Stefan Reimer
d8b6e1daf9
f00e541 Add cleanup step to remove untagged images by default git-subtree-dir: .ci git-subtree-split: f00e54179893bcaa915ddbf5c65c28adef70433a
81 lines
2.0 KiB
Groovy
81 lines
2.0 KiB
Groovy
// Common container builder by ZeroDownTime
|
|
|
|
def call(Map config=[:]) {
|
|
pipeline {
|
|
agent {
|
|
node {
|
|
label 'podman-aws-trivy'
|
|
}
|
|
}
|
|
stages {
|
|
stage('Prepare') {
|
|
steps {
|
|
// pull tags
|
|
withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
|
|
sh 'git fetch -q --tags ${GIT_URL}'
|
|
}
|
|
sh 'make prepare || true'
|
|
}
|
|
}
|
|
|
|
// Build using rootless podman
|
|
stage('Build') {
|
|
steps {
|
|
sh 'make build'
|
|
}
|
|
}
|
|
|
|
stage('Test') {
|
|
steps {
|
|
sh 'make test'
|
|
}
|
|
}
|
|
|
|
// Scan via trivy
|
|
stage('Scan') {
|
|
environment {
|
|
TRIVY_FORMAT = "template"
|
|
TRIVY_OUTPUT = "reports/trivy.html"
|
|
}
|
|
steps {
|
|
sh 'mkdir -p reports && make scan'
|
|
publishHTML target: [
|
|
allowMissing: true,
|
|
alwaysLinkToLastBuild: true,
|
|
keepAll: true,
|
|
reportDir: 'reports',
|
|
reportFiles: 'trivy.html',
|
|
reportName: 'TrivyScan',
|
|
reportTitles: 'TrivyScan'
|
|
]
|
|
|
|
// Scan again and fail on CRITICAL vulns, if not overridden
|
|
script {
|
|
if (config.trivyFail == 'NONE') {
|
|
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
|
|
} else {
|
|
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// Push to container registry, skip if PR
|
|
stage('Push') {
|
|
when { not { changeRequest() } }
|
|
steps {
|
|
sh 'make push'
|
|
}
|
|
}
|
|
|
|
// Basic registry retention removing untagged images
|
|
stage('cleanup') {
|
|
when { not { changeRequest() } }
|
|
steps {
|
|
sh 'make rm-remote-untagged'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|