ci: first try to use shared CI toolchain
This commit is contained in:
parent
2763d54c94
commit
711ac5b767
59
Jenkinsfile
vendored
59
Jenkinsfile
vendored
@ -1,56 +1,5 @@
|
||||
pipeline {
|
||||
agent { node { label 'podman-aws-trivy' } }
|
||||
library identifier: 'zdt-lib@master', retriever: modernSCM(
|
||||
[$class: 'GitSCMSource',
|
||||
remote: 'git@git.zero-downtime.net:ZeroDownTime/ci-tools-lib.git'])
|
||||
|
||||
stages {
|
||||
stage('Prepare'){
|
||||
// get tags
|
||||
steps {
|
||||
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
|
||||
}
|
||||
}
|
||||
|
||||
// Build using rootless podman
|
||||
stage('Build'){
|
||||
steps {
|
||||
sh 'make build'
|
||||
}
|
||||
}
|
||||
|
||||
stage('Test'){
|
||||
steps {
|
||||
sh 'make test'
|
||||
}
|
||||
}
|
||||
|
||||
// Scan via trivy
|
||||
stage('Scan'){
|
||||
environment {
|
||||
TRIVY_FORMAT = "template"
|
||||
TRIVY_OUTPUT = "reports/trivy.html"
|
||||
}
|
||||
steps {
|
||||
sh 'mkdir -p reports'
|
||||
sh 'make scan'
|
||||
publishHTML target : [
|
||||
allowMissing: true,
|
||||
alwaysLinkToLastBuild: true,
|
||||
keepAll: true,
|
||||
reportDir: 'reports',
|
||||
reportFiles: 'trivy.html',
|
||||
reportName: 'TrivyScan',
|
||||
reportTitles: 'TrivyScan'
|
||||
]
|
||||
|
||||
// Scan again and fail on CRITICAL vulns
|
||||
sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
|
||||
}
|
||||
}
|
||||
|
||||
// Push to ECR
|
||||
stage('Push'){
|
||||
steps {
|
||||
sh 'make push'
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
buildPodman name: 'sns-alert-hub'
|
||||
|
49
Makefile
49
Makefile
@ -2,51 +2,4 @@ REGISTRY := public.ecr.aws/zero-downtime
|
||||
IMAGE := sns-alert-hub
|
||||
REGION := us-east-1
|
||||
|
||||
# Parse version from latest git semver tag
|
||||
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
|
||||
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
|
||||
|
||||
ifeq ($(TRIVY_REMOTE),)
|
||||
TRIVY_OPTS := image
|
||||
else
|
||||
TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
|
||||
endif
|
||||
|
||||
.PHONY: build test scan push clean
|
||||
|
||||
all: test
|
||||
|
||||
|
||||
build:
|
||||
docker image exists $(IMAGE):$(TAG) || \
|
||||
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
|
||||
|
||||
test: build rm-test-image
|
||||
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test .
|
||||
|
||||
scan: build
|
||||
trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
|
||||
|
||||
push: scan
|
||||
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
|
||||
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
|
||||
docker push $(REGISTRY)/$(IMAGE):$(TAG)
|
||||
docker push $(REGISTRY)/$(IMAGE):latest
|
||||
# Delete all untagged images
|
||||
# aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
|
||||
|
||||
clean: rm-test-image rm-image
|
||||
|
||||
.PHONY: rm-image
|
||||
rm-image:
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
|
||||
|
||||
# Ensure we run the tests by removing any previous runs
|
||||
.PHONY: rm-test-image
|
||||
rm-test-image:
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
|
||||
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
|
||||
|
||||
.DEFAULT:
|
||||
@echo "$@ not implemented. NOOP"
|
||||
include .ci/podman.mk
|
||||
|
Loading…
Reference in New Issue
Block a user