ci: first try to use shared CI toolchain

This commit is contained in:
Stefan Reimer 2022-02-11 17:52:46 +01:00
parent 2763d54c94
commit 711ac5b767
2 changed files with 5 additions and 103 deletions

59
Jenkinsfile vendored
View File

@ -1,56 +1,5 @@
pipeline {
agent { node { label 'podman-aws-trivy' } }
library identifier: 'zdt-lib@master', retriever: modernSCM(
[$class: 'GitSCMSource',
remote: 'git@git.zero-downtime.net:ZeroDownTime/ci-tools-lib.git'])
stages {
stage('Prepare'){
// get tags
steps {
sh 'git fetch -q --tags ${GIT_URL} +refs/heads/${BRANCH_NAME}:refs/remotes/origin/${BRANCH_NAME}'
}
}
// Build using rootless podman
stage('Build'){
steps {
sh 'make build'
}
}
stage('Test'){
steps {
sh 'make test'
}
}
// Scan via trivy
stage('Scan'){
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps {
sh 'mkdir -p reports'
sh 'make scan'
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'trivy.html',
reportName: 'TrivyScan',
reportTitles: 'TrivyScan'
]
// Scan again and fail on CRITICAL vulns
sh 'TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=CRITICAL make scan'
}
}
// Push to ECR
stage('Push'){
steps {
sh 'make push'
}
}
}
}
buildPodman name: 'sns-alert-hub'

View File

@ -2,51 +2,4 @@ REGISTRY := public.ecr.aws/zero-downtime
IMAGE := sns-alert-hub
REGION := us-east-1
# Parse version from latest git semver tag
GTAG=$(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
TAG ?= $(shell echo $(GTAG) | awk -F '-' '{ print $$1 "-" $$2 }' | sed -e 's/-$$//')
ifeq ($(TRIVY_REMOTE),)
TRIVY_OPTS := image
else
TRIVY_OPTS := client --remote ${TRIVY_REMOTE}
endif
.PHONY: build test scan push clean
all: test
build:
docker image exists $(IMAGE):$(TAG) || \
docker build --rm -t $(IMAGE):$(TAG) --build-arg TAG=$(TAG) .
test: build rm-test-image
docker build --rm -t $(IMAGE):$(TAG)-test --from=$(IMAGE):$(TAG) -f Dockerfile.test .
scan: build
trivy $(TRIVY_OPTS) $(IMAGE):$(TAG)
push: scan
@aws ecr-public get-login-password --region $(REGION) | docker login --username AWS --password-stdin $(REGISTRY)
@docker tag $(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):$(TAG) $(REGISTRY)/$(IMAGE):latest
docker push $(REGISTRY)/$(IMAGE):$(TAG)
docker push $(REGISTRY)/$(IMAGE):latest
# Delete all untagged images
# aws ecr-public batch-delete-image --repository-name $(IMAGE) --region $(REGION) --image-ids $$(for image in $$(aws ecr-public describe-images --repository-name $(IMAGE) --region $(REGION) --output json | jq -r '.imageDetails[] | select(.imageTags | not ).imageDigest'); do echo -n "imageDigest=$$image "; done)
clean: rm-test-image rm-image
.PHONY: rm-image
rm-image:
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || docker image rm -f $(IMAGE):$(TAG) > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG))" || echo "Error: Removing image failed"
# Ensure we run the tests by removing any previous runs
.PHONY: rm-test-image
rm-test-image:
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || docker image rm -f $(IMAGE):$(TAG)-test > /dev/null
@test -z "$$(docker image ls -q $(IMAGE):$(TAG)-test)" || echo "Error: Removing test image failed"
.DEFAULT:
@echo "$@ not implemented. NOOP"
include .ci/podman.mk