Merge commit 'c69ea98418d324d44507c9c9793cdaa313e35a8d'

This commit is contained in:
Stefan Reimer 2022-07-11 11:18:36 +00:00
commit 9d26711bc4
3 changed files with 42 additions and 11 deletions

View File

@ -2,6 +2,22 @@
Various toolchain bits and pieces shared between projects
# Quickstart
Create top-level Makefile
```
REGISTRY := <your-registry>
IMAGE := <image_name>
REGION := <AWS region of your registry>
include .ci/podman.mk
```
Add subtree to your project:
```
git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
```
## Jenkins
Shared groovy libraries

View File

@ -2,6 +2,8 @@
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')
ifeq ($(TRIVY_REMOTE),)
TRIVY_OPTS := image
else
@ -12,25 +14,23 @@ endif
all: test
build:
@docker image exists $(IMAGE):$(TAG) || \
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
@docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \
docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
test: build rm-test-image
@test -f Dockerfile.test && \
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \
{ docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \
echo "No Dockerfile.test found, skipping test"
scan: build
@echo "Scanning $(IMAGE):$(TAG) using Trivy"
@trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
@echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy"
@trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG)
push: build
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
docker push $(REGISTRY)/$(IMAGE):$(TAG)
docker push $(REGISTRY)/$(IMAGE):latest
@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done
clean: rm-test-image rm-image
@ -51,5 +51,14 @@ rm-test-image:
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
# Convience task during dev of downstream projects
.PHONY: ci-pull-upstream
ci-pull-upstream:
git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop
.PHONY: create-repo
create-repo:
aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)
.DEFAULT:
@echo "$@ not implemented. NOOP"

View File

@ -48,8 +48,14 @@ def call(Map config=[:]) {
reportTitles: 'TrivyScan'
]
// Scan again and fail on CRITICAL vulns
sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
// Scan again and fail on CRITICAL vulns, if not overridden
script {
if (config.trivyFail == 'NONE') {
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
} else {
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
}
}
}
}