// Common container builder by ZeroDownTime

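// Build, test, scan and push a container image through the project's Makefile.
//
// Called from a Jenkinsfile as `<stepName>(trivyFail: 'HIGH,CRITICAL')`; the
// file name under vars/ decides the step name.
//
// Supported config keys:
//   trivyFail - optional. Comma-separated Trivy severities (e.g. 'HIGH,CRITICAL').
//               When set, the Scan stage fails the build if the JSON report
//               contains findings of any of these severities. When unset,
//               findings are only reported and never fail the build.
//
// Every stage delegates to a Makefile target (prepare, build, test, scan, push,
// rm-remote-untagged, clean), so project-specific behaviour belongs in the Makefile.
def call(Map config = [:]) {
  pipeline {
    options {
      disableConcurrentBuilds()
    }
    agent {
      node {
        label 'podman-aws-trivy'
      }
    }
    stages {
      stage('Prepare') {
        steps {
          // reports/ is where the Scan stage writes trivy.json / trivy.html
          sh 'mkdir -p reports'

          // we set pull tags as project adv. options
          // pull tags
          //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
          //  sh 'git fetch -q --tags ${GIT_URL}'
          //}
          // Optional project specific preparations
          sh 'make prepare'
        }
      }

      // Build using rootless podman
      stage('Build') {
        steps {
          // $GIT_BRANCH is expanded by the shell from the job environment,
          // not by Groovy (single-quoted string)
          sh 'make build GIT_BRANCH=$GIT_BRANCH'
        }
      }

      stage('Test') {
        steps {
          sh 'make test'
        }
      }

      // Scan via trivy
      stage('Scan') {
        steps {
          // we always scan and create the full json report; the severity
          // threshold (if any) is applied afterwards on this report so the
          // JSON always holds the complete finding list
          sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'

          // render custom full html report
          sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'

          // allowMissing keeps publishing best-effort: a missing HTML file must
          // not mask the result of the scan steps above
          publishHTML target: [
            allowMissing: true,
            alwaysLinkToLastBuild: true,
            keepAll: true,
            reportDir: 'reports',
            reportFiles: 'trivy.html',
            reportName: 'TrivyScan',
            reportTitles: 'TrivyScan'
          ]
          sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'

          // fail build if issues found above trivy threshold
          script {
            // null-safe: tolerates an explicit `call(null)` as well as the [:] default
            if (config?.trivyFail) {
              // Pass the threshold through the environment instead of
              // interpolating it into the sh command. A Groovy "${...}" inside
              // the sh string is expanded before the shell runs, so a config
              // value containing shell metacharacters would become part of the
              // command line; as an environment variable it stays plain data.
              withEnv(["TRIVY_SEVERITY=${config.trivyFail}"]) {
                sh 'trivy convert --report summary --exit-code 1 reports/trivy.json'
              }
            }
          }
        }
      }

      // Push to container registry if not PR
      // incl. basic registry retention removing any untagged images
      stage('Push') {
        when { not { changeRequest() } }
        steps {
          sh 'make push'
          sh 'make rm-remote-untagged'
        }
      }

      // generic clean
      // NOTE: as a regular stage this only runs when every stage before it
      // succeeded; a failed build leaves the workspace and local images in
      // place. Move to `post { always { ... } }` if cleanup on failure is wanted.
      stage('cleanup') {
        steps {
          sh 'make clean'
        }
      }
    }
  }
}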