sns-alert-hub/vars/buildPodman.groovy
Stefan Reimer 174d1f9680 Squashed '.ci/' changes from 98c8ec1..aea1ccc
aea1ccc Only add branch name to tags, if not part of actual tag
a5875db Make EXTRA_TAGS work again
63421d1 fix: prevent branch_name equals tag
47140c2 feat: append branch into tags if not main
4b62ada chore: improve messaging
a49cc0c chore: improve messaging
194afb4 chore: get ci working again
8ec9769 chore: get ci working again
fef4968 fix: do NOT push PRs to registry, other fixes
50a6d67 feat: ensure ARCH is only set to defined values
8fb40c7 fix: adjust trivy call to local podman
7378ea9 fix: fix trivy scan task to match new flow, add BRANCH env to Makefile
38cf7ab fix: more podman/buildah cleanups
aece7fc fix: Improve multi-arch manifest handling
80dabc2 feat: remove implicit dependencies, add help target, cleanup
5554972 feat: multi-arch container images
da15d68 feat: handle nothing to cleanup gracefully
01df38b feat: move ecr-login into its own task
ea9c914 chore: test mermaid
19a782e chore: test mermaid
a47929d feat: switch to latest trivy cli syntax
cb5faca feat: add create-repo task to ease bootstrapping new project
49ea8c8 feat: Add support for custom EXTRA_TAGS
dc2c208 fix: use absolute image URLs for some tasks
bc72735 docs: add quickstart

git-subtree-dir: .ci
git-subtree-split: aea1cccfff35de2ef2eca138379a599c8bde39e0
2023-05-15 12:21:08 +00:00

74 lines
1.8 KiB
Groovy

// Common container builder by ZeroDownTime
def call(Map config=[:]) {
pipeline {
agent {
node {
label 'podman-aws-trivy'
}
}
stages {
stage('Prepare') {
steps {
// pull tags
withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
sh 'git fetch -q --tags ${GIT_URL}'
}
sh 'make prepare || true'
}
}
// Build using rootless podman
stage('Build') {
steps {
sh 'make build'
}
}
stage('Test') {
steps {
sh 'make test'
}
}
// Scan via trivy
stage('Scan') {
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps {
sh 'mkdir -p reports && make scan'
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'trivy.html',
reportName: 'TrivyScan',
reportTitles: 'TrivyScan'
]
// Scan again and fail on CRITICAL vulns, if not overridden
script {
if (config.trivyFail == 'NONE') {
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
} else {
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
}
}
}
}
// Push to container registry, skip if PR
stage('Push') {
when { not { changeRequest() } }
steps {
sh 'make push'
}
}
}
}
}