forked from gitlabform/gitlabform
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.yml
392 lines (361 loc) · 16.1 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
# This key prevents GitLabForm from actually using this config.
# Please remove it if you create your config as a copy of this file.
example_config: true
# GitLab API access config
gitlab:
# You can also set in your environment GITLAB_URL
url: https://gitlab.yourcompany.com
# You can also set in your environment GITLAB_TOKEN
# this can be both private token OR OAuth2 access token
token: "<private token of an admin user>"
# GitLab API version. As of now only 4 is supported.
api_version: 4
# SSL will be verified by default, you can turn checks off by passing `ssl_verify: false`
ssl_verify: true
# timeout, defaults to 10
timeout: 10
#
# You can define settings on 3 levels here:
# * common - for ALL projects in ALL groups
# * group/subgroup - for ALL projects in selected group/subgroup (recursively)
# * project - for single projects
#
# Each level is optional.
#
# To generate effective settings to apply for a given project, if it is configured on more than one level
# (for example you run it for "my-group/my-project" with the example configuration below, where this project will
# take configuration from all 3 levels), GitLabForm will merge those configurations.
#
# Merging is additive, so for sections like `deploy_keys`, `secret_variables`, `hooks' on each lower level
# the effective configuration will contain elements from higher levels plus elements from lower levels.
#
# Exception: when `skip: true` is set on a more specific level, given config section is not set AT ALL for given project.
#
common_settings:
# common settings for ALL projects in ALL groups
# keys and values here are as described at https://docs.gitlab.com/ee/api/project_level_variables.html#create-variable
secret_variables:
# this name is not actually used, it's just for you
a_secret_you_want_to_add_to_all_projects_in_your_gitlab_instance:
key: A_VERY_COMMONLY_USED_PASSWORD
value: "ThisIsAVerySecretPassword"
delete: false # Set to true to delete this variable
# keys and values here are as described at https://docs.gitlab.com/ee/api/group_level_variables.html#create-variable
group_secret_variables:
# this name is not actually used, it's just for you
a_secret_you_want_to_add_to_all_groups_in_your_gitlab_instance:
key: A_VERY_COMMONLY_USED_PASSWORD
value: "ThisIsAVerySecretPassword"
variable_type: env_var #or file
protected: false #
delete: false # Set to true to delete this variable
group_settings:
# settings for ALL projects in 'my-group' group
"my-group":
deploy_keys:
# this name is not actually used, it's just for you
a_friendly_deploy_key_name:
# you have to pass whole SSH key content here even if GitLab already has this key added and you just assign it
# to another project here
# this is a limitation of GitLab API
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB2QKx6BPzL (...)"
title: ssh_key_name_that_is_shown_in_gitlab
# note that you can set this to `true` or `false` only on the first assignment of the key / its creation
# see https://gitlab.com/gitlab-org/gitlab-ce/issues/30021#note_39567845
# this is a limitation of GitLab API
can_push: false
# this name is not actually used, it's just for you
another_friendly_deploy_key_name:
key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDtbyEK66RXg (...)"
title: other_ssh_key_name_that_is_shown_in_gitlab
can_push: false
# keys and values here are as described at https://docs.gitlab.com/ee/api/project_level_variables.html#create-variable
secret_variables:
# this name is not actually used, it's just for you
a_friendly_secret_variable_name:
key: SSH_PRIVATE_KEY_BASE64
value: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUl (...)"
# keys and values here are as described at https://docs.gitlab.com/ee/api/group_level_variables.html#create-variable
group_secret_variables:
# this name is not actually used, it's just for you
a_secret_you_want_to_add_to_all_projects_in_your_gitlab_instance:
key: A_VERY_COMMONLY_USED_PASSWORD
value: "ThisIsAVerySecretPassword"
protected: true
# note that there are extra requirements for variables to be "masked",
# see https://docs.gitlab.com/ee/ci/variables/#masked-variable-requirements
masked: true
# keys and values here are as described at https://docs.gitlab.com/ce/api/projects.html#edit-project
project_settings:
jobs_enabled: true
public_jobs: false # "Public pipelines" checkbox in GitLab web UI
visibility: internal
only_allow_merge_if_pipeline_succeeds: true
only_allow_merge_if_all_discussions_are_resolved: true
# Container Registry cleanup policies
# https://docs.gitlab.com/ee/user/packages/container_registry/#use-the-cleanup-policy-api
container_expiration_policy_attributes:
cadence: "1month"
enabled: true
keep_n: 1
older_than: "14d"
name_regex: ""
name_regex_delete: ".*"
name_regex_keep: ".*-master"
# See https://docs.gitlab.com/ee/push_rules/push_rules.html#enabling-push-rules
project_push_rules:
commit_message_regex: 'Fixes \d +'
branch_name_regex: ""
deny_delete_tag: false
member_check: false
prevent_secrets: false
author_email_regex: ""
file_name_regex: ""
max_file_size: 0 # in MB, 0 means unlimited
# *** This section requires GitLab EE 10.6+ ***
merge_requests:
# keys and values here are as described at
# https://docs.gitlab.com/ee/api/merge_request_approvals.html#change-configuration
# (note that some Merge Requests-related settings are set in project_settings! read linked gitlab API docs for details)
approvals:
approvals_before_merge: 2
reset_approvals_on_push: true
disable_overriding_approvers_per_merge_request: true
# below settings are using https://docs.gitlab.com/ee/api/merge_request_approvals.html#change-allowed-approvers
# but instead of user and group ids ONLY use usernames and full groups/subgroup paths here
# if neither 'approvers' or 'approver_groups' below are set, approvers are NOT managed by gitlabform
# you DON'T have to provide both
approvers:
- user1
- user2
approver_groups:
- my-group
- my-group1/subgroup
- my-group2/subgroup/subsubgroup
# keys names are branches names and values can be as shown below
branches:
develop:
# this will unprotect a branch if it is protected currently
protected: false
branch_only_protected_from_deletion:
protected: true
developers_can_push: true
developers_can_merge: true
branch_completely_protected_from_developers:
protected: true
developers_can_push: false
developers_can_merge: false
brach_protected_from_direct_pushes_from_developers_but_with_merges_allowed:
protected: true
developers_can_push: false
developers_can_merge: true
# below setup is probably not very useful but we are adding it for completeness
branch_protected_from_but_with_direct_pushes_from_developers_allowed:
protected: true
developers_can_push: true
developers_can_merge: false
branch_protected_from_direct_pushes_from_everyone_but_with_merges_allowed:
protected: true
push_access_level: 0 # = No access, see "valid access levels" at https://docs.gitlab.com/ee/api/members.html
merge_access_level: 30 # Developer
unprotect_access_level: 40 # Maintainer
# note: protecting using wildcards works only when using the new API, with the dict keys like below
'*-branch_protected_from_direct_pushes_from_no_one_but_with_merges_allowed_configured_using_wildcard':
protected: true
push_access_level: 0 # No access
merge_access_level: 30 # Developer
unprotect_access_level: 40 # Maintainer
# this is for adding/changing the access level of group members - only users can be them
# for removing users please see the flag below.
#
# keys names are user names and values are as parameters described at
# https://docs.gitlab.com/ee/api/members.html#add-a-member-to-a-group-or-project
group_members:
my-user:
access_level: 50 # = Owner, see "valid access levels" at https://docs.gitlab.com/ee/api/members.html
# if this flag is set to 'true', then removing a user the above config will remove the user from the group
# note: you have to keep at least 1 user with Owner level (50) - it's required by GitLab
enforce_group_members: true # default: false
# keys names are tags names and values are as parameters described at
# https://docs.gitlab.com/ee/api/protected_tags.html
tags:
"v*":
protected: true
create_access_level: 40 # = Maintainer, see "valid access levels" at https://docs.gitlab.com/ee/api/members.html
# service names are as in the endpoints described at https://docs.gitlab.com/ce/api/services.html
# hashes under those name correspond to the parameters described for given service there
# except where services are deleted with `delete: true`
services:
slack:
delete: true
drone-ci:
delete: true
jira:
active: true
url: https://jira.yourcompany.com
username: foo
password: bar
# key names here are hook URLs and values are as parameters described at
# https://docs.gitlab.com/ee/api/projects.html#edit-project-hook
# except where hooks are deleted with `delete: true`
hooks:
"http://host.domain.com/some-old-hook-you-want-to-remove-from-config":
delete: true
"http://127.0.0.1:5000/hooks/merge-request":
push_events: false # this is set to true by GitLab API by default
merge_requests_events: true
token: some_secret_auth_token
# with this configuration section you can ensure that some files with appropriate content are in some or all
# branches (or that they are NOT there)
# note that this is gitlabform-specific feature, it DOES NOT directly correspond to GitLab API like other sections
# (although it uses https://docs.gitlab.com/ee/api/repository_files.html)
files:
"README.md":
overwrite: false
branches:
- develop
# this will prevent the commit that applies this file change triggering CI build
# default is `false`, so a file change WILL trigger CI build
skip_ci: true
content: |
This is a default README. Please replace it with a proper one!
".gitlab-ci.yml":
overwrite: true
branches: all
content: |
stages:
- test
test:
image: node:6
stage: test
script:
- npm test
"other-file":
overwrite: true
branches: all
# You can provide file contents with external file too. Both absolute and relative paths are supported.
# Relative paths are interpreted as relative to `config.yml` file location.
file: some-file.txt
"file-using-templating":
overwrite: true
branches: all
content: |
Simple templating is supported via jinja2 with two default variables
{{ project }} will be replaced by project name, while {{ group }} by a group name.
All occurences will be replaced.
"file-escape-templating":
branches: all
template: no
content: |
{{ project }} will be rendered literally
"file-with-custom-variable":
branches: all
content: |
{{ foo }} and {{ bar }} are defined by you, but currently only dict is supported for jinja_env.
Group: {{ group }} and project: {{ project }} are always accessable by jinja.
jinja_env:
foo: "fooz"
bar: "barz"
"file-to-set-in-protected-branches":
branches: protected
content: |
This file will be added to all protected branches.
# settings for ALL projects in 'old-projects-group' group
old-projects-group:
# this will archive all the projects in the 'old-projects-group' group
project:
archive: true
group-with-spammy-projects:
# configures settings for the 'group-with-spammy-projects' group
group_settings:
# keys and values here are as described at https://docs.gitlab.com/ee/api/groups.html#update-group
emails_disabled: true
project_settings:
# settings specific to 'my-group/my-project1' project
"my-group/my-project1":
project_settings:
# this will make this project settings set to values defined on a group level, but with this single parameter
# overriden
visibility: private
deploy_keys:
# see comment above - this key will be ADDED to the keys configured on a group level
one_more_deploy_key:
key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDB2QKx6BPzL...
title: ssh_key_name_that_is_shown_in_gitlab_3
can_push: false
branches:
# see comment above - this branch config will be ADDED to the branches configured on a group level
special_branch:
protected: true
developers_can_push: false
developers_can_merge: true
hooks:
skip: true # this will skip whole hooks config *section* for this project, although it is set on group level
files:
"some-file":
overwrite: true
branches:
- develop
- master
# setting below value to `true` will make this file be set only for the first *existing* branch in the list above
only_first_branch: true
content: |
We want this file to be set only in the first existing branch from the branch list above.
"some-path/garbage-file":
delete: true
branches:
- develop
- master
skip_ci: true
"other-file":
skip: true # this will skip processing this *single file* in case it is configured on a group level
# this is for adding/changing the access level of project members - groups or users
# note: removing members from the config DOES NOT remove their access!
#
# keys names are members/groups names and values are as parameters described at
# https://docs.gitlab.com/ee/api/projects.html#share-project-with-group
# https://docs.gitlab.com/ee/api/members.html#add-a-member-to-a-group-or-project
members:
groups:
my-group:
group_access: 40 # = Maintainer, see "valid access levels" at https://docs.gitlab.com/ee/api/members.html
my-other-group/subgroup:
group_access: 40 # Maintainer
users:
my-user:
access_level: 40 # Maintainer
expires_at: 2019-09-26
# this is for adding/changing/deleting pipeline schedules
#
# keys names are schedule descriptions and values are parameters described at
# https://docs.gitlab.com/ee/api/pipeline_schedules.html
#
# note: if there multiple pipeline schedules with the same description in GitLab project, corresponding entry
# will cause those schedules to be DELETED and replaced with the one from the configuration
# if there is exactly one schedule with the corresponding description, only parameters provided in the configuration
# will be updated
#
# timezone defaults to 'UTC', valid values must be supported by ActiveSupport::TimeZone and can be taken e.g.
# from https://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html
schedules:
"Some schedule":
ref: master
cron: "0 * * * MON-FRI"
cron_timezone: "London"
active: false
"Another schedule":
ref: develop
cron: "0 * * * *"
variables:
some_variable:
value: some_value
variable_type: file # optional parameter, defaults to 'env_var'
other_variable:
value: another_value
# this will skip these projects from being processed
skip_projects:
- my-group/this-project-will-not-be-processed-with-gitlabform-when-running-for-my-group
- my-group/and-this-too
# this will skip these groups from being processed
skip_groups:
- my-other-group