Andrew Newdigate (167678d8) at 16 Mar 20:09
Adds a task to publish the Helm Chart to the Generic Package registry.
This allows goreleaser to reference variables in build stage.
After discussion in https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/merge_requests/151#note_905608196, we added a convention that the script to prepare a developer environment is always scripts/prepare-dev-env.sh.
This runs that script to ensure that it works.
This will have the additional benefit of ensuring that development scripts built in Mac-centric workflows also work well on Linux. This may help reduce confusion about differences in different environments.
Test of downstream integration of this MR: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/tenctl/-/merge_requests/86
Allows Renovate to use Docker sidecars.
Related to #8.
This danger rule doesn't seem to work. Closing this.
This rule posts a Danger warning when @GitLabDuo isn't assigned as a reviewer.
duo_code_review: Whether a review from GitLab Duo Code is :mandatory or :optional. Default to :optional.
@christianking I just realised that we need a stub placeholder job (ie, just a job which warns that the functionality has been removed). Otherwise this might be a breaking change for some users of this repository which rely on .kaniko_appsec_scan or .appsec_container_scan. Please let me know if I can help with this.
PS: I rebased your change to get around a conflict.
Thanks @christianking, sorry for the slow response, this looks good to me.
This change removes the appsec container scanning template.
After being handed over to Vulnerability Management, we are decommissioning the shared pipeline that runs these scans. Unlike a normal container scan, registry.gitlab.com/gitlab-com/gl-security/appsec/container-scanners triggers a pipeline in the appsec container scanners project which runs the underlying twistlock scanner. When that project and associated runner are removed, this job will fail.
Existing projects using this shared pipeline (both those using this template and others) are being migrated, either to the GitLab container scanner or to an alternate method which does not require the shared pipeline. Where possible the GitLab container scanner should be used, and where the twistlock scanner is required we'll coordinate directly with the relevant teams.
The Appsec container scanning image/pipeline logs calling projects to understand which projects are using it via the registry.gitlab.com/gitlab-com/gl-security/appsec/container-scanners image.
Since 2026-01-21 the following projects have run pipelines:
All other triggered pipelines did not provide caller information which means they were triggered without this template. From this I conclude that this template is no longer being used.
$ mise trust ; echo $?
mise WARN No untrusted config files found.
0
This isn't required.
Andrew Newdigate (70d5696b) at 16 Mar 19:37
Add integration test for non-interactive prepare-dev-env.sh
Cache mise tool installations (.mise/installs/ and .mise/downloads/) to avoid re-downloading and re-installing tools on every pipeline run. The cache key is based on .tool-versions and mise.toml files, so it invalidates when tool versions change.
Adds caching to both setup-mise and asdf-tool-versions components.
Co-Authored-By: Claude Opus 4.6 [email protected]
Andrew Newdigate (c4f03086) at 16 Mar 19:29
feat: add GitLab CI caching for mise tool installations
Andrew Newdigate (592e275a) at 16 Mar 19:28
Add mise trust to prepare-dev-env script to avoid interactive prompt
What about extending validate_mise_tool_versions and adding a before_script which copies .tool-versions.build -> .tool-versions?
My personal philosophy on this is that in CI we should try to validate the full environment rather than the diff unless there's a good reason not to.
I'd probably avoid it initially.