ci: migrate toolchain to shared libraries

2022-02-11 23:22:50 +01:00 · 2022-02-11 23:22:50 +01:00 · b5eac3cece
commit b5eac3cece
parent de5a732dd8
2 changed files with 6 additions and 86 deletions
--- a/59
+++ b/59
@ -1,56 +1,5 @@
-pipeline {
+library identifier: 'zdt-lib@master', retriever: modernSCM(
-  agent { node { label 'podman-aws-trivy' } }
+  [$class: 'GitSCMSource',
   remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
-  stages {
+buildPodman name: 'jenkins-podman'
    stage('Prepare'){
        // get tags
        steps {
            sh 'git fetch --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
        }
    }
    // Build using rootless podman
    stage('Build'){
        steps {
            sh 'make build'
        }
    }
    stage('Test'){
        steps {
            sh 'make test'
        }
    }
    // Scan via trivy
    stage('Scan'){
        environment { 
            TRIVY_FORMAT = "template"
            TRIVY_OUTPUT = "reports/trivy.html"
        }
        steps {
            sh 'mkdir -p reports'
            sh 'make scan'
            publishHTML target : [
                allowMissing: true,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: 'reports',
                reportFiles: 'trivy.html',
                reportName: 'TrivyScan',
                reportTitles: 'TrivyScan'
            ]
            // Scan again and fail on CRITICAL vulns
            sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
        }
    }
    // Push to ECR
    stage('Push'){
        steps {
            sh 'make push'
        }
    }
  }
 }
--- a/33
+++ b/33
@ -1,34 +1,5 @@
 REGISTRY := public.ecr.aws/zero-downtime
-REPOSITORY := jenkins-podman
+IMAGE := jenkins-podman
 REGION := us-east-1
-# Parse version from latest git semver tag
+include .ci/podman.mk
 GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
 TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
 ifeq ($(TRIVY_REMOTE),)
 	TRIVY_OPTS := image
 else
 	TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
 endif
 .PHONY: build push scan test
 all: build
 build:
 	podman build --rm --squash-all -t $(REPOSITORY):$(TAG) -t $(REPOSITORY):latest .
 push:
 	aws ecr-public get-login-password --region $(REGION) | podman login --username AWS --password-stdin $(REGISTRY)
 	podman tag $(REPOSITORY):latest $(REGISTRY)/$(REPOSITORY):$(TAG) $(REGISTRY)/$(REPOSITORY):latest
 	podman push $(REGISTRY)/$(REPOSITORY):$(TAG)
 	podman push $(REGISTRY)/$(REPOSITORY):latest
 	# Delete all untagged images
 	# aws ecr-public batch-delete-image --repository-name $(REPOSITORY) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(REPOSITORY) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
 scan:
 	trivy $(TRIVY_OPTS) $(REPOSITORY):$(TAG)
 test:
 	@echo "Not implemented (yet)"