RAIDERS
of the LOST CICD

and the quest of the
INNERSOURCE GRAAL

Speaker

Matthieu VINCENT

Tech Advocate

GitLab Hero
R2Devops Ambassador
Volcamp co-cofounder

Disclaimer

We will made our demo with Golang & GitLab, because we love Gophers & Tanukis.

But all we explain in this talk can be applied to other programming languages and adapted to other platforms (Github, …)

At the beginning…
🎬

A lonely raider working on his project

Speaker

Thomas BONI

CTO & Co-Founder

R2Devops Co-Founder
CI/CD Endurer

A lonely raider working on his project

His hardcoded CI

stages:
  - test
  - build

[...]
go_dependency_scanning:
  stage: test
  image:
    name: aquasec/trivy:0.55.2
    entrypoint: [""]
  script:
    - trivy fs --exit-code 1 --severity "MEDIUM,HIGH,CRITICAL" ./

go_sast:
  stage: test
  image: securego/gosec:2.21.3
  script:
    - gosec ./...

build_container_image:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:v1.23.2-debug
    entrypoint: ['']
  script:
[...]

🦊 GitLab CI documentation
➡️ Full example available here

but there is another raider with an idea

GitLab CI component

Introduced recently in GitLab (v17.0 - 2024)
A new approach to build reusable jobs (like GitHub actions)
Easily extensible, versionned
You can document them, even test them !

A quick sample

spec:
  inputs:
    stage:
      default: test
---
go_lint:
  stage: $[[ inputs.stage ]]
  image: golangci/golangci-lint:v1.61-alpine
  script:
    - golangci-lint run --timeout 5m -v

🦊 GitLab Components
🔗 Components source code

When they realized that they add the same goal but they didn't know

Reuse the components

From 57 lines to 14 🤯

stages:
  - test
  - build

include:
  - component: gitlab.com/yodamad-workshops/[...]/go_lint@0.1.1
    inputs:
      stage: build
  - component: gitlab.com/yodamad-workshops/[...]/dockerfile_lint@0.1.0
  - component: gitlab.com/yodamad-workshops/[...]/go_unit-tests@0.1.0
  - component: gitlab.com/yodamad-workshops/[...]/secret_detection@0.1.0
  - component: gitlab.com/yodamad-workshops/[...]/go_dependency_scanning@0.1.0
  - component: gitlab.com/yodamad-workshops/[...]/go_sast@0.1.0
  - component: gitlab.com/yodamad-workshops/[...]/build_container_image@0.1.0

Now, they ride the same boat in the chaos

GitLab native CICD catalog ?

A dashboard to view all components available on GitLab
Quick overview of a component and the jobs it contains
but …
- it can be not that clear to find what we need
- it is complicated to know the "good" components (certified by your organization, secure, used..)

🔗 GitLab.com CICD Catalog

They find the Graal ! Innersource approach to save their world

R2Devops to the rescue

A platform to easily vizualize CICD components catalog within a company
Track usage of all component to know their maturity

Demo !

🔗 Demo available here
ℹ️ All features shown are free ones on the platform

Moral of the story
🧙🏻‍♂️

Why InnerSource approach for CICD

CI/CD pipelines are now the spine of security and delivery
It’s a complex field requiring extensive knowledge in different tools and usages
It’s time-consuming, evolve super fast and prone to open security breaches
- 45% of company worldwide will suffer a supply chain attack in 2025 - Gartner
InnerSource is a solution to allow everyone in a company to setup a secured CI/CD pipeline in a minute

Key points to have a successful InnerSource strategy

Duplication is an alert sign
Sharing is easy, reuse is complicated
- Think extensibility / customizable
- Think right scope / size
  - too small ➡️ not enough value
  - too big ➡️ complex to integrate, scary to onboard / understand
- Document clearly
Measure usage
CICD can be an easy way to initialize your InnerSource program 💡

Thank you !

Slides : https:/innersource-summit-2024.yodamad.fr/
Demos : https://gitlab.com/yodamad-workshops/2024/innersource-summit
@yodamad03 & @thomas_boni

RAIDERSof the LOST CICD

Disclaimer

At the beginning…🎬

A lonely raider working on his project

A lonely raider working on his project

His hardcoded CI

but there is another raider with an idea

GitLab CI component

When they realized that they add the same goal but they didn't know

Reuse the components

Now, they ride the same boat in the chaos

GitLab native CICD catalog ?

They find the Graal ! Innersource approach to save their world

R2Devops to the rescue

Moral of the story🧙🏻‍♂️

Why InnerSource approach for CICD

Key points to have a successful InnerSource strategy

Thank you !

See you !

RAIDERS
of the LOST CICD

At the beginning…
🎬

Moral of the story
🧙🏻‍♂️