gitlabhq
diff --git a/‎.gitlab-ci.yml
+7-11 b/‎.gitlab-ci.yml
+7-11
diff --git a/‎.gitlab/ci/_common.gitlab-ci.yml
+10-37 b/‎.gitlab/ci/_common.gitlab-ci.yml
+10-37
diff --git a/‎.gitlab/ci/_rules.gitlab-ci.yml
+2-60 b/‎.gitlab/ci/_rules.gitlab-ci.yml
+2-60
diff --git a/‎.gitlab/ci/build.gitlab-ci.yml
+100-26 b/‎.gitlab/ci/build.gitlab-ci.yml
+100-26
@@ -1,12 +1,9 @@
 stages:
-- prepare
-- fips helper binaries
-- prebuild
-- prerelease
+- build
+- qa
 - test
 - test kubernetes integration
 - coverage
-- build
 - package
 - release
 - postrelease
@@ -15,18 +12,17 @@ stages:
 include:
 - local: /.gitlab/ci/_common.gitlab-ci.yml
 - local: /.gitlab/ci/_rules.gitlab-ci.yml
-- local: /.gitlab/ci/prepare.gitlab-ci.yml
-- local: /.gitlab/ci/fips-helper-binaries.gitlab-ci.yml
-- local: /.gitlab/ci/prebuild.gitlab-ci.yml
-- local: /.gitlab/ci/prerelease.gitlab-ci.yml
+- local: /.gitlab/ci/build.gitlab-ci.yml
+- local: /.gitlab/ci/qa.gitlab-ci.yml
 - local: /.gitlab/ci/test.gitlab-ci.yml
 - local: /.gitlab/ci/test-kubernetes-integration.gitlab-ci.yml
 - local: /.gitlab/ci/coverage.gitlab-ci.yml
-- local: /.gitlab/ci/build.gitlab-ci.yml
 - local: /.gitlab/ci/package.gitlab-ci.yml
 - local: /.gitlab/ci/release.gitlab-ci.yml
 - local: /.gitlab/ci/postrelease.gitlab-ci.yml
 - local: /.gitlab/ci/docs.gitlab-ci.yml
 - component: ${CI_SERVER_FQDN}/gitlab-org/components/danger-review/[email protected]
+  inputs:
+    job_stage: qa
   rules:
-    - if: '$CI_SERVER_HOST == "gitlab.com"'
+    - if: '$CI_SERVER_HOST == "gitlab.com"'
@@ -3,30 +3,18 @@ variables:
   # When updating GO_VERSION, update Go versions in docs/development/index.md
   # or the 'docs:check development docs Go version' job will fail
   GO_VERSION: "1.23.2"
-  # ubi version for go.fips image base (see https://gitlab.com/gitlab-org/gitlab-runner/-/issues/38034)
-  GO_FIPS_UBI_VERSION: "ubi8"
-  # Sometimes the FIPS repo lags behind the official releases
-  GO_FIPS_VERSION: "1.23.2"
-  # Account for the suffix used in https://github.com/golang-fips/go/releases/tag/go1.23.2-2-openssl-fips
-  GO_FIPS_VERSION_SUFFIX: "-1-openssl-fips"
-  GO_CI_IMAGE: "$GO_VERSION-bookworm"
-  CI_IMAGE: "registry.gitlab.com/gitlab-org/gitlab-runner/ci:$GO_CI_IMAGE-1"
+  RUNNER_IMAGES_REGISTRY: registry.gitlab.com/gitlab-org/ci-cd/runner-tools/base-images
+  RUNNER_IMAGES_VERSION: "0.0.1"
+  RUNNER_IMAGES_WINDOWS_GO_URL: https://gitlab.com/api/v4/projects/gitlab-org%2fci-cd%2frunner-tools%2fbase-images/packages/generic/runner-images/v${RUNNER_IMAGES_VERSION}/golang-windows-amd64.zip
+  CI_IMAGE: "${RUNNER_IMAGES_REGISTRY}/ci:${RUNNER_IMAGES_VERSION}"
   # Feature flags
   FF_SCRIPT_SECTIONS: "true"
   FF_USE_FASTZIP: "true"
   FF_USE_NEW_BASH_EVAL_STRATEGY: "true"
   FF_TIMESTAMPS: "true"
   # Following variables are used in some jobs to install specified software
   RELEASE_INDEX_GEN_VERSION: "latest"
-  DOCKER_VERSION: 24.0.5
-  DOCKER_MACHINE_VERSION: "v0.16.2-gitlab.30"
-  BUILDX_VERSION: 0.10.4
-  KUBECTL_VERSION: 1.23.0
-  AWS_CLI_VERSION: 2.4.19
-  GIT_VERSION: "2.40.1"
-  GIT_VERSION_BUILD: "1"
-  GIT_LFS_VERSION: "3.5.1"
-  YQ_VERSION: "4.30.5"
+  DOCKER_VERSION: 27.3.1
   LICENSE_MANAGEMENT_SETUP_CMD: echo "Skip setup. Dependency already vendored"
   DOCS_GITLAB_REPO_SUFFIX: "runner"
   # We're overriding rules for the jobs that we want to run.
@@ -35,26 +23,7 @@ variables:
   TRANSFER_METER_FREQUENCY: "5s"
   CACHE_COMPRESSION_FORMAT: tarzstd
   GO111MODULE: "on"
-  GO_FIPS_IMAGE: registry.gitlab.com/gitlab-org/gitlab-runner/go-fips:$GO_FIPS_VERSION-$GO_FIPS_UBI_VERSION
-  # Leaving the Alpine and UBI versions defined here until the renovate pattern is changed
-  # to recognize the definitions as a Go variable
-  # renovate: datasource=docker depName=alpine allowedVersions=/3\.18\..+/
-  ALPINE_318_VERSION: "3.18.9"
-  # renovate: datasource=docker depName=alpine allowedVersions=/3\.19\..+/
-  ALPINE_319_VERSION: "3.19.4"
-  # renovate: datasource=docker depName=alpine allowedVersions=/3\.21\..+/
-  ALPINE_321_VERSION: "3.21.0"
-  # renovate: datasource=docker depName=ubuntu allowedVersions=/20\..+/
-  UBUNTU_VERSION: "20.04"
-  # renovate: datasource=docker depName=redhat/ubi9-micro versioning=redhat allowedVersions=/9\.5-[0-9]+/
-  UBI_MICRO_VERSION: "9.5-1731934928"
-  UBI_MICRO_IMAGE: redhat/ubi9-micro
-  # renovate: datasource=docker depName=redhat/ubi9-minimal versioning=redhat allowedVersions=/9\.5-[0-9]+/
-  UBI_MINIMAL_VERSION: "9.5-1731604394"
-  UBI_MINIMAL_IMAGE: redhat/ubi9-minimal
-  UBI_FIPS_BASE_IMAGE: registry.gitlab.com/gitlab-org/gitlab-runner/ubi-fips-base
-  ## Note: UBI_FIPS_VERSION=$UBI_MICRO_VERSION, post conversion to ubi-micro
-  UBI_FIPS_VERSION: "$UBI_MICRO_VERSION"
+  # renovate: datasource=docker depName=redhat/ubi9-micro versioning=redhat allowedVersions=/9\.4-[0-9]+/
   PACKAGES_ITERATION: "1"
 
 default:
@@ -85,8 +54,10 @@ default:
   tags:
     - gitlab-org-docker
 
+
 .go-cache:
   variables:
+    GODEBUG: gocachetest=1
     GOCACHE: $CI_PROJECT_DIR/.gocache-$CI_COMMIT_REF_PROTECTED
   before_script:
     - mkdir -p "$GOCACHE"
@@ -98,9 +69,11 @@ default:
 
 .go-cache-windows:
   variables:
+    GODEBUG: gocachetest=1
     GOCACHE: $CI_PROJECT_DIR\.gocache-$CI_COMMIT_REF_PROTECTED
   before_script:
     - New-Item -Path "$Env:GOCACHE" -Type Directory -Force
+    - $env:GOCACHE = (Resolve-Path $env:GOCACHE).Path
     - ./ci/touch_git.ps1
   cache:
     paths:
 
@@ -228,69 +228,11 @@
   - <<: *if-runner-merge-request-pipeline
     changes: *code-backstage-patterns
 
-.rules:prepare:ci:image:merge-requests:
+.rules:build:test:images:merge-requests:
   rules:
   - <<: *if-runner-merge-request-pipeline
     changes:
-    - dockerfiles/ci/Dockerfile
-    - dockerfiles/ci/Dockerfile.rebuild
-    - .gitlab/ci/_common.gitlab-ci.yml
-    - .gitlab/ci/prepare.gitlab-ci.yml
-
-.rules:prepare:alpine-no-root:image:merge-requests:
-  rules:
-  - <<: *if-runner-merge-request-pipeline
-    changes:
-    - tests/dockerfiles/alpine-no-root/*
-    - .gitlab/ci/prepare.gitlab-ci.yml
-
-.rules:prepare:alpine-entrypoint:image:merge-requests:
-  rules:
-  - <<: *if-runner-merge-request-pipeline
-    changes:
-    - tests/dockerfiles/alpine-entrypoint/*
-    - .gitlab/ci/prepare.gitlab-ci.yml
-
-.rules:prepare:powershell-entrypoint:image:merge-requests:
-  rules:
-  - <<: *if-runner-merge-request-pipeline
-    changes:
-    - tests/dockerfiles/powershell-entrypoint/*
-    - .gitlab/ci/prepare.gitlab-ci.yml
-
-.rules:prepare:alpine-id-overflow:image:merge-requests:
-  rules:
-  - <<: *if-runner-merge-request-pipeline
-    changes:
-    - tests/dockerfiles/alpine-id-overflow/*
-    - .gitlab/ci/prepare.gitlab-ci.yml
-
-.rules:prepare:go-fips:image:merge-requests:
-  rules:
-    - <<: *if-runner-merge-request-pipeline
-      changes:
-        - dockerfiles/ci/go.fips.Dockerfile
-        - dockerfiles/ci/go.fips.Dockerfile.rebuild
-        - dockerfiles/ci/ubi.fips.base.Dockerfile
-        - dockerfiles/ci/ubi.fips.base.Dockerfile.rebuild
-        - .gitlab/ci/prepare.gitlab-ci.yml
-        - .gitlab/ci/_common.gitlab-ci.yml
-
-.rules:prepare:ubi-base:image:merge-requests:
-  rules:
-    - <<: *if-runner-merge-request-pipeline
-      changes:
-        - dockerfiles/ci/ubi.fips.base.Dockerfile
-        - dockerfiles/ci/ubi.fips.base.Dockerfile.rebuild
-        - .gitlab/ci/prepare.gitlab-ci.yml
-        - .gitlab/ci/_common.gitlab-ci.yml
-
-.rules:prepare:gitlab-runner-helper-entrypoint:image:merge-requests:
-  rules:
-  - <<: *if-runner-merge-request-pipeline
-    changes:
-    - tests/dockerfiles/gitlab-runner-helper-entrypoint/*
-    - .gitlab/ci/prepare.gitlab-ci.yml
+    - tests/dockerfiles/*
 
 .rules:prepare:test-ci-scripts:merge-requests:
   rules:
 
@@ -1,45 +1,119 @@
-binaries:
+helper images:
+  tags:
+    - saas-linux-2xlarge-amd64
   extends:
+  - .docker
   - .rules:merge_request_pipelines:no_docs
-  - .go-cache
   stage: build
   needs:
-  - 'prepare done'
+    - 'binaries'
   script:
-  - make runner-bin BUILD_PLATFORMS="-osarch='$PLATFORMS'"
+  - ./ci/touch_git
+  - make helper-images
+  - ls -alh out/helper-images/
+  retry: 2
   artifacts:
     paths:
-    - out/binaries/gitlab-runner-*
-    exclude:
-    - out/binaries/gitlab-runner-helper/
+    - out/helper-images/
     expire_in: 7d
   parallel:
     matrix:
-    - PLATFORMS:
-      - linux/amd64 linux/arm64 #64bit
-      - linux/386 linux/arm #32bit
-      - linux/s390x linux/ppc64le #ibm
-      - linux/riscv64 #riscv
-      - darwin/amd64 darwin/arm64
-      - freebsd/386 freebsd/amd64 freebsd/arm
-      - windows/386 windows/amd64
+      - TARGETS:
+        - alpine alpine-pwsh ubuntu ubuntu-pwsh ubi-fips
+        - windows-nanoserver-ltsc2019 windows-servercore-ltsc2019
+        - windows-nanoserver-ltsc2022 windows-servercore-ltsc2022
 
-binaries-fips:
+prebuilt helper images:
+  tags:
+    - saas-linux-2xlarge-amd64
   extends:
+  - .docker
   - .rules:merge_request_pipelines:no_docs
-  - .go-cache
   stage: build
-  image: $GO_FIPS_IMAGE
+  image: "${RUNNER_IMAGES_REGISTRY}/ci:${RUNNER_IMAGES_VERSION}-prebuilt-images"
   needs:
-  - job: 'prepare go fips'
-    optional: true
+    - 'helper images: [alpine alpine-pwsh ubuntu ubuntu-pwsh ubi-fips]'
   script:
-  - make runner-bin-fips GOOS=$GOOS GOARCH=$GOARCH
+  - apt-get update -yq && apt-get install -yq parallel time p7zip-full
+  - make prebuilt-helper-images
+  - ls -alh out/helper-images/
   artifacts:
     paths:
-      - out/binaries/gitlab-runner-*
+    - out/helper-images/*.tar.xz
     expire_in: 7d
-  parallel:
-    matrix:
-    - GOOS: linux
-      GOARCH: amd64
+
+runner images:
+  tags:
+    - saas-linux-2xlarge-amd64
+  extends:
+  - .docker
+  - .rules:merge_request_pipelines:no_docs
+  stage: build
+  needs:
+    - 'binaries'
+  script:
+  - ./ci/touch_git
+  - TARGETS="ubuntu alpine ubi-fips" make runner-images
+  - ls -alh out/runner-images/
+  retry: 2
+  artifacts:
+    paths:
+    - out/runner-images/
+    expire_in: 7d
+
+test images:
+  extends:
+  - .docker
+  - .rules:build:test:images:merge-requests
+  stage: build
+  needs:
+    - 'binaries'
+  script:
+  - docker buildx create --name builder --use --driver docker-container default || true
+  - echo "${CI_REGISTRY_PASSWORD}" | docker login --username "${CI_REGISTRY_USER}" --password-stdin "${CI_REGISTRY}"
+  - cd tests/dockerfiles && docker buildx bake --progress plain tests-images --set *.output="type=registry,compression=zstd"
+  - docker logout "${CI_REGISTRY}"
+
+binaries:
+  image: "${RUNNER_IMAGES_REGISTRY}/ubi-go:${RUNNER_IMAGES_VERSION}"
+  tags:
+    - saas-linux-2xlarge-amd64
+  extends:
+  - .rules:merge_request_pipelines:no_docs
+  - .go-cache
+  stage: build
+  needs: []
+  script:
+  - go mod download
+  - make -j$(($(nproc) * 2)) helper-bin helper-bin-fips runner-bin runner-bin-fips
+  artifacts:
+    paths:
+    - out/binaries/gitlab-runner*
+    expire_in: 7d
+
+clone test repo:
+  extends:
+  - .rules:merge_request_pipelines:no_docs
+  - .no_cache_and_dependencies
+  stage: build
+  image: alpine:latest
+  needs: []
+  variables:
+    GIT_STRATEGY: none
+  script:
+  - apk add git
+  - mkdir tmp
+  - succeed=0
+  - for i in {1..3}; do git clone https://gitlab.com/gitlab-org/ci-cd/gitlab-runner-pipeline-tests/gitlab-test tmp/gitlab-test && succeed=1 && break; echo "retrying"; done
+  - '[[ "$succeed" -eq 1 ]]'
+  artifacts:
+    paths:
+    - tmp/gitlab-test
+    expire_in: 7d
+
+# prepare done is used as a sentinel for "Prepare" stage completion, so we can kick off builds in later stages
+# without waiting for the completion of the Prebuild stage
+prepare done:
+  stage: build
+  extends:
+  - .stage_done