diff --git a/.ci/README.md b/.ci/README.md index e08d660..689e535 100644 --- a/.ci/README.md +++ b/.ci/README.md @@ -2,6 +2,22 @@ Various toolchain bits and pieces shared between projects +# Quickstart +Create top-level Makefile +``` +REGISTRY := +IMAGE := +REGION := + +include .ci/podman.mk +``` + +Add subtree to your project: +``` +git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash +``` + + ## Jenkins Shared groovy libraries diff --git a/.ci/podman.mk b/.ci/podman.mk index 6f2bdcd..3e8b720 100644 --- a/.ci/podman.mk +++ b/.ci/podman.mk @@ -2,6 +2,8 @@ GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null) TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//') +# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }') + ifeq ($(TRIVY_REMOTE),) TRIVY_OPTS := image else 
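Review bot: The new comment describes EXTRA_TAGS, but the variable itself is never declared in this file, so the knob is invisible to `make -p` and to `--warn-undefined-variables`; a `EXTRA_TAGS ?=` line directly under the comment makes it discoverable and matches the `?=` convention already used for TAG on the line above. The comment text would also read more clearly as `# EXTRA_TAGS is expected to be set by the caller, e.g. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')`, which keeps the `$$1`/`$$2` form that is needed inside `$(shell …)`.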
@@ -12,25 +14,23 @@ endif all: test - build: - @docker image exists $(IMAGE):$(TAG) || \ - docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) . + @docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \ + docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) . test: build rm-test-image @test -f Dockerfile.test && \ - docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \ + { docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \ + docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \ echo "No Dockerfile.test found, skipping test" scan: build - @echo "Scanning $(IMAGE):$(TAG) using Trivy" - @trivy $(TRIVY_OPTS) $(IMAGE):$(TAG) + @echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy" + @trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG) push: build @aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY) - @docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest - docker push $(REGISTRY)/$(IMAGE):$(TAG) - docker push $(REGISTRY)/$(IMAGE):latest + @for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done clean: rm-test-image rm-image 
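Review bot: The push loop tags from `$(IMAGE):$(TAG)`, but build now only produces `$(REGISTRY)/$(IMAGE):$(TAG)`, so unless an unprefixed image is left over from an older build the first `docker tag` fails; the source should be `docker tag $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t`, and the same stale unprefixed name survives in the `rm-test-image` context lines of the next hunk, so the `-test` image built here is no longer removed by `clean`. Because a `for` loop's exit status is that of its last iteration, a failed push of `$(TAG)` is masked when `latest` succeeds, so the loop body needs a `|| exit 1`. In the test recipe the `&& { …; } || echo` form now also wraps `docker run`, so a failing test prints "No Dockerfile.test found" and exits 0, which means neither `test` nor `all` can fail the pipeline; an if/else keeps the skip message while letting failures propagate. `docker run --env-host` copies the runner's entire environment into the test container, including whatever credentials the job holds for the push step, so the variables the tests need should be passed explicitly with `-e` instead.
```make
test: build rm-test-image
	@if test -f Dockerfile.test; then \
	  docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
	  docker run --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test; \
	else \
	  echo "No Dockerfile.test found, skipping test"; \
	fi

# … unchanged: scan target …

push: build
	# … unchanged: ecr-public login …
	@for t in $(TAG) latest $(EXTRA_TAGS); do \
	  echo "tag and push: $$t"; \
	  docker tag $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t || exit 1; \
	done
```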
@@ -51,5 +51,14 @@ rm-test-image: @test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null @test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed" +# Convience task during dev of downstream projects +.PHONY: ci-pull-upstream +ci-pull-upstream: + git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop + +.PHONY: create-repo +create-repo: + aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION) + .DEFAULT: @echo "$@ not implemented. NOOP" diff --git a/.ci/vars/buildPodman.groovy b/.ci/vars/buildPodman.groovy index 8479c1d..14a1b90 100644 --- a/.ci/vars/buildPodman.groovy +++ b/.ci/vars/buildPodman.groovy @@ -48,8 +48,14 @@ def call(Map config=[:]) { reportTitles: 'TrivyScan' ] - // Scan again and fail on CRITICAL vulns - sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + // Scan again and fail on CRITICAL vulns, if not overridden + script { + if (config.trivyFail == 'NONE') { + echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' + } else { + sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + } + } } }
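Review bot: `ci-pull-upstream`'s `git stash && … && git stash pop` misbehaves on a clean tree: `git stash` then saves nothing but still exits 0, and the trailing `git stash pop` applies whatever older entry happens to be on the stash stack; conversely, if the subtree pull fails the developer's changes stay stashed because the pop is never reached. Stash only when the tree is dirty, and pop only what this recipe stashed, regardless of the pull's outcome. Note also that the README quickstart in this commit adds the subtree over https while this target pulls over ssh, which is fine for a dev convenience but worth a comment so the two URLs are not "fixed" to match by accident. `create-repo` will fail when the repository already exists, which is presumably the intended one-shot use but deserves a line in the comment.
```make
# Convenience task during dev of downstream projects; stashes only if dirty and always restores
.PHONY: ci-pull-upstream
ci-pull-upstream:
	@git diff --quiet HEAD && stashed=0 || { git stash && stashed=1; }; \
	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash; rc=$$?; \
	[ "$$stashed" = 0 ] || git stash pop; exit $$rc
```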
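Review bot: `config.trivyFail` is still interpolated unquoted into the `sh` command string, so a value carrying shell metacharacters is executed as part of the command; since the only meaningful values are Trivy severity names (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL, comma-separated), validate it before use, e.g. `if (!(config.trivyFail ==~ /^[A-Z,]+$/)) error("invalid trivyFail: ${config.trivyFail}")`, or hand it over via `withEnv(["TRIVY_SEVERITY=${config.trivyFail}"])` with a single-quoted `sh 'TRIVY_EXIT_CODE=1 make scan'` so it never reaches the shell as code. A missing `trivyFail` interpolates as the literal string `null`, which is neither NONE nor a severity; if `call()` does not default it earlier (its start is outside the hunk), `config.trivyFail ?: 'CRITICAL'` would match what the comment promises. The NONE branch only echoes and the build stays green, so the disabled gate is easy to miss in the job history; setting `currentBuild.result = 'UNSTABLE'` alongside the echo makes the override visible.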