cici-tools 0.17.1__tar.gz → 0.18.0__tar.gz

{cici_tools-0.17.1 → cici_tools-0.18.0}/.gitlab-ci.yml

@@ -16,7 +16,7 @@ include:
   - local: cici-bundle.yml
   - local: cici-update.yml
   - project: saferatday0/library/container
-    ref: 0.8.1
+    ref: 0.9.1
     file:
       - container-docker.yml
       - container-hadolint.yml

{cici_tools-0.17.1/cici_tools.egg-info → cici_tools-0.18.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cici-tools
-Version: 0.17.1
+Version: 0.18.0
 Summary: Continuous Integration Catalog Interface
 Author-email: Digital Safety Research Institute <contact@dsri.org>
 License: Apache-2.0

{cici_tools-0.17.1 → cici_tools-0.18.0}/cici/_version.py

@@ -28,7 +28,7 @@ version_tuple: VERSION_TUPLE
 commit_id: COMMIT_ID
 __commit_id__: COMMIT_ID
 
-__version__ = version = '0.17.1'
-__version_tuple__ = version_tuple = (0, 17, 1)
+__version__ = version = '0.18.0'
+__version_tuple__ = version_tuple = (0, 18, 0)
 
-__commit_id__ = commit_id = 'ge578edc48'
+__commit_id__ = commit_id = 'g36384f791'

{cici_tools-0.17.1 → cici_tools-0.18.0}/cici/providers/gitlab/serializers.py

@@ -327,13 +327,23 @@ def dump(
     data = unpack_jobs(data)
     data = style_scalars(data)
 
+    # DEBUG
+    # job = data.get("opentofu-trivy") or {}
+    # script = job.get("script") or []
+    # if script:
+    #     print("\n[DUMP DEBUG] opentofu-trivy script[0] type:", type(script[0]))
+    #     print("[DUMP DEBUG] script[0] repr:", repr(str(script[0])))
+    #     print("[DUMP DEBUG] contains \\n\\n?:", "\n\n" in str(script[0]))
+    #     print("[DUMP DEBUG] contains \\n?:", "\n" in str(script[0]))
+    # END DEBUG
+
     # user round trip mode to preserve ruamel scalar styles (FoldedScalarString etc)
     yaml = ruamel.yaml.YAML(typ="rt")
     yaml.default_flow_style = False
     yaml.explicit_start = False
     yaml.preserve_quotes = True  # respect the quotes set in style_scalars()
     yaml.indent(mapping=2, sequence=4, offset=2)
-    yaml.width = 1000  # prevent unwanted line wrapping
+    yaml.width = 120  # prevent unwanted line wrapping
     # makes sure ruamel.yml to always emit double quoted strings """"
     yaml.representer.add_representer(DoubleQuotedScalarString, always_double_quoted)
 

{cici_tools-0.17.1 → cici_tools-0.18.0}/cici/providers/gitlab/yaml_style.py

@@ -54,9 +54,18 @@ def make_scalar_string(line: str, quote: bool = False):
 
         return FoldedScalarString(wrap_if_long(unindented))
 
-    # Commands and long lines get folded
+    # Folding long lines logic (like a script that is super long so that it does not do anything weird in the folding process)
     if unindented.startswith(("docker ", "helm ", "tar ", "curl ")):
-        return FoldedScalarString(wrap_if_long(unindented))
+        command_string = unindented.strip()
+
+        folded_scalar = FoldedScalarString(command_string)
+
+        if " | " in command_string:
+            pipe_position = command_string.index(" | ")
+            # mypy does not like fold_pos however it solves an issue that breaks the .gitlab-ci.yaml
+            folded_scalar.fold_pos = [pipe_position]  # type: ignore[attr-defined]
+
+        return folded_scalar
 
     # Multi-command sequences get folded
     if any(sym in unindented for sym in ("&&", ";", "\\")):
@@ -339,7 +348,7 @@ def style_scalars(
             "on_success",
             "on_failure",
             "manual",
-            "cobertura",  # :white_check_mark: coverage format
+            "cobertura",  # coverage format
             "sigstore",
         }
         if stripped in UNQUOTED_KEYWORDS:

{cici_tools-0.17.1 → cici_tools-0.18.0/cici_tools.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cici-tools
-Version: 0.17.1
+Version: 0.18.0
 Summary: Continuous Integration Catalog Interface
 Author-email: Digital Safety Research Institute <contact@dsri.org>
 License: Apache-2.0

{cici_tools-0.17.1 → cici_tools-0.18.0}/cici_tools.egg-info/SOURCES.txt

@@ -85,6 +85,7 @@ tests/test_expand_job_extends.py
 tests/test_import.py
 tests/test_precommit_hook_injection.py
 tests/test_resolve_targets.py
+tests/test_yaml_style.py
 tests/fixtures/gitlab/extends/simple-job.yml
 tests/fixtures/gitlab/extends/.cici/.gitlab-ci.yml
 tests/fixtures/gitlab/helm/helm-cm-push.yml

{cici_tools-0.17.1 → cici_tools-0.18.0}/pyproject.toml

@@ -66,6 +66,7 @@ profile = "black"
 
 [tool.mypy]
 python_version = "3.10"
+exclude = '(^|/)(venv|\.venv)/'
 
 [tool.setuptools.package-data]
 "cici" = ["py.typed"]

{cici_tools-0.17.1 → cici_tools-0.18.0}/requirements.txt

@@ -8,7 +8,7 @@ attrs==25.4.0
     #   referencing
 jinja2==3.1.6
     # via cici-tools (pyproject.toml)
-jsonschema==4.25.1
+jsonschema==4.26.0
     # via cici-tools (pyproject.toml)
 jsonschema-specifications==2025.9.1
     # via jsonschema

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/helm/helm-cm-push.yml

@@ -30,7 +30,8 @@ helm-cm-push:
   before_script:
     - apk add --no-cache curl
     - >-
-      curl -sS -o - https://get.helm.sh/helm-v3.8.0-linux-amd64.tar.gz | tar --strip-components 1 -xzf - linux-amd64/helm
+      curl -sS -o - https://get.helm.sh/helm-v3.8.0-linux-amd64.tar.gz
+      | tar --strip-components 1 -xzf - linux-amd64/helm
     - install helm /usr/local/bin/
     - rm -f helm
     - >-
@@ -40,8 +41,6 @@ helm-cm-push:
     - >-
       helm plugin install https://github.com/chartmuseum/helm-push
     - >-
-      helm cm-push --version "$HELM_CHART_VERSION" --app-version "$HELM_CHART_VERSION" "$HELM_CHART_PATH"
-
-      "$HELM_REPOSITORY_URL"
+      helm cm-push --version "$HELM_CHART_VERSION" --app-version "$HELM_CHART_VERSION" "$HELM_CHART_PATH" "$HELM_REPOSITORY_URL"
   rules:
     - if: $CI_COMMIT_TAG

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/helm/helm-docs.yml

@@ -27,9 +27,8 @@ helm-docs:
   before_script:
     - apk add --no-cache curl
     - >-
-      curl -sSL -o - https://github.com/norwoodj/helm-docs/releases/download/v1.7.0/helm-docs_1.7.0_Linux_x86_64.tar.gz | tar
-
-      xzf - helm-docs
+      curl -sSL -o - https://github.com/norwoodj/helm-docs/releases/download/v1.7.0/helm-docs_1.7.0_Linux_x86_64.tar.gz
+      | tar xzf - helm-docs
     - install helm-docs /usr/local/bin/
     - rm -f helm-docs
     - helm-docs --version

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/helm/helm-lint.yml

@@ -27,7 +27,8 @@ helm-lint:
   before_script:
     - apk add --no-cache curl
     - >-
-      curl -sS -o - https://get.helm.sh/helm-v3.8.0-linux-amd64.tar.gz | tar --strip-components 1 -xzf - linux-amd64/helm
+      curl -sS -o - https://get.helm.sh/helm-v3.8.0-linux-amd64.tar.gz
+      | tar --strip-components 1 -xzf - linux-amd64/helm
     - install helm /usr/local/bin/
     - rm -f helm
     - >-

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/job-variables/opentofu-development-trivy.yml

@@ -47,9 +47,8 @@ opentofu-development-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/targets-dir → cici_tools-0.18.0/tests/fixtures/gitlab/job-variables}/opentofu-module-build.yml

@@ -41,17 +41,11 @@ opentofu-module-build:
   script:
     - OPENTOFU_MODULE_NAME=$(echo "${OPENTOFU_MODULE_NAME}" | tr " _" -)
     - >-
-      tar -vczf /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz -C
-
-      ${OPENTOFU_MODULE_DIR} --exclude=./.git .
+      tar -vczf /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz -C ${OPENTOFU_MODULE_DIR}
+      --exclude=./.git .
     - >-
-      curl --fail-with-body --location --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file
-
-      /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz
-
-      ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/terraform/modules/${OPENTOFU_MODULE_NAME}/${OPENTOFU_MODULE_SYSTEM}/
-
-      ${OPENTOFU_MODULE_VERSION}/file
+      curl --fail-with-body --location --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz
+      ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/terraform/modules/${OPENTOFU_MODULE_NAME}/${OPENTOFU_MODULE_SYSTEM}/${OPENTOFU_MODULE_VERSION}/file
   cache: {}
   dependencies: []
   rules:

{cici_tools-0.17.1/tests/fixtures/gitlab/targets-dir → cici_tools-0.18.0/tests/fixtures/gitlab/job-variables}/opentofu-production-trivy.yml

@@ -47,9 +47,8 @@ opentofu-production-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/targets-dir → cici_tools-0.18.0/tests/fixtures/gitlab/job-variables}/opentofu-staging-trivy.yml

@@ -47,9 +47,8 @@ opentofu-staging-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/targets-dir → cici_tools-0.18.0/tests/fixtures/gitlab/job-variables}/opentofu-trivy.yml

@@ -46,9 +46,8 @@ opentofu-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config .
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch-amd64.yml

@@ -106,14 +106,11 @@ container-docker-multiarch-amd64:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch-arm32v6.yml

@@ -106,14 +106,11 @@ container-docker-multiarch-arm32v6:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch-arm32v7.yml

@@ -106,14 +106,11 @@ container-docker-multiarch-arm32v7:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch-arm64v8.yml

@@ -106,14 +106,11 @@ container-docker-multiarch-arm64v8:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch-i386.yml

@@ -106,14 +106,11 @@ container-docker-multiarch-i386:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker-multiarch.yml

@@ -103,14 +103,11 @@ container-docker-multiarch:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest-${CONTAINER_DOCKER_ARCH}"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg
-
-      "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH" --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION"
-
-      --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
-    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_DOCKER_MACHINE_ARCH=$CONTAINER_DOCKER_MACHINE_ARCH"
+      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --platform "$CONTAINER_DOCKER_PLATFORM"
+      --progress plain --push --tag "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+    - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}'
+      "${CONTAINER_IMAGE}-${CONTAINER_DOCKER_ARCH}")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
     - mkdir -p dist/container/arch
     - touch "dist/container/arch/${CONTAINER_DOCKER_ARCH}"

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-docker.yml

@@ -103,11 +103,9 @@ container-docker:
         _CONTAINER_OPTS="$_CONTAINER_OPTS --tag ${CONTAINER_NAME}:latest"
       fi
     - >-
-      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_PROXY=$CONTAINER_PROXY"
-
-      --build-arg "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --progress plain --push --tag
-
-      "${CONTAINER_IMAGE}" $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
+      docker buildx build --build-arg "CONTAINER_NAME=$CONTAINER_NAME" --build-arg "CONTAINER_PROXY=$CONTAINER_PROXY" --build-arg
+      "CONTAINER_VERSION=$CONTAINER_VERSION" --file "${CONTAINER_DOCKERFILE}" --progress plain --push --tag "${CONTAINER_IMAGE}"
+      $_CONTAINER_OPTS "${CONTAINER_CONTEXT}"
     - COSIGN_IMAGE_DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "$CONTAINER_IMAGE")"
     - cosign sign --yes "$COSIGN_IMAGE_DIGEST"
   id_tokens:

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/service-key/container-trivy.yml

@@ -97,15 +97,16 @@ container-trivy:
       echo "$CI_DEPENDENCY_PROXY_PASSWORD" | docker login "$CI_SERVER_HOST" -u "$CI_DEPENDENCY_PROXY_USER" --password-stdin
     - apk add --no-cache curl
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -xzf -
-
-      -C /usr/local/bin/
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -xzf - -C /usr/local/bin/
     - >-
       docker pull "${CONTAINER_IMAGE}"
     - trivy image "${CONTAINER_IMAGE}" --format json --no-progress -o "${CI_JOB_NAME_SLUG}.json"
     - trivy convert "${CI_JOB_NAME_SLUG}.json"
-    - trivy convert "${CI_JOB_NAME_SLUG}.json" --format template --template "@/usr/local/bin/contrib/gitlab.tpl" -o "${CI_JOB_NAME_SLUG}-gitlab.json"
-    - trivy convert "${CI_JOB_NAME_SLUG}.json" --format template --template "@/usr/local/bin/contrib/html.tpl" -o "${CI_JOB_NAME_SLUG}.html"
+    - trivy convert "${CI_JOB_NAME_SLUG}.json" --format template --template "@/usr/local/bin/contrib/gitlab.tpl" -o
+      "${CI_JOB_NAME_SLUG}-gitlab.json"
+    - trivy convert "${CI_JOB_NAME_SLUG}.json" --format template --template "@/usr/local/bin/contrib/html.tpl" -o
+      "${CI_JOB_NAME_SLUG}.html"
   artifacts:
     paths:
       - ${CI_JOB_NAME_SLUG}.json

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/fixtures/gitlab/targets-dir/opentofu-development-trivy.yml

@@ -47,9 +47,8 @@ opentofu-development-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/job-variables → cici_tools-0.18.0/tests/fixtures/gitlab/targets-dir}/opentofu-module-build.yml

@@ -41,17 +41,11 @@ opentofu-module-build:
   script:
     - OPENTOFU_MODULE_NAME=$(echo "${OPENTOFU_MODULE_NAME}" | tr " _" -)
     - >-
-      tar -vczf /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz -C
-
-      ${OPENTOFU_MODULE_DIR} --exclude=./.git .
+      tar -vczf /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz -C ${OPENTOFU_MODULE_DIR}
+      --exclude=./.git .
     - >-
-      curl --fail-with-body --location --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file
-
-      /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz
-
-      ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/terraform/modules/${OPENTOFU_MODULE_NAME}/${OPENTOFU_MODULE_SYSTEM}/
-
-      ${OPENTOFU_MODULE_VERSION}/file
+      curl --fail-with-body --location --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file /tmp/${OPENTOFU_MODULE_NAME}-${OPENTOFU_MODULE_SYSTEM}-${OPENTOFU_MODULE_VERSION}.tgz
+      ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/terraform/modules/${OPENTOFU_MODULE_NAME}/${OPENTOFU_MODULE_SYSTEM}/${OPENTOFU_MODULE_VERSION}/file
   cache: {}
   dependencies: []
   rules:

{cici_tools-0.17.1/tests/fixtures/gitlab/job-variables → cici_tools-0.18.0/tests/fixtures/gitlab/targets-dir}/opentofu-production-trivy.yml

@@ -47,9 +47,8 @@ opentofu-production-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/job-variables → cici_tools-0.18.0/tests/fixtures/gitlab/targets-dir}/opentofu-staging-trivy.yml

@@ -47,9 +47,8 @@ opentofu-staging-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config "${OPENTOFU_ROOT}/plan.json"
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1/tests/fixtures/gitlab/job-variables → cici_tools-0.18.0/tests/fixtures/gitlab/targets-dir}/opentofu-trivy.yml

@@ -46,9 +46,8 @@ opentofu-trivy:
     - cd "${OPENTOFU_ROOT}"
   script:
     - >-
-      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar -C
-
-      /usr/local/bin/ -xzf - trivy
+      curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz
+      | tar -C /usr/local/bin/ -xzf - trivy
     - trivy config .
   cache:
     key: $OPENTOFU_STATE_NAME

{cici_tools-0.17.1 → cici_tools-0.18.0}/tests/test_precommit_hook_injection.py

@@ -14,7 +14,7 @@ targets:
   - name: D
 """
 # Only some targets have hooks
-PRECOMMIT_HOOKS = {"A": {}, "C": {}}
+PRECOMMIT_HOOKS = {"A": {}, "C": {}}  # type: ignore[var-annotated]
 
 
 def _target_by_name(file_obj, name: str):
@@ -40,7 +40,7 @@ def test_precommit_hook_injection_is_name_based(
     file_obj = loads(
         CONFIG_YAML,
         gitlab_ci_jobs={},  # irrelevant for this test
-        precommit_hooks=PRECOMMIT_HOOKS,  # the thing we care about
+        precommit_hooks=PRECOMMIT_HOOKS,
     )
     target = _target_by_name(file_obj, target_name)
     # dict-or-None version

cici_tools-0.18.0/tests/test_yaml_style.py

@@ -0,0 +1,96 @@
+# SPDX-FileCopyrightText: UL Research Institutes
+# SPDX-License-Identifier: Apache-2.0
+
+import io
+
+import pytest
+import ruamel.yaml
+from ruamel.yaml.scalarstring import FoldedScalarString
+
+from cici.providers.gitlab.yaml_style import make_scalar_string
+
+
+# test the folding when handling string literals
+@pytest.mark.parametrize(
+    "command_text",
+    [
+        # long command with pipe
+        "toolA subcommand with many flags and arguments that make this command exceed "
+        "a typical width threshold | toolB --option value --another-option something",
+        # long command with multiple pipes
+        "cmd1 --foo bar --baz qux | cmd2 --long-option here | cmd3 --final-stage",
+        # long command without pipe
+        "someverylongcommandname with a lot of arguments and flags that keeps going "
+        "and going and going until it is clearly longer than any sane line width",
+        # command with && and ;
+        "step1 --flag value && step2 --another value ; step3 --final",
+    ],
+    ids=[
+        "long-command-with-pipe",
+        "long-command-with-multiple-pipes",
+        "long-command-no-pipe",
+        "long-command-with-operators",
+    ],
+)
+def test_styled_command_has_no_semantic_newlines(command_text):
+    styled = make_scalar_string(command_text)
+
+    # If folding is used, it must be display-only
+    if isinstance(styled, FoldedScalarString):
+        assert "\n" not in str(styled), (
+            "FoldedScalarString must not contain real newlines; "
+            "folding must be display-only"
+        )
+
+
+# make sure ruamel dumping never prints the blank line
+@pytest.mark.parametrize(
+    "command_text",
+    [
+        "toolA subcommand with many flags and arguments that make this command exceed "
+        "a typical width threshold | toolB --option value --another-option something",
+        "cmd1 --foo bar --baz qux | cmd2 --long-option here | cmd3 --final-stage",
+        "someverylongcommandname with a lot of arguments and flags that keeps going "
+        "and going and going until it is clearly longer than any sane line width",
+    ],
+    ids=[
+        "yaml-dump-no-blank-line-case1",
+        "yaml-dump-no-blank-line-case2",
+        "yaml-dump-no-blank-line-case3",
+    ],
+)
+def test_yaml_dump_has_no_blank_line_in_folded_scalar(command_text):
+    styled = make_scalar_string(command_text)
+
+    data = {
+        "job": {
+            "script": [styled, "echo ok"],
+        }
+    }
+
+    yaml = ruamel.yaml.YAML(typ="rt")
+    yaml.width = 120
+    yaml.indent(mapping=2, sequence=4, offset=2)
+    yaml.default_flow_style = False
+
+    out = io.StringIO()
+    yaml.dump(data, out)
+    emitted = out.getvalue()
+
+    lines = emitted.splitlines()
+
+    # Find folded scalar start
+    try:
+        folded_start = next(
+            i for i, line in enumerate(lines) if line.strip() in ("- >-", "- >")
+        )
+    except StopIteration:
+        pytest.skip("No folded scalar emitted; nothing to assert")
+
+    # Inspect a small window of the folded block
+    folded_block = lines[folded_start : folded_start + 8]
+
+    # Regression guard: no visually empty line inside folded scalar
+    assert not any(line.strip() == "" for line in folded_block[1:]), "\n".join(
+        folded_block
+    )