Merge commit 'c69ea98418d324d44507c9c9793cdaa313e35a8d'

.ci/README.md

@@ -2,6 +2,22 @@
 
 Various toolchain bits and pieces shared between projects
 
+# Quickstart
+Create top-level Makefile
+```
+REGISTRY := <your-registry>
+IMAGE := <image_name>
+REGION := <AWS region of your registry>
+
+include .ci/podman.mk
+```
+
+Add subtree to your project:
+```
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
+```
+
+
 ## Jenkins
 Shared groovy libraries
 

.ci/podman.mk

@@ -2,6 +2,8 @@
 GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
 TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
 
+# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
+
 ifeq ($(TRIVY_REMOTE),)
   TRIVY_OPTS := image
 else
@@ -12,25 +14,23 @@ endif
 
 all: test
 
-
 build:
-	@docker image exists $(IMAGE):$(TAG) || \
-		docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
+	@docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \
+		docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
 
 test: build rm-test-image
 	@test -f Dockerfile.test && \
-		docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \
+		{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
+			docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \
 		echo "No Dockerfile.test found, skipping test"
 
 scan: build
-	@echo "Scanning $(IMAGE):$(TAG) using Trivy"
-	@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
+	@echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy"
+	@trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)
 
 push: build
 	@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
-	@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
-	docker push $(REGISTRY)/$(IMAGE):$(TAG)
-	docker push $(REGISTRY)/$(IMAGE):latest
+	@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done
 
 clean: rm-test-image rm-image
 
@@ -51,5 +51,14 @@ rm-test-image:
 	@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
 	@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
 
+# Convience task during dev of downstream projects
+.PHONY: ci-pull-upstream
+ci-pull-upstream:
+	git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
+
+.PHONY: create-repo
+create-repo:
+	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
+
 .DEFAULT:
 	@echo "$@ not implemented. NOOP"

.ci/vars/buildPodman.groovy

@@ -48,8 +48,14 @@ def call(Map config=[:]) {
               reportTitles: 'TrivyScan'
             ]
 
-            // Scan again and fail on CRITICAL vulns
-            sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
+            // Scan again and fail on CRITICAL vulns, if not overridden
+            script {
+              if (config.trivyFail == 'NONE') {
+                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
+              } else {
+                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
+              }
+            }
           }
         }