
rename to fragments/multi-target-docker-images/overwrites.gitlab-ci.yml
index 2febc7d..9decc1a 100644
--- a/fragments/multi-target-docker-images/build.gitlab-ci.yml
+++ b/fragments/multi-target-docker-images/overwrites.gitlab-ci.yml
@@ -3,17 +3,28 @@
 # because the outcome of the variables is conditional based on the existance of `CI_COMMIT_TAG`.
 # So we set this in the child pipeline.
 build:
-  before_script:
+  script:
     - |
       # This is adapted from the Auto-DevOps Build job to ensure we're working on the same image!
       # See https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
       if [[ -z "$CI_COMMIT_TAG" ]]; then
         export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE/$DOCKER_BUILD_TARGET/$CI_COMMIT_REF_SLUG}
         export CI_ARTIFACT_REGISTRY_REPOSITORY=$ARTIFACT_REGISTRY_DOCKER_REPOSITORY/${ARTIFACT_REGISTRY_IMAGE_NAME:-$CI_PROJECT_NAME/$DOCKER_BUILD_TARGET/$CI_COMMIT_REF_SLUG}
+        export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_SHA}
       else
         export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE/$DOCKER_BUILD_TARGET}
         export CI_ARTIFACT_REGISTRY_REPOSITORY=$ARTIFACT_REGISTRY_DOCKER_REPOSITORY/${ARTIFACT_REGISTRY_IMAGE_NAME:-$CI_PROJECT_NAME/$DOCKER_BUILD_TARGET}
+        export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
       fi
+    - /build/build.sh
+    # `CI_APPLICATION_REPOSITORY` will be written to `gl-auto-build-variables.env` in
+    # /build/build.sh, see: https://gitlab.com/gitlab-org/cluster-integration/auto-build-image/-/blob/master/src/build.sh?ref_type=heads#L51
+    # Since this line overwrites all previous content in `gl-auto-build-variables.env`, we can
+    # only write `CI_ARTIFACT_REGISTRY_REPOSITORY` after the build script ran.
+    - echo "CI_ARTIFACT_REGISTRY_REPOSITORY=$CI_ARTIFACT_REGISTRY_REPOSITORY" >> gl-auto-build-variables.env
 
-      echo "CI_APPLICATION_REPOSITORY=$CI_APPLICATION_REPOSITORY" >> gl-auto-build-variables.env
-      echo "CI_ARTIFACT_REGISTRY_REPOSITORY=$CI_ARTIFACT_REGISTRY_REPOSITORY" >> gl-auto-build-variables.env
+container_scanning:
+  # Needed to overwrite the dependencies to ensure the dotenv file is loaded with the altered
+  # environment variables
+  dependencies:
+    - build
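Review bot: Moving the overrides from `before_script` to `script` on the `build` job means this fragment now replaces the upstream Auto DevOps Build job's script outright rather than prepending to it, so the hard-coded `- /build/build.sh` step is the only thing that still builds the image and any later change to the upstream job's `script` is silently dropped. That is worth a comment above `script:`, e.g. `# Replaces (does not extend) the upstream Build job's script; keep the /build/build.sh step in sync with Jobs/Build.gitlab-ci.yml`. The new `container_scanning` override also depends on `build` exposing `gl-auto-build-variables.env` as a `dotenv` artifact report, which this fragment does not declare and presumably inherits from the included template; if the upstream `container_scanning` job sets `needs:`, GitLab requires `dependencies` to be a subset of it, so a matching `needs` entry for `build` may be required too — confirm against the included template.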
-- 
GitLab