CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.3.0] - 2023-06-28
+
+### Added
+
+- `artifact-registry.yml` template to push Auto-DevOps built images to an Artifact Registry
+  repository.
+
 ## [2.2.2] - 2023-06-16
 
 ### Modified

auto-devops/artifact-registry.yml

+# This template pushes images built via Auto-DevOps to Google Artifact Registry in the meta project for the specific
+# product. This can only be used for products which have been provisioned using the gcp-product-factory, and which have
+# a product-specific GKE-based GitLab runner deployed.
+#
+# This template is intended to be "include"-d in addition to the standard Auto-DevOps template, for example:
+#
+# include:
+#   - template: Auto-DevOps.gitlab-ci.yml
+#
+#   - project: 'uis/devops/continuous-delivery/ci-templates'
+#     file: '/auto-devops/artifact-registry.yml'
+#     ref: v2.3.0
+#
+# The following variables must be available:
+#
+# GKE_RUNNER_TAG:
+#   The tag to target the product-specific GitLab runner.
+#
+# ARTIFACT_REGISTRY_DOCKER_REPOSITORY:
+#   This is the path to a docker registry to push the images to. Usually, this is the "default_docker" registry created
+#   in the product meta-project by the gcp-product-factory.
+#
+# ARTIFACT_REGISTRY_SERVICE_ACCOUNT: This is the email account of a service account which has permission to push to the
+#   $ARTIFACT_REGISTRY_DOCKER_REPOSITORY. The gke_ci_run service account configured by the gitlab-runner-infrastructure
+#   code must have permission to impersonate this service account.
+
+artifact-registry-push:
+  stage: production
+  image: google/cloud-sdk:alpine
+  script: |
+    # This is adapted from the Auto-DevOps Build job to ensure we're working on the same image!
+    # See https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/Build.gitlab-ci.yml
+    if [[ -z "$CI_COMMIT_TAG" ]]; then
+      export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG}
+      export CI_ARTIFACT_REGISTRY_REPOSITORY=$ARTIFACT_REGISTRY_DOCKER_REPOSITORY/$CI_PROJECT_NAME/$CI_COMMIT_REF_SLUG
+      export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_SHA}
+    else
+      export CI_APPLICATION_REPOSITORY=${CI_APPLICATION_REPOSITORY:-$CI_REGISTRY_IMAGE}
+      export CI_ARTIFACT_REGISTRY_REPOSITORY=$ARTIFACT_REGISTRY_DOCKER_REPOSITORY/$CI_PROJECT_NAME
+      export CI_APPLICATION_TAG=${CI_APPLICATION_TAG:-$CI_COMMIT_TAG}
+    fi
+
+    gitlab_image="$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
+    
+    # This uses "${string%substring}" to remove everything after the "@" (and the "@" itself) from the image digest
+    # leaving a the hash prefix (e.g. "898d68000bd66376f44f0c1bb1bd73e68f2f0daa").
+    artifact_registry_image="$CI_ARTIFACT_REGISTRY_REPOSITORY:${CI_APPLICATION_TAG%@*}"
+
+    gcloud auth --impersonate-service-account $ARTIFACT_REGISTRY_SERVICE_ACCOUNT print-access-token \
+      | docker login -u oauth2accesstoken --password-stdin $ARTIFACT_REGISTRY_DOCKER_REPOSITORY
+
+    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+
+    docker pull $gitlab_image
+    docker tag $gitlab_image $artifact_registry_image
+    docker push $artifact_registry_image
+  needs:
+    - build
+  tags:
+    - $GKE_RUNNER_TAG
+  rules:
+    - if: $GKE_RUNNER_TAG == null || $ARTIFACT_REGISTRY_SERVICE_ACCOUNT == null || $ARTIFACT_REGISTRY_DOCKER_REPOSITORY == null
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG