From b5eac3cececb50b39173acff12c16f990fa686a3 Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Fri, 11 Feb 2022 23:22:50 +0100 Subject: [PATCH] ci: migrate toolchain to shared libraries --- Jenkinsfile | 59 ++++------------------------------------------------- Makefile | 33 ++---------------------------- 2 files changed, 6 insertions(+), 86 deletions(-) diff --git a/Jenkinsfile b/Jenkinsfile index 98df856..c34a302 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,56 +1,5 @@ -pipeline { - agent { node { label 'podman-aws-trivy' } } +library identifier: 'zdt-lib@master', retriever: modernSCM( + [$class: 'GitSCMSource', + remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git']) - stages { - stage('Prepare'){ - // get tags - steps { - sh 'git fetch --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}' - } - } - - // Build using rootless podman - stage('Build'){ - steps { - sh 'make build' - } - } - - stage('Test'){ - steps { - sh 'make test' - } - } - - // Scan via trivy - stage('Scan'){ - environment { - TRIVY_FORMAT = "template" - TRIVY_OUTPUT = "reports/trivy.html" - } - steps { - sh 'mkdir -p reports' - sh 'make scan' - publishHTML target : [ - allowMissing: true, - alwaysLinkToLastBuild: true, - keepAll: true, - reportDir: 'reports', - reportFiles: 'trivy.html', - reportName: 'TrivyScan', - reportTitles: 'TrivyScan' - ] - - // Scan again and fail on CRITICAL vulns - sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan' - } - } - - // Push to ECR - stage('Push'){ - steps { - sh 'make push' - } - } - } -} +buildPodman name: 'jenkins-podman' diff --git a/Makefile b/Makefile index 0de5792..6eda13a 100644 --- a/Makefile +++ b/Makefile @@ -1,34 +1,5 @@ REGISTRY := public.ecr.aws/zero-downtime -REPOSITORY := jenkins-podman +IMAGE := jenkins-podman REGION := us-east-1 -# Parse version from latest git semver tag -GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null) -TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//') - -ifeq ($(TRIVY_REMOTE),) - TRIVY_OPTS := image -else - TRIVY_OPTS := client --remote ${TRIVY_REMOTE} -endif - -.PHONY: build push scan test - -all: build - -build: - podman build --rm --squash-all -t $(REPOSITORY):$(TAG) -t $(REPOSITORY):latest . - -push: - aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY) - podman tag $(REPOSITORY):latest $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest - podman push $(REGISTRY)/$(REPOSITORY):$(TAG) - podman push $(REGISTRY)/$(REPOSITORY):latest - # Delete all untagged images - # aws ecr-public batch-delete-image --repository-name $(REPOSITORY) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(REPOSITORY) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done) - -scan: - trivy $(TRIVY_OPTS) $(REPOSITORY):$(TAG) - -test: - @echo "Not implemented (yet)" +include .ci/podman.mk