GitLab's Code Quality analysis template can be a convenient tool, but the
default CodeClimate-based solution has some significant drawbacks, and was
recently deprecated. This post, part 1 of a series, explores the security,
performance, and usability issues with the default Code Quality template, and
why its deprecation not a significant loss. Future parts of this series will
explore a more flexible, more adaptable, and more capable approach.
One of the challenges with deploying static sites is that there's nothing
tracking any sort of site state, including when new content is published. This
post presents a technique to identify newly published content on an Eleventy
site and sending various notifications with content-specific data.
Part 1 covered
identifying the new posts and collecting post-specific data. Part 2 covers
posting a status to Mastodon, posting a status to Bluesky, and sending an
IndexNow notification for the new page.
One of the challenges with deploying static sites is that there's nothing
tracking any sort of site state, including when new content is published. This
post presents a technique to identify newly published content on an Eleventy
site and sending various notifications with content-specific data. Part 1 covers
identifying the new posts and collecting post-specific data.
This post describes an alternative to the built-in GitLab Code Quality duplicate
or similar code analysis, which uses Code Climate. It details four significant
issues observed with the Code Climate analysis and an assessment of alternative
tools for duplication analysis. This lead to the creation of a new project using
PMD Copy/Paste Detector (CPD)
that returns a GitLab Code Quality formatted report.
After recently learning Go, and about to start my first project, I started
putting together a GitLab CI pipeline for Go projects. After scouring the
Internet, I found mostly old posts on the subject. The posted pipelines, as well
as numerous actual Go project pipelines, were missing jobs in my set of goals
for a CI pipeline. So I built this GitLab CI pipeline for Go projects.
GitLab continues to migrate Static Application Security Testing (SAST) to
Semgrep, and makes this available to all GitLab tiers. This analysis only
includes the rules that GitLab manages, but there are many more available in the
Semgrep Rules project. This post
details how to combine the two to get a more comprehensive analysis.
A lot has happened in the last year - the resurgence of this blog, I created six
new software projects, and I shipped almost 200 software releases. In addition,
I learned Go, started publishing NPM packages with provenance, and generative AI
and large language models took over the world. This post reviews it all.
GitLab's
license approval policies
provide a powerful and flexible means of managing dependency license approvals.
Using these policies requires performing GitLab's Dependency Scanning to
generate and report a Software Bill of Materials (SBOM). For the cases where
there are no dependencies, Dependency Scanning is not run, no SBOM is created,
and the license policies are considered failed and require approval. For
projects without dependencies this is an added hassle, and this post proposes a
solution.
With it's default configuration, Renovate does a great job of managing container
image tag updates. One limitation is that for updates that include an OS in the
tag, for example the Alpine Linux version in python:3.11.3-alpine3.17,
Renovate only updates Python image tags matching that version, which may limit
updates, and doesn't identify any OS updates. This post details how to configure
Renovate to work around that limitation for Alpine images.
Bin Tester v4.0.0 was released today with several noteworthy changes, including
changing the function exports, changing the argument to the test functions,
adding TypeScript type declarations, and deprecating support for Node 14 and 19.
This post details the GitLab CI pipeline used for this blog, which is built with
Eleventy. It's based on a collection of GitLab CI
templates that have evolved over several years for my published NPM packages
with a collection of end-to-end tests used for web applications and a few unique
jobs added specifically for Eleventy and Nunjucks templates. It's meant as an
illustration of a reasonably comprehensive CI pipeline for an Eleventy static
site, maximizing the level of automated testing, leveraging built-in GitLab
capabilities where practical, and optimizing parallelization and pipeline speed.
There are some cases where the expected outcome of a CI job script is failure.
One prominent use case is the testing of tools and container images that are
intended for CI-based analyses. This post details techniques for GitLab CI
scripts that allow the job to pass when the script fails to accurately reflect
the expected result.
GitLab Pages
provide an easy means of deploying a site hosted on GitLab, but GitLab does not
provide support for creating Review Apps for a Pages site. This post outlines a
reusable technique to work around that and setup Review Apps with
Eleventy to enable creation of a unique, browsable
instance of a site with the changes in a merge request.
GitLab Releaser v5.0.0 was released today with several noteworthy changes,
including failing if an empty release description is pulled from the CHANGELOG
and a new CLI option to specify the CHANGELOG path.
Google Chrome's Lighthouse tool is a great resource in the browser and has
become the standard for basic performance and best-practice metrics on websites.
While useful in the browser, a good continuous integration (CI) pipeline
includes all the testing practical to identify any issues as early as possible.
To that end, this post details how to run Lighthouse via the CLI in GitLab CI
and collect a GitLab metrics report so any changes are reported in merge
requests.
It's been well over a decade since I kept a blog here. That's a lifetime or two
in software development, but I've missed writing and decided it's time to bring
it back. So, this is the kick-off to incentivize me to write more. And it never
hurts to have another new project to work on, and something with more web
front-end work, that is developing a site with
Eleventy, hosted on GitLab pages, optimizing the use of
GitLab's tooling, and extensive use of automation with GitLab CI.
Aaron Goldenthal