Call gitlab-ci-lint from a CI job (with proper authorizations)
Problem to solve
As Devon, I want to have some CI that tests my gitlab-ci templates, so that I can edit and add features in those with less risk of creating bugs.
In my scenario, I have a repository that hosts multiple gitlab-ci job templates that are used by other repositories (include:project,file).
At least, I would be more confident with a CI lint run.
The templates use include:local to read job descriptions and factorized configuration.
Intended users
- Devon (DevOps Engineer)
- Sidney (Systems Administrator)
- Rachel (Release Manager)
- Simone (Software Engineer in Test)
User experience goal
The CI should be able to call the GitLab CI lint API with permission to read the current repository.
Proposal
api/v4/ci/lint with the $CI_JOB_TOKEN should be allowed to read the repository on which the CI job is run.
Further details
Our template repository structure:
- README > how to use template files at the root of the repo
- .gitlab-ci.yml
- template-one.yml
- template-two.yml
- Jobs/
  - go-lib.yml
  - go-service.yml
  - build-go-image.yml
  - build-chart.yml
  - deploy-charts.yml
- Templates/
  - helm.yml
  - go.yml
- tests/
  - template-one-conf1.yml
  - template-one-conf2.yml
  - template-two-conf1.yml
Extract of the .gitlab-ci.yml:
---
.ci-lint:
  image: gableroux/gitlab-ci-lint:latest # TODO: have an image that passes the token without before_script
  stage: test
  before_script:
    # Rewrite line 21 of the installed gitlab-ci-lint script to add a --header option carrying the token.
    - |
      sed -ri -e '21s/ / --header "PRIVATE-TOKEN: ${CI_BUILD_TOKEN}" /' $(which gitlab-ci-lint)
  script:
    # Complete the include entry of the test file; the indentation must match its file: key.
    - |
      echo "    project: $CI_PROJECT_PATH" >> ${TEST_ENDPOINT}
    - |
      echo "    ref: $CI_COMMIT_SHA" >> ${TEST_ENDPOINT}
    - gitlab-ci-lint ${TEST_ENDPOINT}

ci-lint::tmpl-one-conf1:
  extends: .ci-lint
  variables:
    TEST_ENDPOINT: tests/template-one-conf1.yml

ci-lint::tmpl-one-conf2:
  extends: .ci-lint
  variables:
    TEST_ENDPOINT: tests/template-one-conf2.yml

ci-lint::tmpl-two-conf1:
  extends: .ci-lint
  variables:
    TEST_ENDPOINT: tests/template-two-conf1.yml
Example of content in tests/template-one-conf1.yml:
---
variables:
  BEHAVIOR1: foo
  BEHAVIOR2: bar
include:
  - file: template-one.yml # it will be completed by .gitlab-ci.yml on run
And finally, example of template file at the root:
---
variables:
  BEHAVIOR1: ''
  DEPLOYMENT_BRANCH: master
stages:
  - test
  - build
  - publish
  - deploy-dev
  - deploy-prod
include:
  - local: /Templates/commons.yml
  - local: /Templates/go.yml
  - local: /Templates/helm.yml
  - local: /Jobs/go-service.yml
  - …
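
The lint job described above can also be written as a small script that completes the include entries and posts to api/v4/ci/lint itself, so the token is read from the job environment and sent in a header instead of being patched into a third-party image. This is an added example, not part of the original issue or of the gitlab-ci-lint tool. Assumptions: the function names are hypothetical, include entries use the `- file:` form shown above, the response is JSON with `status` and `errors` fields, and the `PRIVATE-TOKEN` header name is taken from the sed line above (whether the endpoint accepts the job token is what this issue asks for).

```python
import json
import os
import sys
import urllib.request


def complete_includes(text, project, ref):
    """Add project: and ref: under each `- file:` entry, aligned with `file:`."""
    out = []
    for line in text.splitlines():
        out.append(line)
        body = line.lstrip()
        if body.startswith("- file:"):
            pad = " " * (len(line) - len(body) + 2)
            # json.dumps gives a double-quoted scalar, which is valid YAML too
            out += [f"{pad}project: {json.dumps(project)}", f"{pad}ref: {json.dumps(ref)}"]
    return "\n".join(out) + "\n"


def build_request(api_url, content, token, header="PRIVATE-TOKEN"):
    """POST <api_url>/ci/lint; the token travels only in a request header."""
    if not token:
        raise ValueError("no token in the job environment")
    body = json.dumps({"content": content}).encode()
    headers = {"Content-Type": "application/json", header: token}
    return urllib.request.Request(f"{api_url}/ci/lint", body, headers, method="POST")


def lint_errors(response_body):
    """Return the reported errors; an empty list means the config is valid."""
    result = json.loads(response_body)
    if result.get("status") == "valid":
        return []
    return result.get("errors") or [f"lint status: {result.get('status')!r}"]


def main(path, env=os.environ):
    with open(path, encoding="utf-8") as handle:
        content = complete_includes(handle.read(), env["CI_PROJECT_PATH"], env["CI_COMMIT_SHA"])
    request = build_request(env["CI_API_V4_URL"], content, env.get("CI_JOB_TOKEN"))
    with urllib.request.urlopen(request, timeout=30) as response:
        errors = lint_errors(response.read())
    for error in errors:
        print(f"{path}: {error}", file=sys.stderr)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]) if len(sys.argv) == 2 else "usage: ci_lint.py TEST_FILE")
```

The test file is completed in memory only, so nothing in the checkout is modified and the token never appears in a file or a command line.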