From c69ea98418d324d44507c9c9793cdaa313e35a8d Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Mon, 11 Jul 2022 11:18:36 +0000 Subject: [PATCH] Squashed '.ci/' changes from b6fea5a..cb5faca cb5faca feat: add create-repo task to ease bootstrapping new project 49ea8c8 feat: Add support for custom EXTRA_TAGS dc2c208 fix: use absolute image URLs for some tasks bc72735 docs: add quickstart 98c8ec1 Feat: Execute tests via docker run rather than at the end of the test build process d6b2fb4 feat: improve messaging if Trivy fail is skipped git-subtree-dir: .ci git-subtree-split: cb5facae6c19643fbb08b90416c6b5917b666a46 --- README.md | 16 ++++++++++++++++ podman.mk | 27 ++++++++++++++++++--------- vars/buildPodman.groovy | 10 ++++++++-- 3 files changed, 42 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index e08d660..689e535 100644 --- a/README.md +++ b/README.md @@ -2,6 +2,22 @@ Various toolchain bits and pieces shared between projects +# Quickstart +Create top-level Makefile +``` +REGISTRY := +IMAGE := +REGION := + +include .ci/podman.mk +``` + +Add subtree to your project: +``` +git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash +``` + + ## Jenkins Shared groovy libraries diff --git a/podman.mk b/podman.mk index 6f2bdcd..3e8b720 100644 --- a/podman.mk +++ b/podman.mk @@ -2,6 +2,8 @@ GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null) TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//') +# EXTRA_TAGS supposed to be set at the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }') + ifeq ($(TRIVY_REMOTE),) TRIVY_OPTS := image else 
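Review bot: The new comment describes EXTRA_TAGS but nothing declares it, so a caller that does not set it leaves the variable undefined (noisy under `--warn-undefined-variables`), and the comment does not say that it is a space-separated list consumed by the shell loop in `push`. Pairing the comment with an empty default makes both explicit: `# EXTRA_TAGS: optional space-separated list of additional tags to push, set by the caller, eg. $(shell echo $(TAG) | awk -F '.' '{ print $$1 "." $$2 }')` followed by `EXTRA_TAGS ?=`.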
@@ -12,25 +14,23 @@ endif all: test - build: - @docker image exists $(IMAGE):$(TAG) || \ - docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) . + @docker image exists $(REGISTRY)/$(IMAGE):$(TAG) || \ + docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG) --build-arg TAG=$(TAG) . test: build rm-test-image @test -f Dockerfile.test && \ - docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test . || \ + { docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \ + docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; } || \ echo "No Dockerfile.test found, skipping test" scan: build - @echo "Scanning $(IMAGE):$(TAG) using Trivy" - @trivy $(TRIVY_OPTS) $(IMAGE):$(TAG) + @echo "Scanning $(REGISTRY)/$(IMAGE):$(TAG) using Trivy" + @trivy $(TRIVY_OPTS) $(REGISTRY)/$(IMAGE):$(TAG) push: build @aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY) - @docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest - docker push $(REGISTRY)/$(IMAGE):$(TAG) - docker push $(REGISTRY)/$(IMAGE):latest + @for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t; done clean: rm-test-image rm-image 
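Review bot: A failing test run still leaves the `test` target green: in `test -f Dockerfile.test && { docker build … && docker run …; } || echo "No Dockerfile.test found, skipping test"` the `||` branch also catches a failed build or a non-zero exit from `docker run`, prints the misleading "skipping" message and returns 0, so the new `docker run` step cannot fail the pipeline. An explicit if/else (below) keeps the skip path only for the missing file. `docker run --rm --env-host` also copies the whole host environment, including whatever credentials the CI job holds, into a test container built from the project-supplied Dockerfile.test; passing only the variables the tests need with `-e NAME` is the safer form. The push loop still tags from the unqualified `$(IMAGE):$(TAG)` while `build` now only produces `$(REGISTRY)/$(IMAGE):$(TAG)`, and the `rm-test-image` lines visible in the next hunk likewise use the unqualified name; whether podman's short-name lookup bridges that gap is not visible here, so the same fully-qualified name should be used throughout. Within that loop a tag or push failure on any iteration but the last is also lost, which `|| exit 1` after the push fixes.
```make
test: build rm-test-image
	@if test -f Dockerfile.test; then \
	  docker build --rm -t $(REGISTRY)/$(IMAGE):$(TAG)-test --from=$(REGISTRY)/$(IMAGE):$(TAG) -f Dockerfile.test . && \
	  docker run --rm --env-host -t $(REGISTRY)/$(IMAGE):$(TAG)-test; \
	else echo "No Dockerfile.test found, skipping test"; fi

# … unchanged: scan target and the push login line …
	@for t in $(TAG) latest $(EXTRA_TAGS); do echo "tag and push: $$t"; docker tag $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$$t && docker push $(REGISTRY)/$(IMAGE):$$t || exit 1; done
```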
@@ -51,5 +51,14 @@ rm-test-image: @test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null @test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed" +# Convience task during dev of downstream projects +.PHONY: ci-pull-upstream +ci-pull-upstream: + git stash && git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash && git stash pop + +.PHONY: create-repo +create-repo: + aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION) + .DEFAULT: @echo "$@ not implemented. NOOP" diff --git a/vars/buildPodman.groovy b/vars/buildPodman.groovy index 8479c1d..14a1b90 100644 --- a/vars/buildPodman.groovy +++ b/vars/buildPodman.groovy @@ -48,8 +48,14 @@ def call(Map config=[:]) { reportTitles: 'TrivyScan' ] - // Scan again and fail on CRITICAL vulns - sh "[ \"${config.trivyFail}\" == \"NONE\" ] || TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + // Scan again and fail on CRITICAL vulns, if not overridden + script { + if (config.trivyFail == 'NONE') { + echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...' + } else { + sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan" + } + } } }
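Review bot: The `ci-pull-upstream` recipe's `git stash && … && git stash pop` only pairs up when the working tree was dirty and the pull succeeded: with a clean tree `git stash` creates no entry yet exits 0, so the trailing `git stash pop` either fails or restores an unrelated older stash, and when `git subtree pull` fails the `&&` chain skips the pop and leaves the developer's changes stashed. Recording whether a stash was actually created and restoring it regardless of the pull's outcome (below) avoids both. `create-repo` is not idempotent either, since `aws ecr-public create-repository` errors when the repository already exists, which is worth a comment such as `# one-shot bootstrap: fails if the repository already exists`. The comment `# Convience task during dev of downstream projects` has a typo (`# Convenience task …`).
```make
ci-pull-upstream:
	@if git diff --quiet HEAD; then stashed=0; else git stash push -q && stashed=1; fi; \
	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash; rc=$$?; \
	test "$$stashed" = 1 && git stash pop -q; \
	exit $$rc
```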
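Review bot: `config.trivyFail` is still interpolated straight into the shell command on the new `sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"` line, so any shell metacharacters in that config value reach the shell; the conventional Jenkins form passes it through the environment instead, `withEnv(["TRIVY_SEVERITY=${config.trivyFail}"]) { sh 'TRIVY_EXIT_CODE=1 make scan' }`, ideally after checking the value against the Trivy severity names the pipeline accepts. The comment `// Scan again and fail on CRITICAL vulns, if not overridden` is now misleading, since the gate fails on whatever severities `trivyFail` lists; `// Scan again and fail on the severities listed in config.trivyFail (NONE disables the gate)` matches the code. The enclosing `call()` method begins before this hunk, so the default applied to `config.trivyFail` when it is unset is not visible here.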