CHANGELOG.md

@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [6.1.0] - 2024-11-12
+
+### Added
+
+- `/auto-devops/maven.gitlab-ci.yml` : new template to support Maven-based Java projects. Provides
+  maven:verify and maven:deploy jobs.
+
 ## [6.0.4] - 2024-11-08
 
 ### Fixed

auto-devops/maven.gitlab-ci.yml

+# Define jobs for maven-based Java projects. Rules are only added if a pom.xml file is present in
+# the root of the repository.
+#
+# Tests are run for all branches by means of a "mvn verify" run.
+#
+# Deploy is run for the default branch *only*, verify is run for other branches.
+#
+# Set MAVEN_{DEPLOY,VERIFY}_DISABLED to disable jobs.
+#
+# Set MAVEN_ACCESS_TOKENS_DISABLED to skip the retrieval of GitLab Access Tokens if not needed.
+#
+# Set MAVEN_TEST_VERSIONS to override the default list of Maven images for running tests.
+#
+# Jobs are run for each image defined in .maven:versions so you can vary the versions of the JDK one
+# tests with.
+# Deploy jobs are only run in the default maven image defined in MAVEN_IMAGE. See the
+# "variables" section below for details.
+
+# Versions to run tests in.
+.maven:versions: [$MAVEN_TEST_VERSIONS]
+
+variables:
+  # Default maven version and base docker image to use when building Java packages.
+  MAVEN_VERSION: "3.9-eclipse-temurin-8"
+  MAVEN_TEST_VERSIONS: "3.9-eclipse-temurin-8"
+  MAVEN_IMAGE: maven:$MAVEN_VERSION
+
+# DinD service for Testcontainers support
+services:
+  - name: docker:dind
+    # explicitly disable tls to avoid docker startup interruption
+    command: ["--tls=false"]
+
+# Retrieve Access Token used to retrieve published Maven packages from GitLab Maven Repository
+.maven.deploy_tokens:
+  - |
+    if [ "$MAVEN_ACCESS_TOKENS_DISABLED" != "1" ]; then
+      if ! [ -x "$(command -v apt-get)" ]; then
+        apk add --no-cache curl jq git
+      else
+        apt-get update && apt-get install -y curl jq git
+      fi
+
+      echo "Retrieving an access token for the default service account of the runner pod..."
+        DEFAULT_TOKEN=$(
+          curl --fail-with-body -s -S -H "Metadata-Flavor: Google" \
+            "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
+          | jq -r ".access_token"
+        )
+
+        echo "Generating an access token for the $GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT service account..."
+        ACCESS_TOKEN=$(
+          curl --fail-with-body -s -S -X POST \
+            -H "Authorization: Bearer $DEFAULT_TOKEN" \
+            -H "Content-Type: application/json; charset=utf-8" \
+            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT/@/%40}:generateAccessToken" \
+            -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
+          | jq -r ".accessToken"
+        )
+
+        echo "Retrieving the GitLab bot access token from Google Secret Manager..."
+        export GITLAB_TOKEN=$(
+          curl --fail-with-body -s -S -H "Authorization: Bearer $ACCESS_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://secretmanager.googleapis.com/v1/projects/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_PROJECT/secrets/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_NAME/versions/latest:access" \
+          | jq -r ".payload.data" | base64 -d
+        )
+
+        export AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGS=--build-arg="GITLAB_TOKEN=${GITLAB_TOKEN}"
+    else
+      echo "MAVEN_ACCESS_TOKENS_DISABLED=1, skipping access tokens"
+    fi
+
+# Template maven job.
+.maven:
+  image: $MAVEN_IMAGE
+  before_script: !reference [".maven.deploy_tokens"]
+  # Cache downloaded dependencies and plugins between builds. To keep cache across branches add
+  # 'key: "$CI_JOB_NAME"' Be aware that `mvn deploy` will install the built jar into this
+  # repository. If you notice your cache size increasing, consider adding
+  # `-Dmaven.install.skip=true` to `MAVEN_OPTS` or in `.mvn/maven.config`
+  cache:
+    key: "$CI_JOB_NAME"
+    paths:
+      - .m2/repository
+  rules:
+    - exists:
+        - pom.xml
+  variables:
+    # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode`
+    # to make this work.
+    MAVEN_OPTS: >-
+      -Dhttps.protocols=TLSv1.2
+      -Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository
+      -Dorg.slf4j.simpleLogger.showDateTime=true
+      -Djava.awt.headless=true
+      -Xmx512m
+
+    # As of Maven 3.3.0 instead of this you MAY define these options in `.mvn/maven.config` so the
+    # same config is used when running from the command line.
+    # As of Maven 3.6.1, the use of `--no-tranfer-progress` (or `-ntp`) suppresses download and
+    # upload messages. The use of the `Slf4jMavenTransferListener` is no longer necessary.
+    # `installAtEnd` and `deployAtEnd` are only effective with recent version of the corresponding
+    # plugins.
+    MAVEN_CLI_OPTS: >-
+      --batch-mode
+      --errors
+      --fail-at-end
+      --show-version
+      --no-transfer-progress
+      -DinstallAtEnd=true
+      -DdeployAtEnd=true
+      --settings ci_settings.xml
+
+# Template verify-only job to run tests.
+.maven:verify:
+  extends: .maven
+  stage: test
+  script: |
+    echo "Running mvn verify"
+    mvn $MAVEN_CLI_OPTS verify
+  parallel:
+    matrix:
+      - MAVEN_VERSION: !reference [".maven:versions"]
+  artifacts:
+    when: always
+    paths:
+      - "**/target/surefire-reports/TEST-*.xml"
+      - "**/target/failsafe-reports/TEST-*.xml"
+    reports:
+      junit:
+        - "**/target/surefire-reports/TEST-*.xml"
+        - "**/target/failsafe-reports/TEST-*.xml"
+
+# Verify job runs on all branches apart from Merge Requests.
+maven:verify:
+  extends: .maven:verify
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: never
+    - if: $MAVEN_VERIFY_DISABLED
+      when: never
+    - !reference [".maven:verify", rules]
+
+# Template deploy job for pipelines which *are* on the default branch.
+.maven:deploy:
+  extends: .maven
+  script:
+    - if [ ! -f ci_settings.xml ]; then
+        echo "CI settings missing\! If deploying to GitLab Maven Repository, please see https://docs.gitlab.com/ee/user/packages/maven_repository/index.html#create-maven-packages-with-gitlab-cicd for instructions.";
+      fi
+    - mvn $MAVEN_CLI_OPTS clean deploy
+  rules:
+    - if: $MAVEN_DEPLOY_DISABLED
+      when: never
+    - !reference [.maven, rules]
+
+# Production Deploy uses the default maven version.
+maven:deploy:
+  extends: .maven:deploy
+  stage: production
+  rules:
+    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
+      when: never
+    - !reference [".maven:deploy", rules]
+
+# Non-default branch deploy job - must be run manually as part of the review stage, apart from Merge Requests
+maven:deploy-dev:
+  extends: .maven:deploy
+  stage: review
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: never
+    - if: $CI_COMMIT_TAG
+      when: never
+    - if: $CI_COMMIT_BRANCH
+      when: manual
+      # This is currently the only way to allow the pipeline to succeed if the optional manual push job was
+      # not triggered. See the following issue for context - https://gitlab.com/gitlab-org/gitlab/-/issues/249524.
+      allow_failure: true
+    - !reference [".maven:deploy", rules]