version v7.2.
For up-to-date documentation, see the
latest version.
GitLab pipeline
3 minute read
- Keep Your Pipelines Idempotent
- Keep Your Pipelines Fast
- Use Trusted Docker Images
Test Job Commands Locally
Before running job commands in GitLab, it’s beneficial to perform local tests. This approach offers several advantages:
- Detect and correct issues more efficiently.
- Minimize the chances of unexpected problems in GitLab.
By focusing on local testing, you can ensure a smoother operation when implementing commands in
the GitLab environment.
If you need external services to run tests, you can use docker-compose on your local environnement.
In a GitLab pipeline, you can use services keyword.
Utilize Your IDE for Pipeline Development
Utilize development tools like the VSCode Git Workflow extension to check file syntax and preview pipeline execution.
These tools can provide valuable feedback and help catch errors before they cause problems.
Avoid Using the ’latest’ Docker Image Tag
A image tagged as latest can change over time,
leading to potential inconsistencies and reproducibility issues in your pipelines.
By using specific tags for your Docker images, you can ensure your pipeline always uses the same version of the image.
Avoid Personal Token Usage: Opt for Service Accounts
Opt for dedicated service accounts instead of personal tokens for authenticating with services like Artifactory, Coverity and Sonar.
This approach enhances security, improves traceability, and ensures continuity of service.
For GitLab, you can use Group Access Tokens and Project Access Tokens .
Use Thales Trusted Container Base Images
The innersource project Thales Trusted Container Base Images which is providing base images for micro-services, tooling base image and service base image
Use NextGen CICD GitLab step
The innersource project nextgen-cicd is providing lots of golden GitLab stages (and corresponding Docker images) which abstract some complexity from tools or infra.
Use Artifactory to retrieve image from Docker Hub
See How to use Artifactory to pull images from Docker Hub.
Appropriate Use of GitLab Registry and Artifactory
Use GitLab Registry for temporary storage of artifacts that may be needed by subsequent GitLab jobs , such as pre-security analysis storage. For final artifact delivery and sharing, employ Artifactory. This ensures efficient use of resources and streamlines the development workflow.
Make Use of Caching
Caching dependencies can greatly speed up pipelines, especially for infrequent job changes. See Caching in GitLab CI/CD
Avoid Child or Multi-Project pipelines
Try to make your pipeline as simple as possible without the need for Child or Multi-Project pipelines. See also Downstream Pipelines .
However, in instances where this is unavoidable due to Separation of Duties or other requirements , strive to make the process as easy as possible. Ideally Upstream pipeline having no dependencies other than status of downstream pipeline.
Make sure, that you do not build huge artifact dependencies between parent and children
Use allow_failure Flag Responsibly
Set allow_failure flag for jobs that are accepted to fail, for example Security jobs should not block pipeline, but can be blocked before merging.
Prefer Running CI Pipelines on Merge Requests
Prioritize running CI pipelines on merge requests over short-lived branches. This approach ensures that the CI pipeline is run on code that is intended to be merged into the main branch.
Code on short-lived branches may lack stability and undergo frequent changes, leading to unnecessary and potentially misleading test results. By running tests on merge requests, developers can indicate when their changes are mature enough for automated analysis.
Use the draft mode for merge requests to indicate ongoing changes and allow time for error correction before the full code review.